Emergency Adobe Flash Patch Fixes Zero-Day Under Attack

msm1267 writes: Adobe has released an emergency patch for a Flash zero-day used in targeted attacks by APT3, the same group behind 2014's Clandestine Fox attacks. Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is 11.2.202.466 for Linux 11.x versions.

The current iteration of Clandestine Fox attacks shares many traits with last year's attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure.

disable flash!

[Gravis+Zero]

i said it before and i'll say it again.

there are very few reasons to keep flash installed/enabled. if you must have it, use flashblock but chances are you can just disable/remove it completely. if some site still uses flash to play video, leave a complaint in the comments. those that haven't switched to html5 yet will do so soon enough.

if you still have java plugin installed, you better have a good reason because no (sane) sites use that shit.

Simpler fix: uninstall

Youtube uses HTML5 now. Why does anyone still have a reason to use flash? (I mean besides for watching pr0n, which you do inside a virtual machine, and you restore to a checkpoint afterwards to completely avoid any possibility of malware infestation or cross-session cookies, right?)

tl;dr: Uninstall flash. You don't need it anymore.

Re:Simpler fix: uninstall

[ShaunC]

Youtube uses HTML5 now. Why does anyone still have a reason to use flash?

Most functionally useful weather radars, including NOAA's, require Flash. My state's Department of Transportation uses Flash for their traffic cameras. Livestream.com, which hosts my local TV news broadcasts along with other stuff like SpaceX launches, is still Flash. And if I want to view any cable TV programming on the computer, Comcast's player is Flash based.

I'd love to have uninstalled Flash a long time ago; for the time being I have to keep it around and use Flashblock.

Fortunately, I do not need to care

[gweihir]

I have de-installed the "Flash" malware some time ago and it will _not_ find its way on my computer again. This thing is a solution for nothing, but a persistent problem. It really is a pity, Adobe used to make good software. Not anymore.

Re:not another one. FUCK!

[geekmux]

The issue is that Flash's functionality hasn't changed in years, but it needs a security update every other week. You'd think that Adobe could've have sorted that all out by now. If this is the quality of a simple playback plug-in, what conclusion can be drawn about the quality of the rest of their software.

Adobe Acrobat Reader v5 was about 15MB in total size after installation.

Adobe Acrobat Reader v11 is over 400MB in total size after installation.

I really don't think there's any question as to the quality of their shitty bloatware.

In fact, one could argue the main functionality that Adobe has brought to the desktop and browser in the last 10 years is plenty of attack vectors.

And all this bloatware bundling bullshit won't go away until we start holding vendors accountable for the vulnerabilities they create.

Re:not another one. FUCK!

[Mashiki]

Oh it gets better. Since the last release, they now force mcafee on you.