Archive for Adobe

« Older Entries
Newer Entries »

Reason #6719 Not To Run Adobe Flash: A Dangerous New Zero Day Exploit Has Been Found

Posted in Commentary with tags on February 2, 2018 by itnerd

I’ve been saying for a very long time that if you want your computer to be secure, you need to dump Adobe Flash. On top of the security factor, you have no practical need for it as the world has moved on to standards like HTML5. But here’s a new reason not to run Adobe Flash. South Korean authorities have found a dangerous new Zero Day exploit that leverages Adobe Flash:

According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs 28.0.0.137 and earlier. Flash 28.0.0.137 is the current Flash version number.

“An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code,” KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents.

What makes it worse is that the North Koreans are apparently behind this and it’s been around since November and it’s actively being exploited. This has Adobe scrambling to fix this and a fix is coming out on Monday. Which is pretty craptastic on Adobe’s part seeing as this has been around since November and is actively being exploited. So if you still run Adobe Flash for whatever reason, make sure that you update it on Monday. Or better yet, uninstall it and make yourself more secure than you are now.

1 Comment »

Update Adobe Flash ASAP As Exploits Are In The Wild

Posted in Commentary with tags , on October 16, 2017 by itnerd

Stop me if you’ve heard this before, but you need to update Adobe Flash ASAP as there are exploits that hackers are actively using them. The really funny part is that the people who came across this was beleaguered anti-virus company Kaspersky.

Yeah. Those guys.

In any case, this exploit is serious as per this:

The warning came after cyber security firm Kaspersky Lab Inc said a group it was tracking, BlackOasis, used the previously unknown weakness on Oct. 10 to plant malicious software on computers before connecting them back to servers in Switzerland, Bulgaria and the Netherlands.

Kaspersky said the malware, known as FinSpy or FinFisher, is a commercial product typically sold to nation states and law enforcement agencies to conduct surveillance.

Kaspersky said its assessment of BlackOasis shows it is targeting Middle Eastern politicians and United Nations officials engaged in the region, opposition bloggers and activists, and regional news correspondents with the latest version of FinSpy.

The company said victims have so far been observed in Russia, Iraq, Afghanistan, the United Kingdom, Iran and elsewhere in Africa and the Middle East.

Excellent. Here’s what you can do to protect yourself:

Option 1: Download the latest Adobe Flash. Install it and wait for the next Flash based exploit to appear.

Option 2: Uninstall Adobe Flash as there is no real reason to run it. That will make the next Flash based exploit a non-event.

The choice is yours.

Leave a comment »

A Petition To Open-Source Flash? Like WTF?

Posted in Commentary with tags on July 31, 2017 by itnerd

In a strange twist of fate, there’s now a petition to open-source Flash. Here’s where it gets weird. The petition acknowledges Adobe’s reasons for killing Flash, namely that it’s been superseded and is woefully insecure. But….:

However Flash along with its sister project Shockwave is an important piece of Internet history and killing Flash and Shockwave means future generations can’t access the past. Games, experiments and websites would be forgotten.

Open sourcing Flash and the Shockwave spec would be a good solution to keep Flash and Shockwave projects alive safely for archive reasons. Don’t know how, but that’s the beauty of open source: you never know what will come up after you go open source! There might be a way to convert swf/fla/drc/dir to HTML5/canvas/webgl/webassembly, or some might write a standalone player for it. Another possibility would be to have a separate browser. We’re not saying Flash and Shockwave player should be preserved as is.

I don’t know of anything that was made with Flash that would be worth this effort to preserve a piece of software that is horribly insecure. But that’s just me. If you have a different view of this, I would ask you to share your thoughts by leaving a comment.

Leave a comment »

Flash To Be Deep Sixed By Adobe By 2020

Posted in Commentary with tags on July 25, 2017 by itnerd

Somewhere Steve Jobs is declaring victory when it comes to killing Adobe Flash. The news is out that the once popular, but now exploit ridden browser plug in will be dead by 2020:

The software company’s decision to phase out Flash is noteworthy considering that the software has been synonymous with Adobe since its debut for playing videos and animations in web browsers. As the Internet matured and grew in popularity over the years, so did Flash, which became one of the most widely used ways for people to watch video clips and play online video games.

But as more people used Flash, criminals increasingly found ways to exploit security vulnerabilities in the technology and hack into people’s computers. Flash’s increasing holes and bugs soon became a source of frustration for some of the world’s biggest technology companies.

Frankly, Flash won’t be missed. With standards such as HTML 5 and Web GL, there are way better and safer ways to display web content than Flash.

R.I.P. Flash.

UPDATE: Here’s the official word from Adobe.

1 Comment »

#PSA: Update Adobe Flash NOW To Mitigate Security Flaws

Posted in Commentary with tags on February 17, 2017 by itnerd

If you are still running Adobe Flash for whatever reason, you need to upgrade it now. As in right now. The version that you need to be running 24.0.0.221 as it “address critical vulnerabilities that could potentially allow an attacker to take control of the affected system”. These holes are on Mac, Windows and Linux.

So, if I were you I would run to the Adobe Flash Player Download Center and update away. Or better yet, dump Flash and make your system a whole lot more secure.

1 Comment »

Latest Adobe Acrobat Reader Update SILENTLY Installs Chrome Extension

Posted in Commentary with tags , on January 12, 2017 by itnerd

The news is out that the latest update out from Adobe for its Acrobat Reader for Windows does something that I find distasteful. It silently installs an extension into your Google Chrome browser. After you update Acrobat Reader, the next time you open Chrome it will note the new extension and ask if you want to enable it or remove it.

The problem is this:

The installation process is covert, but the next time users open their Chrome browser, they’ll be notified by Chrome’s security systems that a new extension has been added.

