back to article Here's a timeless headline: Adobe rushes out emergency Flash fix after hacker exploits bug

Adobe today issued an emergency security patch for Flash, which squashes a bug being used in the wild right now by hackers to infect Windows PCs with spyware. The flaw, CVE-2017-11292, was discovered by Kaspersky Labs, and affects all current versions of Flash for Windows, macOS, Linux and Chrome OS. A programming cockup in …

  1. Dwarf Silver badge
    Trollface

    Wow their first one - but at least they will have it fixed in a flash.

    Seriously though, does anyone really still use Flash - now that virtually every system can support HTML5.

    1. PeenTrain

      That's like asking if anyone still uses Windows XP. Of course! And they'll never stop.

      Years from now, when Adobe stops patching it and every major browser has dropped support, there will still be web services that say, "Please downgrade your browser." Their developers won't be arsed to update their site, especially if it's a paid service particular to an industry. Their customers are locked in and they would only lose money if they took the time to modernize it.

      I think the Flash 0-days of the future are only going to get scarier.

      1. Mark 110

        I just don't use any websites that want to run Flash.

    2. MyffyW Silver badge

      "Adobe today issued a bug for Flash, which squashes a long-outdated piece of crapware being used in the wild right now by websites to blight PCs."

    3. Anonymous Coward
      Anonymous Coward

      "Flash support"

      I have several browsers that support HTML5, of course. But I have no control over what corporations and governments choose to do with their Web pages. The BBC, to pick a name more or less at random, still cheerfully asks you to install Flash if you want to watch a variety of videos.

  2. Bob Dole (tm)

    "This is a type confusion bug ...”

    Shouldn’t people stop being confused as to whether Flash is a type of bug in and of itself?

  3. Anonymous Coward
    Anonymous Coward

    Oh, this is just beautiful..

    So far the attack has only been spotted in highly focused attacks against political targets, Team Kaspersky said.

    Hmm, could it be that Kaspersky just got its revenge on that nonsense with the US market by exposing NSA malware? That would be rather exquisite irony.

    :)

  4. rmullen0

    Why does Windows 10 bundle Flash?

    Can some explain to me why Windows 10, which according to Microsoft, is the most secure version of Windows yet, bundles Flash? It seems extremely stupid to me given how many security holes Flash has in it. I don't want it on my system, but, don't know how to get rid of it. It makes you wonder whether Microsoft puts it there intentionally so that the NSA can use it.

    1. Erik4872

      Re: Why does Windows 10 bundle Flash?

      The main reason was to bring it under patch management from a source of patches that would regularly get applied. From my experience in end user computing stuff, Flash installed standalone almost never gets updated. Sometimes that's for good reason to prevent a garbage internal application from failing, but usually it's just because no one is keeping an eye on it. This was one of the reasons Flash is such a huge target for malware...tons of consumer systems have old versions installed. See also the Java and Silverlight plugins for examples of client-side apps with lots of system access and no easy update mechanism!

      Bundling it with the browser is also partially historical. Microsoft bundled Flash with IE going way back, but didn't release periodic updates until recently. Almost nothing uses Flash on the Internet at large, but there are a lot of internal applications, especially in the training field, that haven't moved on yet. They'll have to when Adobe finally kills Flash completely, but don't hold your breath waiting...

      1. rmullen0

        Re: Why does Windows 10 bundle Flash?

        It should be an optional component, not installed by default. Corporations that want it installed can install it then. I think there is a way to disable it. I'm not sure that you can actually uninstall it and completely remove it though. I would rather just not have it there than to constantly have to patch it.

      2. John Brown (no body) Silver badge

        Re: Why does Windows 10 bundle Flash?

        "From my experience in end user computing stuff, Flash installed standalone almost never gets updated."

        That surprises me. My experience with Flash a long while ago was that I had to manually select "NO, don't fucking update automatically whenever you feel like it" after EVERY update. I like stuff to check for update and inform me they are available, but Flash was one of the most nagging ones to try to default to automatic updates every time, not respecting my choice to upgrade when it;s convenient to me. (and to try to install bloody toolbars or other crapware as part of the update.)

    2. Anonymous Coward
      Anonymous Coward

      Re: Why does Windows 10 bundle Flash?

      Can some explain to me why Windows 10, which according to Microsoft, is the most secure version of Windows yet, bundles Flash?

