Tag: The Flash

VU#247016: Flash Seats Mobile App for Android and iOS fails to...

Flash Seats Mobile App for Android, version 1.7.9 and earlier, and for iOS, version 1.9.51 and earlier, fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks.

Microsoft rolls out KB 4010250 Flash Player update for Windows 8.1...

Microsoft has released an old-fashioned Security Bulletin, MS 17-005, which shepherds a handful of patches for various versions of Windows.

The patches, all called KB 4010250, implement the Flash Player fixes contained in Adobe's APSB17-04, which fi...

RHSA-2017:0057-1: Critical: flash-plugin security update

An update for flash-plugin is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update upgrades Flash Player to version 24.0.0.194.

Security Fix(es):

* This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content. (CVE-2017-2925, CVE-2017-2926, CVE-2017-2927, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931, CVE-2017-2932, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935, CVE-2017-2936, CVE-2017-2937, CVE-2017-2938)

Updated package for Red Hat Enterprise Linux Desktop, Server and Workstation Supplementary (v. 6), IA-32 and x86_64: flash-plugin-24.0.0.194-1.el6_8.i686.rpm

(The unlinked packages above are only available from the Red Hat Network)

1411929 - CVE-2017-2925 CVE-2017-2926 CVE-2017-2927 CVE-2017-2928 CVE-2017-2930 CVE-2017-2931 CVE-2017-2932 CVE-2017-2933 CVE-2017-2934 CVE-2017-2935 CVE-2017-2936 CVE-2017-2937 CVE-2017-2938 flash-plugin: multiple code execution issues fixed in APSB17-02

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

Adobe patches critical flaws in Flash Player, Reader, and Acrobat

Adobe Systems released security updates for its Flash Player, Adobe Reader and Acrobat products fixing critical vulnerabilities that could allow attackers to install malware on computers. The Flash Player update fixes 13 vulnerabilities, 12 that can lead to remote code execution and one that allows attackers to bypass a security restriction and disclose information.

Adobe is not aware of any exploit for these flaws existing in the wild. Users are advised to upgrade to Flash Player version 24.0.0.194 on Windows, Mac and Linux.

The Flash Player plug-in bundled with Google Chrome, Microsoft Edge and Internet Explorer will be automatically upgraded through those browsers' respective update mechanisms. The Adobe Reader and Acrobat updates address 29 vulnerabilities, 28 of which can lead to arbitrary code execution. Like with the Flash Player flaws, Adobe is not aware of any of these vulnerabilities being exploited by attackers. The company advises Acrobat and Reader DC users to upgrade to version 15.023.20053 if they use the "continuous" release track or to version 15.006.30279 if they're on the "classic" track. Users of the older, but still supported, Acrobat XI and Reader XI should upgrade to version 11.0.19. Because of their security sandbox, which makes exploits significantly harder to implement, Adobe Reader and Acrobat are rarely targeted by hackers today compared to some years ago. However, Flash Player remains a hacker favourite, with zero-day attacks against it being relatively common and with exploits being integrated into widely used Web-based attack tools.

It’s now 2017, and your Windows PC can still be pwned...

Also: Edge is foiled by hyperlinks, Windows Server fails at authentication requests, and Microsoft is a $486bn company

Microsoft has begun its 2017 with the release of four updates to address security holes in Windows and Office, while Adobe has posted fixes for more than three dozen vulnerabilities in Flash and Reader. Microsoft's January patch load includes: MS17-001, a fix for the Edge browser to address a flaw that would let a malicious page gain elevated access privileges when the user clicks on a link. "An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies with about:blank, which could allow an attacker to access information from one domain and inject it into another domain," Microsoft says of CVE-2017-0002. The update will only be pushed out to Windows 10 and Server 2016. MS17-002 addresses a memory corruption issue in Office that allows for remote code execution in Office 2016 and SharePoint Enterprise Server 2016. The flaw, designated CVE-2017-0003, allows a specially crafted Word file to take control of the target system with the current user's access privileges.

The vulnerability was spotted by Tony Loi of FortiGuard Labs. MS17-003 is Microsoft's edition of the January Flash Player update to remedy 12 security flaws.

The patch will be automatically pushed to Windows users running Microsoft Edge or Internet Explorer 11. MS17-004 addresses a denial of service vulnerability in Local Security Authority Subsystem Service for older versions of Windows and Windows Server. Microsoft says that an attacker who sent a specially crafted authentication request to the targeted Windows (Vista through 7) or Windows Server (2008 to 2008 R2) box could trigger an automatic reset.

