Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security The Internet

New Flash Vulnerability Being Exploited In the Wild (trendmicro.com) 101

An anonymous reader writes: Researchers from Trend Micro report a new attack on fully-patched versions of Adobe Flash. The attacks originate from an espionage campaign run by the group known as Pawn Storm, and seem to target only government agencies. "Ministries of Foreign Affairs have become a particular focus of interest for Pawn Storm recently. Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These are used for simple, but extremely effective, credential phishing attacks. One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organization for an extended period of time in 2015."
This discussion has been archived. No new comments can be posted.

New Flash Vulnerability Being Exploited In the Wild

Comments Filter:
  • Surprise? (Score:5, Funny)

    by Anonymous Coward on Tuesday October 13, 2015 @08:08PM (#50722369)

    Really? What would be news here is if Flash DIDN'T have a vulnerability for a change...

    • by Anonymous Coward

      Flash makes Windows look secure.

    • If the day ends in 'Y' there's likely to be a Flash exploit in the wild.

    • by Mogster ( 459037 )

      +5 Funny?

      I would say +5 Informative and +5 Insightful

      Mind you I guess it's funny because it true

    • I thought flash was the vulnerability! Isn't html 5 meant to be killing it off anyway?
    • This just means Adobe ain't playing ball. They surely could have hired competent programmers who can code by now. I'm all for canvas and HTML5 of course, but Adobe is a visionary old man. I have respect for the ones who brought us sites like http://www.eye4u.com/ [eye4u.com] in the 90s when the Interwebs was just ... plain and we had boxes that blinked. Browsers looked like local car sales commericals, big yellow exclamation marks and flashing text before Adobe came into the scene. Well actually it was Macromedia
  • Uninstall it. (Score:4, Interesting)

    by BrendaEM ( 871664 ) on Tuesday October 13, 2015 @08:13PM (#50722407) Homepage

    I uninstalled Flash on my computers, and the world did not end.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Yeah I'm sorta lost as to why a government agency would have Flash installed in the first place.

    • I uninstalled flash on my computers, and then installed chrome for when i needed flash for websites.

      you might be surprised at the number of sites that still use some flash. especially auto manufacturers though that is changing.

    • I uninstalled Flash on my computers, and the world did not end.

      I threw my computers into the wood chipper, and the world did not end. So that's kind of a low bar, you know?

    • by nnull ( 1148259 )
      Me neither. Stopped using flash completely after all the exploits coming out on a weekly basis. Adobe showed how one can destroy a product with their total incompetence, so much for flash being the future. Hope that $3.4 billion was worth it. It's amazing how fast Adobe Flash is disappearing from the web. I wonder what's going to happen to all those flash based games or the companies that have built on top of flash to build their products?

      But oh well, I don't even use Adobe's PDF viewers anymore. The alt
  • by JustAnotherOldGuy ( 4145623 ) on Tuesday October 13, 2015 @08:14PM (#50722425)

    ..........another excellent reason to use AdBlock and NoScript.

    Flash not allowed to run? No Flash exploit, simple as that.

    • Yeah, no, fuck that. Just uninstall Flash to begin with if you have it on your system; and don't ever EVER install it again. Be done with it already!

      • Yeah, no, fuck that. Just uninstall Flash to begin with if you have it on your system;

        Well, sometimes I like to play some of the silly Flash games I have to kill a little time. I turn it on when I'm bored and turn it back off when I'm done.

        But for browsing the web? No way, not a chance.

    • by Anonymous Coward

      Or, you know, do what a smart person would do and just put Flash on click-to-play.
      You need neither of those extensions for that.

      Adblock and Noscript aren't going to stop a website from being hacked and serving you an infected flash file anyway.

      Equally this is why your browsers should all be sandboxed as well.
      99% of infections will never get through it, and if they do, it is because you were stupid, or you pissed a government off.

  • Solved (Score:5, Funny)

    by Tablizer ( 95088 ) on Tuesday October 13, 2015 @08:36PM (#50722559) Journal

    seem to target only government agencies

    No problem, I'll just put my gov't work on a home server.

    • Thank you, Madame Secretary, but that's the other story (http://politics.slashdot.org/story/15/10/13/1951232/clinton-home-servers-had-ports-open#comments).

  • It seems to me that Adobe Systems is no longer a well-managed company, and hasn't been since Bruce Chizen [wikipedia.org] got tired of managing Adobe, which was well before he resigned in 2007. Here is a story from 2007 about that: Bruce Chizen's legacy [macworld.com].

    This is a comment from a reader of that story who called himself Tidewind: "I might be in the minority on this, but under Bruce Chizen, I felt Adobe became, well, arrogant." That was my experience, also.

    Part of the attraction of Flash has been that it is used to violate the privacy provisions of browsers. Flash can be used to generate what are called Flash-cookies, Local Shared Objects (LSOs), or Super-Cookies, which are files placed on a visitor's computer by the Flash plug-in.

    (To avoid permanent tracking: In Firefox, use the BetterPrivacy add-on [mozilla.org].)

    Now Adobe is trying to make money by making its very expensive products even more expensive by charging monthly for them.

    Microsoft followed that monthly business model with Office 365 [time.com]: Pay every day, 365 days each year, even if some of those days you don't have internet access. (Read the comments about Microsoft's other methods of abuse, such as restricting each copy to one country.)

    Flash is either VERY buggy, or deliberately buggy. Possibly one way Adobe Systems makes money is by allowing vulnerabilities supplied by secret government agencies. Those agencies can spend billions of dollars of taxpayer money without public oversight.

    The new software company business model is apparently "Be abusive".
    • by jonwil ( 467024 )

      I would like to see someone with some resources dump something towards creating a nice open source replacement for Flash that doesn't have all the security holes and problems of the Adobe product.

      Of course the real problem is all the content sites out there that (for some idiotic reason) are relying on Flash for DRM and which cant be made to work on any flash alternative due to the US DMCA and other similar laws around the world.

      • by Anonymous Coward

        I would like to see someone with some resources dump the source code of all Adobe products, that would be an interesting read!

    • by 0123456 ( 636235 )

      Adobe software has been bugware for as long as I remember. Adobe Premiere was the software that taught me to hit CTRL+S every few seconds, and save a backup copy every half hour.

      'Crap, Premiere just crashed again.'
      'Double crap. It corrupted my save file just before it crashed.'

    • It seems to me that Adobe Systems is no longer a well-managed company, and hasn't been since Bruce Chizen got tired of managing Adobe, which was well before he resigned in 2007.

      "no longer"??? Adobe Reader was one of the biggest attack vectors that has ever existed in the history of the web, going back way before 2007. I kid you not, a new exploit came out month after month after month. It was ridiculous. Adobe Flash is actually slightly better in that regard, if that tells you anything.

      • Remember when we just had to worry about making things functional? It's hard to imagine that just a few decades ago, someone thought it was a great idea if, when you inserted a CD (later DVD, then USB drive) your computer would automatically execute binaries found on that media? Or that you could attach a random executable to an e-mail, send it to anyone in the world, and they could execute said binary with a single click? Remember when Windows computers were attached to the internet with default ports o

    • Possibly one way Adobe Systems makes money is by allowing vulnerabilities supplied by secret government agencies. Those agencies can spend billions of dollars of taxpayer money without public oversight.

      Given that Adobe, while being the major vector of insecurity on the web, has never even been lashed with a wet noodle by the Feds, one can only conclude they are given cover for exactly this.

      It's almost as funny as the US public still believing their elected officials are actually in control of the organs of

  • Ministries of Foreign Affairs

    *sigh* I would really think those agencies would have people who are sufficiently paranoid as to not allow Flash on those computers. Or are government officials all demanding they be able to watch YouTube videos?

    Flash has been a gaping series of security holes for almost 20 years now, why the hell do people keep trusting it?

    • by wbr1 ( 2538558 )
      Unprotected sex has been a gaping source of STDs for 1000's of years now, why the hell do people keep having it?
  • Flash: A reeking bottomless pit of zero-day vulnerabilities, all different.
  • Really? By definition, a zero-day exploit would affect fully patched versions of anything. Duh! If they had time to patch it to fix the exploit, it wouldn't be zero-day any more, would it!

    • This information is brought to you by the Department of Redundancy Dept, who has brought you this information.

  • I am surprised...not that there's another Flash exploit, but that people still use flash.

  • "Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207."

    Does this Flash Zero-Day work on OS or Linux?
  • Unless you play games, or need DRM content, you might be okay.

I THINK MAN INVENTED THE CAR by instinct. -- Jack Handley, The New Mexican, 1988.

Working...