By Peter Pi, Brooks Li and Joseph C. Chen
Following their security advisory last April 5, 2016, Adobe has released an out of band patch today for the vulnerability CVE-2016-1019, which affects Adobe Flash Player. Trend Micro has observed active zero day attacks from the Magnitude Exploit Kit affecting users of Flash 184.108.40.2066 and earlier. These attacks are not effective against users of Flash versions 220.127.116.11 and 18.104.22.168. This is because of a heap mitigation that Adobe introduced in version 22.214.171.124 and is also present in version 126.96.36.199. Users of these versions will only experience a crash in Adobe Flash when attacks attempt to exploit the vulnerability.
All users are highly recommended to immediately update their systems with the latest security fix as this is actively being exploited in the wild. Prior to today’s security fix, we observed the exploit kit already integrating this vulnerability in its arsenal, which leaves systems infected with ransomware.
Based on our analysis, CVE-2016-1019 is a type confusion vulnerability; and while the exploit works on Flash 188.8.131.526 and earlier versions, it will only cause a crash and the exploit will not run on Flash versions 184.108.40.206 and 220.127.116.11 respectively. Adobe has introduced the heap mitigation from 18.104.22.168.
Figure 1. Malicious domains hosting the Magnitude Exploit Kit
Magnitude integrated Adobe Flash zero-day attack; leaves systems infected with Locky ransomware
As early as March 31, 2016, we saw a zero-day attack during this time being included in the code of Magnitude Exploit Kit via our Trend Micro™ Smart Protection Network™ feedback. This then leads to Locky ransomware, a crypto-ransomware that abuses macros in document files to hide its malicious code. This malware reportedly hit the systems of the Methodist Hospital in Kentucky, USA.
Figure 2. Global distribution of Magnitude Exploit Kit traffic (March 31-April 6, 2016)
Security solutions against Adobe Flash zero-day attacks
The attackers behind the Magnitude exploit kit are quick to include this security bug in their list of targeted vulnerabilities. We advise users to update their systems to the latest version of Adobe Flash Player.
Trend Micro protects systems from the risks posed by zero-day attacks via our wide arrayed of solution technologies. The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security blocks browser exploits once the user accesses the URLs these are hosted at.
Our Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.
- 1007572 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2016-1019)
TippingPoint customers will be protected from attacks exploiting this vulnerability with the following MainlineDV filter that will be made avail on April 12:
- 24253: HTTP: Adobe Flash FileReference Type Confusion Vulnerability
We would like to acknowledge Kafeine for working with us to protect our customers.
Updated on April 7, 2016, 10:17 PM (UTC-7)
We updated this entry to revise the malware distributed by Magnitude Exploit Kit.