Discovery of the flaw, CVE-2017-0004, was credited to Nicolás Economou and Laurent Gaffie from Core Security. Meanwhile, Adobe is updating both Flash Player and Acrobat/Reader for Windows, macOS, and Linux desktops. The Flash Player update covers 13 vulnerabilities, none of which have been actively targeted in the wild yet.

Adobe is rating the fix as a critical priority for both Windows and macOS systems, as a successful exploit could allow for remote code execution. Linux systems are thought to be at lower risk for attack, but should still install the update as needed. The Adobe Acrobat and Reader update patches up 29 CVE-listed problems, including a number of remote code execution flaws in both Windows and macOS.

Adobe says it has not yet received reports of active exploits in the wild. By the way, if you update Reader, bear in mind it comes with a little surprise: a Chrome extension that sends Adobe telemetry.

RHSA-2016:2947-1: Critical: flash-plugin security update

An update for flash-plugin is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update upgrades Flash Player to version 24.0.0.186.

Security Fix(es):

* This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content. (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2016-7871, CVE-2016-7872, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7890, CVE-2016-7892)

Updated package for Red Hat Enterprise Linux Desktop, Server and Workstation Supplementary (v. 6), IA-32 and x86_64: flash-plugin-24.0.0.186-1.el6_8.i686.rpm

(The unlinked packages above are only available from the Red Hat Network)

1404307 - flash-plugin: multiple code execution issues fixed in APSB16-39

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

Need Xmas ideas? Try CVE-2015-7645, a Flash gift that keeps on...

Who the hell needs zero days? A Flash vulnerability subject to emergency patching by Adobe has been used in all major exploit kits to compromise users not already updated. The vulnerability (CVE-2015-7645) patched in October last year was the first zer...

Flash Player remains target of choice for exploit kits

Clearly, reports of Flash's death are greatly exaggerated, as exploit kits continue to successfully infect victims via unpatched versions of Flash Player. Instead of sounding Flash's death knell, get to patching. Adobe Flash Player has the dubious hono...

Millions exposed to malvertising that hid attack code in banner pixels

Millions of people visiting mainstream websites over the past two months have been exposed to a novel form of malicious ads that embed attack code in individual pixels of the banners. Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014.

Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors.

Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.

Image caption: Left: Clean picture; middle: picture with malicious content; right: malicious version enhanced for illustrative purposes. (Eset)

The malicious script is concealed in the alpha channel that defines the transparency of pixels, making it extremely difficult for even sharp-eyed ad networks to detect.

After verifying that the targeted browser isn't running in a virtual machine or connected to other types of security software often used to detect attacks, the script redirects the browser to a site that hosts three exploits for now-patched Adobe Flash vulnerabilities. "We can say that even some of the other major exploit kits, like Angler and Neutrino, are outclassed by the Stegano kit in terms of referrals—the websites onto which they managed to get the malicious banners installed," Eset researchers wrote in a report published Tuesday. "We have observed major domains, including news websites visited by millions of people every day, acting as 'referrers' hosting these advertisements. Upon hitting the advertising slot, the browser will display an ordinary-looking banner to the observer.

There is, however, a lot more to it than advertising." The ads promote applications calling themselves "Browser Defence" and "Broxu" and targeted people who visited the news sites using Internet Explorer browsers.

The script concealed in the pixels exploited a now-patched IE vulnerability indexed as CVE-2016-0162 to obtain details about the visitors' computers.

Among other things, the script checked for the presence of packet capture, sandboxing, and virtualization software and a variety of security products. Machines that didn't exhibit signs of the software and contained a vulnerable version of Flash were then redirected to the exploit site, which would serve one of two families of malware.

The Ursnif family is made up mainly of modules for stealing e-mail credentials, logging keystrokes, taking screenshots and videos, and acting as a backdoor.

The Ramnit variety of malware offers most of the same capabilities and mainly targets the banking industry. The attackers took extra pains to ensure the machines being infected didn't belong to security-savvy people who might detect what was happening.
In addition to a check carried out by the script embedded in the ad, a separate check was carried out by the exploit server before going through with the attack.

The Eset report didn't identify any of the sites that delivered the malicious ads.
It did say that the people exposed were concentrated in Canada, the UK, Australia, Spain, and Italy, which are the countries served by the affected ad networks.

Earlier versions of the campaign from 2014 and 2015 targeted people in the Netherlands and the Czech Republic.

The Flash vulnerabilities exploited included CVE-2015-8641, CVE-2016-1019, and CVE-2016-4117. Update: To execute the hidden payload, the malicious ads load a heavily modified version of Countly, an open-source package for measuring website traffic.

That JavaScript extracts the hidden code out of the image and executes it.

Because there's nothing per se malicious in the JavaScript, ad networks fail to detect what's happening. Referring to an ad located at hxxps://browser-defence.com/ads/s/index.html?w=160&h=600, Eset researchers described it this way: The index.html loads countly.min.js and feeds the initial parameters to the script.

This countly, however, is not the stock library of the open source mobile & web analytics platform you would download from github.
It is a heavily modified and obfuscated version, with some parts deleted and interlaced with custom code.

This custom code is responsible for an initial environment check.
Information about the environment is reported back to the server as XOR-encrypted parameters of the 1x1gif file, as captured in the image above. The following information about the environment is sent: systemLocale^screenResolution^GMT offset^Date^userAgent^pixelRatio. After that, the script will request the advertising banner.

The server will reply with either a clean or a malicious version, most likely also depending on the previous environment check. The script will then attempt to load the banner and read the RGBA structure.
If a malicious version of the image was received, it will decode some Javascript and variables from the alpha channel. The steganography is implemented in the following way: Two consecutive alpha values represent the tens and ones of a character code, encoded as a difference from 255 (the full alpha). Moreover, in order to make the change more difficult to spot by naked eye, the difference is minimized using an offset of 32.

Researchers from Eset competitor Malwarebytes have published their own write-up of the campaign, which they are calling AdGholas. Despite targeting only people using IE and unpatched versions of Flash, Stegano is noteworthy for its concealment of exploit code in the pixels of the banner ads.

There's no reason future campaigns—or possibly ongoing ones that have yet to be discovered—couldn't exploit zero-day vulnerabilities that infected a much larger base of people. Until ad networks get much better at detecting malvertising campaigns, the scourge is likely to continue.

Flash Exploit Found in Seven Exploit Kits

A nasty Adobe Flash zero-day vulnerability that was remediated in an emergency update in October 2015 was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future. The Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide.

APT 28, also known as Sofacy, frequently targets NATO-allied political targets and in November was singled out by Microsoft for using separate Flash and Windows zero days in targeted attacks this year. The Flash bug was among the first to be used after Adobe implemented new mitigations into the software to combat memory-based attacks.

Despite the improvements in Flash security, attackers still take a shine to these exploits. Recorded Future’s report “New Kit, Same Player” says that six of the top 10 vulnerabilities used in exploit kits were Flash Player bugs, followed by Internet Explorer, Windows and Silverlight exploits. None of this year’s top 10 vulnerabilities were present in a similar analysis done last year. Exploit kits, meanwhile, have been reduced in prominence since the disappearance of a number of popular kits, including Angler and Nuclear.

Angler was particularly popular with criminals; it was updated frequently and sold in a number of underground forums.

The June arrest of a Russian cybercrime outfit behind the Lurk Trojan, however, spelled the end of days for Angler. Researchers at Kaspersky Lab confirmed the connection between the Lurk gang and Angler distribution in an August report. Nonetheless, exploit kits remain a threat and a vehicle for attacks that include ransomware, click fraud and adware.
Victims are compromised in a number of ways, including drive-by attacks, malvertising or links in emails, all of which direct the victim’s browser to the exploit kit’s landing page.

Code on the page determines the browser being used and launches the exploit most likely to hit paydirt. CVE-2015-7645 was found in Angler, as well as in Neutrino, Magnitude, RIG, Nuclear Pack, Spartan and Hunger.
It, by far, had the highest penetration into exploit kits, according to Recorded Future. But since Angler’s demise earlier this year, Sundown has risen to a measure of prominence with its maintainers updating the kit often with new exploits.
Sundown’s payload, however, differs in that it drops banking Trojans on users’ machines. Recorded Future said this kit also relies on domain shadowing more than its counterparts in order to register subdomains that are used to host attacks. Sundown also contained CVE-2016-0189, an Internet Explorer bug used in targeted attacks against South Korean organizations earlier this year. Microsoft patched it in July, but already it had been used by Neutrino as well.

The IE bug, Recorded Future said, was the top flaw found in exploit kits, referenced more than 600 times.

CVE-2016-1019 and CVE-2016-4117, two other Flash Player bugs, round out the top three.

CVE-2016-4117 was used by the ScarCruft APT group, Kaspersky Lab researchers said in June, in watering hole attacks.

