
More Vulnerabilities found in Adobe Flash

As we have said before, it seems hardly a week goes by without an announcement of another security weakness found in Adobe Flash. This week we discuss two.

HTML5 was supposed to replace Adobe Flash. The goal was a standard that browser designers could use to play video without relying on third-party software. But for various reasons, most sites still use Flash. Steve Jobs at Apple famously wrote in 2010 that he would not allow Flash onto the iPhone or iPad. He later backtracked, in part because of the threat of anti-competitive litigation, and in part because website owners whose videos would no longer work complained in large numbers.

The Flash Player is built into most browsers. For example in Google Chrome you can type chrome://plugins/ and you will see something like:

Adobe Flash Player - Version: 24.0.0.194
Shockwave Flash 24.0 r0

The two new exploits are CVE-2016-4117, which FireEye reported as "Flash Zero-Day Exploited in the Wild", and CVE-2016-1019, which FireEye reported as "A New Flash Exploit Included in Magnitude Exploit Kit". Those vulnerabilities are in versions 21.0.0.216 and 21.0.0.197 and older. They have been fixed by Adobe.
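The article's advice is to read the version line out of chrome://plugins and compare it against the last affected versions it names. The following is an added example, not code from the article, FireEye or Adobe: it parses a plugin line in the format shown above into a four-part version and reports whether that version is at or below a given last-affected version. The sample lines are constructed, the function names are the example's own, and which of the two version numbers belongs to which CVE is not asserted; each line is simply checked against both thresholds.

```c
#include <stdio.h>
#include <string.h>

/* A four-part Flash Player version such as "24.0.0.194". */
typedef struct {
    int part[4];
} flash_version;

/* Parse a dotted four-part version string. Returns 1 on success, 0 if malformed. */
int parse_version(const char *s, flash_version *v)
{
    int n = sscanf(s, "%d.%d.%d.%d",
                   &v->part[0], &v->part[1], &v->part[2], &v->part[3]);
    return n == 4;
}

/* Compare two versions part by part; returns <0, 0 or >0 like strcmp. */
int compare_version(const flash_version *a, const flash_version *b)
{
    for (int i = 0; i < 4; i++) {
        if (a->part[i] != b->part[i])
            return a->part[i] < b->part[i] ? -1 : 1;
    }
    return 0;
}

/* Pull the version out of a chrome://plugins style line, e.g.
   "Adobe Flash Player - Version: 24.0.0.194". Returns 1 on success. */
int version_from_plugin_line(const char *line, flash_version *v)
{
    const char *marker = "Version: ";
    const char *p = strstr(line, marker);
    if (p == NULL)
        return 0;
    return parse_version(p + strlen(marker), v);
}

/* Returns 1 if the plugin line reports a version at or below last_affected
   (still inside the vulnerable range), 0 if it is newer, and -1 if either
   string could not be parsed. An unparseable line is reported rather than
   treated as safe, so a caller scanning many hosts does not skip one silently. */
int flash_line_is_vulnerable(const char *line, const char *last_affected)
{
    flash_version installed, affected;
    if (!version_from_plugin_line(line, &installed))
        return -1;
    if (!parse_version(last_affected, &affected))
        return -1;
    return compare_version(&installed, &affected) <= 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample lines in the format the article shows. */
    const char *lines[] = {
        "Adobe Flash Player - Version: 24.0.0.194",
        "Adobe Flash Player - Version: 21.0.0.216",
        "Adobe Flash Player - Version: 21.0.0.197",
        "Shockwave Flash 24.0 r0",
    };
    /* The two last-affected versions named in the article. */
    const char *last_affected[] = { "21.0.0.216", "21.0.0.197" };

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        for (size_t c = 0; c < 2; c++) {
            int r = flash_line_is_vulnerable(lines[i], last_affected[c]);
            printf("%-42s vs %-10s: %s\n", lines[i], last_affected[c],
                   r < 0 ? "unparseable" : r ? "VULNERABLE" : "newer than affected range");
        }
    }
    return 0;
}
```

Comparing part by part matters: a plain string comparison would rank "21.0.0.197" above "21.0.0.216" because '9' sorts after '2', which is exactly the mistake that makes a patched host look unpatched or vice versa.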

Adobe thanked the security researcher @kafeine for finding the second one. It is related to some of the hacking techniques leaked to Wikipedia by The Italian Team, author of million-dollar exploits sold to governments and others.

CVE-2016-4117
This Flash exploit is embedded in a Microsoft Word document. It is a memory leakage problem. The hackers have studied Adobe Flash very closely: they figured out how to extend an object in Flash and then add their own methods to it.

For non-programmers: suppose you have an object Ball. To make a VolleyBall object you would extend Ball, which lets you add the functions and fields a volleyball needs that a generic ball might not. What the hackers did in this case was overload a function, meaning they implemented one with the same name Adobe was using, so that their logic effectively overwrote the logic in Adobe Flash.


The approach is then to corrupt memory that Flash is pointing at so that the addressable space becomes larger. The hacker can then change Flash's program flow so that it executes instructions they have written there. In this case, Flash downloads further malware from the hacker's website, installing more software to take over the user's machine: ransomware, or other software the hacker can operate by remote control.

FireEye says that Windows software developers can protect their apps from some of these types of exploits by downloading and installing the Windows Enhanced Mitigation Experience Toolkit (EMET). It works on almost every version of Windows, including Windows 10. FireEye recommends that Adobe use it.

Microsoft says of EMET, “EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques.”

CVE-2016-1019
Like the exploit above, this one also attacks memory allocation problems. Flash is a .so (Linux) or .dll (Windows) library written in C or C++. Those languages require the programmer to allocate objects in memory and keep track of them and their addresses. Java and other programming languages do not allow the programmer to access memory directly like that, so they do not have these kinds of issues.

The buffer overflow attack is launched via the Magnitude Exploit Kit, which is exactly the kind of hacking tool that The Italian Team and other cyber espionage firms sell.
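To make the point about C and C++ memory handling concrete, here is an added example that is not Flash code and not taken from FireEye's analysis: a small parser for a length-prefixed record, written once in the vulnerable form the article describes (the declared length is trusted and copied into a fixed buffer) and once in a bounds-checked form that rejects anything that would write past the buffer or read past the input. The record layout, NAME_MAX, the function names and the sample inputs are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* A fixed-size record as a C library might keep it: the name lives in a
   buffer whose size the programmer, not the language, must respect. */
typedef struct {
    char name[NAME_MAX];
    uint8_t name_len;
} record;

/* Vulnerable form (constructed illustration): the input's own length byte is
   trusted and copied straight into the fixed buffer. A declared length above
   NAME_MAX writes past name[], and a declared length above the bytes actually
   present reads past the input. Kept only for contrast with the checked form;
   it is never given anything but well-formed input below. */
void parse_record_unchecked(const uint8_t *in, size_t in_len, record *out)
{
    (void)in_len;                   /* the bug: the available length is ignored */
    uint8_t declared = in[0];
    memcpy(out->name, in + 1, declared);
    out->name_len = declared;
}

/* Hardened form: every length is checked against both the destination
   capacity and the bytes actually available before any copy happens.
   Returns 0 on success and -1 when the record is rejected. */
int parse_record_checked(const uint8_t *in, size_t in_len, record *out)
{
    if (in == NULL || out == NULL || in_len < 1)
        return -1;                  /* no length byte at all */
    uint8_t declared = in[0];
    if (declared >= NAME_MAX)
        return -1;                  /* would overflow name[] (one byte kept for NUL) */
    if ((size_t)declared + 1 > in_len)
        return -1;                  /* would read beyond the input buffer */
    memcpy(out->name, in + 1, declared);
    out->name[declared] = '\0';
    out->name_len = declared;
    return 0;
}

int main(void)
{
    record r;
    memset(&r, 0, sizeof r);

    /* Constructed inputs: a well-formed record, one whose length byte is far
       larger than the buffer, and one that is cut short. */
    const uint8_t good[]      = { 5, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t oversized[] = { 200, 'x', 'x', 'x' };
    const uint8_t truncated[] = { 5, 'h', 'i' };

    int rc = parse_record_checked(good, sizeof good, &r);
    printf("good:      rc=%d name=\"%s\" len=%u\n", rc, r.name, r.name_len);
    printf("oversized: rc=%d\n", parse_record_checked(oversized, sizeof oversized, &r));
    printf("truncated: rc=%d\n", parse_record_checked(truncated, sizeof truncated, &r));

    /* The unchecked parser is only ever given the well-formed input here. */
    parse_record_unchecked(good, sizeof good, &r);
    printf("unchecked on good input: len=%u\n", r.name_len);
    return 0;
}
```

The two rejections in the checked form are the two halves of the problem the article describes: the first guards the write side (a heap or stack buffer overflow), the second guards the read side (an over-read that leaks memory contents). A managed language performs both checks on every array access; in C the author of the library has to write them.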

The hack targets any operating system that runs Adobe Flash in the browser. It does not matter whether it is Windows, Ubuntu or another OS: the target, Adobe Flash, is loaded by the browser and so is not part of the OS.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
