New Adobe Flash Vulnerabilities Being Actively Exploited On Windows and OS X

Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."

Die Flash, Die

I know many will rush to disagree with me but Flash cannot die soon enough...

Re:Die Flash, Die

This is German for "the Flash, the".

Re:Die Flash, Die

[jbeaupre]

Yeah. Remember that time, about 70 years ago, when a bunch of of Americans and British were running around Europe yelling "The German!" So silly.

Re:Die Flash, Die

[Beorytis]

Actually no. Although the term shares its origin with the ethnonym "Deutsch", in the local dialect of English spoken there, it's "Pennsylvania Dutch". Not idiots. Just not speaking your idiolect.

Are there non-malicious uses?

[fuzzyfuzzyfungus]

I realize that implementing embedded flash objects in Office documents was probably something that mostly happened because Microsoft wanted OLE to make embedding arbitrary stuff in arbitrary stuff happen(unlike Adobe's sick fetish for inserting horrible things into PDFs, which is their own damn fault); but do Flash embeds in Office documents actually occur, in the wild, as something people would actually do and distribute, for anything other than malicious purposes? I honestly can't remember ever having seen a single one, ever.

Re:Are there non-malicious uses?

[tibit]

People use Word documents to send freaking pictures around, because they don't know they can paste into Paint. They don't know how to send weblinks either, so they paste it into Word and send it on.

Related to 57 patches for IE next Tuesday?

[Billly+Gates]

I wonder if this and Java are related to the HUE monster security update for IE?

And replace it with what?

[popo]

And replace it with what? The atrocity also known as HTML5 which is not write once run anywhere, is an absolute bear to code and despite the hype is nowhere near suitable for gaming yet?

There's a reason Flash is the world's most popular online multimedia platform. It's not without issues, but it is lacking a worthy contender.

Re:And replace it with what?

[Billly+Gates]

Yep. HTML 5 can offer hardware acceleration on pretty much any mobile device.

The reason for flash was that Java was an ugly POS and people did not want to wiat a full minute for their ugly applets to load while flash was all nice and pretty and loaded instantly.

Flash also exists because of IE. Old IE I may add as IE 9 and IE 10 got their act together and support the HTML 5 video tags. When IE 10 comes out for Windows 7 and XP goes EOL we will see a shift in websites catering to HTML 5 users making flash obsolete for all but the conservative businesses.

Re:And replace it with what?

[Billly+Gates]

Businesses only upgrade if they have a case. Having websites and cloud services move to HTML 5 is a pretty darn good business case to upgrade. IN the past IE 6 had such a strong marketshare that they didnt have to worry about as webmasters were forced to cater to it.

According to statcounter.com IE 8 usage is falling fast to 14% in the weekdays and 10% at the weekends. IE also is getting auto updated with Windows Update and before did not which is why grandmas kept using IE 6 for many many years. When that number hits 5% IE 8 you can expect websites will start focusing on HTML 5 and CSS 3.

IE 8 may remain for many corps for years but it wont be all business this time around because of the things stated above. I mean they didn't stick with Mosaic for 10 years did they?

Re:And replace it with what?

[gstoddart]

There's a reason Flash is the world's most popular online multimedia platform.

Can you tell us what that is?

For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.

Re:And replace it with what?

There's a reason Flash is the world's most popular online multimedia platform.

Yes. DRM.

Re:And replace it with what?

[gstoddart]

I block Flash ads as well, but it's completely myopic to suggest that they don't provide "value" for website owners.

Yeah, but is it of value to users? It isn't for me, and I'm not here to provide value for website owners. As a user, requirement for flash means the back button.

Flash is used for adverts because it works. Deal with it.

Flash gets blocked/not even installed by me an other users because it's crap. Deal with it.

I'm not going to allow Flash ads for any reason -- and if the only thing of value is for ads, that pretty much is what I already thought.

