Adobe's Latest Zero-Day Exploit Repurposed, Targeting Adult Websites
MojoKid writes: Adobe issued a patch for bug CVE-2015-0311, one that exposes a user's browser to become vulnerable to code injection, and the now infamous Angler EK (Exploit Kit). To fall victim to this kind of attack, all someone needs to do is visit a website with compromised Flash files, at which point the attacker can inject code and utilize Angler EK, which has proven to be an extremely popular tool over the past year. This particular version of Angler EK is different, however. For starters, it makes use of obfuscated JavaScript and attempts to detect virtual machines and anti-virus products. Its target audience is also rather specific: porn watchers. According to FireEye, which has researched the CVE-2015-0311 vulnerability extensively, this exploit has reached people via banner ads on popular adult websites. It was also noted that even a top 1000 website was affected, so it's not as though victims are surfing to the murkiest depths of the web to come in contact with it.
Adblock, FTW (Score:5, Insightful)
Seriously, who even sees ads anymore?
Re: (Score:3, Interesting)
Youtube just switched to HTML5 video by default, so perhaps we can uninstall Flash for good now!
Re: (Score:3)
Hulu works fine on an Apple TV. No flash available.
Re: (Score:1)
flash = video drm for PCs now.
Re: (Score:2)
Pretty much.
Re: (Score:3)
BBC still uses them. Probably the most important site left for me that does.
But can it play ... (Score:2)
Youtube just switched to HTML5 video by default, so perhaps we can uninstall Flash for good now!
But can it play "Badger Badger Badger"?
Re: (Score:1)
I do, I could turn on adblock at any time, but I really don't care. Most of the sites I visit I would like to give money to. Webcomics, slashdot, and so on. I have no problems with them having banners. Porn sites are an interesting breed though, maybe people should be firing up a web blocker before hitting up some of those sites, or sites that don't seem to filter their own ads.
Re: (Score:3, Interesting)
or sites that don't seem to filter their own ads.
Oh, you mean like Google Adsense? They've been known to run malicious ads on countless occasions.
Re: (Score:2)
Considering ad revenue is the biggest revenue stream for the internet, I'd say quite a lot of people.
Re:Adblock, FTW (Score:4, Informative)
Seriously, who even sees ads anymore?
People using iPhones and iPads.
Re: (Score:2)
Aren't there ad blockers for iOS? I hate it when web sites don't work with ad blockers. :(
Re: (Score:2)
And HOSTS files can't block inlined advertising (of which your spamvertising posts are a great example), whereas adblockers can do that effortlessly.
Go get some help. You need it. I await your replies where you pretend to be a whole different bunch of people all agreeing that I'm some sort of messed up lunatic. Maybe you'll link to some of my comments and you and your made-up friends will judge me on them? I can't wait!
Maybe if Adobe fixed their broken updater... (Score:5, Insightful)
Maybe if Adobe fixed this, there wouldn't be so many successful Flash-based attacks.
Re: (Score:3, Insightful)
I totally agree. I solved this by disabling any Adobe stuff on any browser or platform or device.
And when you go to update it, it takes you to a web page. If you're not paying attention, it will try to install other stuff like the useless McAfee. The Adobe web page downloads a shim installer - not the real thing. The shim installer downloads the real thing and then installs that...
Do Adobe programmers smoke crack or something?
Re: (Score:2)
Just because the shady back-alley freeware does it, does not in any way make a good excuse for a AAA software vendor to do so
And AAA vendors don't. Adobe products are simply shady back-alley freeware as proven by their installer. Java too, of course.
Re: (Score:2)
My favorite part is where after every update it re-asks whether you want to auto-update.
Re: Maybe if Adobe fixed their broken updater... (Score:2)
I don't have this problem and yes I use a standard user account. Newer flash in the last few years runs as a service so it can update
Re: (Score:3)
Run this command from the named Administrator account:
@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin
Add this to the machine startup script or acceptable alternative of your choosing.
choco install flashplayeractivex
choco install flashplayerplugin
Flash is now less retarded.
Also, the site for direct download of Flash installers is: http://www.adobe.c [adobe.com]
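A more cautious form of the bootstrap in the comment above, as an added example that is not part of the original thread or of Chocolatey's documentation: the one-liner pipes a downloaded script straight into `iex` as Administrator, so this version saves it to disk and checks it against a pinned digest before running it. The digest is a placeholder to fill in from a copy you have reviewed, and the optional signature check assumes the script carries an Authenticode signature.

```powershell
# Added example (not from the thread): download, verify, then run the
# Chocolatey bootstrap script instead of piping it directly into iex.
param(
    [string]$Url = 'https://chocolatey.org/install.ps1',
    # Placeholder: pin the SHA-256 of a copy of install.ps1 you have reviewed.
    [string]$ExpectedSha256 = '<SHA256-OF-REVIEWED-install.ps1>',
    # Assumption: the script is Authenticode-signed; enable to enforce that.
    [switch]$RequireSignature
)

$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 1. Save the script to disk so the bytes that are checked are the bytes that run.
$script = Join-Path $env:TEMP 'choco-install.ps1'
Invoke-WebRequest -Uri $Url -OutFile $script -UseBasicParsing

# 2. Refuse to continue if the content differs from the reviewed copy.
$actual = (Get-FileHash -Path $script -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    Remove-Item $script -Force
    throw "install.ps1 digest mismatch: got $actual"
}

# 3. Report the signature, and optionally insist on a valid one.
$sig = Get-AuthenticodeSignature -FilePath $script
Write-Host "Signature status: $($sig.Status)"
if ($RequireSignature -and $sig.Status -ne 'Valid') {
    Remove-Item $script -Force
    throw "install.ps1 signature is not valid: $($sig.Status)"
}

# 4. Run the verified file in a child process without loading a profile.
& powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script
if ($LASTEXITCODE -ne 0) { throw "Chocolatey bootstrap failed ($LASTEXITCODE)" }

# 5. Install the two packages named in the comment, using the path it adds to PATH.
$choco = Join-Path $env:ALLUSERSPROFILE 'chocolatey\bin\choco.exe'
foreach ($pkg in 'flashplayeractivex', 'flashplayerplugin') {
    & $choco install $pkg -y
    if ($LASTEXITCODE -ne 0) { throw "choco install $pkg failed ($LASTEXITCODE)" }
}
```

A digest mismatch after an upstream update is expected; review the new script and update the pinned value rather than bypassing the check.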
Re: (Score:3)
The powershell stuff installs the Chocolatey.org software repository on a client. It's also entirely readable as pseudocode.
Once it's installed, it's like having ports or apt, but on a Windows machine.
Re: (Score:1)
Selecting "automatically update" doesn't actually automatically update. It just causes it to complain that an update is available every time you reboot and/or log on.
It is necessary to do it that way, otherwise they wouldn't get permission to install malware. Without that dialogue box the installed malware wouldn't be legit.
Well I guess it's a good thing... (Score:4, Insightful)
I block ads on ALL websites.
Re: Well I guess it's a good thing... (Score:2)
As soon as sites stop putting in 40 freaking ad networks each page perhaps we will stop. They are getting worse and worse with MOST SHOCKING
Re: (Score:2)
Ironically, they're all owned by Google, those ad networks. Maybe if you went to shadier sites you'll find the 2% (Google has around 98% marketshare in online advertising thanks to ownership of such fine ad networks like DoubleClick and other purveyors of pop ups and pop unders) that Google doesn't have.
Re:Well I guess it's a good thing... (Score:5, Insightful)
Hey, there will always be people who don't block ads. Some sites have subscriptions, which people are free to use.
But the reality is, most sites with ads are infested with literally dozens of third party crapware, places which sideload junk into your system (specifically through crap like Flash), and which want to collect collate and sell your private information.
I will allow a site which serves its own advertising to show ads as long as they're not overly intrusive. But doubleclick, disqus, scorecard research, quantcast, facebook, twitter -- and literally hundreds of other shit sites I have no interest in, well -- that's not my problem.
I'm visiting your website. Unless you lock me out via subscription (in which case I'll ignore your site), I do not owe you ad revenue, and I sure as shit don't owe the 20 other sites embedded in your website anything.
Honestly, if you eventually go out of business ... that is not my problem. Protecting myself from marketers and malware is my problem, and quite frankly, Flash gets reported as loading up malware pretty regularly. I've treated it as malware for over a decade now.
But let's not act like I owe you something. And let's certainly not act like just because you collect your money from a bunch of shady assholes that I owe them anything.
Re: (Score:1)
I will allow a site which serves its own advertising to show ads as long as they're not overly intrusive. But doubleclick, disqus, scorecard research, quantcast, facebook, twitter -- and literally hundreds of other shit sites I have no interest in, well -- that's not my problem.
Unfortunately they are the only ones that probably pay well enough to generate profit. I know, profit is evil. But yeah, it will kind of be your problem when the "free" content or service you get used to using is no longer available.
This is what makes subscription services great (no ads) but then everyone complains about the prices of the subscription, again evil corporate profit.
But let's not act like I owe you something. And let's certainly not act like just because you collect your money from a bunch of shady assholes that I owe them anything.
Clearly. The operating entity of the site owes you their content.
Personally, I'll take the good with the bad as not every situati
Re:Well I guess it's a good thing... (Score:4, Insightful)
They don't owe me a damned thing, and I don't owe them anything -- but until they find a technology solution to stop me, too damned bad.
I'm still going to block as many advertising and analytics companies as I can, using as many plugins as I can find. In every browser I use.
The sites I read aren't in any danger of going under because I don't give them ad views -- and even if they were, I still don't trust the companies involved.
But blocking Facebook and Twitter and the big ad/analytics companies? If you think I give a crap about that, you're sadly mistaken.
So you go ahead and be a well behaved little consumer, me, I'll continue to not give a crap about the revenue of large corporations.
Re: (Score:1)
They don't owe me a damned thing, and I don't owe them anything -- but until they find a technology solution to stop me, too damned bad.
This is exactly the entitlement mentality that puts said evil corporation in an arms race to beat your technology and become more intrusive in the first place.
They feel entitled to make a profit by any means necessary, while you feel entitled to their content or service by any means necessary.
So you go ahead and be a well behaved little consumer, me, I'll continue to not give a crap about the revenue of large corporations.
The point is obviously lost on you. No one is advocating that; I was, and still am, pointing out that everything comes at a cost. You can't have it both ways.
Re: (Score:2, Insightful)
We don't feel entitled to their content.
They are free to remove their content from the internet, or put it behind a paywall. But we ask them for a page, they give us a page. What we do with the page after we get it is up to us.
Re: (Score:2)
They feel entitled to make a profit by any means necessary, while you feel entitled to their content or service by any means necessary.
The former is true.
The latter isn't. If the "content providers" suddenly put all their stuff behind paywalls, I'd ignore them. I wouldn't even bother trying to "subvert" such paywalls. You know that "you've used up your free views for this month" BS that you run into with the NYT and such? My panties don't get in a twist, I just close the window and go elsewhere. I don't
Re: Well I guess it's a good thing... (Score:2)
Yes, the typical
Besides, it's only a matter of time before the subscription users start seeing ads again. They'll start off small but will be right back to full on annoying soon enough. T
Re:Well I guess it's a good thing... (Score:4, Interesting)
But the reality is, most sites with ads are infested with literally dozens of third party crapware, places which sideload junk into your system (specifically through crap like Flash), and which want to collect collate and sell your private information.
This.
And you know what I've found out? The "serve ads" and "collate demographics to sell" industries have merged completely. There is probably nobody left that merely serves ads and doesn't track across websites. Go ahead and delete Adblock Plus and run /only/ Ghostery and Privacy Badger. You get nearly the exact same results as if you ran an adblocker that uses a popular list.
Why Privacy Badger on top of Ghostery? Because it gets the things whitelisted by Ghostery. You didn't think that Ghostery was pure as the driven snow, did you?
--
BMO
Re: (Score:2)
Let's be clear here ... fuck yeah.
I don't surf little private vanity sites, I hit major news agencies, and sites owned by large corporations.
Let me be perfectly clear: I don't give a crap about the revenue of large corporations. Not now, not ever.
You think I should give a shit if Dice gets ad revenue? Or cnn? or google? Or Microsoft? Or Ziff Davis? Or Facebook? Or Twitter?
Fuck that.
Re: (Score:3)
This entire discussion is a great example of the tragedy of the commons. Consider why you only view the large corporation sites - they offer something superior (for you, and many people), which is why they are larger, but also their revenue size is required to provide that superior service (professional journalists, double-checking by editors etc.).
So your own browsing habits reveal that you actually do care about their revenue, indirectly. The world wouldn't end if we were all forced to get our news from
Re: (Score:2, Insightful)
They choose to put info up at a public website. What internet users do with their respective browsers is irrelevant.
Re: (Score:2)
I'm curious... At this point do we just expect everything to be 100% free?
The website should be a way for the business to reach new potential customers. Not an ends to producing profit in itself.
I buy plenty on Amazon despite blocking those affiliate third-party retailer ads at the bottom of the pages.
There are porn websites that operate on giving away short video samples, and subscribers paying for full videos.
Re: (Score:1)
Good luck only buying from companies, or even private parties for that matter, that don't expect to make profit.
Re: (Score:2)
If they can't make a profit without bombarding people with ads, maybe they fail at being entrepreneurs. It's not my job as a consumer to prop up bad business plans.
Re:Well I guess it's a good thing... (Score:5, Insightful)
At this point do we just expect everything to be 100% free? Or do we think money fairies give companies the capital to pay for bandwidth and processing power?
I used to agree with you, but at this point, it's too dangerous to not block ads. You never know when one of them will be malware, and it's not a risk I want to take.
Last time this conversation came up, someone suggested that the internet was better before advertising. I think there's some truth to that.
Re: (Score:1)
I merely asked a question. I wasn't advocating for the behaviour of the adware companies, blocking or not blocking.
I was simply trying to point out the sense of entitlement that seems to be pervasive.
Everyone seems to jump on the "f*ck the evil corporate profit monger" bandwagon, but no one ever seems to think about who's going to keep the lights on.
Like that blog site? Guess what?
That guy blogging needs to eat, pay his rent and provide for his family. How is he going to pay for that: with high ideals? I th
Re:Well I guess it's a good thing... (Score:5, Interesting)
Now look at all the negative stuff. Buzzfeed, wired.com, all those websites that spew crap in order to attract your eyeballs. Out of all of that, are there any websites that would die without advertising, which you would also not be willing to subscribe to?
The only one I can think of is Facebook, and if that one died, it would only encourage a distributed model, where everyone essentially ran their own RSS feed for their friends to look at (or something similar).
So let the advertising die, I say, the internet will be a better place for it.
Re: (Score:2)
I'm hoping that advertising dies as a primary revenue stream purely so that sites like Buzzfeed can die. Not just Buzzfeed, but there are entire networks of websites that do two things:
1) Repost someone else's original content
2) Display one at a time along with three ads
Sets of these kinds of sites use the same network and just have different domain names in order to get around any blocking. They seem to target StumbleUpon, which is where I primarily run into them, hence the need for different domains since
Re: (Score:2)
I'm hoping that advertising dies as a primary revenue stream purely so that sites like Buzzfeed can die.
The world would be a better place.
Re:Well I guess it's a good thing... (Score:5, Insightful)
I'm curious... At this point do we just expect everything to be 100% free? Or do we think money fairies give companies the capital to pay for bandwidth and processing power?
i'm curious...at this point should we accept malware as just a regular part of going to websites?
the question's rhetorical of course - until websites prevent malware from being distributed through their ad networks, i will block ALL ads to defend my computer.
Re: (Score:3)
It's an arms race.
FYI, a great way to "defend" your computer is to not intentionally put it on the front-line.
by "not putting it on the front line", do you mean not going to websites? like, at all?
i mean, the article specifically notes adult websites here, but these sorts of drive-by installs and sideloading exploits occur on more mainstream sites, too [reviewjournal.com]. are you saying to simply not use the web?
Re: (Score:2)
Yeah, because there's never been a security or privacy exploit on a Linux-based OS made by Google.
Re: (Score:2)
I can and have donated directly to web sites or content publishers whom I choose to support. I don't owe anyone else anything, least of all the opportunity to partake of their malware vectors.
Re: (Score:3)
I'm curious... At this point do we just expect everything to be 100% free? Or do we think money fairies give companies the capital to pay for bandwidth and processing power?
Umm... if the advert sites go away for want of revenue, so what? I am currently involved in development work on a site in which we expect a lot of traffic, fill a niche not addressed in the chosen field, and we have no plans to run ads or charge for the service; that goes against all of our principles. And we will pony up the dough to run it ourselves, no contributions asked, expected or accepted. I also belong to a couple of private sites that are of interest to me and I contribute cash a few times a ye
Re: (Score:1)
if the advert sites go away for want of revenue, so what?
I think a lot of people that use stuff like Facebook etc will be bummed, but will move onto a pay-to-play service.
that goes against all of our principles. And we will pony up the dough to run it ourselves, no contributions asked, expected or accepted.
Sounds very altruistic, great. So where did the dough to run it come from? Evil corporation or magical fairies?
I run completely free services like this too, right out of my pocket, with zero profit; the money to pay for bandwidth and hosting comes from my day job: a corporation.
Re: (Score:2)
So where did the dough to run it come from? Evil corporation or magical fairies?
My savings. I worked in education, so I guess magical fairies?
Re: (Score:1)
I stand corrected.
Re: (Score:2)
>clarityray
Is dead.
Acquired by Yahoo.
Just so you can update your spam. HTH.
--
BMO
Re: (Score:2)
Alex, your multiple repostings of identical content is spam.
I have used your software. It works as advertised. However, it doesn't justify multiple copies of the same message in the same thread. That doesn't do anything except make people tune you out as "mere noise" even if what you have to contribute might not be.
Honestly.
And you don't have to talk about yourself in the third person. OK?
Peace.
--
BMO/Dan
Adblock (Score:1)
And Pornhub displays a message saying:
You have AdBlock enabled. Adblock is known to cause issues with site functionality. If you are experiencing any issues, please try disabling the extension.
HAH!
OUTRAGE! (Score:1)
They're infecting our porn now? The bastards!
Something Suspicious (Score:5, Interesting)
... About Adobe's plug-in.
How come such a relatively simple file - something that essentially plays media content - continues to be such a hot-bed of vulnerabilities. And not just bugs, but zero-day exploits too. Do I need a tinfoil hat? Or is it just a tad suspicious that this one product continues to have so many vulnerabilities found in it. After all this time. After all these previous bugs.
Or is it the case that this is just yet another vector sponsored by the likes of the NSA or others, to infect machines of potential targets?
This isn't an attempt to be flippant or to trash-talk Adobe. This is a serious question asked of a well-established software house and what must by now be one of the most heavily-scrutinised software packages in widespread use. Can anyone out there with specific knowledge of this product give us any insight as to why it is so regularly found to contain exploits? If we could look at the defect-per-thousand-lines-of-code, I am guessing that Adobe's products must be the worst in the industry... Can that really be the case?
Re: (Score:1)
Actually, there ARE browsers built on Flash. They've got an entire platform people can use should they care to. However, Adobe's revenue stream comes in mostly via the reseller market -- so they make more money off of things like ADS and being an ePub certificate authority -- hence, no reason for them to focus too much time/money on their actual products.
I guess that's what you get for building with mud.
Re: (Score:3)
It's a problem born from software bloat. It was originally intended to be a means of drawing vector graphics and simple animations, but there was a void in functionality in the days before PCs were fast enough to handle Javascript (or even had browsers that could cope with the highly abstracted pages written now).
Did you mean Java or JavaScript (*)? JavaScript of the time (late 90s) was too simplistic to be usable for serious client-side apps on its own, but I don't think it was especially slow. It was Java that was just too heavyweight for PCs of the time to handle; (**) and I think that explains *why* Flash succeeded.
I've said it before, and I'll say it again [slashdot.org]- Flash basically snuck in via the back door to (eventually) end up filling almost the exact same role that Java Applets were supposed to meet (i.e. embedde
Security Issues (Score:5, Insightful)
Flash didn't start out as a media player, per se, but an interactive presentation layer for animations and for a while imagined itself as browser-independent web based user interface programming language.
So it is a complex unwieldy beast.
Re: (Score:2)
How come such a relatively simple file - something that essentially plays media content - continues to be such a hot-bed of vulnerabilities. And not just bugs, but zero-day exploits too. Do I need a tinfoil hat? Or is it just a tad suspicious that this one product continues to have so many vulnerabilities found in it. After all this time. After all these previous bugs.
No, it's not suspicious, it's exactly what you would expect from corporate programmers in a system that wasn't designed with security in mind.
When people try to make code secure, it's difficult. When people don't even try, it's impossible.
The elephant in the room .. (Score:2)
These are not vulnerabilities in Adobe's plug-in, these are defects in the underlying platform, the name of which must never be mentioned on slashdot.
Adobe Flash Installer Download Knows About These (Score:2)
Re: (Score:3)
And it might not be so insulting if McAfee was good at anything besides eating hardware resources...
Oh, they're rather good at marketing and processing credit card payments too.
Re: (Score:1)
Is there a preference or a killbit to block McAfee from hitching a ride? Java's installer lets you set a registry key to suppress the Ask.com toolbar offer from appearing, would be nice to see something similar for Flash.
"Specific" Audience? (Score:1)
This sounds serious! (Score:3)
So do action shots of me in my Captain Cocktastic costume (girlfriend's crotchless panties, Captain America helmet, red cape, and big, hairy winter boots), leaping to the attack over a suspiciously-shaped beanbag chair, constitute pornography, comedy or educational material?
If the first is true, should I worry that I may fall victim to this security threat should the pictures accidentally become public?
porn watchers? (Score:2)
Re: (Score:1)
So the summary says that this thing targets porn watchers specifically, but I couldn't find any stats on what percentage of the total net population that is.
It's 118%.
Detects virtual machines (Score:1)
So if I make all my computers look like they are running as a virtual machine, I'm safe from this exploit?
So now I'm happy... (Score:1)
Internet ads are self-defeating (Score:1)
The advertisers don't seem to realize that the harder that they try to get our attention via more and more garish, disgusting, crap that they try to shove in our faces on web pages, the more people will decide to block ads and scripts etc... on web pages. People go to web sites to see content, not to be distracted by ads. People do not go to web sites to have malware, spyware, or crapware installed on their computers. I bought my computer. It's mine. I and I ALONE will control what is installed on it, wha
All hail anonymous sites and advertisers (Score:1)
Re: again for the naysayers (Score:1)
How's that ascii porn looking?
Re: (Score:2)
Wow you have ANSI color on your terminal?
luxury.
Re: (Score:2)
Matrix 1 quote dude
Re: (Score:2)
and to all you all that scoffed as I wait minutes for each GIF pr0n via compuserve dial-up, well WHO'S LAUGHING NOW??
Re: (Score:2)
Actually, a text fetch of this comment thread is about 250KB, 59 seconds at 33.6kbs
maybe I should splurge for the 128kbs ISDN line, could get that load time under 20 seconds, w0h00
Re: (Score:1)
Maybe Mozilla will create a better version of Flash to replace this shitty one Adobe plagues us with, and it will actually be cross-browser in the process. I'm sick of Adobe hugging Google with both arms, and leaving NPAPI and Linux support in the lurch.
HTML5 much?
Re: (Score:2)
NPAPI is on life support, with Mozilla whitelisting some plugins temporarily
https://wiki.mozilla.org/Plugi... [mozilla.org]
B2G doesn't support NPAPI and I doubt servo will either.