During the holiday season, users can do themselves a big favor by ditching Adobe Flash, a software notorious for its frequent security flaws. The reason: A zero-day-exploit, which has been spotted at Hacking Team.
Adobe has released an emergency patch for its Flash software, which is plagued by numerous security vulnerabilities. The problem appears to be so serious that the company is releasing the update outside their regular patch interval. Users should carefully check whether the use of Flash is really critical to their requirements - or at least apply the patch as quickly as possible.
"Security vulnerabilities in Flash are not only common, they are also regularly exploited by criminals. This makes it a very real and very serious security risk," says Tim Berghoff, Security Evangelist at G DATA. "In addition to using a good security solution, users should always remember to check the software used for security gaps and keep it up-to-date.
In the current case, the attack does not target web applications developed with Flash, but uses the so-called active elements in Word documents, as The Register writes (link will open in a new window). The documents are distributed by the criminals via e-mail. When users open such a document and allow the active content, additional malicious code is loaded in the background.
Exploit can bypass operating system limitations
As usual with Flash, the exploit (designation CVE-2018-15982) makes use of a vulnerability in the memory management of the software. Such a bug allows a program to execute code at certain points in the memory without the restrictions normally imposed by the operating system taking effect - this opens the door for further attacks. In the current case, this is a so-called "use after free" vulnerability.
The security researchers at Applied Threat Research (link will open in a new window), who discovered the vulnerability, point out some similarities to an exploit used a few years ago by the controversial Hacking Team to install Trojans on computers. Hacking Team has been criticized for years for selling Trojan software to authoritarian regimes that use it to spy on political opponents or human rights activists. Despite the similarity, they see no proof that the current exploit was actually developed by Hacking Team itself.
The good news is: G DATA users are protected. Our ExploitProtection module detects the attack without any issues.
The writing is on the wall for Flash
For years, Adobe Flash has been making headlines due to serious and frequent security flaws. For this reason, there has long been a call for the end of Flash. Moreover, HTML5 is already an alternative that not only runs faster but is also more secure. Adobe has therefore announced that it will discontinue support for Flash in 2020. This means there is one major gateway less to worry about. However, this is only a limited reason to breathe a sigh of relief, as attackers are already using alternatives to infect computers with malware.