Flash Greets 2015 With New Zero-Day Vulnerability

23 January 2015 – Trend Micro has recently learned of a new problem affecting Adobe Flash. This is a serious situation that affects nearly everyone using Microsoft Windows. Below is an easy-to-understand summary of what you need to know and what you can do to reduce your exposure to this vulnerability.

What Is the Problem?

There is a newly discovered vulnerability affecting Adobe Flash Player for Microsoft Windows. This vulnerability, or flaw, can be used by attackers to run code or programs on your Windows computer as if you had run them yourself. Anything you can do on your computer, the attacker’s program can do; in the worst case, that means installing malware on your computer.

New vulnerabilities are found all the time. Usually, however, by the time they are disclosed there is already a patch or security update that fixes the problem before attackers and cybercriminals can take advantage of it to create malware or launch attacks. As long as you keep your system up to date, you’re protected against most vulnerability exploits. In this case, though, researchers, including our TrendLabs researchers, have found that attackers discovered this vulnerability first and have been taking advantage of it before a patch is available. This kind of situation is called a “zero-day” situation, because defenders have had “zero days” to provide protection against the exploits and attacks. It means that even if you keep your systems up to date, you’re still at risk of becoming a victim of an attack until Adobe releases a patch. That patch is not expected until next week; Adobe did recently release a patch, but it fixed a separate vulnerability, not the one discussed here.

In addition, we’ve found that the attacks we’ve seen are using malicious banner ads (called “malvertisements”) to spread malware. Malvertising is a technique of pushing malicious or malware-laden ads into legitimate advertising networks that, in turn, display the ads you see on legitimate and popular sites. This means your employees can go to trusted sites you expect to be safe and may still get malware into your network. This is a particularly nasty form of attack, one that puts almost all users at great risk.

The situation is even more serious because this vulnerability is being used by what we call an “exploit kit”: a tool that cybercriminals make and sell to other cybercriminals so they can carry out attacks. An exploit kit spreads attacks much more widely. This particular vulnerability is being used in the “Angler” exploit kit, which is one of the most commonly used exploit kits today.

Taken all together, this means that this is a vulnerability that can be widely exploited. It is a very serious situation that everyone running Microsoft Windows should be aware of.

What Can Businesses Do About It?

The two most important things that businesses can do to protect their systems are the following:

In this case, because it’s a zero-day situation, step #1 will only come into effect once Adobe releases a patch for this vulnerability. When Adobe does release a patch, you should apply it to your systems as soon as possible. Until then, in the absence of an Adobe bulletin, users may consider disabling Flash Player until a fixed version is released.
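The stopgap described above, disabling Flash Player until a fixed build is installed, can be handled consistently across a Windows fleet with a script. The following PowerShell is an added example and is not Trend Micro’s or Adobe’s code. It inventories the Flash Player binaries on a host (the ActiveX control Internet Explorer uses and the NPAPI plugin other browsers use) and, when run with `-Apply` from an elevated prompt, sets the Internet Explorer ActiveX “kill bit” for the Flash control so IE will refuse to load it. It assumes the standard Flash install location under `Macromed\Flash`, the well-known Flash ActiveX CLSID `{D27CDB6E-AE6D-11cf-96B8-444553540000}`, and Microsoft’s documented kill-bit layout (`Compatibility Flags` DWORD with bit `0x400`). The kill bit only affects Internet Explorer; Firefox and Chrome users still need the plugin disabled through the browser’s own plugin settings.

```powershell
<#
  Added example (not Trend Micro's or Adobe's code).
  Reports installed Flash Player components and, with -Apply, sets the IE
  ActiveX kill bit for the Flash control as a temporary mitigation.
  Assumptions: Flash CLSID below and the Microsoft kill-bit registry layout.
  Run from an elevated PowerShell prompt when using -Apply.
#>
param(
    [switch]$Apply   # without -Apply the script only reports; with it, sets the kill bit
)

# Well-known CLSID of the Flash Player ActiveX control ("Shockwave Flash Object").
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
$KillBit    = 0x400   # KILLBIT flag: IE refuses to instantiate the control

# Flash installs its binaries under System32 (and under SysWOW64 on 64-bit Windows).
$flashDirs = @("$env:SystemRoot\System32\Macromed\Flash")
if (Test-Path "$env:SystemRoot\SysWOW64\Macromed\Flash") {
    $flashDirs += "$env:SystemRoot\SysWOW64\Macromed\Flash"
}

function Get-FlashInventory {
    foreach ($dir in $flashDirs) {
        if (-not (Test-Path $dir)) { continue }
        # Flash*.ocx = ActiveX control (IE); NPSWF*.dll = NPAPI plugin (Firefox and others)
        Get-ChildItem -Path $dir -Include 'Flash*.ocx', 'NPSWF*.dll' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Component = $_.Name
                    Path      = $_.FullName
                    Version   = $_.VersionInfo.FileVersion   # compare against Adobe's fixed build once published
                }
            }
    }
}

function Get-FlashKillBitState {
    if (-not (Test-Path $KillBitKey)) { return 'not set (key absent)' }
    $flags = (Get-ItemProperty -Path $KillBitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'not set (value absent)' }
    if (($flags -band $KillBit) -ne 0) { return 'SET' }
    return ('not set (flags=0x{0:X})' -f $flags)
}

function Set-FlashKillBit {
    if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $KillBitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in so that any flags already present are preserved.
    New-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

$inventory = @(Get-FlashInventory)
if ($inventory.Count -eq 0) {
    Write-Output 'No Flash Player binaries found under Macromed\Flash.'
} else {
    $inventory | Format-Table -AutoSize
}
Write-Output ('IE kill bit for Flash ActiveX control: {0}' -f (Get-FlashKillBitState))

if ($Apply) {
    Set-FlashKillBit
    Write-Output ('Kill bit applied; state is now: {0}' -f (Get-FlashKillBitState))
    Write-Output 'Clear bit 0x400 in "Compatibility Flags" once the patched Flash build is installed.'
}
```

Run it without switches first to see which Flash builds are present and whether the kill bit is already set; the version column is what you compare against Adobe’s fixed build number once the bulletin is out. The kill bit is deliberately OR-ed into any existing flags rather than overwriting them, and it should be cleared again after patching so IE can load the fixed control.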

This is why at Trend Micro, we always recommend that businesses keep themselves well-protected with a comprehensive, end-to-end Advanced Persistent Threat (APT) solution. While some might think that this will be expensive to implement, there are effective APT solutions on the market today that leverage economies of scale to ensure affordability. Our existing solutions are able to detect this threat, preventing users from becoming the next victims of this attack.

Right now, there is no indication that attackers are targeting Adobe Flash Player on other platforms like Mac or Android. If you use these platforms, though, you should still make sure that you’re running security software, and that you apply security patches from Adobe as soon as possible.

For more information, please refer to the related blog post from Trend Micro.