Archive for the Flash Category

It’s getting boring.

Current Flash Player version (10.2.153.1 for the general public, 10.2.154.25 for Chrome users) is affected by a remote code execution vulnerability which is reported as being exploited in the wild.

Since Adobe Reader X (the newest version with “protected” mode) is vulnerable but not exploitable, Adobe doesn’t plan an out-of-band patch: looks like browser users are second-class citizens.

As usual, you can outright disable the Flash plugin or use NoScript’s active content blocking (not FlashBlock, please).

Yawn…

I know, it’s getting ridiculous, so here’s a news report about the new unpatched vulnerabilities being exploited in the wild, and here’s my old commentary about the old ones, which is still valid as it will always be, I’m afraid, until Adobe’s plugins finally fade away…

Yesterday Adobe rushed out a security update (version 10.1.85.3), one week in advance on the announced schedule, patching a critical vulnerability that has being exploited in the wild for more than one week.

As usual, users of the latest stable Firefox version on Windows are plagued with an awful manual update process, involving the installation of a ridiculous “Adobe DLM (powered by getPlus(3))” extension (forcing an extra, useless, browser restart), whose only function seems to be displaying additional banners during the download.

Even worse, this time looks like Adobe made going through this process actually impossible, on my system at least, because of a mismatch between the DLM plugin version they automatically offer, i.e. getPlusPlus for Adobe 16290, and the version actually required for downloading the Flash update with their markup:

<embed type="application/getplusplusadobe16291"
pluginspage="http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.xpi"
service-url="http://get.adobe.com/flashplayer/webservices/dlm/"
return-page="http://get.adobe.com/flashplayer/completion/dlm/"
itemid="Flash_Player_10.1_for_Windows_-_Other_Browsers"
core-product="flashplayer" dlmbanner="on" language="" os="" height="1" width="1">

As you can see, the required version is 16291, rather than 16290.

Fortunately the actual direct download URL is not impossible to discover, for instance by dinamically replacing “16291″ with “16290″ with a bit of javascript: magic in the address bar and sniffing the network activity.

So, if you’re stuck like me or you just don’t want to install this getPlusPlus crap, you probably want to use this direct link :)

The Adobe Flash Player, current version 10.1.82.76 and below, is affected by a critical vulnerability which, according to Adobe’s Security Advisory APSA10-03, is being actively exploited in the wild. A patch won’t be available until September the 27th, which means the 3 or 4 Flash users out there are left in the cold, under attack for two weeks at least.

In the meanwhile, the only mitigation measures available are either disabling Flash outright or using NoScript.
At any rate, relying on the “FlashBlock” extensions for your security is not a good idea, neither on Firefox nor on Chrome: these toys are great against annoyances, but too easy to circumvent to be hacker-proof. Unfortunately you can always find naive advices in the press

If you believe that building your whitelist of websites trusted to run scripts is too tiresome, please consider this: after 2 or 3 days of training, NoScript will know enough about your browsing habits to amost vanish in the background. Moreover, latest versions feature a true “one click” UI which further reduces your initial effort, because now the contextual menu is shown as soon as you just hover over NoScript’s icon, allows you to switch multiple permissions at once and disappears as your mouse moves away. However, if you’re an irreducible who wants JavaScript to run free everywhere, you can still emulate a safer “FlashBlock mode” by using NoScript’s (not recommended) Allow Scripts Globally command after having checked NoScript Options|Embeddings|Apply these restrictions to trusted sites as well.

Talking about mitigation, I heard much fanfare (even on ./) about Microsoft’s Enhanced Mitigation Toolkit (EMET) 2.0 being able to prevent exploitation of another 0 day affecting Adobe Acrobat Reader. Unfortunately at this moment I had no success at downloading this fabulous tool by following the available links, but this probably just means I’m low on caffeine. Could anybody point me to a working and trusted EMET 2.0 download source? Update: the link from the MS blog was actually broken this morning, but now it’s reachable as pointed out by a commenter.

Update 2010-09-20

Adobe rushed out version 10.1.85.3 one week earlier than scheduled to patch this hole.

Users of Adobe products (i.e. almost all the web surfers) are in serious danger (well, not exactly breaking news).
Critical bugs in Flash Player and Acrobat, both allowing arbitrary remote code execution, are being exploited in the wild.

Adobe just released a Flash Update addressing the player vulnerability, which has been abused in real world attacks for more than 6 weeks. Notice that the FlashBlock work-around suggested by the iDefense bulletin is bogus: as we already clarified a few times, FlashBlock can’t be relied upon as a security defense. The only reliable means to protect yourself against Flash-based 0 day attacks like these are either disabling the Flash Player plugin globally, or using NoScript’s content blocking features to selectively enable only the Flash applets you trust.

Regarding the Acrobat flaw, Adobe announced that a patch won’t be available until March the 11th. In the meanwhile many sources, including Adobe itself, recommend to disable JavaScript execution in Acrobat’s options, but again the suggested work-around is not effective: disabling Acrobat’s JavaScript does not prevent the vulnerability from being exploited. As always, you should be very careful in opening PDF files you receive by email, and use NoScript to prevent automatic exploitation on the web: NoScript’s default deny policy applies to all the plugin content, indeed, including PDF.

Bad Behavior has blocked 7038 access attempts in the last 7 days.