New Flash zero-day

Topic

New Reply

Catalin Cimpanu at BleepingComputer has a worrisome post. Apparently the South Korean version of CERT, KR-CERT, has found a Flash 0day that’s in the w
[See the full post at: New Flash zero-day]

5 users thanked author for this post.

geekdom, Lori, JDeC, AJNorth, Kirsty

Reply | Quote

Replies

To disable flash on Firefox , Tom’s guide shows one way, I click on “tools” then ” Add On’s”  Also one of the articles mentions you have to manually patch Firefox.  You can set for automatic updates.

 

1 user thanked author for this post.

WildBill

Reply | Quote

It may be worth noting that this vulnerability affects the “current” version of Flash. Even if you updated this month, that won’t give you any help – until a fix is released (that may possibly be a couple of weeks away, as Catalin mentioned).

3 users thanked author for this post.

Lori, JDeC, Laptop Boy

Reply | Quote

With regard to how to turn off Adobe Flash,  Woody’s posting has a link to an article by Tom Wagenseil.  That article appears to be over a year old,  and I think it might be outdated with respect to how to turn off Adobe Flash in the Google Chrome browser.  If you have trouble with the procedure in that article with respect to Chrome,  you might want to go to the following link https://productforums.google.com/forum/#!topic/chrome/1VNwlragY-s   and scroll down to the “Best Answer” on that page to see a more updated procedure for disabling Flash.   At least that’s the procedure that I’ve been using for the past year or so,  whereas in prior years  I used procedure described in the Tom Wagenseil article.

Reply | Quote

I’ve had Flash uninstalled from my PCs for a while now.  It was not that long ago that having no Flash was a serious impediment, but HTML5 has risen to fill the void for the vast majority of sites.  Every now and then I get a link to some site (Vimeo, I think), and it tells me that “[my] technology may be out of date” because I don’t have Flash installed.  You’re pushing Flash videos and I’m the one whose tech is out of date?

Fortunately, by clicking the video and going to the site directly, it then works with HTML5; it just doesn’t work embedded that way.

Flash has never managed to get its act together and become a secure product.   Like Java, it’s just a great big security sieve, and because of that, we’re all better off without it.  If you have no sites that you use that specifically require Flash, I would just remove it; otherwise, in Firefox, you can set the plugin to “Ask to activate” or “Never activate.”  You can always manually turn it on for those few sites that still need it.

For me, the US National Weather Service site is the only one I use regularly that still wants Flash (for the radar animations).  Not really a problem; there are lots of weather sites that provide radar data better than NWS that don’t try to get me to install and use an unsafe plugin.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

1 user thanked author for this post.

SueW

Reply | Quote

I believe that people who stream movies and TV shows from Hulu still need to use flash to do that, and I wonder which other similar services also widely used might be still requiring Flash to watch. There is a general move towards HTML5 these days, but at different stages at different streaming services. There is a similar situation with Java, that is still required by some useful Web sites (I am thinking of some publicly available online government services, such as those of NOAA where one can download USA atmospheric and GPS data).

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

In Firefox, Flash is already set to Ask to Activate by default. It can also be disabled in the Add-ons Manager (Ctrl+Shift+A) > Plugins.

EOL schedule – https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

2 users thanked author for this post.

Charlie, amraybt

Reply | Quote

Attackers Exploiting Unpatched Flaw in Flash
By Brian Krebs | February 2, 2018

 
Adobe said a critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could allow an attacker to take control of the affected system.

The software company warns that an exploit for the flaw is being used in the wild, and that so far the attacks leverage Microsoft Office documents with embedded malicious Flash content. Adobe said it plans to address this vulnerability in a release planned for the week of February 5.

 
Read the full article here, which includes tips on hobbling Flash, like:

“Another, perhaps less elegant, alternative to wholesale kicking Flash to the curb is to keeping it installed in a browser that you don’t normally use, and then only using that browser on sites that require Flash.”

