New Flash Vulnerability Being Exploited In the Wild (trendmicro.com)

← Back to Stories (view on slashdot.org)

New Flash Vulnerability Being Exploited In the Wild (trendmicro.com)

Posted by Soulskill on Tuesday October 13, 2015 @11:57AM from the it-must-be-tuesday dept.

An anonymous reader writes: Researchers from Trend Micro report a new attack on fully-patched versions of Adobe Flash. The attacks originate from an espionage campaign run by the group known as Pawn Storm, and seem to target only government agencies. "Ministries of Foreign Affairs have become a particular focus of interest for Pawn Storm recently. Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These are used for simple, but extremely effective, credential phishing attacks. One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organization for an extended period of time in 2015."

51 of 101 comments (clear)

Min score:

Reason:

Sort:

Surprise? by Anonymous Coward · 2015-10-13 12:08 · Score: 5, Funny

Really? What would be news here is if Flash DIDN'T have a vulnerability for a change...
1. Re:Surprise? by Anonymous Coward · 2015-10-13 12:19 · Score: 1
  
  Flash makes Windows look secure.
2. Re:Surprise? by Lunix+Nutcase · 2015-10-13 12:46 · Score: 2
  
  If the day ends in 'Y' there's likely to be a Flash exploit in the wild.
3. Re:Surprise? by Mogster · 2015-10-13 15:51 · Score: 1
  
  +5 Funny?
  I would say +5 Informative and +5 Insightful
  Mind you I guess it's funny because it true
  
  --
  ACK NAK RST
4. Re:Surprise? by Big+Hairy+Ian · 2015-10-13 23:07 · Score: 1
  
  I thought flash was the vulnerability! Isn't html 5 meant to be killing it off anyway?
  
  --
  Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
5. Re:Surprise? by ememisya · 2015-10-14 07:32 · Score: 1
  
  This just means Adobe ain't playing ball. They surely could have hired competent programmers who can code by now. I'm all for canvas and HTML5 of course, but Adobe is a visionary old man. I have respect for the ones who brought us sites like http://www.eye4u.com/ in the 90s when the Interwebs was just ... plain and we had boxes that blinked. Browsers looked like local car sales commericals, big yellow exclamation marks and flashing text before Adobe came into the scene. Well actually it was Macromedia and Adobe just kind of absorbed them, but that's besides the point.
  
  I'm sorry Adobe, we are the Internet. Your technological distinctiveness will be added to our own.
Uninstall it. by BrendaEM · 2015-10-13 12:13 · Score: 3, Interesting

I uninstalled Flash on my computers, and the world did not end.

--
https://www.youtube.com/c/BrendaEM
1. Re:Uninstall it. by Anonymous Coward · 2015-10-13 12:23 · Score: 1, Insightful
  
  Yeah I'm sorta lost as to why a government agency would have Flash installed in the first place.
2. Re:Uninstall it. by peragrin · 2015-10-13 12:56 · Score: 1
  
  I uninstalled flash on my computers, and then installed chrome for when i needed flash for websites.
  you might be surprised at the number of sites that still use some flash. especially auto manufacturers though that is changing.
  
  --
  i thought once I was found, but it was only a dream.
3. Re:Uninstall it. by PopeRatzo · 2015-10-13 14:06 · Score: 1
  
  I uninstalled Flash on my computers, and the world did not end.
  I threw my computers into the wood chipper, and the world did not end. So that's kind of a low bar, you know?
  
  --
  You are welcome on my lawn.
4. Re: Uninstall it. by Lunix+Nutcase · 2015-10-13 14:50 · Score: 3, Informative
  
  http://kb.vmware.com/selfservi...
5. Re:Uninstall it. by LordWabbit2 · 2015-10-13 19:43 · Score: 1
  
  To watch videos about cats, why else?
  
  --
  There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
6. Re:Uninstall it. by nnull · 2015-10-13 22:02 · Score: 1
  
  Me neither. Stopped using flash completely after all the exploits coming out on a weekly basis. Adobe showed how one can destroy a product with their total incompetence, so much for flash being the future. Hope that $3.4 billion was worth it. It's amazing how fast Adobe Flash is disappearing from the web. I wonder what's going to happen to all those flash based games or the companies that have built on top of flash to build their products?
  
