Flash 0-Day Exploit Used by Angler Exploit Kit
SANS Internet Storm Center (ISC) diary

The "Angler" exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly.

However, the blog post referenced below shows that this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 with IE 10) appear to be vulnerable. Windows 8.1 and Google Chrome do not appear to be vulnerable.

This is still a developing story, but typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly. Please refer to the original blog for details.


Johannes B. Ullrich, Ph.D.



4473 Posts
ISC Handler
Jan 21st 2015
Update: "... tested it against the free version of Malwarebytes Anti Exploit* (a product from one of my customers). That stopped it. Well done!..."


34 Posts
I think people could probably try to configure a custom 'out of date activex blocking' policy xml, and distribute it via gpo and or logon scripts and or sccm <insert distro policy> (add flash entries to the xml, disable ms source update dl for it as per kb, distribute xml as per kb (unintended use), enjoy flash for your intranet and trusted sites, while working on a package to revert it when desired)

It's sleep time here, but anyone else want to take a stab?
Mallory Bobalice

28 Posts
Jan 22, 2015 - "... Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users. Firefox is also immune to this threat..."

[Figure: Geographic distribution of users affected by Angler]

34 Posts
PS Hopefully the day 1s in EKs and this 0 day will push ms to add flash to that xml list out of the box ASAP. Not to say 0day EK exploits are the use case for ms

Presumably the chrome pepper flash plugin is harder to exploit (and is possibly partially sandboxed, and if I recall correctly auto updates without chrome having to necessarily)
Mallory Bobalice

28 Posts
Too quick pctech:) re pepper flash in chrome
Mallory Bobalice

28 Posts
PPPS if anyone wants to try the custom xml policy stuff, keep in mind you should in parallel be looking at managing ie and trusted sites via GPO (hopefully as part of the ie10 or 11 scm3 baseline and not using legacy and horrid ieak)
Mallory Bobalice

28 Posts
while on the subject of plugins and plugin management - complementary plug for | DefaultPluginsSetting=3 (click to play) | PluginsAllowedForUrls

>if I recall correctly [Chrome] auto updates [the flash plugin] without chrome having to necessarily

to correct myself, that's probably incorrect (chrome sys update, not just the flash plugin itself)

in any case I digress, given >Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users.
Mallory Bobalice

28 Posts
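Applying the two Chrome policies mentioned in that comment through the HKLM policy registry keys that a GPO would populate, as an added example that is not from the diary or the commenter (the allow-list URL patterns are placeholders, and the script assumes Chrome reads policy from HKLM:\SOFTWARE\Policies\Google\Chrome):

```powershell
# Added example: audit Chrome's plugin policy and switch it to click-to-play,
# allowing plugins to run without a prompt only on an explicit list of sites.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$AllowKey  = Join-Path $PolicyKey 'PluginsAllowedForUrls'
# Placeholder allow-list: only hosts that genuinely need Flash without prompting.
$TrustedPatterns = @('https://intranet.example.invalid', 'https://[*.]corp.example.invalid')

function Get-ChromePluginPolicy {
    # Returns the effective policy: 1 = allow all, 2 = block all, 3 = click to play,
    # $null = not set (Chrome then falls back to the user's own preference).
    $setting = (Get-ItemProperty -Path $PolicyKey -Name DefaultPluginsSetting `
                -ErrorAction SilentlyContinue).DefaultPluginsSetting
    $allowed = @()
    if (Test-Path $AllowKey) {
        # List policies are stored as numbered REG_SZ values "1", "2", ... under a subkey.
        $allowed = (Get-Item $AllowKey).GetValueNames() | Sort-Object { [int]$_ } |
                   ForEach-Object { (Get-ItemProperty -Path $AllowKey -Name $_).$_ }
    }
    [pscustomobject]@{ DefaultPluginsSetting = $setting; AllowedForUrls = $allowed }
}

function Set-ChromeClickToPlay {
    param([string[]]$AllowPatterns = $TrustedPatterns)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # 3 = click to play: plugins such as Flash do not run until the user clicks them.
    New-ItemProperty -Path $PolicyKey -Name DefaultPluginsSetting -PropertyType DWord `
                     -Value 3 -Force | Out-Null
    # Rebuild the allow-list from scratch so stale entries do not linger.
    if (Test-Path $AllowKey) { Remove-Item -Path $AllowKey -Recurse -Force }
    New-Item -Path $AllowKey -Force | Out-Null
    $i = 1
    foreach ($pattern in $AllowPatterns) {
        New-ItemProperty -Path $AllowKey -Name "$i" -PropertyType String -Value $pattern -Force | Out-Null
        $i++
    }
}

# Audit first; remediate only when the default is not already click-to-play.
$before = Get-ChromePluginPolicy
if ($before.DefaultPluginsSetting -ne 3) {
    Write-Host "DefaultPluginsSetting is '$($before.DefaultPluginsSetting)'; setting click-to-play"
    Set-ChromeClickToPlay
}
Get-ChromePluginPolicy | Format-List
```

Run from an elevated PowerShell session; Chrome picks up the registry-backed policy on its next policy refresh, which you can confirm on the chrome://policy page.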
Adobe have released another update for the Free Adobe Flash Player - v16.0.0.287.

The relevant Adobe bulletin can be found at:
h t t p://

I have just updated my main Windows 7 SP1 x64 build laptop today and will run a few tests to see if I get any issues.

4 Posts
Kafeine reports EMET 5.1 blocked the exploit in a superficial, single configuration test:

Windows 8.1 32bits, Internet Explorer 11, Flash

EMET detected StackPivot mitigation and will close the application: iexplore.exe

34 Posts
