Zero-Day Comms/Adobe Flash Exploit

Alert: Adobe Flash has experienced another exploit.

Contact your customers to make them aware of the zero-day vulnerabilities in Adobe Flash that were found in stolen data that had been posted online as a result of a breach at Hacking Team.

The vulnerability is a ByteArray class use-after-free (UAF) vulnerability which can be used to override PC functions, change the value of objects and reallocate memory. It affects versions of Adobe Flash Player 18.0.0.204 and earlier. Many organizations deploy Adobe Flash inside their networks, and given the widespread proliferation of the software, the risk of attack is high. Our Threat Intelligence team has created a signature for the vulnerabilities, which protects Symantec Endpoint Protection and Norton customers from the likely risk of the exploit’s use in cyber-attacks this week.

Use this event as an opportunity to ensure that your customers are taking the necessary steps to protect themselves and discuss the bigger issues of the fallout from Hacking Team being breached. Reinforce yourself, and Symantec, as a trusted security partner. Share best practices for hardening of networks and ensuring that sensitive data, e.g. bug-bounty program data, remains secure.

OVERVIEW

It was made public earlier this month that the Italian hacker-for-hire surveillance firm Hacking Team had itself been breached. The company, known for selling intrusion and surveillance tools to governments and law enforcement agencies, had been the target of an attack in which the attackers uploaded 400GB of data onto Pastebin. The data dump contained various information, including email communications, customers’ information, invoices and source code, among others.

Over the weekend of July 10th, Trend Micro and FireEye independently announced that they had discovered two zero-day vulnerabilities in Adobe Flash that were found in the stolen data that had been posted online as a result of the breach at Hacking Team. At this time the exploits are proofs-of-concept, yet the code can be executed on the latest version of Flash Player. The vulnerability, dubbed the “most beautiful Flash bug for the last four years” in Hacking Team’s internal notes, is a ByteArray class use-after-free (UAF) vulnerability which can be used to override PC functions, change the value of objects and reallocate memory. It affects versions of Adobe Flash Player 18.0.0.204 and earlier. Symantec has added detection for the exploits as Hacktool and has created an AV signature to detect the exploits.

WHY THIS MATTERS TO MY CUSTOMERS

Organizations that allow Adobe Flash to run on their endpoints are vulnerable to this exploit. The vulnerability affects Windows, Macintosh, and Linux operating systems. A successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We consider this to be a high severity incident, and encourage customers to take immediate action to prevent damage from happening. Network users running affected versions of Adobe Flash could be victims of drive-by downloads.

SHOULD I REACH OUT TO MY CUSTOMERS?

We recommend that you contact your customers to make them aware of this vulnerability. Many organizations deploy Adobe Flash inside their networks, and given the widespread proliferation of the software, the risk of attack is high. Use this event as an opportunity to share the information provided in this bulletin to ensure that your customers are taking the necessary steps to protect themselves while reinforcing yourself, and Symantec, as a trusted security partner.

Important Talking Points

  • Our Threat Intelligence team has created a signature for the vulnerabilities, which protects Symantec Endpoint Protection and Norton customers from the likely risk of the exploit’s use in cyber-attacks this week.
  • Symantec’s Security Response blog will keep you current on developments pertaining to this situation, including mitigation instructions.
  • Discuss the bigger issue of the fallout from Hacking Team being breached. Share best practices for hardening of networks and ensuring that sensitive data, for example, bug-bounty program data, remains secure. Symantec provides solutions that can protect organizations from such attacks.

Q: When was this incident/vulnerability/threat discovered?
A: The vulnerability proof of concept was discovered within the Hacking Team leaked data on July 10 PDT and was shared on Twitter.
Q: How significant is this incident and why?
A: This incident is significant due to the prevalence of Adobe Flash and the fact that upon first analysis, the proof-of-concept code can successfully exploit the latest version of Adobe Flash (18,0,0,203). We are not aware if this vulnerability is being exploited in the wild. With the proof of concept disclosed, we can expect to see it released in the wild very soon.
Q: Which OS platforms are being targeted or could potentially be affected?
A: Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux.

  • Adobe Flash Player 18.0.0.203 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 18.0.0.204 and earlier versions for Linux installed with Google Chrome
  • Adobe Flash Player Extended Support Release version 13.0.0.302 and earlier 13.x versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version 11.2.202.481 and earlier 11.x versions for Linux

Q: Is user interaction (other than normal web browsing, file opening, email viewing, etc.) required to become infected?
A: This vulnerability could be exploited by way of drive-by-download.
Q: Do Symantec/Norton products (Win/Mac/NMS) protect against this threat?
A: We have added detection for the exploits as Hacktool. Antivirus detection has been introduced as Exp.CVE-2015-5122. This detection is available as of definitions version 20150711.022. We also have confirmed that the following IPS signature proactively blocked the Proof-of-Concept exploit code: Web Attack: Malicious SWF Download 30.
Q: Has this vulnerability been exploited in the wild?
A: At the moment, we are not aware, but because the information came from Hacking Team’s leaked data, it may potentially have been used; however, it is unlikely to be widespread. With the vulnerability disclosure, we can expect it to be rolled out to exploit kits in the coming days.
Q: Has the vendor issued an alert or advisory?
A: Adobe has launched an investigation into this vulnerability, has released a security bulletin, and has stated that a patch will be released this week.
Q: Has the vendor issued a patch for this vulnerability?
A: No, not at this time.
Q: Are there any other sources of information on this threat (i.e. from our competitors) which have already been issued?
A: FireEye and Trend Micro released a blog about the vulnerability CVE-2015-5122 presented in this alert and have been credited with discovering the two exploits.
Q: Is Symantec releasing a public blog about this vulnerability?
A: The external blog was published today during the EMEA shift and can be viewed in the Security Response Blog here.

 

Reference by Symantec