2015-01-16 - 0day

CVE-2015-0310 [Not ! CVE-2014-9162/CVE-2014-9163] (Flash 15.0.0.242 and below) integrating Exploit Kits




[[ERRATUM - 2015-01-22]]
I couldn't write about it earlier but this is not CVE-2014-9162/9163.
It's CVE-2015-0310 which was an unpatched bug in Flash Player but as coder were not aware it seems (not fired to Flash > 15.0.0.242) this post was leaved untouched.
The CVE has been fixed the 2015-01-22 with Flash 16.0.0.287
http://helpx.adobe.com/security/products/flash-player/apsb15-02.html
[[ERRATUM]]

CVE-2014-9162 and CVE-2014-9163 were patched on 2014-12-09. They are affecting Flash Player 15.0.0.242 and below.

Angler EK :
2015-01-15 <- It seems.
Angler EK was really rare those days (since december). I saw many delivery path migrating to Nuclear, Neutrino or Sweet Orange. The Flash exploit did not rotate between 2014-12-24 and yesterday (when it's usually rotating every 3-4 days). It seems they are now back from vacation with a new exploit which have been identified as a combination of CVE-2014-9162 and CVE-2014-9163 by [REDACTED - mistake happen]

CVE-2014-9162/CVE-2014-9163 successfully exploited by Angler EK on Flash 15.0.0.223
2015-01-16


Landing after first pass of debofuscation : http://pastebin.com/KPasYHkY
(nothing specific to that CVE here)

Sample:  eeb243bb918464dedc29a6a36a25a638
Another one spotted by EKWatcher yesterday : eba97461a4ebda24c5183f66b810ea7e
And a fiddler pushed to VT.

That's all for now !

Post publication Reading :
Understanding CVE-2015-0310 Flash vulnerability 2015-02-20 HiddenCodes