Adobe Patches Flash Zero-Day Exploited By Magnitude Exploit Kit (securityweek.com)

← Back to Stories (view on slashdot.org)

Adobe Patches Flash Zero-Day Exploited By Magnitude Exploit Kit (securityweek.com)

Posted by BeauHD on Thursday April 7, 2016 @09:51PM from the quick-before-it's-too-late dept.

wiredmikey writes: Adobe released a Flash Player update on Thursday night to patch a zero-day vulnerability that has been leveraged by cybercriminals to deliver malware via the Magnitude exploit kit. The vulnerability [CVE-2016-1019], a memory corruption that can be exploited for remote code execution, was discovered after, on April 2, security researcher Kafeine of Proofpoint noticed a change in the Magnitude exploit kit. The sample was then investigated by FireEye, which determined that Magnitude EK had been exploiting a previously unknown vulnerability in Flash Player."Despite the fact that this new exploit could potentially work on any version of Adobe Flash, including a fully patched instance of Flash, the threat actors implemented it in a manner that only targeted older versions of Flash. In other words, equipped with a weapon that could pierce even the latest armor, they only used it against old armor, and in doing so exposed to security researchers a previously unreported vulnerability," Proofpoint said in a blog post.

34 of 69 comments (clear)

Min score:

Reason:

Sort:

Armor old new armor! by Anonymous Coward · 2016-04-07 21:55 · Score: 1

New old pierce weapon armor!! âoeOld armor only âoeâoe armor! Cyber armor WEAPON,â said Armor!
1. Re:Armor old new armor! by halivar · 2016-04-08 00:47 · Score: 1
  
  The only thing "astandard" here is the site that only handles US-ASCII characters in 2016. It's not defensible.
2. Re:Armor old new armor! by U2xhc2hkb3QgU3Vja3M · 2016-04-08 00:54 · Score: 1
  
  I'm on a Mac and I also see accented characters all over the place.
3. Re:Armor old new armor! by KGIII · 2016-04-08 06:43 · Score: 1
  
  Is that true? ½ ¼ ¥ € £ © ® etc... I thought those were early Unicode. It does make sense, though.
  
  --
  "So long and thanks for all the fish."
4. Re:Armor old new armor! by halivar · 2016-04-08 07:10 · Score: 1
  
  Nope! Those are all high ASCII.
5. Re:Armor old new armor! by KGIII · 2016-04-09 12:47 · Score: 1
  
  Thanks! I wasn't sure which ones where which. There's a slew of 'em that pass through the filters. I do believe they'll be fixing Unicode in the stories but not adding the full list to the comments. At least something along those lines. (I've been paying attention to the various comments made by our new overlords. They've specifically referenced fixing them in stories but not in any other context.)
  
  --
  "So long and thanks for all the fish."
You were warned by Gravis+Zero · 2016-04-07 22:44 · Score: 1, Troll

You have been warned repeatedly that you Flash and Java plugins/addons/extensions are insecure and that you should uninstall them. Therefore, if you still have Flash or Java installed and you get compromised because of it, you only have yourself to blame.

--
Anons need not reply. Questions end with a question mark.
1. Re:You were warned by GrumpySteen · 2016-04-07 23:26 · Score: 5, Interesting
  
  You have been warned repeatedly that cars are dangerous. Therefore, if you still get in a car and you get hurt or killed by a drunk driver, you only have yourself to blame.
  Yeah, no. Blaming the victim doesn't accomplish anything other than making sure that nothing changes and nothing gets better.
  Until companies are actually held liable for the damage that their insecure software causes, they will keep creating insecure software because it's cheaper and more profitable than taking the time to make it secure.
2. Re:You were warned by wbr1 · 2016-04-07 23:42 · Score: 1
  
  Look at parents sig. He wants to hold victims accountable but not himself. Typical entitled attitude. Move along.
  
  --
  Silence is a state of mime.
3. Re:You were warned by Anonymous Coward · 2016-04-07 23:42 · Score: 2, Informative
  
  Bingo. I installed Windows 8 shortly after it came out and I purposely avoided installing Java because I knew there were huge security issues with it. That meant giving up VisualRoute, but I lived with it. As I live in China, I sometimes rely on using a proxy server to access parts of the internet I enjoy (facebook, youtube, mamedev). Previously I was using a free service called SoftEither VPN. It worked, rarely, but it was often very slow. A worker showed me a paid service called Lightning VPN. It was awesome. Very fast and reliable. Connected everyrtime. So, I use it now too, but it requires Java. So, I bit the bullet and installed Java. So, you want people to quit using Java and Flash? Well, some of us want too, but don't have the luxury of making those choices.
4. Re:You were warned by ChunderDownunder · 2016-04-07 23:56 · Score: 1
  
