Archive for Adobe

« Older Entries
Newer Entries »

Once Again You Have To Update Flash To Protect Yourself From A Threat

Posted in Commentary with tags on September 21, 2015 by itnerd

I admit that I don’t have to worry about updating Adobe Flash since I dumped it due to their lack of security. But for the anyone who still has Flash on their system, Adobe’s Security Bulletin APSB15-23 describes “critical” Adobe Flash flaws that can “allow an attacker to take control of the affected system.”

Lovely. Here’s what they recommend:

  • Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 19.0.0.185
  • Adobe recommends users of the Adobe Flash Player Extended Support Release update to version 18.0.0.241
  • Adobe recommends users of the AIR desktop runtime, AIR SDK and AIR SDK & Compiler update to version 19.0.0.190

Thus you should make sure that you update Flash and the like ASAP. Or just dump it and avoid this mess and be happier and more secure as a result.

Leave a comment »

Google Chrome To Force Some Flash Content To Be “Click-To-Play” Starting September 1st

Posted in Commentary with tags , on August 28, 2015 by itnerd

Do you hate Adobe Flash ads that auto play? Apparently so does Google and if you use their Chrome browser, I have good news for you. Google has said that as of September 1, 2015 non-important Flash files will be “click-to-play” in the browser by default. Meaning that you will have to click on them to play them. That is good for the following reasons:

  • Performance: Flash sucks CPU power. So by going this route, you will get better performance from your browser and computer.
  • Security: This will mitigate some types of “drive by” attacks where simply browsing to a website with a malicious Flash ad will get you pwned.

This is a good first step. But what would be better is if ALL Flash content was “click-to-play” rather than whatever Google defines as being “non-important”. I guess Google has to strike a balance between security and allowing some Flash ads to appear. But one has to think that if they took a stance that all Flash content were “click-to-play” by default, advertisers would switch their content to HTML5 in a hurry. Thus putting one more nail in Flash’s coffin.

Expect this behavior to show up in other browsers shortly.

Leave a comment »

Another Nail In The Coffin For Flash…….Amazon Says No To Flash Ads

Posted in Commentary with tags , on August 20, 2015 by itnerd

Amazon has made a move that is a massive blow to the long term prospects of Adobe Flash. Amazon’s advertising group has issued an update to its technical guidelines today declaring that it will stop accepting Flash-based ads starting next month. Here’s why they are making this move:

This is driven by recent browser setting updates from Google Chrome, and existing browser settings from Mozilla Firefox and Apple Safari, that limits Flash content displayed on web pages. This change ensures customers continue to have a positive, consistent experience across Amazon and its affiliates, and that ads displayed across the site function properly for optimal performance.

Clearly Amazon wants to make money and the security issues in Adobe Flash along with what various browsers have to do to protect users from those issues are getting in the way of that. Thus Flash is verboten at Amazon. Does anyone want to take bets on how long it will take ad networks owned by Yahoo, Google, and AOL among others to do the same thing?

Leave a comment »

Malware Via Yahoo Ads Resurfaces With A Vengance

Posted in Commentary with tags , on August 17, 2015 by itnerd

You might recall that a massive amount of malware got distributed via Yahoo Ads and vulnerabilities in Adobe Flash a little while ago before Yahoo put a stop to it. Now it seems that this issue is back and it is worse than it was before. This latest attack uses ads that silently load (meaning that there is zero user interaction required), and then redirects you to script code that attempts to exploit vulnerabilities in Adobe Flash to install either an adware package or the CryptoWall ransomware.

Lovely.

Websites that are known to be carrying this attack include:

  • weather.com
  • drudgereport.com
  • wunderground.com
  • findagrave.com
  • webmaila.juno.com
  • my.netzero.net
  • sltrib.com

These sites have millions of hits per month which make them perfect attack vectors. What is worse is that the attackers are using multiple ad networks as it’s been seen on the ad networks belonging Yahoo and AOL. That makes it potentially difficult to avoid. If you want more details, check out the Malwarebytes website.

In terms of protecting yourself, here are your options:

  • Remove or disable Flash
  • If you must have Flash, set the plugin into “click-to-play” mode
  • Keeping fully up-to-date with security patches will also help as these exploits tend to target older vulnerabilities rather than zero-day vulnerabilities.

Leave a comment »

Once Again, You Need To Update Flash To Protect Yourself From Threats

Posted in Commentary with tags , on August 12, 2015 by itnerd

If you for whatever reason are still running Adobe Flash, even though you are leaving yourself open to being attacked by some hacker who wishes to do you some sort of harm, you should update to the latest version of Flash to make sure that you have some semblance of protection. Adobe put out Security Bulletin APSB15-19 which speaks to “critical vulnerabilities that could potentially allow an attacker to take control of the affected system.” Lovely. Head over to the Adobe Flash Distribution website to protect yourself from this latest threat. Or you could simply uninstall Flash and not ever have to worry about this again. Trust me, I did and you’re not missing much by doing so.

