Wow their first one - but at least they will have it fixed in a flash.
Seriously though, does anyone really still use Flash, now that virtually every system can support HTML5?
Adobe today issued an emergency security patch for Flash, which squashes a bug being used in the wild right now by hackers to infect Windows PCs with spyware. The flaw, CVE-2017-11292, was discovered by Kaspersky Labs, and affects all current versions of Flash for Windows, macOS, Linux and Chrome OS. A programming cockup in …
That's like asking if anyone still uses Windows XP. Of course! And they'll never stop.
Years from now, when Adobe stops patching it and every major browser has dropped support, there will still be web services that say, "Please downgrade your browser." Their developers won't be arsed to update their site, especially if it's a paid service particular to an industry. Their customers are locked in and they would only lose money if they took the time to modernize it.
I think the Flash 0-days of the future are only going to get scarier.
I have several browsers that support HTML5, of course. But I have no control over what corporations and governments choose to do with their Web pages. The BBC, to pick a name more or less at random, still cheerfully asks you to install Flash if you want to watch a variety of videos.
So far the attack has only been spotted in highly focused attacks against political targets, Team Kaspersky said.
Hmm, could it be that Kaspersky just got its revenge on that nonsense with the US market by exposing NSA malware? That would be rather exquisite irony.
:)
Can someone explain to me why Windows 10, which according to Microsoft is the most secure version of Windows yet, bundles Flash? It seems extremely stupid to me given how many security holes Flash has in it. I don't want it on my system, but I don't know how to get rid of it. It makes you wonder whether Microsoft puts it there intentionally so that the NSA can use it.
The main reason was to bring it under patch management from a source of patches that would regularly get applied. From my experience in end user computing stuff, Flash installed standalone almost never gets updated. Sometimes that's for good reason to prevent a garbage internal application from failing, but usually it's just because no one is keeping an eye on it. This was one of the reasons Flash is such a huge target for malware...tons of consumer systems have old versions installed. See also the Java and Silverlight plugins for examples of client-side apps with lots of system access and no easy update mechanism!
Bundling it with the browser is also partially historical. Microsoft bundled Flash with IE going way back, but didn't release periodic updates until recently. Almost nothing uses Flash on the Internet at large, but there are a lot of internal applications, especially in the training field, that haven't moved on yet. They'll have to when Adobe finally kills Flash completely, but don't hold your breath waiting...
It should be an optional component, not installed by default. Corporations that want it installed can install it then. I think there is a way to disable it. I'm not sure that you can actually uninstall it and completely remove it though. I would rather just not have it there than to constantly have to patch it.
"From my experience in end user computing stuff, Flash installed standalone almost never gets updated."
That surprises me. My experience with Flash a long while ago was that I had to manually select "NO, don't fucking update automatically whenever you feel like it" after EVERY update. I like stuff to check for updates and inform me they are available, but Flash was one of the most nagging ones, trying to default to automatic updates every time, not respecting my choice to upgrade when it's convenient to me (and trying to install bloody toolbars or other crapware as part of the update).
"Can someone explain to me why Windows 10, which according to Microsoft is the most secure version of Windows yet, bundles Flash?"
Because it is NOT the most secure version of Windows; it may be, at best, the least insecure one (big conceptual difference). Flash simply establishes another backdoor in case you disable Windows' "sharing" of your personal information. It's a backup.
The most secure version of Windows exists, but it's one that isn't installed.
Some things that I would find beneficial in the article:
- It would have been helpful to provide some of the known hostile server addresses. Firewall rules could be established as a safeguard.
- Adobe's distribution portal shows 27.0.0.170 as the official version. This version has been around for quite a while now. It seems the affected version is *.*.*.159/130. I only bring this up because the wording of this article implied this was a new release.
But with news of the flaw now public, script-kiddie morons are likely to pile in and exploit it further.
Script-kiddie morons, IT in San Francisco? You really think so? That would be a lucky escape from woes which just isn't going to happen, is it?
There's a whole new different class of classy different new penetration testing of crippled and crippling systems at their work out there. And they ain't interested in taking prisoners or shoring up big failed defences.
Yes.
:)
Slightly more serious, I am suspicious of a sudden outbreak of anti-marketing, that tends to point at manipulated information. I have seen Kaspersky refuse to play the government malware collaboration game, so I'm inclined to give them the benefit of the doubt.
That said, they had their back end broken into, which should not have happened, but that makes me wonder if it was only Kaspersky, as that would be uncharacteristically, nay, unfeasibly sloppy for the Israelis...
You should report these attacks to the sites involved and accuse them of hacking attempts. They choose to use the advertising engines, and the advert engine suppliers choose to allow the adverts. Maybe if more people did that, eventually the sites will choose more ethical advertising engines, or the advert engine people will be more careful about who they allow to advertise.
I've done so a number of times. Some sites do reply, but usually to say it's out of their control and blame the 3rd party advert supplier. They need more people to complain, loudly, before anything will ever happen.