Researchers at Malwarebytes, an anti-malware software vendor, uncovered a
large-scale attack against Yahoo users through Yahoo’s own advertising
network. Malwarebytes notified Yahoo about it and the “malvertising”
campaign is no longer in progress.
The attack was possible due to Flash vulnerabilities in unpatched versions
of Flash, perhaps even the same vulnerabilities that got Mozilla to block Flash by default
in its browser for a few days until Adobe released the patch. Not all
Flash users have updated to the latest version, though, which means they
are still vulnerable to these highly dangerous security holes.
Yahoo owns large Web properties with an estimated 6.9 billion visits per
month in total, according to data from SimilarWeb, which means even if a
small percentage of those visits resulted in malware installation on
the users’ PCs, it could still affect millions of people.
Malvertising is particularly dangerous because it requires no action from the user,
and it can download and install itself automatically on the user’s PC
(assuming the user is on a Standard account and not an Administrator
one, and the User Account Control protection is weak enough to be
bypassed, or the malware makes use of native privilege escalation
zero-days).
The malware can even install “ransomware” on users’ computers and lock their files till the customers pay the criminals.
Recently, Flash has been in the news a lot, with even Facebook saying it might hurt their business. Apple and Twitch have already ditched Flash. Users are advised to either update their version of Flash or disable it completely.
Kowsik Guruswamy, CTO for Menlo Security, has a few pointers for how to protect yourself against this type of malware.
1. Disable Flash on your endpoints. This can be like cutting off
your fingers to avoid getting splinters, but if the splinters are bad
enough, maybe it’s what you need to do.
2. Isolate your Web traffic so that malicious content never reaches
your endpoint. The Menlo Security Isolation Platform does that.
3. Continue browsing the Web with Flash enabled and hope you dodge the inevitable bullet.
