Security researchers find, report and patch so many vulnerabilities that it's easy to forget that some flaws slip by them into the wild before anyone notices — with disastrous results. At least one new zero-day exploit of Adobe Flash has already been built into a prominent browser exploit kit, and can successfully attack a variety of Internet browsers on all widely used versions of Windows.
This information comes from Malware Don't Need Coffee, a security blog written by an independent French researcher who goes by the pseudonym Kafeine. While researching the Angler exploit kit, which attempts to infect Web browsers and the computers running them via a wide variety of known security flaws and malware installations, Kafeine discovered that one of Angler's targets is the popular Adobe Flash program.
Flash is a ubiquitous media-playing framework from Adobe that's vital for running many online videos and games. While Flash isn't not strictly necessary for a Web browser to function, there's a good chance you've installed it at some point over the years, especially if you watched anything on YouTube in its pre-HTML 5 days. Adobe today (Jan. 22) released an update for Flash Player patching a new flaw, but it wasn't immediately clear if it was the same one being exploited by Angler.
Kafeine tested the Angler kit with Windows XP, Windows 7, Windows 8 and Windows 8.1 running Internet Explorer 10, Internet Explorer 11, Firefox and Chrome in various combinations, and found bad news for almost every combination. The Angler kit successfully compromised Flash and infected the machine on every platform, save for those using Chrome as their browsers.
Kafeine did not provide a clear explanation as to why Chrome was seemingly invulnerable, and its "safe" state may not last. Even as we were writing this piece, Kafeine tweeted further confirmation that fully patched Windows 8.1 running IE 11 was vulnerable.
Avoiding the Angler exploit kit, or any of its fellow browser exploit kits, is not as simple as denying strange downloads or not going to dodgy websites. Because it targets Flash, simply visiting an infected site — and popular, trusted websites get infected often — with Flash enabled is enough to compromise your computer.
Researchers at Malwarebytes discovered that Angler is drafting those infected computers into a botnet and wasting their resources to generate phony ad impressions for shady third parties.
Users have two options to avoid Angler: First, disable Flash in your Web browser, then make sure that an antivirus program is installed, running and fully up to date. Norton and Malwarebytes have said they are now fully capable of blocking Angler, but other antivirus makers may take a day to catch up.
The process is a bit different depending on your browser, but it's rather easy to turn off Flash in Chrome, Firefox, Internet Explorer and Safari. (Macs are not known to be affected by this particular exploit, but that could change.) As for when you'll be able to turn it back on, Kafeine will probably be the first to know.
- Scariest Security Threats Headed Your Way: Special Report
- Free vs. Paid Antivirus: Avira vs. Bitdefender
- Mobile Security Guide: Everything You Need to Know