For the third time in two weeks, online criminals have won the race to find a new flaw in Adobe Flash Player. Security researchers didn’t know this flaw existed until the criminals were already exploiting it to infect Web browsers, most prominently to launch malvertising attacks staged from the popular website Daily Motion.
Adobe says the flaw affects Flash Player in Microsoft Internet Explorer and Mozilla Firefox browsers on Windows, OS X and Linux; the company promises to have a patch for it later this week. Meanwhile, people may want to disable Flash in these browsers to minimize the risk of attack.
Flaws that security researchers only discover once attackers have already exploited them are called zero-days, because the “good guys” have zero days to prepare a patch.
In this case, it was Tokyo-based security company Trend Micro that first noticed the exploit appearing on Daily Motion, possibly as a result of site infection by the Angler browser exploit kit, a package of cobbled-together browser attacks that cybercriminals use to install malware on people’s computers.
“It is likely that this was not limited to the Dailymotion website alone, since the infection was triggered from the advertising platform and not the website content itself,” wrote Trend Micro’s Peter Pi in a company blog post.
Browser exploit kits are bundles of various exploits for known flaws in widely used Web browsers. When embedded or linked to in a Web page, an exploit kit will systematically try every attack at its disposal until it finds one that penetrates the visitor’s specific Web browser and operating system. Once the security hole is created, more malware — again tailored to the visitor’s OS — can be injected to infect the computer. Last month, security researcher Kafeine discovered an earlier Adobe Flash zero-day in the Angler exploit kit.
This third zero-day flaw affects Adobe Flash Player 184.108.40.2066 and earlier versions on Windows and OS X; and Adobe Flash Player 220.127.116.110 and earlier versions on Linux, according to Adobe’s security bulletin.
The ads that were compromised to exploit this flaw seem to be down, according to Trend Micro, but until the flaw is patched, users may want to disable Adobe Flash in their browsers, or set it to click-to-run. Click-to-run disables the default automatic playing of Flash-based Web content, ensuring that only content you specifically select (such as a YouTube video) will run in your browser.
To enable click-to-run on Firefox, click the Menu button in the upper right-hand corner (denoted by three horizontal lines). Then click Add-Ons to see a list of your browser’s add-ons. Change the settings of Adobe Flash, Adobe Flash Player or Adobe Shockwave Flash — the names may vary — from Always Activate to Ask to Activate.
To do so on Google Chrome, click the Menu button (also in the upper right, also denoted by three horizontal lines). Click Settings, then Show Advanced Settings. Scroll down to the Privacy section and click Content Settings. This will launch a pop-up window. In this window, scroll to the Plug-Ins section, and select Click to Play.
To do so on Internet Explorer 9, 10 and 11, click the gear icon in the top-right corner, then click Manage Add-Ons, which will launch a pop-up window. Click Toolbars and Extensions in the window’s left-hand navigation menu. In this right-hand results window, right-click Shockwave Flash Object, which will launch another pop-up window. Under the form field labeled “You have approved this add-on to run on the following websites,” click Remove all sites. (If there’s an asterisk in the form field, it means that all sites have been approved; you want to get rid of the asterisk.)
Source: Toms Guide