User's perspective questions re "major" Flash exploit
- Why is this latest exploit so special? What's different about it vs. the others? Doesn't Flash get exploited in some new way, like, all the time?
- In case it's really this much more serious, I'm looking into upgrading Flash... but half the sources on the Internet say it's fixed in 18.0.0.209/11.2.202.481, and the other half says those versions are still vulnerable... and I don't know what to believe. What Flash player versions are protected against this exploit for Mac OS X? What Flash versions (both on the 11.2.x series and the Chrome PPAPI version) are protected on Linux?
*Always* check the changelogs BEFORE updating that important software!
Re: User's perspective questions re "major" Flash exploit
> Why is this latest exploit so special? What's different about it vs. the others?
I think only in that the details of the exploit were obtained (cough, cough) & very quickly built into an exploit pack & placed in the wild & is effective.
> Doesn't Flash get exploited in some new way, like, all the time?
Yes.
> In case it's really this much more serious
Yes, seems so.
> half the sources on the Internet say it's fixed in 18.0.0.209/11.2.202.481
> the other half says those versions are still vulnerable
They're probably both right.
The latest releases fixed "something", enough to get by.
Probably didn't affect "everything" & certainly did not affect other exploits known about, but that are still under the table.
> What Flash player versions are protected against this exploit
Given that we don't know anything more than what might have been said, & given that we don't know anything about what has not been said, guess all you can do is to update to the latest release (& then update to the next release, & the next, &...).
> Chrome
I believe some of the reports stated specifically that Chrome, with all its "security" mechanism was exploited (prior to latest release).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
Re: User's perspective questions re "major" Flash exploit
And this leads me to a question I was going to bring up.
At what point does Flash "load", at what point is there "content" & at what point would a vulnerable Flash be able to be exploited?
In Mozilla you can set Flash to click-to-play.
In NoScript you can "Forbid" Flash.
In each case you get a placeholder.
And NoScript even piggybacks on Mozilla's setting.
Is one method of blocking Flash, Mozilla or NoScript, safer?
Does the content load with Mozilla, but simply does not play until you click, or is it actually blocked?
Likewise with NoScript?
Re: User's perspective questions re "major" Flash exploit
> therube wrote:
> Is one method of blocking Flash, Mozilla or NoScript, safer?
I haven't checked it out but I'd guess NoScript because although (I think) the page can make the browser think you clicked on either item, NoScript throws up a confirmation dialog which is outside the page, so the page can't touch that. I'd hope Mozilla designed the click-to-play placeholders to tell between user clicks and "fake" clicks from the page... (in which case it's the same)
> therube wrote:
> At what point does Flash "load", at what point is there "content" & at what point would a vulnerable Flash be able to be exploited?
When the SWF runs. IOW, when Flash (or whatever other SWF reader) actually executes the file. I don't see how it's possible for a Flash exploit to affect something that's not interpreting the SWF.
> therube wrote:
> Does the content load with Mozilla, but simply does not play until you click, or is it actually blocked?
> Likewise with NoScript?
I'm pretty sure that Mozilla's click-to-play & NoScript's click-to-play work the same in that respect. It has to, otherwise Mozilla's click-to-play plugin blocklist wouldn't do anything for security.
Re: User's perspective questions re "major" Flash exploit
> therube wrote:
> > half the sources on the Internet say it's fixed in 18.0.0.209/11.2.202.481
> > the other half says those versions are still vulnerable
> They're probably both right.
> The latest releases fixed "something", enough to get by.
> Probably didn't affect "everything" & certainly did not affect other exploits known about, but that are still under the table.
Well, dang. Since "these" exploits really are this serious, guess it's going to be time to update Flash, and since they're still partially unpatched, guess it's not time for me to update Flash just yet.
> therube wrote:
> Given that we don't know anything more than what might have been said, & given that we don't know anything about what has not been said, guess all you can do is to update to the latest release (& then update to the next release, & the next, &...).
Not feasible, given A) my attitude about updating anything and B) the fact that other things on this system (e.g. Shockwave for Director) are quite picky about Flash version. I need to upgrade to a version that has all "these" exploits rendered moot and works for me, and then coast along relying on NoScript & my common sense to keep me safe until next time I decide that an update is worthwhile to evaluate... even if I have to disable Flash completely for anything online in the meantime. (Actually, I think I will this time. I can probably get by running Flash from the Internet inside an isolated VM all the time, at least for a short while...)
Re: User's perspective questions re "major" Flash exploit
> and works for me
That's fine, for you.
For others, I simply say, update!
> common sense
Yes, that's fine too.
And probably more important than other "fixes".
But, in this case perhaps in particular, might want to further investigate just how the exploit works, how it is effected, because it might just not use "common sense". (And I haven't seen anything on that.)
> Shockwave
Shockwave Player & Adobe (Acrobat) Reader also had updates.
(Don't know offhand if all OS were affected?)
Damn, I was hoping you'd have been more definitive in your reply, two up^.
Giorgio?
Re: User's perspective questions re "major" Flash exploit
> therube wrote:
> > Shockwave
> Shockwave Player
Hmm, I'd really like to have changelogs for Shockwave for Director (I can only find changelogs for up to 11.5 and I'm using 12.1.7r157).. the ONLY reason I have it installed is literally two online games - if I can play them on my machine somehow, I consider my Shockwave for Director setup working
> therube wrote:
> Adobe (Acrobat) Reader also had updates.
Well I read somewhere that some versions of Adobe Reader have the entire Flash runtime in there somewhere, so this is not really surprising.
Re: User's perspective questions re "major" Flash exploit
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
Re: User's perspective questions re "major" Flash exploit
That link is disappointingly uninformative - it doesn't say whether that vulnerability is "the" vulnerability or not, and I don't know enough to figure it out. I'd guess from the date that it is, but still...
> therube wrote:
> > half the sources on the Internet say it's fixed in 18.0.0.209/11.2.202.481
> > the other half says those versions are still vulnerable
> They're probably both right.
Now I think what it probably was is that 11.2.202.481 did NOT fix it all but 18.0.0.209 did - the Linux flash player had a (additional) 20150716 update (haven't checked the version) but "latest" Flash is still 18.0.0.209
On this basis I've decided to upgrade Flash and just uninstall Shockwave for Director for the moment
Re: User's perspective questions re "major" Flash exploit
"0-day attacks exploiting Flash just got harder thanks to new defenses
Flash mitigations now fully baked into Chrome; coming to other browsers soon"
http://arstechnica.com/security/2015/07 ... -defenses/
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1