Adobe Flash Flaws Dominate Exploit Kits In 2016

The top 10 vulnerabilities this year were mostly Adobe Flash, followed by Internet Explorer, according to a Recorded Future study. Six of the top 10 vulnerabilities found in cyberattack exploit kits in 2016 were bugs in Adobe Flash Player – including one Flash flaw that was packaged with a whopping seven different exploit kits, new research found. Recorded Future studied the contents of 141 exploit kits from Nov. 16, 2015 to Nov. 15 of this year, and found that Flash for the second year running led as the application whose vulns were used most in exploit kits; Flash comprised 8 of the top 10 last year. "A large majority of exploit kits have Adobe Flash Player vulnerabilities, so at the end of the day, not a whole lot has changed" with Flash's prevalence in exploit kits since last year's study, says Scott Donnelly, director of technical solutions at Recorded Future. Interestingly, the Flash vulnerability found in the most exploit kits by Recorded Future's research, CVE-2015-7645 - which lives in seven exploit kits - was the first zero-day Flash flaw discovered in the wake of Adobe's efforts over the past year to better secure its software with code-structure updates and mitigation features.

Adobe worked with Google's Project Zero team to add attack mitigation features to Flash last year. Meanwhile, Microsoft Internet Explorer, Silverlight, and Windows vulnerabilities also made the top 10 list, with IE's CVE-2016-0189 as the number one flaw found in exploit kits overall. "CVE-2016-0189's impact is tied to multiple version of IE it affects as well as its link to three active exploit kits including Sundown and RIG, which have helped fill the void left by the Angler Exploit Kit," according to Recorded Future's report published today, "New Kit, Same Player: Top 10 Vulnerabilities Used by Exploit Kits in 2016." Recorded Future also found that the exploit kits that have stepped up to fill the gap of the now-defunct Angler exploit are Sundown, RIG, and Neutrino.

Flash-y

The Flash CVE-2015-7645 flaw affects Windows, Mac, and Linux operating systems, which Recorded Future said makes it especially attractive and "versatile" for attackers.

The flaw, which Trend Micro had dubbed a "method confusion" bug, was used by the Russian state hacking group known as Pawn Storm/APT 28/Fancy Bear.

The attack group sent spear phishing emails to foreign affairs ministers in various nations and rigged the URLs with exploits for the flaw, which allows an attacker to wrest control of the victim's machine. Its dominance among exploit kits came as a bit of a surprise to researchers since Adobe had been working on better securing its apps. "Theoretically, that was the more secure version" of Adobe software, Donnelly says. But the vuln is fairly simple to exploit, and isn't always patched, according to Recorded Future. "While the vulnerability was patched by Adobe fairly quickly, its ease of exploitation and the breadth of operating systems affected have kept it active. Unfortunately, slow enterprise patching and lack of knowledge by home users mean the vulnerability still manages to help kits infect machines," the report says. None of the vulnerabilities that made the top 10 in last year's report were found this year in exploit kits. "These were all new" vulnerabilities, Donnelly says. Another key finding of the report was that the new exploit kit on the block, Sundown, is making inroads.
Sundown, which reuses other kits' exploits, appears to be the handiwork of less sophisticated authors, experts say. "It's not like Angler and Neutrino, which were written from scratch by sharp guys," says CW Walker, a Recorded Future researcher. "It's gaining a lot of popularity, but it doesn't require the same support as Tier 1, AAA-level exploit kits in the past."

Checklist

Recorded Future says the best bet is to patch the vulns it cites in the report, as well as get rid of any of these affected apps that aren't needed by the business.

The security firm in its report also recommends:

* Enable "click to play" for Flash
* Take a look at running Google Chrome, which benefits from Google Project Zero's work and study of Flash flaws
* Deploy browser ad-blockers to protect from malvertising attacks
* Run regular backups, especially for shared files

Kelly Jackson Higgins is Executive Editor at DarkReading.com.
She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

How to survive the death of Flash

Seven years ago, Steve Jobs launched the once-popular Adobe Flash into a long, slow death spiral when he announced that Flash would not be installed on any of his cutting-edge products, particularly the iPad and iPhone. Jobs argued that Flash was slow, cumbersome, battery intensive, incompatible with touch-screens, and had massive security issues. Since then, Flash has fallen out of favor for a number of very good reasons. First, it remains a serious security concern. Second, around five years ago, Adobe announced that Flash would not be available for mobile devices, which is where Internet users were headed. And third, HTML5 emerged in 2014 as an adequate replacement for Flash as a development platform for multimedia applications such as animation and games. Five years ago, Flash was active on close to 30 percent of all websites. Today, that number is down to less than 8 percent, according to W3Techs, a division of Q-Success Management Consulting. However, Flash is still being used on some of the major sites on the Internet, including the New York Times, salesforce.com, Fox News, Spotify and Starbucks. And while Adobe has recognized that Flash’s best days are behind it, the company is continuing to patch and update the software. And end users continue to download the Flash player plug-in, even though most security pros consider it a serious risk.