More Flaws in Adobe Flash Player

Joe

[This information is correct as far as I know as of the time of posting. But the situation is volatile and subject to rapid change.]

Critical Adobe Flash bug under active attack currently has no patch

"Attackers are exploiting a critical vulnerability in Adobe's widely
used Flash Player, and Adobe says it won't have a patch ready until
later this week.

The active zero-day exploit works against the most recent Flash version
21.0.0.242 and was detected earlier this month by researchers from
antivirus provider Kaspersky Lab, according to a blog post published
Tuesday by Costin Raiu, the director of the company's global research
and analysis team. It's being carried out by "ScarCruft," the name
Kaspersky has given to a relatively new hacking group engaged in
"advanced persistent threat" campaigns that target companies and
organizations for high-value information and data. Raiu wrote:"

Read the entire article here:

Critical Adobe Flash bug under active attack currently has no patch
 
And yet a lot of websites still use Adobe Flash Player. I do a lot of online surveys for rewards on my iPhone, and a lot of time I can't complete a survey because I'm told I don't have Adobe Flash Player on my device.
 

I sympathize with you. It might be possible to uninstall it during times of crisis, then reinstall after they have issued a "patch."
But I have not tried this. There are also some controls in Firefox you can set to not allow it to run unless you do some sort of "manual override." But all this stuff is over my head in terms of sophistication.
 
My Firefox (on a Linux distro) is configured that way by default. It's quite easy to manually override:

Whenever I see a web page with Flash content, there is a little bar above the page that says Firefox is blocking the content, and also over the Flash content itself. I can click on one of these to choose between allowing the content just now or always.
 
Mozilla announced awhile back that Flash Player will no longer be supported in their browser with the exception of Facebook and YouTube... For every other site Flash will be blocked from working. That's the way I understood it at least.
 

I think you misunderstood what happened. At a certain point in time (July 14, 2015) Mozilla blocked all versions of Adobe Flash version 18.0.0.203 or older from Firefox. Even these were not totally blocked, but put on an "ask to activate" basis.

Mozilla blocks all versions of Adobe Flash in Firefox - gHacks Tech News

Mozilla did not continue to block all future versions of Adobe Flash. We are up to version 21.0.0.242 now.

Mozilla has a webpage telling people how to install the Flash Plugin in Firefox, and how to deal with various problems and concerns. I did not see a date on it, but it appears to be current.

Flash Plugin - Keep it up to date and troubleshoot problems | Firefox Help
 
Adobe has apparently come out with a new version/patch to deal with ScarCruft. The patch had escaped my attention until I Googled for it.

ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks

Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia.

...

Thursday’s Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171. Desktop versions 21.0.0.242 and earlier on Windows and Mac machines are affected and users should upgrade to 22.0.0.192. The majority of the vulnerabilities patched today are memory corruption flaws. The update also takes care of type-confusion, use-after-free, buffer overflow and directory search path vulnerabilities as well as a same-origin policy bypass flaw that exposes machines to information disclosure attacks.
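As an added example (not code from this thread, from Adobe or from Mozilla), the version numbers quoted in this post and in the earlier Mozilla-blocklist post can be turned into a small inventory check: parse each host's reported Flash version into integers and compare it against the last affected build (21.0.0.242), the fixed build (22.0.0.192) and Mozilla's 2015 "ask to activate" threshold (18.0.0.203). Those three thresholds come from the thread; the host inventory lines are constructed sample data, and the `triage` helper is hypothetical. The example also shows why comparing version strings lexicographically is wrong (9.x would sort after 22.x).

```python
"""Flag Flash Player installs that sit below the fixed build named in the
advisory quoted above. Thresholds are taken from the thread; the inventory
below is constructed sample data, not real hosts."""

from typing import List, Optional, Tuple

FIXED_VERSION = "22.0.0.192"            # build users are told to upgrade to
LAST_AFFECTED_VERSION = "21.0.0.242"    # "21.0.0.242 and earlier" affected (CVE-2016-4171)
MOZILLA_BLOCK_THRESHOLD = "18.0.0.203"  # Firefox put this and older on "ask to activate"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into a 4-tuple of ints so comparison is numeric.
    Shorter strings are right-padded with zeros; anything that is not
    dotted integers raises ValueError."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(version: str) -> bool:
    """True when the build is 21.0.0.242 or earlier (in the affected range)."""
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


def needs_update(version: str) -> bool:
    """True when the build is below the fixed release 22.0.0.192."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def firefox_would_block(version: str) -> bool:
    """True when Mozilla's 2015 blocklist would have set it to 'ask to activate'."""
    return parse_version(version) <= parse_version(MOZILLA_BLOCK_THRESHOLD)


def lexicographic_is_wrong(a: str, b: str) -> bool:
    """Return True when plain string ordering disagrees with numeric ordering,
    i.e. the case where a naive `a < b` check would misclassify a host."""
    return (a < b) != (parse_version(a) < parse_version(b))


# Constructed sample inventory (hypothetical hosts): "<hostname> <flash version>".
SAMPLE_INVENTORY = """\
ws-001 21.0.0.242
ws-002 22.0.0.192
ws-003 18.0.0.203
ws-004 9.0.280.0
ws-005 not-installed
"""


def triage(inventory: str) -> List[dict]:
    """Classify every inventory line; unparseable versions get None fields
    plus a note instead of being silently treated as safe."""
    rows = []
    for line in inventory.splitlines():
        host, _, ver = line.partition(" ")
        try:
            rows.append({"host": host, "version": ver,
                         "affected": is_affected(ver),
                         "needs_update": needs_update(ver),
                         "firefox_blocks": firefox_would_block(ver)})
        except ValueError:
            rows.append({"host": host, "version": ver, "affected": None,
                         "needs_update": None, "firefox_blocks": None,
                         "note": "unparseable"})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

Hosts whose version cannot be parsed are reported separately rather than marked safe, since "not installed" and "could not read the version" are different findings for a patch-status report.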
 