The extensions name is Adobe Acrobat and is the same extension available through the Chrome Web Store.

Let me focus on three things. First is the fact that the “installation process is covert” meaning that you are not told that this is going to happen when you update Adobe Acrobat Reader. Which in turn would give you the choice as to if you want it installed or not. But I bet that lots of users are going to say yes when the prompt to enable it pops up in Chrome and I bet that is what Adobe is counting on. The second thing that I want to focus on is the fact that the extension in question is available on the Chrome Web Store. That means that if you really wanted this, you had an avenue to get it. So one has to wonder why Adobe is now forcing it upon users? Finally, Chrome offers pretty good native PDF support. So why even bother having more software installed?

Now the cyinic in me sees this as the real reason behind this:

The Adobe Acrobat extension also comes with anonymous usage data collection turned on by default, which might scare some users.

According to Adobe, extension users “share information with Adobe about how [they] use the application.”

“The information is anonymous and will help us improve product quality and features,” Adobe also says.

Digging deeper into this data collection mechanism, we see that Adobe collects the following user information:

  • Browser type and version
  • Adobe product information such as version
  • Adobe feature usage such as menu options or buttons selected

“Since no personally identifiable information is collected, the anonymous data will not be meaningful to anyone outside of Adobe,” the company says.

I’m sorry, but force feeding me a browser extension that phones home doesn’t exactly give me the warm fuzzies.

Now there’s one thing that popped to mind as I was typing this.Chrome has come bundled with Adobe products such as Flash. If you want to see this in action, install or update Flash. You’ll see that installing Google Chrome is an option (that to be frank I remove 100% of the time). Is there a connection?

That’s a question that I would love to have an answer to.

UPDATE: Clearly this story got Adobe’s attention. 24 Minutes after posting this, I got this Tweet:

Leave a comment »

Ten Top Exploits Of 2016 Exist Via Adobe Flash Or Microsoft Products

Posted in Commentary with tags , on December 8, 2016 by itnerd

I am no fan of Adobe Flash because of how insecure it is. And a report from On The Wire illustrates this fact perfectly. Six of the top ten exploits in 2016 leveraged bugs in Flash:

Six of the top 10 most-refquently targeted vulnerabilities in the last year were in Flash, while the other four were in Microsoft products, including IE, Windows, and Silverlight. Flash has been a favorite target for attackers for a long time, for two main reasons: it’s deployed on hundreds of millions of machines, and it has plenty of vulnerabilities. Recorded Future’s analysis shows that trend is continuing, and one Flash bug disclosed October 2015 was incorporated into seven individual exploit kits. The flaw was used by a number of high-level attackers, including some APT groups.

Flash gets targeted because 95% of potential victims are running the same Flash plugin with the same vulnerabilities. And because HTML5 hasn’t yet completely taken over, one may have no alternative other than to run Flash to see the content that they want. It also gets targeted because Adobe for whatever reason cannot properly secure it and hackers know that. Thus the only way to really protect yourself is to dump Adobe Flash.

As for the fact that Microsoft products are the other four exploit vectors, here are my thoughts on that:

  1. Silverlight which was meant to be a competitor to Flash is basically a dead product as Microsoft no longer supports it. If you still have it on your system, you should really remove it. Trust me, you won’t be missing anything by not having it on your system. Except for the odd exploit which isn’t a bad thing.
  2. If you use IE (Internet Explorer), you should if possible move to another browser such as Edge for Windows 10, Chrome or Firefox.If you can’t, the best defense is to make sure your Windows systems are always fully patched as patches for IE are always part of Windows patches.
  3. If you run Windows, the best defense is to make sure your Windows systems are always fully patched.

If you do all of that, you can likely sleep somewhat better at night.

 

Leave a comment »

Update Flash Now Or Get Pwned By One Or More Of These 36 Exploits

Posted in Commentary with tags on June 16, 2016 by itnerd

It’s time again to update your install of Adobe Flash as there’s a new version that Adobe has just kicked out to the world that plugs 36 different issues. You read that right. 36 Of them. One of which are being exploited by the forces of evil as we speak. Details on the most severe of these issues can be found here. Once you upgrade, the version number for Windows and macOS users will be 22.0.0.192. If you’re not running that version, pwned you will get sooner or later.

Or you can take my advice and simply dump Flash and make your life easier and your computer far more secure. You’ll thank me if you do that.

Leave a comment »

Google Deep Sixes Swiffy… Ads Become HTML5 Only

Posted in Commentary with tags , on June 16, 2016 by itnerd

If you hate Adobe Flash based ads, I have good news for you. Google announced in a blog post that it is Google is closing down its Swiffy Flash conversion tool as of July 1st.:

Today more consumers are using the web in HTML5-compatible environments than Flash-compatible environments. In order to reach as large an audience as possible, we encourage everyone to transition to HTML5 authoring.

One thing that this change will mean for you is that the use of Flash ads as an attack vector will start to disappear. That makes you safer when surfing online. Second, it will force other ad providers such as Yahoo to do the same. That will make you even safer. Finally, it will hasten the death of Adobe Flash as something that you need to surf the net. That day cannot come soon enough.

Leave a comment »

Google To Block Flash On Chrome By End Of Year

Posted in Commentary with tags , on May 16, 2016 by itnerd

Another sign that Adobe Flash is dying a slow death is the plan that Google is planning to block Flash by default in all but a handful of sites by the end of year. Google will maintain support in the short-term for the top 10 domains using the player, including YouTube, Facebook, Yahoo, Twitch and Amazon. But you can expect that this list will shrink over time.

Clearly, it is becoming more and more clear that Flash is doomed. Thus you might want to consider if you really need to run it at all on your computer.

1 Comment »

« Older Entries
Newer Entries »