For video, I've yet to see a HTML5 player that works as well as Flash

Maybe it's my age showing, but the number of times I feel like I want to watch a video on the internet is vanishingly small. As in, I have no idea the last time I cared enough to watch a video on the internet. Same for games.

I don't give a rats ass if other people want to run Flash -- run wild, it's your computer. But I'd be hard pressed to name a single thing that has ever made me think "gee, I've been missing out by not having Flash".

Re:And replace it with what?

[ColdWetDog]

And you can argue with this being a feature - or a bug. Just recently finished some course work over at the American Heart Association website. Flash, natch. The structure of which has not been changed for a decade. The same poorly thought out navigation, the same IE centric, buggy code. Just some new content.

Yes, it's AHA's decision not to spend the money to really look at what they are doing, but it's a pretty standard business practice. If it ever worked, it's good enough.

If I ever find the person(s) responsible for that abomination, they'd best hope I don't have a defibrillator handy.

Re:And replace it with what?

[miknix]

For video, I've yet to see a HTML5 player that works as well as Flash.

Youtube's? In fact, youtube switches to html5 everytime when it can, guess what? I don't even notice.

Re:And replace it with what?

[westlake]

For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.

You're entitled to your opinion.

But Flash remains a remarkably viable platform with mature development tools for animation, video and games. Amanita Design comes vividly to mind with games like Samorost, Machinarium, and Botanicula.

Animation in adds and badly designed websites don't go away simply because their developers have migrated to HTML5.

Re:And replace it with what?

[JDG1980]

And replace it with what? The atrocity also known as HTML5 which is not write once run anywhere, is an absolute bear to code and despite the hype is nowhere near suitable for gaming yet?

It's true that for this one particular use-case, Flash may still have an edge against open technologies. But 99% of the Flash on the web is either ads or videos. We don't want to see the ads anyway, and HTML5 makes embedding videos without Flash in a standards-compliant fashion relatively easy. And remember, if your site relies upon Flash, no one with an iDevice will be able to use it correctly. And that's not going to change. In contrast, HTML5 videos work fine on both desktop browsers and portable devices.

If the only thing Flash is good for is some types of online gaming, then many users don't need it at all, and for those who do, it should be set by default to use a whitelist and only permit the plugin to be invoked on domains that are specifically authorized by the user.

Re:And replace it with what?

[cbhacking]

Good for you... but it turns out that a fair number of the most popular websites on the entire WWW play videos, typically in Flash, and they are watched by people of all ages (perhaps more among the younger set, but certainly not exclusively). Quite a few sites (perhaps not individually the most popular, but a massively common *class* of site) also serve lots of Flash video, although for legal reasons they are only supposed to be watched by adults. People also like to watch videos of events they couldn't make it to and listen to streaming music, both of which are common uses of Flash. You can do web-based video chat or even videoconferencing using Flash (Google Talk can do this, for example).

I don't like Flash, and I certainly don't trust it; I keep it tightly curtailed where it's installed at all. However, it's definitely useful in some cases. HTML5 is catching up, but not fast.

Re:And replace it with what?

[amicusNYCL]

It's gotten worse lately, now with Captivate and Articulate being released, anyone who can type can create online learning content. I've seen plenty that are no better than a Powerpoint presentation. We have a full staff of instructional designers, artists, etc who actually manage to create engaging and award-winning content, but seeing our competition, I feel your pain.

Re:And replace it with what?

[Waccoon]

Installation was fantastic. When Flash was new under Macromedia, I remember it being only 300K, and it installed immediately without a reboot or restarting the browser. Java at the time weighed in at (I believe) over 12MB and required a reboot. So did most other media players.

Games. Casual gaming on the PC owes itself almost entirely to Flash. Java sucked, and the alternative was to download and install an EXE, which could do just about anything to your PC. Flash made it possible to run games instantly, directly, without an install, on both PC and Mac. It was the Steam of the day, and worked when everything else failed miserably.

Cartoons. Doing stuff in vectors reduced bandwidth a thousand fold. Say what you want about HTML5 and movie codecs, but if you want to do vector animation, Flash is still your only option.

