Tag Archives: Adobe Flash Player

Adobe Flash zero day exploited in the wild. Remote code execution vulnerabilities are hacker’s favorites!

8 December 2018

On December 5th, 2018 Adobe published security bulletin APSB18-41[1] for critical vulnerability CVE-2018-15928 in the widely used Flash Player. Gigamon Applied Threat Research (ATR) reported the vulnerability on November 29th, 2018 to Adobe. They detected the issue some days before while analyzing a malicious word document that was uploaded to VirusTotal from a Ukrainian IP address. For a detailed analysis of the attack and the vulnerability see [2][3].

Successful exploitation of CVE-2018-15928 could lead to Arbitrary Code Execution in the context of the current user. Due to RedHat the CVSS3 Base Metrics is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H with a CVSS3 Base Score of 8.8.

Zero days are not a rare phenomenon. Between 2013 and 2017[4] about 60% of the exploits were disclosed before the related CVE was published.

For about 20% of vulnerabilities in the NVD exploits are published in the exploit database[5]. Only about 1% of the vulnerabilities are exploited in the wild. Thus CVE-2018-15928 is a really rare event.

Remote code/script execution (RxE) vulnerabilities like CVE-2018-15928 represent about 20% of all vulnerabilities. 43% of the exploits published between 1988 and 2018 are related to RxE vulnerabilities.

Remote Code Execution Vulnerabilities. Data: 1988-2018

RxE Vulnerabilities. Data: 1988-2018

Exploits for Remote Code Execution Vulnerabilities. Data: 1988-2018

Exploits for RxE Vulnerabilities. Data: 1988-2018

About 5% of the RxE vulnerabilities are exploited in the wild.

This means, that RxE vulnerabilities are 5 times more often exploited in the wild then Non-RxE vulnerabilities. They are hacker’s favorites!

What does the mean for our vulnerability management strategy?

  • The remediation process must be started directly upon publication of an RxE vulnerability in the NVD or the disclosure of an exploit for an RxE in the exploit database.
  • In scope for the first remediation wave must be at least all systems facing the internet, e.g. workstations, servers in the DMZ or in public clouds.
  • Gathering intelligence about new vulnerabilities from a plethora of publicly available sources (OSINT) is a time-consuming task. A threat intelligence service can speed-up information gathering and reduces the workload of your IT security staff.
  • In addition, since remediation takes some time, it makes sense to invest in means for enhancing the resilience of application systems.

Expect the worst and be prepared. Or, to echo Hamlet:

To be, or not to be, that is the question:
Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take arms against a sea of troubles,
And by opposing, end them? To die: to sleep;

Have a good weekend.

  1. Adobe. Security updates available for Flash Player | APSB18-42 [Internet]. 2018 [cited 2018 Dec 8]. Available from: https://helpx.adobe.com/security/products/flash-player/apsb18-42.html

  2. Gigamon Threat Research Team. Adobe Flash Zero-Day Exploited In the Wild [Internet]. Gigamon ATR Blog. 2018 [cited 2018 Dec 8]. Available from: https://atr-blog.gigamon.com/2018/12/05/adobe-flash-zero-day-exploited-in-the-wild/

  3. Qihoo 360 Advanced Threat Response Team. Operation Poison Needles – APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day [Internet]. 2018 [cited 2018 Dec 8]. Available from: http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN.html

  4. Jochem K. About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy? [Internet]. IT Security Matters. 2018 [cited 2018 Dec 8]. Available from: https://klausjochem.me/2018/11/04/about-60-of-exploits-are-published-before-the-cve-what-does-this-mean-for-your-cyber-security-strategy/

  5. Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/

Adobe Systems Inc’s Flash will be retired at the end of 2020

30 July 2017

From an IT security point of view, Adobe’s announcement to retire Flash Player at the end of 2020 is excellent news. For details see the report ‘Adobe to pull plug on Flash, ending an era’ published in Reuters Technology News on 25 July 2017.

Flash player was good for a lot of CVSS V2 severity High rated vulnerabilities every year.

Flash Player CVSS Severity High rated vulnerabilities

Flash Player CVSS V2 Severity High rated vulnerabilities

NIST NVD search parameters:  Results Type: Statistics /  Keyword (text search): Adobe flash player /  Publication Start Date: January 2010 / Publication End Date: July 2017 / CVSS Version: 2
CVSS V2 Severity: High (7-10)

The result was an endless stream of patches which kept IT operations groups busy all year.

