Researchers at Morphisec, an Israeli start-up focusing on polymorphic defense, a process that earned them kudos during the RSA Conference in 2014, have discovered a clever Flash bypass being used by the Nuclear exploit kit.
CVE-2015-5560 has been targeted by both the Angler and Nuclear exploit kits. The vulnerability itself was patched in August, after Adobe released Flash version 22.214.171.124.
Realistically though, Adobe, while a priority in most cases, doesn't often see immediate updates within organizations that lack a patch management process. Thus, there are still plenty of systems (at home and in the office) that are running Flash 126.96.36.199 or lower.
Morphisec says they discovered the bypass while trying to reproduce the exploit internally in order to ensure their product would properly detect it.
Oddly, in their eyes, the exploit delivery method in this case was unusual. The exploit was encrypted and needed access to a server side component before the attack could conclude properly.
This means the exploit is disposable in some ways, as it runs just a single time. In addition, this method also makes the exploit difficult to reproduce.
For signature-based detections, an encrypted exploit that runs once and requires server side components is a tough nut to crack – sometimes impossible. Last month, Kaspersky released information on this problem, which Morphisec used in their work.
It took some effort, but once the exploit was reproduced, Morphisec noticed something strange.
"To our big surprise we found out that the exploit itself (after decryption) was employing vector exploitation on Flash version 188.8.131.52 even though it had been declared that vector corruption exploitation are mitigated starting in this version," wrote Michael Gorelik, Morphisec's VP R&D, in a company blog.
In version 184.108.40.206 Adobe added two mitigations to Flash in order to address vector corruptions, an attack surface exploit kit developers have been targeting for some time. Unfortunately for Adobe, researchers were able to bypass those mitigations.
Later, Adobe fixed their broken mitigations and enabled vector heap partitioning to help limit some of the bypasses discovered by researchers. The technical details are available on the Google Project Zero blog.
"The vulnerability itself is patched now (this specific vulnerability does not exist in [Flash version 220.127.116.11], but the key thing here is not the vulnerability," explained Gorelik, when asked about the research via email.
"In [version 18.104.22.168], Flash not only fixed few vulnerabilities but also pushed a major redesign to mitigate this popular – some argue the most popular – exploitation method to make attackers lives harder and prevent exploitation even if vulnerabilities exist."
But what Morphisec discovered is that Adobe failed to mitigate the most popular and easiest method of vector corruptions to exploit.
"Therefore the bad guys will continue to focus on Flash vulnerabilities given the exploitation is still easy after you have a vulnerability," Gorelik added.
The point here is that while Adobe worked to limit the attack surface, there were problems and something was missed. Software isn't perfect – it never will be. That's why the rat race between end users and criminals exists.
If you can patch it, they can break it.
Adobe has fixed the vector issue discovered by Morphisec, as well as the bypasses discovered by other researchers, in version 22.214.171.124.
Morphisec's research is another example of why Adobe should be one of the priorities when it comes to patching. Not only are the normal vulnerabilities still valid, but even if they're fixed, it doesn't mean that criminals won't figure out a way past that hurdle.
However, if you or your organization doesn't need Flash – uninstall it. These days, Flash is a relic of the Web's past, and modern development practices have rendered it obsolete.