Educational apps. Ever been to a tech site where they have some kind of visual interactive application to show how the technology works? Java should have dominated in this area, but installing Java was painful, the download was huge, and at one time, Java applets couldn't play audio, because that was considered a security violation. Yes, in an attempt to crack down on the annoying audio and MIDI craze, Java banned all audio in applets for a while. No wonder tech sites dumped Java and went to Flash for their presentations.

Say what you will of closed-source, proprietary media players, but all things that tried to compete with Flash have royally sucked. Flash is most definitely useful, and will continue to exist until HTML stops being garbage (which may take another 10 years or so -- if ever).

Re:And replace it with what?

[mark-t]

Good reason for who? The user? Probably not... Good reason for the website owner? Definitely. Just because you might not agree with those reasons doesn't mean they don't carry any value for other people.

Re:Huh?

[PlusFiveTroll]

>Who in their right mind opens a Word doc from and unknown source

The idiot secretary in the next office over, or the next floor down.

Then the payload mines her email addresses and sends you "Minutes from meeting" or some similar crap. So now instead of having an email from an unknown person you get an email from someone you'd expect to get word documents from. Hopefully you are in a company that has decent A/V on incoming mail, most small businesses don't.

Re:Dear Adobe

[Rougement]

Yep. They've years to develop something that doesn't suck balls and failed miserably.

LOL ...

[gstoddart]

Or, don't even run it. Flash has been a security and privacy hole for a decade or more.

I refuse to install it except on work machines where I periodically have to use it for something I can't avoid.

Yet another exploit? I'd like to say I'm shocked, but that would be a lie.

We don't need antivirus software!

[Netdoctor]

Such is the mantra here...

Sooo tempted to send the CVE out to several people internally, as a word document.

*sigh*

Re:Another reason to use Chrome, avoid Safari, Mac

[KiloByte]

This particular vulnerability might be patched, but you're wide open to hundreds of others. Flash is not something a responsible OS distributor should install by default.

How is Chromebook "open" to Flash vulnerability?

[Andy+Prough]

I'd like to see the explanation as to how my Chromebook could be "wide open to hundreds" of Flash vulnerabilities. Seems preposterous from what little I know about Flash and how it interacts with Chromebook's locked-down Gentoo-based OS.

Re:Huh?

[Inda]

"especially when Windows warns you when you start to open a word doc in Outlook"

Um, some of us have taught them to tick the "don't ask again" box. Sorry about that.

Getting macros to run is harder these days. There's an extra click or two. They don't execute automatically any more.

My report: 6 months without using Flash

[hessian]

Some time ago, after the last round of Flash exploits, I de-installed it and resolved to live without it.

There are glitches: I can't get most video content, and Flash-only sites are inaccessible. However, this ended up being not a big issue.

One reason for this is that many YouTube videos play in HTML5 on Firefox. (If you find a video you can't play, try embedding it; this sometimes produces a workable version.)

Overall, the playback on HTML5 is better than Flash. There are fewer random slowdowns and stall-outs. On the downside, not every video is in HTML5.

The most amazing this is that browser crashes have dropped to near zero, either one or zero during this time. Most of what I thought was FF and Opera being buggy was in fact Flash being buggy.

There's not yet enough content switched to HTML5 from Flash to navigate everything, but during my 6 months without Flash, I've noticed that more firms are going away from the Flash-only navigation school of design.

YMMV. For me, life without Flash has been better, although I do miss out on some things.

Re:My report: 6 months without using Flash

[mister_playboy]

You can solve the video playing problem quite easily with something like FF's Video Download Helper add-on or JDownloader. These tools can examine a URL and allow you to download any videos they find for local playback.

Re:Why is it so bad?

[DarkOx]

Probably because there is not much you can do to fix a fundamentally bad idea. Think of it like all the various attempts to make smoking 'healthy' at the end of day intentionally sucking combustion gases into your lungs just is not good for you, no matter how low tar, free of synthetic chemicals etc you make it.

What does flash do? It executes code from unknown origin on your machine. That has never been a good idea; even if in some cases you can't get around needing to do it. Flash has more problems though it can't be fully sandbox'ed without breaking all those old apps, it needs to be able to do things like read files, open sockets connections, etc.

Re:Huh?

[_xeno_]

As far as I can tell, the Flash updater only bothers to check for an update when the computer first boots.

Because everyone here constantly reboots their computer, right? I mean, it's not like most computers have sleep modes, and that most people just leave the OS running so they don't have to wait for it to boot. Clearly everyone constantly reboots their computer, once per day, to allow the Adobe Flash Updater to check for updates.

Re:Huh?

[benjymouse]

Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content

Why?

Probably because of Windows sandboxing Flash through low-integrity mode. Even if you get to exploit a Flash vulnerability and execute your shell code on Windows, the code is still severely restricted in what it can do. Code executing inside of a low-integrity process can still not infect a system as write-ups (writing or interacting with a higher integrity object/process) are denied.

They could as easily infect you with a macro. Who in their right mind opens a Word doc from and unknown source, especially when Windows warns you when you start to open a word doc in Outlook (we use Outlook at work).

No, infecting with a Macro is more difficult since the last several versions of Word. Word will not automatically run macros and also has an internet-origin policy whereby documents received through Outlook or other email clients or downloaded using a browser is tainted with the "internet zone". You have to dismiss several warnings to run macros from such a document. But if Word will run Flash content (show the animation) and a vulnerability can be exploited, shell code can run as a user.

That is, until Word 2010 which *also* runs in low-integrity when viewing content tainted with the internet zone. Since Word 2010 the shell code will still be confined to the low-integrity sandbox.

Windows secure, OS X not so much.

[benjymouse]

We see here how the Windows platform has been battle hardened to the point where the attackers have to resort to lower-yield secondary attacks. Head-on attacking Flash on Windows does not get the attacker very far because of the security advancements such as Mandatory Integrity Control (MIC). That's why the attackers try to exploit it in contexts where MIC does not prevent system infection, such as through older versions of Microsoft Word through emails.

OS X is still wide open to such head-on attacks when a vulnerability exists, especially Firefox because Mozilla has steadfastly refused to put in place a proper sandboxing barrier. Even Safari has some sandboxing in the latest version of OS X.

Firefox not. A vulnerability in Firefox or one of its plugins means significant risk of successful exploits.

Flash on Windows executes in a low-integrity process. Even if a Flash vulnerability is exploitable and shellcode gets to execute in the Flash host process, it still cannot write anywhere or interact with higher integrity objects because of mandatory integrity control (MIC) which was introduced with Vista.

The upshot: Attackers have to try secondary routes on Windows where the conversion rates are much, much lower. And this specific attack vector will not work on Word (or other Office applications) since Word 2010. Since the 2010 versions, internet downloaded documents are also opened in low-integrity mode, meaning that even here the shellcode would be similarly restricted.

Re:How about Linux/Android/etc users

[benjymouse]

Does this bug also affect users of those OS's, because last time I heard
a) Adobe isn't offering a flash package for current android
b) Adobe isn't offering updates to the Linux flash version.

I'll assume that Linux users can have the vulnerable version, is there something in the OS that makes them immune or were they just not mentioned?

The 1st paragraph of TFA:

Adobe has released security updates for Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.261 and earlier versions for Linux, Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Short of using SELinux or apparmor on Linux (and live with the consequences), there is nothing to prevent an exploit using these vulnerabilities through e.g. Firefox or other non-sandbozed browsers. IIRC Chromium uses a sandbox which would prevent the attack from infecting your account.

Windows uses low-integrity mode to sandbox Flash in browsers which is why the attackers try to use an alternate (and lower yeilding) attack vector through older versions of Microsoft Word (Word 2010 sandboxes the entire document including any Flash content if the document was downloaded from an untrusted source or received through an email)