  Nice in theory.
  In the real world people still available themselves of content that they rely on served only via Flash.
  Which is why I use Firefox as my main browser and Chrome for those sites that require it.
5. Re:You were warned by Dutch+Gun · 2016-04-08 00:16 · Score: 2
  
  At the very least, people really need to enable click-to-play for Flash. That would tend to prevent nearly all of these sorts of exploits, but when you still find an occasional Flash video or content, you can still play it. Of course, still better if you can completely do without Flash at all, which is increasingly easy these days with HTML5 being embraced by more sites.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
6. Re:You were warned by Bengie · 2016-04-08 00:24 · Score: 1
  
  You have been warned repeatedly that [your] Internet connection is insecure and that you should not use it. Therefore, if you still have the Internet and you get compromised because of it, you only have yourself to blame.
  
  We need to get rid of dependencies before we can get rid of them. Not everyone wants to browses the Internet with Lynx.
7. Re:You were warned by gstoddart · 2016-04-08 01:42 · Score: 3, Interesting
  
  Funny, I use the back button for sites requiring Flash.
  The only things I truly need Flash for are work related training, which periodically requires I re-enable it. But I won't even run my work browser with it enabled.
  No way in hell I'd ever consider running Flash by default ... the idea of letting random websites let random third parties run arbitrary code is so utterly moronic as to defy belief.
  To me Flash is primarily an ad platform. If there are useful sites requiring Flash to work, I'm afraid I've never seen them, or don't consider them useful. I don't use video on the intertubes, because I don't care.
  It seems like Flash has had at least one major security exploit every month for over 15 years, which tells me the entire platform and its security model are so defective that it has to be in the "don't trust by default" category.
  I have no interest in letting advertisers, or anybody else, have access to anything which runs arbitrary code on my machine just because I visited a web page.
  
  --
  Lost at C:>. Found at C.
8. Re:You were warned by ChunderDownunder · 2016-04-08 02:27 · Score: 1
  
  Well in my case it's my university lessons.
  That and the local tv stations that repeat programs online, where I'll load one of their movies when there's nothing on.
  But for general usage, no. Which is why I don't have the Flash for Firefox but Chrome ships with its own internal copy when I do need it.
9. Re:You were warned by Solandri · 2016-04-08 02:43 · Score: 3, Interesting
  
  Macromedia never asked for Flash to become the de facto web standard for multimedia on web pages. All they wanted to do was make a tool which allowed artists to stream animated video using less bandwidth than real video - very important in the early days of the Internet when people were connecting over dialup on 56 kbps modems. So rather than transmit ever frame, it'll let you transmit the spirtes of the animated characters and a background image, and scroll the background image as the sprites move around. Being an artist's tool, they added lots of features to help with the creation of animation. The features have gotten good enough that Flash is still being used for this purpose by animators making TV shows.
  
  Flash became widely adopted on the web because the W3C dragged their feet for 15 years. Users wanted multimedia in web pages. Web designers wanted multimedia in web pages. A bunch of W3C people with sticks up their asses decided there shouldn't be multimedia in web pages (probably traumatized by the way the blink tag was abused), and refused to update the HTML standard to allow it (until HTML 5 was standardized a couple years ago). So web designers looked around for the next best thing, and hey! There's this thing called Flash. It's originally meant for creating animated videos, but it's flexible enough for us to add scripted multimedia to our web pages. Let's use that instead!
  
  The situation is analogous to users wanting hammers, and stores wanting to sell hammers, but the government refusing to pass safety standards which would allow the sale of hammers. Then people realize they can buy rocks from a decorative landscaping store and use them as hammers. Soon everyone is using rocks as hammers, except that being rocks they frequently break and injure the user. Do you really think the rock-selling company should be liable for damage caused by people using their product in a manner in which it wasn't intended?
10. Re:You were warned by Archangel+Michael · 2016-04-08 02:50 · Score: 1
  
  You do realize that the very first slave owner in America was ... black, right?
  There is nobody here that owned slaves, knows anyone that was or owned slaves, probably several more generations more. We are 150 years from slavery in the US, but people like you keep acting like it was last week.
  At some point, you're going to have to realize that the problem isn't slavery, it is attitude. But I guess it is always easier to blame others for your own shortcomings.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
11. Re:You were warned by cheesybagel · 2016-04-08 03:40 · Score: 1
  
