Update: Flash and Java Emergency Zero-Day Patches
Adobe recently issued an emergency patch outside of their normal patch release schedule for a Flash zero-day, CVE-2015-7645, reported by Trend Micro security researchers. The vulnerability affects Flash versions 220.127.116.11 and 18.104.22.168.
The vulnerability could allow an attacker to execute code on an affected system, and it has been used primarily in targeted phishing campaigns intended to steal credentials. According to Trend Micro, the exploit has been used in the wild against government agencies as part of an espionage campaign waged by a group known as Pawn Storm.
Patch for Flash...Again
Updating your systems and browsers to the latest version of Flash with the emergency patch is advised, as Adobe has categorized the priority level as 1, meaning:
This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for example, within 72 hours).
But not everyone updates their systems right away, especially for patches released off schedule. Based on Duo data analytics, we’ve found that 91 percent of users hadn’t updated to the latest iOS version a week after it was released. That left them exposed to more than 70 critical documented vulnerabilities during that time. Get the latest on iOS security in Identifying Bad Apples: Getting to the Core of iOS Vulnerabilities.
Our analytics also show that on average, 46 percent of corporate PCs are running out-of-date browser versions and Flash and Java plugins, putting them at risk of getting compromised. Yet another datapoint reveals that 30 percent of users are running an outdated version of Flash (version 18 or lower) - yikes. See the full infographic on The Current State of Endpoint Security.
Another option is to disable Flash entirely. Here’s how to do it in your browsers, and on Macs and Windows.
Recent Java Patches and Vulnerabilities
Oracle released a critical patch on Tuesday resolving a total of 154 vulnerabilities, 25 of which affect Java SE. Most of these issues can be exploited remotely without authentication.
Twenty of the vulnerabilities affect only Java running in web browsers. Considering that nearly 50 percent of users are running an outdated version, according to Duo’s analytics, many are affected.
A Java zero-day, CVE-2015-2590, was found to be used as part of the attacks carried out by Pawn Storm, as reported by Trend Micro. They found another, separate vulnerability that was used to bypass the click-to-play protection used by Java.
Click-to-play requires a user to verify and click on the Java app before it executes. Bypassing this functionality means an attacker can run malicious Java code without any user prompts or alerts, which can put your users at risk without detection or notification.
Protecting Against Flash and Java Vulnerabilities
While these vulnerabilities can be used to compromise a system and steal primary credentials (usernames and passwords), they wouldn’t be effective in bypassing two-factor authentication. Two-factor authentication would prevent unauthorized logins resulting from stolen credentials.
If you have a lot of users and not a lot of visibility into what kind of devices, browsers and plugins they’re running as they log into your company’s applications, Duo’s Device Insight and Device Analysis features can change that.
These endpoint security tools let you see high-level and in-depth data on your users’ devices, including:
- How many users have Java and Flash enabled on their devices used to access your corporate network
- How many are out of date
- How many are vulnerable, by comparing plugin versions to the CVE database
- Which users are using which devices
We do the analysis so you don’t have to, flagging any outdated and vulnerable devices. Our Self-Remediation feature can notify your users, as they log into Duo, about any plugins or browsers that need to be updated. These features are included in Duo Access.
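As an added illustration of the plugin-version check described in the bullets above (example code written for this page, not Duo’s own code and not a description of how Device Insight is implemented), the script below parses Flash and Java version strings numerically and flags devices running below a minimum version. The minimum versions and the device inventory are constructed placeholders, not the patched versions from Adobe’s or Oracle’s advisories.

```python
import re
from typing import Dict, List, Tuple

# Assumed minimum acceptable versions per plugin (placeholders for the
# example). The page itself only states that Flash major version 18 or
# lower is outdated; pick real thresholds from the vendor advisories.
MIN_VERSIONS: Dict[str, str] = {
    "flash": "19.0.0.0",
    "java": "1.8.0_65",
}

# Constructed sample inventory: one record per device that logs in.
DEVICES: List[Dict[str, str]] = [
    {"user": "alice", "flash": "18.0.0.252", "java": "1.8.0_60"},
    {"user": "bob", "flash": "19.0.0.226"},
    {"user": "carol", "java": "1.7.0_80"},
    {"user": "dave"},  # neither plugin installed: nothing to patch
    {"user": "erin", "flash": "9.0.0.1", "java": "1.8.0_65"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert "18.0.0.252" or Java-style "1.8.0_60" into a tuple of ints.

    Comparing integer tuples avoids the classic inventory bug where a
    string comparison ranks "9.0.0.1" above "18.0.0.252".
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_outdated(plugin: str, version: str) -> bool:
    """True if `version` is below the configured minimum for `plugin`."""
    have, need = parse_version(version), parse_version(MIN_VERSIONS[plugin])
    width = max(len(have), len(need))  # pad so "19.0" == "19.0.0.0"
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


def flag_devices(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (user, plugin, version) for every outdated plugin seen."""
    return [(r["user"], plugin, r[plugin])
            for r in records for plugin in MIN_VERSIONS
            if plugin in r and is_outdated(plugin, r[plugin])]


def summarize(records: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per plugin: how many devices have it enabled and how many are outdated."""
    summary = {p: {"enabled": 0, "outdated": 0} for p in MIN_VERSIONS}
    for r in records:
        for plugin in MIN_VERSIONS:
            if plugin in r:
                summary[plugin]["enabled"] += 1
                summary[plugin]["outdated"] += int(is_outdated(plugin, r[plugin]))
    return summary
```

Running `flag_devices(DEVICES)` on the sample inventory flags four plugin installs (alice’s Flash and Java, carol’s Java and erin’s Flash), and `summarize(DEVICES)` reports three devices with each plugin enabled, two of them outdated.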