Time From Patch To Exploit Narrowing For Adobe Flash

====================
Update: 10th January 2017:
For the 2017 Adobe Flash update timeline, please see this blog post. Thank you.

====================

2015 has been a busy year so far for Adobe with regard to the number and severity of Flash Player security vulnerabilities (flaws). This is demonstrated in the timeline below:

=======================
Aside:
What is a Common Vulnerabilities and Exposure (CVE) number?
Throughout this post I mention Common Vulnerabilities and Exposures (CVE) identifiers. These numbers serve as a standardized means of naming/identifying security vulnerabilities. Please note that one CVE does not always correspond to a single flaw. More information on CVE identifiers is available from here.
=======================
2015:
13th January: Adobe releases Flash Player v16.0.0.257 resolving 9 CVEs.

21st January: A zero day flaw (i.e. a flaw that has no update to resolve it and was previously unknown) CVE-2015-0310 was discovered by a well-known French malware researcher known as “Kafeine”.

22nd January: Adobe releases Flash Player v16.0.0.287 to resolve the above flaw.

22nd January: A new zero day flaw CVE-2015-0311 was then being exploited by the same Angler exploit kit.

24th January: Adobe releases Flash Player v16.0.0.296 to resolve CVE-2015-0311.

27th January: Flash Player v16.0.0.296 made available to Google Chrome and Internet Explorer users of Windows 8.0 and 8.1.

2nd February: Another zero day flaw CVE-2015-0313 was discovered being used by the Angler exploit kit.

4th February: Adobe releases Flash Player v16.0.0.305 to resolve CVE-2015-0313 as well as 18 other CVEs.

5th February: Flash Player v16.0.0.305 made available to Google Chrome and Internet Explorer users of Windows 8.0 and 8.1.

12th March: Adobe releases Flash Player v17.0.0.134 resolving 11 CVEs.

19th March: The Nuclear Exploit kit incorporated an exploit for CVE-2015-0336. A day later the Angler Exploit kit did the same.

14th April: Adobe releases Flash Player v17.0.0.169 resolving 22 CVEs. It appears that all 3 flaws discovered in Flash at the Pwn2Own 2015 competition were patched by Adobe in this update.

17th April: The Angler Exploit kit incorporated an exploit for CVE-2015-0359.

12th May: Adobe releases Flash Player v17.0.0.188 resolving 18 CVEs.

26th May: FireEye detects the Angler Exploit kit beginning to exploit CVE-2015-3090.

9th June: Adobe releases Flash Player v18.0.0.160 resolving 14 CVEs.

23rd June: Adobe releases Flash Player v18.0.0.194 resolving 1 CVE already being exploited by an APT group as reported by FireEye.

28th June: The Magnitude Exploit Kit begins to use the recently patched Adobe zero day flaw to install Cryptowall ransomware.

8th July: Adobe releases Flash Player v18.0.0.203 resolving 37 CVEs including an issue already being exploited in the wild by 3 exploit kits.

14th July: Adobe releases Flash Player v18.0.0.209 resolving 2 CVEs. Exploit kits were exploiting these flaws from the 11th of July onwards. In addition, an APT gang known as Darkhotel exploited a Hacking Team zero day flaw that was patched by Adobe in July.

11th August: Adobe releases Flash Player v18.0.0.232 resolving 35 CVEs.

21st September: Adobe releases Flash Player v19.0.0.185 resolving 23 CVEs.

13th October: Adobe releases Flash Player v19.0.0.207 resolving 21 CVEs.

16th October: Adobe releases Flash Player v19.0.0.226 resolving 3 CVEs. One of these, CVE-2015-7645, a zero day vulnerability, was being exploited by malicious hackers known as Pawn Storm in targeted attacks.

10th November: Adobe releases Flash Player v19.0.0.245 resolving 17 CVEs.

8th December: Adobe releases Flash Player v20.0.0.228 resolving 79 CVEs.

28th December: Adobe releases Flash Player v20.0.0.267 resolving 19 CVEs.

=======================
2016:
9th February 2016: Adobe releases Flash Player v20.0.0.306 resolving 22 CVEs.

10th March 2016: Adobe releases Flash Player v21.0.0.182 resolving 23 CVEs.

7th April 2016: Adobe releases Flash Player v21.0.0.213 addressing 24 CVEs.

12th May 2016: Adobe releases Flash Player v21.0.0.242 addressing 25 CVEs.

16th June 2016: Adobe releases Flash Player v22.0.0.192 addressing 36 CVEs.

12th July 2016: Adobe releases Flash Player v22.0.0.209 addressing 52 CVEs.

13th September 2016: Adobe releases Flash Player v23.0.0.162 addressing 29 CVEs. No Flash Player update was made available in August 2016.

11th October 2016: Adobe releases Flash Player v23.0.0.185 addressing 12 CVEs. At this time none of these vulnerabilities are being exploited.

26th October 2016: Adobe releases Flash Player v23.0.0.205 addressing 1 CVE. This was an unscheduled update to patch a zero day (defined) vulnerability that was under attack in the wild.

8th November 2016: Adobe releases Flash Player v23.0.0.207 addressing 9 CVEs. None of these vulnerabilities at this time are being used in attacks.

13th December 2016: Adobe releases Flash Player v24.0.0.186 addressing 17 CVEs. One of these issues is a zero day (defined) that is already under attack against Internet Explorer (32 bit) users.

=======================
Update: 2nd June 2015: The above timeline has been updated to include Adobe’s May Flash player update and the Angler Exploit kit’s response to that patch.

Update: 24th June 2015: The above timeline has been updated to include Adobe’s scheduled June security patch and their out of band Flash player update issued on the 23rd of June due to a zero day flaw.

Update: 29th June 2015: Well-known malware researcher Kafeine has discovered the flaw patched by Adobe only 4 days ago is being exploited by the Magnitude Exploit Kit.

Update: 8th July 2015: The above timeline has been updated to include Adobe’s out of band Flash Player update issued today. It includes fixes for a zero day vulnerability as well as 36 other security vulnerabilities.

Update: 20th July 2015: The above timeline now includes Flash Player updates addressing all 3 of the Hacking Team zero day vulnerabilities.

Update: 12th August 2015: The timeline was updated to add the Adobe Flash Player August security update. The Darkhotel APT gang was added to the final July entry.

Update: 22nd September 2015: The timeline was updated to add the Adobe Flash Player September security update. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 18th October 2015: The timeline was updated to add the Adobe Flash Player updates for October 2015.

Update: 10th November 2015: The timeline was updated to add the Adobe Flash Player updates for November 2015. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 8th December 2015: The timeline was updated to add the Adobe Flash Player updates for December 2015. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 29th December 2015: The timeline was updated to add further Adobe Flash Player updates for December 2015 (originally scheduled for January 2016). At the time of writing limited targeted attacks are exploiting a zero day (defined) vulnerability that these updates address. Please see this more recent blog post for further details.

Update: 13th February 2016:
The timeline was updated to add the Adobe Flash Player updates for February 2016. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 13th March 2016:
The timeline was updated to add the Adobe Flash Player updates for March 2016. The update was delayed from the 8th of March in order to include CVE-2016-1010 which is a zero day (defined) vulnerability already under attack. Further details are available in this Qualys blog post.

The April update addressed a vulnerability that was being leveraged by the Magnitude Exploit kit (defined within this post you are reading) in order to infect devices/systems with ransomware (defined), specifically the Cerber and Locky variants.

The May update addressed 25 CVEs including a zero-day vulnerability (defined) that was being exploited in the wild. Finally, the June 2016 update addressed 36 CVEs including another zero-day vulnerability, this time being used by an APT (Advanced Persistent Threat) (defined) group to attack systems belonging to high profile targets.

Update: 17th June 2016:
The timeline was updated to add the Adobe Flash Player updates for April, May and June 2016. Sorry for not updating this sooner.

Update: 15th September 2016:
The timeline was updated to add the Adobe Flash Player updates for July and September 2016.

Update: 12th October 2016:
The timeline was updated to add the Adobe Flash Player updates for October 2016.

Update: 2nd November 2016:
The timeline was updated to add an emergency Adobe Flash Player update for October 2016. The vulnerability it addresses is now being used in attacks in combination with a local elevation of privilege vulnerability within Windows that is scheduled to be patched on the 8th of November. Further details are available in a more recent post.

Update: 9th November 2016:
The timeline was updated to add the Adobe Flash Player updates for November 2016.

Update: 13th December 2016:
The timeline was updated to add the Adobe Flash Player updates for December 2016.

=======================

Aside 2:
What is an exploit kit?
I have also mentioned the term exploit kits extensively in this post. Exploit kits are packs/kits/sets of exploits that can be purchased on the black/underground market of the internet to be used for delivering malware or any payload of your choice to users with computers/devices that have vulnerable software installed. These exploits usually happen as drive by downloads within your web browser but some exploits may require some user interaction/assistance to compromise your device.

For more information on exploit kits I would recommend viewing this still relevant video from 2011 and this article from Kaspersky.
=======================

It was good news to learn that Flash Player v16.0.0.287, when used with Windows 8.1, incorporated a new security mitigation, Control Flow Guard (CFG), which is built into Windows 8.1 Update (the mitigation was added in November 2014) and is also included with EMET 5.2 and Windows 10 Technical Preview. However, it was quickly bypassed following the publication of an example bypass by Core Security. This bypass was not intended to be used maliciously; it was provided as a proof of concept, but exploit kits now use this technique to their advantage. This, in addition to common evasion techniques such as obfuscation (e.g. encrypting the malware payload with a different key, compressing the malware or simply changing a byte of the exploit's file header), can make these exploits harder to detect and prevent.

From the above information I would recommend that Adobe Flash Player updates are applied as soon as possible after their availability (usually the same day as Microsoft’s security updates on the second Tuesday of each month, 12th May for this month).

I have not encountered a Flash update causing issues with any Flash files, but if you rely on Flash for critical business functions, update a test system to check if it is causing any issues before more widely deploying the Flash updates. Given that exploits are available as quickly as 3 days after the update, it does not leave much time for such testing to take place.
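The patch-to-exploit gap described above can be measured directly from the timeline entries. The following Python is an added example, not part of the original post: the function names are illustrative, the year is assumed to be 2015, and each exploit-kit entry is assumed to target a flaw fixed by the most recent preceding Adobe release.

```python
import re
from datetime import date

# Entries abbreviated from the 2015 timeline on this page.
TIMELINE = """\
21st January: A zero day flaw CVE-2015-0310 was discovered.
22nd January: Adobe releases Flash Player v16.0.0.287 to resolve the above flaw.
2nd February: Another zero day flaw CVE-2015-0313 was discovered.
4th February: Adobe releases Flash Player v16.0.0.305 to resolve CVE-2015-0313.
12th March: Adobe releases Flash Player v17.0.0.134 resolving 11 CVEs.
19th March: The Nuclear Exploit kit incorporated an exploit for CVE-2015-0336.
14th April: Adobe releases Flash Player v17.0.0.169 resolving 22 CVEs.
17th April: The Angler Exploit kit incorporated an exploit for CVE-2015-0359.
12th May: Adobe releases Flash Player v17.0.0.188 resolving 18 CVEs.
26th May: FireEye detects the Angler Exploit kit beginning to exploit CVE-2015-3090.
"""
MONTHS = ("January February March April May June July August "
          "September October November December").split()
ENTRY = re.compile(r"^(\d{1,2})(?:st|nd|rd|th) (\w+): (.*)$", re.M)
CVE = re.compile(r"CVE-\d{4}-\d+")
VERSION = re.compile(r"v(\d+(?:\.\d+){3})")

def parse(text, year=2015):
    """Return (date, kind, ident) tuples; kind is patch, zero-day or exploit."""
    events = []
    for day, month, body in ENTRY.findall(text):
        when = date(year, MONTHS.index(month) + 1, int(day))
        if body.startswith("Adobe releases"):
            events.append((when, "patch", VERSION.search(body).group(1)))
        elif CVE.search(body):
            kind = "zero-day" if "zero day" in body else "exploit"
            events.append((when, kind, CVE.search(body).group()))
    return events

def windows(events):
    """Map CVE -> (fixing version, days from patch to exploit); negative = pre-patch."""
    patches = [(d, v) for d, k, v in events if k == "patch"]
    out = {}
    for when, kind, cve in (e for e in events if e[1] != "patch"):
        if kind == "exploit":   # assumption: fixed by the latest earlier release
            fixed = max(p for p in patches if p[0] <= when)
        else:                   # zero-day: fixed by the first release afterwards
            fixed = min(p for p in patches if p[0] >= when)
        out[cve] = (fixed[1], (when - fixed[0]).days)
    return out

print(windows(parse(TIMELINE)))
```

The smallest positive value in the result is the time available for testing an update before exploit kits catch up; negative values are the days users were exposed before any fix existed.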

In addition, I would also recommend the following to specifically protect from Flash Player exploits:

  1. Keep your web browser up to date.
  2. Consider using an exploit mitigation tool such as HitmanPro.Alert (paid for product), Microsoft EMET (free) or Malwarebytes Anti-Exploit (free or paid for versions).
  3. Try to choose anti-malware software that includes a firewall with Intrusion Prevention (in a corporate environment a web application firewall is preferable).

=======================
Update: 31st January 2016:
Further reference material in relation to the large number of Flash Player vulnerabilities being patched is as follows:

Stop the Flash madness – 5 bugs a week by Michael Horowitz (Computerworld)

When it comes to bugs, the Adobe Flash Players cup runneth over by Michael Horowitz (Computerworld)

Flash has been updated again. Seriously. Really. No joke. by Michael Horowitz (Computerworld)

Moreover, a more recent blog post discusses Adobe’s gradual transition away from Flash Player.
=======================

Thank you.

5 thoughts on “Time From Patch To Exploit Narrowing For Adobe Flash”

    1. JimC_Security Post author

      Hello review,

      I hope that you are well today and thanks for your comment. I’m really glad that your sister will find this post useful. It’s my pleasure to assist. Have a great day.

    1. JimC_Security Post author

      Hello exeter finance glassdoor,

      I hope this message finds you well and thanks very much for your comment. I’m really glad that you found the post useful and I appreciate your kind words. I have added reference links at the end of the post that further discuss the trend of how many vulnerabilities Adobe is resolving within Flash Player. I have also linked to a recent post of mine concerning Adobe’s gradual transition from Flash Player to a newer technology. I hope that these are useful.

      However, if these further resources are not useful or you would like me to discuss other aspects of the number of vulnerabilities patched or to be patched by Adobe, please let me know. I am more than happy / willing to write more on this subject to the best of my ability but can you provide more details/specifics of what aspect I should elaborate more on and what content you would like to read more on?

      Thanks again and have a good day.