      Because it is NOT the most secure version of Windows, it maybe at best the least unsecure one (big conceptual difference). Flash simply establishes another backdoor in case you disable Windows' "sharing" of your personal information. It's a backup.

      The most secure version of Windows exists, but it's one that isn't installed.

      1. Hans 1
        Joke

        Re: Why does Windows 10 bundle Flash?

        The safest Windows version is one burned to a CD-R with the boot manager crippled.

    3. TheVogon

      Re: Why does Windows 10 bundle Flash?

      Flash is only enabled by default for certain white listed websites in W10. For anything else you have to choose to enable it on a per site basis...

  5. macjules Silver badge

    The flaw, CVE-2017-11292, was discovered by Kaspersky Labs,

    And fixed by their FSB dev team. With QA by Mossad and UAT testing by MI6. Should be quite safe now.

    1. Anonymous Coward
      Anonymous Coward

      Yes, but it shows what happens if you let the NSA develop something in isolation. It's as bad as Windows itself.

  6. Mr. Great Sage

    Some things that I would find beneficial in the article:

    -It would of been helpful to provide some of the known hostile server addresses. Firewall rules could be established as a safe guard.

    -Adobe's Distribution portal shows 27.0.0.170 as the official version. This version has been around for quiet awhile now. It seems the affected version is *.*.*.159/130 . I only bring this up because the wording of this article implied this was a new release.

    1. John Brown (no body) Silver badge
      Headmaster

      "would of"

      Would've

  7. amanfromMars 1 Silver badge

    When is a Flaw a Facility? When it is Prime Exploitable Executable ?

    But with news of the flaw now public, script-kiddie morons are likely to pile in and exploit it further.

    Script-kiddie morons, IT in San Francisco? You really think so? That would be a lucky escape from woes which just isn't going to happen, is it?

    There a whole new different class of classy different new penetrations testing of crippled and crippling systems at their work out there. And they aint interested in taking prisoners or shoring up big failed defences.

  8. herman Silver badge
    Pirate

    Confuzled

    So, is Kaspersky good or bad now?

    1. Anonymous Coward
      Anonymous Coward

      Re: Confuzled

      Yes.

      :)

      Slightly more serious, I am suspicious of a sudden outbreak of anti-marketing, that tends to point at manipulated information. I have seen Kaspersky refuse to play the government malware collaboration game, so I'm inclined to give them the benefit of the doubt.

      That said, they had their back end broken into which should not have happened, but that makes me wonder if it was only Kaspersky as that would be uncharacteristically, nay, unfeasibly sloppy for the Israeli..

  9. Anonymous Coward
    Anonymous Coward

    Bwahaha

  10. Anonymous Coward
    Anonymous Coward

    <Nelson>

    Haha!</Nelson>

  11. Version 1.0 Silver badge
    Unhappy

    "highly focused attacks against political targets"

    I've seen multiple malware attempts caught on my machines recently from "adverts" placed on left-leaning sites in the US like Mother Jones. I don't use Flash, run noscript on my generic browser and I'm seeing more of these every month.

    1. John Brown (no body) Silver badge

      Re: "highly focused attacks against political targets"

      Yo should report these attacks to the sites involved and accuse them of hacking attempts. They choose to use the advertising engines and the advert engine suppliers choose to allow the adverts. Maybe if more people did that, eventually the sites will chose more ethical advertising engines or the advert engine people will be more careful of who they allow to advertise.

      I've done so a number of times. Some sites do reply, but usually to say it's out of their control and blame the 3rd party advert supplier. They need more people to complain, loudly, before anything will ever happen.

  12. Anonymous Coward
    Anonymous Coward

    The booby-trapped Flash file

    wrapped in an ActiveX object, and embedded in Microsoft Office documents

    Is this some sort of un-holy trinity (Office, ActiveX, Flash - aka OAF)?

  13. Pascal Monett Silver badge

    "Adobe, [..] proudly trumpeting"

    Um, no Adobe. Just no.

    You have no right to be proud of anything. Not of the ham-fisted way you bullied your Photoshop customers to the cloud, and certainly not of the historical catastrophe that is Flash.

  14. Scroticus Canis
    Holmes

    Fixed this six months back...

    ... just deleted Flash and anything with Adobe in the file or path name. Haven't missed it a bit.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020