Flash in 2015 – Exploit Fashion
In exploit development, the majority of the observable community (particularly the exploit kit authors and smash-and-grab APT groups) has longstanding favorite target products for remote exploits, but there is a cycle in which a few of those products are the current favorites at any given time. There can be a number of reasons why the community begins to favor a new target. Sometimes one particularly effective attack surfaces, and other exploit developers realize that the application has a lot of undiscovered bugs, or that exploiting a bug in that application is easier or more reliable than usual. Other times, the existing favorite is hardened, and exploit authors are forced to move to the next best thing.
In the past few years, web exploits had three main targets: Internet Explorer, Java, and Flash. In 2013, the popularity of Java exploits peaked. Bug hunters became really good at finding Java bugs, and corrupting the security manager was a convenient exploitation technique. Multiple exploit campaigns used Java zero-days, and exploit kits (EK) universally adopted these exploits.
In January of 2014, however, Oracle blocked the execution of unsigned applets by default, and exploit authors largely abandoned Java. The change left Internet Explorer and Adobe Flash as the next best targets. Both IE and Flash received attention from exploit developers, but in June of 2014, Microsoft began rolling out heap corruption mitigations for IE, such as an isolated heap and delayed frees. Exploit developers again needed to shift their focus.
There was a lull from late April until October of 2014 during which no high-profile Remote Code Execution (RCE) zero-day exploits were discovered. Following this period, we saw a flurry of creative exploits such as CVE-2014-4114 in Microsoft Office and CVE-2014-4148 in Windows TrueType font handling. All the while, exploit kits began routinely incorporating exploits for recently patched vulnerabilities. In December, a watering hole attack exploited a new zero-day Flash vulnerability (CVE-2014-9163). By the end of the first month of 2015, we saw two more memory corruption vulnerabilities (CVE-2015-0311 and CVE-2015-0313) and one info leak (CVE-2015-0310).
The shift to Flash was not surprising. Of the favorite browser targets, Java and IE both received security mitigations that fundamentally changed the application. For Java, Oracle's change made the platform less attractive to attack, since exploitation now required user interaction (or a new technique to bypass the prompt). For IE, the mitigations broke existing heap corruption techniques. Flash, however, did not change. The established techniques for exploiting bugs in Flash and bypassing ASLR remain valid.