Four Adobe Flash 0-days In Three Weeks - Patches Now Available
<p>
Following on from the revelation of a 0-day in Adobe Flash in June 2015 (<a href="http://community.websense.com/blogs/securitylabs/archive/2015/06/24/adob..., since patched), 3 further 0-days have been discovered in the last 3 weeks. They are tracked as CVE-2015-5119, CVE-2015-5122, and CVE-2015-5123.</p>
<p>
Knowledge of the 0-day proof-of-concept code arose from analysis of the data breach at the Italian company Hacking Team.</p>
<h3>
The journey from discovery to exploit kit</h3>
<p>
Within hours of the exploit code being made public it was <a href="http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-t... have been incorporated into exploit kits including Angler, Neutrino, and NuclearPack.</p>
<p>
Telemetry from our <a href="https://www.websense.com/content/websense-threatseeker-network.aspx?cmpi... Intelligence Cloud</a> shows a spike in the number of NuclearPack security incidents that we identified and protected against over the last few days:</p>
<p>
<img alt="" src="/sites/default/files/blog/legacy/3463.nuclear_23930.png-550x0.png" style="height:247px; width:278px" /></p>
<h3>
Is your browser trying to tell you something?</h3>
<p>
Firefox has been configured to block the Flash plugin (aka Shockwave Flash) by default. You can see this through a warning presented underneath your address bar when you browse to a website that uses Flash, or there will be an overlay to the Flash artifact that would have been displayed:</p>
<p>
<img alt="" src="/sites/default/files/blog/legacy/2330.plugin_has_vuln.png-550x0.png" style="height:161px; width:330px" /></p>
<p>
You can also access this information via Menu > Add-ons > Plugins. The example below tells us that the version of Flash Player in our environment is known to be vulnerable:</p>
<p>
<img alt="" src="/sites/default/files/blog/legacy/3750.flash_blocked.png-550x0.png" style="height:25px; width:550px" /></p>
<h3>
How to update your Flash Player?</h3>
<p>
You can check which version of Flash Player you have running here: <a href="http://www.adobe.com/software/flash/about/">http://www.adobe.com/softwar...
<p>
For example, the Adobe website is able to tell us that we are running an older version of Adobe Flash Player in our virtual environment:</p>
<p>
<img alt="" src="/sites/default/files/blog/legacy/5584.version_18_0_0_203.png-550x0.png" style="height:107px; width:174px" /></p>
<p>
The latest version of Flash (as of 14 July 2015 2:30pm BST) is 18.0.0.209, 11.2.202.481, or 11.2.202.223 depending on your OS and browser combination.</p>
<p>
You can download the latest version of Flash here: <a href="https://get.adobe.com/flashplayer/">https://get.adobe.com/flashplayer/</...
<p>
As an alternative mitigation, consider whether disabling Flash Player is appropriate in your environment.</p>
<p>
You can monitor the Adobe Product Security Incident Response Team (PSIRT) Blog at <a href="https://blogs.adobe.com/psirt/">https://blogs.adobe.com/psirt/</a> for details of any upcoming patches should any further vulnerabilities be identified.</p>
<h3>
Protection Offered to Raytheon|Websense Customers</h3>
<h4>
CVE-2015-5119 – A Case Study</h4>
<p>
These vulnerabilities, if and when incorporated into existing exploit kits, will still be blocked by Raytheon|Websense solutions because we have a variety of detection techniques across the <a href="http://www.websense.com/sevenstages?cmpid=slbl">7 Stages of Advanced Threats</a> via real-time analytics within ACE, our <a href="https://www.websense.com/content/websense-advanced-classification-engine... Classification Engine</a>. This includes:</p>
<p>
Stage 3 (Redirect) - the detection of known malicious sites</p>
<p>
Stage 6 (Call Home) - detection of command and control channels</p>
<p>
Stage 7 (Data Theft) – to reduce the occurrence of data exfiltration</p>
<p>
If exploitation of these vulnerabilities is incorporated into wholly new exploit kits then we are capable of detecting malicious behaviour through our heuristics, behavioural monitoring, and analysis techniques.</p>
<p>
We will update coverage as necessary to keep our customers protected.</p>
<h3>
What do we know about these vulnerabilities?</h3>
<p>
Here is a quick summary of the 4 vulnerabilities and their related patches.</p>
<p>
CVE identifier? <a href="http://community.websense.com/controlpanel/blogs/posteditor.aspx/Adobe%2...
<p>
Rating? Critical</p>
<p>
Impact? Remote code execution and DDOS</p>
<p>
Affected version? 18.0.0.161</p>
<p>
Patched? Yes, in version 18.0.0.194</p>
<p>
CVE identifier? <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5119">CVE-2015-5...
<p>
Rating? Critical</p>
<p>
Impact? Remote code execution and DDOS</p>
<p>
Affected version? 18.0.0.194</p>
<p>
Patched? Yes, in version 18.0.0.203</p>
<p>
CVE identifier? CVE-2015-5122</p>
<p>
Rating? Critical</p>
<p>
Affected version? 18.0.0.204 and others.</p>
<p>
Patched? Yes, in version 18.0.0.209 released today, see <a href="https://helpx.adobe.com/security/products/flash-player/apsb15-18.html">h...
<p>
CVE identifier? CVE-2015-5123</p>
<p>
Rating? Critical</p>
<p>
Affected version? 18.0.0.204 and others.</p>
<p>
Patched? Yes, in version 18.0.0.209 today, see <a href="https://helpx.adobe.com/security/products/flash-player/apsb15-18.html">h...
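<p>
The fixed builds in the summary above can be turned into an inventory check. The following is an added example, not code from the original post: the host names and inventory format are hypothetical, only the 18.x branch is assessed (the page gives no per-CVE fixed build for other branches), and the first entry uses a placeholder because its CVE identifier is truncated above.</p>

```python
import re

# Fixed builds on the 18.x branch, taken from the summary above. The first
# entry's CVE identifier is truncated on the page, so a placeholder is used.
FIXED_IN_18 = [
    ("June 2015 0-day (identifier truncated on page)", (18, 0, 0, 194)),
    ("CVE-2015-5119", (18, 0, 0, 203)),
    ("CVE-2015-5122", (18, 0, 0, 209)),
    ("CVE-2015-5123", (18, 0, 0, 209)),
]

def parse_version(raw):
    """Return a 4-tuple of ints from '18.0.0.203' or 'WIN 18,0,0,203', else None."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", raw or "")
    return tuple(int(p) for p in m.groups()) if m else None

def unpatched(raw):
    """List the page's issues still open for an 18.x build; None if not assessable."""
    v = parse_version(raw)
    if v is None or v[0] != 18:
        return None  # unparseable, or a branch the page gives no per-CVE data for
    return [name for name, fixed in FIXED_IN_18 if v < fixed]

def triage(inventory):
    """Map host -> 'patched', 'unknown', or a comma-separated list of open issues."""
    report = {}
    for host, raw in inventory.items():
        issues = unpatched(raw)
        if issues is None:
            report[host] = "unknown"
        else:
            report[host] = ", ".join(issues) if issues else "patched"
    return report

# Constructed inventory (hypothetical host names and reported version strings).
SAMPLE = {
    "desk-01": "18.0.0.203",
    "desk-02": "WIN 18,0,0,209",   # comma form, as Flash reports its own version
    "desk-03": "18.0.0.99",        # older than .194 numerically, newer as plain text
    "lab-01": "11.2.202.481",
    "kiosk-07": "not installed",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

<p>
Comparing the builds as integer tuples matters here: a plain string comparison would rank 18.0.0.99 above 18.0.0.194 and report that host as patched.</p>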
<p>
<em>Contributors: Andy Settle</em></p>