Emergency Flash Update Fixes “In the Wild” Vulnerabilities

Feb

7

February 7 , 2013 | Posted by Nachreiner | 6 Comments

Emergency Flash Update Fixes “In the Wild” Vulnerabilities

Summary:

  • These vulnerabilities affect: Adobe Flash Player running on all platforms
  • How an attacker exploits it: By opening any malicious Flash (SWF) content; whether from a web site, within a Word document, and so on
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Today, Adobe released an emergency security bulletin to fix two Flash Player vulnerabilities, which attackers are actively exploiting in the wild. Both flaws are memory corruption-related issues; one being a buffer overflow vulnerability. If an attacker can entice one of your users into opening any Flash content, he could exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

As mentioned earlier, attackers are actively exploiting both these vulnerabilities in the wild. Currently, the attackers try to deliver the malicious Flash either via a booby-trapped web site, or by embedding it within malicious Word documents.

Besides patching, we recommend you educate your users about the dangers of interacting with unsolicited Word (or PDF) documents. Many of the more advanced breaches over the last few years have begun as very targeted spear-phishing emails which included malicious Word or PDF documents. Although security appliances, like WatchGuard’s, can detect some of these malicious documents using AV and IPS, you should still inform your employees to remain vigilant against these sorts of attacks.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content (and Word documents). Keep in mind, doing so blocks all such content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extensionMIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify these various files:

File Extension:

  • .flv –  Adobe Flash file (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

  •  FLV Hex: 46 4C 56 01
  • FLV ASCII: FLV
  • FLA Hex:  D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives.) 

If you decide you want to block these files, the links below contain instructions that will help you configure your XTM proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Comments (6)

  1. Emergency Flash Update Fixes “In the Wild” Vulnerabilities « microreksa

  2. WatchGuard Security Week in Review: Episode 51 – Flash 0day | WatchGuard Security Center

  3. Although I’m always careful about file attachments and Web-sites I visit – I was on on vulnerable Adobe Flash Player version 11.5.502.146. Updated to 11.5.502.149. Thank you for timely information. Also would like to notice, that Adobe Flash Player automatic updater has very uninformative “need to update” description page…without any categorization and more or less informative description for updates it uploads. Same static page all the time :-)

  4. Adobe Patch Day: Shockwave and (More) Flash Updates | WatchGuard Security Center

  5. But Itisam Akhtar, manager of My Home Finance to cover part of the state
    where the borrower lives, rather than temporary expenses. With, borrowers get the benefits of borrowers who want to repay their loan in full.
    You’ve taken out a payday loan to make ends meat which can turn into a vicious circle, because at your next
    payday. One of the cash first things that you need and/or desire.

Add Comment

Your email address will not be published. Required fields are marked *