Exploit kit targeting zero-day vulnerability in Flash Player

Only some instances of the Angler Exploit Kit are targeting the latest flaw


UPDATE (23/Jan/2015): Adobe has issued a patch to address one of two zero-day vulnerabilities being exploited online. However, attacks targeting both are ongoing, so users are urged to update as soon as possible. The flaw referenced below is set to be patched next week.

Kafeine, a well-known malware researcher, is reporting that the Angler Exploit Kit has started targeting a new vulnerability in Adobe's Flash Player. The malicious payload isn't being used by all Angler instances, but at least one is targeting version 16.0.0.257, the current release.

According to a recent report from Malwarebytes, exploit kits are one of the fastest-growing threats online, as they're able to leverage the inherent trust that people place in the websites they regularly visit. Not that long ago, a single exploit kit on a well-visited website infected 6,000 people in just 30 minutes, the report noted.

Modular by design, exploit kits can be updated on the fly to target the latest vulnerabilities in Flash, Internet Explorer, Adobe Reader, and Java.

Angler is just one of the popular kits on the criminal market, holding its own against RIG, Astrum, Sweet Orange, and Fiesta.

In a statement, Pedro Bustamante, the director of Special Projects at Malwarebytes, said the fact that the zero-day was being used by Angler shows that criminals are keen to target people en masse.

"Using a delivery mechanism such as Angler increases the chance of successful infections, allowing for accurate attacks through infected adverts on high traffic websites," Bustamante's statement added.

The zero-day was observed during a drive-by attack, and Kafeine says the payload is focused on Internet Explorer.

Testing has confirmed that the attack targets Windows XP (IE versions 6-9), Windows 7 (IE 8), and Windows 8 (IE 10). However, Windows 8.1 isn't being targeted. Likewise, Chrome users are also being ignored by the payload delivery script.

A spokesperson from Adobe said that the company is aware of the zero-day reports and investigating the claims.
