Ongoing Flash Vulnerabilities
We have had a number of readers asking about the ongoing issues with Flash. Adobe released its regular monthly update for Flash on Tuesday. With this update, you should be running Flash 19.0.0.207. However, on Wednesday, Adobe published a security bulletin [1] warning that a new, so far unpatched, vulnerability (CVE-2015-7645) is being exploited. Adobe currently describes the attacks as limited and targeted.
Sometime next week, an update to Flash will be released to address this vulnerability.
So what should you do and what does this all mean?
Next week's patch is unlikely to change the fact that Flash still contains a large number of so far unpublished vulnerabilities. The groups exploiting these vulnerabilities appear to find them faster than Adobe patches them. Even after Adobe releases a patch next week, new vulnerabilities will likely be exploited starting as soon as that patch is released. So one more patch won't fundamentally change anything.
What should you do?
If possible, uninstall Flash. If you cannot uninstall it, at least make sure that your browser does not launch Flash content automatically. This "click-to-play" behavior (some browsers call it "Ask to Activate") should be enabled for all plugins that support it (e.g. Java), not just Flash.
Here are some quick tips on how to enable click-to-play:
Firefox: It should be enabled by default. Check the "plugins.click_to_play" setting in about:config to make sure it is set to true.
Internet Explorer: Click the gear icon and select "Manage Add-ons". Select the Shockwave Flash Object and click "More information". By default, all sites are approved because of the wildcard "*" in the approved-sites box. Delete it.
Google Chrome: In chrome://settings click on "Show advanced settings..." at the bottom of the page. Click on the "Content Settings" button under "Privacy" and select "Let me choose when to run plugin content" under Plugins. You can also review existing exceptions that you may have set up in the past, and you can disable individual plugins. Note that Chrome ships with its own copy of Flash, which is updated together with the browser rather than by Adobe's installer.
Safari: Check the "Security" tab in Preferences. Under Plug-in Settings you can enable or disable individual plugins.
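As an added example (this is not code from the diary or from Adobe), here is a small Python helper that applies the advice above across a fleet: it compares each host's reported Flash build against the fixed build, and reads the Firefox plugins.click_to_play preference from a prefs.js or user.js dump to decide whether an unpatched host is at least mitigated. The 19.0.0.226 fix build and the inventory are assumptions: the build number is the one commenters on this diary report for the updated installers, so replace it with the number from Adobe's bulletin, and the sample records are constructed.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a four-part Flash build string such as '19.0.0.207' into a tuple.

    A leading 'v' is tolerated. Anything that is not four dot-separated
    integers raises ValueError, so a mistyped inventory entry such as
    '19.0.0226' is flagged instead of being silently mis-compared.
    """
    parts = text.strip().lower().lstrip("v").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


# The about:config preference the diary tells Firefox users to check, in the
# form it takes in prefs.js / user.js.
_CTP_RE = re.compile(
    r'^\s*user_pref\("plugins\.click_to_play",\s*(true|false)\);', re.MULTILINE
)


def firefox_click_to_play(prefs_text: str) -> bool:
    """Return True if click-to-play is on according to a prefs.js/user.js dump.

    No entry means the browser default applies, which the diary says is
    enabled, so absence counts as True. The last entry wins, matching how
    Firefox applies the file.
    """
    found = _CTP_RE.findall(prefs_text)
    return True if not found else found[-1] == "true"


def assess(installed: Optional[str], fixed: str, click_to_play: bool) -> str:
    """Classify one host against the fixed build.

    'absent'    Flash is not installed (the diary's first recommendation)
    'patched'   installed build is at or above the fixed build
    'mitigated' older than the fix, but the browser will not auto-run Flash
    'exposed'   older than the fix and Flash runs automatically
    """
    if installed is None:
        return "absent"
    if parse_version(installed) >= parse_version(fixed):
        return "patched"
    return "mitigated" if click_to_play else "exposed"


def triage(inventory: Iterable[dict], fixed: str) -> Dict[str, str]:
    """Run assess() over records of the form {'host', 'flash', 'prefs'}."""
    return {
        rec["host"]: assess(
            rec.get("flash"), fixed, firefox_click_to_play(rec.get("prefs", ""))
        )
        for rec in inventory
    }


# Assumed fixed build: commenters on this diary report 19.0.0.226 installers.
# Replace with the build from Adobe's bulletin. A single release track is assumed.
FIXED = "19.0.0.226"

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "flash": "19.0.0.207",
     "prefs": 'user_pref("plugins.click_to_play", true);\n'},
    {"host": "ws-02", "flash": "19.0.0.207",
     "prefs": 'user_pref("plugins.click_to_play", false);\n'},
    {"host": "ws-03", "flash": "19.0.0.226", "prefs": ""},
    {"host": "ws-04", "flash": None, "prefs": ""},
    {"host": "ws-05", "flash": "17.0.0.188", "prefs": ""},  # no entry: default (on)
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY, FIXED).items()):
        print(f"{host}: {status}")
```

The version parser deliberately rejects anything that is not four integers, because the build numbers in this thread show how easily a digit goes missing; a lenient comparison would quietly mark such a host as patched or unpatched at random. "Mitigated" is only as good as the browser's click-to-play enforcement, so treat it as a holding state until the host is actually updated or Flash is removed.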
[1] https://helpx.adobe.com/security/products/flash-player/apsa15-05.html
Comments
This works pretty well IRL. People do occasionally forget to look for the symbol when a site doesn't do what they expected. If you're not ready to banish Flash completely, this would be worth a look.
Anonymous
Oct 16th 2015
9 years ago
We like to think that standards will remove the need for third-party software, but in the end we will probably see that one standard has multiple implementations, and that many companies will have to respond to vulnerabilities and threats that arise. And they will arise.
This could make response slower than in the "Flash world" we are in now. And it could make our options fewer: today I can choose NOT to install Adobe Flash Player. Is the same true when any browser I use offers the full range of multimedia features? We have seen WebRTC security issues, such as information disclosure of the computer's IP address.
I don't think Flash Player is going away anytime soon, so I think we as IT Security Professionals should take the time to read through
http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html
I believe in community sharing, and would love for people to point me to the "best of breed" in Flash Player deployment strategies.
dotBATman.
PS: Stepping down from soapbox now.
PPS: From Table of Contents
Chapter 4 – Administration: This chapter describes a number of ways you can create and place files on the end user's machine to manage features related to security, privacy, use of disk space, and so on. This chapter includes sections on privacy and security settings (mms.cfg) and the global FlashPlayerTrust directory.
Chapter 6 – Security considerations: Because it is critical to maintain the security and integrity of your users' computers when installing Flash Player, this chapter provides an overview of security, focusing on those aspects of particular interest to administrators deploying Flash Player. Adobe has developed a number of web pages, white papers, chapters in other books, and TechNotes that address these security issues, as well as others, in more detail. This chapter includes a security overview and discusses security sandboxes for local content, compatibility with previous Flash Player security models, and data loading through different domains. It concludes with a list of additional security resources.
Anonymous
Oct 16th 2015
9 years ago
http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html
and find the latest update installers
http://www.adobe.com/products/flashplayer/distribution3.html
The page still says it's v19.0.0.207 but the *.exe installers are already updated v19.0.0226
not the 1st time Adobe is not able to provide the correct version on this update page
Anonymous
Oct 16th 2015
9 years ago
Anonymous
Oct 16th 2015
9 years ago
I have uninstalled Flash for another reason (And may leave it uninstalled).
For those of us that run Sandboxie, there is an issue with an MS update that will BSOD your box if using Firefox+Flash. There are issues with IE and Chrome (built-in Flash) as well. They are working on a permanent fix. The beta fix is out as of last night. More information can be found here: http://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=21911
Anonymous
Oct 16th 2015
9 years ago
https://helpx.adobe.com/acrobat/11/using/flash-player-needed-acrobat-reader.html
So we pushed Flash back on PCs, but the PCs still got a message in Reader that it didn't have Flash. We found that Flash NPAPI is the plugin needed to make Reader work, while the non-NPAPI version is what makes Flash play in your IE browser.
Has anybody else experienced this issue?
Anonymous
Oct 16th 2015
9 years ago
> http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html
> and find the latest update installers
> http://www.adobe.com/products/flashplayer/distribution3.html
> The page still says it's v19.0.0.207 but the *.exe installers are already updated v19.0.0226
> not the 1st time Adobe is not able to provide the correct version on this update page
19.0.0226 is now available via Adobe's catalog for SCUP, as well.
Anonymous
Oct 16th 2015
9 years ago
Any ideas?
Anonymous
Oct 16th 2015
9 years ago
Anonymous
Oct 16th 2015
9 years ago
There never seems to be good information about what ELSE is changing from version 16->17->18->19, and the desktop team is rightfully worried about having enough time to test and validate the 'new' version. With 15 updates so far this year, keeping up is IMPOSSIBLE.
How many companies leave the silent auto-update turned on and just let Flash run its own course?
Anonymous
Oct 16th 2015
9 years ago