
What Happens When You Ignore a Flash Security Patch?


RV_


Folks, I posted about this severe and under-attack Flash vulnerability a couple of days ago, on Thursday, as soon as the patch came out. Yesterday I found that dozens of serious attacks were carried out successfully just a few days after the vulnerability in Flash was announced. To safely update Flash on Windows 7, you use the Control Panel to get to the Flash app and then go to the Update tab. On Windows 8/8.1/10, just run Windows Update. It was fixed several days ago.

 

I'm just posting a real-world scenario from after the patch was issued. As shown below, it is becoming extremely hard to directly compromise Windows IF machines are PATCHED WITH ALL WINDOWS UPDATES.

 

Then the next biggest attack vectors are third-party programs like Flash, which has a vulnerability exploited monthly or more often, and Adobe Reader, which with Windows 8-10 can be uninstalled because Windows has its own PDF reader. On older Win 7 machines you can download Foxit Reader and avoid the mass attacks. Then Java is next, which I uninstalled on my machines and load only when absolutely necessary, then uninstall as soon as I finish using it.

 

The problem isn't that once patched they go away, so little guys like us can ignore the frequent patches required. The problem is that the script kiddies can then go for you as low-hanging fruit if you are not patched.

 

Or like these folks in Asia and Russia you can be infected and hacked:

 

ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks

 

Excerpt:

 

"Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia.

 

Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak.

 

Researchers said the group has a number of operations under way and that it has two Flash exploits and another against Microsoft’s Internet Explorer at its disposal. Kaspersky speculates that this group could also be behind another zero-day, CVE-2016-0147, a vulnerability in Microsoft XML Core Services that was patched in April.

 

In a report from Kaspersky Lab, researchers said the vulnerability is in Flash code that parses ExecPolicy metadata. ScarCruft’s exploit implements read/write operations at a particular address in memory that can allow for full remote code execution. Full details are explained in the Kaspersky Lab report published today.

 

The attack happens in stages starting with shellcode downloading and executing a malicious DLL that loads in Flash and also includes a technique designed to bypass antivirus detection using the Windows DDE component, or Dynamic Data Exchange, a protocol that facilitates data transfers between applications.

 

Kaspersky researchers said this part of the attack makes “clever” use of Windows DDE.

 

“The main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method, the program will be executed,” Kaspersky Lab said in its report. “This is an undocumented behavior in Microsoft Windows.”

 

Kaspersky’s research indicates there have been more than two dozen Operation Daybreak victims to date, including an Asian law enforcement agency, a large Asian trading company, an American mobile advertising company and individuals affiliated with the International Association of Athletics Federations (IAAF), some of which were compromised in the past few days.

 

Attacks start with spear-phishing emails that include a link to a website hosting an exploit kit associated with ScarCruft and used in other attacks. The exploit kit eventually redirects victims’ browsers to a server in Poland controlled by the attackers.

 

“The ScarCruft APT group is a relatively new player and managed to stay under the radar for some time,” researchers wrote. “In general, their work is very professional and focused. Their tools and techniques are well above the average.”

 

Another set of attacks called Operation Erebus leverages another Flash exploit, CVE-2016-4117, and relies on watering hole attacks as a means of propagation. Watering hole attacks involve compromising a site frequented by the target and serving exploits to site visitors that redirect to malware, often spy tools.

 

Adobe has implemented a number of mitigations in Flash that defend against memory-based attacks in particular and that also make zero days incrementally more difficult. While Adobe and outside researchers continue to find and patch critical issues in Flash Player, public attacks against unknown Flash flaws are much less frequent.

 

“Nowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be coupled with a Sandbox bypass exploit, which makes them rather tricky. Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult,” Kaspersky researchers wrote. “Nevertheless, resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets.”

 

Google Project Zero team researcher Natalie Silvanovich said that efforts by Adobe to introduce new exploit mitigations into the Flash Player code base have slowed down exploit development and made it more difficult for researchers looking for bugs."

 

More in the article here: https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire
