The new year is off to a challenging start for Adobe, with the company’s Flash Player being hit by multiple zero-day exploits in just the first weeks of 2015. The zero-day exploits stand in contrast to the disciplined security regime that has been in place in recent years, which reversed a common trend of zero-day Flash exploits that existed back in 2009.
The latest zero-day vulnerability was publicly disclosed by Adobe in a bulletin released on Feb. 2. The new vulnerability is identified as CVE-2015-0313 and is present in Adobe Flash Player 16.0.0.296 and prior versions.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe warned in its advisory. “We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.”
The CVE-2015-0313 exploit was preceded by the CVE-2015-0311 issues that Adobe warned about in a bulletin issued Jan. 27.
For the CVE-2015-0311 issue, Cisco’s Talos security research group has reported that it has evidence the vulnerability is being exploited in the Angler exploit kit and has already infected at least 1,800 known domains.
On Jan. 22, Adobe issued a bulletin warning about the CVE-2015-0310 vulnerability, which was also being exploited in the wild.
The CVE-2015-0310 flaw is an address space layout randomization (ASLR) mitigation bypass, while the CVE-2015-0311 and CVE-2015-0313 vulnerabilities are memory-corruption bugs, said Dan Caselden, senior malware researcher at FireEye. “For CVE-2015-0311 and CVE-2015 0313, there are a ton of similarities,” Caselden told eWEEK. “The exploits in CVE-2015-0311 and CVE-2015-0313 also share a lot of code, and some of the CVE-2015-0311 exploits drop a payload from the same family as the CVE-2015-0313 exploit.”
The Adobe Flash zero-days are fundamentally memory-management issues, according to Karl Sigler, threat intelligence manager at Trustwave. “This allows a criminal to push malicious code into a system by manipulating flaws in how Flash handles memory,” Sigler explained to eWEEK. “The other similarity is that all of them were discovered being actively used by criminals in the wild.”
The exploits are all in one way or another bypassing Adobe’s security sandbox, which is supposed to limit the potential risk of an exploit. By accessing memory directly, these exploits are able to bypass any security protections in Flash, Trustwave’s Sigler said.
In a 2013 video interview with eWEEK, Brad Arkin, Adobe chief security officer, explained how the company had re-engineered its development process to build more secure applications. The sandbox is a key part of the process.
Adobe did not respond to a request for comment from eWEEK by press time on the new zero-day issues in 2015.
Although Adobe has had to scramble to patch multiple zero-day issues so far in 2015, Sigler doesn’t see the challenge as being about a fundamental insecurity flaw in Flash though the technology doesn’t have a great security track record.
“Criminals know this and pick applications that are widely used with a poor security history,” Sigler said. “Given that all three were discovered being used by exploit kits, it’s possible that the same researcher or team of researchers found all three vulnerabilities just by poking and prodding Flash.”
Al Pascual, director, fraud and security, Javelin Strategy & Research, noted that given Flash’s ubiquity, it is an attractive attack vector. Flash’s age, which serves to make it ever more complex with every update, likely adds as many security holes as are patched along the way, and the trend of Flash exploits is likely to continue, he added.
“Apple was right to avoid Flash like the plague, especially with so many less vulnerable alternatives now readily available,” Pascual told eWEEK.
In 2014, the focus for exploit writers was Microsoft’s Internet Explorer (IE) browser, Caselden said. Microsoft released some neat mitigations for memory heap exploits, which broke the technique that the exploit writers had become comfortable with, he said, adding that there was a quiet period where they were looking for the “next thing,” and that next thing is Flash.
“[Flash] has a similar attack surface as IE, and exploit writers were already using Flash to orchestrate IE exploits,” Caselden said. “So, all they needed to do was move their bug-hunting efforts from IE UAFs [use-after-free vulnerabilities] to Flash bugs, and they could continue using the same techniques as last year to bypass ASLR and DEP [data-execution prevention].”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.