Category Archives: Flash

Exploit for unpatched Flash vulnerability found in leaked material

Hacking Team is an Italian company that develops offensive (i.e. hacking) software. They claim to provide their tools only to NATO partners, but there have long been suspicions that their client list includes oppressive governments. The company has always denied these claims, but a recent, comprehensive hack against their servers has confirmed that Hacking Team sells their software to anyone who asks, including Kazakhstan, Sudan, Russia, Saudi Arabia, Egypt and Malaysia.

Nobody has yet claimed credit for the hack and data scoop, but whoever did it, they have done the world a favour in exposing the practices of Hacking Team. Unfortunately, in publishing the information obtained in the hack, at least one serious – and unpatched – Flash vulnerability has also been exposed.

Adobe responded to the publication of the vulnerability with a Flash security bulletin, in which they confirm that the vulnerability and exploit exist, and that they are currently working on a fix (expected later today). Meanwhile, the exploit has already found its way into hacking toolkits.

Anyone still using a web browser with Flash enabled should consider disabling Flash until this vulnerability is patched.

Update 2015Jul08: Bruce Schneier points out that Hacking Team’s practices are even worse than predicted, and doesn’t expect the company to survive.

Critical update for Flash

Anyone who uses a web browser with Flash enabled should stop what they’re doing and install the latest Flash update from Adobe. The new version (18.0.0.194) was announced earlier today to address a critical vulnerability for which exploits have been observed in the wild.

Note that YouTube no longer uses Flash by default, so if you previously only used Flash for YouTube, you might be able to completely disable it in your browser. YouTube now uses a video player based on HTML5 technology.

Internet Explorer on Windows 8.x and Google Chrome will receive the new version of Flash via their own update mechanisms.

Brian Krebs has additional details on the vulnerability and the update. Krebs also recently wrote about his experiment in trying to live without Flash.

Update 2015Jul01: And just like that, the Cryptowall malware has been modified to take advantage of this vulnerability in unpatched Flash installations.

Flash 18.0.0.160 fixes 13 security issues

The latest Flash release from Adobe is version 18.0.0.160. According to the associated security bulletin, this update addresses at least thirteen security vulnerabilities.

Several other bugs, unrelated to security, were also resolved. See the release announcement and release notes for details.

The new version also includes a somewhat streamlined installation process: users will no longer be prompted to restart their browser after Flash installation. The previous version will continue to function until the browser is restarted.

As usual, Chrome will be automatically updated to use the new Flash, and Internet Explorer 10 and 11 on recent versions of Windows will get the new Flash via Windows Update.

Microsoft updates for May 2015

It’s the second Tuesday of the month, so Microsoft is pushing out another set of updates. This month there are thirteen updates, addressing about 50 vulnerabilities in Windows, Internet Explorer, .NET, Office, and Silverlight. Three are flagged as Critical.

As always with security updates affecting Windows, you should install these as soon as possible.

Two of the updates (MS15-044 and MS15-049) affect Silverlight. Once you install these updates, your version of Silverlight should be 5.1.40416.0, which you can confirm on the Get Silverlight page. Installing from that page will also update Silverlight to version 5.1.40416.0. That’s also the only way you can get the latest version if you’re using Windows XP.

Security updates for Adobe Flash and Reader

Updates for Flash and Reader/Acrobat, released earlier today by Adobe, address a variety of security vulnerabilities “that could potentially allow an attacker to take control of the affected system.”

Flash 17.0.0.188 includes fixes for at least eighteen vulnerabilities, all of which have been flagged as Critical.

Adobe Reader/Acrobat version 11.0.11 addresses seven Critical vulnerabilities.

Anyone still using Flash in a web browser should update Flash as soon as possible. If you use Adobe Reader to open PDF files from unknown sources, you should update Reader as soon as possible. As usual, newer versions of Internet Explorer will auto-update, as will Chrome (to version 42.0.2311.152).

Malvertising shows no sign of slowing down

Nasty malware, hidden inside a phony ad that appeared on the Huffington Post web site, was exposed to thousands of users earlier this week. The Flash-based ad was delivered via Google’s Doubleclick advertising network. And this wasn’t even the largest malvertising exposure this week.

Google had better get to work on fixing this, or it will start eating into their primary revenue source.

Patch Tuesday for April 2015

It’s that time again. This month there are eleven updates from Microsoft, with four of them flagged as Critical, affecting Windows, Internet Explorer, Office and .NET.

Adobe has once again come along for the monthly festivities, today releasing a new version of Flash. Version 17.0.0.169 fixes at least fourteen vulnerabilities in Flash, including one for which exploits have been observed in the wild.

So, time to get busy updating your systems… especially where you’re using Flash in a web browser.

Update 2015Apr19: One of this month’s Windows updates is causing problems for people running Oracle VirtualBox, a popular emulator. The problematic update is KB3045999, also referred to as MS15-038. There’s no word yet from Oracle or Microsoft regarding a fix. Uninstalling the update appears to work, but this is obviously a temporary solution.

Flash 17.0.0.134 fixes eleven security bugs

A new version of Flash was announced by Adobe yesterday. Flash 17.0.0.134 addresses at least eleven critical security vulnerabilities.

Anyone who uses a web browser with Flash enabled should install this update as soon as possible. That includes anyone who ever looks at any videos on YouTube.

Internet Explorer 10 and up will receive this Flash update via Windows Update, and Google Chrome will update itself.

Update 2015Mar27: That didn’t take long. At least one popular exploit kit (aka ‘set of hacking tools’) now includes a pre-packaged attack that targets one of the vulnerabilities fixed in Flash 17.0.0.134. If you use Flash, and you’re not in the habit of updating it, you should either stop using Flash or keep it up to date.

Chrome 40.0.2214.111 fixes several vulnerabilities

The latest version of Chrome fixes eleven security issues. Version 40.0.2214.111 also includes the latest embedded version of Flash (16.0.0.305).

The release notes for Chrome 40.0.2214.111 describe some of the changes in the new version. There’s a link to the ‘full list of changes’, but since the linked page is an automated change log from the version management software Git, it’s aimed at developers and not much use for regular users. A link to ’11 security fixes’ currently displays an empty page.

In any case, since the new Chrome contains security fixes and the new Flash, anyone using the browser is strongly encouraged to allow Chrome to update itself before using it for web browsing.