Ongoing Flash Vulnerabilities

Published: 2015-10-15. Last Updated: 2015-10-15 23:40:06 UTC
by Johannes Ullrich (Version: 1)

We got a number of readers asking about the ongoing issues with Flash. Adobe released its regular monthly update for Flash on Tuesday. With this update, you should be running Flash 19.0.0.207. However, on Wednesday, Adobe published a security advisory [1] stating that a new, so far unpatched, vulnerability (CVE-2015-7645) is being exploited. Adobe currently describes the attacks as limited and targeted.

Adobe expects to release an update for Flash sometime next week to address this vulnerability.

So what should you do and what does this all mean?

Next week's patch is unlikely to change the fact that Flash contains a large number of so far unpublished vulnerabilities. Some of the groups exploiting these vulnerabilities appear to find them faster than Adobe patches them. Even after Adobe releases a patch next week, new vulnerabilities will likely be exploited starting as soon as that patch is released. So one more patch won't fundamentally change anything.

What should you do?

If possible, uninstall Flash. If you cannot uninstall it, at least make sure that your browser does not automatically run Flash content. This "click to run" (also called "click to play") behavior should be enabled for all plugins that support it (e.g., Java).

Here are some quick tips on how to enable click-to-run:

Firefox: It should be enabled by default. Check the "plugins.click_to_play" setting in about:config to make sure it is set to true.

Internet Explorer: Click the gear icon and select "Manage Add-ons". For the Shockwave Flash Object, select "More Information". By default, all sites are approved because of the wildcard "*" in the approved sites box. Delete it.

Google Chrome: In chrome://settings click on "Show advanced settings..." at the bottom of the page. Click on the "Content Settings" button under "Privacy" and select "Let me choose when to run plugin content" under Plugins. You can also review existing exceptions that you may have set up in the past, and you can disable individual plugins.

Safari: Check the "Security" tab in Preferences. Under Plugin Settings you can enable/disable individual plugins.
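The tips above are per-machine clicks. As an added example that is not part of the diary (and not Adobe's or any browser vendor's code), the following PowerShell script applies the same three settings for Chrome, Internet Explorer and Firefox from the command line, so they can be pushed to a fleet with a logon script or Group Policy Preferences instead of being set by hand. The registry paths, the Flash ActiveX CLSID, the Chrome policy value and the Firefox pref names it relies on are assumptions, stated in the comments; verify them against your browser versions before rolling it out. Safari has no equivalent here because its plug-in settings live in macOS preferences.

```powershell
# Added example (not from the ISC diary): apply the click-to-play settings
# described above by script. Chrome and Firefox parts write machine-wide
# locations and need an elevated session; the IE part is per-user (HKCU), so
# it belongs in a logon script running as the user, not as an admin.
#
# Assumptions to verify in your environment:
#  - Chrome honours the machine policy DefaultPluginsSetting; 3 = click to play.
#  - IE keeps per-add-on approved sites as subkeys of
#    HKCU\...\Ext\Stats\<CLSID>\iexplore\AllowedDomains, and "*" is the wildcard
#    the diary tells you to delete. $FlashClsid is Adobe's Flash ActiveX CLSID.
#  - Firefox reads a locked mozilla.cfg when defaults\pref\local-settings.js
#    points to it; plugin.state.flash 1 = "Ask to Activate" (0 = never, 2 = always).

$FlashClsid       = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$IEAllowedDomains = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$FlashClsid\iexplore\AllowedDomains"
$ChromePolicy     = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeClickToPlay {
    if (-not (Test-Path $ChromePolicy)) { New-Item -Path $ChromePolicy -Force | Out-Null }
    # Equivalent of "Let me choose when to run plugin content" in chrome://settings.
    New-ItemProperty -Path $ChromePolicy -Name DefaultPluginsSetting -PropertyType DWord -Value 3 -Force | Out-Null
}

function Set-IEFlashClickToRun {
    # Equivalent of deleting "*" in Manage Add-ons > Shockwave Flash Object > More Information.
    # "*" is a literal key name, so use -LiteralPath; a plain -Path would treat it as a wildcard.
    $wildcard = Join-Path $IEAllowedDomains '*'
    if (Test-Path -LiteralPath $wildcard) {
        Remove-Item -LiteralPath $wildcard -Recurse -Force
    }
    # If AllowedDomains does not exist at all, IE has not yet recorded an approval for Flash
    # in this profile; in that case the UI check in the diary is the authoritative test.
}

function Set-FirefoxClickToPlay {
    # Use ${env:ProgramFiles(x86)} for 32-bit Firefox on 64-bit Windows.
    param([string]$InstallDir = "$env:ProgramFiles\Mozilla Firefox")
    if (-not (Test-Path $InstallDir)) { return $false }
    $prefDir = Join-Path $InstallDir 'defaults\pref'
    New-Item -ItemType Directory -Path $prefDir -Force | Out-Null
    # Point Firefox at an unobscured mozilla.cfg ...
    @(
        'pref("general.config.filename", "mozilla.cfg");'
        'pref("general.config.obscure_value", 0);'
    ) | Set-Content -Path (Join-Path $prefDir 'local-settings.js') -Encoding Ascii
    # ... whose first line must be a comment. lockPref stops users from flipping it back.
    @(
        '// Flash click-to-play, locked centrally'
        'lockPref("plugins.click_to_play", true);'
        'lockPref("plugin.state.flash", 1);'
    ) | Set-Content -Path (Join-Path $InstallDir 'mozilla.cfg') -Encoding Ascii
    return $true
}

function Get-ClickToPlayStatus {
    # Read back what the browsers will see, for a post-deployment check.
    $chrome = (Get-ItemProperty -Path $ChromePolicy -Name DefaultPluginsSetting -ErrorAction SilentlyContinue).DefaultPluginsSetting
    [pscustomobject]@{
        ChromeClickToPlay   = ($chrome -eq 3)
        IEFlashWildcardGone = (Test-Path -LiteralPath $IEAllowedDomains) -and
                              -not (Test-Path -LiteralPath (Join-Path $IEAllowedDomains '*'))
        FirefoxCfgLocked    = Test-Path "$env:ProgramFiles\Mozilla Firefox\mozilla.cfg"
    }
}

Set-ChromeClickToPlay
Set-IEFlashClickToRun
Set-FirefoxClickToPlay | Out-Null
Get-ClickToPlayStatus | Format-List
```

In a domain, the Chrome ADMX template exposes "Default plugins setting" and a Group Policy Preference registry item can delete the IE "*" key, which gives the same result without a script; the script is still useful for the read-back check, and for Firefox, which in this era had no Windows policy template.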

[1] https://helpx.adobe.com/security/products/flash-player/apsa15-05.html

---
Johannes B. Ullrich, Ph.D.


Comments

Another "middle ground" option with Internet Explorer is to enable ActiveX Filtering, which disables ActiveX add-ons by default, Flash Player included. This can be done in the UI (gear icon > Safety) or by Group Policy. When content has been blocked, a blue circle-with-slash shows in the address bar, and can be clicked to temporarily override the filtering for that visit.

This works pretty well IRL. People do occasionally forget to look for the symbol when a site doesn't do what they expected. If you're not ready to banish Flash completely, this would be worth a look.

The number one problem with Flash Player is that it is everywhere, and as you are stating here this makes it a target!

We like to think that standards will remove the need for third party software, but in the end we will probably see that one standard has multiple implementations - and that many companies will have to respond to vulnerabilities and threats that arise. And they will arise.

This could make response slower than in the "Flash world" we are in now. And it could make our options fewer; today I can choose NOT to install Adobe Flash Player - is the same true when any browser I use offers the full range of multimedia features? We have seen WebRTC security issues, such as information disclosure of the computer's IP address.

I don't think Flash Player is going away anytime soon, so I think we as IT Security Professionals should take the time to read through
http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html

I believe in community sharing, and would love for people to point me to the "best of breed" in Flash Player deployment strategies.

dotBATman.

PS: Stepping down from soapbox now.

PPS: From Table of Contents

Chapter 4 – Administration: This chapter describes a number of ways you can create and place files on the end user's machine to manage features related to security, privacy, use of disk space, and so on. This chapter includes sections on privacy and security settings (mms.cfg) and the global FlashPlayerTrust directory.

Chapter 6 – Security considerations: Because it is critical to maintain the security and integrity of your users' computers when installing Flash Player, this chapter provides an overview of security, focusing on those aspects of particular interest to administrators deploying Flash Player. Adobe has developed a number of web pages, white papers, chapters in other books, and TechNotes that address these security issues, as well as others, in more detail. This chapter includes a security overview and discusses security sandboxes for local content, compatibility with previous Flash Player security models, and data loading through different domains. It concludes with a list of additional security resources.

You can download the uninstaller for all previously installed Flash Player versions for Windows here:
http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html
and find the latest update installers
http://www.adobe.com/products/flashplayer/distribution3.html
The page still says it's v19.0.0.207 but the *.exe installers are already updated to v19.0.0.226

Not the first time Adobe is not able to provide the correct version on this update page.

Does anyone know if EMET 5 or Malwarebytes Anti-Exploit will block this attack?

I have uninstalled Flash for another reason (And may leave it uninstalled).
For those of us that run Sandboxie, there is an issue with an MS update that will BSOD your box if using Firefox+Flash. There are issues with IE and Chrome (built in Flash) as well. They are working on a permanent fix. The beta fix is out as of Last night. More information can be found here: http://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=21911

I know removing Flash is the best/recommended way, however when we've tried to do this in our environment, we found out Adobe Reader broke/wouldn't run after uninstalling Flash. Adobe even has a link specifically explaining this:

https://helpx.adobe.com/acrobat/11/using/flash-player-needed-acrobat-reader.html

So we pushed Flash back on PCs, but PCs still got a message in Reader that it didn't have Flash. We found that Flash NPAPI is the plugin needed to make Reader work, while the non-NPAPI version is what makes Flash play in your IE browser.

Anybody else has experienced this issue?

[quote=comment#35365]You can download the uninstaller for all previously installed Flash Player versions for Windows here:
http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html
and find the latest update installers
http://www.adobe.com/products/flashplayer/distribution3.html
The page still says it's v19.0.0.207 but the *.exe installers are already updated to v19.0.0.226

not the 1st time Adobe is not able to provide the correct version on this update page[/quote]

19.0.0.226 is now available via Adobe's catalog for SCUP, as well.

Also, as for the quick tips for enabling click-to-run, sure the approach works for individual machines, but what about doing this on 500 PCs in a corporate environment? How can this be centrally done/managed? This is not just for the Flash issue, but it's universal for managing settings for all (non-IE) browsers in the enterprise. It's a logistical & administrative nightmare!
Any ideas?
Can this be done through the registry in a GP?

The question I get over and over as I push our corporate teams to upgrade Flash yet again is "Will the new version (19) break anything? We just installed (18) last month."

There never seems to be good information about what ELSE is changing from version 16->17->18->19, and the desktop team is rightfully worried about having enough time to test and validate the 'new' version. With 15 updates so far this year, keeping up is IMPOSSIBLE.

How many companies leave the silent auto-update turned on and just let Flash run its own course?