Leave a comment »

Flash Used In Massive Attack Via Yahoo Ads

Posted in Commentary with tags , on August 4, 2015 by itnerd

Here’s yet another reason to keep Adobe Flash off your systems. There’s word of a massive attack that started on July 28th via the Yahoo Ads network that leveraged vulnerabilities in Adobe Flash. Here are the details via The New York Times:

The scheme, which Yahoo shut down on Monday, worked like this: A group of hackers bought ads across the Internet giant’s sports, news and finance sites. When a computer — in this case, one running Windows — visited a Yahoo site, it downloaded malware code.

From there, the malware hunted for an out-of-date version of Adobe Flash, which it could use to commandeer the computer — either holding it for ransom until the hackers were paid off or discreetly directing its browser to websites that paid the hackers for traffic.

That alone proves that if you must run Flash, it needs to be up to date. But there have been many, many zero day Flash exploits that can affect any version of Flash. Thus running the latest version of this rather insecure plugin won’t do you any good. Thus punting it from your system is likely the best bet to keep yourself safe.

Oh, I have a message for Adobe. Please kill Flash. NOW. It isn’t safe and you can’t make it safe. Thus it’s best for all of us if you kill it off and move on.

2 Comments »

Firefox Now Blocks Flash By Default

Posted in Commentary with tags , on July 14, 2015 by itnerd

I am guessing that Mozilla who are the people behind the popular Firefox browser have had enough of exploits via Adobe Flash. I say that because all versions of the Flash Player plugin up to version 18.0.0.203 on Windows have been blocked by default.

If that isn’t enough, the head of Firefox support Mark Schmidt tweeted these out:

And the Firefox Twitter feed tweeted this:

Clearly, the message has been sent to Adobe to fix Flash. Though I will note that Adobe has released version 18.0.0.209 which is not blocked and it isn’t clear if it addresses all of the known issues that made Mozilla block Flash in the first place. But it is clear that momentum is gaining to kill Flash once and for all.

Leave a comment »

Facebook Exec Channels His Inner Steve Jobs To Call For The Death Of Flash

Posted in Commentary with tags on July 13, 2015 by itnerd

About five years ago, Steve Jobs called for the death of Adobe Flash. At the time I was leaning towards the Adobe side of the argument despite the fact that Flash was a CPU and energy hog. But as Flash became horrifically insecure, and that was before the whole Hacking Team horror show, I’ve changed my mind. Now Facebook’s Chief Security Officer Alex Stamos has decided to pick up the torch left by Steve Jobs and he’s calling for the death of Flash. Here’s what he Tweeted:

https://twitter.com/alexstamos/status/620306643360706561

This was followed up by a number of Tweets, including this one:

https://twitter.com/alexstamos/status/620306791520309248

And this one:

https://twitter.com/alexstamos/status/620308114990968832

I agree with everything that he posted. HTML5 can replace Flash. We just need to set a date to kill Flash off once and for all and computer users everywhere would not only be safer, but they would get better performing computers as a result. Now would Adobe ever kill Flash? Anything is possible, but they have proven to be stubborn about it. Thus only public pressure or more likely Flash falling out of favor with developers and the general public would get Adobe to kill it. Until that happens, expect more and more exploits and lots of patching of Flash to continue.

Leave a comment »

WOW! Another Flash Exploit Related To The Hacking Team Hack In The Wild!

Posted in Commentary with tags on July 13, 2015 by itnerd

This is starting to get really, really stupid.

Trend Micro has discovered a third Adobe Flash exploit that’s in the wild thanks to the epic hack of Hacking Team. Here’s what Trend Micro had to say:

Similar to the second Adobe Flash vulnerability discussed on Saturday, we have identified proof of concept (PoC) code; however, it has not yet been seen in active attacks or added to exploit kits like the first Adobe zero-day vulnerability, also spawned from the Hacking Team compromise.

Adobe has updated their security advisory with this information and has begun addressing both of these vulnerabilities through updates this coming week.

So, for those keeping score at home, this latest exploit follows this exploit and this exploit.

My recommendation? Pull Adobe Flash from your systems right now as it is clearly not safe to have installed. Take it from me, I did that and my month long experiment showed that I didn’t need it. If you must have it for whatever reason, my suggestion is to use Chrome as at least it is in a sandbox that should keep you safe. Though it’s been suggested that some of the Hacking Team’s exploits could get outside that sandbox. Thus it might be better to avoid it entirely. You’ll be better off if you do.

Leave a comment »

Adobe Announces Emergency Flash Fix For The Second Time This Week

Posted in Commentary with tags on July 11, 2015 by itnerd

The fallout from the Hacking Team hack continues for Adobe as late last night they posted a bulletin announcing a upcoming fix for another one of their exploits that leverages everybody’s favorite attack vector, Flash:

A critical vulnerability (CVE-2015-5122) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  

A fix will be out next week. This follows a fix for a similar issue earlier this week. Thus another piece of proof that Adobe Flash is horribly insecure and it should be dumped immediately. But if for whatever reason you need to run it, keep your eye out for a fix because you can be sure it will be actively exploited in the days ahead.

Leave a comment »

« Older Entries
Newer Entries »