It's getting boring.

Current Flash Player version ( for the general public, for Chrome users) is affected by a remote code execution vulnerability which is reported as being exploited in the wild.

Since Adobe Reader X (the newest version with "protected" mode) is vulnerable but not exploitable, Adobe doesn't plan an out-of-band patch: looks like browser users are second-class citizens.

As usual, you can outright disable the Flash plugin or use NoScript's active content blocking (not FlashBlock, please).


12 Responses to “Yet Another Adobe Flash and Reader 0 Day”

  1. #1 Guest says:

    why not FlashBlock?

  2. #2 Giorgio says:

    You didn't follow that link, did you?

  3. #3 john says:

    I've read this vulnerability is exploitable through Word documents, not browsers

  4. #4 Giorgio says:

    Where did you read it?
    Adobe's advisory explicitly mentions Chrome's "special" version number, and since Chrome ships with its own private Flash Player there would be no reason if this wasn't browser-exploitable.

    They're probably playing on the ambiguity due to reported incidents being targeted attacks through email attachments (Microsoft Office documents with embedded Flash content), but this doesn't rule out browser attacks at all.

  5. #5 Giovanni Bajo says:

    Flash is sandboxed in Chrome, so it's probable that it's not exploitable in there as well.

  6. #6 Giorgio says:

    @Giovanni Bajo:
    Sandboxes are overrated.
    A sandbox just means that the malicious code can't (theoretically, pending sandbox bugs) write to/read from the local filesystem and perform other "privileged" actions which a browser can perform but a web page cannot. On the other hand, just by controlling the Flash Player itself and the content process (without accessing local resources) an attacker can take control of your assents "in the cloud": for instance, it can navigate your online bank account and steal your credentials, either by waiting for the password manager to fill in the details or by using your session cookies if you're already logged in.

  7. #7 Giovanni Bajo says:

    @Giorgio: well, I've seen many malwares that exploit OS-level tricks to inject trojans, so I wouldn't call it overrated (after all, there are so many ready-to-drop payloads around). Chrome is the only browser that prevents this today, so I think it's a good step forward. I concede it's not enough.

    Aren't the problems you mention fixed through the PPAPI? Chrome is currently deploying PPAPI support for its embedded Flash plugin (as we speak, it's available in dev builds under an about:flags).

  8. #8 Giorgio says:

    @Giovanni Bajo:

    Aren’t the problems you mention fixed through the PPAPI?

    No they aren't. PPAPI's scope is entirely different, and as long as plugins like Flash (which can do low-level TCP networking and has access to web context) exist, you can't fix them but just mitigate.

  9. #9 Dan says:

    I switched from Flashblock to NoScript last time you explained why it was better for blocking plugins. I've stuck with it, but it does have some issues.

    I can't work out how to enable JavaScript globally, but block plugins globally, and yet whitelist some pages.

    I.e. the use case "block Flash on all pages except this one" is not possbile without disabling JavaScript globally, which Flashblock users probably don't want, otherwise they'd be using NoScript already. Let me know if there is a way to do this.

  10. #10 Thrawn says:

    @Dan: You're right, NoScript is designed to block scripts first (hence the name), plugins second. Blocking only plugins isn't really the objective.

    That said, if you're concerned enough to block Flash by default, then it might be worth making the effort to selectively enable JavaScript too. It's at least as dangerous, possibly more, given how widely it's used to launch attacks.

  11. #11 Giorgio says:

    Allow Scripts Globally +
    NoScript Options|Embeddings|Apply these restrictions to whitelisted sites as well is what you want.

  12. #12 Gary Thompson says:

    Chrome always appears to have a problem with adobe flash releases and also adobe air .. pity, 'cos I love the browser and prefer it to Firefox

Bad Behavior has blocked 1000 access attempts in the last 7 days.