Emergency Flash Update Fixes “In the Wild” Vulnerabilities

Summary:

  • These vulnerabilities affect: Adobe Flash Player running on all platforms
  • How an attacker exploits it: By opening any malicious Flash (SWF) content; whether from a web site, within a Word document, and so on
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Today, Adobe released an emergency security bulletin to fix two Flash Player vulnerabilities, which attackers are actively exploiting in the wild. Both flaws are memory corruption-related issues; one being a buffer overflow vulnerability. If an attacker can entice one of your users into opening any Flash content, he could exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

As mentioned earlier, attackers are actively exploiting both these vulnerabilities in the wild. Currently, the attackers try to deliver the malicious Flash either via a booby-trapped web site, or by embedding it within malicious Word documents.

Besides patching, we recommend you educate your users about the dangers of interacting with unsolicited Word (or PDF) documents. Many of the more advanced breaches over the last few years have begun as very targeted spear-phishing emails which included malicious Word or PDF documents. Although security appliances, like WatchGuard’s, can detect some of these malicious documents using AV and IPS, you should still inform your employees to remain vigilant against these sorts of attacks.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content (and Word documents). Keep in mind, doing so blocks all such content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extensionMIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify these various files:

File Extension:

  • .flv –  Adobe Flash file (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

  •  FLV Hex: 46 4C 56 01
  • FLV ASCII: FLV
  • FLA Hex:  D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives.) 

If you decide you want to block these files, the links below contain instructions that will help you configure your XTM proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

6 Responses to “Emergency Flash Update Fixes “In the Wild” Vulnerabilities”

  1. Although I’m always careful about file attachments and Web-sites I visit – I was on on vulnerable Adobe Flash Player version 11.5.502.146. Updated to 11.5.502.149. Thank you for timely information. Also would like to notice, that Adobe Flash Player automatic updater has very uninformative “need to update” description page…without any categorization and more or less informative description for updates it uploads. Same static page all the time :-)

  2. What’s up it’s me, I am also visiting this web page daily,
    this site is genuinely fastidious and the users are truly sharing pleasant thoughts.

  3. But Itisam Akhtar, manager of My Home Finance to cover part of the state
    where the borrower lives, rather than temporary expenses. With, borrowers get the benefits of borrowers who want to repay their loan in full.
    You’ve taken out a payday loan to make ends meat which can turn into a vicious circle, because at your next
    payday. One of the cash first things that you need and/or desire.

Trackbacks/Pingbacks

  1. Emergency Flash Update Fixes “In the Wild” Vulnerabilities « microreksa - February 7, 2013

    [...] Emergency Flash Update Fixes “In the Wild” Vulnerabilities [...]

  2. WatchGuard Security Week in Review: Episode 51 – Flash 0day | WatchGuard Security Center - February 8, 2013

    [...] Zero day Adobe Flash vulnerabilities in the wild – WGSC [...]

  3. Adobe Patch Day: Shockwave and (More) Flash Updates | WatchGuard Security Center - February 13, 2013

    [...] has suffered many zero day vulnerabilities recently. This is actually the second Flash update for the month; the last being an emergency update. Since attackers are exploiting these [...]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 7,561 other followers

%d bloggers like this: