Adobe Patches Flash Zero-Day Exploited By Magnitude Exploit Kit

wiredmikey writes: Adobe released a Flash Player update on Thursday night to patch a zero-day vulnerability that has been leveraged by cybercriminals to deliver malware via the Magnitude exploit kit. The vulnerability [CVE-2016-1019], a memory corruption that can be exploited for remote code execution, was discovered after, on April 2, security researcher Kafeine of Proofpoint noticed a change in the Magnitude exploit kit. The sample was then investigated by FireEye, which determined that Magnitude EK had been exploiting a previously unknown vulnerability in Flash Player."Despite the fact that this new exploit could potentially work on any version of Adobe Flash, including a fully patched instance of Flash, the threat actors implemented it in a manner that only targeted older versions of Flash. In other words, equipped with a weapon that could pierce even the latest armor, they only used it against old armor, and in doing so exposed to security researchers a previously unreported vulnerability," Proofpoint said in a blog post.

Re:You were warned

[GrumpySteen]

You have been warned repeatedly that cars are dangerous. Therefore, if you still get in a car and you get hurt or killed by a drunk driver, you only have yourself to blame.

Yeah, no. Blaming the victim doesn't accomplish anything other than making sure that nothing changes and nothing gets better.

Until companies are actually held liable for the damage that their insecure software causes, they will keep creating insecure software because it's cheaper and more profitable than taking the time to make it secure.

Re:You were warned

[gstoddart]

Funny, I use the back button for sites requiring Flash.

The only things I truly need Flash for are work related training, which periodically requires I re-enable it. But I won't even run my work browser with it enabled.

No way in hell I'd ever consider running Flash by default ... the idea of letting random websites let random third parties run arbitrary code is so utterly moronic as to defy belief.

To me Flash is primarily an ad platform. If there are useful sites requiring Flash to work, I'm afraid I've never seen them, or don't consider them useful. I don't use video on the intertubes, because I don't care.

It seems like Flash has had at least one major security exploit every month for over 15 years, which tells me the entire platform and its security model are so defective that it has to be in the "don't trust by default" category.

I have no interest in letting advertisers, or anybody else, have access to anything which runs arbitrary code on my machine just because I visited a web page.

Interesting evolution of malware

[140Mandak262Jamuna]

When malware were named viruses and borrowed terminology from biology and germ theory of diseases, initially (I mean back in early 1990s) it was kind of funny almost snark. But the the behavior of the malware evolved very similar to the way biological viruses evolve, and the comparison and terminology became increasingly relevant. Bio viruses reduce their own lethality [*1] to improve their own chances of survival and propagation. Even the original C-brain floppy disk virus of 1988 waited for 50 copies being made before it would take adverse action. Keeping a few weapons in the reserve, not attacking all possible hosts etc are all things bio viruses do too.

So where would it go? Some viruses reduced their lethality a lot and helped their hosts survive better so that these viruses could also survive better. At some point they benefit they added was so much, they were more symbiotes rather than a pathogen. Some eventually gave up all attempts find new host or propagation and became totally dependent on their hosts. The mitochondria in each of our cells that is actually the powerhouse that generates energy for the organisms, was once a free living bacteria [*2]. The gut bacteria of so many animals are totally dependent on their host. Some of the viruses got spliced into our DNA itself! There are genes from viruses in our DNA happily churning out proteins for us!

Malware authors can not claim copyright, nor can they enforce any intellectual property rights on their creation. There is nothing to stop OS developers from picking up useful bits of algorithms and code from these viruses and using it in legitimate code. Very interesting to think about what could happen. Of course, the biota is still full of harmful viruses and bacteria. So not all viruses will be tamed. But there is some potential to harvest these viruses for any good code/algorithm/logic they might have in them.

[*1] no no no, I am not saying these viruses are sentient and they deliberately did X to achieve Y. Some viruses did X, that was beneficial due to Y, and they survived better than the ones that did not do X, thus eventually only the viruses that did X are the only ones still alive. Anthropomorphizing and attributing purpose to an evolutionary process is simply a shorthand used by biologists. Read Daniel Dennett, he explains it far better than I do.

[*2] Endosymbiosis.

Re:You were warned

[Solandri]

Macromedia never asked for Flash to become the de facto web standard for multimedia on web pages. All they wanted to do was make a tool which allowed artists to stream animated video using less bandwidth than real video - very important in the early days of the Internet when people were connecting over dialup on 56 kbps modems. So rather than transmit ever frame, it'll let you transmit the spirtes of the animated characters and a background image, and scroll the background image as the sprites move around. Being an artist's tool, they added lots of features to help with the creation of animation. The features have gotten good enough that Flash is still being used for this purpose by animators making TV shows.

Flash became widely adopted on the web because the W3C dragged their feet for 15 years. Users wanted multimedia in web pages. Web designers wanted multimedia in web pages. A bunch of W3C people with sticks up their asses decided there shouldn't be multimedia in web pages (probably traumatized by the way the blink tag was abused), and refused to update the HTML standard to allow it (until HTML 5 was standardized a couple years ago). So web designers looked around for the next best thing, and hey! There's this thing called Flash. It's originally meant for creating animated videos, but it's flexible enough for us to add scripted multimedia to our web pages. Let's use that instead!

The situation is analogous to users wanting hammers, and stores wanting to sell hammers, but the government refusing to pass safety standards which would allow the sale of hammers. Then people realize they can buy rocks from a decorative landscaping store and use them as hammers. Soon everyone is using rocks as hammers, except that being rocks they frequently break and injure the user. Do you really think the rock-selling company should be liable for damage caused by people using their product in a manner in which it wasn't intended?