Adobe Patches Flash Zero-Day Exploited By Magnitude Exploit Kit

wiredmikey writes: Adobe released a Flash Player update on Thursday night to patch a zero-day vulnerability that has been leveraged by cybercriminals to deliver malware via the Magnitude exploit kit. The vulnerability [CVE-2016-1019], a memory corruption that can be exploited for remote code execution, was discovered after, on April 2, security researcher Kafeine of Proofpoint noticed a change in the Magnitude exploit kit. The sample was then investigated by FireEye, which determined that Magnitude EK had been exploiting a previously unknown vulnerability in Flash Player."Despite the fact that this new exploit could potentially work on any version of Adobe Flash, including a fully patched instance of Flash, the threat actors implemented it in a manner that only targeted older versions of Flash. In other words, equipped with a weapon that could pierce even the latest armor, they only used it against old armor, and in doing so exposed to security researchers a previously unreported vulnerability," Proofpoint said in a blog post.

Armor old new armor!

[Anonymous Coward]

New old pierce weapon armor!! âoeOld armor only âoeâoe armor! Cyber armor WEAPON,â said Armor!

Re:

[halivar]

The only thing "astandard" here is the site that only handles US-ASCII characters in 2016. It's not defensible.

Re:

[KGIII]

Is that true? ½ ¼ ¥ € £ © ® etc... I thought those were early Unicode. It does make sense, though.

Re:

[halivar]

Nope! Those are all high ASCII.

Re:

[KGIII]

Thanks! I wasn't sure which ones where which. There's a slew of 'em that pass through the filters. I do believe they'll be fixing Unicode in the stories but not adding the full list to the comments. At least something along those lines. (I've been paying attention to the various comments made by our new overlords. They've specifically referenced fixing them in stories but not in any other context.)

Re:

[U2xhc2hkb3QgU3Vja3M]

I'm on a Mac and I also see accented characters all over the place.

Re:

[halivar]

"SAFETY IS OUR GOAL: It has been [ 2 ] days since our last Adobe Flash 0-day exploit."

Re:

[U2xhc2hkb3QgU3Vja3M]

Much more simple to add a permanent banner that says "Security warning: uninstall Flash from your computer".

You were warned

[Gravis Zero]

You have been warned repeatedly that you Flash and Java plugins/addons/extensions are insecure and that you should uninstall them. Therefore, if you still have Flash or Java installed and you get compromised because of it, you only have yourself to blame.

Re:

[Anonymous Coward]

Bingo. I installed Windows 8 shortly after it came out and I purposely avoided installing Java because I knew there were huge security issues with it. That meant giving up VisualRoute, but I lived with it. As I live in China, I sometimes rely on using a proxy server to access parts of the internet I enjoy (facebook, youtube, mamedev). Previously I was using a free service called SoftEither VPN. It worked, rarely, but it was often very slow. A worker showed me a paid service called Lightning VPN. It w

Re:

[arth1]

Indeed. Even my ZyXEL "Unified Security Gateway" uses both Flash and Java.

Re:You were warned

[GrumpySteen]

You have been warned repeatedly that cars are dangerous. Therefore, if you still get in a car and you get hurt or killed by a drunk driver, you only have yourself to blame.

Yeah, no. Blaming the victim doesn't accomplish anything other than making sure that nothing changes and nothing gets better.

Until companies are actually held liable for the damage that their insecure software causes, they will keep creating insecure software because it's cheaper and more profitable than taking the time to make it secure.

Re:

[wbr1]

Look at parents sig. He wants to hold victims accountable but not himself. Typical entitled attitude. Move along.

Re:

[Archangel Michael]

You do realize that the very first slave owner in America was ... black, right?

There is nobody here that owned slaves, knows anyone that was or owned slaves, probably several more generations more. We are 150 years from slavery in the US, but people like you keep acting like it was last week.

At some point, you're going to have to realize that the problem isn't slavery, it is attitude. But I guess it is always easier to blame others for your own shortcomings.

Re:

[Archangel Michael]

http://www.thegatewaypundit.co... [thegatewaypundit.com]

Re:

[Archangel Michael]

http://www.thegatewaypundit.co... [thegatewaypundit.com]

There is nobody here that owned slaves, knows anyone that was or owned slaves, probably several more generations more.

I have relatives alive today who are in their 80s and 90s, whose grandfather or grandmother
was born a slave in the United States.

