Flash update fixes Hacking Team vulnerability

As much as I would like to see Flash disappear completely, I have to commend Adobe’s quick response to the recent discovery of a critical Flash exploit.

Flash 18.0.0.203 was released earlier today. The new version fixes the vulnerability associated with the Hacking Team leak (CVE-2015-5119), but it also addresses thirty-five other security vulnerabilities in Flash.

As usual, Google Chrome will update itself with the new Flash code, and Internet Explorer 10 and 11 on Windows 8.x will get the Flash changes via Windows Update.

Recommendation: if you use a web browser with Flash enabled, install the new Flash as soon as possible. Keep in mind that the standard Flash installer also installs McAfee security software by default: look for a checkbox for this option in the installer and disable it.

Ars Technica has additional details.

Recent changes to Firefox prevent access to network resources

By now you’re no doubt familiar with the warnings displayed by web browsers when you navigate to sites that use out-of-date or incomplete security. Typically, a browser will allow you to continue to the site in question, regardless of the security issue. While it can be argued that allowing the user to ignore security warnings is a bad idea, in many cases this is the only way for users to access some sites.

The classic example of this is when a business creates a self-signed SSL certificate for a web resource that is only accessible internally. Typically this is done when non-secure access to the resource is simply not supported. Creating a self-signed certificate gets around this limitation and costs nothing. Users accessing the resource will see a warning about the self-signed certificate, but can tell their browser to proceed anyway, knowing that there’s no actual danger.

Unfortunately, Mozilla seems to have eliminated the ability for users to bypass these warnings. I recently encountered this when using the current version of Firefox (39.0) to access a router on a local network. I received a cryptic warning:

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

In earlier versions of Firefox, I would then be allowed to continue regardless of the security issue. But that’s no longer the case. To access the router, I switched to Google Chrome, which showed the same warning, but allowed me to proceed.

I understand that Mozilla is trying to tighten security, and limit the ways in which uninformed users expose themselves to security risks, but I believe that this is going too far. It’s yet another example of how Mozilla is pushing users away from Firefox, to other web browsers.

Update 2015Jul09: I’m seeing workarounds for this problem, but they typically involve ignoring the security check completely. I only want to be able to bypass the check for specific sites.

Update 2015Aug07: Only certain types of SSL keys are being handled this way in Firefox now: specifically, Diffie-Hellman keys that are 1024 bits long or shorter. Other self-signed keys still allow for exceptions to be added.

Update 2015Oct16: Chrome also no longer allows access to sites, services, or devices using Diffie-Hellman keys.
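For anyone auditing which internal devices will trigger this error, the check comes down to the length of the Diffie-Hellman prime the server sends in its Server Key Exchange message. The following Python sketch is an added example, not code from this post or from any browser: it parses a captured DHE Server Key Exchange message (TLS 1.0 to 1.2 layout) and flags short primes. The 2048-bit floor, the function names and the sample message builder are assumptions made for illustration.

```python
SERVER_KEY_EXCHANGE = 12   # TLS handshake msg_type for ServerKeyExchange
MIN_DH_BITS = 2048         # assumed policy floor; set this to your own minimum


def _read_vec16(buf, off):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[off:off + 2], "big")
    data = buf[off + 2:off + 2 + n]
    if n == 0 or len(data) != n:
        raise ValueError("bad vector length")
    return data, off + 2 + n


def dh_params_from_ske(msg):
    """Return (prime_bits, generator, public_bits) from a DHE ServerKeyExchange.
    The signature that follows the parameters is ignored."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, off = _read_vec16(body, 0)      # dh_p: the prime modulus
    g, off = _read_vec16(body, off)    # dh_g: the generator
    ys, off = _read_vec16(body, off)   # dh_Ys: the server's public value
    return (int.from_bytes(p, "big").bit_length(),
            int.from_bytes(g, "big"),
            int.from_bytes(ys, "big").bit_length())


def is_weak_dh(msg, min_bits=MIN_DH_BITS):
    """True when the server's DH prime is shorter than the policy floor."""
    return dh_params_from_ske(msg)[0] < min_bits


def build_sample_ske(prime_bits):
    """Constructed sample message. The 'prime' only has the right length;
    it is not a real prime, because only the encoding matters here."""
    p = ((1 << (prime_bits - 1)) | 1).to_bytes(prime_bits // 8, "big")
    g, ys = b"\x02", b"\x01" * (prime_bits // 8)
    body = b"".join(len(v).to_bytes(2, "big") + v for v in (p, g, ys))
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
```

Feed `dh_params_from_ske` the handshake bytes exported from a packet capture of the device in question; the first value returned is the number to compare against the browser's minimum.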

Exploit for unpatched Flash vulnerability found in leaked material

Hacking Team is an Italian company that develops counter-security (i.e. hacking) software. They claim to provide their tools only to NATO partners, but there have long been suspicions that their client list includes oppressive governments. These claims have always been denied by the company, but a recent, comprehensive hack against their servers has confirmed that Hacking Team sells their software to anyone who asks, including Kazakhstan, Sudan, Russia, Saudi Arabia, Egypt and Malaysia.

Nobody has yet claimed credit for the hack and data scoop, but whoever did it, they have done the world a favour in exposing the practices of Hacking Team. Unfortunately, in publishing the information obtained in the hack, at least one serious – and unpatched – Flash vulnerability has also been exposed.

Adobe responded to the publication of the vulnerability with a Flash security bulletin, in which they confirm that the vulnerability and exploit exist, and that they are currently working on a fix (expected later today). Meanwhile, the exploit has already found its way into hacking toolkits.

Anyone still using a web browser with Flash enabled should consider disabling Flash until this vulnerability is patched.

Update 2015Jul08: Bruce Schneier points out that Hacking Team’s practices are even worse than predicted, and doesn’t expect the company to survive.