Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Zero-Day Vulnerability Found In Adobe Flash Player (gbhackers.com)

Posted by BeauHD on from the out-in-the-wild dept.

GBHackers On Cyber Security and an anonymous Slashdot reader have shared a story about a new zero-day vulnerability found in Adobe's Flash Player. Bleeping Computer reports: South Korean authorities have issued a warning regarding a brand new Flash zero-day deployed in the wild. According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs 28.0.0.137 and earlier. Flash 28.0.0.137 is the current Flash version number.

"An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code," KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents. Simon Choi, a security researcher with Hauri Inc., a South Korean security firm, says the zero-day has been made and deployed by North Korean threat actors and used since mid-November 2017. Choi says attackers are trying to infect South Koreans researching North Korea. Adobe said it plans to patch this zero-day on Monday, February 5.

52 of 87 comments (clear)

  1. Again... by JaredOfEuropa · · Score: 5, Informative

    I treat Flash itself as potential malware, and consider it to be compromised at all times. Thankfully, these days you hardly ever need it anymore.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:Again... by Anonymous Coward · · Score: 1

      I treat Flash itself as potential malware, and consider it to be compromised at all times. Thankfully, these days you hardly ever need it anymore.

      Too bad it's embedded in every Windows since 8 ;)

    2. Re:Again... by ChunderDownunder · · Score: 2

      IIRC, non-MS programs can't see the system copy, i.e. Firefox. Google Chrome sandboxes its own installation.

    3. Re:Again... by Oswald+McWeany · · Score: 1

      I hate things like Flash, and Shockwave, and some of those other obsolete technologies that some sites desperately hang on to. I won't use sites that require them.

      Fun fact: "Flash" in the Victorian era was slang for "criminal or nefarious". I think "Flash" was a very appropriate name from Adobe.

      --
      "That's the way to do it" - Punch
    4. Re:Again... by TechyImmigrant · · Score: 1

      >I treat Flash itself as potential malware

      Why? He was the savior of the universe.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:Again... by ayesnymous · · Score: 1

      VMware vCenter requires Flash for full functionality (their HTML5 web client is limited), so our production systems require very old versions of Firefox and Java in order to support Flash.

  2. There are _still_ people using Flash Player? by gweihir · · Score: 2

    Talk about having a death-wish...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:There are _still_ people using Flash Player? by jonwil · · Score: 4, Informative

      There are still streaming video sites out there that need Flash.
      Including the iView catch-up TV site for the Australian ABC (national government-run broadcaster) which refuses to work without Flash on my Windows 7 PC using any of the browsers I have (including Internet Exploder and Mozilla SeaMonkey)

      That said, I do not have the ActiveX version of Flash installed (which is what this exploit is targeting) and I have Flash set in SeaMonkey so it will ask me before activating any Flash content (meaning I can white list those sites that need Flash). So I should be safe from Flash exploits unless someone hacks the iView site to serve out bogus Flash files I should be safe from Flash related nasties :)

    2. Re:There are _still_ people using Flash Player? by AmiMoJo · · Score: 1

      Holy crap you are right! Their web site doesn't work on about 70% of due to lack of Flash support!

      Flash is blocked in Chrome now, except for a whitelist of sites which iView is not part of. It doesn't work on any of the major mobile browsers either.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:There are _still_ people using Flash Player? by Zontar_Thing_From_Ve · · Score: 2

      Yes. I'm a Starbucks shareholder and this week I got email telling me where to get my electronic copy of their annual report. I like to glance at the annual reports for any stocks I own and read shareholder proposals. I rarely vote to approve those but there have been a few really good ones that I voted for. Imagine my surprise to find that the Starbucks annual report was only available in Flash, not PDF.

    4. Re:There are _still_ people using Flash Player? by DigiShaman · · Score: 2

      I love how the VMWare vSphere client recommends using Flash over the HTML5 interface, even for 6.5.

      1. HTML5 based UI should at least be fully implemented by now.
      2. Flash is, and remains to be absolute ass!
      3. The stand-alone vSphere client was perfect, but doesn't support ESXi 6.5 (only 6.0 and below)
      4. How in the fuck can VMWare code ASM and C++ code, but can't get something like HTML5 right, and fallback on Flash.

      The world sucks!