If you're going to be pedantic, at least do it according to the criteria i setup. "Here" being slashdot. and "several more generations" would definitely qualify as making your cases, if your case was against my initial statement, rather than the "probably", which would acknowledge the possibility of edge case scenario you described. My dad's father may have known owners or former slaves. I don't know, because I don't remember him. My dad, was born at a time when there were

Re:You were warned

[Solandri]

Macromedia never asked for Flash to become the de facto web standard for multimedia on web pages. All they wanted to do was make a tool which allowed artists to stream animated video using less bandwidth than real video [homestarrunner.com] - very important in the early days of the Internet when people were connecting over dialup on 56 kbps modems. So rather than transmit ever frame, it'll let you transmit the spirtes of the animated characters and a background image, and scroll the background image as the sprites move around. Being an artist's tool, they added lots of features to help with the creation of animation. The features have gotten good enough that Flash is still being used for this purpose by animators making TV shows [wikipedia.org].

Flash became widely adopted on the web because the W3C [wikipedia.org] dragged their feet for 15 years. Users wanted multimedia in web pages. Web designers wanted multimedia in web pages. A bunch of W3C people with sticks up their asses decided there shouldn't be multimedia in web pages (probably traumatized by the way the blink tag was abused), and refused to update the HTML standard to allow it (until HTML 5 was standardized a couple years ago). So web designers looked around for the next best thing, and hey! There's this thing called Flash. It's originally meant for creating animated videos, but it's flexible enough for us to add scripted multimedia to our web pages. Let's use that instead!

The situation is analogous to users wanting hammers, and stores wanting to sell hammers, but the government refusing to pass safety standards which would allow the sale of hammers. Then people realize they can buy rocks from a decorative landscaping store and use them as hammers. Soon everyone is using rocks as hammers, except that being rocks they frequently break and injure the user. Do you really think the rock-selling company should be liable for damage caused by people using their product in a manner in which it wasn't intended?

Re:

[cheesybagel]

Flash was abused all the time. People used it to design websites that took forever to load with animations and other useless crap, claiming it was leading edge tech, even if the only thing you wanted to get out of the site was a text list. There were perfectly valid uses for it, but it took a long time to standardize the technology in way that would fit with prior W3C standards. Initially the main concern was with the scalable vector graphics and animation. It was initially planned to do it with SVG and Jav

Re:

[ChunderDownunder]

Nice in theory.

In the real world people still available themselves of content that they rely on served only via Flash.

Which is why I use Firefox as my main browser and Chrome for those sites that require it.

Re:You were warned

[gstoddart]

Funny, I use the back button for sites requiring Flash.

The only things I truly need Flash for are work related training, which periodically requires I re-enable it. But I won't even run my work browser with it enabled.

No way in hell I'd ever consider running Flash by default ... the idea of letting random websites let random third parties run arbitrary code is so utterly moronic as to defy belief.

To me Flash is primarily an ad platform. If there are useful sites requiring Flash to work, I'm afraid I've never seen them, or don't consider them useful. I don't use video on the intertubes, because I don't care.

It seems like Flash has had at least one major security exploit every month for over 15 years, which tells me the entire platform and its security model are so defective that it has to be in the "don't trust by default" category.

I have no interest in letting advertisers, or anybody else, have access to anything which runs arbitrary code on my machine just because I visited a web page.

Re:

[ChunderDownunder]

Well in my case it's my university lessons.

That and the local tv stations that repeat programs online, where I'll load one of their movies when there's nothing on.

But for general usage, no. Which is why I don't have the Flash for Firefox but Chrome ships with its own internal copy when I do need it.

Re:

[Dutch Gun]

At the very least, people really need to enable click-to-play for Flash. That would tend to prevent nearly all of these sorts of exploits, but when you still find an occasional Flash video or content, you can still play it. Of course, still better if you can completely do without Flash at all, which is increasingly easy these days with HTML5 being embraced by more sites.

Re:

[Bengie]

You have been warned repeatedly that [your] Internet connection is insecure and that you should not use it. Therefore, if you still have the Internet and you get compromised because of it, you only have yourself to blame.

We need to get rid of dependencies before we can get rid of them. Not everyone wants to browses the Internet with Lynx.

Heart broken ...

[gstoddart]

Not a zero day exploit in Flash. Why, I'm utterly traumatized by this, my faith in humanity has been utterly ruined, why I ... oh, fuck it ...

Yawn, yet another zero day exploit in a steaming turd of a technology which has been an endless series of security holes for almost 20 years now.

And, having been largely Flash free for at least 15 of those years, all I can say is "enjoy your quality software, suckers".

Honestly, the only thing which has cumulatively had more security holes than Flash is Windows. I ho

Re:

[Catiline]

Honestly, the only thing which has cumulatively had more security holes than Flash is Windows. I honestly don't know why people keep trusting it, because it really has been a terrible security risk forever, and disabling it is usually the first thing I do in a browser.

I expect a large portion of the Slashdot commentariat also have "disable Windows" as the first thing on their to-do list.

Re:

[Marginal Coward]

I like your term "commentariat" - very clever. To that, we might add "curserati" and maybe even "conspirocracy."

Re:

[Marginal Coward]

Yawn, yet another zero day exploit in a steaming turd of a technology which has been an endless series of security holes for almost 20 years now.

Just curious: why is that? Is there something inherently insecure about the design of Flash? Or, is Adobe simply negligent? Or, is this a ploy to coax users into accidentally installing adware each time they update?

(Please don't just answer "all of the above" - I'm looking for details here, especially if there is something inherently insecure about the design of Flash.)

Re:

[ole_timer]

Flash (and PDF) have the .data segment that executes. That's all you need to know. Bad. For the real geeky look at how the flate directive works.

Re:

[ole_timer]

for the truly geeky look at jit spraying, it has its own Wikipedia page.

Is Adobe paid to include vulnerabilities?

[Futurepower(R)]

How can there be so many defects in Flash? Is Adobe paid to include vulnerabilities? If so, who pays? Secret government agencies? One of the many stories: The NSA hacks other countries by buying millions of dollars worth of computer vulnerabilities. [washingtonpost.com]

Is Adobe badly managed?

"Honestly, the only thing which has cumulatively had more security holes than Flash is Windows."

Is Microsoft paid to include vulnerabilities? Or is it bad management? "Monkey Boy" [businessinsider.com] can't run a technology company?

eBay

[ArchieBunker]

This might explain why I was getting all kinds of malware warnings while browsing eBay last night. Flash is so bad that Chrome started not playing it by default.

Interesting evolution of malware

[140Mandak262Jamuna]

When malware were named viruses and borrowed terminology from biology and germ theory of diseases, initially (I mean back in early 1990s) it was kind of funny almost snark. But the the behavior of the malware evolved very similar to the way biological viruses evolve, and the comparison and terminology became increasingly relevant. Bio viruses reduce their own lethality [*1] to improve their own chances of survival and propagation. Even the original C-brain floppy disk virus of 1988 waited for 50 copies being made before it would take adverse action. Keeping a few weapons in the reserve, not attacking all possible hosts etc are all things bio viruses do too.

So where would it go? Some viruses reduced their lethality a lot and helped their hosts survive better so that these viruses could also survive better. At some point they benefit they added was so much, they were more symbiotes rather than a pathogen. Some eventually gave up all attempts find new host or propagation and became totally dependent on their hosts. The mitochondria in each of our cells that is actually the powerhouse that generates energy for the organisms, was once a free living bacteria [*2]. The gut bacteria of so many animals are totally dependent on their host. Some of the viruses got spliced into our DNA itself! There are genes from viruses in our DNA happily churning out proteins for us!

Malware authors can not claim copyright, nor can they enforce any intellectual property rights on their creation. There is nothing to stop OS developers from picking up useful bits of algorithms and code from these viruses and using it in legitimate code. Very interesting to think about what could happen. Of course, the biota is still full of harmful viruses and bacteria. So not all viruses will be tamed. But there is some potential to harvest these viruses for any good code/algorithm/logic they might have in them.

[*1] no no no, I am not saying these viruses are sentient and they deliberately did X to achieve Y. Some viruses did X, that was beneficial due to Y, and they survived better than the ones that did not do X, thus eventually only the viruses that did X are the only ones still alive. Anthropomorphizing and attributing purpose to an evolutionary process is simply a shorthand used by biologists. Read Daniel Dennett, he explains it far better than I do.

[*2] Endosymbiosis. [fossilmuseum.net]

Can viruses be cited as prior art?

[140Mandak262Jamuna]

Wondering the intellectual property ramifications of the virus code. USPTO says once something is published, we need to file within one year for patent. After one year published work can not be patented. Our lawyers force us to use complex #IF_PATENT_PENDING / #ENDIF constructs to keep patentable code away from daily builds and release builds. Even if there is no pathway for the code to be executed, the lawyers claim it does not matter. Inactive, unusable algorithms that were built and shipped would count.

So, just a vulnerability, then?

[Chalnoth]

Every vulnerability is zero-day until a patch comes out addressing it.