Time to Finally Dump Flash
Adobe Flash users are once again being advised to update the application ASAP – to protect against two previously unknown security vulnerabilities. Worth noting, the PC Matic vulnerability engine automates the process of keeping some of the most commonly used applications on your system (like Flash) up to date and patched with the latest security protections. However, many security researchers are calling for a more drastic approach – stop using Flash now.
At this point, there are not many viable alternatives to Flash. However, the security concerns associated with Flash have become so serious and prevalent that we decided it was important to share the warnings being issued across the industry, so members of our community can be better informed. Should you prefer to keep Flash, we strongly encourage you to make sure the application is always up to date.
For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.
News of the latest Flash flaw comes from Trend Micro, which said it reported the bug (CVE-2015-5123) to Adobe’s Security Team. Adobe confirmed that it is working on a patch for the two outstanding zero-day vulnerabilities exposed in the Hacking Team breach.
We are likely to continue to see additional Flash zero-day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.—http://krebsonsecurity.com/2015/07/third-hacking-team-flash-zero-day-found/
For the second time in a week, Adobe Systems Inc. says it plans to fix a zero-day vulnerability in its Flash Player software that came to light after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.
In an advisory published late Friday evening, Adobe said it plans to issue another Flash patch the week of July 13, 2015. “This vulnerability was reported to us following further investigation of the data published after the Hacking Team data breach,” the advisory notes.
Adobe said the flaw is present in the latest version of Flash for Windows, Mac and Linux systems, and that code showing attackers how to exploit this flaw is already available online.
There is every reason to believe this exploit will soon be folded into exploit kits, crimeware used to foist drive-by downloads when unsuspecting visitors browse to a hacked or booby-trapped site. On Wednesday, Adobe patched a different vulnerability in Flash that was exposed in the Hacking Team breach, but not before code designed to attack the flaw was folded into the Angler and Nuclear exploit kits.
If you were on the fence about removing or disabling Flash altogether, now would be a great time to reconsider. I recently blogged about my experience doing just that, and found I didn’t miss the program much at all after a month without it.
Two unpatched vulnerabilities have been discovered, affecting Adobe’s Flash software and Microsoft’s Windows operating system. Hacking Team describes the Flash flaw as “the most beautiful Flash bug for the last four years,” suggesting that the company may have been using this to access people’s machines for quite some time. The vulnerability itself allows malicious attackers to execute code on a victim’s machine through a website. It affects Windows, OS X, and Linux, and can be used against browsers like IE, Firefox, Chrome, and Safari. Hacking Team appears to have used this hole to install its own exploit kits and monitor or remotely control PCs. Adobe is now aware of the vulnerability and is planning to issue a patch later today, but given the vast amount of security issues with Flash over the years it’s advisable to move away from using the software if you’re able to.
What Should You Do
Great information from Tom’s Hardware for those looking for the best way to cope with the seemingly never ending list of Flash security vulnerabilities.
Update: Adobe posted Security Bulletin CVE-2015-5119 today stating that they are working on closing the hole.
Users of Chrome, and Windows 8 users running Internet Explorer, will automatically receive the updated version. For those on other browsers, Adobe recommends installing the patch as soon as possible.
Security researchers have an alternative solution to offer users: Dump Flash.
“In lieu of patching Flash Player yet again, it might be worth considering whether you really need to keep Flash Player installed at all,” wrote security journalist Brian Krebs.
So, rather than continue the patch madness and keep this insecure software installed, I decided to pull the…er…plugin. I tend to (ab)use different browsers for different tasks, and so uninstalling the plugin was almost as simple as uninstalling Flash, except with Chrome, which bundles its own version of Flash Player. Fear not: disabling Flash in Chrome is simple enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing. To disable Flash, click the disable link (to re-enable it, click “enable”).
In almost 30 days, I ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing). For these, I opted to cheat and load the content into a Flash-enabled browser inside of a Linux virtual machine I have running inside of VirtualBox. In hindsight, it probably would have been easier simply to temporarily re-enable Flash in Chrome, and then disable it again until the need arose.
If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.
Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).
Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.
Those who wish to stick with Flash Player can get the patched versions from Adobe’s download page.–http://www.theregister.co.uk/2015/06/23/adobe_flash_player/
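The click-to-play approach described above is a per-user setting toggled by hand in each browser. For anyone managing more than one Windows machine, the same behaviour can be enforced centrally. The script below is an added example written for this post; it is not code from Krebs, Adobe, Google or Mozilla. It uses Chrome's documented enterprise policy DefaultPluginsSetting (1 = allow, 2 = block, 3 = click to play) and Firefox's plugin.state.flash preference (0 = never activate, 1 = ask to activate, 2 = always activate). The registry path and the Firefox profile directory it writes to are assumptions for a default install; confirm them against the browser versions you actually run before rolling this out.

```powershell
# Added example (not from the original post): enforce click-to-play for Flash
# in Chrome and Firefox on Windows, then read the settings back to verify.
# Run from an elevated PowerShell prompt; HKLM policy keys require admin rights.

# --- Chrome: DefaultPluginsSetting = 3 ("click to play") via enterprise policy ---
# Path assumed for a default Chrome install; Chrome reads policies from this key on startup.
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path $chromePolicy)) {
    New-Item -Path $chromePolicy -Force | Out-Null
}
# With this set, the bundled Flash Player stays blocked until the user clicks the
# placeholder box on the page, matching the manual chrome:plugins approach above.
Set-ItemProperty -Path $chromePolicy -Name 'DefaultPluginsSetting' -Value 3 -Type DWord

# --- Firefox: plugin.state.flash = 1 ("ask to activate") via user.js ---
# user.js is applied every time the profile starts, so the pref survives restarts.
# Profile location assumed to be the default per-user path.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$pref = 'user_pref("plugin.state.flash", 1);'
Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $userJs = Join-Path $_.FullName 'user.js'
    # Avoid appending the same line twice if the script is re-run.
    if (-not (Test-Path $userJs) -or -not (Select-String -Path $userJs -Pattern 'plugin\.state\.flash' -Quiet)) {
        Add-Content -Path $userJs -Value $pref
    }
}

# --- Verification: print what was actually written ---
$chromeValue = (Get-ItemProperty -Path $chromePolicy -Name 'DefaultPluginsSetting').DefaultPluginsSetting
Write-Output "Chrome DefaultPluginsSetting = $chromeValue (expect 3 = click to play)"
Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $userJs = Join-Path $_.FullName 'user.js'
    if (Test-Path $userJs) {
        Write-Output "$($_.Name): $(Select-String -Path $userJs -Pattern 'plugin\.state\.flash' | ForEach-Object Line)"
    }
}
```

Chrome applies the policy on its next launch and shows it under chrome://policy, which is the quickest way to confirm it took effect; a user can still override a Firefox user.js pref from about:config, so the policy route is the stronger control of the two. Users who decide to drop Flash entirely, as the post recommends, can set DefaultPluginsSetting to 2 (block) instead.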