3 users thanked author for this post.

WildBill, walker, Charlie

Reply | Quote

As per Woody’s advice, I’ve turned off Flash in Firefox & IE. However, patching Flash is like patching IE; even if you don’t use it, it’s best to keep it updated. You mentioned “Adobe said it plans to address this vulnerability in a release planned for the week of February 5.” Just letting folks know today, KB4074595 appeared in Windows Update today, labeled “2018-02 Security Update for Adobe Flash Player”, & dated 02/06/18. For Windows 8.1; your numbering & mileage may vary. Is this the fix for the flaw? Even if it is & we are still at MS-DEFCON 3, should we rush to patch before Feb. 13?! Or should we hold off?

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

Reply | Quote

@Wildbill re #165843

The Flash update was released a couple of days ago (see here). I would recommend updating Flash through the Adobe website, as linked in AKB1000002, if you aren’t planning on updating with WU yet.

1 user thanked author for this post.

WildBill

Reply | Quote

Thanks; I’ll probably do it through WU before MS-DEFCON goes back to 2 next week. Later tonight or tomorrow. Just for grins, though, I re-enabled Flash as Ask to Activate, then checked my Flash version for Firefox under Win 8.1. Adobe says it’s current at 28.0.0.161.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

1 user thanked author for this post.

Kirsty

Reply | Quote

So this means that Windows 10 is bad, when Flash is integrated with that os?

One more reason to not go there. So much talk about security for newer and better bloatware windows.

Reply | Quote

@Woody I am wondering why you (only) gave the advice
“If you absolutely must use Flash on a specific site, first write to the site’s owners and complain loudly. Then, figure out which browser you want to use with Flash (I’ve picked Chrome) and only use that browser to go to the bad site”
and not to use a container like Sandboxie to keep yourself safe from Flash (and other) vulnerabilities?

Reply | Quote

… that may be because sandboxing is no bullet-proof solution (I’ve found articles dating back to 2008, describing malware being able to fire in a sandbox, but this one is more current).

Malware like Dridex does not respect a sandbox:

Kirsty wrote:

Malwarebytes article discusses the Word document embedded in a .pdf (Dridex method), giving details of the exploits. It allows sandboxing to be bypassed!

The attack relies on users opening up malicious attachments that will appear legitimate. Many studies have shown that users are often the weakest link in an attack chain and criminals know that too well.

https://blog.malwarebytes.com/cybercrime/2017/04/locky-ransomware-is-back-but-we-already-protect-against-it/

See: On proofpoint.com
and specific to Flash, last August, from threatpost.com

5 users thanked author for this post.

HiFlyer, SueW, walker, Charlie, Elly

Reply | Quote

@Kirsty:  Thank you for the additional information on this problem (2 posts).   I am very much aware of how dangerous these Flash, Adobe, etc. are, and appreciate all of the information you have posted here.   It is very much appreciated.     🙂

1 user thanked author for this post.

Kirsty

Reply | Quote

Adobe Flash is disabled on everything, but this news provides a good reason to uninstall it and never, ever install it again. Fewer moving parts is a good concept.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

Reply | Quote

geekdom wrote:

Adobe Flash is disabled on everything

That’s a broad, global statement that could easily be misunderstood…
As Flash isn’t automatically disabled on everything, it must indicate you have disabled it on “everything” on your system/s 😉 Good on you, @geekdom!

2 users thanked author for this post.

walker, geekdom

Reply | Quote

The thing that bothers me about removing Flash is the archival, preservational aspect of the Internet. There previously were projects that tried to port Flash over to web-standards, but they all seem to have been abandoned.

A huge part of Internet standards is backwards compatibility. Even when things break, we tend to break them in a way that they’re still technically usable. Sure, there are old sites that still use old things like RealPlayer, but you can still ultimately play the files, and even convert them to modern formats that are safer.

But Flash is an outlier. Flash video can be converted, sure. But Flash interactivity cannot. As such, to view older content, I need to run Flash.

