The Adobe Flash Player, current version and below, is affected by a critical vulnerability which, according to Adobe's Security Advisory APSA10-03, is being actively exploited in the wild. A patch won't be available until September the 27th, which means the 3 or 4 Flash users out there are left in the cold, under attack for two weeks at least.

In the meanwhile, the only mitigation measures available are either disabling Flash outright or using NoScript.
At any rate, relying on the "FlashBlock" extensions for your security is not a good idea, neither on Firefox nor on Chrome: these toys are great against annoyances, but too easy to circumvent to be hacker-proof. Unfortunately you can always find naive advices in the press...

If you believe that building your whitelist of websites trusted to run scripts is too tiresome, please consider this: after 2 or 3 days of training, NoScript will know enough about your browsing habits to amost vanish in the background. Moreover, latest versions feature a true "one click" UI which further reduces your initial effort, because now the contextual menu is shown as soon as you just hover over NoScript's icon, allows you to switch multiple permissions at once and disappears as your mouse moves away. However, if you're an irreducible who wants JavaScript to run free everywhere, you can still emulate a safer "FlashBlock mode" by using NoScript's (not recommended) Allow Scripts Globally command after having checked NoScript Options|Embeddings|Apply these restrictions to trusted sites as well.

Talking about mitigation, I heard much fanfare (even on ./) about Microsoft's Enhanced Mitigation Toolkit (EMET) 2.0 being able to prevent exploitation of another 0 day affecting Adobe Acrobat Reader. Unfortunately at this moment I had no success at downloading this fabulous tool by following the available links, but this probably just means I'm low on caffeine. Could anybody point me to a working and trusted EMET 2.0 download source? Update: the link from the MS blog was actually broken this morning, but now it's reachable as pointed out by a commenter.

Update 2010-09-20

Adobe rushed out version one week earlier than scheduled to patch this hole.

15 Responses to “Yet Another Adobe Flash Unpatched Vulnerability Actively Exploited in the Wild”

  1. #1 Joris van der Wel says:


  2. #2 Giorgio says:

    @Joris van der Wel:
    Thank you, the direct download link was broken this morning, leading to the 404-redirected Microsoft search page :P

  3. #3 Alan Baxter says:

    I bet it's more than just "3 or 4 Flash users out there" that "are left in the cold, under attack for two weeks at least." Do you mean "3 out of 4"?

  4. #4 Citizendruide says:

    Fx have a black list for plug-ins (like for Add-ons), right ?
    I don't know what happen when an UI plug-in is black-listed, but I hope the following :

    Show crash-plug-in-like UI with text : "This add-on (name) have been disabled until it get updated/a new version is released because it has a flaw that is currently exploited and expose you to security and privacy issues.

    If you know what you are doing and want to skip this warning, click here."

    Is that already the case or shoulf I make a new bug in Bugzilla ?

    Does flash have been black-listed yet ?

  5. #5 Giovanni Bajo says:

    I'm looking forward to Chrome being able to fully sandbox the flash plugin as promised, at which point I will stop caring about flash vulnerabilities.

  6. #6 Giorgio says:

    @Alan Baxter:
    It was "3 or 4" as written, my poor attempt at irony :)
    All them are vulnerable, though.

    I really doubt Firefox will blacklist an high profile plugin like Flash. Maybe when HTML 5 starts to be seen (and most important, deployed) as a credible replacement.

    @Giovanni Bajo:
    Sandboxes are overrated. A compromised plugin with full network access (like Flash) can do a lot of damage even if it couldn't touch anything on your local system, now that our lives move more and more "in the cloud".

  7. #7 computerfreaker says:

    "3 or 4 Flash users" is probably going to be pretty darn accurate if Adobe keeps getting their products pwned like this. Between Flash and their PDF reader, Adobe is in deep trouble IMHO.

    I'm glad NoScript is blocking this in Firefox, but I think it's finally time for me to uninstall Flash and Adobe PDF Reader, regardless of what breaks as a result. I have to use at least one non-Firefox browser every day, so NoScript's great protection regrettably won't cover me 100% of the time.

  8. #8 exceed says:

    Unfortunatelly it's not possible to EMET-ize Flash... but there's a NoScriot anyway :D

  9. #9 Alan Baxter says:

    Oh, I get it now after rereading it. The joke was good, but it was too early in the morning for me to get it the first time.

  10. #10 Cement Head says:

    Why can't you use EMET to protect the web browser in which the Flash plug-in is running?

  11. #11 Giorgio says:

    @Cement Head:
    Plugins run out of process now in most recent browser versions, so you should actually protect the plugin-host process.
    Even so, many plugins (including Flash and Java) can't be effectively protected because contain JIT compilers, which need write access to executable memory.

  12. #12 AnonymousCoward says:

    Oh man, what a bad beta that EMET is in XP so far. Enhanced Mitigation EXPERIMENT Tool. The promised version was NOT in the DL link, and no way could I get Flash on the block list. And a hefty 18MB needed on the disc.
    Nice idea though, and if you get the video you can see that MS means really to stop legacy applications getting hit. Those guys are just too sweet :-)

    It's just that for stuff out here on the Web, Fx with NS just does it with no mess and no fuss :-)

  13. #13 JB says:

    Any idea when you'll fix the "Backup NoScript configuration in a bookmark for easy synschronization feature" for Firefox 4, when I check that feature, no bookmark is created. Works fine on Firefox 3.6.9.

  14. #14 Dan says:

    How can I run NoScript in "Flashblock mode" but still whitelist some sites for Flash? I can't seem to get it to work after a bit of trying. If it's not that simple, then getting people to migrate from Flashblock will be more difficult.

  15. #15 Alan Baxter says:

    I haven't figured out how to do that either. So, whenever I'm on a site where I want to allow all Flash instead of just using the placeholder, I use NoScript's Blocked Objects flyout to temporarily enable it for the whole site (on trusted sites only, of course).

Bad Behavior has blocked 725 access attempts in the last 7 days.