This article is more than 1 year old

Flash zero day under attack

Most popular exploit kit smashing IE users, but Chrome safe

A zero day Flash vulnerability is being actively exploited by criminals using the popular Angler exploit kit.

Adobe is investigating the report by respected French malware researcher Kafeine, who found the exploit kit circulating on cybercrime forums.

The vulnerabilities affected Flash Player versions up to 15.0.0.223 and the latest 16.0.0.257, he said.

Punters on Windows 8.1 are safe, along with those using Google Chrome thanks to use of sandboxing.

Those operating other Windows platforms with Internet Explorer versions 10 and below, and some Mozilla Firefox versions, have been confirmed as vulnerable to the exploit.

More tests are being conducted by Kafeine, Adobe and likely other malware researchers including MalwareBytes' Jerome Segura (@jeromesegura).




Flash exploit. Credit: Kafeine


The free version of MalwareBytes' Anti-Exploit tool prevented the attack, but it is as yet unknown if Microsoft's Enhanced Mitigation Exploit Tool can fight the attack.

The exploit kit drops the Bedep trojan which could serve as a persistent advertising slinger and malware downloader, (last version of Win7 at least) is bypassed.

Angler remainz one of the most proflic exploit kits.

The zero-day came as Cisco warned separately that exploit kit writers were taking more time to write obfuscated code.

This would ostensibly prolong the life of investments such as the discovered Flash zero day that would decrease in effectiveness after users applied the imminent Adobe patches.

Cisco bods in a new annual report (pdf) painted Angler as the most active kit last year, followed by Sweet Orange and Goon.

"Angler’s use of Flash, Java, Microsoft Internet Explorer, and even Silverlight vulnerabilities makes this exploit kit the 'one to watch'," Cisco bods said.

"Once the exploit is triggered, the malware payload is written directly into memory in a process such as iexplore.exe, instead of being written to a disk.

"The payload delivered by Angler looks like a blob of encrypted data, which makes it harder to identify and block."

Angler was more popular having spiked in August thanks to a developer decision to nix the need to download Windows executables to foist malware.

Flash should be disabled where possible forever until a patch was issued. ®

More about

TIP US OFF

Send us news


Other stories you might like