New Flash Vulnerability Being Exploited In the Wild (trendmicro.com) 101
An anonymous reader writes: Researchers from Trend Micro report a new attack on fully-patched versions of Adobe Flash. The attacks originate from an espionage campaign run by the group known as Pawn Storm, and seem to target only government agencies. "Ministries of Foreign Affairs have become a particular focus of interest for Pawn Storm recently. Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These are used for simple, but extremely effective, credential phishing attacks. One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organization for an extended period of time in 2015."
Re: (Score:2)
Surprise? (Score:5, Funny)
Really? What would be news here is if Flash DIDN'T have a vulnerability for a change...
Re: (Score:1)
Flash makes Windows look secure.
Re: (Score:3)
If the day ends in 'Y' there's likely to be a Flash exploit in the wild.
Re: (Score:2)
+5 Funny?
I would say +5 Informative and +5 Insightful
Mind you I guess it's funny because it true
Re: (Score:2)
Re: (Score:2)
Uninstall it. (Score:4, Interesting)
I uninstalled Flash on my computers, and the world did not end.
Re: (Score:1, Insightful)
Yeah I'm sorta lost as to why a government agency would have Flash installed in the first place.
Re: Uninstall it. (Score:4, Informative)
http://kb.vmware.com/selfservi... [vmware.com]
Re: (Score:1)
That's the most nondescript URL I've seen in a while. Why the hell do companies still do that?
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
I uninstalled flash on my computers, and then installed chrome for when i needed flash for websites.
you might be surprised at the number of sites that still use some flash. especially auto manufacturers though that is changing.
Re: (Score:2)
I threw my computers into the wood chipper, and the world did not end. So that's kind of a low bar, you know?
Re: (Score:1)
But oh well, I don't even use Adobe's PDF viewers anymore. The alt
And here we go....... (Score:5, Insightful)
..........another excellent reason to use AdBlock and NoScript.
Flash not allowed to run? No Flash exploit, simple as that.
Re: (Score:1)
go to russin wed site
http://syria.crap/ [syria.crap]
Keep your shit-spam to yourself, asshole.
Re: (Score:1)
I already have a russian bride. Thanks though.
Re: (Score:3)
You mean another reason to not use Flash?
AdBlock... nothing to do with Flash. This is for blocking ads. While some ads are built in Flash, most are images or text or HTML5 based.
I'd say that ~50% of all the ads I see (well, used to see, lol) were Flash. And sadly, Flash is still used all over the place, especially on older sites.
So for me, blocking Flash is a no-brainer.
As for NoScript, it blocks a lot of the javascript that's often used to launch the ads you see on sites, including the ads that use Flash.
If you've ever run ads from Advertising.com, Doubleclick, FastClick, etc etc, they're almost always pulled from the ad company's servers by a snippet of javascript that you paste
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Yeah, no, fuck that. Just uninstall Flash to begin with if you have it on your system;
Well, sometimes I like to play some of the silly Flash games I have to kill a little time. I turn it on when I'm bored and turn it back off when I'm done.
But for browsing the web? No way, not a chance.
Re: (Score:1)
Or, you know, do what a smart person would do and just put Flash on click-to-play.
You need neither of those extensions for that.
Adblock and Noscript aren't going to stop a website from being hacked and serving you an infected flash file anyway.
Equally this is why your browsers should all be sandboxed as well.
99% of infections will never get through it, and if they do, it is because you were stupid, or you pissed a government off.
Solved (Score:5, Funny)
No problem, I'll just put my gov't work on a home server.
Re: (Score:2)
Thank you, Madame Secretary, but that's the other story (http://politics.slashdot.org/story/15/10/13/1951232/clinton-home-servers-had-ports-open#comments).
Flash is either VERY buggy, or deliberately buggy. (Score:4, Insightful)
This is a comment from a reader of that story who called himself Tidewind: "I might be in the minority on this, but under Bruce Chizen, I felt Adobe became, well, arrogant." That was my experience, also.
Part of the attraction of Flash has been that it is used to violate the privacy provisions of browsers. Flash can be used to generate what are called Flash-cookies, Local Shared Objects (LSOs), or Super-Cookies, which are files placed on a visitor's computer by the Flash plug-in.
(To avoid permanent tracking: In Firefox, use the BetterPrivacy add-on [mozilla.org].)
Now Adobe is trying to make money by making its very expensive products even more expensive by charging monthly for them.
Microsoft followed that monthly business model with Office 365 [time.com]: Pay every day, 365 days each year, even if some of those days you don't have internet access. (Read the comments about Microsoft's other methods of abuse, such as restricting each copy to one country.)
Flash is either VERY buggy, or deliberately buggy. Possibly one way Adobe Systems makes money is by allowing vulnerabilities supplied by secret government agencies. Those agencies can spend billions of dollars of taxpayer money without public oversight.
The new software company business model is apparently "Be abusive".
Re: (Score:2)
I would like to see someone with some resources dump something towards creating a nice open source replacement for Flash that doesn't have all the security holes and problems of the Adobe product.
Of course the real problem is all the content sites out there that (for some idiotic reason) are relying on Flash for DRM and which cant be made to work on any flash alternative due to the US DMCA and other similar laws around the world.
