Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Flash 0-Day: Deciphering CVEs and Understanding Patches - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Flash 0-Day: Deciphering CVEs and Understanding Patches

(updated with Jan 24th update)

The last two weeks, we so far had two different Adobe advisories (one regularly scheduled, and one "out of band"), and three new vulnerabilities. I would like to help our readers deciphering some of the CVEs and patches that you may have seen.

CVE Fixed in Flash Version  Currently Used in Attacks Advisory
CVE-2014-8440 15.0.0.223 (Nov. 2014) yes APSB14-24
several 16.0.0.257 (mid Jan 2015) yes. APSB15-01
CVE-2015-0310 16.0.0.287 (late Jan 2015) yes APSB15-02
CVE-2015-0311 16.0.0.296 (Jan 24th 2015) yes APSA15-01

So in short: There is still one unpatched Flash vulnerability. System running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1 and the vulnerability is not exposed via Chrome. EMET appears to help, so may other tools like Malwarebytes Anti-Exploit.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Johannes

3221 Posts
ISC Handler
Thanks for such a succinct and useful post. The URL for the CVE-2015-0310 has a typo in it, and should point to http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0310
Adam

3 Posts Posts
Thanks! Typos fixed.

Cheers,
Adrien
Adrien de Beaupre

353 Posts Posts
ISC Handler
The link for CVE-2015-0311 also has a typo.
ScottL

2 Posts Posts
Thx Adrien for a diary,
Another broken link for CVE-2015-0311 please:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0311
Regards
@Rmkml
Rmkml

10 Posts Posts
Is it advised to hold off on patching for CVE-2015-0310, and wait until Adobe releases a new patch next week that 'may' have been proposed?
Anonymous
Posts
I wouldn't wait.....
K-Dee

64 Posts Posts
Kafeine originally reported latest Windows/IE as either not vulnerable or not targeted (can't remember which). However his blog has been revised to the contrary. Only the Chrome PepperFlash sandbox contains it.

Fully Update windows 8.1 with Internet Explorer 11 up to date.
Owned - 2015-01-22

However EMET 5.1 detects a stack-pivot and blocks the exploit, though Kafeine reports performing only testing one configuration (the above) one time.
Starlight

34 Posts Posts
Extremely useful, thanks!

If only every vendor provided clear tables like this, and if I could combine them into one, and annotate with which versions are installed on every managed workstation, laptop, handheld, ... it would go some way to actually being able to keep up with the rate we see new vulnerabilities these days.
Steven C.

171 Posts Posts
hey people,

so as briefly discussed in https://isc.sans.edu/forums/diary/Flash+0Day+Exploit+Used+by+Angler+Exploit+Kit/19213/
( =( aww couldn't crowdsource it via SANS ;) )

I've looked at extending MS's out of date active-x blocking XML for Flash and it worked.
Technically there is no indication if it is intended for admin modification but hey.

the readme, xml and a brief discussion of things are in a poorly formatted readme.md
on

here is a picture of the end result: https://github.com/mallorybobalice/ie-custom-oob-xml-rules/issues/1

https://github.com/mallorybobalice/ie-custom-oob-xml-rules/
https://github.com/mallorybobalice/ie-custom-oob-xml-rules/blob/master/versionlist.xml
https://github.com/mallorybobalice/ie-custom-oob-xml-rules/blob/master/README.md

the versionlist.xml and how to deploy it is there as well.



While on the subject of blocking or preventing it being exploited - please join the discussion about deploying EMET and to whine a bit about your experience here: https://isc.sans.edu/forums/your+EMET+51+experience/667/
While on the subject - let's share experiences about deploying EMET. It is hard. We should put together more guidance as a community for it or pressure MS to. (or if there's good docs and I'm confused - please do point me to them)



PS if EMET 5.1 wasn't blocking the exploits in question via the StackPivot detection or another mitigation [complementation mention for Kafeine only testing defaults and existing exploits, but I have a feeling 5.1 is harder to bypass]

EMET can do something very similar to the above using EMET 'Attack Surface Reduction'.
That's a fancy name for 'prevent a DLL you name from loading' [not granular for versions unlike with ALB] and allows you to grant local intranet/trusted site exceptions

e.g. add flash.ocx;FlashUtil_ActiveX.dll to the ASR list

What's more can also do it for any other process you add EMET rules for . [once you get past the initial deployment hurdles that is]
Mallory Bobalice

28 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!