New Adobe Flash 0-Day Used In Malvertising CampaignThe latest in a series of recent Flash vulnerabilities and malvertising exploits that are hard for users to avoid.
Yet another critical zero-day vulnerability has been found in Adobe Flash -- the latest in a series of holes found over the past month. This one, CVE-2015-0313, is being exploited in malvertising attacks, according to researchers from Trend Micro.
The vulnerability affects the most recent version of Flash on Windows systems running Internet Explorer or Firefox. Adobe has indicated that a patch will be available this week.
The exploit -- named SWF_EXPLOIT.MJST by Trend Micro -- was found redirecting visitors from dailymotion.com to a malicious site, hxxp://www.retilio.com/skillt.swf. The compromised site has been visited at least 3,294 times, mostly by users based in the United States. The exploit was triggered via an advertising platform, so researchers expect that it was running on other sites, not just Daily Motion. It might be "executed via the Angler Exploit Kit, due to similarities in obfuscation techniques and infection chains."
The latest spate of Flash vulnerabilities is troubling because Flash is so hard to avoid.
"Adobe’s software is everywhere, second to only Microsoft," says Andy Manoske, senior product manager at AlienVault. "Flash is also extremely proliferate, with something like 20 percent penetration of all active websites on the Web, so there's an incredible amount of scrutiny because it's so popular. As such, we're likely to continue to find vulnerabilities as the security community (both in terms of security companies and adversaries) pick through Flash with a fine tooth comb.
Manoske says the other issue is that Flash is "architecturally complicated."
"It's not really a single platform so much as it's a zoo of different operating system clients that agree on a series of protocols and features. Complexity like this has a tendency to create issues due to things like implementation errors and race conditions, thereby creating the opportunity for exploitable vulnerabilities to be accidentally created and missed in [quality assurance]," he says.
Malvertising on the rise
Malvertising is also hard to avoid. Exploits are delivered via drive-by-download, not requiring user interaction. Ads are found on millions of websites, and are served by third-party ad platforms, not the site administrators. And the process of serving ads is largely open and automated; legitimate businesses and criminal enterprises alike sign up to ad bidding services anonymously.
"Malvertising provides an elegant means of accomplishing for attackers what online advertising accomplishes for brands and agencies: exposing your content to a large and increasingly targeted breadth of users," Manoske says. "As real-time bidding and other automated and readily anonymized means of purchasing ad inventory continue to trend throughout the ad industry, it's likely we're going to continue to see malvertising-enhanced drive by download attacks that exploit vulnerabilities in the typical technology stack for ads, including and especially within Flash."
Lately, malvertising attacks are everywhere, targeting everything from consumers to US defense contractors, committing everything from click fraud to information gathering. In October, Invincea reported its discovery of a malvertising campaign "micro-targeting" the defense industry. Invincea dubbed it "Operation DeathClick" and described as an APT.
And from October to December, Facebook extended a special offer to members of its bug bounty program, paying double for reports of ad-related threats.
"The proliferation of exploit kits like Angler only exacerbates this issue," says Manoske, "and I think similar discoveries such as Trend's findings in DailyMotion will force ad networks to ask their industry serious questions about content review processes given how common these attacks are becoming."
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio