Archive for Adobe

Microsoft To Nuke Adobe Flash For Good This Summer

Posted in Commentary with tags , on May 5, 2021 by itnerd

Microsoft is preparing to issue two more Windows 10 updates in June and July that will eliminate the now unsupported Adobe Flash Player from Windows PCs for good:

The update KB4577586 called “Update for Removal of Adobe Flash Player” has been available as an optional update since October and now looks set for a broader deployment. Flash Player officially reached end of life on December 31, 2020 as per an announcement by Adobe and major browser makers in 2017. 

“Starting in June 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Preview Update for Windows 10, version 1809 and above platforms. It will also be included in every subsequent Latest Cumulative Update,” Microsoft said. “As of July 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Latest Cumulative Update for Windows 10, versions 1607 and Windows 10, version 1507. The KB will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard,” it added.

One of these patches will hit the streets in June and the second will hit the streets in July. That will pretty much “Thanos Snap” Adobe Flash out of existence. And it’s about time. Adobe Flash has major security issues and it shouldn’t be on any computer on planet Earth. So the fact that Microsoft is taking this step is something that I applaud.

Users Of Older Adobe Creative Cloud Apps Might Get Sued If They Don’t Upgrade

Posted in Commentary with tags on May 14, 2019 by itnerd

If you’re using older versions of Adobe Creative Cloud apps, now might be a great time to upgrade. Because according to Adobe, you might get sued if you don’t. Customers have been getting emails from Adobe in regards to this which apparently aren’t too nice. And one customer reached out to Adobe on Twitter and got this response.

The apps affected include Photoshop, Lightroom Classic, Premiere, Animate and Media Director. And you’re likely wondering why using older versions of these apps is an issue. Well, it stems from the fact that a lot of creative types have workflows that work best with older versions of software. Or they are just used to the software and don’t want to change. Or they don’t want to introduce issues by upgrading to something that breaks their workflow.

Apparently this stems from a licensing dispute between Adobe and Dolby which seems to be turning ugly. Thus users of Created Cloud should consider themselves warned because by the time a company starts sending out notices like these, it’s a sign that things are not good.

Remember That Flash Exploit That Popped Up Last Week… Well, There’s Actually TWO Of Them

Posted in Commentary with tags on February 7, 2018 by itnerd

Last week I told you about an Adobe Flash exploit that had been around since November and was actively being used by North Korean hackers. Adobe promised to fixed it this week and they did. But in the process of fixing that exploit, they disclosed that there was a second exploit that was floating around unfixed. It’s documented in the CVE database as CVE-2018-4877 and in short, it’s an exploit that allows for remote code execution. In other words, doing something as simple as opening a webpage or other document with a malicious Flash file embedded in it will pretty much result in pwnage if you have the wrong version of Flash installed. Thus, you should update your version of Flash right now to avoid pwnage.

Or the better route is to dump Flash completely because it’s a security nightmare that Adobe cannot remedy. Thus since Adobe can’t save you from the nasties that are out there, you have to save yourself.

Reason #6719 Not To Run Adobe Flash: A Dangerous New Zero Day Exploit Has Been Found

Posted in Commentary with tags on February 2, 2018 by itnerd

I’ve been saying for a very long time that if you want your computer to be secure, you need to dump Adobe Flash. On top of the security factor, you have no practical need for it as the world has moved on to standards like HTML5. But here’s a new reason not to run Adobe Flash. South Korean authorities have found a dangerous new Zero Day exploit that leverages Adobe Flash:

According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs 28.0.0.137 and earlier. Flash 28.0.0.137 is the current Flash version number.

“An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code,” KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents.

What makes it worse is that the North Koreans are apparently behind this and it’s been around since November and it’s actively being exploited. This has Adobe scrambling to fix this and a fix is coming out on Monday. Which is pretty craptastic on Adobe’s part seeing as this has been around since November and is actively being exploited. So if you still run Adobe Flash for whatever reason, make sure that you update it on Monday. Or better yet, uninstall it and make yourself more secure than you are now.

