Trend Micro is aware of the recently reported unpatched “zero-day” vulnerability affecting versions of Adobe Flash (up to version 16.0.0.287) on Microsoft Windows systems. We have also obtained samples from our Smart Protection Network of malicious SWF files used by the Angler Exploit kit that may be exploiting this vulnerability, currently detected as SWF_ANGZIA.A using Trend Micro’s latest VSAPI and SmartScan pattern files.
Trend Micro’s primary recommendation to users when vulnerabilities such as this one are discovered is to apply the vendor-issued patch as soon as possible; however, Adobe has not yet released an official patch or fix for this issue as of the time of this writing.
Fortunately, Trend Micro has some solutions that already provide protection against this threat:
- The Browser Exploit Prevention (BEP) feature in Trend Micro endpoint solutions (such as Worry-Free Business Security and OfficeScan) blocks the exploit when the URL hosting it is accessed. BEP also protects against other exploits that target browsers or their plugins.
- Domains and URLs associated with the Angler Exploit Kit are already detected and blocked by Trend Micro Web Reputation Services (WRS):
- sdhcnniq33iq3ytrg.nojovoitrwaz.in/ea6gutg5x5
- asdbvgzt3440s834.in
- bidolazot54moosa.in
- nojovoitrwaz.in
- bxoipoqlytera.in
- hdusnzpo2n3.in
- Deep Security, Vulnerability Protection (formerly the IDF plug-in for OfficeScan), and Deep Discovery customers with the latest rules also have an additional layer of protection against this vulnerability. Specifically, Trend Micro has released the following rules and patterns for proactive protection:
- Deep Security rule DSRU15-002;
- Deep Packet Inspection (DPI) rule 1006460 for Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan) customers; and
- The existing Sandbox and Script Analyzer engine that is part of Deep Discovery can also be used to detect this threat, without any engine or pattern update.
- Administrators looking to block Flash can specifically block the affected versions from running, or go further and lock down their endpoints with Endpoint Application Control so that only approved applications and their updates can run. Such a lockdown policy blocks every unapproved application, including any malware that attempts to execute on the endpoint.
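For customers who want to check their own telemetry against this advisory, the following Python script is an added triage example and is not Trend Micro code. It does two things: it decides whether a reported Flash Player build falls within the affected range named above (up to 16.0.0.287, making no claim about which later build is fixed, since no patch existed at the time of writing), and it flags proxy log lines whose requested URL hits the WRS-blocked Angler domains listed above, including their subdomains and the one full-URL indicator. The log lines, client addresses and version strings are constructed for illustration, and the simple space-separated log format (time, client, method, URL, status) is an assumption; adapt the field positions to your proxy's format.

```python
"""Triage helpers for the Flash zero-day advisory above.

Added example, not Trend Micro code. Log lines, client addresses and
version strings below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Last affected Flash Player version named in the advisory. No patch had
# shipped at the time of writing, so this only answers "is it <= 16.0.0.287".
LAST_AFFECTED = "16.0.0.287"

# Domains and the one full URL blocked by WRS, copied from the advisory.
BLOCKED_DOMAINS = {
    "asdbvgzt3440s834.in",
    "bidolazot54moosa.in",
    "nojovoitrwaz.in",
    "bxoipoqlytera.in",
    "hdusnzpo2n3.in",
}
BLOCKED_URLS = {"sdhcnniq33iq3ytrg.nojovoitrwaz.in/ea6gutg5x5"}


def parse_version(text):
    """Turn '16.0.0.287' or the Windows registry form '16,0,0,287' into a
    tuple of ints. Numeric tuples compare correctly ('9.0.0.1' < '16.0.0.287'),
    which a plain string comparison would get wrong."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a Flash version string: %r" % text)
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the installed Flash build is within the advisory's affected range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def host_is_blocked(host):
    """Match the host itself or any subdomain of a blocked domain.
    The dot boundary matters: 'cdn.bxoipoqlytera.in' is blocked,
    a look-alike such as 'notbxoipoqlytera.in' is not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def url_is_blocked(url):
    """Check a requested URL against the domain list and the full-URL IOC."""
    if "://" not in url:
        url = "http://" + url  # bare host/path as it appears in the IOC list
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host_is_blocked(host):
        return True
    return (host + parts.path) in BLOCKED_URLS


# Constructed proxy log lines: "time client method url status" (assumed format).
SAMPLE_LOG = """\
2015-01-22T10:04:11Z 10.0.0.12 GET http://www.example.com/index.html 200
2015-01-22T10:04:13Z 10.0.0.12 GET http://sdhcnniq33iq3ytrg.nojovoitrwaz.in/ea6gutg5x5 200
2015-01-22T10:04:14Z 10.0.0.17 GET http://cdn.bxoipoqlytera.in/player.swf 200
2015-01-22T10:04:15Z 10.0.0.17 GET http://notbxoipoqlytera.in/ 200
2015-01-22T10:04:16Z 10.0.0.21 GET http://hdusnzpo2n3.in:8080/x?id=1 302
"""


def find_hits(log_text):
    """Return (client, url) for every log line whose URL hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; a production parser should count these
        client, url = fields[1], fields[3]
        if url_is_blocked(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for v in ("16,0,0,287", "16.0.0.257", "9.0.0.1", "17.0.0.1"):
        print(v, "affected" if is_affected(v) else "outside affected range")
    for client, url in find_hits(SAMPLE_LOG):
        print("BLOCKED-DOMAIN HIT", client, url)
```

A hit from this script only shows that a client requested a blocked domain, not that the exploit ran; pair it with the endpoint's Flash version (the registry stores it in the comma-separated form the parser accepts) and with the SWF_ANGZIA.A detection to decide whether the host needs a closer look.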
Again, Trend Micro always strongly recommends that critical vendor patches be applied as soon as possible after release. Customers and partners who need additional information or have questions are encouraged to contact their authorized Trend Micro Technical Support representative for further assistance.