SandBlast Protects Against Flash Zero-Day Vulnerability

In recent days, a critical Adobe Flash zero-day vulnerability has been discovered to be exploited in the wild. Attacks are reportedly being distributed by embedding malicious Flash objects into Microsoft Excel documents. Once infected, it allows the responsible hacking group to take full control of infected machines. When the Flash object is triggered, it installs ROKRAT, a remote administration tool.


Adobe is planning to address this vulnerability and release a patch in the week starting February 5th.


Fortunately, Check Point SandBlast customers are already protected with multilayer protection that effectively blocks the zero-day attack both on the network and endpoint. SandBlast is able to detect and prevent the attack without relying on signatures and without any prior knowledge of the vulnerability.


While SandBlast customers are protected, other organizations remain at risk until an Adobe patch is released and the patch is applied to all endpoints.


How Does SandBlast Protect You?

SandBlast, Check Point’s multilayered security technology, provides protection against advanced and zero-day cyber threats.


The following SandBlast technologies prevent this attack:

  • Threat Extraction
    Threat Extraction technology provides real-time content sanitization for documents. As part of the document cleaning functionality, Threat Extraction removes embedded Adobe Flash from documents and Excel spreadsheets. Thus, the Excel spreadsheets used in this attack are delivered to users without the embedded malicious Flash.


  • Threat Emulation
    Threat Emulation is our advanced, evasion-resistant sandbox technology. It has been successfully detecting and blocking all variants of this attack with the aid of our unique
    Push Forward technology. Push Forward detects highly evasive and zero-day exploits in Adobe Flash by dynamically driving Flash execution in order to trigger and detect concealed exploitation attempts. This unique ability is designed to detect and block highly evasive and zero-day Flash attacks, which would evade conventional sandbox solutions.


  • Anti-Exploit
    Anti-Exploit detects runtime program exploitation attempts on endpoints. It blocks the Flash exploitation in this attack, preventing malicious code from running.


Each of these three protections is able to independently prevent this attack without relying on signatures.


Threat Extraction and Threat Emulation are available both as a network protection and as an endpoint protection. Anti-Exploit is exclusive to our advanced endpoint protection.


In addition, now that signatures are available, we have also released an IPS protection.


Wasn’t Flash Supposed to Be Dead?

Well, not exactly. There has been a great deal of industry conversation around eradicating Adobe Flash and removing it from all web browsers. Unfortunately, it’s a long road and we’re not quite there yet.  As others have noted, Flash is here to stay for a few more years and as long as users have Flash installed, they remain vulnerable and attackers know this.


Malicious Flash continues to be used extensively by threat actors, primarily through exploit kits, in attempts to compromise end-user systems. In December 2017 alone, Check Point’s Threat Emulation cloud service detected over 25,000 unique malicious Flash objects being served to web users.


With Flash attacks still raging and Flash zero-days exploited in the wild, it is crucial you have a solution in place which will prevent the next Flash zero-day attack.