Re: (Score:1)
I would like to see someone with some resources dump the source code of all Adobe products, that would be an interesting read!
Re: (Score:2)
Adobe software has been bugware for as long as I remember. Adobe Premiere was the software that taught me to hit CTRL+S every few seconds, and save a backup copy every half hour.
'Crap, Premiere just crashed again.'
'Double crap. It corrupted my save file just before it crashed.'
Re: (Score:1)
What has a pink/red color got to do with the application, anyhow? Perhaps you meant 'rogue?' I don't know if it is always you but this seems to be a common one for ACs. Well, I finally got bored enough to point it out. While maybe not you, 'alot' is not a word and there's a difference between fewer and less.
Re: (Score:1)
Don't mention Nethack. Or Zork. I'm not even sure if half the people who play Fallout actually played the first two. I stopped gaming around the time of my enjoyment of the Fallout 2 game. It was awesome. I've not really gamed since but I remember (and played) Rogue. Or, ahem... Rouge... *sighs* Yes, yes I played the French word for Red. I dunno what people do with their spare time but it doesn't appear to be learning new things or improving themselves. I'm glad I'm not a people.
Adobe Reader (Score:2)
It seems to me that Adobe Systems is no longer a well-managed company, and hasn't been since Bruce Chizen got tired of managing Adobe, which was well before he resigned in 2007.
"no longer"??? Adobe Reader was one of the biggest attack vectors that has ever existed in the history of the web, going back way before 2007. I kid you not, a new exploit came out month after month after month. It was ridiculous. Adobe Flash is actually slightly better in that regard, if that tells you anything.
Re: (Score:2)
Remember when we just had to worry about making things functional? It's hard to imagine that just a few decades ago, someone thought it was a great idea if, when you inserted a CD (later DVD, then USB drive) your computer would automatically execute binaries found on that media? Or that you could attach a random executable to an e-mail, send it to anyone in the world, and they could execute said binary with a single click? Remember when Windows computers were attached to the internet with default ports o
Might be legit (Score:2)
Given that Adobe, while being the major vector of insecurity on the web, has never even been lashed with a wet noodle by the Feds, one can only conclude they are given cover for exactly this.
It's almost as funny as the US public still believing their elected officials are actually in control of the organs of
Really? (Score:2)
*sigh* I would really think those agencies would have people who are sufficiently paranoid as to not allow Flash on those computers. Or are government officials all demanding they be able to watch YouTube videos?
Flash has been a gaping series of security holes for almost 20 years now, why the hell do people keep trusting it?
Re: (Score:1)
Pornsites have always been ahead of the curve when it comes to video streaming on Internet, and it isn't the Ministries that are behind the curve, they aren't even streaming video.
News pages on the other hand are far behind on that part and journalists have never been on the side of science and technology.
Re: (Score:1)
I was using a little hand-held Tandy with an external modem to upload content to a newspaper a long time ago when I was doing some freelance work for extra money. So, I dunno... I'm not sure where I'm going with that but I don't think you're *quite* accurate.
Re: (Score:2)
Definition of Flash (Score:2)
Re: (Score:1)
Hmm... Fucking Long-term Assinine Security Hazard.
There IS the "HTML5" alternative... apk (Score:1)
See subject: HOWEVER, we haven't seen all the "ins-&-outs" of that yet either - give it time! Bet it shows glaring vulnerabilities too (despite the state of modern computer science being what it is, one HELL of a LOT better than it was when I started it in 1981 but, men made it - men, screwup!).
Sad truth coming from experience over decades in the art & science of computing here on that above. We're not 100% guaranteed solid in LOTS of things out there now.
On HTML5 - I've tried it in IE11 "latest/gre
Zero-day exploit hits fully patched Flash??? (Score:2)
Really? By definition, a zero-day exploit would affect fully patched versions of anything. Duh! If they had time to patch it to fix the exploit, it wouldn't be zero-day any more, would it!
Re: (Score:2)
This information is brought to you by the Department of Redundancy Dept, who has brought you this information.
Re: (Score:3)
Does anything but ads actually use Flash in this day and age? I haven't had it installed for several years!
Let's see... these are just some results using Firefox 41.0.1 on OS X Mavericks:
Spotify [spotify.com]: "To enjoy Spotify, please install Adobe Flash. It's free."
Pandora [pandora.com]: "In order to use Pandora internet radio, please upgrade to a more current browser or install a newer version of Flash (v.10 or later)."
Hulu [hulu.com]: "Hulu requires Flash Player 11.0.1.152 or higher. Please download and install the latest version of Flash Player before continuing."
I'm sure there are plenty more, but just these three are enough to prove that
Re: (Score:1)
Re: (Score:2)
Even though I don't use those services, I just tried your links. Spotify works and Pandora works as well (Music plays fine). Hulu is the only one that does not work without flash.
Interesting... what browser/OS combination? The latest Safari complains in exactly the same way.
RT.
Surprised... (Score:2)
I am surprised...not that there's another Flash exploit, but that people still use flash.
Re: (Score:1)
Insert free advert for Trend Micro .. (Score:2)
Does this Flash Zero-Day work on OS or Linux?
Yes, Youtube Works without Flash (Score:2)
Unless you play games, or need DRM content, you might be okay.