Botched Flash 0day Gets Patched

Posted: April 8, 2016 by Jérôme Segura

Adobe has just released a patch for the infamous Flash Player to fix a vulnerability actively exploited in the wild by some exploit kits. This vulnerability was actually a zero-day (CVE-2016-1019) but exploit kit authors botched its integration which resulted in only affecting older versions of Flash.

Another saving grace was the fact that a “mitigation introduced in Flash Player 21.0.0.182 currently prevents exploitation of this vulnerability, protecting users running Flash Player 21.0.0.182 and later“.

Nonetheless, since this could be tweaked and made functional to work on fully patched versions as well, Adobe went on to fix the bug.

The Magnitude EK which has been very active as of late was in fact using CVE-2016-1019 for some time. As we reported earlier this month, several (still) active malvertising campaigns are pushing Magnitude with a little tweak, including a fingerprinting gate right before the landing page.

Magnitude EK: CVE-2016-1019 with Flash 20.0.0.306:

The payload from this attack is the Cerber ransomware:

CVE-2016-1019 is blocked by Malwarebytes Anti-Exploit:

Drive-by download attacks that involve compromised sites or malvertising continue to leverage the Flash Player as the preferred piece of software for exploitation.

As an end-user, you need to evaluate your situation and decide whether you should keep it installed or not. If you do, it is critical that you run an exploit mitigation tool in parallel due to the likelihood of zero-day attacks. In other words, the traditional advice to keep your software up to date is not sufficient when it comes to high risk plugins such as Flash.

Malwarebytes customers running Malwarebytes Anti-Exploit were already protected against this latest zero-day.

COMMENTS

Alex Helton

Hit the road, Flash, and don’t you come back no more!
wootz

can not find flash player on my computer but I just upgraded to Win 10 – does that make a difference ??
Gloria Swan

I have been running both Malwarebytes and Exploit together for over a year now. It backs up my MSE, which there is nothing wrong with it. It´s a good anitvirus and the people from Malwarebytes have told me it is a very good combination.
babanapeal .

I have just received the email below is it ligitimate or spam?
I installed Adobe Flash player 21 ActiveX yesterday because a video said it needed it to play.
It shows up in ”programmes and feature” under ”control pane”l but not in my list of “all programmes”
Dear Angus,

Adobe issued an emergency update to its Adobe Flash
Player software today after researchers discovered a vulnerability that was
being exploited to deliver ransomware. Flash has over one billion users, so odds
are you are affected by this update.

But Malwarebytes proactively
protected its millions of customers from this attack, blocking the ransomware
before it could encrypt files.

As a precaution, we suggest you update
your Adobe Flash Player (Shockwave Flash Plugin). In addition, we urge you to
consider installing both Malwarebytes Anti-Exploit Premium and Malwarebytes Anti-Malware Premium for the layered protection
that stops attacks like this from infecting your computer. Malwarebytes
Anti-Exploit Premium blocks the exploit attempt, while Malwarebytes Anti-Malware
Premium stops the ransomware execution (if Malwarebytes Anti-Exploit Premium is
not installed).

We’d hate to see your computer compromised. Here at
Malwarebytes, we pledge to keep you protected and informed about the latest
issues. Your peace of mind is our number one priority.

Sincerely,

The Malwarebytes Team

P.S. Learn more about this threat here.
greekgal

I’ve done the same – makes me feel safer – and after reading about the ransom ware issue I feel even safer. Thanks, Malwarebytes!!
beer73

MBAM & MBAE helps to protect your pc (I use both) but you always must combine it with a regular backup plan and make it the backup location not accesible for the ramsomware (just in case).
Lynn1102

For quite some time we have been advised to get rid of Flash. I wouldn’t mind that, but there are still lots of sites out there that use Flash. What is the alternative?
John Fry

Does anyone have a discount code ? Here in the UK it’s over $30.00 for one year. I already have a lifetime licence for Mb Pro
John Fry

Just managed to download this program for the US dollar price instead of the UK pound price. Much better deal…
Duane Lawton

Here’s my fix: I have a way old version of flash that Firefox won’t run without my permission. “Firefox has prevented the outdated plugin “Adobe Flash” from running on…. Continue Blocking (or) Allow”.
I only Allow if I know what it is I’m running it on. This has the added benefit of keeping all the **** ad popups from overwhelming my experience. For that reason I’ve refused to upgrade Flash for a couple of years.

