Slashdot Mirror


Adobe's Latest Zero-Day Exploit Repurposed, Targeting Adult Websites

MojoKid writes Adobe issued a patch for bug CVE-2015-0311, one that exposes a user's browser to become vulnerable to code injection, and the now infamous Angler EK (Exploit Kit). To fall victim to this kind of attack, all someone needs to do is visit a website with compromised Flash files, at which point the attacker can inject code and utilize Angler EK, which has proven to be an extremely popular tool over the past year. This particular version of Angler EK is different, however. For starters, it makes use of obfuscated JavaScript and attempts to detect virtual machines and anti-virus products. Its target audience is also rather specific: porn watchers. According to FireEye, which has researched the CVE-2015-0311 vulnerability extensively, this exploit has reached people via banner ads on popular adult websites. It was also noted that even a top 1000 website was affected, so it's not as though victims are surfing to the murkiest depths of the web to come in contact with it.

37 of 203 comments

  1. Adblock, FTW by Kiaser+Zohsay · · Score: 5, Insightful

    Seriously, who even sees ads anymore?

    --
    I am not your blowing wind, I am the lightning.
    1. Re:Adblock, FTW by buchner.johannes · · Score: 2, Interesting

      Youtube just switched to HTML5 video by default, so perhaps we can uninstall Flash for good now!

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:Adblock, FTW by FreonTrip · · Score: 2

      As far as I know Hulu and Amazon Prime won't work without it for now. Otherwise it's basically flushable.

    3. Re:Adblock, FTW by Anonymous Coward · · Score: 3, Interesting

      or sites that don't seem to filter their own ads.

      Oh, you mean like Google Adsense? They've been known to run malicious ads on countless occasions.

    4. Re:Adblock, FTW by NatasRevol · · Score: 2

      Hulu works fine on an Apple TV. No flash available.

      --
      There are two types of people in the world: Those who crave closure
    5. Re:Adblock, FTW by Darinbob · · Score: 2

      BBC still uses them. Probably the most important site left for me that does.

    6. Re:Adblock, FTW by hcs_$reboot · · Score: 3, Informative

      Seriously, who even sees ads anymore?

      People using iPhones and iPads.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  2. Maybe if Adobe fixed their broken updater... by GerbilSoft · · Score: 4, Insightful

    Selecting "automatically update" doesn't actually automatically update. It just causes it to complain that an update is available every time you reboot and/or log on.

    Maybe if Adobe fixed this, there wouldn't be so many successful Flash-based attacks.

    1. Re:Maybe if Adobe fixed their broken updater... by Anonymous Coward · · Score: 3, Insightful

      I totally agree. I solved this by disabling any Adobe stuff on any browser or platform or device.

      And when you go to update it, it takes you to a web page. If you're not paying attention, it will try to install other stuff like the useless McAfee. The Adobe web page downloads a shim installer - not the real thing. The shim installer downloads the real thing and then installs that...

      Do Adobe programmers smoke crack or something?

    2. Re:Maybe if Adobe fixed their broken updater... by jandrese · · Score: 5, Interesting

      My favorite part is where the updater tells you that a new update is ready, but it won't install it automatically because Adobe needs another ad impression or something and you have to download and install it yourself. This is why I don't have Flash or Java installed anymore. I especially like when they try to sideload some crapware toolbar with their security update too. I can kind of understand this sort of behavior from a sketchy freeware app being hosted by J. Random Guy, but Oracle and Adobe are multimillion dollar corporations. Do they really care so little about their brand?

      --
      I read the internet for the articles.
    3. Re:Maybe if Adobe fixed their broken updater... by s.t.a.l.k.e.r._loner · · Score: 5, Insightful
    4. Re:Maybe if Adobe fixed their broken updater... by tlhIngan · · Score: 2

      My favorite part is where the updater tells you that a new update is ready, but it won't install it automatically because Adobe needs another ad impression or something and you have to download and install it yourself. This is why I don't have Flash or Java installed anymore. I especially like when they try to sideload some crapware toolbar with their security update too. I can kind of understand this sort of behavior from a sketchy freeware app being hosted by J. Random Guy, but Oracle and Adobe are multimillion dollar corporations. Do they really care so little about their brand?

      Yes, this.

      I don't get it - I mean Flash used to have an auto-updater that popped up when you rebooted and installed the latest version after getting permission. Now they make you visit their damn web page to download the updated installer which you then must run.

      At least Oracle is slightly better in that it downloads and runs the updater automatically. Only slightly because they both want you to install Symantec or McAfee or Chrome or Ask or whatever.

      But Flash updates are useless as they just point you to their website. And it used to work just fine by itself.

    5. Re: Maybe if Adobe fixed their broken updater... by slaker · · Score: 2

      Run this command from the named Administrator account:
      @powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

      Add this to the machine startup script or acceptable alternative of your choosing.
      choco install flashplayeractivex
      choco install flashplayerplugin

      Flash is now less retarded.

      Also, the site for direct download of Flash installers is: http://www.adobe.com/products/...
      And the sad thing is I typed that shit out from memory because it is etched in my brain at this point.

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
    6. Re: Maybe if Adobe fixed their broken updater... by slaker · · Score: 2

      The powershell stuff installs the Chocolatey.org software repository on a client. It's also entirely readable as pseudocode.

      Once it's installed, it's like having ports or apt, but on a Windows machine.

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
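
The one-liner in the comments above pipes a downloaded script straight into `iex`. As an added example (not part of the thread and not Chocolatey's own code), the same bootstrap can save the script to disk, check its Authenticode signature and only then run it. It assumes the published install.ps1 carries a valid signature; the function name `Install-ChocolateyVerified`, its `-ExpectedSigner` parameter and the temp file name are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: bootstrap Chocolatey without piping a download into iex.
# Assumption: install.ps1 is Authenticode-signed by its publisher.
# Install-ChocolateyVerified and the temp file name are hypothetical names.

function Install-ChocolateyVerified {
    param(
        [string]$Uri = 'https://chocolatey.org/install.ps1',  # URL from the comment above
        [string]$ExpectedSigner = ''  # optional: text the signer subject must contain
    )

    $scriptPath = Join-Path $env:TEMP 'choco-install.ps1'

    # Older Windows builds default to TLS 1.0; ask for TLS 1.2 explicitly.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Fetch to a file so the exact bytes that will run can be inspected first.
    Invoke-WebRequest -Uri $Uri -OutFile $scriptPath -UseBasicParsing

    # Status is 'Valid' only if the signature matches the file content and
    # the certificate chains to a root this machine trusts.
    $sig = Get-AuthenticodeSignature -FilePath $scriptPath
    if ($sig.Status -ne 'Valid') {
        Remove-Item $scriptPath -Force
        throw "Refusing to run $Uri : signature status is $($sig.Status)"
    }

    $subject = $sig.SignerCertificate.Subject
    if ($ExpectedSigner -and ($subject -notlike "*$ExpectedSigner*")) {
        Remove-Item $scriptPath -Force
        throw "Refusing to run $Uri : unexpected signer '$subject'"
    }
    Write-Host "Signature valid, signed by: $subject"

    # Relax the execution policy for this process only, not machine-wide.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
    & $scriptPath
}

Install-ChocolateyVerified

# Startup-script part: install or update the two packages named in the comment.
# 'choco upgrade' installs a package that is not present yet.
$choco = Join-Path $env:ALLUSERSPROFILE 'chocolatey\bin\choco.exe'
foreach ($pkg in 'flashplayeractivex', 'flashplayerplugin') {
    & $choco upgrade $pkg -y
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "choco upgrade $pkg exited with $LASTEXITCODE"
    }
}
```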
  3. Well I guess it's a good thing... by SeaFox · · Score: 3, Insightful

    I block ads on ALL websites.

    1. Re:Well I guess it's a good thing... by gstoddart · · Score: 5, Insightful

      I'm curious... At this point do we just expect everything to be 100% free? Or do we think money fairies give companies the capital to pay for bandwidth and processing power?

      Hey, there will always be people who don't block ads. Some sites have subscriptions, which people are free to use.

      But the reality is, most sites with ads are infested with literally dozens of third party crapware, places which sideload junk into your system (specifically through crap like Flash), and which want to collect collate and sell your private information.

      I will allow a site which serves its own advertising to show ads as long as they're not overly intrusive. But doubleclick, disqus, scorecard research, quantcast, facebook, twitter -- and literally hundreds of other shit sites I have no interest in, well -- that's not my problem.

      I'm visiting your website. Unless you lock me out via subscription (in which case I'll ignore your site), I do not owe you ad revenue, and I sure as shit don't owe the 20 other sites embedded in your website anything.

      Honestly, if you eventually go out of business ... that is not my problem. Protecting myself from marketers and malware is my problem, and quite frankly, Flash gets reported as loading up malware pretty regularly. I've treated it as malware for over a decade now.

      But let's not act like I owe you something. And let's certainly not act like just because you collect your money from a bunch of shady assholes that I owe them anything.

      --
      Lost at C:>. Found at C.
    2. Re:Well I guess it's a good thing... by bmo · · Score: 3, Interesting

      But the reality is, most sites with ads are infested with literally dozens of third party crapware, places which sideload junk into your system (specifically through crap like Flash), and which want to collect collate and sell your private information.

      This.

      And you know what I've found out? The "serve ads" and "collate demographics to sell" industries have merged completely. There is probably nobody left that merely serves ads and doesn't track across websites. Go ahead and delete Adblock Plus and run /only/ Ghostery and Privacy Badger. You get nearly the exact same results as if you ran an adblocker that uses a popular list.

      Why Privacy Badger on top of Ghostery? Because it gets the things whitelisted by Ghostery. You didn't think that Ghostery was pure as the driven snow, did you?

      --
      BMO

    3. Re:Well I guess it's a good thing... by phantomfive · · Score: 4, Insightful

      At this point do we just expect everything to be 100% free? Or do we think money fairies give companies the capital to pay for bandwidth and processing power?

      I used to agree with you, but at this point, it's too dangerous to not block ads. You never know when one of them will be malware, and it's not a risk I want to take.

      Last time this conversation came up, someone suggested that the internet was better before advertising. I think there's some truth to that.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Well I guess it's a good thing... by fightinfilipino · · Score: 5, Insightful

      I'm curious... At this point do we just expect everything to be 100% free? Or do we think money fairies give companies the capital to pay for bandwidth and processing power?

      i'm curious...at this point should we accept malware as just a regular part of going to websites?

      the question's rhetorical of course - until websites prevent malware from being distributed through their ad networks, i will block ALL ads to defend my computer.

    5. Re:Well I guess it's a good thing... by gstoddart · · Score: 3, Insightful

      They don't owe me a damned thing, and I don't owe them anything -- but until they find a technology solution to stop me, too damned bad.

      I'm still going to block as many advertising and analytics companies as I can, using as many plugins as I can find. In every browser I use.

      The sites I read aren't in any danger of going under because I don't give them ad views -- and even if they were, I still don't trust the companies involved.

      But blocking Facebook and Twitter and the big ad/analytics companies? If you think I give a crap about that, you're sadly mistaken.

      So you go ahead and be a well behaved little consumer, me, I'll continue to not give a crap about the revenue of large corporations.

      --
      Lost at C:>. Found at C.
    6. Re:Well I guess it's a good thing... by fightinfilipino · · Score: 2

      It's an arms race.

      FYI, a great way to "defend" your computer is to not intentionally put it on the front-line.

      by "not putting it on the front line", do you mean not going to websites? like, at all?

      i mean, the article specifically notes adult websites here, but these sorts of drive-by installs and sideloading exploits occur on more mainstream sites, too. are you saying to simply not use the web?

    7. Re:Well I guess it's a good thing... by Anonymous Coward · · Score: 2, Insightful

      We don't feel entitled to their content.

      They are free to remove their content from the internet, or put it behind a paywall. But we ask them for a page, they give us a page. What we do with the page after we get it is up to us.

    8. Re:Well I guess it's a good thing... by ah.clem · · Score: 2

      I'm curious... At this point do we just expect everything to be 100% free? Or do we think money fairies give companies the capital to pay for bandwidth and processing power?

      Umm... if the advert sites go away for want of revenue, so what? I am currently involved in development work on a site in which we expect a lot of traffic, fill a niche not addressed in the chosen field, and we have no plans to run ads or charge for the service; that goes against all of our principles. And we will pony up the dough to run it ourselves, no contributions asked, expected or accepted. I also belong to a couple of private sites that are of interest to me and I contribute cash a few times a year to defray the operating costs. I also kick some cash to Wikipedia a few times a year just to help keep it ad-free. Provide it or not. Perhaps it will all come back around to Usenet and Fidonet connecting text-based RBBS. In any case, the profiteers will go away, but the information will still flow. Obviously, just my opinion.

      --
      "Life is not magic." Dr. Ron Weiss - "If we don't play God, who will?" Dr. James Watson
    9. Re:Well I guess it's a good thing... by phantomfive · · Score: 4, Interesting

      Yeah, once again, compare the dross on the internet to the good things. Slashdot, Wikipedia, a bunch of corporate websites you can visit to learn about their company, restaurant websites, Linkedin seems to be a decent place to look for a job, ebay, amazon, some news websites. Slashdot and some news websites would die without advertising, but I would be willing to subscribe to those.

      Now look at all the negative stuff. Buzzfeed, wired.com, all those websites that spew crap in order to attract your eyeballs. Out of all of that, are there any websites that would die without advertising, which you would also not be willing to subscribe to?

      The only one I can think of is Facebook, and if that one died, it would only encourage a distributed model, where everyone essentially ran their own RSS feed for their friends to look at (or something similar).

      So let the advertising die, I say, the internet will be a better place for it.

      --
      "First they came for the slanderers and i said nothing."
    10. Re:Well I guess it's a good thing... by bigfinger76 · · Score: 2, Insightful

      They don't "owe" us anything.
      They choose to put info up at a public website. What internet users do with their respective browsers is irrelevant.

    11. Re:Well I guess it's a good thing... by TranquilVoid · · Score: 2

      This entire discussion is a great example of the tragedy of the commons. Consider why you only view the large corporation sites - they offer something superior (for you, and many people), which is why they are larger, but also their revenue size is required to provide that superior service (professional journalists, double-checking by editors etc.).

      So your own browsing habits reveal that you actually do care about their revenue, indirectly. The world wouldn't end if we were all forced to get our news from random blog sites or state media, but the question is, how can larger organisations maintain a sufficient revenue stream given the inherent selfishness of the individual consumer? Subscription doesn't seem to work (and frankly I am surprised that advertising does).

  4. Something Suspicious by Anonymous Coward · · Score: 5, Interesting

    ... About Adobe's plug-in.

    How come such a relatively simple file - something that essentially plays media content - continues to be such a hot-bed of vulnerabilities. And not just bugs, but zero-day exploits too. Do I need a tinfoil hat? Or is it just a tad suspicious that this one product continues to have so many vulnerabilities found in it. After all this time. After all these previous bugs.

    Or is it the case that this is just yet another vector sponsored by the likes of the NSA or others, to infect machines of potential targets?

    This isn't an attempt to be flippant or to trash-talk Adobe. This is a serious question asked of a well-established software house and what must by now be one of the most heavily-scrutinised software packages in widespread use. Can anyone out there with specific knowledge of this product give us any insight as to why it is so regularly found to contain exploits? If we could look at the defect-per-thousand-lines-of-code, I am guessing that Adobe's products must be the worst in the industry... Can that really be the case?

    1. Re:Something Suspicious by FreonTrip · · Score: 5, Insightful

      It's a problem born from software bloat. It was originally intended to be a means of drawing vector graphics and simple animations, but there was a void in functionality in the days before PCs were fast enough to handle Javascript (or even had browsers that could cope with the highly abstracted pages written now). So more functionality was added, and with that came layer after layer of gooey, exploitable cruft. Now Flash doesn't just offer vector graphics. It's a multimedia environment with DRM, a method of offering rich internet applications, a video player, and a buttload more besides. All that bloat's been encouraged because Adobe wants Flash to be used by as many people as possible - it's publicly traded, you've got to show investors and stockholders where all that money's going - and we've now arrived at the point where it's a suppurating pile of vulnerabilities and patched-together functionality with legacy support, far more trouble than it's worth for most users.

    2. Re:Something Suspicious by BarbaraHudson · · Score: 2

      So why don't they skip the middleman and write their own browser in Flash? See how well it worked for Java? :-)

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    3. Re:Something Suspicious by Dogtanian · · Score: 2

      It's a problem born from software bloat. It was originally intended to be a means of drawing vector graphics and simple animations, but there was a void in functionality in the days before PCs were fast enough to handle Javascript (or even had browsers that could cope with the highly abstracted pages written now).

      Did you mean Java or JavaScript (*)? JavaScript of the time (late 90s) was too simplistic to be usable for serious client-side apps on its own, but I don't think it was especially slow. It was Java that was just too heavyweight for PCs of the time to handle; (**) and I think that explains *why* Flash succeeded.

      I've said it before, and I'll say it again- Flash basically snuck in via the back door to (eventually) end up filling almost the exact same role that Java Applets were supposed to meet (i.e. embedded rich software content running on the client PC via a web page) but never did.

      Since- as you say- it started out as little more than a lightweight animation tool, it was probably closer to what PCs at the time could handle, and added capabilities (and "bloat") more closely aligned with PCs' increasing power. I don't believe it was ever originally intended to take on Java Applets, but inevitably moved into that role because of a void left by Java's failure to meet the hype.

      (*) Two totally different languages and technologies intentionally confused by use of similar names
      (**) A reply to my original comment also pointed out that MS tried- and possibly did- kill off client-side Java through intentional cultivation of incompatibility in their own version. In case we'd forgotten how evil they were, given the opportunity.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    4. Re:Something Suspicious by complete+loony · · Score: 2

      Google ran a massive fuzz testing effort against the plugin and found 400 unique looking crashes that were resolved by about 80 patches. Yeah, the quality isn't looking that great...

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  5. Re:Adobe Flash Installer Download Knows About Thes by FreonTrip · · Score: 5, Insightful

    It's galling, isn't it? "We know our software's as safe on the unprotected web as a Craigslist hookup, so be sure to keep this software rubber handy." And it might not be so insulting if McAfee was good at anything besides eating hardware resources...

  6. Security Issues by TrollstonButterbeans · · Score: 5, Insightful

    "How come such a relatively simple file - something that essentially plays media content - continues to be such a hot-bed of vulnerabilities".

    Flash didn't start out as a media player, per se, but an interactive presentation layer for animations and for a while imagined itself as browser-independent web based user interface programming language.

    So it is a complex unwieldy beast.

    --
    Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
  7. This sounds serious! by hyades1 · · Score: 2

    So do action shots of me in my Captain Cocktastic costume (girlfriend's crotchless panties, Captain America helmet, red cape, and big, hairy winter boots), leaping to the attack over a suspiciously-shaped beanbag chair, constitute pornography, comedy or educational material?

    If the first is true, should I worry that I may fall victim to this security threat should the pictures accidentally become public?

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  8. Re:Adobe Flash Installer Download Knows About Thes by Rich0 · · Score: 2

    And it might not be so insulting if McAfee was good at anything besides eating hardware resources...

    Oh, they're rather good at marketing and processing credit card payments too.

  9. Re: again for the naysayers by Rockoon · · Score: 2

    ...all I see is blond, brunette, redhead....

    --
    "His name was James Damore."
  10. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion