GOOGLE'S PROJECT ZERO OUTFIT has aligned itself with Adobe in order to see off the menace that is Flash insecurity.
Project Zero is the team that Google created to find zero day exploits, but according to one of its freshest blog posts that ain't the only game that it is involved in. Sometimes it looks to fix 'em.
"Whilst Project Zero has gained a reputation for vulnerability and exploitation research, that's not all that we do. One of the main reasons we perform this research is to provide data to defenders; and one of the things that defenders can do with this data is to devise exploit mitigations," wrote Mark Brand and Chris Evans, whom Google terms ‘isolators of heap'.
"Sometimes, we'll take on exploit mitigations ourselves. Recently, we've been working with Adobe on Flash mitigations... Now is a good time to check your current Flash version because you really want the latest one."
Researchers from the companies collaborated on mitigation efforts against heap overflow enabled attacks that have found favour among the hacking team and its efforts.
The mitigation efforts will be felt in downloads of Adobe Flash version 188.8.131.52. Since the firms have assembled the Project Zero team will keep digging. This, they said, has just been one step on the road towards Flash security.
"We believe we've contributed a strong step forward in Flash security, but we're very far from finished," is the spine tingling summary of these efforts.
"For every mitigation landed by defenders, attackers will attempt to devise a counter-mitigation. It's a cat-and-mouse-game, but we'll be looking out for attackers' attempts to adapt, and devising further mitigations based on what we see."
Earlier this month Mozilla joined the side of the fence that is pointing at Adobe Flash and suggesting that it should have no security clearance on its software.
There is a short version of this, which is that Mozilla ain't having no auto Flash playing until Adobe fixes current known security flaws.
"All versions of Adobe's Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues," said the firm.
There is a long version, which is that Flash is particularly unpopular at the moment. Mozilla's stance is that hackers exploit the software for personal gain and that it is not about to enable such actions.
"Some websites use Adobe Flash to display content. However, attackers can also use the security flaws in Flash to run malicious software on your computer and gain access to your system," the firm said.
"One way to protect yourself is by disabling or removing Flash but, if your trusted websites require Flash, you can change your plugin settings so that Flash runs only when you click to activate it.”
Mozilla is onto something here. Earlier this week, Facebook chief security officer Alex Stamos used his personal Twitter account to suggest that the industry should pick a day and give up the use of Adobe Flash once and for all.
The suggestion does not come from nowhere. Adobe's Flash has a chequered past and is often held up as something of an annoyance or problem for internet users.
It is, of course, well entrenched in the hearts and minds of websites and website development.
Stamos' suggestion follows the news that the controversial Hacking Team company exploited the software for their gain. It is possible that he has been sitting on this idea for some time.
He said that the time has come to retire the software, suggesting that a date be set and that everyone backs it.
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.— Alex Stamos (@alexstamos) July 12, 2015
He followed this up by saying that it might take 18 months, but is the "only way" to regroup and upgrade the web.
Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.— Alex Stamos (@alexstamos) July 12, 2015
The Flash vulnerability was disclosed as a result of the Hacking Team data breach when attackers uncovered internal emails, files and source code, dumping 400GB of the files online for everyone to see.
After an Adobe Flash player zero-day was disclosed from the leaked data, Trend Micro discovered yet another flaw, assigned with CVE number CVE-2015-5123, rated as critical.
Adobe released a security advisory after Trend Micro reported the zero-day identified in Flash Player 184.108.40.206 and earlier versions for Windows, Macintosh and Linux.
The firm warned that successful exploitation of the flaw could cause a crash and "potentially allow an attacker to take control of the affected system".
The first zero-day vulnerability exposed in the data leak integrated into an exploit kit called Neutrino that was being used by cyber crooks to target Adobe Flash Player users.
At the time, security firm Malwarebytes warned that Flash Player versions up to 220.127.116.11 are vulnerable.
The Neutrino exploit kit was reported as "one of the fastest documented cases of an immediate weaponisation in the wild" thanks to the detailed instructions left in Hacking Team's data.
"We first discovered the Flash zero-day hit at 3PM PT and we believe it is the same as the one revealed in the Hacking Team hack," said Malwarebytes senior security researcher Jérôme Segura in a blog post.
Adobe acknowledged the CVE-2015-5119 flaw, and issued a patch, urging customers to update the software as soon as possible.
Hacking Team sells malware and spyware technology to governments and law enforcement and intelligence agencies, and was hit by the large-scale security breach on Monday by hackers whose identities are unknown.
The attackers took over Hacking Team's Twitter page and posted links to a torrent file comprising more than 400GB of the company's data for anyone to download.
Last weak, it was revealed that the hack was a result of weak passwords, with the firm's root passwords for its servers being useless for their purpose.
For example, one of the root passwords was simply 'P4ssword', which would've taken any experienced hacker just minutes to crack.
Other passwords grabbed from Hacking Team founder Christian Pozzi included 'wolverine' and 'universo', and other variations of dictionary words like 'Passw0rd'.
Up until the breach, Hacking Team's customers had never been formally disclosed. On Tuesday, it became clear from the leaked data that the FBI was even a client of Hacking Team.
While it had been rumoured for quite some time, it was confirmed that the FBI purchased services from the Italian company after hackers exposed corporate data revealing internal files including several spreadsheets giving evidence of transactions with the FBI.
Another controversial aspect in Hacking Team's past is that it was accused of selling spyware and targeted surveillance malware to Sudan. The company denied this at the time, but the leaked data suggests otherwise.
One file shows how the company instructed the Sudanese government to pay €480,000 by wire transfer for systems that were used to access a subject's personal information.
Hacking Team was founded in 2003 and focuses on offensive security. The company was the first to propose an offensive solution for cyber investigations in 2004, and is believed to have gained venture backing in 2007.
However, Reporters Without Borders lists the firm as "an enemy of the internet", mainly owing to products such as the DaVinci remote control software.
DaVinci is commonly viewed as 'legal malware' by the security industry owing to its ability to break encryption and allow law enforcement agencies to monitor files and emails and other digital communication.
"It allows identification of the target's location and relationships. It can also remotely activate microphones and cameras on a computer, and works worldwide," Reporters Without Borders' description reads.
This notoriety is perhaps one of the reasons behind the attack. Hacking Team's methods have been called into question in the past over deliveries to Morocco and the United Arab Emirates, so the firm is likely to have many enemies.
Hacking Team's Twitter page was still under the control of the hackers at the time of publication.
Hacking Team is yet to release a statement regarding the breach but the firm's senior system and security engineer, Christian Pozzi, confirmed the hack in a tweet shortly before he deleted his Twitter profile.
The company said only that it is currently working with the police and cannot officially comment on the attack. µ
WLAN down under
All 128GB models now shipping in 'three to four weeks'
Ransomware forced cancellation of 19,000 appointments, new report reveals
Yet chip costs upwards of 60 per cent more than AMD's finest