  Flash was abused all the time. People used it to design websites that took forever to load with animations and other useless crap, claiming it was leading edge tech, even if the only thing you wanted to get out of the site was a text list. There were perfectly valid uses for it, but it took a long time to standardize the technology in way that would fit with prior W3C standards. Initially the main concern was with the scalable vector graphics and animation. It was initially planned to do it with SVG and Javascript. The specs came out fine. But since Adobe bought Macromedia (Adobe being one of the main proponents behind SVG) they lost interest in SVG on the Web. So the artist tools never materialized on time. As for video, I think browsers have had a video tag or an object tag since like forever. But the problem was always that the W3C did not want patent royalties in any part of the spec including video and audio codecs. So you had a video tag but you didn't know which video formats the browser supported. Macromedia paid MPEG-4 royalties for every Flash plugin that was installed.
12. Re:You were warned by arth1 · 2016-04-08 03:48 · Score: 1
  
  Indeed. Even my ZyXEL "Unified Security Gateway" uses both Flash and Java.
13. Re:You were warned by Archangel+Michael · 2016-04-11 05:02 · Score: 1
  
  http://www.thegatewaypundit.co...
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
14. Re:You were warned by Archangel+Michael · 2016-04-11 05:21 · Score: 1
  
  http://www.thegatewaypundit.co...
  
  There is nobody here that owned slaves, knows anyone that was or owned slaves, probably several more generations more.
  
  I have relatives alive today who are in their 80s and 90s, whose grandfather or grandmother
  was born a slave in the United States.
  If you're going to be pedantic, at least do it according to the criteria i setup. "Here" being slashdot. and "several more generations" would definitely qualify as making your cases, if your case was against my initial statement, rather than the "probably", which would acknowledge the possibility of edge case scenario you described. My dad's father may have known owners or former slaves. I don't know, because I don't remember him. My dad, was born at a time when there were former slaves and slave owners, but I am pretty sure he didn't know any. And I am kind of young for my "generation", my dad being in his 40's when I was born.
  Suffice it to say, my statements aren't false, they were emphasizing a real point. You being pedantic doesn't negate accuracy. Most people here are several generations removed from slavery. Again, quit pretending it was yesterday. With each subsequent generation that follows, the further we are removed.
  At some point, you're going to have to realize that the problem isn't slavery, it is attitude. And from yours, I can tell you're not yet there. Nobody you know was a slave, or owned a slave. Your kids are likely to have the exact same experience. Are you passing your excuses on to them?
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Heart broken ... by gstoddart · 2016-04-08 00:30 · Score: 1

Not a zero day exploit in Flash. Why, I'm utterly traumatized by this, my faith in humanity has been utterly ruined, why I ... oh, fuck it ...
Yawn, yet another zero day exploit in a steaming turd of a technology which has been an endless series of security holes for almost 20 years now.
And, having been largely Flash free for at least 15 of those years, all I can say is "enjoy your quality software, suckers".
Honestly, the only thing which has cumulatively had more security holes than Flash is Windows. I honestly don't know why people keep trusting it, because it really has been a terrible security risk forever, and disabling it is usually the first thing I do in a browser.

--
Lost at C:>. Found at C.
1. Re:Heart broken ... by Catiline · 2016-04-08 01:35 · Score: 1
  
  Honestly, the only thing which has cumulatively had more security holes than Flash is Windows. I honestly don't know why people keep trusting it, because it really has been a terrible security risk forever, and disabling it is usually the first thing I do in a browser.
  I expect a large portion of the Slashdot commentariat also have "disable Windows" as the first thing on their to-do list.
  
  --
  Do you like Japanese imports?
2. Re:Heart broken ... by Marginal+Coward · 2016-04-08 02:37 · Score: 1
  
  Yawn, yet another zero day exploit in a steaming turd of a technology which has been an endless series of security holes for almost 20 years now.
  Just curious: why is that? Is there something inherently insecure about the design of Flash? Or, is Adobe simply negligent? Or, is this a ploy to coax users into accidentally installing adware each time they update?
  (Please don't just answer "all of the above" - I'm looking for details here, especially if there is something inherently insecure about the design of Flash.)
3. Re:Heart broken ... by Marginal+Coward · 2016-04-08 02:41 · Score: 1
  
  I like your term "commentariat" - very clever. To that, we might add "curserati" and maybe even "conspirocracy."
4. Re:Heart broken ... by ole_timer · 2016-04-08 03:41 · Score: 1
  
  Flash (and PDF) have the .data segment that executes. That's all you need to know. Bad. For the real geeky look at how the flate directive works.
  