      --
      Life is not for the lazy.
    5. Re:There are _still_ people using Flash Player? by Doctor+Memory · · Score: 1

      The last time I used vSphere, the HTML5 client wasn't anywhere near to parity with the Flash version, and I didn't get the impression that VMware was making it a priority to bring it up to snuff. This was a couple of years ago, sounds like they haven't done much since then either.

      --
      Just junk food for thought...
    6. Re:There are _still_ people using Flash Player? by Eravnrekaree · · Score: 2

      Does Seamonkey sandbox Flash like Chrome does (like Chrome even sandboxes its own content). You think you are being secure but the fact is I bet using seamonkey or palemoon you are actually much worse off than you are with Chrome.

    7. Re:There are _still_ people using Flash Player? by gweihir · · Score: 1

      Well, true. But why are people using them? If these sites would see a massive drop-off in views, the Flash-problem would be solved pretty fast.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:There are _still_ people using Flash Player? by DigiShaman · · Score: 1

      When it comes to VM infrastructure, we're a pretty conservative shop. Whatever the bleeding edge is, often we're a full version back. v6.5 is mature about now, so when I spoke with someone from VMWare (a BTW question for an unrelated technical issue) how well the HTML5 UI was with v6.5 over 6.0, the response I got was that it's better, but still go with Flash.

      I really wanted Flash killed in fire. No, scratch that; I want it devoured by a black hole never to be seen again with zero chance of ever coming back.

      --
      Life is not for the lazy.
  3. Is this really a problem? by Anonymous Coward · · Score: 1

    Who the fuck still uses flash or has it installed these days?

    1. Re:Is this really a problem? by Opportunist · · Score: 1

      Every MS-Office User. Whether you like it or not.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Is this really a problem? by DontBeAMoran · · Score: 1

      Good thing I stay away from the office packages from the big corporations and use Apple iWork instead!

      --
      #DeleteFacebook
    3. Re:Is this really a problem? by Anonymous Coward · · Score: 1

      VMWARE administrator ( crying :'( ) . I am going to install HTML interface soon, but some plugins are not compatible.

    4. Re: Is this really a problem? by Anonymous Coward · · Score: 1

      Same here. And I have about a dozen Enterprise management tools which rely on Flash to some extent.

    5. Re:Is this really a problem? by Opportunist · · Score: 1

      Irony or ...?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Is this really a problem? by DontBeAMoran · · Score: 1

      Sarcasm.

      --
      #DeleteFacebook
    7. Re:Is this really a problem? by Anonymous Coward · · Score: 1

      If you have vCenter 6.x installed you should be able to already access it via https://vcenterhost/ui

      It's nice, but not yet completely in parity with the flash version, and yeah many plugins don't work.

  4. OMFG by NoNonAlphaCharsHere · · Score: 4, Funny

    A Flash SWF file embedded in a MS Word file. What could possibly go wrong?

    1. Re:OMFG by AmiMoJo · · Score: 2

      Better replace it with an ActiveX control ASAP.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:OMFG by NoNonAlphaCharsHere · · Score: 2

      On further reflection, I'm thinking that the fopen() would probably cause an explosion that would make matter/antimatter look like Alka-Seltzer.

  5. The problem. by Anonymous Coward · · Score: 4, Informative

    The problem is that in China, nearly every video website used Flash-based video players.Also, some major e-banking websites require Flash.
    I do not know the exact reason, but someone said that Flash-based "web apps" are easier to make and Flash is easier to implement DRM (you know those ____ing sites that do not want you to download those videos by any means unless you sign up and pay)

    1. Re:The problem. by jbmartin6 · · Score: 2

      A lot of cloud based security camera systems have the same problem.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  6. Qui Bono? by mentil · · Score: 1

    Ya know, I'm wondering what the benefit of NK hackers using ransomware, or stealing cryptocurrency is. Ok they manage to transfer it to a bank in Switzerland or South Korea or whatever... now what? They can't transfer it to a NK bank because of the sanctions (not like numbers in a NK database help them). They can't buy a truckload of food and drive it over to NK because of sanctions/blockades. They can't rent a DC10 and airdrop food into NK because of DMZ/no-fly-zone/sanctions. I was wondering why the hackers, who are presumably reasonably intelligent, are doing their hacking from outside of NK, have access to the wider internet, and realize the NK propaganda is mostly BS, don't just run away, giving the middle finger to NK. Sure, maybe their family back home is being threatened by the NK government... but chances are good that their family is gonna be fucked by war and/or famine, so why wouldn't a young man just say "fuck it all" and never look back?

