IT security experts are warning Adobe Flash users to be aware of a couple of new zero-day vulnerabilities identified in the program. While Adobe has released updates to fix one of the vulnerabilities, it doesn't expect to have a patch ready for the other until next week.
The unresolved vulnerability targets users running Windows 8 or earlier versions of the OS and either Internet Explorer or Firefox. Chrome users and people with Windows 8.1 are not at risk, according to the Internet Storm Center. Adobe describes the unresolved security problem as a critical vulnerability. The yet-to-be-patched vulnerability is identified by Adobe as APSA15-01, or CVE-2015-0311.
Drive-By Download Attacks
"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe warned Thursday in a security bulletin post on its Web site. "We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below."
Another vulnerability, identified this week by security researcher Kafeine, was addressed with an update released Thursday by Adobe. That problem, identified as APSB15-02 and given the CVE (Common Vulnerabilities and Exposures) number CVE-2015-0310, opened up the possibility of malicious actors being able to load fraudulent ads into users' browsers.
We reached out to Karl Sigler, Threat Intelligence Manager at the Chicago-based cybersecurity firm Trustwave, to get advice on how people can protect themselves against such vulnerabilities before patches are issued.
"Users should be wary of links sent in untrusted emails or documents," Sigler told us. "This is the primary method that criminals use to lure users to exploit kits like Angler that are using this Adobe attack. Businesses should use gateway technologies that block and detect malware in real-time. In a business environment this will prevent internal users from even being presented with the Angler exploit kit that is currently running the Flash exploits."
These types of attacks require the criminals to lure their victims to malicious Web sites under their control, which limits the number of people who could be affected, he said. "Users can protect themselves to a large extent by learning how to identify phishing emails and not clicking on untrusted links or opening untrusted documents," Sigler added.
Users 'Overwhelmed' by Security Challenges
While one of the vulnerabilities has now been resolved with a patch, it was a Flash zero-day that no one had seen before, according to Trustwave.
The attack was three-pronged, using the Angler exploit kit, a malicious Web site and the Adobe Flash vulnerability to install malware called Bedep.
"Bedep . . . can load fraudulent ads in your browser or download other malware like Cryptolocker," Trustwave noted. "Criminals are targeting users who have vulnerable browsers. Even if users reboot their computer, the malware will stay installed."
In a study commissioned by Osterman Research published earlier this week, Trustwave reported that both individuals and companies are finding themselves overwhelmed by "having to cope with skilled attackers, sophisticated threats, massive data proliferation, continued worker mobility and the meteoric rise of Internet-connected devices."
While average spending on security software increased last year, a significant proportion of the typical investment -- $33 out of every $115 spent -- was underutilized or never used at all, Trustwave reported.
"The four most significant reasons for products turning into shelfware were all focused on insufficient IT staff resources: IT was too busy to implement the software properly, the department did not have enough time to do so, there simply were not enough people available to help, or IT did not understand the software well enough," according to Trustwave.
Posted: 2015-01-26 @ 6:27am PT
The makers of Adobe Flash have done everything in their power to make the present situation a reality and nothing to stop it. Solution: Disable and uninstall Adobe Flash.
Posted: 2015-01-23 @ 2:11pm PT
Uninstall Adobe Flash. It is only used by obsolete video sites that could upgrade to HTML5.