02 Feb 18

Attackers Exploiting Unpatched Flaw in Flash

Adobe warned on Thursday that attackers are exploiting a previously unknown security hole in its Flash Player software to break into Microsoft Windows computers. Adobe said it plans to issue a fix for the flaw in the next few days, but now might be a good time to check your exposure to this still-ubiquitous program and harden your defenses.

Adobe said a critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could allow an attacker to take control of the affected system.

The software company warns that an exploit for the flaw is being used in the wild, and that so far the attacks leverage Microsoft Office documents with embedded malicious Flash content. Adobe said it plans to address this vulnerability in a release planned for the week of February 5.
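To check exposure against the version range in the advisory, the following added example (not from Adobe or the original article) sorts an inventory of reported Flash versions into affected, not affected, and needs-review. The host names and inventory lines are constructed; the parser accepts both the dotted form and the comma-separated form Flash itself reports (such as `WIN 28,0,0,137`), and compares numerically because a plain string comparison ranks `9.0.124.0` above `28.0.0.137`.

```python
import re

# Highest affected release named in the Adobe advisory quoted above.
LAST_AFFECTED = (28, 0, 0, 137)

def parse_flash_version(raw):
    """Parse '28.0.0.137' or 'WIN 28,0,0,137' into a tuple of four ints.
    Returns None when no four-part version number is present."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", raw)
    return tuple(int(part) for part in m.groups()) if m else None

def is_affected(raw):
    """True or False for a parseable version; None means 'could not parse',
    which is a case for manual review rather than a clean result."""
    version = parse_flash_version(raw)
    return None if version is None else version <= LAST_AFFECTED

def triage(lines):
    """Sort 'host<TAB>component<TAB>version' records into three buckets."""
    buckets = {"affected": [], "not_affected": [], "review": []}
    for line in lines:
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 3:
            buckets["review"].append(line.strip())
            continue
        verdict = is_affected(fields[2])
        key = "review" if verdict is None else ("affected" if verdict else "not_affected")
        buckets[key].append(fields[0] + " / " + fields[1])
    return buckets

# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE = [
    "ws-01\tIE ActiveX\tWIN 28,0,0,137",
    "ws-02\tChrome PPAPI\t28.0.0.161",
    "ws-03\tFirefox NPAPI\t9.0.124.0",
    "ws-04\tIE ActiveX\tunknown",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(bucket, items)
```
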

According to Adobe’s advisory, beginning with Flash Player 27, administrators have the ability to change Flash Player’s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing Flash content. A guide on how to do that is here (PDF). Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.

Hopefully, most readers here have taken my longstanding advice to disable or at least hobble Flash, a buggy and insecure component that nonetheless ships by default with Google Chrome and Internet Explorer. More on that approach (as well as slightly less radical solutions) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.

Another, perhaps less elegant, alternative to wholesale kicking Flash to the curb is to keep it installed in a browser that you don’t normally use, and then use that browser only on sites that require Flash.


29 comments

  1. I thought the machines I wrangle (W7 SP-1; 32- and 64-bit) were Flash-free. Indeed, Flash isn’t installed in any of the browsers. But Flash was / is a required component in mobile fone management software provided by Samsung. Flash was also the first thing installed by the canned driver package provided with a Brother printer.

    So long as hardware manufacturers continue to accompany their products with Flash as a component of the supporting software, it’s difficult to totally avoid Flash.

    • Though it does not (indeed, cannot) on an iPad, Xfinity Stream on Wintel and OS X computers requires Flash to play video content. Does Comcast own Adobe stock?

  2. Worth mentioning that these attacks have been originating from North Korea against South Korea since November.

    https://www.theinquirer.net/inquirer/news/3025901/adobe-acknowledges-flash-zero-day-thats-been-exploited-since-november

    • I read from “Computing” that Adobe also knew about this zero day flaw for two months now! Hmm? Who to believe?

  3. Interesting! My Chrome was already set to “ask first” – I don’t remember setting that. I don’t use IE, but I’m surprised Mozilla has a mitigation for it. I haven’t used Firefox for a while, despite all the hub-bub about the newest version.

    I still hesitate to uninstall active x, or NPAPI flash, because there is always a site somewhere, that I need to research, that invariably requires either one or the other for me to view content.

  4. A couple of questions about scope:

    1. Does this setting in Chrome propagate to other devices on which Chrome is installed using the same Google account? For example, I have Chrome installed on Windows, macOS, and iOS devices. If I change this setting on one of those devices, does that change show up on the other devices the next time I log in to those devices?

    2. On any one machine, does this setting need to be made for each individual user account on that machine?

  5. The default setting of Chrome is set to “ask first” but is it enough to block any activity from Flash?

  6. So if “the attacks leverage Microsoft Office documents”, does that mean that the vulnerability only applies to “Microsoft Windows computers”, or is OS X vulnerable as well since Office also exists on that platform?

  7. I forever disabled flash in my firefox Quantum 58.0.1

  8. According to KrCERT’s advisory, the exploit can be included in a Microsoft Office document or a web page. As a workaround, KrCERT recommends disabling or uninstalling the Flash Player. Firefox appears to be not vulnerable to the web-based exploit.

    https://isc.sans.edu/forums/diary/Adobe+Flash+0Day+Used+Against+South+Korean+Targets/23301/

    • KoSReader6000000

      I have disabled flash on my win machines for safety. Have about had it with adobe flash or swf files. I use Firefox. Am I affected?

      Is there a way to add Flashpoint’s two MD5 fingerprints to Microsoft security essentials?

      1F93C09EED6BB17EC46E63F00BD40EBB and 4C1533CBFB693DA14E54E5A92CE6FABA

      https://www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/

      Next, one of my Win 7 pro 64 bit boxes got an odd Microsoft critical update which caused the CPU to spike to 59% or higher constantly. Anybody else get this update?

      Description:

      “***TEST ONLY – DO NOT USE*** There are no prerequisites for installing this update.

      “How to get this update

      “Method 1: Windows Update

      “**TEST ONLY – DO NOT USE*** This update will be downloaded and installed automatically.”-microsoft

      https://support.microsoft.com/en-ca/help/4078126

      So much for Windows updates. Update setting: Download but let me install. I will turn updates off.

  9. It’s been a long time that I haven’t installed Flash Player. Tho I never found it useful for the programs and games I ran. Adobe should do something about it, make it more secure, and I hope they’re doing it.

    • It’s been clear for many years that Flash was written without any thought for security. Security researchers and hackers have been picking off the available exploits one by one for Adobe to patch, but just as there were many vulnerabilities in the past, there are sure to be many remaining.

  10. I just recently noticed that Chrome has updated itself to v28.0.0.161. Verified via Adobe’s About Flash Player page. Has anyone else seen this?

    • FWIW, v28.0.0.161 is what I see on my Chrome 64.0.3282.140 (the latest as far as I can tell).
      (Aside, a peculiar choice of wording in Chrome under checking for Updated Flash… chrome://components / Flash / Check for update
      And then it reads: “If you see ‘component NOT updated’ or ‘component updated’, you’re on the latest version.”

    • Chromebook User in PA

      @Mike Gallagher–Yes. I’m seeing v28.0.0.161 for “Adobe Flash Player” on my Chromebook’s chrome://components page. I saw Google’s Flash update notification in my system tray a day or three ago.

      I haven’t missed Flash since I got rid of a mid-grade firewall that insisted on using Flash for its graphical console–over HTTP, no less.

  11. http://get.adobe.com/flashplayer/about/ reports that 28.0.0.137 is the newest version available. That’s also what the site is reporting as the version of Flash installed on my copy of Chrome.

  12. It’s idealistic to tell people to disable javascript, flash, etc., but in the business world it’s not realistic. I have no use for IE except for several government sites that still use (and require) Silverlight. I have to have IE, Chrome & Firefox for various sites – all of which I have no choice or say in how they are run. I use Firefox (which is locked down) for everyday browsing. Chrome, which allows cookies, history, blah blah, for the various sites that are broken by Ghostery/Adblock/No Autoplay/No Gif yada yada. Only in the rarest situations do I open IE. It’s not a simple “all or nothing” type of thing. Instead, it’s about damage control and risk mitigation.

    • How about running the poorly secured programs/browsers on separate computers, run off a Live CD?

      People with classified access for government systems generally should not be checking missile blueprints with the same box used for personal banking and updating social accounts.

      Same reason you don’t use the same phone for your mistresses and wife. Or computers for pr0n and work. Or email account to arrange for drug shipments and plan vacations.

  13. Except the local radio station stream everything works without this sh*t –> so uninstall Flash, you probably might not even notice it’s gone 😉

  14. Ubuntu and LibreOffice and the TorBrowser….

    Microsoft security seems to be a “four letter” word

  15. I forgot my username again

    If I’m not mistaken, Flash in Microsoft Office uses the functionality of the Internet Explorer ActiveX plug-in, so you could probably get away with having Flash installed in Firefox and/or Chrome as long as you don’t have the IE plug-in.

    This only applies to this particular exploit, of course.

  16. Not related to Flash but……The U.S. Justice Department announced that Peter Yuryevich Levashov, also known as Petr Levashov, Pyotr Levashov, Peter Severa, Petr Severa and Sergey Astakhov, of St. Petersburg, Russia, was arraigned on Friday in Connecticut. He has pleaded not guilty to the charges brought against him.

  17. Tatiana Logonova

    If run in read-only mode, does it not execute the content? Does Protected View really protect?

  18. Does anyone remember the days when Flash was used for creating animations? What about it being limited to simple basic clickable interactions?
    Those were secure and safe days. Before Adobe bought Macromedia and turned it into the monster that it has become.
    Lots of required enterprise eLearning is required to be run using Flash. Typically built in Captivate or Storyline. Those legacy lessons are slowly being phased out for HTML5.

  19. Is click to play the default for flash in Microsoft Edge?

  20. So if you have an Android phone, are we at risk, and if so for. y and other info, what must we do or where must we go in our phone to fix the issue.. or what to download or update to not let this happen.. If anyone has an answer, it would be greatly appreciated