he first major zero-day of 2015 has been discovered, it is actively exploiting Adobe Flash and already bundled into an exploit kit.
The flaw was discovered by researcher Kafeine, and he said that he spotted an instance of the Angler exploit kit which is sending three different “bullets” targeting Flash Player, although it is not being used in all Angler instances. What is safe is Windows 8.1 and Google Chrome, however other Windows OS are not as safe.
In a year where I expect we will see more zero-day vulnerabilities revealed and less time between disclosure and remediation, and following Microsoft’s decision not to reveal which flaws it is patching and then pointing the finger at Google for revealing the details of unpatched flaws, could this be the start of another tumultuous year for vendors and administrators alike? We asked some of security’s finest minds what they thought.
Richard Cassidy, senior solutions architect at Alert Logic
“Web based exploit kits (such as Angler) pose a real and complex threat to businesses, given that they can operate on both file (malware code downloaded to target system disk) and fileless (malicious code executed in memory only) methods, and are run as web-applications designed to exploit vulnerabilities in browsers and browser-plugins.
“Simply put, you could visit a compromised website that will silently use web applications hosted on those sites or adverts to infect the target system, or you could open an e-mail with an infected link, click on that link and be directed to the malicious website. Once infected, the exploit kit simply chooses which exploit to run based upon it’s knowledge of your browser and exploitable plugins (flash, java, adobe, etc.) which in turn leads to a compromise of the system and loss of data, or unwanted activity.”
Fraser Kyne, principal systems engineer at Bromium
“This is yet more proof that existing security tools are failing. It is simply not good enough to wait for something bad to happen, start a stopwatch, and see how quickly we can react to avert a disaster. Particularly when the attackers started their stopwatches some time ago. Companies need a modern approach to protect against modern threats. This does not mean the hopeless task of detection. It means making our systems robust to malware by design.”
Adam Winn, product manager at OPSWAT
“While the rise of yet another zero-day attack is unnerving, the silver lining here is that a fully patched Windows 8.1 environment is not vulnerable. Users of Windows 8.1 can protect themselves simply by ensuring Windows automatic
updates are enabled, and promptly rebooting their system when instructed to. These types of attacks are going to become increasingly common for Windows XP and soon Windows 7 as Microsoft stops releasing security updates.”
Carl Leonard, principal security analyst at Websense
“Malware authors are bringing their proven formula into 2015. What better way to establish a foothold in numerous organisations than by hitting businesses in their popular applications?
“This is why companies need defence in depth, with protection across all stages of the kill chain. Most importantly, data theft prevention is so important because it’s the final stage, and the most dangerous. Left exposed, it opens the door to the bad guys and gives them access to the company’s most valuable secrets.”
Update – Adobe has announced that there is a patch available for this flaw, and said it is investigating a report that a separate exploit for Flash Player 16.0.0.287 and earlier versions also exists in the wild.2222