  But oh well, I don't even use Adobe's PDF viewers anymore. The alternatives offer more options and less exploits than their own reader. I can't wait till they destroy their main flagship products as it seems they excel at destroying everything they've built and acquired than actually doing something useful.
7. Re:Uninstall it. by FrozenGeek · 2015-10-13 23:40 · Score: 2
  
  Having worked for a government agency, let me just say that the level of computer savvy, not even to mention the level of computer security savvy, in government is appalling. People who know better have to work very hard to keep their heads from exploding at the stuff that goes on in government. It is worse than in private industry because the likelihood of being fired is so low.
  
  --
  linquendum tondere
8. Re: Uninstall it. by KGIII · 2015-10-14 01:31 · Score: 1
  
  That's the most nondescript URL I've seen in a while. Why the hell do companies still do that?
  
  --
  "So long and thanks for all the fish."
And here we go....... by JustAnotherOldGuy · 2015-10-13 12:14 · Score: 5, Insightful

..........another excellent reason to use AdBlock and NoScript.
Flash not allowed to run? No Flash exploit, simple as that.

--
Just cruising through this digital world at 33 1/3 rpm...
1. Re:And here we go....... by JustAnotherOldGuy · 2015-10-13 13:59 · Score: 2
  
  You mean another reason to not use Flash?
  AdBlock... nothing to do with Flash. This is for blocking ads. While some ads are built in Flash, most are images or text or HTML5 based.
  I'd say that ~50% of all the ads I see (well, used to see, lol) were Flash. And sadly, Flash is still used all over the place, especially on older sites.
  So for me, blocking Flash is a no-brainer.
  As for NoScript, it blocks a lot of the javascript that's often used to launch the ads you see on sites, including the ads that use Flash.
  If you've ever run ads from Advertising.com, Doubleclick, FastClick, etc etc, they're almost always pulled from the ad company's servers by a snippet of javascript that you paste into the page (or into your ad rotator). Blocking javascript knocks that shit out, period.
  NoScript and AdBlock are indispensable for me, together they're a one-two punch that knocks out most of the stuff I'd normally have to worry about.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
2. Re:And here we go....... by DigiShaman · 2015-10-13 15:51 · Score: 1
  
  Yeah, no, fuck that. Just uninstall Flash to begin with if you have it on your system; and don't ever EVER install it again. Be done with it already!
  
  --
  Life is not for the lazy.
3. Re:And here we go....... by JustAnotherOldGuy · 2015-10-13 16:06 · Score: 1
  
  Yeah, no, fuck that. Just uninstall Flash to begin with if you have it on your system;
  
  Well, sometimes I like to play some of the silly Flash games I have to kill a little time. I turn it on when I'm bored and turn it back off when I'm done.
  But for browsing the web? No way, not a chance.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
4. Re:And here we go....... by Anonymous Coward · 2015-10-13 23:02 · Score: 1
  
  Or, you know, do what a smart person would do and just put Flash on click-to-play.
  You need neither of those extensions for that.
  Adblock and Noscript aren't going to stop a website from being hacked and serving you an infected flash file anyway.
  Equally this is why your browsers should all be sandboxed as well.
  99% of infections will never get through it, and if they do, it is because you were stupid, or you pissed a government off.
5. Re:And here we go....... by phishybongwaters · 2015-10-14 01:26 · Score: 1
  
  congrats on not knowing what the hell you are talking about. How are most ads delivered? Javascript. What do most ads do once loaded? Execute Javascript. How do ads deliver malware? Javascript. How do most nefarious sites check for, and execute, exploits? Javascript. If you remove flash you likely won't see THAT much of a difference. Many sites have already switched seamlessly to html5 for video, but not all. I happen to frequent a few that still use flash. If you are like me, you have a few options. #1 install noscript on whatever browser you use # Use chrome to load any pages which require flash Here's the option part. You can either do the above and HOPE you don't get nailed, or you can run a sandbox for the browser and only view flash content that way. Or... you can avoid entering passwords or doing anything like online banking on the machine, and just wipe and reinstall every few days. This won't fix you up if you get hit with something really nasty that stays resident on the service partition of your disc, or a rootkit / infected bios. But this will resolve 90% of the issues you'll get from running flash and actually connecting to the internet.
Solved by Tablizer · 2015-10-13 12:36 · Score: 5, Funny

seem to target only government agencies
No problem, I'll just put my gov't work on a home server.