I hate that the answer will be to run an older web browser, with fewer security fixes and more trouble. My ideal choice for an answer would be to have all the content archived on something like archive.org, and Flash enabled there, possibly with some sort of security tokens that prevent hackers from modifying the site.

Yes, new content should not be made in Flash. But so much of web history is Flash-based. I hate losing it. And I will fight to try and preserve it however I have to.

2 users thanked author for this post.

SueW, Elly

Reply | Quote

A related topic, discussed last year:
https://www.askwoody.com/forums/topic/would-open-source-flash-player-be-safer/

Reply | Quote

anonymous wrote:

But Flash is an outlier. Flash video can be converted, sure. But Flash interactivity cannot. As such, to view older content, I need to run Flash.

That’s the rub. I haven’t needed Flash or anything Adobe for years, but I know those that will truly miss Flash games. Some people have spent(wasted IMO) hundreds of hours on such games and have progress saved but only on the online websites. Is there any hope?

Reply | Quote

The BBC News Web site is my main source of news (I live in the UK) and it still uses Flash.  But there is no way I am going to take on the BBC over this.

1 user thanked author for this post.

SueW

Reply | Quote

Warning: If you are looking to uninstall the Adobe Flash, it does not uninstall nicely. (The Adobe Acrobat Reader also does not uninstall nicely.)

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

Reply | Quote

@geekdom have you tried the Flash uninstaller, linked in AKB1000002?

For Reader uninstall issues, try this page (Adobe Labs)

1 user thanked author for this post.

geekdom

Reply | Quote

The uninstaller from Adobe was run several times yesterday on another system. The uninstaller from your link was run just now on a different system. In both cases, the uninstaller appears to work just fine. Here is the kicker:

• Make sure to exit Internet Explorer.
• Run uninstaller.
• Manually delete C:\Users\[Name]\AppData\Roaming\Adobe file folder.
• Start Internet Explorer.
• C:\Users\[Name]\AppData\Roaming\Adobe file folder appears again.

The uninstaller has failed to remove some portion of Flash that reactivates each time Internet Explorer is started.

This problem does not appear with Firefox.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

Reply | Quote

I wonder if it relates to the WinOS? I am aware of long-standing issues with uninstalling, for which Adobe have been issuing manual uninstalltion instructions for ages.

Reply | Quote

The link you supplied just now is where I started yesterday. Both computer systems are:

• Windows 7
• 64-bit

I think the uninstaller has failed to clear registry entries.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

1 user thanked author for this post.

Kirsty

Reply | Quote

While not being 100% similarity to your problem, there may be some suggestion/s in this answers.microsoft.com response that helps, i.e. being logged on as administrator?

Reply | Quote

I am logged on as administrator by default and the program was “run as administrator.” The problem persists. It is clear that the problem is on Adobe’s end.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

Reply | Quote

Did you try the uninstaller suggested in the link? (Revo)
There are reasons why using an administrator account for daily use isn’t considered secure… (that’s another topic!).

1 user thanked author for this post.

walker

Reply | Quote

To set your mind at ease, I don’t run under built-in administrator. When I wish to “Run as administrator”, I right-click a program and select “run as administrator.”

To reiterate, I am sole user and owner, and am shown as administrator.

Revo Uninstaller was used; it is one of the tools in my toolkit.

The problem is Adobe’s.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

1 user thanked author for this post.

Kirsty

Reply | Quote

While not everyone agrees about preferred user account privileges:

The #1 reason for running as non-admin is to limit your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious or other “undesirable” code finds its way to one of those programs, it also gains unlimited access.

Of course, that is your own risk assessment to take 🙂

Reply | Quote

@Kirsty:    Good posts!  Lots of information there.    I have Flash turned off in Firefox, and try to stay away from it.  With my lack of computer literacy that’s probably the best thing to do.  Thank you for the good information you have shared!     🙂

Reply | Quote