Adobe Flash Zero-Day Attack Underway

Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"

Re:SNAFU

[bill_kress]

I would have said: Situation Normal, Adobe's Fucked Up

Adobe has to be the worst company ever to supply popular software for the web, and it has always been a horrid company--at least since "ATM" started destroying my PCs back in the ole Windows 3.0 days.

At one point, they had some competition from some other terribly flashy web software, but they quickly rectified that by buying the company so they could retain their title of Extreme Web Fuckups and earn the SNAFU title.

(Second use of the F was quite gratuitous, but in for a penny, in for a pound)

Re:And people

[zwei2stein]

Well, using ad-blockers like this is considered to be taboo behavior in most of forum communities.

I have seen it quite few times, someone had problem with noisy ads, someone else suggests adblock, site admin appears, has long sad speech how adblockers are worst thing ever and bans person suggesting use of adblock and tells person which has problem with ads to deal with it or move on.

There is some pressure NOT to use such tools. And nice people do listen.

Re:Flash perpetual vulnerability

[Anonymous Coward]

I wonder if you could mitigate this threat reasonably painlessly by running a flash enabled browser in an isolated virtualized application environment, using something like Thinstall http://www.thinstall.com/ or Codeweavers crossover http://www.codeweavers.com/products/ ?

Make a goodie virus

[Crookdotter]

I think the time has come to make a virus that counters spambots, trojans, viruses and everything else. Limited lifespan, get them into the wild, let them run through networks doing a good deed then martyr themselves. I know people would be worried about any possible damage done by these things, but if your system is open, then it's a risk vs potential damage assessment. If you have the right security in place, then neither goodie or baddie viruses will get near you.

That's sort of what the Welchia worm does

[MichaelCrawford]

When I was staying in a hotel in between moving out of one house and into another, I hooked my Win2k box directly to the Internet via dialup. At my old place I used Linux as an IP masquerading gateway, and never had any trouble.

Well it didn't take long for me to notice that my modem often showed activity even when I wasn't doing anything online. At the advice of a friend I bought the ZoneAlarm firewall.

It informed me that I was infected with the Welchia worm. What it does is apply security fixes to your Windows installation, and then it propagates itself on to other Windows hosts over the Internet!

This drove home to me the importance, when using Windows, of having a firewall that prevents connection coming from my own computer. ZoneAlarm does this.

Most firewalls just prevent attacks from outside. But if you're already infected, you want to know about network traffic originating from your own computer.

Re:And people

[pizzach]

Even if the current version in your distribution's repositories is not able to play YouTube videos, the cvs version at least can. I remember reading somewhere that getting and keeping YouTube movies playable was a top priority.

Flash dependent sites

[Mathinker]

> That's what temporary permissions are for.

Yes, I use them all the time, but what does that really mean? After I temporarily enable Flash/JS malware for a badly designed site which is just not viewable without them, I'm not going to get temporarily "pwned". It's already "game over".

Except for times like this, if the choice is enabling JS/Flash, or not getting information I was interested in, my thirst for information wins, all other things being equal (i.e., the URL looks like a legitimate one, etc.)

I never enable JS or Flash in order to see sites which I get to through advertisements, however.

Fucking useless

[Anonymous Coward]

But what operating systems are affected and/or browsers? All of them? Some of them? Windows?
This advisory is fucking useless.

"This advisory is to alert you that if you are using Adobe Flash you're pretty much fucked, oh, there is no fix currently. Have a good day"

Re:And people

[grm_wnr]

There is no alternative to Flash. Flash would likely be marginalized by now if FLV hadn't come along; it saved Flash's ass and, to Adobe's credit, made ubiquitous video on the web a reality. Seriously, remember the olden days? Quicktime and WMV, of which the former works fine on Mac OS but is an abomination of a plugin on Windows (easily worse than Flash), and the latter being what you went with if you wanted shit to work for at least the majority of people, even though it was horrible and, philosophically speaking, just plain WRONG? Or use Java, with its massive startup time and memory footprint, to play the pretty laughable (right now) Theora codec? Flash is (relatively) fast, crossplatform, and EVERYWHERE, so it's the smallest of a whole lot of evils. Unless you want Google to include a video layer in their toolbar, and therefore be forced to istall it, your best bet is to bother Adobe to make Flash more secure.

Re:SNAFU

[gaspyy]

Intentionally or not - you're trolling.

1. Adobe Reader 8 launches almost instantly for me after the first run, when it optimizes its launch (and I always disable the startup option). Version 6 was awful but things have changed. I do agree that it's bloated (over 200Mb) but I had problems displaying complex/cmyk docs in Foxit. YMMV.

2. Flash - use AdBlock. The technology is not at fault as flash is pretty lightweight itself. It's the advertisers who think I'll click their stupid ads if they add annoying sounds and the webmasters who think that by cramming more ads there's a better chance of me clicking on one.

3. The update agent is slow 'cause it downloads only when the connection is idle. I do agree that it's annoying for it to ask to close almost all programs when updating.

5. You do realize that camera and mic are turned off by default, don't you? You need to expressly enable them on a site-by-site basis.

So there you have it.

That's not to say that I don't hate Adobe myself for other things:
- activation is a pain in the ass, especially if you don't get the chance to deactivate the software first from the old computer and activate on the new one (happened to me after a hdd crash).
- the software is artificially segmented in some cases, e.g. Premiere and After Effects should be one software, or Illustrator and Indesign (CorelDraw acts as a combination between the two).

Re:And people

[aliquis]

If only that video-in-webpages-standard was implemented (is in Safari now) and used it would be so sweet to just remove that flashcrap alltogether. Too bad on webpages made only in flash but well, those suck anyway =P

Re:And people

[fishdan]

The difference of course is that the image file itself is benign -- the decoders were flawed. Whereas the Flash decoder is adware BY DESIGN.

The creators of Flash, Adobe/Macromedia, deliberately resist allowing user control of Flash. Why must I go to a 3rd party to selectively block Flash? Why can't I control Flash in my browser to a very simple extent such as "Flash cannot play sound without asking permission." Why does Adobe make Flash an "all or nothing" experience? The answer was given to me straight up by Flash evangelist: "If you could control your experience, it would not be a good advertising platform." As floored as I was by that statement, I realized that is Flash's great selling point for many people -- here is an ad that is unavoidable and will generate a lot of attention.

I block flash with noscript, and I refuse to buy from a site that requires Flash. I certainly enjoy Flash games [handdrawngames.com] at home, but at work I've blocked flash at the firewall level for YEARS now. And I've never had one legitimate complaint of "I need flash to do this" that was work related.

Re:SNAFU

[STrinity]

Don't forget that certain Adobe programs, including Photoshop and Premiere, place DRM in the master boot record [adobe.com], which makes it impossible to run TrueCrypt boot-time encryption and have the Adobe programs work.

Why people use flash...

[argent]

Flash is an overkill for most GUIs on the web

Underline that, set it in boldface, carve it in granite, mod parent up, the works...

I really think the main reason people use flash is because it moderately increases the difficulty of reverse-engineering an interface. Chopping up a .swf package can be done, even without a few hundred bucks worth of Adobe software, but it's more work than running "curl -o filename url" a few times. It's obfuscation, pure and simple.