Grab Adobe and Microsoft’s Emergency Flash and IE Fixes

Let’s start with the short version. Yesterday, both Microsoft and Adobe released out-of-cycle updates to fix zero day security vulnerabilities that advanced attackers are exploiting in the wild via “watering hole” campaigns. If you use these products and haven’t installed the updates, go get the Flash and Internet Explorer (IE) fixes now!

The slightly longer story is early this week (during the U.S. President’s Day holiday) two security companies, FireEye and Websense, independently reported discovering two different legitimate web sites serving malware via a drive-by download attack. The web sites included a U.S Veteran’s site (VFW.org) and a French aeronautical company’s web site. The malicious code on these sites exploited two previously undiscovered, zero day vulnerabilities affecting Adobe Flash, and IE 9 and 10. They also delivered some relatively advanced trojan malware (in one case, Gh0strat), which has been used before in attacks that seem to come from China-based hackers. Since these sites have very specific user bases (military and ex-military, or aeronautical engineers), these attack campaigns fall into the category of watering hole attacks, where smart attackers purposely hijack web sites they know their target visits in hopes of poisoning the target’s watering hole. If you’d like to learn more about these types of attacks, and other web threats, you can check out a presentation I recently gave on the subject in a BrightTALK. You can also learn more about these specific attacks in this week’s upcoming security video.

In any case, yesterday both Microsoft and Adobe released advisories that include updates or FixIts that patch these zero day flaws. While you probably haven’t run into these exploits yet, unless you happen to fall into the two victim bases for these attacks, I expect criminal attackers to quickly start leveraging these new flaws. Now that they are public, you can expect criminal hackers to quickly incorporate the new attacks into the exploit kits they sell on the underground. Once they do, you’ll start to see these exploits popping up every where, to serve normal criminal malware. In other words, if you use IE or Flash, you should go get the updates immediately. You can find links to them in Microsoft and Adobe’s advisories. — Corey Nachreiner, CISSP (@SecAdept

 

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

6 Responses to “Grab Adobe and Microsoft’s Emergency Flash and IE Fixes”

  1. I understand this has been an element of fighting games for a while now, but to someone who is anything less than a hardcore gamer;
    staring at these symbols is meaningless and irritating.
    Injustice: Gods Among Us – Injustice: Gods Among Us has several of DC Comics’ superheroes and supervillains (or at least, alternate reality versions of the characters) fighting against each other
    in 3 on 3 bouts, where they punch, kick, blast and even hit each
    other with cars. Nothing is a bigger drag than blowing a fuse or tripping a circuit breaker mid-match.

  2. Hmm is anyone else experiencing problems with the images on this blog
    loading? I’m trying to figure out if its a problem on my end
    or if it’s the blog. Any suggestions would be greatly
    appreciated.

Trackbacks/Pingbacks

  1. March’s Patch Day Includes an IE Zero Day Fix | WatchGuard Security Center - March 7, 2014

    […] the rest as Important. The biggest news about these updates is that the IE one will completely fix the zero day flaw that attackers have been exploiting in the wild, in watering hole attacks. So at the very least, you should prepare to install the IE update as […]

  2. Microsoft Black Tuesday: Patch IE Zero Day & Windows Vulnerabilities | WatchGuard Security Center - March 11, 2014

    […] zero day flaw which attackers have been leveraging in watering hole attacks. Though Microsoft released a Fix-it for this vulnerability a few weeks ago, this update completely corrects the underlying issue. Make […]

  3. Latest IE Update Patches Zero Day Hole and 17 Others | WatchGuard Security Center - March 11, 2014

    […] one of these memory corruption corruption flaws in the wild. Recently, security researchers have discovered attackers exploiting this particular IE flaw in two watering hole attacks, where they hijack legitimate […]

  4. Adobe Patch Day Consists of Minor Flash Update | WatchGuard Security Center - March 11, 2014

    […] attackers to read the contents of your computer’s clipboard. Compared to Adobe’s recent emergency Flash patch, which fixed a zero day issue exploited in the wild, these issues are not very severe. In fact, […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: