Update: Adobe has released an update to counter the zero-day exploit


John Connor

Lifer
Nov 30, 2012
22,840
617
121
What I don't get about how insecure flash is, is why does the flash application even have code that allows those things to happen? Flash is basically a client to display information. It should not actually be able to DO things that change your computer. It should only be able to display you content.

Another one that always gets me even more is PDFs. Those are basically glorified images that require an overcomplicated viewer. Why are there so many exploits in those products?



You're thinking of HTML 5. Flash is like Ajax in code if you ask me.
 

mikeymikec

Lifer
May 19, 2011
18,060
10,241
136
Crap, I would bet VLC is more secure than flash. It seems there is a vulnerability for Flash once a month.

What does that matter? It's still another unnecessary plug-in, more software to potentially exploit.

What I don't get about how insecure flash is, is why does the flash application even have code that allows those things to happen? Flash is basically a client to display information. It should not actually be able to DO things that change your computer. It should only be able to display you content.

Another one that always gets me even more is PDFs. Those are basically glorified images that require an overcomplicated viewer. Why are there so many exploits in those products?

IMHO it's possibly because Adobe are still in the same mindset as Microsoft was around the year 1999, i.e. "develop features first and ask security model questions later". There's actually a setting in Adobe Reader 11, enabled by default, labelled as follows:

"Allow opening of non-PDF file attachments with external applications."

Adobe also developed "Adobe JavaScript" for Adobe Reader, again, enabled by default. The mind boggles.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,453
10,120
126
What does that matter? It's still another unnecessary plug-in, more software to potentially exploit.



IMHO it's possibly because Adobe are still in the same mindset as Microsoft was around the year 1999, i.e. "develop features first and ask security model questions later". There's actually a setting in Adobe Reader 11, enabled by default, labelled as follows:

"Allow opening of non-PDF file attachments with external applications."

Adobe also developed "Adobe JavaScript" for Adobe Reader, again, enabled by default. The mind boggles.

All we need is PDF "ActiveX" or PDF "BHO" support. Then it would be complete. Completely exploitable, that is.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
I wish I could just ditch Flash, but unfortunately many news sites I view use flash for their videos. HTML 5 needs to come out full swing!
 

Red Squirrel

No Lifer
May 24, 2003
67,933
12,383
126
www.anyf.ca
IMHO it's possibly because Adobe are still in the same mindset as Microsoft was around the year 1999, i.e. "develop features first and ask security model questions later". There's actually a setting in Adobe Reader 11, enabled by default, labelled as follows:

"Allow opening of non-PDF file attachments with external applications."

Adobe also developed "Adobe JavaScript" for Adobe Reader, again, enabled by default. The mind boggles.

Wow sounds like a real disaster. It is mind boggling that they do that.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
It's worth noting that this exploit cannot break out of the Chrome sandbox[1] so if you want/need to use Flash, using it in Chrome is the safest option.

Remember the "click to play" option is not a security boundary[2][3] (in Chrome, not sure of its behavior in other browsers but they likely have the same problem) so if you actually want it to be one you have to select "Disable plugins by default" and use the right click menu on Flash content (or the plugin icon in the omnibar, "Run all plugins this time").

[1] http://arstechnica.com/security/201...h-new-level-of-meanness-what-are-users-to-do/
[2] https://news.ycombinator.com/item?id=8942395 (some explanation of why it's not a security boundary)
[3] https://code.google.com/p/chromium/issues/detail?id=174963
 

ninaholic37

Golden Member
Apr 13, 2012
1,883
31
91
Remember the "click to play" option is not a security boundary[2][3] (in Chrome, not sure of its behavior in other browsers but they likely have the same problem) so if you actually want it to be one you have to select "Disable plugins by default" and use the right click menu on Flash content (or the plugin icon in the omnibar, "Run all plugins this time").

[1] http://arstechnica.com/security/201...h-new-level-of-meanness-what-are-users-to-do/
[2] https://news.ycombinator.com/item?id=8942395 (some explanation of why it's not a security boundary)
[3] https://code.google.com/p/chromium/issues/detail?id=174963
What about the "Ask to Activate" option in Firefox? I normally disable Flash though anyway.
 

Red Squirrel

No Lifer
May 24, 2003
67,933
12,383
126
www.anyf.ca
In mine this option comes up every single time for every single page. Is there a way to disable that without outright disabling flash? Ideally I want it disabled by default but I want to have a white list of sorts for sites like Youtube, Facebook videos, and other video sites.
 

ninaholic37

Golden Member
Apr 13, 2012
1,883
31
91
In mine this option comes up every single time for every single page. Is there a way to disable that without outright disabling flash? Ideally I want it disabled by default but I want to have a white list of sorts for sites like Youtube, Facebook videos, and other video sites.
That's the default behavior for me too when I set it to "Ask to Activate". I think changing plugins.notifyMissingFlash to false in about:config stops that though.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,049
182
116
FYI, just checked which version I have and it was automatically updated to 16.0.0.305

I think this version patches the last vulnerability and it hasn't been posted on the main adobe page yet but I suspect it will be pretty shortly.
 

mikeymikec

Lifer
May 19, 2011
18,060
10,241
136
With the 'ask to activate' feature, I had a problem in that pages without any Flash would have a notification at the top asking me if I wanted to enable Flash content on the page. At some point (I don't think I changed anything), it stopped.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
What about the "Ask to Activate" option in Firefox? I normally disable Flash though anyway.

