Adobe To Fix Another Hacking Team Zero-Day — Krebs on Security


Jul 15

For the second time in a week, Adobe Systems Inc. says it plans to fix a zero-day vulnerability in its Flash Player software that came to light after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.

In an advisory published late Friday evening, Adobe said it plans to issue another Flash patch the week of July 13, 2015. “This vulnerability was reported to us following further investigation of the data published after the Hacking Team data breach,” the advisory notes.

Adobe said the flaw is present in the latest version of Flash for Windows, Mac and Linux systems, and that code showing attackers how to exploit this flaw is already available online.

There is every reason to believe this exploit will soon be folded into exploit kits, crimeware used to foist drive-by downloads when unsuspecting visitors browse to a hacked or booby-trapped site. On Wednesday, Adobe patched a different vulnerability in Flash that was exposed in the Hacking Team breach, but not before code designed to attack the flaw was folded into the Angler and Nuclear exploit kits.

If you were on the fence about removing or disabling Flash altogether, now would be a great time to reconsider. I recently blogged about my experience doing just that, and found I didn’t miss the program much at all after a month without it.

This entry was posted on Saturday, July 11th, 2015 at 12:38 am and is filed under Latest Warnings, Time to Patch.

44 comments

  1. Hayeito

    Great report. You should make a graph or list of all patches of flash and java to show how insecure one could be if they used both

    • Anthony

      I believe you can get info including graphs from secunia.com (free for non-commercial use). It’s been awhile since I used Secunia’s free desktop version inspector as I run a linux desktop these days.

    • JeffJ

      The website FlashTester.org has a history of patches to the Flash Player

  2. JCitizen

    I was ready to dump flash after this latest fiasco, as the circus has become too much; but some sites still do not work for IE-9 and Firefox. I only need the active x and the PPAPI version for functionality. I realize I should probably update to Win7, but it is just too much at this time; I guess I’m willing to risk the slings and arrows to maintain functionality for now.

    • Atombath

      If you have the ability, install a modern browser like Chrome or Firefox.

      • AtomSmash

        It is affecting firefox too. I have it

  3. Ronald Rump

    I can’t say that any of this surprises me – when reports first came out about what was leaked, you knew that there were various zero-day bugs that were in there that were going to need to be fixed.

    I maintain and use multiple machines. The vast majority of which do not have flash. But there are a handful of things that we use at the office which seem to require it, and I keep on having to put the stupid thing back again.

  4. Brad

    Flash needs to just go away, and websites dependent on it should look elsewhere. Too many patches upon patches upon patches. But several music streaming sites do seem to use it.

  5. Chriz

    I did remove flash 5 months ago and sure don’t miss it one bit. I keep it installed on a VM if I really need it. Same thing for java. Sorry, but 1 update a week is just unbearable for me. Let alone for a company who has to repackage to redeploy.

  6. President Donald J Trump

    No sense in using Flash anymore, many websites like Youtube are moving or have moved to HTML5

  7. markD

    There are now alternatives to Flash, and nearly no consequence whatever to just dropping it entirely. Media will only have a reason to drop it if they find they are losing eyeballs of people who no longer have it.

    In that regard the very best thing everyone can do is to just drop Flash and hang on until those straggling media that only run Flash catch on by losing all those precious eyeballs, having been given the incentive by everybody just dropping flash and thereby “moving the food.”

  8. OldGnome

    Other than not using Flash, what are the alternatives to Flash? Are these alternatives truly better, or just more sloppy coding waiting to be attacked?

    • CooloutAC

      in general for me, html5 uses less cpu power and has less screen tearing and smoother play.

    • Cavoyo

      The big replacement for Flash is the HTML5 standard, as the other commenter pointed out. There are at least two security benefits to HTML5 compared to Flash:

      1. The HTML5 implementation is specific to each browser. What this means is that a security vulnerability in one browser’s HTML5 implementation is unlikely to be duplicated in other browsers. Compare this to Flash. HackingTeam was able to get code running on any Windows system with any browser using just a Flash vulnerability and a Windows vulnerability. Without Flash, HackingTeam would have to find one vulnerability each in Internet Explorer, Firefox, Chrome, and so on, which is considerably more work.

      2. Because HTML5 is implemented in the browser, updates to the browser also update its HTML5 implementation. Right now, the only browsers that auto-update Flash are Internet Explorer on Windows 8.1 and Chrome on all OSes. This leaves about half of Windows users reliant on Adobe Flash’s shoddy auto-updater, which can miss patches that came out weeks ago. By contrast, Chrome and Firefox have very good auto-updaters that can detect a patch on the day it comes out, and Internet Explorer gets updates through Windows Update for every OS after XP.

      So bugs in an HTML5 implementation affect fewer users and they get patched sooner. Both of these make HTML5 bugs less valuable to attackers.

  9. Old School

    After reading this article, I said: Enough is enough. I removed the Flash plugin for Firefox and decided that today is going to be my first flashless day. So far so good because my favorite websites do not use Flash. If I can go flashless for one week then I will remove the code for IE thus allowing Flash to join the eight inch floppy disk in Heaven.

  10. Example

    Funny story about removing Flash. I uninstall flash from any computer I am using. But on my work machine, Amazon IT insists on claiming I don’t have the latest security updates and they keep reinstalling Flash. I gave up and let them install it.

  11. Austin

    I applaud Adobe for their actions. Finally a company being proactive about these issues. Breath of fresh air.

    • JJ

      That was sarcastic, right? The first one was there for five years. If there is one thing Adobe is not, it’s proactive about security. They now have a worse track record than Java and it’s not getting better. After they deprecated Flash, rather, after people finally got tired of the security issues and deprecated Flash for them, the security issues seem to have gotten worse. If Flash is no longer making money for them, why should they put resources on it?

  12. mike~acker

    I’ve been trying to get a handle on why flash is such a disaster.

    apparently it just runs as a browser plug-in and as such should not be capable of doing much harm. that however is not the case.

    apparently flash is fed .swf files — which are actually containers and as such can pass a wide assortment of inputs into the flash player. any of these could be loaded with data designed to get code execution which would then seek to exploit an un-protected system program having escalation privileges. this is all the more dangerous because the .swf can be an active feed, feeding data from anywhere directly into the victim’s player…

    the key i’ve been looking for is to determine if flash installs a driver module into the kernel. if so it cannot be controlled with sand-boxing or named spaces — it will have to be killed.

    • JJ

      One reason why Flash is so dangerous to targeted companies that use Flash on their web sites is that it is an interpreted language. That means the .swf is compiled and executed at runtime, not in advance. HP has a freeware tool called SWF Scan that decompiles .swf files into their original code, complete with developer comments and all.

      It makes it absolutely trivial to find developer mistakes, figure out how the backend application works and exploit it.

      Then go into your Internet temp files folder and copy a .swf file to another folder. Set SWF Scan to point to that file and run it. Voila.
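
The comments above describe .swf files as containers of many kinds of input. As an added example (not part of the original post or its comments), this Python code walks the tag records of an uncompressed (FWS) or zlib-compressed (CWS) file so a defender can see what a given file carries and whether it includes ActionScript bytecode; the function names are hypothetical and the sample file is constructed in the code.

```python
import struct
import zlib

# Subset of tag codes from the SWF file format specification.
TAG_NAMES = {0: "End", 12: "DoAction", 59: "DoInitAction", 69: "FileAttributes",
             76: "SymbolClass", 82: "DoABC", 87: "DefineBinaryData"}
CODE_TAGS = {"DoAction", "DoInitAction", "DoABC"}  # tags carrying ActionScript bytecode

def parse_swf(data):
    """Return (version, [(tag_name, payload_length), ...]) for an FWS or CWS file."""
    sig, version, declared_len = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig not in (b"FWS", b"CWS"):        # ZWS (LZMA) is not handled here
        raise ValueError("unsupported signature: %r" % sig)
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    if declared_len != 8 + len(body):
        raise ValueError("declared length does not match actual size")
    nbits = body[0] >> 3                   # RECT: 5-bit field width, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4     # skip RECT, frame rate and frame count
    tags = []
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_len >> 6, code_len & 0x3F
        pos += 2
        if length == 0x3F:                 # long header: real length is a u32
            if pos + 4 > len(body):
                raise ValueError("truncated long tag header")
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + length > len(body):
            raise ValueError("tag %d overruns the file" % code)
        tags.append((TAG_NAMES.get(code, "Tag%d" % code), length))
        pos += length
        if code == 0:
            break
    return version, tags

def carries_code(tags):
    return any(name in CODE_TAGS for name, _ in tags)

def build_sample(compressed=False):
    """Constructed sample: empty RECT, 1 frame, FileAttributes, dummy DoABC, End."""
    def tag(code, payload):
        if len(payload) < 0x3F:
            return struct.pack("<H", code << 6 | len(payload)) + payload
        return struct.pack("<HI", code << 6 | 0x3F, len(payload)) + payload
    body = (b"\x00" + struct.pack("<HH", 24 << 8, 1) + tag(69, b"\x08\x00\x00\x00")
            + tag(82, b"\x00" * 100) + tag(0, b""))
    head = (b"CWS" if compressed else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return head + (zlib.compress(body) if compressed else body)
```
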

  13. Phoenix

    I deleted Flash (again) this morning because it kept hanging up on the New York Times site. I had added it to EMET 5.1. I wondered what might be going on. Now I read this post…

  14. JJ

    Because people want to buy features, not security. Have you ever, ever heard someone brag about spending fifty or a hundred dollars for their new anti-virus program? Of course not. They want free security and free does not pay the bills.

    The only thing taking a hit is a small bit of their reputation, not their stock price or their bonuses. If you’ve ever gone into a retirement planning meeting, was the first question you get asked “How’s your reputation?” Nope, it’s “What’s your net worth?”

  15. IA Eng

    It almost makes me think that there is an insider in some major corporations that simply ignores, hides or modifies a vulnerability report for these zer0-days.

    It’s as if the corporations don’t fuzz their product enough, or – at times – pushing the patch out too fast and opening new holes. Again, fuzzing would reveal some of these issues.

    There are a lot of smart individuals in these corporations, but many may have their hands tied on what is to be fixed, and what is to be left alone.

    I remember reading about a few holes left in software on purpose in order for an agency to take advantage of that hole. I am sure it happens more often than what is advertised.

    Let’s just hope the people who create these holes, and the communication paths they use are free and clear of any unknown malware or other evil software.

    • pboss

      Hardly. Debugging software is incredibly hard. Especially code written early as it’s unlikely to be well-commented. Even innocent looking statements can be a vulnerability because you didn’t check that the function you called doesn’t verify inputs or something similar.

      • Sasparilla

  16. anonymous

    Flash is data that executes. Data that executes is otherwise known as a buffer overflow. Flash is bad news.

  17. Biff Henerson

    Isn’t it amazing how many bugs are in such a tiny piece of software?

  18. grayslady

    Until the other day, the only occasion I had to use Flash was for a small, idiot game available on Yahoo games that I’ve enjoyed playing, from time to time, for years. However, I decided to try Mango, now available from my local library, as well as many other libraries around the country. It’s a fairly decent language learning program (according to a Dutch friend of mine, the program suggestions, while not sufficiently broad to encompass the true options Dutch people use in common speech, are perfectly correct in the basics). When you first log into the program, there are two questions you are asked before you can proceed: one of them is, “Do you have Flash installed?” Only if you use Flash can you proceed with the program. So, while many people here may think of Flash as only being a video alternative for watching movies, or the type of videos posted on YouTube, here is an educational program being offered by most libraries to home users that depends on Flash. Just an observation.

  19. Pookie

    Does anyone know how many 0-days Flash has had over the years? Looking for a total number, out of curiosity… could help develop convincing arguments to move away from Flash dependency.

    • SeymourB

      Every security fix was a 0 day at one point. 0 day just means it’s an unpatched vulnerability that others know about (and 99 times out of 100 the miscreants know about them before they’re patched). So just total up every published security fix for Flash… and Acrobat… and Java… and Windows… and…

  20. Jungle Jim

    Recently Chrome changed how to do the “click to play” function. Brian’s 2013 article describes the old way.

    This article from Berkeley’s security page describes the new way.

    1. Open Chrome Preferences/Settings
    Scroll to the bottom and click Show Advanced Settings (Note: this link will say Hide Advanced Settings if you have previously revealed them)
    2. Privacy section
    3. Content Settings
    4. Plugins section
    5. Select Let me choose when to run plugin content option in the Plugins section
    6. Lastly, click the Manage individual plugins link and make sure the Always allowed to run option for each plugin is unchecked. Click to Play functionality will not work for any plugins with Always allowed to run selected.