Thank you, Adobe, for the good news.

Have a great week.

Attention! Attention! Ransomware Cerber talks to you

16 April 2016

I use Adobe Flash Player only if there’s no other way. The plugin is deactivated by default, and activated only in the case I view an SC Magazine seminar.

Nevertheless, the latest security flaws, in particular CVE-2016-1019, must be patched as soon as possible. Because this bug was being exploited in drive-by download attacks that infect computers with ransomware Cerber after visiting tainted websites.

New on Cerber is that it has a computer-generated voice. And, that the malware is delivered by a drive-by download. With this, the first line of defense, your users, is of limited effectiveness because they are unable to determine that they were tricked.

From my point of view, a next generation endpoint protection tool, that containerizes all applications which connect to the Internet, is the means of choice in the defense of drive-by attacks. Since I am a strong advocate of the Zero-Trust Network concept, I recommend to containerize applications even if they access internal network resources only.

In addition, containerization frees us from the patching treadmill, at least to some extent, since we are no longer forced to install every patch on thousands of computers.

Unfortunately, Microsoft missed the opportunity to run Flash Player more secure in Windows 10.

Process Explorer View of Edge and FLashPlayer

Process Explorer View of Edge and Flash Player. Click to enlarge.

Edge runs by default at integrity level AppContainer. This makes sure that access to system resources is widely blocked. By contrast, Flash Player has access to lots of system resources because it runs at Medium Integrity Level.

Have a good weekend, and patch your Flash Player!

Is ‘Assume you have been breached’ really the best Cybersecurity Strategy?

19 March 2016

I watched webinar ‘The Best Cybersecurity Strategy: Assume You Have Been Breached’ this week. The summary in the email invitation sounded really interesting, thus I registered, and had to compromise the integrity of my computer once again. Why on earth presents SC Magazine all content in this security nightmare Flash Player?

Young-Sae Song, Vice President Marketing, Arctic Wolf, quotes the Gartner advice ‘Shift Cybersecurity Investment to Detection and Response’ of January this year:

Experts recommend more focus on detecttion

Experts recommend to shift focus on detection and response

Is this advice meant seriously? I don’t think so. The Ponemon Institute estimated in the ‘2015 Cost of Data Breach Study: Global Analysis’ the mean time to identify at 206 days with a range of 20 to 582 days (based on a sample of 350 companies). And this, despite the increasing number of SIEM installations in the past years.

CISOs are well advised to make sure, that the existing cyber defense measures, including their SIEM system, work effectively before they follow this advice.

A ray of hope is Invincea’s Advanced Attack Challenge Simulator. The simulator allows to test the effectiveness of defensive measures against a variety of adversaries. For more details, please see Anup Ghosh’s post ‘Take the Advanced Attack Challenge’. I tried to cut the number of possible defense measures as far as possible. The results are really interesting. Of course only in the context of this model?

Have a good weekend, and good luck with the simulation.

Nomination for the “Most-Slanting-Phishing-Site-of-the-Year” award

10 July 2015

I am receiving about 20 phishing mails a week. Most attackers invest a lot of effort in their counterfeits but, sometimes they overshoot the mark. My July candidate for the Most-Slanting-Phishing-Site-of-the-Year award is:

Most-Slanting-Phishing-Site-of-the-Year award - July 2015 candidate

Most-Slanting-Phishing-Site-of-the-Year award – July 2015 candidate

Earlier this week the Italian company Hacking Team was hacked. The attackers made more than 400GB of confidential company data available to the public. The leaked data included tools and exploits provided by the company to carry out attacks, among them a new Flash Player zero day affecting Flash Player up to version 18.0.0.194.

Two critical vulnerabilities in as many weeks, that’s really annoying. The problem with the latest Flash Player attacks is that the payload is hidden in Flash Player SWF files. Thus, basically every SWF file might carry a malicious payload…

… It’s definitely time to solve the Flash Player problems once and for all.

Have a good weekend.

I haven’t missed it – The first week without Adobe Flash Player

4 July 2015

In my last week’s post I raised the question whether it might not be useful to solve the endless problems with Flash Player once and for all by just deactivating this add-on.