As long as it does not operate on a "click to play" functionality (as in the click to play thing appears right over where the flash content would normally be) and requires additional user interaction (such as through a dialog provided by the browser) then it should be fine.

I believe NoScript may also provide additional protections against such scripting even when not operating in the default "block all" mode. Whitelisting first party content by default (this is under the options name "Temporarily allow top-level sites by default") makes using NoScript much easier and will still provide much stronger protections over not using it at all. People who might not want to use NoScript because of its barrier to entry may actually use it after enabling that option. uMatrix on Chrome operates similarly by default.

In mine this option comes up every single time for every single page. Is there a way to disable that without outright disabling flash? Ideally I want it disabled by default but I want to have a white list of sorts for sites like Youtube, Facebook videos, and other video sites.

You can do this in Chrome at least, I'm not sure if Firefox has a similar feature. If you click the page icon (where you can view stuff like connection info, the encryption settings a site uses, etc) under the permissions tab you can set plugins to allow by default.

I would be surprised if Firefox didn't have similar functionality to allow plugins on a per-origin basis. If not using built in functionality I'm pretty sure you could do it with NoScript.

Using Noscript greatly enhances security of flash.

Only to the extent that it would block flash being loaded. It does not make the use of Flash after it's already been loaded more secure. As I've said before, using Flash in the confines of the Chrome sandbox is the most secure way to use Flash.

There's actually a setting in Adobe Reader 11, enabled by default, labelled as follows:

"Allow opening of non-PDF file attachments with external applications."

Adobe also developed "Adobe JavaScript" for Adobe Reader, again, enabled by default. The mind boggles.

There are several settings such as the one you mentioned which can actually make the Adobe Reader sandbox pretty secure. The other is forcing on "Protected Mode" by default in addition to disabling the scripting.

IE11 also has similar options which are not enabled by default but can significantly increase the protection level such as enabling Enhanced Protected Mode (and the use of 64-bit processes for it).

The problem is compatibility. These settings may break very few things but the fact that they can cause problems is probably why they haven't been enabled by default.
 

mikeymikec

Lifer
May 19, 2011
18,060
10,241
136
Only to the extent that it would block flash being loaded. It does not make the use of Flash after it's already been loaded more secure. As I've said before, using Flash in the confines of the Chrome sandbox is the most secure way to use Flash.

Admittedly I can't think of a way to answer this question, but I wonder how likely it is for a Flash exploit to be included as part of a Flash clip that a user actually wants to view.

AFAIK, I would expect the most likely sources of exploits to be a) adverts or b) phishing sites.

If I'm correct, then NoScript would probably provide better protection than anything else out there (assuming the user hasn't done something stupid like "enable JS globally" or, if there is such an option, "enable non-third party JS globally"). Alternatively, the "Ask to activate" plug-in feature would also provide better protection than say Chrome sandboxing.

PS - I realise that in the case of the "phishing site" scenario I mentioned, a user might well get duped into loading dodgy JS / plug-in exploits, but it's (NoScript/Ask to Activate) still an additional hurdle for malware designers to overcome.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
Alternatively, the "Ask to activate" plug-in feature would also provide better protection than say Chrome sandboxing.

I said use Flash. You would of course still disable plugins by default even in Chrome (I do this).

And yes, blocking scripting through extensions like NoScript or uBlock/uMatrix is of course the safest option but these things do have barriers to entry that some people may not want to have to go through.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
I'm not sure if you read this:

I think we're both right. It's probably very unlikely but my statement is still true.

Let's also not forget, the Chrome sandbox also applies to other things than Flash although that's (sort of) outside the context of this thread (e.g. the renderer, javascript, etc). It is arguably the most secure sandbox of any browser (and you can gain additional protection with some configuration).
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
Yes, I think so, I think we're just approaching the same problem from opposite directions.

Not really. Ok, well sort of I suppose but there's no reason that you can't have both.

As in use Chrome AND block plugins by default (and (optionally) use ublock/umatrix to block ads/scripting/iframes as well).
 

mikeymikec

Lifer
May 19, 2011
18,060
10,241
136
Of course, though I wish that blocking solutions would receive more development attention because 'ask to activate' in FF is rather hit and miss, especially on Facebook (integrated videos don't work a lot of the time and I had to open the link in a new tab for it to consistently work).
 