    Last I heard, chances are good that China of all nations is going to be at war with NK, as early as next month. I'm sure they'll have zero compunction about glassing the entire country, papering over the literal fallout with propaganda if necessary. Easy way to take care of that 'refugee problem', eh? I imagine other countries would have a difficult time poo-pooing out one side of their mouth while breathing a sigh of relief from the other; ya know, aside from the actual fallout-caused problems (which would still be preferable to an errant NK nuke, assuming China doesn't use salted warheads).

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Qui Bono? by Opportunist · · Score: 1

      Run away? Heck, why? They have a very well paying job (not just for NKor levels) and when they're home, they are basically above any and all laws as long as they don't piss off anyone higher up in the hierarchy.

      Imagine you, as a US citizen, could have all the hookers and blow you want, could treat everyone but politicians like garbage up to the point of pretty much getting away with murder if you so please and everyone has to do your bidding OR ELSE, because you're simply more valuable than anyone else in the country to the big and mighty, and no pesky "human rights" or constitution getting into your, or their, way.

      Would you want to get out?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Qui Bono? by gbjbaanb · · Score: 1

      a regime like that... damn right I'd want to get out.

      But then I'm a grown up adult with a sense of responsibility to the wider world and humanity. This is also why I'm dead set against the "liberals" with their sights set on their totalitarian fascist desire to tell everyone else what to do while profiting from it.

    3. Re:Qui Bono? by jrumney · · Score: 1

      There is no DMZ or no-fly zone between China and North Korea or Russia and North Korea. Driving a truck across those borders without being stopped for 'sanctions reasons' probably doesn't cost much in bribes either.

  7. What's Flash? by pikester · · Score: 1

    Steve Jobs declared the end of Flash in 2007. 10 years later (or 11 if your round really up), it has been true for a couple of years. I'm still surprised that I see Flash video from a local major content supplier. I'm not the guy to fix it, but I'll be happy to enlighten people (let's talk in fact).

  8. Re:Great response Adobe by Hal_Porter · · Score: 1

    " And because Adobe programmers were very sinful God revealed a zero day on a Friday and did say 'Only 5 days from public disclosure to a patch... Wouldn't wanna force y'all to work weekends, fucking jokers'. An lo! Adobe engineers trying to sneak out of work at 4:50pm were caught by God in his 'Lumbergh' form and asked to work at the weekend "

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  9. Did BeauHD slip? This isn't RUSSIA'S!!!! fault?!? by Anonymous Coward · · Score: 1

    I'm surprised BeauHD didn't find a way to pin the very existence of Flash on RUSSIA! RUSSIA! RUSSIA!

    Oh, yeah, this is The Onion's take on the Nunes memo:

    FBI Warns Republican Memo Could Undermine Faith In Massive, Unaccountable Government Secret Agencies

    WASHINGTON—Stressing that such an action would be highly reckless, FBI Director Christopher Wray warned Thursday that releasing the “Nunes Memo” could potentially undermine faith in the massive, unaccountable government secret agencies of the United States. “Making this memo public will almost certainly impede our ability to conduct clandestine activities operating outside any legal or judicial system on an international scale,” said Wray, noting that it was essential that mutual trust exist between the American people and the vast, mysterious cabal given free rein to use any tactics necessary to conduct surveillance on U.S. citizens or subvert religious and political groups. “If we take away the people’s faith in this shadowy monolith exempt from any consequences, all that’s left is an extensive network of rogue, unelected intelligence officers carrying out extrajudicial missions for a variety of subjective, and occasionally personal, reasons.” At press time, Wray confirmed the massive, unaccountable government secret agencies were unaware of any wrongdoing for violating constitutional rights.

  10. Re:Great response Adobe by rjune · · Score: 2

    They are getting better. I posted on February 20, 2009 that it took Adobe 18 days to release a patch for a critical flaw. I think this URL will get you to the discussion: https://slashdot.org/comments....

    With regard to Adobe and security flaws, check out this URL: https://en.wikipedia.org/wiki/...