--
Table-ized A.I.
1. Re:Solved by mbourgon · 2015-10-13 14:00 · Score: 1
  
  Thank you, Madame Secretary, but that's the other story (http://politics.slashdot.org/story/15/10/13/1951232/clinton-home-servers-had-ports-open#comments).
  
  --
  "Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
Flash is either VERY buggy, or deliberately buggy. by Futurepower(R) · 2015-10-13 12:48 · Score: 3, Insightful

It seems to me that Adobe Systems is no longer a well-managed company, and hasn't been since Bruce Chizen got tired of managing Adobe, which was well before he resigned in 2007. Here is a story from 2007 about that: Bruce Chizen's legacy.

This is a comment from a reader of that story who called himself Tidewind: "I might be in the minority on this, but under Bruce Chizen, I felt Adobe became, well, arrogant." That was my experience, also.

Part of the attraction of Flash has been that it is used to violate the privacy provisions of browsers. Flash can be used to generate what are called Flash-cookies, Local Shared Objects (LSOs), or Super-Cookies, which are files placed on a visitor's computer by the Flash plug-in.

(To avoid permanent tracking: In Firefox, use the BetterPrivacy add-on.)

Now Adobe is trying to make money by making its very expensive products even more expensive by charging monthly for them.

Microsoft followed that monthly business model with Office 365: Pay every day, 365 days each year, even if some of those days you don't have internet access. (Read the comments about Microsoft's other methods of abuse, such as restricting each copy to one country.)

Flash is either VERY buggy, or deliberately buggy. Possibly one way Adobe Systems makes money is by allowing vulnerabilities supplied by secret government agencies. Those agencies can spend billions of dollars of taxpayer money without public oversight.

The new software company business model is apparently "Be abusive".
Re:Flash is either VERY buggy, or deliberately bug by jonwil · 2015-10-13 12:57 · Score: 1

I would like to see someone with some resources dump something towards creating a nice open source replacement for Flash that doesn't have all the security holes and problems of the Adobe product.
Of course the real problem is all the content sites out there that (for some idiotic reason) are relying on Flash for DRM and which cant be made to work on any flash alternative due to the US DMCA and other similar laws around the world.
Re:Flash is either VERY buggy, or deliberately bug by Anonymous Coward · 2015-10-13 13:19 · Score: 1

I would like to see someone with some resources dump the source code of all Adobe products, that would be an interesting read!
Re:Flash is either VERY buggy, or deliberately bug by 0123456 · 2015-10-13 13:25 · Score: 1

Adobe software has been bugware for as long as I remember. Adobe Premiere was the software that taught me to hit CTRL+S every few seconds, and save a backup copy every half hour.
'Crap, Premiere just crashed again.'
'Double crap. It corrupted my save file just before it crashed.'
Really? by gstoddart · 2015-10-13 13:27 · Score: 1

Ministries of Foreign Affairs
*sigh* I would really think those agencies would have people who are sufficiently paranoid as to not allow Flash on those computers. Or are government officials all demanding they be able to watch YouTube videos?
Flash has been a gaping series of security holes for almost 20 years now, why the hell do people keep trusting it?

--
Lost at C:>. Found at C.
1. Re:Really? by Anonymous Coward · 2015-10-13 19:50 · Score: 1
  
  Pornsites have always been ahead of the curve when it comes to video streaming on Internet, and it isn't the Ministries that are behind the curve, they aren't even streaming video.
  News pages on the other hand are far behind on that part and journalists have never been on the side of science and technology.
2. Re:Really? by wbr1 · 2015-10-13 22:43 · Score: 1
  
  Unprotected sex has been a gaping source of STDs for 1000's of years now, why the hell do people keep having it?
  
  --
  Silence is a state of mime.
3. Re:Really? by KGIII · 2015-10-14 01:47 · Score: 1
  
  I was using a little hand-held Tandy with an external modem to upload content to a newspaper a long time ago when I was doing some freelance work for extra money. So, I dunno... I'm not sure where I'm going with that but I don't think you're *quite* accurate.
  
