WatchPoint Security Blog

Zero-Day Vulnerability Affects Adobe Flash

Written by Jordan Kadlec | February 24, 2015

A new zero-day vulnerability that affects Adobe Flash has been discovered, and is already being exploited by cyber criminals. Attackers are using compromised websites to exploit a new vulnerability in Flash Player. The new exploit was observed in a drive-by-download attack launched with an exploit kit called Angler.

What are Zero-Day Vulnerabilities?

A zero-day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it - this exploit is called a zero-day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.

Exploit Kits Explained

Exploit kits, such as Angler, are malicious Web applications that contain exploits for vulnerabilities in browsers and browser plug-ins such as Java, Flash Player, Adobe Reader and Silverlight. Attackers silently redirect users' browsers to exploit kit installations by inserting rogue code in compromised websites and malicious advertisements.

The kits choose which exploits to load from their arsenal depending on the visitor's browser and installed plug-ins. If successful, the exploits install malware. It is known as a drive-by-download attack and is typically transparent to users.

Exploit kits usually target known vulnerabilities, which is why it is important to keep browser plug-ins like Flash Player up-to-date. But that doesn't help if attackers have an exploit for a zero-day vulnerability; one that has not been patched yet by the software vendor.

Adobe Flash Vulnerability

Trend Micro gives a summary of the most important details about this particular vulnerability:

  • It is affecting the latest versions of Adobe Flash Player
  • It is being exploited to install malware onto vulnerable systems
  • The exploit kit being used in this particular instance is identified as the Angler exploit kit that uses new techniques to hide its malicious routines
  • By tracking the most recent victims of the Angler Exploit kit, Trend Micro believes most of this vulnerability's victims come from the US (84%) with a handful coming from Australia and Taiwan (9% and 5% respectively)
  • Based on attacks seen so far, the installed malware's function is to perform ad fraud against ad networks

What is ad (advertisement) fraud? Ad fraud is performed by a program designed to automatically click on certain ads on a certain website, artificially inflating the amount of clicks that ad gets. Since ad networks pay the owner of the website hosting their ads based on the amount of clicks each ad gets, ad fraud games the system by tricking the ad network to pay more. This may sound harmless as it doesn't necessarily affect users, but the fact is that it does install malware onto your system; which in turn may download and install other, more damaging and harmful malware, making this particular vulnerability something to be aware of.

As of January 23, 2015 Adobe had released an emergency patch for a flaw in its Flash software that was being widely exploited by thieves. The patch stops the flaw from being exploited on some versions of Windows, Apple and Linux operating systems.

It is expected that another patch will be released sometime this week. Adobe highly recommends users to download the latest version of Adobe Flash to significantly decrease the risk of being attacked. If you have not downloaded the update, it's strongly recommended that you disable the plug-in until you have time to do so.