Adobe Issues Emergency Patch For Flash In Response To Zero-Day Exploit


Another day, another Adobe Flash vulnerability.

A flaw in the notoriously vulnerable software has prompted Adobe to deviate from its regular update schedule (the second Tuesday of the month, like Microsoft) to issue a critical patch. This, however, isn't your run-of-the-mill vulnerability.

Photo credit: João Silas, StockSnap

Cybersecurity company Proofpoint first identified the severe vulnerability in Adobe Flash at the end of last week. With confirmation from fellow cybersecurity researchers at FireEye, the Proofpoint team classified the vulnerability as a “zero day” exploit—a previously unknown flaw in the system—that cyber criminals were using to deliver ransomware to computers via Flash.

“To see them using it for a ransomware especially when it is a vulnerability in something that is as widespread as Flash—Flash has possibly a billion users—not only does that underscore the scale of the ransomware problem, but it shows just how lucrative it is,” Ryan Kalember, senior vice president of cybersecurity at Proofpoint, told FORBES in an interview.

On Thursday, Adobe issued a patch to address the vulnerability (now known as CVE-2016-1019), which Proofpoint first became aware of on April 2, when it prevented the exploit from affecting a client. Proofpoint informed Adobe of the vulnerability, and the software company immediately issued a warning to users and announced the imminent patch for Windows, Macintosh, Linux and Chrome OS. Prior to today's patch, all versions of Flash were vulnerable to the attack, even the most up-to-date one. Interestingly, however, the exploit had only been targeting older versions of Flash since it entered the wild on March 31.

“There was no reason for them to do that actually. We couldn’t tell if this was a mistake or intentional,” said Kalember. “They had a weapon that would work against any form of defenses, but they intentionally had it only targeting older [versions].”

According to Kalember, this is a not-uncommon technique among cyber criminals known as a “degraded” implementation. Threat actors typically use this approach when they are relying on known, commonplace exploits to take advantage of people who haven’t updated to the latest versions of software. There was no reason to do this with a zero-day exploit, which works against fully patched systems as well.

“All it needs is Flash on the computer. It doesn’t need to be open,” he said. “Most software programs can basically be turned on by other software programs, or what we call invoked programmatically. So if Flash is there—that’s enough.”

Proofpoint discovered that the exploit was calling a vulnerable, undocumented API in Flash. The company first observed it primarily spreading Cerber ransomware, which takes control of victims’ computers and encrypts files until they pay a Bitcoin ransom, the amount of which increases the more time passes without payment. It was also observed spreading Locky ransomware.

“It was interesting that they could even find an undocumented API, but Flash is so widely used that it might be worthwhile to do that level of analysis that would lead you to an undocumented API and then do what we call arbitrary code execution,” explained Kalember.

To deploy the exploit against Proofpoint’s client and others, the cyber criminals used an exploit kit, which is essentially a piece of software that runs on a web server, identifies vulnerable software on a visitor's system (think: old versions of Java or Flash) and then delivers malware through those vulnerabilities. On the black market, exploit kits can run anywhere from a few hundred dollars to subscription-based kits that cost a threat actor tens of thousands of dollars, depending on how effective they are. This particular threat actor was using an exploit kit by the name of Magnitude, but the exploit has since been found in other kits.

“Cybercrime groups will make an investment in a couple of different exploit kits if they're looking to diversify their risk and are operating at a really high scale,” Kalember added. “But most of the time they will pick one and stick with that kit until it doesn’t work anymore or it gets an update.”

According to Proofpoint’s research, the Magnitude exploit kit seems to have been used by only one actor in recent months, so the company is fairly certain it is the same group it has observed spreading Cryptowall and Teslacrypt malware over the last few months and, most recently, Cerber ransomware.

“Any time you find a zero day that hasn’t been used anywhere else and no one has seen it before, the bad guys know just how valuable it is,” said Kalember. “That is the sort of thing you can sell to a government for millions of dollars or sell to any number of private groups that are very interested in offensive cyber capabilities for lots and lots of money.”

Kalember’s advice for individuals and enterprises? If you can, uninstall Flash from your computer and only use Flash in a contained environment like Google Chrome’s sandbox. If Flash is essential to your enterprise, you need an advanced threat solution on the email vector that will block the method of transmission.

At the very least—upgrade Flash today.
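Because every Flash version released before the emergency patch was affected, a patch-compliance check for this bug has to flag any host below the fixed build rather than only the very old installs the exploit kit happened to target. The following script is an added example, not part of the article or Proofpoint's tooling; the host inventory is constructed, and the threshold version is a placeholder to be replaced with the version named in Adobe's bulletin for CVE-2016-1019.

```python
"""Flag hosts whose installed Flash Player predates the emergency patch.

Added example with constructed data. PATCHED_VERSION is a placeholder;
substitute the fixed version from Adobe's CVE-2016-1019 bulletin.
"""

PATCHED_VERSION = "21.0.0.999"  # PLACEHOLDER, not the real patched build number


def parse_version(text):
    """Turn a dotted version string such as '21.0.0.182' into a 4-tuple of ints.

    Flash builds are four components; shorter strings are padded with zeros
    and trailing non-digit suffixes (e.g. '182-beta') are dropped so that
    ordinary tuple comparison orders versions correctly.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component in {text!r}")
        parts.append(int(digits))
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def is_vulnerable(installed, patched=PATCHED_VERSION):
    """True when the installed build is strictly older than the patched build."""
    return parse_version(installed) < parse_version(patched)


def hosts_needing_update(inventory, patched=PATCHED_VERSION):
    """Return (host, platform, version) for every host still on a vulnerable build.

    inventory: iterable of (hostname, platform, installed_version_or_None).
    Hosts with no Flash at all (None) are skipped: nothing to patch there.
    """
    flagged = []
    for host, platform, version in inventory:
        if version is None:
            continue
        if is_vulnerable(version, patched):
            flagged.append((host, platform, version))
    return flagged


# Constructed sample inventory: hostnames, platforms and versions are made up.
SAMPLE_INVENTORY = [
    ("ws-finance-01", "Windows", "21.0.0.182"),   # current-at-the-time, still vulnerable
    ("ws-finance-02", "Windows", "18.0.0.160"),   # the kind of old build the kit targeted
    ("mac-design-03", "Macintosh", "21.0.0.999"), # placeholder patched build
    ("lnx-build-04", "Linux", None),              # Flash never installed
    ("cb-kiosk-05", "Chrome OS", "22.0"),         # newer, short version string
]

if __name__ == "__main__":
    for host, platform, version in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host} ({platform}): Flash {version} needs the emergency patch")
```

Feeding the script a real inventory (for example, the output of an endpoint-management query) turns Kalember's "upgrade today" into a list of specific hosts, and the None case documents which machines have already followed the first half of his advice by removing Flash altogether.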