Adobe’s Flash Player has had bad press in recent years due to the numerous security flaws in its design, and these problems remain a major issue.

While we frequently worry about the dangers of malware and ransomware, we seem to have forgotten about the security vulnerabilities that are present in software we use every day. Flash has been exposed as having major security flaws in the last few years, so there’s been a tendency to migrate towards HTML5 code which is similar to Flash and much more secure. However, many people still use Flash online, so it’s likely that your organization will come into contact with it on a regular basis.

Understanding how to combat vulnerabilities in Flash is essential for your organization’s security, so let’s try and get a better understanding of Flash’s latest security crisis.

Flash Hits the Headlines Again

On the same day that Adobe released their latest patch for Flash, an independent security expert revealed that they had identified a glaring vulnerability in the software. This security flaw – given the unwieldy name of CVE-2018-15981 – is a curious software bug that has the potential to execute malicious code through an instance of Flash hosted on a malicious website. All versions of Flash up to version 31.0.0.148 are affected, and the flaw could affect the following browsers: Firefox, Chrome, Edge and Internet Explorer.

Combating Flash Vulnerabilities

The most recent version of Flash (31.0.0.153) is more than safe to use in terms of this recently discovered vulnerability, but the question remains as to whether more vulnerabilities are lurking within it. So, how do you combat the security flaws presented by Flash?

Many browsers, such as Chrome, Firefox and Edge, now insist that users manually activate Flash each and every time it’s encountered, but confidence tricks can easily be employed by hackers to disguise this. Flash, of course, is being discontinued at the end of 2020, so many people are simply disabling the software. With only a small minority of websites still using Flash, the loss of productivity from disabling it is considered minimal due to the alternative solutions on offer such as HTML5.

However, many organizations rely on Flash-based websites, such as online customer portals, to complete essential tasks. In these cases, monitoring crucial software updates and acting on them immediately should be a priority for all IT teams. Many businesses have been caught out on countless occasions due to a lack of care when it comes to installing patches and software updates. While this latest vulnerability does not appear to have been exploited by hackers, it could have easily led to severe data breaches and a drop in productivity for any organization affected.

Final Thoughts

Flash has been present within the landscape of the internet for over 20 years, but it almost feels as though Adobe have barely concentrated on it for the last few years. As a result, Flash has received nothing but negative feedback due to the security flaws present. Naturally, with just two years left in its lifespan, these issues will soon become irrelevant, but for now it’s vital that you regularly install updates or, where possible, disable it.

For more ways to secure and optimize your business technology, contact your local IT professionals.



Adobe has suffered another embarrassing attack which exploits their Flash software and this time the malware has been hidden in an Office document.

It seems that almost every week another vulnerability is exposed in Flash, a piece of software which once ruled the internet and powered practically every website worth its salt. However, times change and it’s fair to say that Adobe seem to be constantly fighting to plug the flood of attacks on Flash.

And this recent attack is particularly troubling for businesses as it was delivered in an Office document. Now, you would be hard pushed to find a business which doesn’t handle Office documents, so it’s a good idea you get acquainted with this latest attack.

Flash Gets Attacked (Again)

This latest exploit of a Flash vulnerability (named CVE-2016-4117) was first detected on 8th May 2016. It was an exploit which had not been seen previously, so there were absolutely no patches or fixes in place to prevent the malicious attacks. And this lack of ready-made solutions is why it’s known as a zero-day attack.

Once the attackers had identified this exploit, they uploaded their payload onto a web server from where it could be distributed to the whole world. However, for this payload to affect even a single computer, it had to be downloaded to a computer first.

By trading on the naivety of individuals for whom internet security is not a recognized risk, the attackers hid automatic instructions within an Office document which would download the exploit. The simplest way to transmit this malicious code around the world was through email as many users trust the presence of an Office attachment.

However, upon opening the Office document, the automatic code within would be activated and download the exploit from the attackers’ web server. And, as this code was downloaded, a decoy document would be displayed to prevent detection of any unsavory behavior taking place.

After exploiting this initial vulnerability, the malware would then contact a second web server which could then distribute further instructions. The simplest instruction could be to crash the system resulting in a significant and costly downtime. However, there was also the potential for the attackers to take control of the infected systems and extract data.

Thankfully, for anyone using Flash, Adobe managed to release a fix to the CVE-2016-4117 vulnerability, but this was only after four days of panic. And, believe me, a piece of malware can spread and cause a lot of chaos within four days!

How Many More Attacks Will Flash Absorb?


Attackers currently seem hell bent on using Flash to deliver their nasty payloads and it’s becoming embarrassing for Adobe. Many other software developers – such as Firefox – are now actively preventing the usage of Flash due to the security risks connected to it.

We still have to deal with Flash, though, so vigilance is crucial. And this is why you need to ensure that all your staff are aware of the potential dangers of opening email attachments from unknown sources. Only then will you be able to feel confident that your systems are not going to be compromised.




Adobe’s Flash Player – no stranger to security concerns – has recently been forced into issuing an emergency patch to protect its users from ransomware.

Despite the repeated horror stories of Flash Player’s buggy and easily exploited software, it’s still used on a regular basis by a huge number of people. That’s why any vulnerability which comes to light can have an impact on millions of systems.

This time, it’s that contemporary marvel of security scares known as ransomware which is making the headlines again. So, to keep your systems protected, let’s see what we can learn from Adobe’s latest debacle.

Adobe’s Zero-Day Flaw

The vulnerability at the center of Adobe’s woes is known as a zero-day flaw, but what does this mean? A zero-day flaw refers to a software vulnerability which is completely new and unheard of. Due to its unexpected emergence, the team behind the software then, quite literally, has zero days to prepare a response.

And it’s this level of precarious defense which means zero-day flaws can spread like wildfire and cause absolute mayhem.

In this particular instance, Flash Player was discovered to contain a memory-corruption vulnerability which allowed hackers to hijack users’ systems. To take remote control of users’ systems, the hackers employed the Magnitude exploit kit.

Using Magnitude, hackers were then able to download ransomware – such as Locky and Cerber – onto users’ systems. This ransomware was then primed to encrypt personal files and demand a ransom to unlock these files.

All versions of Flash Player up to version 21.0.0.197 have been affected. And it’s not just limited to systems running Windows – Macs, Linux and ChromeOS are all vulnerable as well.

The Emergency Patch


The threat was first discovered when security experts Proofpoint were investigating recent changes made to the Magnitude exploit kit. Once the magnitude of Magnitude had been established, Proofpoint swiftly contacted Adobe who was quick to rush out an emergency patch.

Thankfully, for Adobe, they had previously built an exploit mitigation technique into Flash Player version 21.0.0.182, so this minimized the malicious impact of this zero-day flaw. However, you would be surprised by the number of users who don’t update their software when prompted. As a result, a significant number of systems were compromised.

Once the emergency patch had been released, Adobe was also quick to advise all its Flash Player users to upgrade to the latest version. This would, hopefully, minimize the risk of further exploitations on older versions of the software.
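An added example (not from the original posts or from Adobe) of how an IT team could check a software inventory against the version ranges quoted in these posts: CVE-2018-15981 affecting versions up to 31.0.0.148, and the Magnitude-delivered zero-day affecting versions up to 21.0.0.197 with a mitigation from 21.0.0.182. The hostnames, CSV column names and sample versions are constructed for illustration.

```python
import csv
import io

# Thresholds quoted in the posts; "affected up to" is treated as inclusive.
# (label, last affected version, version that introduced a mitigation or None)
ADVISORIES = [
    ("CVE-2018-15981", "31.0.0.148", None),
    ("Magnitude-delivered zero-day", "21.0.0.197", "21.0.0.182"),
]

def parse_version(text):
    """Turn '31.0.0.148' into (31, 0, 0, 148); return None if malformed.
    Tuples compare numerically, so 31.0.0.99 sorts below 31.0.0.148,
    which a plain string comparison would get wrong."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def assess(version_text):
    """Return the list of findings for one installed version string."""
    installed = parse_version(version_text)
    if installed is None:
        return ["UNKNOWN version string, check manually"]
    findings = []
    for label, last_affected, mitigated_from in ADVISORIES:
        if installed <= parse_version(last_affected):
            note = "affected by " + label
            if mitigated_from and installed >= parse_version(mitigated_from):
                note += " (mitigation present, still needs the patch)"
            findings.append(note)
    return findings

def audit(inventory_csv):
    """Map hostname -> findings for every host that needs attention."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = assess(row["flash_version"])
        if findings:
            report[row["host"]] = findings
    return report

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,flash_version
pc-01,31.0.0.153
pc-02,31.0.0.148
pc-03,21.0.0.182
pc-04,20.0.0.306
pc-05,31.0.153
"""

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, "->", "; ".join(findings))
```

Hosts with an unparseable version string are reported rather than silently skipped, since an unknown install is exactly the kind that misses patches.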

Is Adobe Safe?

This is a question which seems to get asked on a daily basis at present. And unfortunately for Adobe, things do not look great.

Hackers are clearly targeting Flash Player now and Adobe seems helpless in protecting its product. The knock-on result of all this negative publicity is that PC manufacturers, such as Windows, are going to question whether it makes sense to bundle Flash Player with their products.

The key piece of information to take away from this article is that you should ALWAYS ensure all your software is up to date. This ensures you have the best protection possible against any potential security flaws.



Firefox blocks Flash

Many people thought Adobe’s Flash would be playing online videos forever. However, it’s now been blocked in the Firefox browser, so is it coming to an end?

Yes, Mozilla – the makers of the popular internet browser Firefox – have announced that as of the latest update (V. 18.0.0.203) they will be automatically blocking Flash from running in their browser. This comes shortly after Google announced that their Chrome browser would automatically be pausing irritating Flash videos.

Things aren’t looking good for Flash, but what are the basics behind this seemingly enforced retirement of a perennial piece of web software?

What is Flash?


Adobe Flash is a design program specially created to design online graphics, create apps and, perhaps most famously, power online videos.

The birth of Flash actually took place during the mid-1990s, but it wasn’t until 2005 that Adobe took control of the software.

And it was around this time that a new generation of exciting web sites hit the internet and ushered in an era known as Web 2.0.

The emerging websites of Web 2.0 were highly innovative and prized usability and user generated content above anything else. And what was powering these amazing websites? It was, of course, Flash.

Problems with Flash


Flash, however, now finds itself in a precarious position where big players in the online arena appear to be trying to force it out of existence.

But why is this? What exactly is Flash struggling to cope with in the modern age?


  • Security Issues – Perhaps the biggest nail in Flash’s coffin has been Adobe’s inability to create a safe piece of software. Flash is riddled with security flaws, and Adobe has been accused of failing to protect its users from security attacks. Only recently, the Hacking Team spyware company lost a huge 400GB worth of files thanks to a Flash vulnerability.
  • The Rise of Mobile Devices – Mobile device internet usage is now outstripping desktop internet usage, but Adobe has failed to adapt to this new digital landscape. Steve Jobs – the godfather of mobile devices – famously refused to accept Flash as part of Apple’s iOS as it was too power hungry, unreliable and constantly crashing.
  • HTML5 – What Steve Jobs was backing was a new update of the HTML web programming language called HTML5. And this language was especially designed with mobile devices in mind, so programmers rapidly shifted from the headaches of coding in Flash to HTML5. This is why YouTube, for so long the great backers of Flash, have shifted to HTML5 as their preferred video delivery system.

Is It Game over for Flash?

Mozilla’s dramatic move isn’t actually an outright blocking of Flash. Mark Schmidt of Mozilla has confirmed that this is only a temporary blocking until Adobe can prove that Flash isn’t infested with security bugs.

However, it certainly feels as though Flash is on the ropes with the increasingly powerful HTML5 language outperforming it in almost every area. Maybe it’s time for Adobe to accept that technology has moved on and Flash should be discarded as a relic of times gone by.




Wouldn’t it be great if you could block Flash ads which drain your PC’s resources? New features in Google Chrome disable Flash ads automatically.

The Problem with Flash Ads

There is nothing more irritating than loading up a webpage and beginning to devour the content on offer when, out of the blue, a noisy Flash advert pops up and takes over your speakers.

It jars your concentration and means you lose focus on that amazing article about malware you were enjoying.

Yep, we’ve all been there and we’ve all rolled our eyes and tutted aloud!

Unfortunately, for users of Chrome, the only choice they’ve had in these situations is to take a heavy handed approach to Flash plugins (tiny pieces of software embedded in a webpage). The choice has been to either allow all Flash plugins or disable all Flash plugins.

Now, with the dynamic nature of the web these days, it’s impossible to disable all Flash plugins or you’ll find that you miss out on key information, e.g. some older websites still use Flash to deliver the content you want.

Taking on the Ads


Google, as we all know, are pretty much the guardians of the internet these days. They protect us from dangerous websites, offer us incredibly personalised search results and even find us the best price for a pair of jeans.

It’s this dedication to customer service which has inspired them to go that little bit further and make our web experience smoother than ever.

This is why Google has teamed up with Adobe (creators of Flash) to tackle this advertising nightmare through the Google Chrome browser.

Hitting the Pause Button

By utilising intelligent software, Google and Adobe have managed to program the latest beta version of Chrome to give context to content on a web page.

Say, for example, you’re on a website which features IT tutorials and you want to view their video on how to setup printers. If there’s a series of Flash adverts trying to sell you holidays to Brazil then Chrome will be able to determine which one to silence.

And, believe me, you won’t be hearing about holidays to Rio de Janeiro for long!

No piece of software, of course, is 100% fool proof so, yes, there’s a chance that Chrome could accidentally pause your video tutorial on printers. But the key word here is “pause”. No content will ever be blocked and it will all be readily available at the click of a button.

Thumbs up for Chrome

Google is cooking up something special with this latest advancement in browser software and we can only applaud them for it. We wouldn’t stand for an advert popping up unannounced in the middle of a TV show, so why would we tolerate it online?

The feature is currently only available in the Chrome desktop Beta version, but all the signs are pointing to it becoming a permanent Chrome feature in the near future, so keep your eyes peeled.