Update Adobe Flash ASAP As Exploits Are In The Wild

Posted in Commentary with tags , on October 16, 2017 by itnerd

Stop me if you’ve heard this before, but you need to update Adobe Flash ASAP as there are exploits that hackers are actively using them. The really funny part is that the people who came across this was beleaguered anti-virus company Kaspersky.

Yeah. Those guys.

In any case, this exploit is serious as per this:

The warning came after cyber security firm Kaspersky Lab Inc said a group it was tracking, BlackOasis, used the previously unknown weakness on Oct. 10 to plant malicious software on computers before connecting them back to servers in Switzerland, Bulgaria and the Netherlands.

Kaspersky said the malware, known as FinSpy or FinFisher, is a commercial product typically sold to nation states and law enforcement agencies to conduct surveillance.

Kaspersky said its assessment of BlackOasis shows it is targeting Middle Eastern politicians and United Nations officials engaged in the region, opposition bloggers and activists, and regional news correspondents with the latest version of FinSpy.

The company said victims have so far been observed in Russia, Iraq, Afghanistan, the United Kingdom, Iran and elsewhere in Africa and the Middle East.

Excellent. Here’s what you can do to protect yourself:

Option 1: Download the latest Adobe Flash. Install it and wait for the next Flash based exploit to appear.

Option 2: Uninstall Adobe Flash as there is no real reason to run it. That will make the next Flash based exploit a non-event.

The choice is yours.

A Petition To Open-Source Flash? Like WTF?

Posted in Commentary with tags on July 31, 2017 by itnerd

In a strange twist of fate, there’s now a petition to open-source Flash. Here’s where it gets weird. The petition acknowledges Adobe’s reasons for killing Flash, namely that it’s been superseded and is woefully insecure. But….:

However Flash along with its sister project Shockwave is an important piece of Internet history and killing Flash and Shockwave means future generations can’t access the past. Games, experiments and websites would be forgotten.

Open sourcing Flash and the Shockwave spec would be a good solution to keep Flash and Shockwave projects alive safely for archive reasons. Don’t know how, but that’s the beauty of open source: you never know what will come up after you go open source! There might be a way to convert swf/fla/drc/dir to HTML5/canvas/webgl/webassembly, or some might write a standalone player for it. Another possibility would be to have a separate browser. We’re not saying Flash and Shockwave player should be preserved as is.

I don’t know of anything that was made with Flash that would be worth this effort to preserve a piece of software that is horribly insecure. But that’s just me. If you have a different view of this, I would ask you to share your thoughts by leaving a comment.

Flash To Be Deep Sixed By Adobe By 2020

Posted in Commentary with tags on July 25, 2017 by itnerd

Somewhere Steve Jobs is declaring victory when it comes to killing Adobe Flash. The news is out that the once popular, but now exploit ridden browser plug in will be dead by 2020:

The software company’s decision to phase out Flash is noteworthy considering that the software has been synonymous with Adobe since its debut for playing videos and animations in web browsers. As the Internet matured and grew in popularity over the years, so did Flash, which became one of the most widely used ways for people to watch video clips and play online video games.

But as more people used Flash, criminals increasingly found ways to exploit security vulnerabilities in the technology and hack into people’s computers. Flash’s increasing holes and bugs soon became a source of frustration for some of the world’s biggest technology companies.

Frankly, Flash won’t be missed. With standards such as HTML 5 and Web GL, there are way better and safer ways to display web content than Flash.

R.I.P. Flash.

UPDATE: Here’s the official word from Adobe.

#PSA: Update Adobe Flash NOW To Mitigate Security Flaws

Posted in Commentary with tags on February 17, 2017 by itnerd

If you are still running Adobe Flash for whatever reason, you need to upgrade it now. As in right now. The version that you need to be running 24.0.0.221 as it “address critical vulnerabilities that could potentially allow an attacker to take control of the affected system”. These holes are on Mac, Windows and Linux.

So, if I were you I would run to the Adobe Flash Player Download Center and update away. Or better yet, dump Flash and make your system a whole lot more secure.

