PATCH NOW, MAN

December 14, 2016 | J. Gomez

Patch Tuesday has again descended upon us, sending security teams scurrying to update systems and protect users from potential exploitation by the seemingly endless tide of cybercriminals looking to profit or siphon data out of your environment. It goes without saying that if you have not already rolled out these security updates, it is highly advised that you do so now. Also make sure all commercial security solutions are updated with the latest security content to ensure maximum protection against potential attacks.

For full details on the vulnerabilities that have been patched this month, check the respective software vendor security bulletin pages:

Adobe
https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Microsoft
https://technet.microsoft.com/library/security/ms16-dec

Of special note this Patch Tuesday is CVE-2016-7892, a Zero Day affecting Adobe Flash Player running on 32-bit versions of Internet Explorer. It has been deemed “Critical” and has reportedly already been seen in the wild. This means that a malicious Flash file (identified by its .swf extension) containing the exploit can lead to compromise of vulnerable systems. The most likely way for this to occur is by visiting a website hosting the specially crafted Adobe Flash file. Systems running a version of Adobe Flash older than 23.0.0.207 with a 32-bit version of Internet Explorer would most certainly be at risk when visiting such a site.

We do not know of any active campaigns or sites using the exploit at this time, so guidance for now is to patch systems and maintain up-to-date security detections. (And avoid suspicious emails or websites!)

So What Is a Zero Day Again and Why Should You Care?

Zero Days are generally defined as vulnerabilities in software applications that are yet to be disclosed and fixed by the vendor. Exploits (or Zero Day attacks) leverage these vulnerabilities to compromise computer systems, potentially allowing attackers to install additional tools or malware.

These days we may hear about Zero Days being sold on the black market or to nation states for high dollar amounts due to their effectiveness and ability to go undetected during computer intrusions. We have seen breaches in the past leveraging Zero Days to gain a foothold into target environments as well as for mass infection via malware campaigns.

Though they may seem specialized and unlikely to turn up in every environment, keep in mind that Exploit Kits are known to adopt Zero Days into their arsenal. Although we have not seen it happen yet in this case, it would not come as a surprise to see this Zero Day CVE or any of the Microsoft “Critical” (RCE) vulnerabilities implemented by Exploit Kits in the near future.

It’s important to stay on your toes with Zero Day threats as they can be weaponized on a larger scale at any moment, putting your environment at greater risk. Access to Threat Intelligence as campaigns or indicators come to light can help you discover and mitigate threats before they cause widespread damage.

About the Author

Josh Gomez is a Senior Security Researcher with over fifteen years of experience in the networking and security industries. Prior to Anomali, he was a senior member of FireEye Labs, where he specialized in research and detection of exploit kits, malvertising and crimeware campaigns.