Emergency Adobe Flash Patch Fixes Zero-Day Under Attack
msm1267 writes: Adobe has released an emergency patch for a Flash zero-day used in targeted attacks by APT3, the same group behind 2014's Clandestine Fox attacks. Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is 11.2.202.466 for Linux 11.x versions.
The current iteration of Clandestine Fox attacks shares many traits with last year's attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure.
Re: (Score:2)
Actually, a tall whiskey now and then makes the Flu quite a bit more bearable. I do agree on your intended meaning though.
Re: Relation to CryptoWall virus? (Score:2)
Are you insane? From a business standpoint they don't give a shit about your privacy. If anything it should have already been blocked.
Re: (Score:2)
I still don't get why this isn't filtered / stopped on a national level. Surely the cost would be justified in savings to the masses.
Protocol spoofing, VPNs... yeah, good luck with that.
Re: (Score:2)
We started seeing exploits of Flash Player (CVE-2015-3105) containing CryptoWall payloads last week. This new one probably has the ability to carry out a very similar payload, but is instead concentrating on backdoor access, potentially for botnet building or data extraction.
disable flash! (Score:5, Insightful)
i said it before [slashdot.org] and i'll say it again.
there are very few reasons to keep flash installed/enabled. if you must have it, use flashblock but chances are you can just disable/remove it completely. if some site still uses flash to play video, leave a complaint in the comments. those that haven't switched to html5 yet will do so soon enough.
if you still have java plugin installed, you better have a good reason because no (sane) sites use that shit.
Re: (Score:2)
Disabling since 2011 and very unhappy with site adoption. At least if the site is popular, it's targeted with 3rd party software, like twitch for example.
Re: (Score:2)
You are quite right. Flash is un-fixable. I de-installed and disabled it some months ago because I was finally fed up.
Re: (Score:2)
Click to play will protect you against most exploits, since they usually depend on either a) redirects to random malware page or b) infecting ad banners. Sadly there's a lot of decent content built on last decade's technology. And some that are adopting that tech today, but I can't really say more....
Re: (Score:2)
On my system, it is.
Re: (Score:2)
Except for work computers, which almost always require at least one annoying thing per year which needs Flash ... I've had Flash disabled or simply not installed for as long as there has existed Flash.
Because it's been a horribly broken security hole since it has existed.
My solution to broken videos that require Flash? I simply don't give a damn.
I'm sure there are things people feel they can't live without that require Flash ... for me, I have yet to find a single one.
After over a decade of simply not usin
Re: (Score:2)
I finally removed Flash two weeks ago. Even with white-listing and Flashblock/Click-to-Enable, the few video sites and online apps that use it weren't worth the continued risk of having it installed. Occasionally I run across a site that requires Flash, but these are rare enough that I can skip by the site without too much worry (if I really /really/ need to access a Flash-enabled site, I'll just fire up a virtual image and install Flash on that).
Only downside is that controls for HTML5-video aren't quite
Re: (Score:2)
As long as he's getting paid well, why should he change? (Unless something better comes along of course.) This isn't his personal computer, it's his work computer. If you have shitty software on your work PC and it causes problems, who cares; just call IT, and when your manager complains about slipped schedules you can blame the crapware and IT.
For personal stuff though, you can't blame others when flash fucks up your PC. So he should find another bank.
not another one. FUCK! (Score:1, Insightful)
Re: (Score:2)
Fuck. Another goddamn Adobe update? Fuck Adobe updates.
Are you new to Adobe, Windows, or just computers in general?
Dunno how the hell you're gonna survive the future when your fucking toilet is gonna need a weekly update to avoid those shitty vulns.
Yeah, yeah, yeah...I know it's just a smart toilet. It was in the EULA. Right there on page 743. You should learn to read those things.
Re: (Score:3)
The issue is that Flash's functionality hasn't changed in years, but it needs a security update every other week. You'd think that Adobe could've sorted that all out by now. If this is the quality of a simple playback plug-in, what conclusion can be drawn about the quality of the rest of their software?
Adobe Acrobat Reader v5 was about 15MB in total size after installation.
Adobe Acrobat Reader v11 is over 400MB in total size after installation.
I really don't think there's any question as to the quality of their shitty bloatware.
In fact, one could argue the main functionality that Adobe has brought to the desktop and browser in the last 10 years is plenty of attack vectors.
And all this bloatware bundling bullshit won't go away until we start holding vendors accountable for the vulnerabilities they create.
Re: (Score:2)
You may be joking, but now I'm really wondering if toilets in Japan can have their firmware updated, etc.
Re: (Score:3)
Oh it gets better. Since the last release, they now force mcafee on you. [imgur.com]
Re: (Score:2)
If only Flash had been implemented in a safer programming language, like Pascal, these bugs would've been rare and few. But all the macho programmers love C/C++, so more vulnerabilities and updates for you every day.
Simpler fix: uninstall (Score:2, Insightful)
Youtube uses HTML5 now. Why does anyone still have a reason to use flash? (I mean besides for watching pr0n, which you do inside a virtual machine, and you restore to a checkpoint afterwards to completely avoid any possibility of malware infestation or cross-session cookies, right?)
tl;dr: Uninstall flash. You don't need it anymore.
vmware vsphere is still flash based (Score:1)
vmware vsphere is still flash based
Re: (Score:2)
Even worse - no more C-based fat client from which to avoid using Flash.
Re: (Score:2)
You can get porn over HTML5.
But Hulu and Netflix both still require 3rd party plugins (Flash, Silverlight)... if I recall correctly.
Re:Simpler fix: uninstall (Score:4, Informative)
Youtube uses HTML5 now. Why does anyone still have a reason to use flash?
Most functionally useful weather radars, including NOAA's, require Flash. My state's Department of Transportation uses Flash for their traffic cameras. Livestream.com, which hosts my local TV news broadcasts along with other stuff like SpaceX launches, is still Flash. And if I want to view any cable TV programming on the computer, Comcast's player is Flash based.
I'd love to have uninstalled Flash a long time ago; for the time being I have to keep it around and use Flashblock.
Re: (Score:2)
Except for some youtube embeds - they still require flash to use. I have to enable flash for pages pretty regularly.
The unwashed masses (Score:1)
Ok, I'm confused. (Score:2)
Fortunately, I do not need to care (Score:3)
I have de-installed the "Flash" malware some time ago and it will _not_ find its way on my computer again. This thing is a solution for nothing, but a persistent problem. It really is a pity, Adobe used to make good software. Not anymore.
Nuremberg 2.0 (Score:2)
Hmm. Maybe not, as it will probably be broadcast using Flash.
APT3 (Score:2)
If they were a female hacker group, they should have taken the name APT3-G [wikipedia.org]. That would have made the "Clandestine Fox" attack even more deliciously-named.
Why can't it auto-update? (Score:2)
Drives me nuts every week or so asking me to install updates. It's a stupid pop-up updated app that gets triggered when a page with flash is loaded.
Yes I understand that running a browser non-stop for weeks goes against their updating philosophy. Too bad. The constant "Update now!" alerts just make their users more likely to fall for phishing scams.
Instead, if you can't update your plugin on already loaded pages... Refactor your app.
Make the bit loaded by the browser a wrapper that can allow its back end to
Re: (Score:2)
update now, reboot.. FTFY
Plugin check page broken (Score:2)
Mozilla couldn't run a piss-up in a brewery these days, I went to the plugin check page and it is broken, no plugin check, no link to adobe.
People are going to use it (Score:2)