Endpoint Protection

An unconfirmed Adobe Flash Player zero-day vulnerability was discovered yesterday by security researcher Kafeine. The zero-day bug is reported to affect the latest versions of Adobe Flash Player and has been seen in some versions of the Angler exploit kit. Initial reports indicate that Internet Explorer versions 6 to 10 running on Windows XP, Windows 7, and Windows 8 are affected. Fully patched versions of Windows 8.1 and Google Chrome browsers appear to be unaffected.

Symantec regards this vulnerability as critical because Adobe Flash Player is widely used and the flaw allows an attacker to effectively compromise a computer, which then allows for the unauthorized installation of malware.

Adobe has not confirmed the existence of this vulnerability, and has not issued a security advisory.  

Prior to its disclosure, Symantec products were already blocking the versions of the Angler exploit kit known to be attempting to exploit this vulnerability, with the following Intrusion Prevention signatures:

• Web Attack: Angler Exploit Kit Website 15
• Web Attack: Angler Exploit Kit Website 6

Analysis of the exploit has also found that the Flash file being used in the attack is detected by Symantec products as Trojan.Swifi.

Figure. Detections of attempts to exploit unconfirmed Flash vulnerability from January 19 to 21, 2015

Mitigation
Users of Internet Explorer versions 10 and 11 who are concerned about this issue can temporarily disable Adobe Flash by taking the following steps:

1. Open Internet Explorer
2. Click on the “Tools” menu, and then click “Manage add-ons”
3. Under “Show”, select “All add-ons”
4. Select “Shockwave Flash Object” and then click on the disable button

You can re-enable Adobe Flash by repeating the same process, selecting “Shockwave Flash Object” and then clicking on the disable button.

Guidance for users of earlier versions of Internet Explorer is available on Microsoft's website. Select the version of Internet Explorer you are using in the top right corner.

Symantec and Norton protection
Symantec and Norton products have the following detections in place to protect against instances of the Angler exploit kit attempting to take advantage of this unconfirmed vulnerability:

Antivirus

• Trojan.Swifi

Intrusion prevention system

• Web Attack: Angler Exploit Kit Website 15
• Web Attack: Angler Exploit Kit Website 6

Additionally, Symantec and Norton products detect other instances of the Angler exploit kit with the following intrusion prevent signatures:

• Web Attack: Angler Exploit Kit Website 12
• Web Attack: Angler Exploit Kit Website 9
• Web Attack: Angler Exploit kit Flash Download 3
• Web Attack: Angler Exploit Kit Website 8
• Web Attack: Angler Exploit Kit Website 7
• Web Attack: Angler Exploit Kit Silverlight Exploit
• Web Attack: Angler Exploit kit Flash Download 2
• Web Attack: Angler Exploit kit Flash Download
• Web Attack: Angler Exploit Kit Website 2
• Web Attack: Angler Exploit Kit Website

Update – January 23, 2015:
Adobe has confirmed the existence of the Adobe Flash Player Unspecified Security Vulnerability (CVE-2015-0311). The company said that it expects a patch to be issued next week.