Thanks to threat-busters Andrew O’Donnell and Fraser Howard of SophosLabs for their timely input to this article.
Wouldn’t you just know it!
Last night we wrote about how Flash troubles come in threes, like those proverbial buses:
- An emergency update against targeted attacks, followed by…
- A concerted effort to milk that exploit by Crimeware-as-a-Service crooks, followed by…
- Kovter, the malware that deliberately patches you against the exploit (but for all the wrong reasons).
Stop the presses!
Make that four buses that just arrived at once.
Earlier this week, a Italian company with the unequivocal name of Hacking Team…
…got hacked, to put not too fine a point on it.
Hacking Team is, indeed, into hacking – controversially, as it happens, because its main line of business is selling hacking and interception capabilities at a country level.
You might therefore expect a company of that sort to have had some vulnerabilities and exploits up its sleeve.
Apparently, that turns out to have been correct, though we say “to have had” because they’re no longer “up its sleeve.”
Thanks to a giant data dump published by the hackers who hacked the hackers, the zero-day cat is out of the bag.
Adobe emergency bulletin
As a result, Adobe just issued APSA15-03, for a Flash bug now named CVE-2015-5119:
A critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available on July 8, 2015.
Adobe’s bulletin is dated 2015-07-07, which is yesterday (throughout the world) at the time of writing [20150708T12:45Z], and the update is promised for today.
We’ll presume that means that the patch will drop during business hours, US West Coast time (Pacific Daylight Time, UTC-7).
That will be a great result by Adobe, if it can hit that target, not least because the vulnerability affects all platforms supported by Flash: Windows, OS X and Linux.
Given the zest with which the world has fallen on the loot plundered from the Hacking Crew breach, SophosLabs has raised its Threat Level to High.
What to do?
We’re backing up our colleagues in SophosLabs by saying, “Watch out for the update and grab it as soon as you can.”
If you’re looking for something you can do right now before the patch comes out, here’s a list of tips you can try.
They’re great tips anyway, so we recommend them even when there isn’t an update emergency going on:
- Get rid of Flash altogether. Apple iPad and iPhone users haven’t had Flash for ages, and they don’t seem to be in any kind of internet backwater. It’s like a big, heavy backpack: if you don’t actually need any of that stuff, why carry it?
- Turn off Flash in your browser. If you can’t ditch Flash, but you need it only very occasionally, enable it when you actually need it, so your browser doesn’t advertise that you have Flash until you tell it to. Warning: you will need to remember to keep turning Flash back off, so this approach requires a bit more care than the others.
- Use click-to-play. Most browsers allow you to set Flash to “always ask.” Your browser will advertise that you have Flash, but it won’t do anything until you click on a Flash component to allow it to run. This is a safe but handy way of seeing which websites still use Flash.
- Use an anti-virus that blocks suspicious files and web pages in real time. That will help to keep you away from sites known to foist Flash malware on you, as well as blocking malicious Flash content from as-yet-unknown bad web pages.
- Update early, update often. Even if you let Adobe do your Flash updates automatically, keep abreast of security bulletins and published patches.
By the way, occcasional manual verification that your auto-updates are working is a good idea for all updates to all products.
Manual oversight will prevent you getting caught out by the “forget” part of “set and forget,” a security approach that we can understand but not recommend.
NB. Sophos detects Flash attacks in general as Troj/SWFExp-*, short for Shockwave Flash exploit. Specific detection for files known to be associated with the Hacking Team leak include SWFExp-HT, SWFExp-HU and SWFExp-HW, if you want to keep an eye on your logs.
JR
I understand that Flash is a ridiculous situation… they can never seem to get the security right. But advising people to get rid of it isn’t very helpful. There are still piles of apps critically dependent on Flash. I’m sorry, but not everyone can just dump mission-critical apps and re-code them instantaneously every time there’s a security problem. Companies that don’t have multi-million dollar IT budgets will just never be in that sort of position.
Paul Ducklin
Those tips aren’t “do every item,” not least because one says “get rid of Flash” while another says “keep Flash but limit it” :-)
[I tweaked the text to make this clearer, by the way.]
Dumping Flash isn’t for everyone, but unless and until you try uninstalling it, or turning it off altogether, and seeing what happens…you’ll simply never know what you might not be missing, if you get my drift.
If you know you have mission-critical web apps apps that *only* work with Flash, then clearly you can’t ditch it, at least at work. But you may be pleasantly surprised at how many modern cloud apps work perfectly well without it, as more and more web services learn to live without it on the server side, too.
One problem with having Flash turned on is that it can give you the impression that a site *needs* Flash: you keep getting Flash components served into your browser *because the site can see you have it*. But if you uninstall it, then, lo and behold! The site works just as well with HTML5, and there you are.
We used to get exactly this with Java – “I can’t turn off Java, the world will end!” But these days, Oracle’s default install has Java off in your browser, and I haven’t heard anyone say, “Heck, the world ended.”
Andrew Ludgate
Actually, most people CAN just dump flash and re-code it instantaneously; there are free and inexpensive services available that will convert your Flash projects into HTML5 — it won’t work for all assets, but it will work for the majority of them. Use your favorite search engine to search for “Flash to HTML5” and you’ll see a number of options — one of the most popular being Google’s Swiffy. Swiffy can convert already encoded assets for you (for free) and there’s also a plugin for Flash (the development environment) allowing you to export to HTML5 instead of SWF in the first place.
So at this point, unless you’re doing something using very esoteric elements of the Flash platform, there’s really no reason not to be converting your existing assets and your exported assets to HTML5. The added benefit is that you also then have media that’s accessible by pretty much ALL web browsers, not just desktop platforms with Flash installed.
Michael Perry
Flash 18.0.0.203 is already available and is said to ‘fix’ the bug reported. At least until another vulnerability is found.
Worth downloading the update if you use Flash, but try to deselect the foistware bundled with it.
Anonymous
And now there is 18.0.0.209 !
Kasun
If Facebook web version supports videos with out Flash, many users will forget the the flash for ever.
Michael Perry
That could mean they forget to update Flash if it is installed on their equipment, so they could become vulnerable! Either uninstall it if you can manage without it, or update it regularly and not forget to do it.