Adobe Flash Flaw Weaponized in Record Time


A vulnerability in Adobe Flash Player that was patched just last week has been weaponized by cyber-criminals in record time.

Exploitation of a newly patched flaw usually takes a few months, but attackers have managed to incorporate this particular flaw (CVE-2014-0569) into two major exploit kits just seven days after it was patched and made public. Unfortunate victims of those exploit kits subsequently face a multi-pronged journey: the first payload is a file-less malware known as Bedep, which enrolls victims in a botnet. After that, more malware is downloaded, and the victim’s machine is harnessed to send out spam.

The vulnerability had been privately reported to Adobe through the Zero Day Initiative group, giving the firm time to fix the issue before it became known to the world. Less than a week later, exploit specialist Kafeine first discovered the addition in the Fiesta exploit kit. A few hours after that, he discovered that the vulnerability was also integrated into another exploit kit, Angler EK, famous for its file-less threat.

“Whether they were given a heads-up, or just have a highly skilled reverse engineer, both scenarios are equally worrisome as it increases the possible window of infection,” explained Jerome Segura, senior security researcher from Malwarebytes Labs, in a soon-to-be published blog post shared with Infosecurity.

“Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. Browsing the net on an unpatched computer is like playing Russian roulette with a handful of loaded guns.”

Typically, security researchers and criminals will be very attentive to such news and skilled reverse engineers will start looking at the patch to be able to reconstruct the exploit. Normally, there is a certain amount of time before a proof of concept is released, and then still more time after that before that PoC is weaponized. In this case, the time frame has been seriously condensed.

“The bad guys are not going to run short of vulnerabilities they can weaponize, and if this happens at a quicker rate than ever before, their success rate will increase,” Segura said. “This leaves end users with very little room for mistakes, such as failing to diligently apply security patches sooner rather than later.”

It is crucial to patch any system running outdated Flash Player versions as soon as possible.