Are there downsides to my strategy? If I upgraded to avoid the malware, is there another way to stifle the adware?
Tylosaurus

Hey all,

Well I use Malwarebytes Anti-Malware Premium + Anti Exploit Premium 1 Year License for 3 systems that in combination with Panda Global Protection 2016 3 Year License for 3 systems + Microsoft Security Essentials as well these four seems to work well together, I was always like the more protection the better, but then again nothing is 100% fail safe, even I really hope that day will come.

Anyways hereby I want to greatly thank the Malwarebytes team for being the best for this type of protection software, you guys saved many lives from malicious attacks threats and other what nots, so thanks again.

May The Force Be With You Always 🙂
Tylosaurus 🙂
Sierragator

This is very important advice; if the backup drive is attached to your computer, the ransomware will encrypt it also, and your backup will do you no good.
If you back up to an external USB drive, get one that MUST be plugged in to AC power, not the compact USB-powered versions. Buy a small timer that can be set to power on at a specific time on a specific day of the week (or however often you back up). Set the timer to come on just before your automatic backup starts, and allow a little extra time for it to complete so the drive doesn’t shut off while it’s backing up.
This will give you a disconnected full system backup that the ransomware doesn’t have access to, and no need for ‘cloud’ storage or manually backing up and disconnecting each time.
Michael Hunt

I don’t understand exactly what you are saying. I have the latest flash player (always update that thing) and a current version of FF (which sadly auto updates rather you want it or not). In FF plugin just mark to always ask before opening flash player. Its the same as what you are doing, but you really should have the most current flash player installed. Its a menace for sure but it still rules the roost on the net. In fact I can only think of 2 sites I use regularly that don’t use it and that’s YouTube & Netflix.
j.granade

I only had this program for 3 weeks when my system crashed and after trying to get a replacement program and getting ignored I went to AVG. They corrected this problem yesterday.
Learjet

So far, so good, thanks to Malwarebytes. You’ve saved me so much potential harm over the years. The premium package is well worth the nominal price. Thank you!
bobby

Thank you malwarebytes!
dfgfdgg

Browser vendors or even Adobe themselves should start shipping a whitelist of sites that are allowed to run Flash, all other sites would refuse to load flash unless the user manually accepts it through a scary warning such as the ones you get for invalid SSL certificates. This is the only way to stop Flash from being the number one target for exploitation while still causing minimal headache for the average user (if implemented correctly). Ofcourse this doesn’t completely mitigate the problem; a whitelisted site could be compromised to host malicious flash code for example but this should still be enough to sift focus from Flash to something else.
dfgfdgg

What you’re doing is stupid. You can manually enable click-to-play for Flash even if you’re running the latest version which has the added benefit of you actually having the latest version of Flash which isn’t as full of holes as some ancient version.
DavidAR

What you forgot to add was do NOT try to restore the backup until the system is clean. If you do the backup will be encrypted too!
leexgx

in firefox and chrome you can set it to be Click and play (unless you whitelist a site on the drop down item or the puzzle on chrome)
just google it
make sure you use adblock as well (the ads are likely worse things then flash but that is pushing it on what it worse then flash java maybe?)
leexgx

its part of windows 10 (edge and IE as its updated via windows update) likely you already have the update already (the “About flash” website does not even have the updated version on there at the time of posting as chrome as 216 but site says newest is 213)

should really change to firefox and chrome and set flash to click to play (chrome) or always ask (firefox)
Glennfriend67

A friend turned me on to Malwarebytes a few years ago, and I am so grateful he did! My computers and tablets have stayed in much better shape ever since. It’s inexpensive, and I can cover my parents’ computers, too. I praise the day Malwarebytes was invented; it has protected my electronics from a lot of horrible things floating around out there. I long for the day when something will block everything, and put these evil jerks out of business once and for all. Till then, I’m grateful we have something like Malwarebytes to keep an eye out. Thanks folks, for looking after us ordinary people!
JohnnyBowe

