Adobe Patches Zero-Day Flaw in Flash Player

Adobe Systems fixed a critical vulnerability in Flash Player that was publicly disclosed by a researcher earlier this month.

The vulnerability, tracked as CVE-2018-15981, is a type confusion issue that can lead to arbitrary code execution. It was fixed in Flash Player 31.0.0.153 for all platforms and browsers.

Adobe didn’t credit anyone with finding the vulnerability in its advisory, but mentioned that technical details about the flaw are already public.

It turns out the flaw was discovered by an Israeli security researcher named Gil Dabah, who disclosed it as a zero-day on his blog Nov. 13, SecurityWeek reports.

“The interpreter code of the Action Script Virtual Machine (AVM) does not reset a with-scope pointer when an exception is caught, leading later to a type confusion bug, and eventually to a remote code execution,” the researcher wrote in his blog post at the time.

Two days later he thanked the Adobe security team on Twitter for reaching out to him and starting work on a fix. The patch was finally released Tuesday, Nov. 20.

Mirai Targets Linux Servers Running Hadoop

Security researchers have spotted new versions of the Mirai malware compiled for the x86 platform that attempt to exploit a known vulnerability in Hadoop YARN.

Hadoop is a distributed processing framework for big data applications and YARN is its resource management layer. The YARN remote code execution vulnerability was discovered in March and allows attackers to execute arbitrary shell commands on a server.

Before these new versions of Mirai, at least two other botnets—DemonBot and Sora—also took advantage of this vulnerability to spread.

“These versions of Mirai behave much like the original but are tailored to run on Linux servers and not underpowered IoT devices,” researchers from Netscout’s ASERT team said in a report. “While ASERT has previously published observations of Windows Mirai, this is the first time we’ve seen non-IoT Mirai in the wild.”

One of the new Mirai variants calls itself VPNFilter, but has nothing to do with the more sophisticated VPNFilter IoT malware that infected more than 500,000 routers and network-attached storage devices from around the world. Like other Mirai variants, once deployed, this new version starts scanning IP addresses for Telnet access and attempts to brute-force login credentials.

While the strength of IoT botnets is in the number of infected devices, Linux servers that run in data centers are much more appealing targets to hackers. That’s because they have better computing resources and bandwidth and can be used for cryptomining and powerful distributed denial-of-service attacks.

Magecart Groups are Fighting Through Infected Websites

Security researchers have observed one group of attackers using the Magecart card-skimming code hijack an infection planted by another group that uses a similar script.

The last few months have seen a rise in the number of attacks in which hackers infect the checkout pages of e-commerce websites with code designed to steal payment card information. The most prolific of these web-based skimmers is called Magecart and is used by multiple groups.

However, it seems that there’s some competition going on between them, as researchers have recently observed a Magecart skimmer on the Umbro Brasil website messing with the data collection of another Magecart skimmer that was already present on the site.

The second skimmer was not designed to detect and remove the existing skimmer, but to actually intercept the credit card numbers collected by it and replace the last digits with random ones. The goal was likely to discredit the first group on the underground markets where the stolen data was being put up for sale.

“By tampering with the data, the second skimmer can send an invalid but almost correct credit card number to the competing skimmer,” Jérôme Segura, a researcher with Malwarebytes, said in a blog post. “Because only a small part of it was changed, it will most likely pass validation tests and go on sale on black markets. Buyers will eventually realize their purchased credit cards are not working and will not trust that seller again.”
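The "validation tests" Segura refers to are checks such as the Luhn algorithm that every card number must satisfy. The snippet below is an added illustration, not code from Malwarebytes or from either skimmer: it implements a Luhn check and counts how many ways of replacing the last k digits of a number still pass it. The card numbers used are constructed test values, not real accounts.

```python
"""Luhn validation of payment card numbers, and how last-digit tampering
fares against it.

Added illustration; not code from Malwarebytes or the skimmers discussed.
The numbers below are constructed test values.
"""
from itertools import product


def luhn_valid(number: str) -> bool:
    """Return True if `number` (digits, spaces allowed) passes the Luhn check."""
    stripped = number.replace(" ", "")
    if not stripped.isdigit() or len(stripped) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(stripped)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def surviving_tamperings(number: str, k: int) -> int:
    """Count the 10**k possible replacements of the last k digits (the original
    included) that still pass Luhn. Exactly one check digit fits any prefix,
    so the answer is always 10**(k-1)."""
    digits = number.replace(" ", "")
    prefix = digits[:-k]
    return sum(
        luhn_valid(prefix + "".join(tail))
        for tail in product("0123456789", repeat=k)
    )


if __name__ == "__main__":
    test_number = "4111 1111 1111 1111"   # well-known test value, constructed
    print("original valid:", luhn_valid(test_number))
    for k in (1, 2, 3):
        print(f"replace last {k} digit(s): {surviving_tamperings(test_number, k)} "
              f"of {10 ** k} variants still pass Luhn")
```

Only one in ten random replacements of the trailing digits survives the Luhn check, so a buyer or marketplace that runs it rejects most tampered numbers outright; the rest, and any numbers validated only by length and prefix, look genuine until a charge is attempted, which is the failure mode Segura describes.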

— Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

