July 11, 2015

For the second time in a week, Adobe Systems Inc. says it plans to fix a zero-day vulnerability in its Flash Player software that came to light after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.

In an advisory published late Friday evening, Adobe said it plans to issue another Flash patch the week of July 13, 2015. “This vulnerability was reported to us following further investigation of the data published after the Hacking Team data breach,” the advisory notes.

Adobe said the flaw is present in the latest version of Flash for Windows, Mac and Linux systems, and that code showing attackers how to exploit this flaw is already available online.

There is every reason to believe this exploit will soon be folded into exploit kits, crimeware used to foist drive-by downloads when unsuspecting visitors browse to a hacked or booby-trapped site. On Wednesday, Adobe patched a different vulnerability in Flash that was exposed in the Hacking Team breach, but not before code designed to attack the flaw was folded into the Angler and Nuclear exploit kits.

If you were on the fence about removing or disabling Flash altogether, now would be a great time to reconsider. I recently blogged about my experience doing just that, and found I didn’t miss the program much at all after a month without it.


44 thoughts on “Adobe To Fix Another Hacking Team Zero-Day”

  1. Hayeito

    Great report. You should make a graph or list of all patches of flash and java to show how insecure one could be if they used both

    1. Anthony

      I believe you can get info including graphs from secunia.com (free for non-commercial use). It’s been awhile since I used Secunia’s free desktop version inspector as I run a linux desktop these days.

    2. JeffJ

      The website FlashTester.org has a history of patches to the Flash Player

  2. JCitizen

    I was ready to dump flash after this latest fiasco, as the circus has become too much; but some sites still do not work for IE-9 and Firefox. I only need the active x and the PPAPI version for functionality. I realize I should probably update to Win7, but it is just too much at this time; I guess I’m willing to risk the slings and arrows to maintain functionality for now.

    1. Atombath

      If you have the ability, install a modern browser like Chrome or Firefox.

  3. Ronald Rump

    I can’t say that any of this surprises me – when reports first came out about what was leaked, you knew that there were various zero-day bugs that were in there that were going to need to be fixed.

    I maintain and use multiple machines. The vast majority of which do not have flash. But there are a handful of things that we use at the office which seem to require it, and I keep on having to put the stupid thing back again.

  4. Brad

    Flash needs to just go away, and websites dependent on it should look elsewhere. Too many patches upon patches upon patches. But several music streaming sites do seem to use it.

  5. Chriz

    I did remove flash 5 months ago and sure don’t miss it one bit. I keep it installed on a VM if I really need it. Same thing for java. Sorry, but 1 update a week is just unbearable for me. Let alone for a company who has to repackage to redeploy.

  6. President Donald J Trump

    No sense in using Flash anymore, many websites like Youtube are moving or have moved to HTML5

  7. CooloutAC

    Only site I need flash for is c-span.org… I’m going to write them a letter.

    1. Mike

      There would only be two reasons to need flash on the cspan site and that’s for videos and advertising. You’re not going to need the advertising anyway so I would recommend filtering those things out by whatever means available. Any video they have is likely going to be something from somewhere else (like youtube). Contacting cspan regarding this issue will likely not get you anywhere.

      1. James Edward Lewis II

        C-SPAN does not rely on YouTube or any other third party to host its videos, and it looks like the website does not run ads, much the same way it doesn’t run ads on TV but is instead funded by the cable companies through agreements made while cable was in its infancy.

        C-SPAN is no ordinary media site.

        Judging from its shift to an iframe-based embed code, I suspect that it allows certain devices to load video without Flash, and it may soon switch to HTML5 on modern desktop browsers; it’s a step up from the bad old days when it relied on RealPlayer for embedded video.

        1. Mike

          fair enough

          This then becomes an issue regarding the equipment and the way such equipment is used and not so much about flash at all

  8. markD

    There are now alternatives to Flash, and nearly no consequence whatever to just dropping it entirely. Media will only have a reason to drop it if they find they are losing eyeballs of people who no longer have it.

    In that regard the very best thing everyone can do is to just drop Flash and hang on until those straggling media that only run Flash catch on by losing all those precious eyeballs, having been given the incentive by everybody just dropping flash and thereby “moving the food.”

  9. flasher

    I don’t really understand flash, there are 3 to download, activex, PPAPI and NPAPI, ok activex is IE, NPAPI is FF, but what is NPAPI chrome and opera, if chrome has its own version built in ? and do I or do I not also want the chrome program ‘native client’ enabled to ?sandbox ?

    1. James Edward Lewis II

      The PPAPI installer is meant for new Opera, and for other Chromium-based browsers that don’t come bundled with Flash (including the nightly Chromium builds themselves); it installs the same plugin that Chrome is bundled with, and Chrome is smart enough now to not even list the separately installed PPAPI Flash Player in the Plugins page.

      The reason Adobe is even making a PPAPI installer is that this fall, Chromium will stop supporting NPAPI plugins, and Chromium-based browsers that don’t make the effort to keep NPAPI support going will no longer be able to use NPAPI Flash Player.

  10. OldGnome

    Other than not using Flash, what are the alternatives to Flash? Are these alternatives truly better, or just more sloppy coding waiting to be attacked?

    1. CooloutAC

      in general for me, html5 uses less cpu power and has less screen tearing and smoother play.

    2. Cavoyo

      The big replacement for Flash is the HTML5 standard, as the other commenter pointed out. There are at least two security benefits to HTML5 compared to Flash:

      1. The HTML5 implementation is specific to each browser. What this means is that a security vulnerability in one browser’s HTML5 implementation is unlikely to be duplicated in other browsers. Compare this to Flash. HackingTeam was able to get code running on any Windows system with any browser using just a Flash vulnerability and a Windows vulnerability. Without Flash, HackingTeam would have to find one vulnerability each in Internet Explorer, Firefox, Chrome, and so on, which is considerably more work.

      2. Because HTML5 is implemented in the browser, updates to the browser also update its HTML5 implementation. Right now, the only browsers that auto-update Flash are Internet Explorer on Windows 8.1 and Chrome on all OSes. This leaves about half of Windows users reliant on Adobe Flash’s shoddy auto-updater, which can miss patches that came out weeks ago. By contrast, Chrome and Firefox have very good auto-updaters that can detect a patch on the day it comes out, and Internet Explorer gets updates through Windows Update for every OS after XP.

      So bugs in an HTML5 implementation affect fewer users and they get patched sooner. Both of these make HTML5 bugs less valuable to attackers.

  11. Old School

    After reading this article, I said: Enough is enough. I removed the Flash plugin for Firefox and decided that today is going to be my first flashless day. So far so good because my favorite websites do not use Flash. If I can go flashless for one week then I will remove the code for IE thus allowing Flash to join the eight inch floppy disk in Heaven.

  12. Mike

    Any modern browser will already be capable of handling HTML5. This is a coding specification/standard for the way a browser renders a webpage. No extra software is required. Although HTML5 carries with it certain other issues like the ability to access a webcam or microphone. Plenty of people are getting upset at google for this when it’s something that is built into HTML5, so for google to say that they are not doing anything wrong is a correct statement (they are just making use of HTML5’s capabilities….which is normal). A big part of why we went from HTML4 to HTML5 was to create certain functionality that allows for *NOT* using things like flash.

    Flash is only good for five things:
    1) advertising
    2) presenting embedded interactive video
    3) games
    4) more specific niche fancy displays for displaying and working with data
    5) other

    4 and 5 is too small an area to justify continued risk. Web developers that continue to code for these things are contributing to the problem (like speedtest websites that require flash). 3 is a very difficult thing to convince people to see. Gaming is just not worth all the problems caused by continued use of flash. 2 is the most reasonable excuse to stick with flash but since HTML5 is the direction more and more web developers and companies (like youtube) are taking, it’s just not worth it. 1 should be self evident and is what I consider to be the single greatest threat.

    ActiveX has a long history of security issues as well. It is not something I would EVER recommend anyone use. But then, I stopped using Internet Explorer as my primary browser many years ago.

    If you’re going to websites that require flash, you would be better off not going to those websites anymore. Unless it’s only a partial use of flash (like for advertising).

    Flash has ALWAYS been a security risk but it has only been these last few years that it has been getting seriously noticed. There are reasons why.

  13. Example

    Funny story about removing Flash. I uninstall flash from any computer I am using. But on my work machine, Amazon IT insists on claiming I don’t have the latest security updates and they keep reinstalling Flash. I gave up and let them install it.

  14. Kia

    Don’t they have at least some liability to all such vulnerabilities over the years? Flash + PDF

    There must be a lawyer somewhere that should pick this up

    1. Mike

      It’s called a EULA for some software. In other cases it’s why you’re allowed to use it at no cost. Either way, you made the choice to install it and run it. It’s a lot like Facebook, Twitter, and other social media….your use and continued use of it without paying anything for it is your agreement to their terms. Although they are not completely without responsibility. That’s why THEY create and disperse “updates” and “patches”.

  15. Austin

    I applaud Adobe for their actions. Finally a company being proactive about these issues. Breath of fresh air.

    1. JJ

      That was sarcastic, right? The first one was there for five years. If there is one thing Adobe is not, it’s proactive about security. They now have a worse track record than Java and it’s not getting better. After they deprecated Flash, rather, after people finally got tired of the security issues and deprecated Flash for them, the security issues seem to have gotten worse. If Flash is no longer making money for them, why should they put resources on it?

  16. mike~acker

    I’ve been trying to get a handle on why flash is such a disaster.

    apparently it just runs as a browser plug-in and as such should not be capable of doing much harm. that however is not the case.

    apparently flash is fed .swf files — which are actually containers and as such can pass a wide assortment of inputs into the flash player. any of these could be loaded with data designed to get code execution which would then seek to exploit an unprotected system program having escalation privileges. this is all the more dangerous because the .swf can be an active feed, feeding data from anywhere directly into the victim’s player…

    the key i’ve been looking for is to determine if flash installs a driver module into the kernel. if so it cannot be controlled with sand-boxing or named spaces — it will have to be killed.

    1. JJ

      One reason why Flash is so dangerous to targeted companies that use Flash on their web sites is that it is an interpreted language. That means the .swf is compiled and executed at runtime, not in advance. HP has a freeware tool called SWF Scan that decompiles .swf files into their original code, complete with developer comments and all.

      It makes it absolutely trivial to find developer mistakes, figure out how the backend application works and exploit it.

      Download SWF Scan from http://h30499.www3.hp.com/hpeb/attachments/hpeb/sws-612/46/2/HP_FREE_TOOL_SwfScan.zip

      Then go into your Internet temp files folder and copy a .swf file to another folder. Set SWF Scan to point to that file and run it. Voila.
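
Added example (not part of the original post or its comments): the thread above describes .swf files as containers, and this Python sketch lists the tags inside one without running it, following the header and tag-record layout in the published SWF file format specification. The function names, the short tag-name table and the sample file are constructed for illustration.

```python
import struct
import zlib

MAX_BODY = 64 * 1024 * 1024  # cap on inflated size (assumed limit, tune as needed)
# A few tag codes from the SWF file format specification.
TAG_NAMES = {0: "End", 1: "ShowFrame", 12: "DoAction", 69: "FileAttributes",
             82: "DoABC", 87: "DefineBinaryData"}

def parse_swf(data: bytes) -> dict:
    """List the tags carried in a SWF container without executing anything."""
    if len(data) < 9:
        raise ValueError("too short to be a SWF file")
    sig, version = data[:3], data[3]
    (declared,) = struct.unpack_from("<I", data, 4)  # total length once inflated
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":  # everything after the 8-byte header is zlib data
        inflater = zlib.decompressobj()
        body = inflater.decompress(data[8:], MAX_BODY)
        if inflater.unconsumed_tail:
            raise ValueError("inflated body exceeds MAX_BODY")
    else:
        raise ValueError(f"unsupported signature {sig!r}")  # e.g. ZWS (LZMA)
    if not body:
        raise ValueError("empty body")
    # Skip the bit-packed RECT (5-bit width field + 4 fields of that width),
    # then the frame rate and frame count (2 bytes each).
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4
    tags = []
    while pos + 2 <= len(body):
        (code_and_len,) = struct.unpack_from("<H", body, pos)
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:  # long form: the real length follows as 32 bits
            if pos + 4 > len(body):
                raise ValueError("truncated tag header")
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if pos + length > len(body):
            raise ValueError(f"tag {code} overruns the file")
        tags.append((TAG_NAMES.get(code, f"tag{code}"), length))
        pos += length
        if code == 0:
            break
    return {"version": version, "declared_length": declared,
            "actual_length": 8 + len(body), "tags": tags}

def build_sample(compressed: bool) -> bytes:
    """Constructed minimal SWF: one opaque embedded blob, one frame."""
    def tag(code: int, payload: bytes) -> bytes:
        if len(payload) < 0x3F:
            return struct.pack("<H", code << 6 | len(payload)) + payload
        return struct.pack("<HI", code << 6 | 0x3F, len(payload)) + payload
    body = b"\x00" + b"\x00\x18" + b"\x01\x00"  # empty RECT, 24 fps, 1 frame
    body += tag(69, b"\x08\x00\x00\x00")         # FileAttributes, AS3 flag set
    body += tag(87, b"\x01\x00" + b"\x00" * 4 + b"A" * 100)  # DefineBinaryData
    body += tag(1, b"") + tag(0, b"")
    head = bytes([10]) + struct.pack("<I", 8 + len(body))
    return (b"CWS" + head + zlib.compress(body)) if compressed else (b"FWS" + head + body)

if __name__ == "__main__":
    print(parse_swf(build_sample(compressed=True)))
```

Tags such as DoABC and DefineBinaryData, or a declared length that disagrees with the actual one, are the parts of the listing worth a closer look during triage.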

  17. Phoenix

    I deleted Flash (again) this morning because it kept hanging up on the New York Times site. I had added it to EMET 5.1. I wondered what might be going on. Now I read this post…

  18. SL

    How on earth are Adobe worth $40 billion, you would have thought that the share price would eventually be affected by their continual incompetence. Surely if the share price is affected, someone at board level loses their job then someone would be hired to make this software less vulnerable. Adobe must take responsibility for making cyber crime so easy.

    1. Mike

      It’s advertising dollars at work.

      The only way to properly deal with this is to stop using Flash.

    2. Clint Davis

      Adobe are worth $40B because of their creative apps like Photoshop, Illustrator, InDesign, After Effects, etc. I don’t know the number of licenses Adobe has sold, but I’m sure it’s very high.

  19. JJ

    Because people want to buy features, not security. Have you ever, ever heard someone brag about spending fifty or a hundred dollars for their new anti-virus program? Of course not. They want free security and free does not pay the bills.

    The only thing taking a hit is a small bit of their reputation, not their stock price or their bonuses. If you’ve ever gone into a retirement planning meeting, was the first question you get asked “How’s your reputation?” Nope, it’s “What’s your net worth?”

  20. IA Eng

    It almost makes me think that there is an insider in some major corporations that simply ignores, hides or modifies a vulnerability report for these zer0-days.

    It’s as if the corporations don’t fuzz their product enough, or – at times – pushing the patch out too fast and opening new holes. Again, fuzzing would reveal some of these issues.

    There are a lot of smart individuals in these corporations, but many may have their hands tied on what is to be fixed, and what is to be left alone.

    I remember reading about a few holes left in software on purpose in order for an agency to take advantage of that hole. I am sure it happens more often than what is advertised.

    Let’s just hope the people who create these holes, and the communication paths they use are free and clear of any unknown malware or other evil software.

    1. pboss

      Hardly. Debugging software is incredibly hard. Especially code written early as it’s unlikely to be well-commented. Even innocent looking statements can be a vulnerability because you didn’t check that the function you called doesn’t verify inputs or something similar.

      1. Sasparilla

        Both you guys are correct. It’s very difficult and software that was written before security became the mainline security vector that it is today often was written without security being a big consideration. That said, the Stasi from all countries wants back doors in everything (which makes things unsafe for everyone) and work to make that happen, here are just a couple of pages touching on it:

        https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-apples-secrets/

        https://plus.google.com/+TheodoreTso/posts/SDcoemc9V3J

  21. anonymous

    Flash is data that executes. Data that executes is otherwise known as a buffer overflow. Flash is bad news.

  22. Biff Henerson

    Isn’t it amazing how many bugs are in such a tiny piece of software?

  23. grayslady

    Until the other day, the only occasion I had to use Flash was for a small, idiot game available on Yahoo games that I’ve enjoyed playing, from time to time, for years. However, I decided to try Mango, now available from my local library, as well as many other libraries around the country. It’s a fairly decent language learning program (according to a Dutch friend of mine, the program suggestions, while not sufficiently broad to encompass the true options Dutch people use in common speech, is perfectly correct in the basics). When you first log into the program, there are two questions you are asked before you can proceed: one of them is, “Do you have Flash installed?” Only if you use Flash can you proceed with the program. So, while many people here may think of Flash as only being a video alternative for watching movies, or the type of videos posted on YouTube, here is an educational program being offered by most libraries to home users that depends on Flash. Just an observation.

  24. Pookie

    Does anyone know, how many 0-days has Flash had over the years, looking for a total number, out of curiosity… could help develop convincing arguments to move away from Flash dependency.

    1. SeymourB

      Every security fix was a 0 day at one point. 0 day just means it’s an unpatched vulnerability that others know about (and 99 times out of 100 the miscreants know about them before they’re patched). So just total up every published security fix for Flash… and Acrobat… and Java… and Windows… and…

  25. Jungle Jim

    Recently Chrome changed how to do the “click to play” function. Brian’s 2013 article describes the old way.

    This article from Berkeley’s security page describes the new way.

    https://security.berkeley.edu/content/how-do-i-enable-click-play-google-chrome

    1. Open Chrome Preferences/Settings
    Scroll to the bottom and click Show Advanced Settings (Note: this link will say Hide Advanced Settings if you have previously revealed them)
    2. Privacy section
    3. Content Settings
    4. Plugins section
    5. Select Let me choose when to run plugin content option in the Plugins section
    6. Lastly, click the Manage individual plugins link and make sure the Always allowed to run option for each plugin is unchecked. Click to Play functionality will not work for any plugins with Always allowed to run selected.

Comments are closed.