Qualys Blog

www.qualys.com
wkandek

Out-of-band Patch for Adobe Flash

Adobe just released an out-of-band update (APSB14-04) for Flash Player that fixes a vulnerability (CVE-2014-0497) that is being exploited in the wild. Flash versions 12 and 11 are affected on Windows and Mac OS X, and Flash version 11 is affected on the Linux platform. Users of Google Chrome and Microsoft Internet Explorer 10 and 11 will get their updates automatically through a browser update, but they should still verify whether they need to update Flash on the operating system itself as well, if a browser is installed that does not bring its own version of Flash (for example, Safari on Mac OS X, Firefox or older versions of IE).

We recommend installing the update as quickly as possible. Adobe Flash is widely installed and used in the majority of webpages to provide active content: videos and games. It is difficult to restrict its use, and users cannot be expected to present any obstacle to an attack that is embedded in a well-known, trusted web page.

If you are a Firefox user, take a look at the latest release, v27. While it does not address this latest Adobe Flash problem, Mozilla fixed 13 vulnerabilities, including four critical vulnerabilities. We recommend installing it as quickly as possible as well.

3 responses to “Out-of-band Patch for Adobe Flash”

  1. In article: Adobe Flash is widely installed and used in the majority of web pages to provide active content: videos and games. It is difficult to restrict its use

    In Firefox 27 it can be set: Tools | Add-ons | Plugins tab | Shockwave Flash – drop-down menu set to Ask to Activate. Now on every web page (per web server) there will be a question whether to allow Flash to run, and the user can set Allow or Block, and the setting is remembered in the future.

    This is also good protection against auto-run video or similar, and also against malicious Flash code.

    The setting is reset if Tools | Clear Recent History | Time=Everything and Site Preferences is checked when Clear Now is clicked.

    • Exactly. Too hard/annoying for the average Internet user. I cannot see IT Security implement a restriction like that without incurring major user backlash.

      I am really not sure how Flash can be contained any better than what we do today (fast updating, etc). I am more optimistic about Java in that sense. The new EMET 5.0 tool has some powerful new features that can be used to restrict where plugins run in Internet Explorer and I can see them used efficiently in the Java case, but I have a hard time seeing them used for Flash.

      • Yes, now I understand what you are saying. End-users should not be computer scientists and make decisions if Flash should be allowed to run or not, if we ignore the annoying question problem…. Most of the end-users don’t have the knowledge, time and interest to deal with this kind of "nonsense". The web should just work.

        FAST PLUGINS UPDATING

        Currently I also can’t see any better solution than fast plugin updating. Maybe it could be improved with automatic install of Flash. For Firefox I know that if the plugin (Flash, Java) is old, then warning info will appear that the plugin should be updated. But this is still an annoying way of solving the problem. Many users will just ignore the warning.

        PLUGIN, BROWSER AND OS SANDBOXING

        One of the solutions that there was a lot of talk about is sandboxing.

        1. Adobe is developing Flash sandboxing. Details for example:

        http://arstechnica.com/information-technology/2012/06/flash-player-11-3-will-support-sandboxing-in-firefox-on-windows/

        2. Browsers are developing their own sandboxing to run processes in an isolated environment. Details for Firefox: https://wiki.mozilla.org/Security/Sandbox

        3. Operating systems have sandboxing, like SELinux and AppArmor on Linux. On Windows XP, which I am still using, I have configured DropMyRights http://download.cnet.com/DropMyRights/3000-2144_4-10722877.html to run Windows with an administrator account, but running the browser, e-mail and any other program that accesses the internet with a non-privileged account, so if there is a security problem in Adobe Flash it only has non-admin access and has minimal impact on my system.

        We are actually getting at the No. 1 security problem, and that is that applications are running with too much privilege. You know you have to be admin to install applications, and many use super user to browse the net. And there is also a No. 2 security problem: most of the applications are not designed to be secure, and also redesigning an application is not a question, because it is just too costly. So fixing security bugs when they appear. But if the security design is broken, then not much can be done to fix the problem.

        ABANDON FLASH WITH NEW TECHNOLOGY LIKE HTML 5

        But finally I think the only real solution is to abandon Adobe Flash completely, like with HTML 5 technology. I know this will take several years, but it is clear that this can be done. For videos, for example, the Youtube HTML 5 solution: https://www.youtube.com/html5 and HTML 5 can also be done for games, for example see lichess.org: http://en.lichess.org/ (to test this quickly click on the Play with the machine button).

        The question now is not if technology exists to abandon Adobe Flash, but why should companies invest in HTML-5 if the current solution with Adobe Flash is working fine? To get rid of video Flash files, all of the content would need to be converted to one of the video formats, but because of video codec license problems, browser vendors are not uniform on the video codec to use. So to get HTML-5 video support for all major browsers, multiple video formats should be supported by web content companies – but I can’t really imagine e.g. youtube.com using multiple video formats just because of disk storage costs.

        Maybe there will be a faster move from Adobe Flash to HTML 5 if/when tablet vendors decide not to support Adobe Flash. Apple has already decided this. Detailed article: http://ipad.about.com/gi/o.htm?zi=1/XJ&zTi=1&sdn=ipad&cdn=gadgets&tm=24&f=20&su=p284.13.342.ip_&tt=12&bt=9&bts=9&zu=http%3A//www.apple.com/hotnews/thoughts-on-flash/ and there was also a lot of talk of Flash not being supported on Android anymore, like: http://www.engadget.com/2012/06/28/adobe-confirms-it-wont-support-flash-on-android-4-1/

        When the number of tablet and smartphone users increases enough, web companies will be forced to invest in non-Flash technology to reach tablet users, and HTML 5 is a promising technology.
