Not a big deal, really, if you consider FlashBlock a “noise reducer”: it does a great job, in facts, working almost always.
A bit more worrisome, though, if you used to believe FlashBlock could improve your security against Flashvulnerabilities. Your next surprise video star may be way more malicious than Trojan.SWF.Astley…
To be fair, you would be in good company:
Slashdot, whose “flashblock” tag is attached to all the most recent Flash security horror stories
US-CERT (United States Computer Emergency Readiness Team)
If they just looked at FlashBlock’s FAQ, they would have found that the word “security” is never mentioned: a testament both to the good faith of the developers, who honestly advertise FlashBlock as an excellent annoyance blocker rather than a security enhancement, and to the superficiality of some advices.
Dancho is especially inexcusable, since he’s the only one forgetting to mention NoScript, which features similar flash-blocking capabilities but, being developed with security as its main focus, is immune from this and other possible circumventions and, more important, would regard even the most exotic unblockable edge case as a serious bug to be fixed as soon as possible.
Some minutes after I published my post about the Flash unpatched vulnerability being exploited through mass SQL injections, popups of this kind started flying all over my notebook’s desktop:
Since the “virus” was reported to be in my Firefox cache, and since Firefox has not the bad habit of randomly open cached files for execution, I guessed this “threat” was relatively harmless and AVG was just over-reacting to the mere “open for reading” action.
In facts, all my attempts to inspect the offending file using an hexadecimal editor were frustrated with “Access Denied” errors, and AVG on its side refused to give me any argumented detail about this alert.
Hence I typed about:cache in my awesome bar and quickly found a file matching the size of the “menace”: it was http://www.0x000000.com/rss.php, i.e. the RSS feed of Ronald van den Heetkamp’s “Hacker Webzine”…
So, was just a mere van den Heetkamp stink enough to scare the hell out of my cute (and frankly, absolutely virginal) anti-virus?
Actually the most likely culprit is Ronald’s latest article about the hot topic of the day: since he likes to feature generous portions of source code extracted from infected sites, a signature-based engine like AVG have no choice but going wild.
Dear anti-virus vendors, can we have a “Relax, I use Firefox + NoScript” Ronald-friendly option, please?
Yesterday Symantec elevated its ThreatCon rating as a response to an infection involving about 20,000 web pages (250,000 according to other sources), and probably still actively spreading through an automated SQL injection.
The attack uses multiple layers of SWF redirection and generates URLs designed to target specific Flash version and browser combinations, supporting both Internet Explorer and Firefox.
In the meanwhile, according to Symantec, you should:
Avoid browsing to untrustworthy sites. Consider disabling or uninstalling Flash until patches are available. Deploy script-blocking mechanisms, such as NoScript for Firefox, to explicitly prevent SWFs from loading on all but explicitly trusted sites. Temporarily set the kill bit on CLSID d27cdb6e-ae6d-11cf-96b8-444553540000 until patches availability is confirmed.
Additional notes for NoScript users
Since the offending SWF files are served from external ad-hoc Chinese domains, (wuqing17173.cn, woai117.cn and dota11.cn at this moment,very unlikely to be in your whitelist), even if a trusted site was infected you should still be protected.
However, if you want maximum protection, it’s a good time to check NoScript Options|Plugins|Apply these restrictions to trusted sites as well.
This option turns NoScript in an effective security-oriented replacement of the FlashBlock extension, working also with Java, Silverlight and other potentially vulnerable plugins such as QuickTime.
All the active embedded content pieces, no matter where they come from, will be blocked preemptively and you will be able to load them selectively by clicking on visual placeholders.
Since the currently exploited vulnerability appears to be patched, but the attacking vector explicitly tests for the 9.0.124.0 player and can perform dynamic redirects, I’d obviously upgrade but still stay on the cautious side, deploying preemptive countermeasures just in case they’re saving the real zero-day for a second weave…
I wonder why some people is so much shocked by what Cisco’s Chief Security Officer John Stewart publicly stated two days ago:
If patching and antivirus is where I spend my money, and I’m still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user’s data and I still have to reinstall it, the entire cost equation of that is a waste.
It’s completely wasted money.
I’m sick of blacklisted stuff. I’ve got to go for whitelisted stuff — I know what that is because I put it there.
Needless to say, antivirus vendors are violently shaking their heads, and Cisco is not exactly super-partes, since it partially competes on the same enterprise security budgets. Also, I wouldn’t go so far as saying that you shouldn’t be patching your buggy software, or that a free antivirus scanner can’t help preventing your mum from getting caught by opening that apparently innocuous PDF attachment, or that the new Firefox 3 anti-malware features are not be greeted as godsend…
But this pretty logical if not just obvious concept is not new at all, even if kept in the dark as a dirty secret — maybe because you can’t build a long-term subcription-based business model around it?
And you can’t tell I’m a last-minute convert :)
The Register columns are getting better and better at web security related content.
In one single article, Dan Goodin managed to:
Report an XSS hole in PayPal “safe” area (the wet dream of all XSS kiddies), enabling all sort of profitable scams from credential stealing to automated transactions riding the session of an authenticated user.
Make a very valid point about extended validation SSL certificates being overrated, if not just an expensive joke, because the green bar is more than happy of “certifying” XSS compromised pages as legitimate (obviously): in other words, the perfect phishing works even better if you’ve got a modern, secure browser supporting EV SSL :)
The Register columns are getting better and better at web security related content.
