Update Soon: Emergency Patch for Another Critical Flash Vulnerability
Be on the lookout for yet another Adobe Flash Player emergency patch to apply immediately if your users still have Flash installed on their devices, to be released as soon as tomorrow.
This is an emergency because attackers are actively exploiting the critical vulnerability, CVE-2016-1019, which affects Flash version 22.214.171.124 on Windows, Mac, Linux and Chrome OS. While Adobe typically releases Flash updates on Patch Tuesday, same as Microsoft, the company does issue emergency patches for critical vulnerabilities seen in use in the wild.
Adobe’s security advisory warns that successful exploitation could cause a crash and allow an attacker to take control of the affected system. In a recent update to an Adobe Product Security Incident Response Team (PSIRT) blog, the company reports that the vulnerability is being exploited on systems running Windows 10 and earlier with Flash version 126.96.36.1996 and earlier (not Windows 7 and XP as previously reported).
That means, even if your Windows operating system is up to date, running an outdated version of Flash Player on your browsers can put your company at risk of exploitation, resulting in data loss or malware infection.
There is a mitigation in Flash version 188.8.131.52 that protects users against this exploit, and Adobe encourages users to update and install the update in each browser installed on your system.
Exploiting Flash Vulnerabilities
We hear about the 700+ vulnerabilities, many of them critical, that affect different, older versions of Flash Player, but how does an attacker actually get control of your computer and steal data?
Late last year, Trend Micro reported on a Flash zero-day vulnerability used in a campaign targeting specific foreign affairs ministries. The campaign sent a number of targeted phishing emails that contained a URL. The content was crafted to appear to be sharing news articles pertaining to current events.
When the user clicked on the URL in the email, they download a number of dynamic link libraries (DLL) files that contain code, data and resources, similar to executables. Then, the malware is downloaded onto the user’s system and exploits the Flash vulnerability to gain control (this process varies by different types of vulnerabilities). Trend Micro offers a more technical explanation under Analyzing the Vulnerability’s Root Cause of how attackers used the Method Confusion vulnerability in this scenario.
Redirects and Exploit Kits
Another way an attacker can leverage a Flash vulnerability is by first injecting code into legitimate websites that can redirect users from the original site.
A user may click on a website link in their browser, then get redirected to a hacker’s landing page containing an exploit kit. The exploit kit checks if a user can be exploited using a Flash vulnerability and can execute malware that steals data or controls the machine.
Learn about other Flash exploit delivery methods in Flash Vulnerabilities & Exploits: An Information Security Primer.
Protecting Against Flash Exploits
Uninstalling Flash is one way to go; browsing securely another way. Google Chrome (and other browsers) feature a click-to-play built-in functionality that requires a user to click on the ad or video before playing it. This is an opt-in feature, meaning the user must enable it, or an administrator. Certain security plugins for your browser can also stop Flash from loading unless the user clicks on it.
Another way administrators can get insight into the plugins on any device logging into their company’s applications is with Duo’s Device Insight, which tracks the different Flash versions in your environment. This data is distilled into our User & Device reports that shows you can see exactly which devices are out of date, and even when Adobe (or another vendor) releases a new version.
To reduce the risk of introducing vulnerabilities and malware to your company, you can create custom policies and controls to notify, warn, and block any users running outdated versions of Flash. Learn more about our endpoint visibility solution.