Slashdot Mirror


Adobe Hopes Pop-up Warnings Will Stop Office-Borne Flash Attacks

tsamsoniw writes "In the wake of the most recent zero-day attacks exploiting Flash Player, Adobe claims that it's worked hard to make Player secure — and that most SWF exploits stem from users opening infected Office docs attached to emails. The company has a solution, though: A forthcoming version of Flash Player will detect when it's being launched from Office and will present users with a dialog box with vague warnings of a potential threat."

22 of 125 comments

  1. Separate the code and the data by Gothmolly · · Score: 5, Insightful

    This is why your data should not be executable.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Separate the code and the data by Darinbob · · Score: 5, Insightful

      People want convenience. And convenience is the mortal enemy of security.

    2. Re:Separate the code and the data by davester666 · · Score: 5, Interesting

      WTF is so convenient about having Word being able to display Flash content?

      Do a significant/noticeable number of people embed Flash content in their Word documents?

      How about Flash just preventing itself from running in non-browsers [and maybe their standalone Flash app]?

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:Separate the code and the data by rudy_wayne · · Score: 3, Insightful

      WTF is so convenient about having Word being able to display Flash content?

      Do a significant/noticeable number of people embed Flash content in their Word documents?

      The number of people actually doing this for legitimate reasons is probably very small. The problem is, companies like Microsoft and Adobe must constantly release new versions of their software in order to keep a constant revenue stream. And that means constantly adding new "features" of questionable value.

    4. Re:Separate the code and the data by nmb3000 · · Score: 4, Funny

      This is why your data should not be executable.

      I'm trying to figure out what possible reason to have Flash embeddable inside an Office document someone might have. Maybe you could argue that it's worth being able to embed in a PowerPoint slide, but even that is reaching.

      A forthcoming version of Flash Player will detect when it's being launched from Office and will present users with a dialog box with vague warnings of a potential threat.

      I think a better solution is to disable Flash entirely* when run from an Office document and instead display a message that says:

      "Flash has been disabled. To enable Flash content, contact your system administrator and he will come back there and hit you on the head with a tack hammer 'cause you are a retard ."

      * of course with the obligatory registry-key-bypass for corporate users

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    5. Re:Separate the code and the data by thegarbz · · Score: 4, Informative

      While that may be true for flash specifically, the number of people who embed complex programming scripts into word documents is incredibly large. I've never worked for a company which didn't have some bizarre use for it.

      A small pizza joint used a complicated array of JavaScript to automate their ledgers, which were kept in an Excel file rather than an accounting program.
      A biscuit factory I worked for actually managed to turn a very large collection of Excel files into a rudimentary database with an insanely complicated set of scripts embedded in each file. This surprisingly worked, though you pushed a button and it would open many files in Excel at once, and the computer ground to a halt while computing the necessary ingredients for the next batch.
      Now I work for a large Fortune 500 company, and every Word document is embedded with complicated scripting to automagically update footers and synchronise with a 3rd-party document management system.

      While I haven't seen Flash specifically, it is not at fault here security-wise; embedding programming languages into content files is, and that is incredibly common.

    6. Re:Separate the code and the data by symbolset · · Score: 3, Funny

      What does it matter? Office may as well be considered a remote access terminal server backend with system privileges for a metasploit frontend remote desktop client. The document preparation features are optional and in most cases redundant.

      --
      Help stamp out iliturcy.
    7. Re:Separate the code and the data by DNS-and-BIND · · Score: 4, Interesting

      I've noticed this in reverse: app reviewers on Google Play complain if the app hasn't been updated in a while - even if it is complete and stable. To the modern user, updating frequently doesn't mean "broken-ass program with lazy programmers", it means "normal".

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    8. Re:Separate the code and the data by TitusGroan8856 · · Score: 4, Insightful

      Just because the software is flexible enough to do the job doesn't make it the right tool for that job. This system can indeed be built in house by those who don't have a full understanding of programming but do have a better insight into the data that's being manipulated. It's going to be poorly documented, and when it breaks or goes wrong very few people are going to be able to fix it for you. Do the job properly from the outset: hire a programmer and have custom software written to your spec. The false economy of using off-the-shelf products has led to many companies' downfall.

  2. Clever move by physlord · · Score: 4, Insightful

    Yeah! Since the average user totally understands the situation, that "vague warnings of a potential threat" will, obviously, solve the problem. Pure genius.

  3. aaand it won't help much by v1 · · Score: 5, Insightful

    "So what's wrong with it?"

    "You have the latest flash virus. Have you opened any Word documents lately?"

    "Of course! I use Word all day."

    (scans hdd, finds the one in email that started it)

    "Did you open this?"

    "Of course I did. It's the weekly report."

    "Didn't it WARN you there may be a virus?"

    "Yes it opened up a box I hadn't seen before. But I needed to see the report, so I clicked the Open Anyway button."

    "Didn't you get the memo last week about not clicking Open Anyway?"

    "Of course I read the memo. But I need to read that report. I had to open it."

    aaaand this is why this doesn't work anywhere near as well as Adobe says it will. No matter how many times you tell them to call you and NOT open it anyway, they still will. And you'll be at her desk again. Maybe later today even. Because she opened it anyway, because she "had to". (speaking from experience here)

    The only reasonably effective way to implement this is with a policy that is system-wide, that allows administrators to disable the Open Anyway button for the users that can't be trusted with it. (which will be most of them)

    --
    I work for the Department of Redundancy Department.
    1. Re:aaand it won't help much by Darinbob · · Score: 3, Insightful

      People sometimes don't realize that people they know may be sending malware (not on purpose), or that someone may be pretending to be people they know. Just because the email is from the head of your church committee doesn't mean it's safe to open the "look at these kitties!" file.

      Some people also just click yes to everything. I was helping my mother figure out some new problem on Firefox, which involves telling her the names of a particular menu to choose and the like. And I couldn't figure out why she wasn't finding the menus or buttons I was talking about. Then I realized she had updated her Firefox whenever it popped up and said "hey, please update me!", and now she had a UI she was unfamiliar with. This also means she occasionally ends up with Google bars or Yahoo bars or something else stupid that I have to uninstall every time I visit.

      It's not just mothers that do this, I see professionals in the office doing the same thing.

    2. Re:aaand it won't help much by rabtech · · Score: 3, Interesting

      Here's the real version of that conversation:

      "So what's wrong with it?"

      "You have the latest flash virus. Have you opened any Word documents lately?"

      "Of course! I use Word all day."

      (scans hdd, finds the one in email that started it)

      "Did you open this?"

      "Of course I did. It's the weekly report."

      "Didn't it WARN you there may be a virus?"

      "No"

      "I'm pretty sure it popped up and warned you about the security implications of opening documents containing flash applets from untrusted sources"

      "What does that mean?"

      "It means it warned you about a possible virus"

      "Oh, well stuff pops up all the time and I just click OK so the computer will work. Sometimes it pops up again so I click Cancel"

      Users are bombarded with dialog boxes, permission boxes, info bars, tray notifications, software update notifications, and so forth all day long. They don't read them, they just click YES/OK. If it pops up again, they try CANCEL (even if the text is different - remember they don't read it!)

      That's why IE's ActiveX scheme was a massive failure - it relied on users to know what ActiveX was, know what digital certificates were, then make an informed security decision for each and every control that wanted to install. Even if the native code execution wasn't a huge hole all by itself the whole scheme is a massive failure because most users don't know what ActiveX is, wouldn't know how to verify a certificate if they wanted to, and can't control what the control does after it's installed.

      This is also why Android is a huge security fail. It relies on the user to understand what the permissions mean and what the consequences are at the time of install. Even if you understood exactly what those 18 permissions were (including scrolling down to expand the list and finding identically named permissions but with slightly different detail text under them)... you can't enable-disable them if you decide the app shouldn't have some of them. Should App X be able to modify or delete USB storage? maybe... depends on what it wants to do! Should it be able to make phone calls or send text messages? Maybe... too bad you won't be asked about it when it signs you up for $9.99/mo SMS services. What about manage accounts? Maybe the app wants to legitimately manage accounts... or maybe it will delete your entire google account. Who knows, but you sure won't be prompted about it.

      Any system that relies on the user to make potentially dangerous security decisions is an automatic failure; doubly so if the decision is irreversible and persistent for all time (which covers the vast majority of security systems in use today).

      I'm almost certain that in the future we'll grant permissions to different apps and websites by answering at the time the app wants access to the resource, not forever. Further I think the system will want to keep a history (think git, but for the entire filesystem), allowing you to effectively "roll back" a bad security decision. That probably means browsers and apps all run isolated in their own OS-provided VM/sandbox and all sharing or filesystem access routes through the version control system.

      --
      Natural != (nontoxic || beneficial)
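The thread above keeps coming back to two points: the "Separate the code and the data" posters want embedded controls and scripts in Office files treated as executable content, and v1 wants a system-wide, administrator-set policy instead of an "Open Anyway" button the user can click past. The following is an added example, written for this page and not code from Adobe, Microsoft or any of the posters: a gateway-style check that unpacks an OOXML document, looks for ActiveX control parts, OLE embeddings and VBA projects, and applies a fixed policy. The CLSID it matches is the real one registered for the "Shockwave Flash Object" control; the sample documents, the part layout used to build them, and the policy labels ("block", "quarantine", "strip-macros", "allow") are constructed for the example.

```python
# Added example (not Adobe's, Microsoft's, or any poster's code): a gateway-style
# check that treats embedded ActiveX controls, OLE objects and VBA projects in
# an Office document as executable content and decides what to do with it.
# Sample documents are constructed in memory below; the Flash CLSID is the real
# one for the "Shockwave Flash Object" control.
import io
import re
import zipfile

FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"
# OOXML ActiveX parts look like <ax:ocx ... ax:classid="{...}" ...>
CLSID_RE = re.compile(r'classid="(\{[0-9A-Fa-f-]{36}\})"')
MAX_PART_BYTES = 4 * 1024 * 1024  # refuse to inflate oversized parts (zip-bomb guard)


def scan_ooxml(data: bytes) -> dict:
    """Inspect one OOXML package (.docx/.xlsx/.pptx bytes) for active content."""
    findings = {"activex": [], "flash": False, "macros": False,
                "ole_embeddings": [], "legacy_binary": False, "oversized": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy OLE2 .doc/.xls/.ppt is not a zip; it needs a CFB parser instead.
        findings["legacy_binary"] = True
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith("vbaproject.bin"):
                findings["macros"] = True
            elif "/activex/" in name and name.endswith(".xml"):
                if info.file_size > MAX_PART_BYTES:
                    findings["oversized"] = True
                    continue
                xml = zf.read(info).decode("utf-8", "replace")
                for clsid in CLSID_RE.findall(xml):
                    clsid = clsid.upper()
                    findings["activex"].append(clsid)
                    if clsid == FLASH_CLSID:
                        findings["flash"] = True
            elif "/embeddings/" in name:
                findings["ole_embeddings"].append(info.filename)
    return findings


def decide(findings: dict) -> str:
    """Administrator-set policy in place of a user-facing 'Open Anyway' button."""
    if findings["flash"]:
        return "block"          # no legitimate office use; drop it outright
    if findings["legacy_binary"] or findings["oversized"]:
        return "quarantine"     # cannot tell what is inside; a human looks
    if findings["activex"] or findings["ole_embeddings"]:
        return "quarantine"     # other embedded controls or objects
    if findings["macros"]:
        return "strip-macros"   # or route to a sandboxed viewer
    return "allow"


# ---- constructed samples (not real attack files) ----
FLASH_ACTIVEX_PART = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
    'ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}" '
    'ax:persistence="persistStreamInit"/>'
)


def build_sample(extra_parts: dict) -> bytes:
    """Build a minimal OOXML-shaped zip carrying the given extra parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for part_name, body in extra_parts.items():
            zf.writestr(part_name, body)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "clean.docx": build_sample({}),
        "flash.docx": build_sample({"word/activeX/activeX1.xml": FLASH_ACTIVEX_PART}),
        "macro.docm": build_sample({"word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
        "legacy.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    }
    for label, blob in samples.items():
        print(f"{label:12} -> {decide(scan_ooxml(blob))}")
```

The decision table is the point: the user never sees a dialog, and the choice of what to do with Flash, other ActiveX controls, OLE objects and macros is made once by whoever runs the mail gateway or file share. The scan is a filter, not a substitute for host-side enforcement; on the workstation the equivalent control is a per-CLSID COM kill bit that stops Office from instantiating the Flash control at all (check the exact registry location against Microsoft's documentation for your Office version before deploying it). Two limits worth knowing: a legacy binary .doc/.xls is not a zip and needs an OLE2 (CFB) parser, and an attacker can wrap the same content in an OLE embedding rather than an ActiveX part, which is why embeddings are quarantined rather than allowed.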
  4. Re:Just remove Flash from office machines by hawguy · · Score: 3, Insightful

    There's absolutely no reason to have Flash installed on machines in an office. Remove it and give the users regular accounts so it can't be re-installed, and you'll be fine.

    Except of course, for the web-based trainings that employees have to take that rely on Flash.

  5. "Just show me auntie's e-card!" by chronokitsune3233 · · Score: 3, Interesting

    "This document contains macros which may harm your computer. Do you wish to allow them to run?" (Clicks "Yes" blindly.)

    Some (or maybe all...IDK) Word documents that were actually templates contained macros in the absence of an actual wizard. This meant that in versions of Office that recognized the security hazard, you got a pop-up before the document actually opened. I personally clicked "Yes" or "Open Anyway" or "Allow" or whatever it said without even bothering to read it because I usually got the document from a trusted source (as in someone I trust, not someone a company/corporation trusts using an actual whitelist/blacklist). I presume many got tired of seeing the message as I did, and they did the same thing. Similar events will probably happen with this Flash issue. Your aunt sent you an e-card for your birthday from her virus-infested computer? Sweet! Allowed!

    And before people ask, yes I was speaking in the past tense. I no longer use Microsoft Office, in favor of Google Drive's Office-like features that started out as "Google Docs & Spreadsheets". It may not be as full-featured, but I don't need it to be either.

    --
    I have been a captive in America my entire life. Everybody and everything uses customary units instead of metric.
    1. Re:"Just show me auntie's e-card!" by v1 · · Score: 4, Informative

      Macro viruses were annoying also. For a while Word/Excel gave you only one check box in security prefs, to pop a dialog when a document contained macros. (You could not disable them, only turn on the dialog.)

      Then when the user opened a doc with a macro (or more often, a virus) it would pop and give just TWO options... (A) open and run macros, or (B) do not open.

      Gotta love microsoft for that one. Took them insane ages to add the (C) Open with macros disabled. Until then we had to deal with the "but I HAD to open it" people. But then I could continue to bash on them for not having a "flush macros" button anywhere, and the ability to create a "hidden" macro, and every macro virus creator's all-time-favorites, the "run on open" and "copy macro to other closed document" options. But that's drifting somewhat OT.

      --
      I work for the Department of Redundancy Department.
  6. Re:Just remove Flash from office machines by ColdWetDog · · Score: 4, Informative

    Genuinely interested... what would you use Flash for in an office? Not counting people who develop Flash games for work, since they ought to be clueful enough not to get pwned.

    At least in the medical field, every damned 'training' company, every manufacturer, every news site uses Flash. And uses it poorly. But it's not going away any time soon.

    --
    Faster! Faster! Faster would be better!
  7. Meanwhile Gnash by Ceriel+Nosforit · · Score: 3, Interesting

    Meanwhile Gnash supports Youtube just fine, which remains Flash's sole legitimate use.

    It even supports audio out of the box.

    --
    All rites reversed 2010
  8. dealing with viruses is your job by decora · · Score: 3, Insightful

    Welcome to corporate America, you are responsible for shit you have no way to control or to fix.

    Just like everyone else.

    Those people who have to open those reports are in the same boat as you. If they don't open the report, then xyz doesn't get done, then a shit storm rolls down the hill and destroys the entire department.

  9. Re:Just remove Flash from office machines by hawguy · · Score: 3, Insightful

    Except of course, for the web-based trainings that employees have to take that rely on Flash.

    Web-based training is a virus. It both decreases productivity and makes users unhappy.

    No arguments here, but tell that to the state of California, which requires 2 hours of sexual harassment training for all workers that supervise other employees. The training itself decreases productivity and makes users unhappy; making it web based doesn't make it more so. At least I can browse the web while clicking through the tedious training with "quizzes" with answers that anyone with a modicum of common sense can answer.

  10. Yes another popup message is the fix! by chopthechops · · Score: 3, Insightful

    After 18 years or so of increasingly frequent popup messages appearing in popular software you would think everyone realises by now how useless they are. Normal users don't read popups, and those who do read them don't know or care what they mean, and/or they just choose to ignore them. Actually I think software vendors know exactly how useless they are, and in the case of security-related popups it's just the vendor saying "security is the end user's problem, not ours". Kinda like the warnings you get on cigarette packets.

  11. * Hopes popup warnings will stop * attacks by Chas · · Score: 5, Insightful

    Sorry.

    It doesn't happen that way.

    It just doesn't.

    They tried this with browsers. It was egregiously cumbersome and conditioned people to auto-click YES to everything.

    They tried this with Windows. It's still egregiously cumbersome and is still just conditioning people to blindly auto-click YES to everything.

    So...NOW...they're adding MORE crap to click YES automatically to?

    Third time's the charm?

    FUCK NO!

    Three strikes and you're out fuckers!

    Warning popups prevent a small amount of infestations up front.
    HOWEVER, down the road, as people get conditioned to the popups, they just click past without looking. Because the popups ARE IN THEIR WAY.

    Adding a stupid popup is basically an admission that they're too goddamn stupid or lazy (or both) to secure their software properly. Or that their software is inherently not secure or not able to BE secured.

    At which point, it's crap that needs to be replaced with a better solution. Even if it means giving up the convenience of "Well this works right now".

    --
    Chas - The one, the only.
    THANK GOD!!!