Adobe Flash Malware Crushes Almost All Browsers

Flooring Forum - DIY & Professional


Nick

http://api.viglink.com/api/click?fo...ng&txt=https://www.yahoo.co...-183245651.html

Security researchers find, report and patch so many vulnerabilities that it's easy to forget that some flaws slip by them into the wild before anyone notices - with disastrous results. At least one new zero-day exploit of Adobe Flash has already been built into a prominent browser exploit kit, and can successfully attack a variety of Internet browsers on all widely used versions of Windows.

This information comes from Malware Don't Need Coffee, a security blog written by an independent French researcher who goes by the pseudonym Kafeine. While researching the Angler exploit kit, which attempts to infect Web browsers and the computers running them via a wide variety of known security flaws and malware installations, Kafeine discovered that one of Angler's targets is the popular Adobe Flash program.



Flash is a ubiquitous media-playing framework from Adobe that's vital for running many online videos and games. While Flash isn't strictly necessary for a Web browser to function, there's a good chance you've installed it at some point over the years, especially if you watched anything on YouTube in its pre-HTML 5 days. Adobe today (Jan. 22) released an update for Flash Player patching a new flaw, but it wasn't immediately clear if it was the same one being exploited by Angler.

Kafeine tested the Angler kit with Windows XP, Windows 7, Windows 8 and Windows 8.1 running Internet Explorer 10, Internet Explorer 11, Firefox and Chrome in various combinations, and found bad news for almost every combination. The Angler kit successfully compromised Flash and infected the machine on every platform, save for those using Chrome as their browsers.

Kafeine did not provide a clear explanation as to why Chrome was seemingly invulnerable, and its "safe" state may not last. Even as we were writing this piece, Kafeine tweeted further confirmation that fully patched Windows 8.1 running IE 11 was vulnerable.

Avoiding the Angler exploit kit, or any of its fellow browser exploit kits, is not as simple as denying strange downloads or not going to dodgy websites. Because it targets Flash, simply visiting an infected site - and popular, trusted websites get infected often - with Flash enabled is enough to compromise your computer.

Researchers at Malwarebytes discovered that Angler is drafting those infected computers into a botnet and wasting their resources to generate phony ad impressions for shady third parties.


I read on another site that Chrome is also vulnerable.
Adobe says it'll be a few days before a patch is available:

"Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26."

I've disabled it in both Chrome and Firefox for now:
FF, tools/addons/Shockwave Flash/disable.
Chrome, chrome:plugins in address bar/Adobe Flash Player/disable.
 
