Category Archives: Flash

April security roundup

People who store Slack credentials in GitHub code repositories learned that this is a bad idea, as researchers demonstrated the ease with which this information can be gathered without any explicit permissions.

Scary news: computers at a German nuclear reactor facility were found to be loaded with malware. The only thing that prevented miscreants from playing with real nuclear reactors was the fact that these computers are not connected to the Internet.

Crappy security practices led to the theft of user account information (email addresses and poorly-encrypted passwords) from Minecraft community site Lifeboat.

The notorious hacking group known as Hacking Team made the news again, this time with reports of active drive-by exploits affecting Android devices.

The Nuclear exploit kit is still operating, despite recent, partially successful efforts to shut it down. Researchers showed that the kit is still being used, and may be involved in recent ransomware infections.

Good news: the two men responsible for the notorious SpyEye banking trojan, recently extradited to the US to face federal prosecution, will be spending nine and fifteen years in prison.

Zero-day exploits are on the rise, doubling from 24 in 2014 to 54 in 2015. A zero-day exploit is a hack that takes advantage of software vulnerabilities before the software’s maintainers have had a chance to develop a fix.

Cisco security researchers identified vulnerabilities in several enterprise software systems, including Red Hat’s JBoss. As many as three million web-facing servers running this software are at risk of being infected with ransomware, and in fact as many as 2100 infected servers were identified.

More good news: the Petya ransomware was found to contain a flaw that allows its victims to decrypt their data without paying any ransom.

The Mumblehard botnet was taken down by ESET researchers, after it infected at least 4000 computers and sent out countless spam emails.

Microsoft announced plans to prevent Flash content from playing automatically in the Windows 10 web browser Edge. All the major browsers, Chrome included, either already have this feature or appear to be heading in this direction.

April’s issue of the SANS ‘Ouch!’ newsletter is titled “I’m Hacked, Now What?” (PDF) and provides helpful information for the recently-hacked. The newsletter is aimed at regular users, so it may not be particularly useful for IT professionals, except as a means to educate users.

The wildly popular WhatsApp – a messaging application for mobile devices – now has end-to-end encryption. This will make life more difficult for spy agencies who want to know what users are saying to each other. But WhatsApp users should be aware that this does not make their communications invulnerable, since techniques exist to get around full encryption, such as keystroke loggers.

Bad idea: someone at CNBC thought it would be a good idea to ask users to submit their passwords to a web-based system that would test the passwords and report on their relative strength. The service itself was vulnerable, and exposed submitted passwords to network sniffing. The service was taken offline soon after the vulnerability was identified.

The web site for toy maker Maisto International was hacked and serving up ransomware for an unknown amount of time, probably several days or even weeks. The hack was made possible because the site was using outdated Joomla software.

Patch Tuesday for April 2016

Microsoft offers up thirteen updates this month, six of them flagged as Critical, addressing thirty security issues in the usual culprits: Windows, Internet Explorer, Edge, .NET, and Office.

The folks at SANS now provide useful summaries of Microsoft patch days, showing which vulnerabilities are addressed in each update, with multiple risk assessments.

Flash 21.0.0.213 fixes 24 security issues

Earlier this week Adobe issued a security alert about a Flash vulnerability that was (and still is) being actively exploited on the web. As expected, that vulnerability has been fixed in a new version of Flash. In all, twenty-four security vulnerabilities are addressed in Flash 21.0.0.213.

If you use a web browser with Flash enabled, you should install the new version as soon as possible. You can find out whether Flash is enabled in your browser by visiting Check-And-Secure.
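Check-And-Secure does the check remotely; as an added example (not code from the original post, nor from Adobe or Check-And-Secure), the following JavaScript performs the same kind of check locally in the browser console and compares the registered Flash version with the minimum fixed version the post names, 21.0.0.213. It assumes the plugin-naming conventions of the time: Firefox and Chromium-based browsers list an entry named "Shockwave Flash" in `navigator.plugins` (Firefox with a full `version`, Chromium with only a "21.0 r0"-style description), and Internet Explorer exposes the ActiveX control whose `GetVariable("$version")` answers in the form "WIN 21,0,0,182". The sample navigator objects at the bottom are constructed for illustration, not captured from real browsers.

```javascript
// Added example: report whether a Flash Player plugin is registered in the
// browser and whether it is older than the fixed version from the bulletin.
// In a browser, pass the real `navigator` (and `n => new ActiveXObject(n)`
// for Internet Explorer); plain objects work for offline tests.

// Compare two dotted version strings numerically ("21.0.0.182" < "21.0.0.213").
// Missing trailing components count as 0, so "21.0" equals "21.0.0.0".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return the Flash Player version string the browser reports, "unknown" if a
// Flash plugin is present but gives no parseable version, or null if no Flash
// plugin or control is available. `activeXFactory` is an optional function
// that builds an ActiveX control by ProgID (IE only; assumed interface).
function flashPluginVersion(nav, activeXFactory) {
  const plugins = (nav && nav.plugins) || [];
  for (let i = 0; i < plugins.length; i++) {
    const p = plugins[i];
    if (!p || !/shockwave flash/i.test(p.name || "")) continue;
    if (p.version) return p.version; // Firefox-style: "21.0.0.182"
    // Chromium-style description "Shockwave Flash 21.0 r0" carries only three
    // components, so the result ("21.0.0") compares as older than any
    // four-component fixed version; that errs on the side of "update".
    const m = /(\d+)\.(\d+)\s*r(\d+)/i.exec(p.description || "");
    return m ? `${m[1]}.${m[2]}.${m[3]}` : "unknown";
  }
  if (typeof activeXFactory === "function") {
    try {
      // IE ActiveX control answers e.g. "WIN 21,0,0,182"
      const v = activeXFactory("ShockwaveFlash.ShockwaveFlash").GetVariable("$version");
      const m = /(\d+),(\d+),(\d+),(\d+)/.exec(v || "");
      if (m) return `${m[1]}.${m[2]}.${m[3]}.${m[4]}`;
    } catch (e) {
      // Control not installed, blocked, or not an IE browser.
    }
  }
  return null;
}

// Summarise the check against the minimum fixed version.
function flashStatus(nav, minFixed, activeXFactory) {
  const v = flashPluginVersion(nav, activeXFactory);
  if (v === null) return { enabled: false, version: null, needsUpdate: false };
  if (v === "unknown") return { enabled: true, version: v, needsUpdate: true };
  return { enabled: true, version: v, needsUpdate: compareVersions(v, minFixed) < 0 };
}

// Constructed sample navigator objects (not captured from real browsers).
const sampleFirefox = {
  plugins: [{ name: "Shockwave Flash", description: "Shockwave Flash 21.0 r0", version: "21.0.0.182" }],
};
const sampleChromium = {
  plugins: [{ name: "Shockwave Flash", description: "Shockwave Flash 21.0 r0" }],
};
const sampleNoFlash = {
  plugins: [{ name: "Chrome PDF Viewer", description: "Portable Document Format" }],
};

// When run in a real browser, report on the actual navigator.
if (typeof navigator !== "undefined" && navigator.plugins) {
  console.log(flashStatus(navigator, "21.0.0.213"));
}
```

Paste the block into the browser's developer console and read the `flashStatus` result; `needsUpdate: true` means the browser still loads a Flash build older than 21.0.0.213 (or one whose version could not be read), and the browser or Flash should be updated before visiting untrusted sites.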

As usual, Chrome will update itself with the new Flash, and Internet Explorer and Edge running on newer versions of Windows will get the new Flash via Windows Update.

New Flash vulnerability discovered

According to a security bulletin published yesterday by Adobe, all versions of Flash older than 21.0.0.182 running on Windows are vulnerable. The specific vulnerability involved — designated CVE-2016-1019 — is flagged as Critical, and could allow an attacker to crash or take over control of targeted Windows systems.

Adobe says that Flash 21.0.0.182 contains a mitigation that protects it from this vulnerability, so if you use Flash, and you’re not already running 21.0.0.182 or newer, you should install it ASAP.

Adobe is working on a more comprehensive fix for this vulnerability and plans to release another new version of Flash in the next day or so.

Flash 21.0.0.197

According to the announcement, the latest version of Flash – released on March 23 – fixes a specific bug that was causing problems for some Flash games.

A review of the release notes seems to show that Flash 21.0.0.197 doesn’t contain any security fixes, so this isn’t an urgent update, unless of course you’re having trouble running Flash games in your browser.

The announcement for 21.0.0.197 contains at least one error: it shows the new PPAPI version of Flash, used in Chrome, Opera, and other Chromium-based browsers, as 21.0.0.286. My own tests, as well as the official release notes, show that the new PPAPI version is actually 21.0.0.197. I reported the discrepancy to the author.

There is no new version of Flash for Internet Explorer and Edge on Windows 8.x and 10; the latest is Flash 21.0.0.182.

As usual, Chrome will update itself with the new version of Flash.

Emergency update for Flash

If you use a web browser with Flash enabled, you should stop what you’re doing and update Flash.

According to the associated Adobe security bulletin, Flash 21.0.0.182 fixes twenty-three security vulnerabilities, including one (CVE-2016-1010) that is being actively exploited on the web.

The release notes for Flash 21.0.0.182 provide additional details. The new version fixes several bugs that are unrelated to security, and adds some new features.

As usual, Chrome will update itself with the new version of Flash, and Internet Explorer and Edge on newer versions of Windows will be updated via Windows Update.

Patch Tuesday for February 2016

Thirteen security updates from Microsoft this month address over forty issues in Windows, Internet Explorer, Edge, Office, server software and .NET. Six are flagged as Critical.

In keeping with their recent practice of tagging along with Microsoft, Adobe also just released several updates, most notably for Flash. The latest version of Flash is now 20.0.0.306. As usual, Internet Explorer on Windows 8.1 and 10 and Edge on Windows 10 will get their new Flash via Windows Update, and Chrome will update itself with the latest Flash. The associated security bulletin gets into all the technical details. A total of 22 vulnerabilities are addressed in the new version.

More Flash updates

The latest version of Flash is 20.0.0.286, for most browsers. Microsoft Edge and Internet Explorer on newer versions of Windows are apparently still stuck at Flash 20.0.0.272.

Sadly, the information on the Adobe site related to these updates is inconsistent, confusing, or just missing.

The About Flash page doesn’t seem to agree with the announcement page. The former shows “Internet Explorer (embedded – Windows 8.x) – ActiveX 20.0.0.286”, while the latter shows “Flash Player 20 for Internet Explorer on Windows 8.1: 20.0.0.272”.

The Flash runtime announcement says “Security update details can be found here: Security Bulletin (APSB16-01)”. But the APSB16-01 bulletin is for the previous Flash updates. The linked URL is also wrong; it points to an even older bulletin: APSB15-32. And to top it off, the security bulletin that should exist (APSB16-02) for this update currently generates an error.

Hopefully Adobe will fix this mess ASAP.

Meanwhile, although the announcement doesn’t mention any security fixes in the new versions, it’s safe to assume they exist, so you should update Flash in any browser where it’s enabled.

As usual, Internet Explorer on new versions of Windows will receive these updates via Windows Update, and Chrome will get its new Flash automatically.

Update 2016Feb02: I reported the announcement and bulletin problems (noted above) to the author of the announcement. He replied that the About page would be fixed, and that he had fixed the link to the bulletin on the announcement page. Unfortunately, that link now goes to the bulletin for the previous Flash release. The author claims that bulletin still applies, but it really doesn’t, since it recommends the previous version of Flash.

Update 2016Feb04: According to the author of the announcement, there were effectively no changes in this Flash update. Certainly there were no security fixes. A link to the previous security bulletin was included simply because it was the most recent bulletin. The link text will be changed to make this more clear.

Flash 20.0.0.267 fixes numerous security issues

There’s a holiday present from Adobe in the form of yet another new version of Flash. This one fixes at least nineteen security vulnerabilities – including one that is currently being exploited on the web – as well as a few other bugs. There are additional details in the release notes.

As usual, Chrome and Internet Explorer will get the new version via their own update mechanisms.

If you use Flash in a web browser, push that plate of turkey leftovers to the side and install the new Flash ASAP.

Update 2016Jan02: On January 1, Adobe released another version of Flash, this time just for the ActiveX version used in older versions of Internet Explorer on Windows 7 and earlier. According to the updated release notes, Flash 20.0.0.270 includes one change: “Fixed loading problem with Flash Player in embedded applications”.

Firefox 43.0.1

A single minor change seems to be the only reason for the Firefox 43.0.1 release yesterday. The release notes describe the change as preparation “to use SHA-256 signing certificate for Windows builds”. This does not appear to be a security-related change, so there’s no hurry to update.

Mozilla has improved the look of Firefox’s release notes pages, but there has been no functional improvement. For instance, while there is a link to the ‘complete list of changes’, that link goes to the Bugzilla bug tracking system, which is not easy to parse for non-technical users. Worse, it shows all changes in Firefox 43, not just 43.0.1, and there’s no way to search for changes to 43.0.1 only.

As usual, there was no proper release announcement for this version. There wasn’t even a vaguely-corresponding post on the Mozilla blog.

On my test computer, when the Firefox 43.0.1 update finished installing, Firefox displayed a web page with a brief video and an underlying announcement, about Firefox 43’s new privacy features, and ‘new’ Pocket integration. Which seems weird, because Pocket integration was also announced for Firefox 38.0.5 in June.

In other Firefox-related news, Mozilla recently pointed to an announcement from Netflix in a blog post titled ‘Firefox Users Can Now Watch Netflix HTML5 Video on Windows’. This is an important change, because it’s no longer necessary for Firefox users to install and use Flash to watch Netflix content.