Tag Archives: Flash

Kill Flash Now or Patch These 36 New Vulnerabilities

I don’t normally publish posts on individual software updates, but Flash is such a mess and such a security swamp that I feel compelled to do that.  Microsoft’s attempt to copy Flash – Silverlight – is even worse.  It is so bad that Google doesn’t support it inside Chrome.

My recommendation is that you uninstall Flash and Silverlight if you can do that and still operate your business.  Some web sites that businesses use still require Flash so you may need to keep it around.  More and more web developers are moving away from Flash due to the swamp that it is.

OK, so let’s look at this particular patch.

36 separate bugs are patched.  Microsoft releases patches once a month and usually has around 10-15 patches covering 50 software products.  Adobe seems to patch just this one product several times a month – sometimes several times a week – and is still patching 36 bugs in a single patch.   They have been doing this for as long as I can remember.  What does that mean about the security quality of the product?

One of those bugs, named CVE-2016-4171, is being exploited in the wild right now.

Adobe says the bugs were found by Cisco Talos, Google, FireEye, Microsoft, Tencent, Kaspersky, Pangu Lab and Qihoo.  That, of course, does not include every intelligence agency in the world.

To add insult to injury, this patch comes days after Adobe’s regular monthly Flash (and other product) patch release.

Apple has announced that it will be disabling Flash by default in Safari, joining Google’s Chrome.

I use two browsers.  One browser, the one I use every day, has Flash completely disabled.  The other browser, a kind of ‘break glass in case of emergency’, has Flash enabled, but I only use it if my main browser complains.

A lot of malware is delivered silently by Flash based ads.  Major sites like The New York Times, BBC and AOL, among a number of others, were hit with malicious ads recently.  The ads delivered ransomware to users who happened to have particular unpatched vulnerabilities and it DID NOT require users to click on anything to become infected.  Disabling Flash protects you against these attacks.

If, after all this, you really do need Flash, then make sure that you install this patch as soon as possible.

Information for this post came from The Register.


Adobe Patches 23 Flash Flaws – Enough Is Enough

Adobe announced patches yesterday for 23 additional Flash vulnerabilities.  18 of these bugs can be used to run malicious code on the underlying computer.

To see what version you are running, go to:

WWW.Adobe.com/software/flash/about

That web page will give you the version that you are running, the current version that you should be running and a link to the download page.

On my computer, I run Firefox and Chrome.

On Chrome I have Flash disabled completely.  To do that, open Chrome and type

Chrome://plugins

You will get a screen that looks like this.  Look at which plugins you are running and decide which ones you want to run and which ones you want to disable.

(Screenshot: Chrome flash)

Chrome IMMEDIATELY disables Flash if you do this – if you have browser windows open with Flash objects in them, those objects will go away.  On the other hand, if you re-enable it, you have to click the page refresh button to make the Flash object reappear.

In Firefox, you have to go to

About:addons

You will see a page that looks like this.  Find the SHOCKWAVE FLASH addon.  I set it to Ask to activate, but you can select Never activate.  If you set it to ask, Firefox displays a box where the Flash object should be with a link.  The link asks you if you want to activate it one time or always.  Should you want to display a Flash object, I recommend selecting One time.

(Screenshot: Firefox flash)

Curiously, the Flash installer requires you to activate Flash in order to run the installer.
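The two click-paths above disable Flash on one machine at a time.  The script below is an added example (not from the original post) that does the same thing for every user on a Linux host through the browsers' managed policy files, so the setting cannot be flipped back from chrome://plugins or about:addons.  The policy names (Chrome's DefaultPluginsSetting=2 meaning "block all plugins", Firefox's FlashPlugin policy with Default=false) and the default directories are assumed from the vendors' enterprise policy documentation.

```shell
#!/bin/sh
# Added example: write managed browser policies that disable Flash for all users.
# Assumed defaults (from vendor docs, not from the post):
#   Chrome reads /etc/opt/chrome/policies/managed/*.json
#   Firefox reads <install dir>/distribution/policies.json
# Usage: write_flash_policies [CHROME_POLICY_DIR] [FIREFOX_DIST_DIR]
write_flash_policies() {
    chrome_dir="${1:-/etc/opt/chrome/policies/managed}"
    ff_dir="${2:-/usr/lib/firefox/distribution}"
    mkdir -p "$chrome_dir" "$ff_dir" || return 1

    # Chrome: DefaultPluginsSetting 2 = block plugins (1 = allow, 3 = click to play).
    cat > "$chrome_dir/disable-flash.json" <<'EOF'
{
  "DefaultPluginsSetting": 2
}
EOF

    # Firefox: Default=false is "Never activate"; Locked=true greys out the
    # about:addons control so the user cannot switch it back to "Ask to activate".
    cat > "$ff_dir/policies.json" <<'EOF'
{
  "policies": {
    "FlashPlugin": {
      "Default": false,
      "Locked": true
    }
  }
}
EOF
}

# Audit helper: returns 0 only when both policy files exist and carry the
# blocking settings, so it can be run from a compliance check.
check_flash_policies() {
    chrome_dir="${1:-/etc/opt/chrome/policies/managed}"
    ff_dir="${2:-/usr/lib/firefox/distribution}"
    grep -q '"DefaultPluginsSetting": 2' "$chrome_dir/disable-flash.json" 2>/dev/null &&
    grep -q '"Default": false' "$ff_dir/policies.json" 2>/dev/null
}
```

Run it as root to write to the real directories; the browser picks the policy up on its next start.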

It is surprising how many sites still use Flash, but the number is decreasing every day because a lot of businesses are blocking Flash as a security enhancement.

The biggest benefit is the number of ads that won’t run – reducing page load times.

Still, it is a personal decision – kind of like paper, plastic or your own grocery bag.  Some web sites will not work without Flash, so you have to decide.


Not A Great Week For Adobe

Researchers at FireEye have uncovered another zero day Flash exploit from within the ruins of the Hacking Team data dump.  Adobe says that they will patch it some time this week.  Adobe also says that the flaw could cause a crash and potentially allow an attacker to take control of the affected system.

Like the first Flash zero day that was revealed from the Hacking Team data dump, this one includes a well written proof of concept, so assume that the malware writers will jump right on this one like they did the first one.

According to Adobe, the new bug affects the Windows, Linux and Mac OS X versions of Flash.

In addition, there are reports of a third Flash zero day in the Hacking Team dump, so it may well be that Adobe gets to release 3 emergency patches in a week.  That would not be a good week for the Flash maker.

This comes at a time when there is a lot of pressure to move away from Flash to HTML 5.  Three emergency patches in a week will only strengthen the call for the move.

Information for this post came from Computerworld.


Adobe Releases Emergency Patch For Flash

Yet again Flash is the means of attack by a Chinese hacking group that FireEye has labelled APT3.

The attack IS in the wild, although limited in use.

The attack looks like a phishing email offering discounts on Apple computers.

You can find out what version of Flash you are running at http://www.adobe.com/software/flash/about/ and download the newest update at https://get.adobe.com/flashplayer/ .

Even though I have updates enabled on this computer, the version of Flash that I was running was 34 versions old.  Of course, Adobe may not have released any or all of those intermediate versions.

You may remember that Steve Jobs was not a big fan of Flash – to be very polite.  This is just one of the reasons why.
