Earlier this month, security outfit FireEye’s 'FireEye as a Service' researchers out in Singapore discovered and reported on a phishing campaign that was found to be exploiting a zero-day in Adobe Flash Player vulnerability (CVE-2015-3113). That campaign has been well and truly active for a while now, with attacking emails including links to compromised sites serving up benign content if you are lucky and a malicious version of the Adobe Flash Player complete with the exploit code if you are not.
Adobe has now responded with a security update with the following recommendations:
Users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 18.104.22.168.
Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 22.214.171.1246.
Users of Adobe Flash Player for Linux should update to Adobe Flash Player 126.96.36.1998.
Adobe Flash Player installed with Google Chrome and Adobe Flash Player installed with Internet Explorer on Windows 8.x will automatically update to version 188.8.131.52.
Here are the affected software versions:
Adobe Flash Player 184.108.40.206 and earlier versions for Windows and Macintosh
Adobe Flash Player Extended Support Release version 220.127.116.112 and earlier 13.x versions for Windows and Macintosh
Adobe Flash Player 18.104.22.1686 and earlier 11.x versions for Linux
Craig Young, Security Researcher at Tripwire, reckons that "Flash, along with ActiveX and Java are remnants of the 1990s 'Web 2.0’ technology boom. The nature of these technologies allows attackers to run code directly on remote computers and revolutionized the attack surface of the Internet." I agree with him, and my response is that Flash should die, so KILL IT. Anyway, Craig continues "There has been a constant barrage of vulnerabilities in all ‘Web 2.0’ technology as well as a constant stream of ‘update’ messages to users. This has given way to a newer and very successful form of attack wherein the attacker spoofs an update message tricking users into downloading malware. These tricks can be particularly effective, as illustrated by the 2012 Flashback malware which exploited Java on roughly 600,000 Apple computers in the 6 weeks it took for Apple to respond with patches." Yep, so KILL FLASH. It's useless, you don't need it and you won't miss it. KILL IT.
Mark James, Security Specialist at IT Security firm ESET, also explains why Adobe Flash is targeted so often and what users should do to protect themselves. "Since Flash is such a widely used plugin, it stands to reason that it will be one of the most targeted apps for vulnerability." Agreed Mark, so let's start a campaign to reduce that popularity by encouraging users to KILL IT or HAVE IT KILLED. Sorry, back to Mark. "If you want to affect as many people as possible then you need an application that a lot of users use and flash is one of them. This is an excellent example of why you should be very aware of updates for software not only operating systems. Checking to see if any updates are available and installing them immediately is the only way to help protect yourself in the minefield of the software world that we use today. There is an excellent link that everyone should save and use as often as they can to check to see the latest version of flash and more importantly see if their version is the same or needs updating. I request that you please be very careful of following links to update sites as these could sometimes be used to direct you to other malicious sites. I would personally recommend that you manually type the link to be absolutely sure if you have any concerns at all." Or better still, go to the uninstall software section of your OS and KILL THE BLOODY THING STONE DEAD. WHY ARE YOU STILL USING THIS DINOSAUR?
Yes, some sites and services still demand Flash for their videos. Usually, it has to be said, to serve you adverts you don't want of course. Anyhow, if you do want something there is a work around that doesn't involve Flash most of the time as far as I can see. That work around is called HTML5. Most sites with Flash will also serve up HTML5 so as not to alienate their iOS using visitors. A little googling pretty quickly turns up tricks to spoof your browser, via the User Agent, into becoming an iOS device for this purpose. You should then be able to switch it into iPad, or whatever, mode for those sites that insist on using Flash and still get the content in HTML5 form.
I'm with Brian Krebs who, just the other week, wrote about how he has "spent the better part of the last month running a little experiment to see how much I would miss Adobe‘s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much."
C'mon folks, be honest now, do you really need Flash, do you really you it and would you really miss it? Let's all do the decent thing and shoot this sick beyond belief monstrosity in the head...