  --
  "So long and thanks for all the fish."
Re:Plugins are for COWS by Memnos · 2015-10-13 13:32 · Score: 1

Considering how much you say MOOOO, perhaps it's you that is the cow.

--
I don't trust atoms -- they make up stuff.
Definition of Flash by Mike+Van+Pelt · 2015-10-13 13:33 · Score: 1

Flash: A reeking bottomless pit of zero-day vulnerabilities, all different.
1. Re:Definition of Flash by KGIII · 2015-10-14 01:50 · Score: 1
  
  Hmm... Fucking Long-term Assinine Security Hazard.
  
  --
  "So long and thanks for all the fish."
Adobe Reader by Dan+East · 2015-10-13 13:43 · Score: 1

It seems to me that Adobe Systems is no longer a well-managed company, and hasn't been since Bruce Chizen got tired of managing Adobe, which was well before he resigned in 2007.
"no longer"??? Adobe Reader was one of the biggest attack vectors that has ever existed in the history of the web, going back way before 2007. I kid you not, a new exploit came out month after month after month. It was ridiculous. Adobe Flash is actually slightly better in that regard, if that tells you anything.

--
Better known as 318230.
1. Re:Adobe Reader by Dutch+Gun · 2015-10-13 17:17 · Score: 1
  
  Remember when we just had to worry about making things functional? It's hard to imagine that just a few decades ago, someone thought it was a great idea if, when you inserted a CD (later DVD, then USB drive) your computer would automatically execute binaries found on that media? Or that you could attach a random executable to an e-mail, send it to anyone in the world, and they could execute said binary with a single click? Remember when Windows computers were attached to the internet with default ports open, so anyone on the internet could see whatever drives and printers they decided to share? How about embedding scripting languages inside documents? Automatically executing binary plugins on the web? Neat stuff!
  This was the era in which these technologies were born.
  Take a look at this list of vulnerabilities in Acrobat Reader and just shake your head. 434 and counting. Since PDF was invented in 1991 (and presumably Acrobat came shortly after), that's on average a new vulnerability discovered every 20 days over the past 24 years.
  Flash is already well ahead at 568 and counting. That's a new vulnerability found every 12 days over the past 19 years. Go Flash!
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
There IS the "HTML5" alternative... apk by Anonymous Coward · 2015-10-13 13:55 · Score: 1

See subject: HOWEVER, we haven't seen all the "ins-&-outs" of that yet either - give it time! Bet it shows glaring vulnerabilities too (despite the state of modern computer science being what it is, one HELL of a LOT better than it was when I started it in 1981 but, men made it - men, screwup!).
Sad truth coming from experience over decades in the art & science of computing here on that above. We're not 100% guaranteed solid in LOTS of things out there now.
On HTML5 - I've tried it in IE11 "latest/greatest patched" etc. - et al, it plays ok - as good as Flash - & I'd wager it's had time & early base design vs. issues that plague flash till it's ultimate dying day... most likely. We tend to learn from our mistakes & build better, next time.
(Only thing I really *REALLY* wonder about HTML5 is, is IF "the infamous they" using it for 'nefarious' purposes, ala tracking & what-not/what have you...)
APK
P.S.=> Honestly? I thought they'd have ALL of Windows "bugs/security issues" gone by 2013-2014 outside @ the latest... hasn't happened yet - same point as above... apk
Re:thank,s by Anonymous Coward · 2015-10-13 16:33 · Score: 1

I already have a russian bride. Thanks though.
Zero-day exploit hits fully patched Flash??? by Tony+Isaac · 2015-10-13 16:37 · Score: 1

Really? By definition, a zero-day exploit would affect fully patched versions of anything. Duh! If they had time to patch it to fix the exploit, it wouldn't be zero-day any more, would it!
1. Re:Zero-day exploit hits fully patched Flash??? by Dutch+Gun · 2015-10-13 20:47 · Score: 1
  
  This information is brought to you by the Department of Redundancy Dept, who has brought you this information.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
Re:Flash? by ReeceTarbert · 2015-10-13 20:47 · Score: 2