  --
  nothing to see here - move along
5. Re:Heart broken ... by ole_timer · 2016-04-08 03:43 · Score: 1
  
  for the truly geeky look at jit spraying, it has its own Wikipedia page.
  
  --
  nothing to see here - move along
eBay by ArchieBunker · 2016-04-08 00:33 · Score: 1

This might explain why I was getting all kinds of malware warnings while browsing eBay last night. Flash is so bad that Chrome started not playing it by default.

--
Only the State obtains its revenue by coercion. - Murray Rothbard
Re:Site improvement idea by halivar · 2016-04-08 00:49 · Score: 2

"SAFETY IS OUR GOAL: It has been [ 2 ] days since our last Adobe Flash 0-day exploit."
Re:Site improvement idea by U2xhc2hkb3QgU3Vja3M · 2016-04-08 00:56 · Score: 1

Much more simple to add a permanent banner that says "Security warning: uninstall Flash from your computer".
Interesting evolution of malware by 140Mandak262Jamuna · 2016-04-08 02:06 · Score: 4, Interesting

When malware were named viruses and borrowed terminology from biology and germ theory of diseases, initially (I mean back in early 1990s) it was kind of funny almost snark. But the the behavior of the malware evolved very similar to the way biological viruses evolve, and the comparison and terminology became increasingly relevant. Bio viruses reduce their own lethality [*1] to improve their own chances of survival and propagation. Even the original C-brain floppy disk virus of 1988 waited for 50 copies being made before it would take adverse action. Keeping a few weapons in the reserve, not attacking all possible hosts etc are all things bio viruses do too.
So where would it go? Some viruses reduced their lethality a lot and helped their hosts survive better so that these viruses could also survive better. At some point they benefit they added was so much, they were more symbiotes rather than a pathogen. Some eventually gave up all attempts find new host or propagation and became totally dependent on their hosts. The mitochondria in each of our cells that is actually the powerhouse that generates energy for the organisms, was once a free living bacteria [*2]. The gut bacteria of so many animals are totally dependent on their host. Some of the viruses got spliced into our DNA itself! There are genes from viruses in our DNA happily churning out proteins for us!
Malware authors can not claim copyright, nor can they enforce any intellectual property rights on their creation. There is nothing to stop OS developers from picking up useful bits of algorithms and code from these viruses and using it in legitimate code. Very interesting to think about what could happen. Of course, the biota is still full of harmful viruses and bacteria. So not all viruses will be tamed. But there is some potential to harvest these viruses for any good code/algorithm/logic they might have in them.
[*1] no no no, I am not saying these viruses are sentient and they deliberately did X to achieve Y. Some viruses did X, that was beneficial due to Y, and they survived better than the ones that did not do X, thus eventually only the viruses that did X are the only ones still alive. Anthropomorphizing and attributing purpose to an evolutionary process is simply a shorthand used by biologists. Read Daniel Dennett, he explains it far better than I do.
[*2] Endosymbiosis.

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Is Adobe paid to include vulnerabilities? by Futurepower(R) · 2016-04-08 04:24 · Score: 1

How can there be so many defects in Flash? Is Adobe paid to include vulnerabilities? If so, who pays? Secret government agencies? One of the many stories: The NSA hacks other countries by buying millions of dollars worth of computer vulnerabilities.

Is Adobe badly managed?

"Honestly, the only thing which has cumulatively had more security holes than Flash is Windows."

Is Microsoft paid to include vulnerabilities? Or is it bad management? "Monkey Boy" can't run a technology company?
Can viruses be cited as prior art? by 140Mandak262Jamuna · 2016-04-08 05:15 · Score: 1

Wondering the intellectual property ramifications of the virus code. USPTO says once something is published, we need to file within one year for patent. After one year published work can not be patented. Our lawyers force us to use complex #IF_PATENT_PENDING / #ENDIF constructs to keep patentable code away from daily builds and release builds. Even if there is no pathway for the code to be executed, the lawyers claim it does not matter. Inactive, unusable algorithms that were built and shipped would count. So they say.
So if there is an interesting, innovative, novel device in some virus, will it be counted as prior art? The security researchers who see this code first hand might try to patent it, of course. Now USPTO has moved from first-to-invent to first-to-file. So they might even get the patent, but only if they do it within one year since it was released. Has anyone cited some work in a virus to argue challenge a patent claim as not-novel, covered by prior art?

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
So, just a vulnerability, then? by Chalnoth · 2016-04-08 07:40 · Score: 1

Every vulnerability is zero-day until a patch comes out addressing it.