It seems as if we are caught in a flash zero-day storm. It has not yet been two weeks from the disclosure of CVE-2015-0311 and we are already informed that there is yet another attack flying under the radar of signature-based security solutions.
Similar to its older kinsmen, CVE-2015-0313 was discovered in attacks utilizing the Angler exploit kit. According to security reports, around 3,294 hits related to the exploit were already identified and as is usually the case with zero days, what we see is only the tip of the iceberg.
Standard security measures do not offer sufficient protection. In browsing through various security vendor responses, we see recommendations to disable Flash’s targeted version until a patch will become available or to block the URL which – temporarily – hosts the exploit kit. We might expect that quite soon a signature will be generated to the exploit which – again temporarily – utilizes CVE-2015-0313 to execute malicious code in victim endpoints.
These are all reactive steps. They have limited mitigation value, but they lag behind the attackers. And what’s more, they are reactive to what thus far is a small manifestation of a potentially larger threat. Attackers are evolving and it’s not farfetched to assume that out of the box URLs are standing in line to replace the one which was already tagged as malicious and that the exploit code is being modified right away, emptying the original’s one signature of any value.
This zero-day is yet another example of why advanced attacks need to be addressed in a manner that tackles them at the core and sustains security — regardless of changing factors.
Palo Alto Networks Traps analysis of CVE-2015-0313 reveals that exploits utilizing this vulnerability attempt to bypass standard DEP protection using a ROP chain. Once the ROP is successfully carried out, the exploit tries to access OS functions.
What Traps “sees” in this case is not an unknown threat but an understandable and well-defined pattern. In fact, it quite resembles the one we described in our last zero day post. Obstructing the exploit in these phases breaks the chain and crashes the attack.
Traps has knowledge of the techniques attackers need in each critical stage of exploitation. Possessing that knowledge enables Traps to obstruct them in real time, proactively preventing the exploitation from reaching its goal. The result is that endpoints are completely protected from exploitation trying to make use of zero day CVE-2015-0313.
Installing Traps on your endpoints protects your enterprise from known attacks and zero days alike. Learn more about Advanced Endpoint Protection here.