Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe's Latest Zero-Day Exploit Repurposed, Targeting Adult Websites

Posted by samzenpus on from the watch-what-you-watch dept.

MojoKid writes Adobe issued a patch for bug CVE-2015-0311, one that exposes a user's browser to become vulnerable to code injection, and the now infamous Angler EK (Exploit Kit). To fall victim to this kind of attack, all someone needs to do is visit a website with compromised Flash files, at which point the attacker can inject code and utilize Angler EK, which has proven to be an extremely popular tool over the past year. This particular version of Angler EK is different, however. For starters, it makes use of obfuscated JavaScript and attempts to detect virtual machines and anti-virus products. Its target audience is also rather specific: porn watchers. According to FireEye, which has researched the CVE-2015-0311 vulnerability extensively, this exploit has reached people via banner ads on popular adult websites. It was also noted that even a top 1000 website was affected, so it's not as though victims are surfing to the murkiest depths of the web to come in contact with it.

9 of 203 comments (clear)

  1. Adblock, FTW by Kiaser+Zohsay · · Score: 5, Insightful

    Seriously, who even sees ads anymore?

    --
    I am not your blowing wind, I am the lightning.
  2. Something Suspicious by Anonymous Coward · · Score: 5, Interesting

    ... About Adobe's plug-in.

    How come such a relatively simple files - something that essentially plays media content - continues to be such a hot-bed of vulnerabilities. And not just bugs, but zero-day exploits too. Do I need a tinfoil hat? Or is it just a tad suspicious that this one product continues to have so many vulnerabilities found in it. After all this time. After all these previous bugs.

    Or is it the case that this is just yet another vector sponsored by the likes of the NSA or others, to infect machines of potential targets?

    This isn't an attempt to be flippant or to trash-talk Adobe. This is a serious question asked of a well-established software house and what must by now be one of the most heavily-scrutinised software packages in widespread use. Can anyone out these with specific knowledge of this product give us any insight as to why it is so regularly found to contain exploits? If we could look at the defect-per-thousand-lines-of-code, I am guessing that Adobe's products must be the worst in the industry... Can that really be the case?

    1. Re:Something Suspicious by FreonTrip · · Score: 5, Insightful

      It's a problem born from software bloat. It was originally intended to be a means of drawing vector graphics and simple animations, but there was a void in functionality in the days before PCs were fast enough to handle Javascript (or even had browsers that could cope with the highly abstracted pages written now). So more functionality was added, and with that came layer after layer of gooey, exploitable cruft. Now Flash doesn't just offer vector graphics. It's a multimedia environment with DRM, a method of offering rich internet applications, a video player, and a buttload more besides. All that bloat's been encouraged because Adobe wants Flash to be used by as many people as possible - it's publicly traded, you've got to show investors and stockholders where all that money's going - and we've now arrived at the point where it's a suppurating pile of vulnerabilities and patched-together functionality with legacy support, far more trouble than it's worth for most users.

  3. Re:Maybe if Adobe fixed their broken updater... by jandrese · · Score: 5, Interesting

    My favorite part is where the updater tells you that a new update is ready, but it won't install it automatically because Adobe needs another ad impression or something and you have to download and install it yourself. This is why I don't have Flash or Java installed anymore. I especially like when they try to sideload some crapware toolbar with their security update too. I can kind of understand this sort of behavior from a sketchy freeware app being hosted by J. Random Guy, but Oracle and Adobe are multimillion dollar corporations. Do they really care so little about their brand?

    --

    I read the internet for the articles.
  4. Re:Adobe Flash Installer Download Knows About Thes by FreonTrip · · Score: 5, Insightful

    It's galling, isn't it? "We know our software's as safe on the unprotected web as a Craigslist hookup, so be sure to keep this software rubber handy." And it might not be so insulting if McAfee was good at anything besides eating hardware resources...

  5. Security Issues by TrollstonButterbeans · · Score: 5, Insightful

    "How come such a relatively simple files - something that essentially plays media content - continues to be such a hot-bed of vulnerabilities".

    Flash didn't start out as a media player, per se, but an interactive presentation layer for animations and for a while imagined itself as browser-independent web based user interface programming language.

    So it is a complex unwieldy beast.

    --
    Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
  6. Re:Well I guess it's a good thing... by gstoddart · · Score: 5, Insightful

    I'm curious... At this point do we just expect everything to be 100% free? Or do we think money fairies give companies the capital to pay for bandwidth and processing power?

    Hey, there will always be people who don't block ads. Some sites have subscriptions, which people are free to use.

    But the reality is, most sites with ads are infested with literally dozens of third party crapware, places which sideload junk into your system (specifically through crap like Flash), and which want to collect collate and sell your private information.

    I will allow a site which serves its own advertising to show ads as long as they're not overly intrusive. But doubleclick, discus, scrorecard reasearch, quantcast, facebook, twitter -- and literally hundreds of other shit sites I have no interest in, well -- that's not my problem.

    I'm visiting your website. Unless you lock me out via subscription (in which case I'll ignore your site), I do not owe you ad revenue, and I sure as shit don't owe the 20 other sites embedded in your website anything.

    Honestly, if you eventually go out of business ... that is not my problem. Protecting myself from marketers and malware is my problem, and quite frankly, Flash gets reported as loading up malware pretty regularly. I've treated it as malware for over a decade now.

    But let's not act like I owe you something. And let's certainly not act like just because you collect your money from a bunch of shady assholes that I owe them anything.

    --
    Lost at C:>. Found at C.
  7. Re:Maybe if Adobe fixed their broken updater... by s.t.a.l.k.e.r._loner · · Score: 5, Insightful

    Mandatory: http://xkcd.com/1197

  8. Re:Well I guess it's a good thing... by fightinfilipino · · Score: 5, Insightful

    I'm curious... At this point do we just expect everything to be 100% free? Or do we think money fairies give companies the capital to pay for bandwidth and processing power?

    i'm curious...at this point should we accept malware as just a regular part of going to websites?

    the question's rhetorical of course - until websites prevent malware from being distributed through their ad networks, i will block ALL ads to defend my computer.