SpiderLabs Blog

A New Zero-Day of Adobe Flash is used by the Prevalent Angler Exploit Kit in the Wild

Written by | Jan 22, 2015 9:37:00 AM

Just yesterday, security researcher Kafeine discovered a zero-day vulnerability in Adobe Flash Player version 16.0.0.257. The zero-day is delivered by the prevalent Angler exploit kit and potentially attacking a large number of users. Because the attack exploits Adobe Flash, the malicious code will successfully execute in various browsers.

Here's a screen shot of Fiddler showing the execution of the attack:

Here is the detailed execution flow:

1. The user's browser accesses the Angler exploit kit's landing page hosted at http://s0-349u3hsdfkhs.bxoipoqlytera.in (#7). This host was specifically set up to serve this exploit kit.

2. Angler delivers the Flash zero-day (#8). Notice that the browser's Flash plugin is patched and runs the latest version (16.0.0.257).

3. The zero day successfully infects the machine (#9).

Our Secure Web Gateway blocks access to various exploit kits including Angler and therefore already protects from this attack out of the box. No further update is required.

Thanks to Kafeine for sharing this discovery with the security industry.

Thanks to Arseny Levin for his help with this blogpost.