Latest Adobe Acrobat Reader Update SILENTLY Installs Chrome Extension

Posted in Commentary with tags , on January 12, 2017 by itnerd

The news is out that the latest update out from Adobe for its Acrobat Reader for Windows does something that I find distasteful. It silently installs an extension into your Google Chrome browser. After you update Acrobat Reader, the next time you open Chrome it will note the new extension and ask if you want to enable it or remove it.

The problem is this:

The installation process is covert, but the next time users open their Chrome browser, they’ll be notified by Chrome’s security systems that a new extension has been added.

The extensions name is Adobe Acrobat and is the same extension available through the Chrome Web Store.

Let me focus on three things. First is the fact that the “installation process is covert” meaning that you are not told that this is going to happen when you update Adobe Acrobat Reader. Which in turn would give you the choice as to if you want it installed or not. But I bet that lots of users are going to say yes when the prompt to enable it pops up in Chrome and I bet that is what Adobe is counting on. The second thing that I want to focus on is the fact that the extension in question is available on the Chrome Web Store. That means that if you really wanted this, you had an avenue to get it. So one has to wonder why Adobe is now forcing it upon users? Finally, Chrome offers pretty good native PDF support. So why even bother having more software installed?

Now the cyinic in me sees this as the real reason behind this:

The Adobe Acrobat extension also comes with anonymous usage data collection turned on by default, which might scare some users.

According to Adobe, extension users “share information with Adobe about how [they] use the application.”

“The information is anonymous and will help us improve product quality and features,” Adobe also says.

Digging deeper into this data collection mechanism, we see that Adobe collects the following user information:

  • Browser type and version
  • Adobe product information such as version
  • Adobe feature usage such as menu options or buttons selected

“Since no personally identifiable information is collected, the anonymous data will not be meaningful to anyone outside of Adobe,” the company says.

I’m sorry, but force feeding me a browser extension that phones home doesn’t exactly give me the warm fuzzies.

Now there’s one thing that popped to mind as I was typing this.Chrome has come bundled with Adobe products such as Flash. If you want to see this in action, install or update Flash. You’ll see that installing Google Chrome is an option (that to be frank I remove 100% of the time). Is there a connection?

That’s a question that I would love to have an answer to.

UPDATE: Clearly this story got Adobe’s attention. 24 Minutes after posting this, I got this Tweet:

Ten Top Exploits Of 2016 Exist Via Adobe Flash Or Microsoft Products

Posted in Commentary with tags , on December 8, 2016 by itnerd

I am no fan of Adobe Flash because of how insecure it is. And a report from On The Wire illustrates this fact perfectly. Six of the top ten exploits in 2016 leveraged bugs in Flash:

Six of the top 10 most-refquently targeted vulnerabilities in the last year were in Flash, while the other four were in Microsoft products, including IE, Windows, and Silverlight. Flash has been a favorite target for attackers for a long time, for two main reasons: it’s deployed on hundreds of millions of machines, and it has plenty of vulnerabilities. Recorded Future’s analysis shows that trend is continuing, and one Flash bug disclosed October 2015 was incorporated into seven individual exploit kits. The flaw was used by a number of high-level attackers, including some APT groups.

Flash gets targeted because 95% of potential victims are running the same Flash plugin with the same vulnerabilities. And because HTML5 hasn’t yet completely taken over, one may have no alternative other than to run Flash to see the content that they want. It also gets targeted because Adobe for whatever reason cannot properly secure it and hackers know that. Thus the only way to really protect yourself is to dump Adobe Flash.

As for the fact that Microsoft products are the other four exploit vectors, here are my thoughts on that:

  1. Silverlight which was meant to be a competitor to Flash is basically a dead product as Microsoft no longer supports it. If you still have it on your system, you should really remove it. Trust me, you won’t be missing anything by not having it on your system. Except for the odd exploit which isn’t a bad thing.
  2. If you use IE (Internet Explorer), you should if possible move to another browser such as Edge for Windows 10, Chrome or Firefox.If you can’t, the best defense is to make sure your Windows systems are always fully patched as patches for IE are always part of Windows patches.
  3. If you run Windows, the best defense is to make sure your Windows systems are always fully patched.

If you do all of that, you can likely sleep somewhat better at night.