On January 22, 2015, Adobe confirmed a zero-day vulnerability affecting Adobe Flash Player 16.0.0.287 and assigned it CVE-2015-0311. This is the classic zero-day scenario: exploitation in the wild before any vendor patch was available. In this post we explain how Palo Alto Networks Traps blocks exploitation of this vulnerability.
Let's start with brief background on the security implications of CVE-2015-0311. Successful exploitation could let an attacker compromise data security, potentially gaining access to confidential data, or hijack processing resources on the user's computer. Any version of Internet Explorer or Firefox, on any version of Windows with Flash Player 16.0.0.287 or earlier installed and enabled, is exposed.
Following the disclosure, several security companies reported attacks using this zero day in the wild, along with a considerable surge in Angler exploit kit (EK) activity, mainly in the United States.
Zero days such as CVE-2015-0311 illustrate why signature-based solutions are a dead end against the current advanced threat landscape: prior knowledge is of no use against an attack that is, by definition, unknown. Relying on vendor patching is also insufficient, from both a security and an operational perspective: large enterprises do not easily pause company-wide IT activity for mass updates.
Traps Advanced Endpoint Protection is designed to proactively block attacks targeting endpoints, including unknown zero-day exploits. Traps automatically detects and blocks the core set of techniques that every attacker must link together in order to accomplish exploitation. Because of the chain-like nature of an exploit, preventing just one technique in that chain is all that is needed in order to block the entire attack even before a payload is dropped.
The exploitation of CVE-2015-0311 is no different from other exploits in the essential phases it needs to go through, and Traps blocks it.
To illustrate how, consider the common exploitation pattern. First come preparation steps intended to expand the attack surface in the victim machine's memory (heap spraying is the classic example). Next, the exploit attempts to seize a portion of memory and circumvent the standard protection mechanisms (such as DEP and ASLR). Having accomplished these stages, it still needs to reach certain OS functions to obtain the resources required for malicious activity. Only when all of these steps succeed can the attacker run code on the victim's machine.
Attackers have several techniques for each of these stages, and obstructing any one stage terminates the exploitation. Obstructing every core technique at every stage creates a multilayered defense that proactively prevents an exploitation attempt from maturing into an ongoing attack.
Moreover, such a defense succeeds regardless of the CVE in play and without prior knowledge of the specific exploit, because it relies on obstructing the core techniques that memory-corruption exploits share.
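As an added illustration of the first stage described above (this is not code from the original post and not Traps' detection logic), the following Python heuristic flags a heap spray in a constructed allocation trace. It assumes a hypothetical allocation hook that records each heap block's size and initial contents; the thresholds are assumptions chosen for the example. Blocks whose content is almost entirely a short repeating unit (a NOP-style sled), allocated many times at one size until they dominate the heap, are reported; zero-filled pages and same-size blocks with distinct contents, which resemble a spray only by size, are left alone.

```python
"""Heap-spray heuristic over a constructed allocation trace (illustrative example).

Input: a list of (size, content) tuples, one per heap allocation, as a hypothetical
allocation hook might record them. Constructed data, not real telemetry.
"""
from collections import defaultdict
import hashlib

# Thresholds are illustrative assumptions, not published product settings.
SPRAY_MIN_BLOCKS = 32        # blocks of one (size, sled unit) shape needed to count as a spray
SPRAY_SLED_FRACTION = 0.9    # at least this much of each block must be a repeating sled
SPRAY_HEAP_FRACTION = 0.5    # the spray must occupy this fraction of all allocated bytes
BLOCK = 0x1000               # block size used by the constructed traces below


def periodic_prefix_len(data: bytes, n: int) -> int:
    """Length of the longest prefix of `data` with period n (data[i] == data[i + n]).

    Compares data against itself shifted by n as big integers so the scan runs in C.
    """
    if len(data) <= n:
        return len(data)
    diff = int.from_bytes(data[:-n], "big") ^ int.from_bytes(data[n:], "big")
    if diff == 0:
        return len(data)
    compared = len(data) - n
    first_mismatch = compared - (diff.bit_length() + 7) // 8   # index i with data[i] != data[i+n]
    return first_mismatch + n


def sled_fraction(data: bytes, max_unit: int = 4) -> float:
    """Fraction of the block that is a leading sled built from a unit of 1..max_unit bytes."""
    if not data:
        return 0.0
    return max(periodic_prefix_len(data, n) for n in range(1, max_unit + 1)) / len(data)


def detect_heap_spray(trace):
    """Return a summary dict if the trace looks like a heap spray, else None."""
    total = sum(size for size, _ in trace)
    if total == 0:
        return None
    spray_bytes = defaultdict(int)     # (size, sled unit) -> bytes allocated in that shape
    spray_blocks = defaultdict(int)    # (size, sled unit) -> number of such blocks
    for size, data in trace:
        if data.count(0) == len(data):         # zero-filled (calloc-style) pages are not a sled
            continue
        if sled_fraction(data) < SPRAY_SLED_FRACTION:
            continue
        key = (size, data[:4])
        spray_bytes[key] += size
        spray_blocks[key] += 1
    for key, nbytes in spray_bytes.items():
        if spray_blocks[key] >= SPRAY_MIN_BLOCKS and nbytes / total >= SPRAY_HEAP_FRACTION:
            return {"blocks": spray_blocks[key], "block_size": key[0],
                    "sled_unit": key[1], "heap_fraction": round(nbytes / total, 3)}
    return None


def _distinct_block(i: int) -> bytes:
    """Deterministic non-repetitive filler standing in for ordinary data (constructed)."""
    out = b""
    while len(out) < BLOCK:
        out += hashlib.sha256(f"{i}:{len(out)}".encode()).digest()
    return out[:BLOCK]


def benign_trace():
    """64 zero-filled pages plus 64 pages of distinct data: same sizes, no sled."""
    return ([(BLOCK, b"\x00" * BLOCK) for _ in range(64)]
            + [(BLOCK, _distinct_block(i)) for i in range(64)])


def spray_trace():
    """Classic spray shape: a 0x0c0c0c0c sled filling each block, plus a 64-byte tail
    standing in for the payload (constructed bytes, not shellcode)."""
    tail = bytes(range(64))
    block = b"\x0c\x0c\x0c\x0c" * ((BLOCK - 64) // 4) + tail
    return benign_trace()[:16] + [(BLOCK, block) for _ in range(192)]


if __name__ == "__main__":
    print("benign:", detect_heap_spray(benign_trace()))
    print("spray: ", detect_heap_spray(spray_trace()))
```

The zero-page exclusion matters: a freshly zeroed buffer has a perfect "sled" of 0x00 bytes, so a heuristic that only measures repetition would flag every large calloc. Real-world detectors refine this further (for example by checking whether the repeated bytes disassemble to valid instructions), but the structure is the same: characterize the preparation stage and stop the chain there, before any later stage runs.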
Applying this defense paradigm to CVE-2015-0311 shows that, despite being a zero day and supposedly an unknown attack vector, it is blocked by Palo Alto Networks Traps. Traps blocks the exploit's attempts to write to memory and to access OS functions; either block alone is sufficient to prevent the attack. Being a zero day rather than a known exploit poses no additional challenge to Traps.
Traps users are exempt from emergency patching, and from the worry that an unknown attacker is crawling undetected through their endpoints. In fact, Traps users were protected from CVE-2015-0311 before the vulnerability was even discovered.
Learn more about Advanced Endpoint Protection here.