X-Labs
July 13, 2015

Four Adobe Flash 0-days In Three Weeks - Patches Now Available

Carl Leonard Principal Security Analyst

<p>
Following on from the revelation of a 0-day in Adobe Flash in June 2015 (<a href="http://community.websense.com/blogs/securitylabs/archive/2015/06/24/adob..., since patched), 3 further 0-days have been discovered in the last 3 weeks.&nbsp; The 3 are tracked as CVE-2015-5119, CVE-2015-5122, and CVE-2015-5123.</p>

<p>
The knowledge of the 0-day Proof of Concept code arose from analysis of the data breach from the Italian Hacking Team company.</p>

<h3>
The journey from discovery to exploit kit</h3>

<p>
Within hours of the exploit code being made public it was&nbsp;<a href="http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-t... have been incorporated into exploit kits including Angler, Neutrino, and NuclearPack.</p>

<p>
Telemetry from our&nbsp;<a href="https://www.websense.com/content/websense-threatseeker-network.aspx?cmpi... Intelligence Cloud</a>&nbsp;shows a spike in the number of NuclearPack security incidents that we identified and protected against over the last few days:</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/3463.nuclear_23930.png-550x0.png" style="height:247px; width:278px" /></p>

<h3>
Is your browser trying to tell you something?</h3>

<p>
Firefox has been configured to block the Flash plugin (aka Shockwave Flash) by default.&nbsp; You can see this through a warning presented underneath your address bar when you browse to a website that uses Flash, or there will be an overlay to the Flash artifact that would have been displayed:</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/2330.plugin_has_vuln.png-550x0.png" style="height:161px; width:330px" /></p>

<p>
Further, you can access the information via Menu &gt; Add-ons &gt; Plugins.&nbsp; The example below tells us that the version of Flash Player in our environment is known to be vulnerable:</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/3750.flash_blocked.png-550x0.png" style="height:25px; width:550px" /></p>

<h3>
How to update your Flash Player?</h3>

<p>
You can check which version of Flash Player you have running here:&nbsp;<a href="http://www.adobe.com/software/flash/about/">http://www.adobe.com/softwar...

<p>
For example, the Adobe website is able to tell us that we are running an older version of Adobe Flash Player in our virtual environment:</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/5584.version_18_0_0_203.png-550x0.png" style="height:107px; width:174px" /></p>

<p>
The latest version of Flash (as of 14 July 2015 2:30pm BST) is 18.0.0.209, 11.2.202.481, or 11.2.202.223 depending on your OS and browser combination.</p>

<p>
You can download the latest version of Flash here:&nbsp;<a href="https://get.adobe.com/flashplayer/">https://get.adobe.com/flashplayer/</...

<p>
An alternative mitigation strategy would be to consider if disabling Flash Player is appropriate in your environment.</p>

<p>
You can monitor the Adobe Product Security Incident Response Team (PSIRT) Blog at&nbsp;<a href="https://blogs.adobe.com/psirt/">https://blogs.adobe.com/psirt/</a>&nbsp;for details of any upcoming patches should any further vulnerabilities be identified.</p>

<h3>
Protection Offered to Raytheon|Websense Customers</h3>

<h4>
CVE-2015-5119 &ndash; A Case Study</h4>

<p>
These vulnerabilities, if and when incorporated into existing exploit kits, will still be blocked by Raytheon|Websense solutions because we have a variety of detection techniques across the&nbsp;<a href="http://www.websense.com/sevenstages?cmpid=slbl">7 Stages of Advanced Threats</a>&nbsp;via real-time analytics within ACE, our&nbsp;<a href="https://www.websense.com/content/websense-advanced-classification-engine... Classification Engine</a>.&nbsp; This includes:</p>

<p>
Stage 3 (Redirect) - the detection of known malicious sites</p>

<p>
Stage 6 (Call Home) - detection of command and control channels</p>

<p>
Stage 7 (Data Theft) &ndash; to reduce the occurrence of data exfiltration</p>

<p>
If exploitation of these vulnerabilities is incorporated into wholly new exploit kits then we are capable of detecting malicious behaviour through our heuristics, behavioural monitoring, and analysis techniques.</p>

<p>
We will update coverage as necessary to keep our customers protected.</p>

<h3>
What do we know about these vulnerabilities?</h3>

<p>
Here is a quick summary of the 4 vulnerabilities and their related patches.</p>

<p>
CVE identifier?&nbsp;<a href="http://community.websense.com/controlpanel/blogs/posteditor.aspx/Adobe%2...

<p>
Rating? Critical</p>

<p>
Impact? Remote code execution and DDOS</p>

<p>
Affected version? 18.0.0.161</p>

<p>
Patched? Yes, in version 18.0.0.194</p>

<p>
CVE identifier?&nbsp;<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5119">CVE-2015-5...

<p>
Rating? Critical</p>

<p>
Impact? Remote code execution and DDOS</p>

<p>
Affected version? 18.0.0.194</p>

<p>
Patched? Yes, in version 18.0.0.203</p>

<p>
CVE identifier? CVE-2015-5122</p>

<p>
Rating? Critical</p>

<p>
Affected version? 18.0.0.204 and others.</p>

<p>
Patched? Yes, in version 18.0.0.209 released today, see&nbsp;<a href="https://helpx.adobe.com/security/products/flash-player/apsb15-18.html">h...

<p>
CVE identifier? CVE-2015-5123</p>

<p>
Rating? Critical</p>

<p>
Affected version? 18.0.0.204 and others.</p>

<p>
Patched? Yes, in version 18.0.0.209 released today, see&nbsp;<a href="https://helpx.adobe.com/security/products/flash-player/apsb15-18.html">h...
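
<p>
The summary above can be turned into a quick inventory triage. The script below is an added example, not part of the original post or any Raytheon|Websense tooling. It assumes every 18.x build below a listed fixed build is affected, and the host names and inventory are constructed.</p>

```python
import re

# Fixed builds for the 18.x branch, copied from this post's summary.
# The first entry's CVE id is truncated on the page, so it gets a label.
FIXED_IN_18 = [
    ("June 2015 0-day (CVE id truncated on page)", (18, 0, 0, 194)),
    ("CVE-2015-5119", (18, 0, 0, 203)),
    ("CVE-2015-5122", (18, 0, 0, 209)),
    ("CVE-2015-5123", (18, 0, 0, 209)),
]
_VERSION = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")

def parse_version(text):
    """4-tuple of ints from '18.0.0.203' or 'WIN 18,0,0,203'; None if absent."""
    m = _VERSION.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def unpatched(version_text):
    """List the post's CVEs that an 18.x build still lacks the fix for.

    Returns None when the post's data cannot judge the build: unparseable
    strings and non-18.x branches (the post names two 11.2.202 builds
    without saying which platform each belongs to).
    """
    v = parse_version(version_text)
    if v is None or v[0] != 18:
        return None
    # Assumption: every 18.x build below the fixed build is affected.
    # Tuples compare numerically, so 18.0.0.99 < 18.0.0.194 as intended.
    return [name for name, fixed in FIXED_IN_18 if v < fixed]

def triage(inventory):
    """Map host -> 'patched', 'manual check', or the list of missing fixes."""
    report = {}
    for host, version_text in inventory.items():
        missing = unpatched(version_text)
        report[host] = "manual check" if missing is None else (missing or "patched")
    return report

# Constructed inventory with hypothetical host names, not data from the post.
SAMPLE = {
    "ws-01": "18.0.0.203",
    "ws-02": "WIN 18,0,0,209",
    "ws-03": "18.0.0.161",
    "ws-04": "LNX 11,2,202,468",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```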

<p>
<em>Contributors: Andy Settle</em></p>
