The last week has been a very interesting one (read: OMG, it’s almost the end of the world) in the security world. There were new threats from all corners, but Adobe Flash stole the show with three critical issues in the space of a few days.
All three are use-after-free bugs in the Flash runtime, triggered by a crafted .swf file, and all three allow remote code execution or a crash (DoS). Grim stuff.
The CVE details are:
http://www.cvedetails.com/cve/CVE-2015-5123/
http://www.cvedetails.com/cve/CVE-2015-5122/
http://www.cvedetails.com/cve/CVE-2015-5119/
What’s really scary is that CVE Details lists 30 Flash issues with a CVSS score of 10 (the maximum) for July alone. If ever there was a time to stop using Flash, it’s now. The problem is that many sites still use it in frames, ads and other embedded content, including sites that actively promote not using Flash. Ads are the worst case: a Flash exploit served through an ad network runs on every site that carries the ad, without any of those sites being compromised themselves.
To be clear, these vulnerabilities are being actively exploited right now. We’ve also seen an alarming rise in remote-access trojan and ransomware attacks locally here in SA, which may or may not be related to the Flash vulnerabilities. These result in the encryption of client data, followed by a demand for payment to unlock it. The primary delivery method for these is spam email and its attachments.
What can you do?
- Disable and remove Flash completely – this is the best choice, but some websites will break; that is a trade-off you need to live with (or not). Note that disabling the plugin in your browser does not remove the Flash runtime installed in the OS (the ActiveX control, the NPAPI plugin and the standalone player), and any other application that embeds that runtime can still be fed a malicious .swf. Complete removal, via Adobe’s uninstaller or your package manager, is the only option that closes that door.
- Disable Flash in the browser and set it to ask for activation – Firefox (I’m not sure about other browsers) can set a plugin like Flash to “Ask to Activate” (click-to-play) in the Add-ons manager. Flash then stays inactive by default, and you click a placeholder to activate a particular Flash element on a page. The vulnerable runtime is still installed, so this only protects you as long as you don’t click through on an untrusted page.
- Carry on using Flash – no comment
For applications that rely on the Flash runtime in the Operating System, it’s time to send a friendly email to the developers asking why they are opening their clients up to these issues, and whether an update that drops the dependency is planned.
For users of YouTube, most browsers already support YouTube’s HTML5 player, which needs no Flash at all. You can check the status of browser support here:
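Since the point above is that a disabled browser plugin is not the same as a removed runtime, here is an added example (my own script, not something from the original post) that inventories a machine for Flash runtime files and reads the Firefox click-to-play setting. The install directories and file-name patterns are assumptions based on the standard Adobe installers; the sample file names and preference line used for illustration are constructed.

```python
import glob
import os
import platform
import re

# Well-known install locations used by Adobe's Flash Player installers.
# These are assumptions about a typical machine; extend them for your estate.
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\Windows")
FLASH_DIRS = {
    "Windows": [
        os.path.join(SYSTEM_ROOT, "System32", "Macromed", "Flash"),
        os.path.join(SYSTEM_ROOT, "SysWOW64", "Macromed", "Flash"),
    ],
    "Darwin": ["/Library/Internet Plug-Ins"],
    "Linux": [
        "/usr/lib/mozilla/plugins",
        "/usr/lib64/mozilla/plugins",
        "/usr/lib/adobe-flashplugin",
        os.path.expanduser("~/.mozilla/plugins"),
    ],
}

# Where Firefox keeps prefs.js (one per profile), per OS. Also an assumption.
FIREFOX_PREFS_GLOBS = {
    "Windows": [os.path.join(os.environ.get("APPDATA", ""), "Mozilla", "Firefox", "Profiles", "*", "prefs.js")],
    "Darwin": [os.path.expanduser("~/Library/Application Support/Firefox/Profiles/*/prefs.js")],
    "Linux": [os.path.expanduser("~/.mozilla/firefox/*/prefs.js")],
}

# File names that identify a Flash runtime: the ActiveX control (Flash32_x_y_z_w.ocx),
# the NPAPI plugin (NPSWF32_x_y_z_w.dll / libflashplayer.so) and the macOS bundle.
FLASH_FILE_RE = re.compile(
    r"^(?:Flash(?:32|64)(?:_[0-9_]+)?\.ocx"
    r"|NPSWF(?:32|64)(?:_[0-9_]+)?\.dll"
    r"|libflashplayer\.so"
    r"|Flash Player\.plugin)$",
    re.IGNORECASE,
)
# Adobe embeds the version as _major_minor_build_patch before the extension.
VERSION_RE = re.compile(r"_(\d+)_(\d+)_(\d+)_(\d+)\.")

# Firefox preference plugin.state.flash: 0 = never, 1 = ask (click-to-play), 2 = always.
FIREFOX_STATES = {0: "never activate", 1: "ask to activate", 2: "always activate"}
PREF_RE = re.compile(r'user_pref\("plugin\.state\.flash",\s*(\d)\);')


def version_from_name(name):
    """Return the 'major.minor.build.patch' string embedded in a runtime file name, or None."""
    m = VERSION_RE.search(name)
    return ".".join(m.groups()) if m else None


def classify_listing(directory, names):
    """Given a directory and the names in it, return (path, version) for each Flash runtime file."""
    found = []
    for name in sorted(names):
        if FLASH_FILE_RE.match(name):
            found.append((os.path.join(directory, name), version_from_name(name)))
    return found


def find_flash_runtimes(dirs=None):
    """Scan the well-known directories for this OS and report every Flash runtime present."""
    if dirs is None:
        dirs = FLASH_DIRS.get(platform.system(), [])
    hits = []
    for d in dirs:
        if os.path.isdir(d):
            hits.extend(classify_listing(d, os.listdir(d)))
    return hits


def firefox_flash_state(prefs_text):
    """Parse the text of a Firefox prefs.js; return the Flash activation mode, or None if unset."""
    m = PREF_RE.search(prefs_text)
    if not m:
        return None  # preference never written: Firefox is using its built-in default
    return FIREFOX_STATES.get(int(m.group(1)), "unknown")


if __name__ == "__main__":
    runtimes = find_flash_runtimes()
    for path, version in runtimes:
        print("Flash runtime present: %s (version %s)" % (path, version or "unknown"))
    if runtimes:
        print("A disabled browser plugin does not stop other applications loading these files.")
    else:
        print("No Flash runtime found in the well-known locations.")
    for pattern in FIREFOX_PREFS_GLOBS.get(platform.system(), []):
        for prefs in glob.glob(pattern):
            with open(prefs, encoding="utf-8", errors="replace") as fh:
                state = firefox_flash_state(fh.read())
            print("%s: Flash is set to %s" % (prefs, state or "the browser default"))
```

Run it on each workstation after the uninstaller has been executed; an empty runtime list is the result you want, and a profile reporting “ask to activate” only tells you click-to-play is on, not that the runtime is gone.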
https://www.youtube.com/html5
Of course, you also need to update your OS and any other third-party applications regularly, and keep an eye open for spam emails.
For those with a few extra minutes, Steve Jobs wrote a fairly famous open letter to Adobe in 2010 (“Thoughts on Flash”) criticizing Flash, security included. I’m not a Jobs fan, but this one hits the nail on the head – well said.
The latest issues came straight out of the breach of Hacking Team, an Italian company that sells surveillance and intrusion software to governments: the zero-days, complete with working exploit code, were sitting in the 400 GB of internal data that was leaked. Hacking the hackers – where have I heard that before? Some movie, I think …