As we have said before, it seems hardly a week goes by without an announcement of another security weakness found in Adobe Flash. This week we discuss two.
HTML5 was supposed to replace Adobe Flash. The goal was to have a standard that browser designers could use to process video without having to rely on 3rd-party software for that. But for different reasons, most sites still use Flash. Steve Jobs at Apple famously wrote in 2010 that he would not allow Flash onto the iPhone or iPad. He later backtracked, in part because of the threat of anti-competitive litigation. Plus website owners whose videos would no longer work complained in large numbers.
The Flash Player is built into most browsers. For example in Google Chrome you can type chrome://plugins/ and you will see something like:
Adobe Flash Player - Version: 18.104.22.168
Shockwave Flash 24.0 r0
The two new exploits are CVE-2016-4117 (Flash Zero-Day Exploited in the Wild) and CVE-2016-1019 (A New Flash Exploit Included in Magnitude Exploit Kit), as reported by FireEye. The vulnerabilities affect versions 22.214.171.124 and 126.96.36.199 and older. Both have been fixed by Adobe.
Adobe thanked the security researcher @kafeine for finding the second one. It is related to some of the hacking techniques leaked to Wikipedia by The Italian Team, author of million-dollar exploits sold to governments and others.
This Flash exploit is embedded in a Microsoft Word document. It is a memory leakage problem. The attackers clearly studied Adobe Flash closely: they figured out how to extend one of its objects and then add their own methods to it.
For non-programmers, that means: suppose you have an object Ball. To make a Volleyball object you would extend Ball. That lets you add new functions and fields that a Volleyball needs but a generic Ball might not. What the attackers did in this case was override a function, meaning they implemented one with the same name as the one Adobe was using, so their version ran instead. In effect they replaced logic inside Adobe Flash with their own.
The approach is then to corrupt memory that Flash's object refers to so that the region the attacker can read and write becomes larger than intended. From there the attacker can change Flash's program flow so that it executes instructions they have placed in memory. In this case, that causes Flash to download further malware from the attacker's website, installing more software to take over the user's machine, such as ransomware or tools the attacker can operate by remote control.
FireEye says that Windows software developers can protect their apps from some of these types of exploits by downloading and installing the Windows Enhanced Mitigation Experience Toolkit (EMET). It works on almost every version of Windows, including Windows 10. FireEye recommends that Adobe use it as well.
Microsoft says of EMET, “EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques.”
Like the exploit above, this one also attacks memory allocation problems. Flash is a .so (Linux) or .dll (Windows) shared library written in C or C++. Those languages require the programmer to allocate objects in memory and keep track of them and their addresses. Java and other programming languages do not let the programmer access memory directly like that, so they do not have these kinds of issues.
The buffer overflow attack is launched via the Magnitude Exploit Kit, which is exactly the kind of hacking tool that The Italian Team and other cyber espionage firms sell.
The hack targets any operating system that runs Adobe Flash in the browser. It does not matter whether it is Windows, Ubuntu or another OS, because the target, Adobe Flash, is loaded by the browser and is not part of the OS itself.
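To make concrete both the "enlarge the addressable space" step described above and the point about C requiring the programmer to police memory by hand, here is an added example (not code from the original post, FireEye or Adobe) using a hypothetical object layout constructed for illustration: a small buffer followed by the length field that bounds-checks reads. An unchecked copy spills into the length field, after which the accessor admits any index; the hardened copy refuses oversized input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical object layout, constructed for this example: a small data
 * buffer followed directly by the length field that bounds-checks reads.
 * Real Flash internals are not reproduced. */
typedef struct {
    uint8_t  data[8];
    uint32_t length;  /* how many bytes index_allowed() will admit */
} obj_t;

/* Vulnerable: n is never compared with the buffer size, so bytes 8..n-1
 * of src land on length, the field that is supposed to fence reads in. */
static void fill_unchecked(obj_t *o, const uint8_t *src, size_t n) {
    uint8_t *dst = (uint8_t *)o;          /* data[] starts at offset 0 */
    for (size_t i = 0; i < n; i++) dst[i] = src[i];
}

/* Hardened: refuse anything larger than the buffer. Returns 0 or -1. */
static int fill_checked(obj_t *o, const uint8_t *src, size_t n) {
    if (n > sizeof o->data) return -1;
    for (size_t i = 0; i < n; i++) o->data[i] = src[i];
    return 0;
}

/* The accessor trusts length; once it is corrupted, any index passes. */
static int index_allowed(const obj_t *o, uint32_t idx) {
    return idx < o->length;
}

/* Feeds one constructed 12-byte input to the chosen copy routine. */
static obj_t run_scenario(int hardened) {
    obj_t o = { {0}, sizeof o.data };
    uint8_t payload[12];                  /* 8 x 'A' then 4 x 0xFF */
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = i < 8 ? 'A' : 0xFF;
    if (hardened) fill_checked(&o, payload, sizeof payload);   /* rejected */
    else          fill_unchecked(&o, payload, sizeof payload); /* length -> 0xFFFFFFFF */
    return o;
}

int main(void) {
    obj_t bad = run_scenario(0), good = run_scenario(1);
    printf("unchecked: length=%u, index 1000 admitted=%d\n",
           (unsigned)bad.length, index_allowed(&bad, 1000));
    printf("checked:   length=%u, index 1000 admitted=%d\n",
           (unsigned)good.length, index_allowed(&good, 1000));
    return 0;
}
```

The single missing comparison in fill_unchecked is the whole difference between the two outcomes, which is why mitigations such as EMET exist to catch the later stages when such a check is absent.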