Adobe issues emergency (out-of-cycle) Flash Player update
● https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html
● Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign
● In June, FireEye’s FireEye as a Service team in Singapore uncovered a phishing campaign
exploiting an Adobe Flash Player zero-day vulnerability. The attackers’ emails included
links to compromised web servers that served either benign content or a malicious Adobe
Flash Player file that exploits the vulnerability (CVE-2015-3113).
● CVE-2015-3113:
○ Heap-based buffer overflow in Adobe Flash Player before 13.0.0.296 and 14.x
through 18.x before 18.0.0.194 on Windows and OS X and before 11.2.202.468 on
Linux allows remote attackers to execute arbitrary code via unspecified vectors, as
exploited in the wild in June 2015.
● APT3
○ The China-based threat group FireEye tracks as APT3, aka UPS, is responsible for
this exploit and activity. This group is one of the more sophisticated threat groups
that FireEye Threat Intelligence tracks, and they have a history of introducing new
browser-based zero-day exploits (e.g., Internet Explorer, Firefox, and Adobe Flash
Player). After successfully exploiting a target host, this group will quickly dump
credentials, move laterally to additional hosts, and install custom backdoors. APT3’s
command and control (CnC) infrastructure is difficult to track, as there is little
overlap across campaigns.
● Overview
○ In the last several weeks, APT3 actors launched a large-scale phishing campaign
against organizations in the following industries:
■ Aerospace and Defense
■ Construction and Engineering
■ High Tech
■ Telecommunications
■ Transportation
○ Upon clicking the URLs provided in the phishing emails, targets were redirected to a
compromised server hosting JavaScript profiling scripts. Once a target host was
profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV
file, detailed below. This ultimately resulted in a custom backdoor known as
SHOTPUT being delivered to the victim’s system.
● Exploit Details
○ The attack exploits an unpatched vulnerability in the way Adobe Flash Player parses
Flash Video (FLV) files. The exploit uses common vector corruption techniques to
bypass Address Space Layout Randomization (ASLR), and uses Return-Oriented
Programming (ROP) to bypass Data Execution Prevention (DEP). A neat trick to
their ROP technique makes it simpler to exploit and will evade some ROP detection
techniques.
Shellcode is stored in the packed Adobe Flash Player exploit file alongside a key
used for its decryption. The payload is XOR-encoded and hidden inside an image.
The Adobe Flash Player exploit is packed with a simple RC4 packer. The RC4 key
and ciphertext are BinaryData blobs that the packer uses to decrypt the layer 2
Adobe Flash Player file. Once decrypted, layer 2 is executed with loader.loadBytes.
Layer 2 uses a classic Adobe Flash Player Vector corruption technique to develop its
heap corruption vulnerability to a full relative read/write available to ActionScript3.
In this technique, the attacker sprays Adobe Flash Player Vectors to the heap, and
triggers a write vulnerability to change the size of one of the vectors. The attacker
can then perform subsequent reads and writes to memory outside the intended
boundaries of the corrupted Vector object from AS3.
Once the attacker has limited read/write access to memory, they choose to corrupt
a second Vector to increase their access to a range of 0x3FFF FFFF bytes. This
second Vector is used for the remainder of the exploit.
The attackers use a ROP chain to call kernel32!VirtualAlloc to mark their shellcode
as executable before jumping to their shellcode. Instead of writing their ROP chain
to the heap along with their shellcode and payload, they used a different technique.
Usually, exploit developers will corrupt a built-in Adobe Flash Player object such as
a Sound object. Instead, the attackers chose to define their own class in AS3 with a
function that takes a lot of arguments:
    class CustomClass {
        public function victimFunction(arg1:uint, arg2:uint, …, arg80:uint):uint
    }
Then, the attackers can simply overwrite the function pointer with a gadget that
adds to the stack pointer and returns to pivot to ROP.
● Users can check whether their installation of Flash Player is up to date by visiting the
Adobe website; the current latest version is 18.0.0.194.
● https://www.adobe.com/software/
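As an added example (not code from the FireEye post or from these notes), a small Python check that encodes the affected version ranges quoted under CVE-2015-3113 above and flags inventory entries that still need the update; the platform labels, hostnames, builds and inventory record format are assumptions made for this example.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Parse a dotted Flash Player version such as '18.0.0.194' into an int tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

# First fixed build on each branch, as given in the CVE-2015-3113 description.
FIXED_13_BRANCH = (13, 0, 0, 296)   # Windows/OS X, 13.x extended-support branch
FIXED_MAINLINE = (18, 0, 0, 194)    # Windows/OS X, 14.x through 18.x
FIXED_LINUX = (11, 2, 202, 468)     # Linux 11.2 branch

def is_vulnerable(version: str, platform: str) -> bool:
    """True if this build falls inside an affected range for its platform."""
    v = parse_version(version)
    p = platform.lower()
    if p == "linux":
        return v < FIXED_LINUX
    if p in ("windows", "osx", "macos"):
        # Builds up to and including the 13.x branch are fixed at 13.0.0.296;
        # the 14.x-18.x mainline is fixed at 18.0.0.194.
        if v[0] <= 13:
            return v < FIXED_13_BRANCH
        return v < FIXED_MAINLINE
    raise ValueError(f"unknown platform: {platform!r}")

def hosts_needing_update(inventory: List[Dict[str, str]]) -> List[str]:
    """Return hostnames whose reported Flash build is still exposed to CVE-2015-3113."""
    return [h["host"] for h in inventory if is_vulnerable(h["version"], h["platform"])]

# Constructed sample inventory (hostnames and builds are made up for this example).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "windows", "version": "18.0.0.160"},
    {"host": "ws-02", "platform": "windows", "version": "18.0.0.194"},
    {"host": "mac-01", "platform": "osx", "version": "13.0.0.292"},
    {"host": "mac-02", "platform": "osx", "version": "13.0.0.296"},
    {"host": "lx-01", "platform": "linux", "version": "11.2.202.466"},
    {"host": "lx-02", "platform": "linux", "version": "11.2.202.468"},
]

if __name__ == "__main__":
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```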