Emergency Flash Update Fixes "In the Wild" Vulnerabilities

Corey Nachreiner

11 years ago

Summary:

These vulnerabilities affect: Adobe Flash Player running on all platforms
How an attacker exploits it: By opening any malicious Flash (SWF) content; whether from a web site, within a Word document, and so on
Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Today, Adobe released an emergency security bulletin to fix two Flash Player vulnerabilities, which attackers are actively exploiting in the wild. Both flaws are memory corruption-related issues; one being a buffer overflow vulnerability. If an attacker can entice one of your users into opening any Flash content, he could exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

As mentioned earlier, attackers are actively exploiting both these vulnerabilities in the wild. Currently, the attackers try to deliver the malicious Flash either via a booby-trapped web site, or by embedding it within malicious Word documents.

Besides patching, we recommend you educate your users about the dangers of interacting with unsolicited Word (or PDF) documents. Many of the more advanced breaches over the last few years have begun as very targeted spear-phishing emails which included malicious Word or PDF documents. Although security appliances, like WatchGuard’s, can detect some of these malicious documents using AV and IPS, you should still inform your employees to remain vigilant against these sorts of attacks.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content (and Word documents). Keep in mind, doing so blocks all such content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify these various files:

File Extension:

.flv – Adobe Flash file (file typically used on websites)
.fla – Flash movie file
.f4v – Flash video file
.f4p – Protected Flash video file
.f4a – Flash audio file
.f4b – Flash audiobook file

MIME types:

video/x-flv
video/mp4 (used for more than just Flash)
audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

FLV Hex: 46 4C 56 01
FLV ASCII: FLV
FLA Hex: D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives.)

If you decide you want to block these files, the links below contain instructions that will help you configure your XTM proxy’s content blocking features using the file and MIME information listed above.