Very pleased with MWBytes, however, something leaked through on my other computer that causes it to shut down. Was on a website purchasing an item and.. poof, the cursor started acting on it’s own and that was the end of it. It powers on but shuts itself off as soon as I try to log in. I’m not a computer genious so it may not even by malware. Very suspicious though.
No chance of me not renewing my premium license though.
wootz

Thank you – went into Chrome and disabled it
Alex Helton

Sounds like you got hit with a RAT.
Jean Gionet

I would use “Malwarebytes Anti-Exploit” in a “flash” (pun intended lol), however I’m not a fan of this subscription based licensing. Luckily for me I was able to obtain a lifetime license for Anti-Malware. 😉
Jérôme Segura

The Free version of Malwarebytes Anti-Exploit also blocks this 0day 🙂
Jérôme Segura

Thanks for the kind words!
Jérôme Segura

Thanks!
Jérôme Segura

Thank you!
leexgx

as long as your booting off a recovery windows 7 disk (as i found out you cant do a complete PC restore using any normal windows 7 disk)

if its a normal windows 7 backup it not matter as you’re doing a complete pc restore (not system restore) the drive is wiped when the image /complete pc restore is done
bobby

I use anti exploit and it’s an amazing piece of software! Screw mcafee!!!!
redwolfe_98

maybe the exploit-kit’s “zero-day” wasn’t botched at all.. rather, the cybercriminals saw that the “exploit” couldn’t do anything with the newer versions of “flash player” except cause it to crash, without anything else malicious being done, so they didn’t target the newer versions of FP..

by targetting older versions of FP, the cybercriminals managed to keep under the radar for a few extra hours, since, apparently, researchers assumed that it was an old exploit, since it was targetting older versions of FP..

really, for a supposed “zero-day”, it turned out to be pretty useless since it could only effectively exploit older, unpatched versions of FP.. they could have used old, known exploits to do the same thing, that is, to exploit old, unpatched versions of FP..
Johni Pennie

Love Malwarebytes!!!
KenD

I’m only finding a 14 day free trial of Anti-Exploit…do you have a link to a Free version?
thanks very much.
george miller

i got hit same thing. it was deep in my root system . everytime i ran a scan fron either Malwarebytes or Norton 360 . the system would crash before scans completion. even norton’s power eraser failed to fully deploy. what ever it was it has stealth and is crafty as the affected area changed location after each attempt at scanning. . only things that saved me was Malwarebytes ,Norton 360 C Cleaner and a host of other goodies that kept my data from being stolen. . i used two external back ups on a rotating basis so one is always off line. i did a clean recovery and lost only a few photos. not a biggie
Roger

When you install the Malwarebytes Anti-Exploit software, pay attention to the install and a small box will show that says try the 14 day free trial – for the premium version or close to those words. Just make sure the box is unchecked and the installer will install the free version. Hope that helps. I found that out myself when my Malwarebytes notified me that my 14 day trial had expired so I uninstalled it and reinstalled it. That’s when I noticed the check box. Hope this helps.
Roger

I love Malwarebytes. I have your premium version as well as your antiransome ware and anti-exploit as well. I wouldn’t use any other antimalware program. You guys have saved my bacon many times. thank you. You have a great company.
Pilot53

Malwarebytes Anti-Exploit seems to be invoked whenever I launch not only MS Edge but also Adobe PDF Reader, MS Word, Excel, etc with the result that there is a pause before my files open. Can this be mitigated somehow?
Cliff Mp

Love Malwarebytes!!!!!! One of my MAIN and most important priority apps I use. Oh, and of course Anti Exploit Prem. Fine company … FIne products… others can take some lessons…:-/
00000000001

On Sunday I caught the PUP.Optional.Gameo virus. On my screen was a letter, claiming to be Microsoft, and I should phone 844-402-2065 for help. Malwarebytes rounded up 89 nasties in the first scan, then 2 more scans to catch 3 more, then I was clean.
Mog Grat

Had Malwarebytes but when I upgraded my Trend Micro it automatically deleted it as being non-compatible. (win7)
publius_maximus_III

