Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/2/2015
04:20 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

New Adobe Flash 0-Day Used In Malvertising Campaign

The latest in a series of recent Flash vulnerabilities and malvertising exploits that are hard for users to avoid.

Yet another critical zero-day vulnerability has been found in Adobe Flash -- the latest in a series of holes found over the past month. This one, CVE-2015-0313, is being exploited in malvertising attacks, according to researchers from Trend Micro.

The vulnerability affects the most recent version of Flash on Windows systems running Internet Explorer or Firefox. Adobe has indicated that a patch will be available this week.

The exploit -- named SWF_EXPLOIT.MJST by Trend Micro -- was found redirecting visitors from dailymotion.com to a malicious site, hxxp://www.retilio.com/skillt.swf. The compromised site has been visited at least 3,294 times, mostly by users based in the United States. The exploit was triggered via an advertising platform, so researchers expect that it was running on other sites, not just Daily Motion. It might be "executed via the Angler Exploit Kit, due to similarities in obfuscation techniques and infection chains."

The latest spate of Flash vulnerabilities is troubling because Flash is so hard to avoid.

"Adobe’s software is everywhere, second to only Microsoft," says Andy Manoske, senior product manager at AlienVault. "Flash is also extremely proliferate, with something like 20 percent penetration of all active websites on the Web, so there's an incredible amount of scrutiny because it's so popular. As such, we're likely to continue to find vulnerabilities as the security community (both in terms of security companies and adversaries) pick through Flash with a fine tooth comb.

Manoske says the other issue is that Flash is "architecturally complicated."

"It's not really a single platform so much as it's a zoo of different operating system clients that agree on a series of protocols and features. Complexity like this has a tendency to create issues due to things like implementation errors and race conditions, thereby creating the opportunity for exploitable vulnerabilities to be accidentally created and missed in [quality assurance]," he says.

Malvertising on the rise

Malvertising is also hard to avoid. Exploits are delivered via drive-by-download, not requiring user interaction. Ads are found on millions of websites, and are served by third-party ad platforms, not the site administrators. And the process of serving ads is largely open and automated; legitimate businesses and criminal enterprises alike sign up to ad bidding services anonymously.

"Malvertising provides an elegant means of accomplishing for attackers what online advertising accomplishes for brands and agencies: exposing your content to a large and increasingly targeted breadth of users," Manoske says. "As real-time bidding and other automated and readily anonymized means of purchasing ad inventory continue to trend throughout the ad industry, it's likely we're going to continue to see malvertising-enhanced drive by download attacks that exploit vulnerabilities in the typical technology stack for ads, including and especially within Flash."

Lately, malvertising attacks are everywhere, targeting everything from consumers to US defense contractors, committing everything from click fraud to information gathering. In October, Invincea reported its discovery of a malvertising campaign "micro-targeting" the defense industry. Invincea dubbed it "Operation DeathClick" and described as an APT.

And from October to December, Facebook extended a special offer to members of its bug bounty program, paying double for reports of ad-related threats.

"The proliferation of exploit kits like Angler only exacerbates this issue," says Manoske, "and I think similar discoveries such as Trend's findings in DailyMotion will force ad networks to ask their industry serious questions about content review processes given how common these attacks are becoming."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/4/2015 | 8:21:54 AM
Re: Security Measures
Thanks, that was very helpful. I am a huge Chrome afficionado and the Ad Blocker is definitely a major benefit. Not only from its security aspect but also its seamless integration into the browser. Another security benefit is it helps to mitigate noise. Through this means you will be more attune to handling an event when notified instead of dismissing it.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
2/3/2015 | 4:43:23 PM
Re: Security Measures
Some people have argued that going with ad blocking software is like going without a firewall.
jps-forums
100%
0%
jps-forums,
User Rank: Apprentice
2/3/2015 | 4:30:06 PM
Re: Security Measures
There's actually 4 simple (and free) steps home users can take to drastically reduce their risk.  I had to put spaces in the URLS to get this to post, so take that into account when reading the links I include

 

1. Take advantage of OpenDNS (opendns .com/home-internet-security/). This requires you to set your primary DNS on your home router/wireless to use their DNS IP's. They filter many malicious sites for you and you get a free ability to implement content filtering for your family as well.  This is probably slightly complicated for your basic home user (you have to get them into their home router config under the IP and/or DHCP options to set the DNS) but their instructions make it much easier. 

2. Install anti-exploit software. Malware-bytes Anti-exploit Free edition protects all the major browsers and doesn't rely on def updates. Stops APT's in their tracks. Su[per tiny light-weight. You'll never know it's even running (https://www. malwarebytes. org/antiexploit/). The paid version protects more but stopping the exploits via browser for free is dang good.

3. Install some type of automated patching software that covers OS and 3rd party without any or much interaction at all. Secunia PSI is free and does an amazing job with little or no user interaction. (secunia. com/vulnerability_scanning/personal/) 

4. Use Chrome as much as possible and install the free ADBLOCK extension that stops all (99.9%) of adds (really useful on this particular exploit...plus it makes browsing much faster without all that garbage and annoying ads in vidoes/sidebars etc  (getadblock. com/)

Having a standard antivirus product is a given, although it probably protects you 20% if you are lucky. If you have AV, try to pick one that has host-based IPS built in as well (Intrusion Prevention System). The 4 above probably cover you 75%. Leaving a tiny window of risk left.  Every friend and family I help (there's many) has yet to been compromised or get infected using the tips above.  Best of all it will cost you 0 dollars to do the 4 things above.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/3/2015 | 10:07:16 AM
Security Measures
Since, as the article denotes, it is very difficult to deny a malicious body the right to acquire digital ad space; are there any best practices in general for the user population to avoid this type of attack? For example, Ad-blockers, etc.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/3/2015 | 3:17:58 AM
Guess I need to install Google Ultron
O, to go two weeks without having to update Adobe Flash!  #firstworldproblems
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3896
PUBLISHED: 2019-06-19
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).
CVE-2019-3954
PUBLISHED: 2019-06-19
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.
CVE-2019-10085
PUBLISHED: 2019-06-19
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
CVE-2019-11038
PUBLISHED: 2019-06-19
When using gdImageCreateFromXbm() function of gd extension in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been ...
CVE-2019-11039
PUBLISHED: 2019-06-19
Function iconv_mime_decode_headers() in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.