Does anything but ads actually use Flash in this day and age? I haven't had it installed for several years!
Let's see... these are just some results using Firefox 41.0.1 on OS X Mavericks:
Spotify: "To enjoy Spotify, please install Adobe Flash. It's free."
Pandora: "In order to use Pandora internet radio, please upgrade to a more current browser or install a newer version of Flash (v.10 or later)."
Hulu: "Hulu requires Flash Player 11.0.1.152 or higher. Please download and install the latest version of Flash Player before continuing."
I'm sure there are plenty more, but just these three are enough to prove that you're dead wrong -- or just trolling. And no, there's no love lost between Flash and me, either.
RT.
Re:Flash? by nnull · 2015-10-13 22:08 · Score: 1

Even though I don't use those services, I just tried your links. Spotify works and Pandora works as well (Music plays fine). Hulu is the only one that does not work without flash.
Surprised... by mschaffer · 2015-10-13 23:04 · Score: 1

I am surprised...not that there's another Flash exploit, but that people still use flash.
Insert free advert for Trend Micro .. by nickweller · 2015-10-13 23:23 · Score: 1

"Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207."

Does this Flash Zero-Day work on OS or Linux?
Might be legit by ThatsNotPudding · 2015-10-13 23:49 · Score: 1

Possibly one way Adobe Systems makes money is by allowing vulnerabilities supplied by secret government agencies. Those agencies can spend billions of dollars of taxpayer money without public oversight.
Given that Adobe, while being the major vector of insecurity on the web, has never even been lashed with a wet noodle by the Feds, one can only conclude they are given cover for exactly this.

It's almost as funny as the US public still believing their elected officials are actually in control of the organs of state security (thems wit everbodys skeletons).
Re:Flash? by ReeceTarbert · 2015-10-14 00:06 · Score: 1

Even though I don't use those services, I just tried your links. Spotify works and Pandora works as well (Music plays fine). Hulu is the only one that does not work without flash.
Interesting... what browser/OS combination? The latest Safari complains in exactly the same way.
RT.
Re:AdBlock+ = inferior & 'souled-out' vs. host by phishybongwaters · 2015-10-14 01:32 · Score: 1

Have fun maintaining that host file you idiot. Routers beat hosts file, so your whole deal falls apart because your network stack still gets involved with hosts. Blocking this stuff on the router means it never even gets on your network, no wasted cycles. But again, this means you will spend the rest of your life maintaining this growing hosts file or block list, when adblock and other browser plugins do this, and update it, for you. That said, since adblock has been sold and no one will say to whom, and this nonsense of "Acceptable ads", I wouldn't recommend using and trusting it for much longer. But I'd still suggest that over whatever crap you are spamming on each and every thread even remotely close to this subject. Gee... I wonder if you might be on the payroll for this "application" that requires administrator permissions to merely update your host file. No thanks.
Re:"Yea though I walk thru the valley of /. ..." by phishybongwaters · 2015-10-14 01:36 · Score: 1

Yup, having to continually spam your questionable software makes it less questionable. Said no one, ever.
Re:Flash is either VERY buggy, or deliberately bug by KGIII · 2015-10-14 01:42 · Score: 1

What has a pink/red color got to do with the application, anyhow? Perhaps you meant 'rogue?' I don't know if it is always you but this seems to be a common one for ACs. Well, I finally got bored enough to point it out. While maybe not you, 'alot' is not a word and there's a difference between fewer and less.

--
"So long and thanks for all the fish."
Yes, Youtube Works without Flash by BrendaEM · 2015-10-14 03:28 · Score: 1

Unless you play games, or need DRM content, you might be okay.

--
https://www.youtube.com/c/BrendaEM
Re:Flash is either VERY buggy, or deliberately bug by KGIII · 2015-10-14 13:41 · Score: 1

Don't mention Nethack. Or Zork. I'm not even sure if half the people who play Fallout actually played the first two. I stopped gaming around the time of my enjoyment of the Fallout 2 game. It was awesome. I've not really gamed since but I remember (and played) Rogue. Or, ahem... Rouge... *sighs* Yes, yes I played the French word for Red. I dunno what people do with their spare time but it doesn't appear to be learning new things or improving themselves. I'm glad I'm not a people.

--
"So long and thanks for all the fish."