I haven’t missed Flash Player on my iPad II so far. Regarding usage at home my expectations were clear: The world would not change dramatically. But I hadn’t any clue about the changes at work. Is Flash player often used as add-on in business applications or in the company Intranet?

On Monday morning I started a self-experiment and deactivated Flash Player on my company PC.

Now it’s time to draw a first summary: My expectations were clearly exceeded. Deactivating Flash Player has absolutely no impact on my daily work. I found only one intranet site where  Flash Player was used.

I will continue this experiment for some weeks. My feeling is that Flash Player can be disabled with little or no impact on business. Moreover, it is important to design new sites and applications without using Flash videos.

If you manage to waive Flash Player the attack surface of your system as well as the effort for patching will be reduced dramatically.

Happy 4th of July!

Adobe releases next emergency Flash zero-day patch

27 June 2015

Adobe Flash Player is a real source of irritation. New vulnerabilities are continuously made public. In the last three month 64 vulnerabilities were published in the NIST NVD Database, of which 43 with highest severity 10.0.

The latest vulnerability CVE-2015-3113, that potentially allows an attacker to take control of an affected system, is a technically advanced piece of malware. For technical details see the FireEye blog post ‘Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign’.

As usual the attack is started through a phishing email. And, once the attackers got access to the victim’s network, they move laterally through the network in the search of valuable information.

With this we have the first and second line of defense in a prevention strategy: User awareness training to support users in recognizing such attacks, and system isolation to prevent the attackers from moving laterally through the network.

Perhaps it’s time to solve this problem once and for all by uninstalling Flash Player…

Have a good weekend.

How to mitigate Drive-by-Downloads Attacks

24 January 2014

Bad news for Adobe Flash Player users. A new critical vulnerability (CVE-2015-0311) was found in Adobe Flash Player 16.0.0.28… Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

In the Adobe Security Bulletin we read ‘We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.’

Drive-by-download (DbD) attacks are a often used technology to exploit vulnerabilities in programs. In his post ‘How malware works: Anatomy of a drive-by download web attack’ John Zorabedian from SOPHOS gives a detailed description about how DbD attacks work.

The shocking fact is: It’s not even necessary to click a link on the malicious site. If you just load the site the malware download could start, automatically and silently in the background.

The good news is that we could almost completely deactivate this feature, namely without considerable comfort loss. The Security Technical Implementation Guide (STIG) for Internet Explorer 11 shows the direction.

STIG’s are primarily used to secure the information systems of the Departments of Defense, but this should not deter us from using STIGs to secure our systems at home, and of course in our businesses.

STIGs are available from http://www.stigviewer.com/stigs for operating systems, web servers, databases or applications. They are an excellent means to secure the devices that are connected to the internet against malicious attacks. But, be aware that 100% safety could not be achieved.

Applying STIGs to Microsoft operating systems and applications is very easy if you are familiar with the registry editor regedit.exe and the local group policy editor gpedit.msc. Since only standard windows security options are used the recommended settings could be applied to all computers.

Back to the Drive-by-Download attacks. To prevent DbD attacks we have to configure Internet Explorer such that downloads not consented by the user are blocked. Sound’s easy, doesn’t it? We have just to work through the STIG for Internet Explorer 11 and implement the relevant fixes:

Step 1: Block non user-initiated file downloads

The DoD requirements block unconsented downloads from the Restricted Sites Zone and the Internet Zone. Since I would not trust computers in local networks as well I would strongly recommend to block unconsented downloads from all zones.

Implement at least Fixes from Finding Ids V-46705 and V-46643

Step 2: Block non user-initiated file downloads for Internet Explorer Processes

Implement Fixes from Finding IDs V-46779 and V-46781

Step 3: Enforce Protected Mode

Protected Mode protects Internet Explorer from exploited vulnerabilities by reducing the locations Internet Explorer can write to in the registry and the file system. I would recommend to enforce protected mode for all zones.

Implement at least Fixes from Finding IDs V-46685 and V-46681

Step 4: Enforce Enhanced Protected Mode on 64 bit Windows Systems

Implement Fix from Finding ID V-46987

That’s it for today. Please keep in mind that 100% safety could not be achieved, even if you implement the 155 fixes from the IE11 STIG.

Don’t Panic! And have a good weekend.