Love my Malwarebytes Anti-Malware Home (Premium). Never had a problem since it was installed a few years ago. I also use Microsoft Security Essentials, but suspect the Malwarebytes does most of the heavy lifting.
Peter Amsel

This Zero-Day attack took place the same week we installed our Anti-Exploit for the two laptops in our house; I’d have to say that the timing was pretty good … or rather suspicious (if Malwarebytes was trying to demonstrate how indispensable their software services happened to be, that is). Then again, I’m a writer and tend to look for suspicious intent where it may not otherwise exist. Either way, I’m not about to let my subscription lapse!
KenD

Thanks for the tip, Roger. Hopefully that will continue past the 14 days. Much appreciated.
Roger

You are welcome. So far it has been fine on my PC for over a month. Good luck bud.:)
Prof321

Malwalrebytes Premium and Ant-Exploit are excellent for protecting my desktop. Don’t go anywhere without them.
Darryl Cady

I do not see it on my Chrome. How do I find it? Or maybe do not have it installed.
Darryl Cady

I just downloaded the free version too. Love free stuff. I pay for the Malwarebytes Premium, but did not want another subscription.
Geesus

So you want cheaper for a great product? That breaks down to 2.50 $ a month to help protect you.
I pay 25$ a year for MBAM Home Premium and my sub is going to renew next month. I’m a single Dad with 2 sons and I can afford that because it’s WORTH the security we have on our PCs. /smh
Fr. Tom Bartolomeo

I have a malwarebytes account and yet was infected by the Cerber ransomware which required a clean install and fortunately I was able to upload my Carbonite external files with much difficulty. Why did Malwarebytes fail to catch the ransomware virus or at least advise me?

RELATED ARTICLES

Exploits | Threat analysis

Citadel: a cyber-criminal’s ultimate weapon?

November 5, 2012 - In old times, a citadel was a fortress used as the last line of defense. For cyber criminals it is a powerful and state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes...

CONTINUE READING No Comments

Exploits | Threat analysis

Web Exploits: a bright future ahead

January 2, 2013 - The majority of computers get infected from visiting a specially crafted webpage that exploits one or multiple software vulnerabilities. It could be by clicking a link within an email or simply browsing the net, and it happens silently without any user interaction whatsoever. Vulnerabilities are flaws that exist in various programs and that allow someone to...

CONTINUE READING 2 Comments

Exploits | Threat analysis

Zero-Day Java vulnerability wreaks havoc on computers worldwide

January 14, 2013 - Update (1/14/2013) Oracle has issued an emergency patch to be shipped with version 7 update 11. While we are pleased to see a quick turnaround time, we stand by our initial recommendations to disable Java in your browser. This is still the most exploited piece of software and whether it is patched or not still unnecessarily puts you...

CONTINUE READING 1 Comment

Exploits | Threat analysis

New Exploit Kit, Ransomware and AV evasion

March 14, 2013 - Ransomware is still going strong and infecting countless PCs. We happened to stumble upon an interesting sample part of the Urausy family which bypassed detection on all major antivirus products for almost an entire day before slowly being detected. In this post we will give some information on its background (where it came from) and...

CONTINUE READING No Comments

Exploits | Threat analysis

Redkit Exploit Kit does the splits

April 5, 2013 - Exploit Kit authors must really love Java . Not only is it ripe with vulnerabilities but its own language provides a great platform to write and deliver malware in different ways. We are used to seeing encrypted payloads (XOR, AES encryption), applets containing both the exploit itself and the binary payload. Today we will talk...

CONTINUE READING No Comments

ABOUT THE AUTHOR

Jérôme Segura
Lead Malware Intelligence Analyst

Security researcher with a focus on exploits, malvertising and fraud.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

SEARCH LABS

TOP POSTS

Botched Flash 0day Gets Patched

Citadel: a cyber-criminal’s ultimate weapon?

Web Exploits: a bright future ahead

Zero-Day Java vulnerability wreaks havoc on computers worldwide

New Exploit Kit, Ransomware and AV evasion

Redkit Exploit Kit does the splits

Cybersecurity info you can’t do without