  11. Who the hell is selling them computers? by sabbede · · Score: 1
    And how are they getting online? Hardline across their Northern border? Since China is so "great" at controlling internet traffic, how about we get them to help keep the DPRK's activities in check?

    There aren't a whole lot of addresses for the DPRK, they can't have that many computers or people with the skills to do this. Is there nothing we can do to monitor and control their access and activity?

    1. Re:Who the hell is selling them computers? by Picodon · · Score: 1

      Russia also is an active economic and diplomatic partner of North Korea. And that includes Internet connectivity.

  12. vSphere still uses it for some stuff by Joe_Dragon · · Score: 1

    vSphere still uses it for some stuff

  13. South Korea Computer Emergency Response Team by 140Mandak262Jamuna · · Score: 1

    South Korea embraced the internet and jumped in early. So early it forced all the banks and other agencies to use some Active X based protocol. Not sure if the country has recovered completely from that fiasco.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:South Korea Computer Emergency Response Team by jrumney · · Score: 1

      The government didn't force banks to use ActiveX. It forced them to use South Korea's homegrown encryption algorithms. For a long time an ActiveX control was the only off the shelf way to deploy those algorithms. They have since been added to TLS and are natively supported by all major browsers by now.

  14. There's a shocker by DaMattster · · Score: 1

    Flash has been riddled with security holes since it came into use. Since it is not based on any kind of standards whatsoever, no one can really review it for compliance. It's been a broken technology since its inception.

  15. Please die already Flash by sn0wflake · · Score: 1

    This news angered me so much that I tried seeking out removing Flash, and I was astonished at how hard it was, technically and what I'd have to give up. First surprise was Windows 10. I honestly thought Flash was just a component that could be uninstalled. How wrong I was. Turned out I would have to change ownership of system-reserved files. Cumbersome and not a pretty solution, so I postponed that project. Next I checked Google Chrome 64. Again I assumed it would just be a simple option of disabling Flash. Again wrong. Older versions of Chrome had a flag to disable Flash, Chrome 64 does not, and I honestly don't know if it's even possible to disable Flash in the latest Chrome version. All I could do was clean up white-listed websites, and while doing so I noticed one websites that I wouldn't like to part with. So, my big project of removing Flash from Chrome and Windows 10 stopped there. It's incredible that this piece of garbage Flash is still around with more holes than Swizz cheese. If holes could have holes they still wouldn't compare to crappy Flash that just don't want to die.

  16. Only at work by AbrasiveCat · · Score: 1

    I removed Flash from my home computers some time ago. Now I only have access at work where it is a required application. (Boneheads.)

  17. Re: To anyone still using Flash in 2018 ... by junk · · Score: 1

    You'd be sadly amazed by the number of companies that think flash is an acceptable avenue for building interactive web properties. I frequently see it with online classes. Think school lessons, driver's education after s ticket, HR training, "security" tutorials, etc. It's sad but there are so many "developers" that adopted it a long time ago that just aren't picking up HTML5.

  18. Refreshing... by rnturn · · Score: 1

    While Meltdown and company are getting all the attention lately, it's sort of nice to hear about something new from the folks that gave us so many classics.

    --
    CUR ALLOC 20195.....5804M
  19. Flash included with Windows 10 by h4ck7h3p14n37 · · Score: 1

    I recently purchased a cheap laptop running Windows 10 to manage an ESXi server. The voice directed setup was great, but I was shocked to see Flash installed by default. What was Microsoft thinking?

  20. Yawn by bi$hop · · Score: 1

    I uninstalled Flash and stopped using Microsoft Office years ago. Haven't missed them at all.

  21. Breaking news! New Flash vulnerability! by Mike+Van+Pelt · · Score: 1

    In other astonishing news, the sun came up this morning, water is wet, and it's dang cold in Point Barrow in February.

  22. Re:Breaking news! New Flash vulnerability! by Mike+Van+Pelt · · Score: 1

    (but the sun didn't come up in Point Barrow, Alaska.)

  23. Why are people trusting applications? by ka9dgx · · Score: 1

    Why does anyone trust any application to do what it claims it will do on the tin? Isn't it the job of the Operating System to allocate and determine access to system resources, as specified by the user? We need better OSs.

  24. Re:Using flash by zwarte+piet · · Score: 1

    Loads of fun?