User's perspective questions re "major" Flash exploit

barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm


Post by barbaz »

  1. Why is this latest exploit so special? What's different about it vs. the others? Doesn't Flash get exploited in some new way, like, all the time?
  2. In case it's really this much more serious, I'm looking into upgrading Flash... but half the sources on the Internet say it's fixed in 18.0.0.209/11.2.202.481, and the other half says those versions are still vulnerable... and I don't know what to believe. What Flash player versions are protected against this exploit for Mac OS X? What Flash versions (both on the 11.2.x series and the Chrome PPAPI version) are protected on Linux?
*Always* check the changelogs BEFORE updating that important software!
-
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: User's perspective questions re "major" Flash exploit

Post by therube »

> Why is this latest exploit so special? What's different about it vs. the others?

I think only in that the details of the exploit were obtained (cough, cough) & very quickly built into an exploit pack & placed in the wild & is effective.

> Doesn't Flash get exploited in some new way, like, all the time?

Yes.

> In case it's really this much more serious

Yes, seems so.

> half the sources on the Internet say it's fixed in 18.0.0.209/11.2.202.481
> the other half says those versions are still vulnerable

They're probably both right.
The latest releases fixed "something", enough to get by.
Probably didn't affect "everything" & certainly did not affect other exploits known about, but that are still under the table.

> What Flash player versions are protected against this exploit

Given that we don't know anything more than what might have been said, & given that we don't know anything about what has not been said, guess all you can do is to update to the latest release (& then update to the next release, & the next, &...).

> Chrome

I believe some of the reports stated specifically that Chrome, with all its "security" mechanisms, was exploited (prior to latest release).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: User's perspective questions re "major" Flash exploit

Post by therube »

And this leads me to a question I was going to bring up.

At what point does Flash "load", at what point is there "content" & at what point would a vulnerable Flash be able to be exploited?

In Mozilla you can set Flash to click-to-play.

In NoScript you can "Forbid" Flash.

In each case you get a placeholder.
And NoScript even piggybacks on Mozilla's setting.

Is one method of blocking Flash, Mozilla or NoScript, safer?

Does the content load with Mozilla, but simply does not play until you click, or is it actually blocked?

Likewise with NoScript?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: User's perspective questions re "major" Flash exploit

Post by barbaz »

therube wrote:
> Is one method of blocking Flash, Mozilla or NoScript, safer?

I haven't checked it out but I'd guess NoScript because although (I think) the page can make the browser think you clicked on either item, NoScript throws up a confirmation dialog which is outside the page, so the page can't touch that. I'd hope Mozilla designed the click-to-play placeholders to tell between user clicks and "fake" clicks from the page... (in which case it's the same)

therube wrote:
> At what point does Flash "load", at what point is there "content" & at what point would a vulnerable Flash be able to be exploited?

When the SWF runs. IOW, when Flash (or whatever other SWF reader) actually executes the file. I don't see how it's possible for a Flash exploit to affect something that's not interpreting the SWF.

therube wrote:
> Does the content load with Mozilla, but simply does not play until you click, or is it actually blocked?
>
> Likewise with NoScript?

I'm pretty sure that Mozilla's click-to-play & NoScript's click-to-play work the same in that respect. It has to, otherwise Mozilla's click-to-play plugin blocklist wouldn't do anything for security.
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: User's perspective questions re "major" Flash exploit

Post by barbaz »

therube wrote:
> > half the sources on the Internet say it's fixed in 18.0.0.209/11.2.202.481
> > the other half says those versions are still vulnerable
>
> They're probably both right.
> The latest releases fixed "something", enough to get by.
> Probably didn't affect "everything" & certainly did not affect other exploits known about, but that are still under the table.

Well, dang. Since "these" exploits really are this serious, guess it's going to be time to update Flash, and since they're still partially unpatched, guess it's not time for me to update Flash just yet.

therube wrote:
> Given that we don't know anything more than what might have been said, & given that we don't know anything about what has not been said, guess all you can do is to update to the latest release (& then update to the next release, & the next, &...).

Not feasible, given A) my attitude about updating anything and B) the fact that other things on this system (e.g. Shockwave for Director) are quite picky about Flash version. I need to upgrade to a version that has all "these" exploits rendered moot and works for me, and then coast along relying on NoScript & my common sense to keep me safe until next time I decide that an update is worthwhile to evaluate... even if I have to disable Flash completely for anything online in the mean time. (Actually, I think I will this time. I can probably get by running Flash from the Internet inside an isolated VM all the time, at least for a short while...)
*Always* check the changelogs BEFORE updating that important software!
-
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: User's perspective questions re "major" Flash exploit

Post by therube »

> and works for me

That's fine, for you.
For others, I simply say, update!

> common sense

Yes, that's fine too.
And probably more important than other "fixes".
But, in this case perhaps in particular, might want to further investigate just how the exploit works, how it is effected, because it might just not use "common sense". (And I haven't seen anything on that.)

(
> Shockwave

Shockwave Player & Adobe (Acrobat) Reader also had updates.
(Don't know offhand if all OS were affected?)


Damn, I was hoping you'd have been more definitive in your reply, two up^.

Giorgio?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: User's perspective questions re "major" Flash exploit

Post by barbaz »

therube wrote:
> > Shockwave
>
> Shockwave Player

Hmm, I'd really like to have changelogs for Shockwave for Director (I can only find changelogs for up to 11.5 and I'm using 12.1.7r157).. the ONLY reason I have it installed is literally two online games - if I can play them on my machine somehow, I consider my Shockwave for Director setup working 8-)

therube wrote:
> Adobe (Acrobat) Reader also had updates.

Well I read somewhere that some versions of Adobe Reader have the entire Flash runtime in there somewhere, so this is not really surprising.
*Always* check the changelogs BEFORE updating that important software!
-
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: User's perspective questions re "major" Flash exploit

Post by therube »

Adobe Security Bulletins and Advisories.

(Feature changes, can't help with that.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: User's perspective questions re "major" Flash exploit

Post by barbaz »

That link is disappointingly uninformative - it doesn't say whether that vulnerability is "the" vulnerability or not, and I don't know enough to figure it out. I'd guess from the date that it is, but still...
therube wrote:
> > half the sources on the Internet say it's fixed in 18.0.0.209/11.2.202.481
> > the other half says those versions are still vulnerable
>
> They're probably both right.

Now I think what it probably was is that 11.2.202.481 did NOT fix it all but 18.0.0.209 did - the Linux flash player had an (additional) 20150716 update (haven't checked the version) but "latest" Flash is still 18.0.0.209

On this basis I've decided to upgrade Flash and just uninstall Shockwave for Director for the moment
*Always* check the changelogs BEFORE updating that important software!
-
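
An added example, not part of any post in this thread: a branch-aware check of a reported Flash version against the two version numbers quoted above. It treats those numbers only as a floor, since the thread leaves open whether they are a complete fix; the function names and the sample version strings are constructed for illustration.

```python
import re

# Version numbers quoted in the thread, keyed by release branch (major, minor).
# The thread is unsure they fix everything, so they are a floor, not a guarantee.
CITED_FLOOR = {
    (18, 0): (18, 0, 0, 209),    # 18.0.x branch
    (11, 2): (11, 2, 202, 481),  # 11.2.x branch (the Linux series named in the thread)
}


def parse_version(text):
    """Extract a four-part version from strings such as '18.0.0.209' or
    'WIN 18,0,0,209'. Returns None when fewer than four parts are present."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(text):
    """Classify a reported version string against the floor for its own branch."""
    version = parse_version(text)
    if version is None:
        # e.g. a plugin description that only exposes major.minor and a revision
        return "unknown"
    floor = CITED_FLOOR.get(version[:2])
    if floor is None:
        # A branch the thread never mentions: only a newer branch is assumed fine.
        newest = max(CITED_FLOOR)
        return "at-or-above-cited" if version[:2] > newest else "branch-not-cited"
    # Compare inside the branch: 11.2.202.481 sorts below 18.0.0.203 numerically,
    # yet it is the cited build for its branch and 18.0.0.203 is not.
    return "at-or-above-cited" if version >= floor else "below-cited"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["WIN 18,0,0,209", "18.0.0.203", "11.2.202.481",
                   "11.2.202.468", "13.0.0.302", "Shockwave Flash 11.2 r202"]:
        print(f"{sample!r:32} -> {assess(sample)}")
```
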
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: User's perspective questions re "major" Flash exploit

Post by therube »

"0-day attacks exploiting Flash just got harder thanks to new defenses
Flash mitigations now fully baked into Chrome; coming to other browsers soon"
http://arstechnica.com/security/2015/07 ... -defenses/
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1