News in brief: Update Flash now; Heartbleed fine; the $1.9m email

Your daily round-up of some of the other stories in the news

Update Flash now

In a move that will surprise nobody, Adobe has released a patch for Flash that fixes two remotely exploitable vulnerabilities rated Critical.

If you’re a Flash user you should update your Flash player immediately and then ask yourself how much longer you’re prepared to go on like this. How many more times are you prepared to read that there’s a Critical RCE in Flash and you need to update immediately?

Our advice? Uninstall it and never look back.

The plugin’s days are numbered and everybody knows it. iPad and iPhone users have survived without it since the beginning. The browser vendors are closing their eyes, covering their ears and trying to pretend it doesn’t exist and the linear successor, HTML5, is nearly old enough to watch PG-13 films.

For all that though, Flash is taking longer to die than the T-1000 in Terminator II. We think it’s time to cut to the end scene and drop that bedevilled plugin into the molten metal. It’s the only kind thing to do.

Heartbleed fine

A municipality in the UK has been fined £100,000 (about $130,000) by the country’s privacy watchdog for not dealing quickly enough with the Heartbleed vulnerability back in 2014.

Heartbleed was a bug in the widely-used OpenSSL encryption software that allowed crooks to trick some web servers into revealing snippets of data from previous web connections.

By hammering vulnerable servers with booby-trapped network packets, crooks could get a peek at up to 64KB of random RAM content each time – fragments that could include data from web forms, passwords, webmail messages and much more.
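The mechanism described above comes down to one missing comparison. The following is an added example, not code from the article or from OpenSSL: a simulated heartbeat handler on plain byte strings, with the unchecked pre-fix behaviour beside the check the patch introduced. The message layout follows RFC 6520; the "memory" buffer and the secret placed after the record are constructed stand-ins for whatever a real server process happened to hold.

```python
# Added example, not code from the article or from OpenSSL: a simulated TLS
# heartbeat handler that shows the length check Heartbleed was missing and
# the check that fixes it. Wire layout follows RFC 6520:
#   1 byte   type (1 = request, 2 = response)
#   2 bytes  payload_length, big-endian
#   payload_length bytes of payload
#   at least 16 bytes of padding
# Everything here runs on plain byte strings; no network I/O is involved.
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3          # type + payload_length
MIN_PADDING = 16

# Constructed stand-in for whatever sits in server memory just past the
# received record (a session secret here). A real process would hold
# leftovers of earlier connections: form fields, cookies, keys.
SECRET_AFTER_RECORD = b"session-cookie=CONSTRUCTED-SECRET-VALUE"


def build_heartbeat(claimed_length, payload):
    """Build a heartbeat request; claimed_length may disagree with len(payload)."""
    return (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
            + payload + b"\x00" * MIN_PADDING)


def _simulated_memory(record):
    # The record lands at the front of a buffer; the secret happens to follow it.
    return bytes(record) + SECRET_AFTER_RECORD


def vulnerable_handler(record):
    """Pre-fix behaviour: echoes payload_length bytes, whatever the record holds."""
    memory = _simulated_memory(record)
    msg_type, claimed = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    # BUG: claimed comes from the peer and is never compared with the record
    # length, so the copy runs past the payload into neighbouring memory.
    payload = memory[HEADER_LEN:HEADER_LEN + claimed]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, claimed)
            + payload + b"\x00" * MIN_PADDING)


def fixed_handler(record):
    """Post-fix behaviour: discard any request whose header overruns the record."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None                      # too short to carry a valid message
    memory = _simulated_memory(record)
    msg_type, claimed = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + claimed + MIN_PADDING > len(record):
        return None                      # RFC 6520: discard silently
    payload = memory[HEADER_LEN:HEADER_LEN + claimed]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, claimed)
            + payload + b"\x00" * MIN_PADDING)


def leaked_bytes(response, honest_payload_len):
    """Return whatever a response carries beyond the genuine payload."""
    if response is None:
        return b""
    _, claimed = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN + honest_payload_len:HEADER_LEN + claimed]


if __name__ == "__main__":
    honest = build_heartbeat(5, b"hello")
    # Header claims far more than the 5 bytes actually sent.
    lying = build_heartbeat(5 + MIN_PADDING + len(SECRET_AFTER_RECORD), b"hello")
    print("fixed, honest :", fixed_handler(honest)[HEADER_LEN:HEADER_LEN + 5])
    print("fixed, lying  :", fixed_handler(lying))
    print("buggy, lying  :", leaked_bytes(vulnerable_handler(lying), 5))
```

The fix is the single comparison in `fixed_handler`: the peer-supplied `payload_length` plus header and minimum padding must fit inside the record the TLS layer actually delivered, otherwise the message is dropped without a reply. In a real server the record length comes from the record layer, not from the message itself, which is exactly why the two can disagree.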

According to the UK Information Commissioner’s Office (ICO), Gloucester City Council took more than three months to patch vulnerable systems after a patch became available.

Three months’ delay was simply not fast enough, said the ICO, especially considering that hackers were able to abuse the security hole during that period and access more than 30,000 emails, including personal information about 30 to 40 council staff.

As the ICO puts it:

The Commissioner’s underlying motive in imposing a monetary penalty is to promote compliance with [UK data protection laws] and […] to ensure that appropriate and effective security measures are applied to personal data.

The email that cost $1.9m

South Oregon University is the latest institution to fall for social engineering, after scammers conned the university into wiring funds to them.

The Mail Tribune reports that scammers purporting to be Andersen Construction, who were carrying out building work on a student recreation center, emailed the university requesting that their spring payment be made to a new bank account.

The accounts department transferred $1.9 million, but a few days later the construction company confirmed that they hadn’t received it.

Following the incident the FBI issued a warning to universities to highlight the risks.

“We received a briefing by FBI that there have been 78 different attacks at institutions and some of those were universities,” said SOU spokesperson Joe Mosley. “We’re not alone.”
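The request that caught SOU out, a known supplier apparently asking for payment to a new account, is one that accounts-payable software can flag before anyone wires money. The following is an added example, not code from the article, SOU or the FBI: a triage rule that holds any supplier payment e-mail whose sender domain is not on file, whose Reply-To differs from From, or which asks for a banking change. The vendor record, the addresses and both sample messages are constructed; the article does not say which address the scam mail came from, so the domain check is an assumption about how such impersonation usually looks.

```python
# Added example, not code from the article or from SOU: a triage rule for
# supplier "pay us at a new account" e-mails. The vendor master entry, the
# sender addresses and the two sample messages are constructed.
import re
from email.utils import parseaddr

# Constructed vendor master record: the only sender domain and bank account
# accounts-payable should act on without an out-of-band check.
VENDOR_MASTER = {
    "andersen construction": {
        "domains": {"andersen-example.test"},
        "bank_account": "ACCT-ON-FILE-0001",
        # hypothetical: taken from the signed contract, never from the e-mail
        "callback_phone": "+1-555-0100",
    },
}

# Wording that typically accompanies a banking-detail change request.
CHANGE_PHRASES = re.compile(r"\b(new|updated|changed)\s+(bank|account|routing|wire)\b", re.I)


def triage_payment_request(msg):
    """Return ("ok" | "hold", reasons) for a parsed payment e-mail (dict of fields)."""
    reasons = []
    vendor = VENDOR_MASTER.get(msg["vendor_name"].strip().lower())
    if vendor is None:
        return "hold", ["vendor not in master file"]

    _, from_addr = parseaddr(msg["from"])
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain not in vendor["domains"]:
        reasons.append(f"sender domain {from_domain!r} not on file for this vendor")

    _, reply_addr = parseaddr(msg.get("reply_to", msg["from"]))
    if reply_addr.lower() != from_addr.lower():
        reasons.append("Reply-To differs from From")

    if msg["requested_account"] != vendor["bank_account"] or CHANGE_PHRASES.search(msg["body"]):
        reasons.append(f"banking change requested; confirm by phone at {vendor['callback_phone']}")

    return ("hold" if reasons else "ok"), reasons


# Constructed sample messages.
LEGIT = {
    "vendor_name": "Andersen Construction",
    "from": "Accounts <billing@andersen-example.test>",
    "requested_account": "ACCT-ON-FILE-0001",
    "body": "Spring invoice attached. Please remit to the account on file as usual.",
}
SCAM = {
    "vendor_name": "Andersen Construction",
    "from": "Andersen Construction <billing@andersen-example-invoices.test>",
    "reply_to": "billing.desk@mailer-example.test",
    "requested_account": "ACCT-NEW-9999",
    "body": "Please make the spring payment to our new bank account below.",
}

if __name__ == "__main__":
    for label, m in (("legit", LEGIT), ("scam", SCAM)):
        print(label, triage_payment_request(m))
```

The rule is deliberately conservative: a genuine change of bank details also lands in "hold", and that is the point, because the only safe way to clear it is a call to a number already on file, not one supplied in the message.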

13 Comments

“[Adobe Flash] plugin’s days are numbered and everybody knows it.”

Yea… except I remember hearing the exact same thing about Flash 15 years ago.

And 10 years ago.

And 5 years ago.

For a plugin on its alleged deathbed, Flash has still got some legs, apparently.

Flash was once the only way to get certain things done on the web and by far the best way to get video done. Nobody said it was going to be easy.

One of the world’s largest software companies has to give up a monopoly, tens or hundreds of millions of websites have to be reworked, huge numbers of developers and creatives whose is being a Flash developer have to find another way to make a living.

Those are the legs that keep it moving.

Against that you have the pull of HTML5 which is a no-brainer if you’re starting from scratch but offers little if you’re migrating (unless the Flash install base declines). And the push of poor security, which is often way down people’s list.

Thanks but what do I do about all those sites that tell me I need flash if I do as you suggest and uninstall?

Because Apple made the, at the time, brave move to remove Flash from iOS some time ago, you can usually get the mobile site without Flash.

This question has been covered before, here and elsewhere. Some possible solutions are to have a separate browser with Flash enabled that is ONLY used as required for specific needs, or to have Flash installed but set to “click to activate”. Both of these methods have their pros and cons, but either one is better than simply rolling on with Flash ready to assist the crooks.

My experience with Firefox has been that setting Flash to “Ask to Activate” will cause the website to conclude that Flash is available and attempt to use it. However, if you set Flash to “Never Activate” the web site will not detect Flash and will use HTML5 if it supports it. By revealing that you have Flash installed you may not be offered HTML5 even though the web site supports it. As a convenience for those that MUST have Flash there is a Firefox add-on called FlashDisable that puts a button on your toolbar allowing you to toggle the Flash setting between Always Activate and Never Activate with a single click. A great convenience to enable Flash when you need it and disable it quickly when you’re done.

I think you are right – in my experience, “Never enable” means that a site that supports Flash will be told that you don’t – so there’s no point in trying to send you Flash at all.

If all else fails, you can often convince Flashtastic sites like the BBC to serve you HTML5 by using a user agent switcher and telling the site you’re an iPad :-)

Evaluate the value of those sites to you. The majority of them at this point are probably using it because they’ve barely updated anything in years, or more likely, to sneak some form of ad tracking data around your browser extensions.

Also: “old nearly old enough” *stares at an editor and some deadline pressure* do you guys have the grammar checker turned on, even? :p

It’s more of a typo than an error of grammar (and have you ever seriously tried to use an automated grammar checker :-), but thanks for spotting it. Needed a hyphen between “old” and “nearly”, or simply the first “old” deleted. I chose the latter edit.

In all honesty, the word grammar checker saves me regularly in work, although I admit I have to suppress at least 50% of the alerts.

Fair point for people who write for a living (and dear god, the Windows Phone one likes to go crazy, I have to admit. It auto-corrected “write” in this comment to “wrote” and has “go” underlined right now as a spelling error…)

Apologies for being snarky :(

Sorry, Paul, what you needed wasn’t a hyphen (-) but a dash (—). Hyphens join words: “a part-time job”. Dashes separate them: “Sadly, we must part — time will not ease the sorrow of our parting”.

What exactly is the point in the state fining a municipality? I mean, who is gonna pay that 100k pound, and who will receive it?

Thanks for the link to the ICO document, always nice to have an up to date case to highlight how important security is.
