Flash HOLED AGAIN TWICE below waterline in fresh Hacking Team reveals

Two more serious Adobe Flash vulnerabilities have emerged from the leaked Hacking Team files, ones which allow malefactors to take over computers remotely – and crooks are apparently already exploiting at least one of them to infect machines. The use-after-free() programming flaws, for which no patches exist, are identified as …

  1. Snow Wombat
    Facepalm

    Oh Adobe...

    You can't seem to code your way out of a wet paper bag.

    The sooner HTML5 kills flash the better.

    1. Velv
      Terminator

      Re: Oh Adobe...

      One of the problems of an all-pervasive item like Flash is that when a fault is found it affects massive numbers. It's one of the reasons everyone slags Windows, because one flaw affects 95% of the world.

      As the world converges on a standard, any flaw in the standard will have wider reaching implications. And there will be flaws. Expect more frequent updates with less rigorous but more frequent testing. As we abstract away from the OS to the browser, expect exploits on Linux (inc. Android) and Apple users to increase dramatically (and I'm not blaming the OS before you rush to defend the Fanbois and Fandroids). No longer will your choice of hardware influence your vulnerability.

      1. elDog

        Re: Oh Adobe...

        I agree with the OP, not Velv's reply.

        It is possible to code pretty damn good software. Software that is written understanding things like buffer overflows and freed-area reuse. The pervasiveness of use of a particular package should not be a license to write crappy code.

        Adobe has had multiple problems with many of the products I've worked with (ColdFusion, Acrobat, Reader). They have chosen not to have good coding standards and probably not to thoroughly test their products before they spring them on their customers.

        1. Chris 155

          Re: Oh Adobe...

          Of course that's possible; however, it's incredibly uncommon, and not just at Adobe: the OpenSSL bug last year was the same kind of bug. It might perhaps be telling that we've known about these kinds of exploits for 40 years and yet they're still incredibly common in code. They're common because they're really easy mistakes to make.

          Every single bit of non-trivial code uses the kind of data structures that are vulnerable to exploits like this over and over again, because they're just that common. All it takes is missing a bounds check on one very specific way of accessing your code that you may never have thought of, or saying "no one is ever going to access this code that way" once in a project, to get a vulnerability, and things like that happen way, way, way more often than once in a project.

          I'll guarantee that if you're actually a developer you've written at least a hundred of them, mostly in little things, only intended to be used internally or only in a specific space. Or you've counted on a library to do something and the library's author has screwed it up.

          Flash is of course particularly vulnerable because Flash was first and never died. It was made when the world was a very different place and all sorts of horrors had to be coded in to make it even remotely plausible. Every attempt at a replacement has failed to date, including the idea that HTML 5 will kill it, as if YouTube videos were the only reason anyone ever used flash.
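The bug class the thread keeps circling (the article's use-after-free flaws, elDog's "freed-area reuse", Chris 155's point that one unchecked access path is all it takes) can be shown deterministically without relying on undefined behaviour. The C program below is an added example written for this page; it is not code from Adobe, the article or any commenter. It models a toy slab allocator in which a freed slot is handed straight to the next allocation, a function that keeps a raw slot index across the free and so reads the new object through the old reference, and a hardened variant using generational handles that refuses the stale access. The allocator, handle design, slot count, object size and tag bytes are all assumptions made for illustration, not a description of Flash's own heap.

```c
/* Added example: deterministic model of a use-after-free on a slab
 * allocator, and one mitigation. Not code from Adobe or the article;
 * the allocator and handle design are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS     4u
#define OBJ_BYTES 16u

/* One fixed-size allocation slot. The generation counter is the only
 * state a plain allocator would not keep; it is what drives the fix. */
typedef struct {
    uint32_t      generation;   /* incremented every time the slot is freed */
    int           in_use;
    unsigned char data[OBJ_BYTES];
} slot_t;

typedef struct { slot_t slots[SLOTS]; } slab_t;

/* Handle that remembers the slot's generation at allocation time. */
typedef struct { uint32_t index, generation; } handle_t;

static void slab_init(slab_t *s) { memset(s, 0, sizeof *s); }

/* Lowest free slot wins, so a slot freed a moment ago is handed straight
 * to the next caller, like the head of a real freelist. -1 when full. */
static int slab_alloc(slab_t *s) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!s->slots[i].in_use) {
            s->slots[i].in_use = 1;
            memset(s->slots[i].data, 0, OBJ_BYTES);
            return (int)i;
        }
    }
    return -1;
}

static void slab_free(slab_t *s, uint32_t i) {
    if (i < SLOTS && s->slots[i].in_use) {
        s->slots[i].in_use = 0;
        s->slots[i].generation++;
    }
}

/* VULNERABLE: the raw index 'a' outlives the object it referred to.
 * Expects a freshly initialised slab. Returns the byte read via 'a'. */
static int vuln_read_after_free(slab_t *s) {
    int a = slab_alloc(s);
    s->slots[a].data[0] = 0x41;      /* object A carries tag 'A' */
    slab_free(s, (uint32_t)a);       /* A is released; 'a' now dangles */
    int b = slab_alloc(s);           /* B is placed in the very same slot */
    s->slots[b].data[0] = 0x42;      /* object B carries tag 'B' */
    return s->slots[a].data[0];      /* code believing it reads A gets B: 0x42 */
}

/* HARDENED: generational handles. A handle whose generation no longer
 * matches the slot's is refused instead of silently aliasing new data. */
static handle_t safe_alloc(slab_t *s) {
    handle_t h = { UINT32_MAX, 0 };  /* invalid handle if the slab is full */
    int i = slab_alloc(s);
    if (i >= 0) {
        h.index = (uint32_t)i;
        h.generation = s->slots[i].generation;
    }
    return h;
}

static unsigned char *safe_deref(slab_t *s, handle_t h) {
    if (h.index >= SLOTS) return NULL;
    slot_t *sl = &s->slots[h.index];
    if (!sl->in_use || sl->generation != h.generation) return NULL; /* stale */
    return sl->data;
}

/* Same sequence as the vulnerable version. Returns -1 when the stale
 * access is caught (the expected outcome), -2 if allocation failed. */
static int fixed_read_after_free(slab_t *s) {
    handle_t a = safe_alloc(s);
    unsigned char *pa = safe_deref(s, a);
    if (!pa) return -2;
    pa[0] = 0x41;
    slab_free(s, a.index);
    handle_t b = safe_alloc(s);
    unsigned char *pb = safe_deref(s, b);
    if (!pb) return -2;
    pb[0] = 0x42;
    unsigned char *stale = safe_deref(s, a);   /* generation 0 != 1 -> NULL */
    return stale ? stale[0] : -1;
}

int main(void) {
    slab_t s;
    slab_init(&s);
    printf("vulnerable read through dangling index: 0x%02x\n",
           vuln_read_after_free(&s));
    slab_init(&s);
    printf("hardened read through stale handle:     %d\n",
           fixed_read_after_free(&s));
    return 0;
}
```

Any C99 compiler will build it; the vulnerable path returns 0x42 (object B's tag read through a reference that was supposed to mean object A) and the hardened path returns -1. In a real heap the reused memory holds a different type, often with attacker-chosen contents, which is what turns a read or write through the dangling reference into something exploitable; a generation check is one of several mitigations (alongside quarantining and poisoning freed memory) that aim to make that reuse detectable or unreliable rather than silent.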

          1. Peter Gathercole Silver badge

            Re: Oh Adobe... @Chris 155

            "Flash was first..."

            First, unless you count RealPlayer, or possibly xanim.

          2. Fibbles

            Re: Oh Adobe...

            Every attempt at a replacement has failed to date, including the idea that HTML 5 will kill it, as if YouTube videos were the only reason anyone ever used flash.

            I wiped one of my home computers at the start of the year and didn't bother to install flash on it (the Linux version is old and only receives security updates anyway). Most websites have thankfully left behind the days of Flash based menus and I've never been fussed about Flash games so videos are the only things that really concern me.

            It seems I can get by without Flash for the most part but there are some annoyances. The max res Youtube videos seem to offer is 720p. iPlayer refuses to work without Flash (despite the fact that get-iplayer will happily let me download mp4s from the BBC servers). Facebook also keeps telling me that I can't view videos without flash, however if I replace 'www.' in the url with 'm.' the video plays perfectly fine.

            Progress is slow but these days I at least feel that I'm not losing access to half the web by foregoing Adobe's plugin.

    2. Tubz Silver badge

      Re: Oh Adobe...

      The browser makers should just put in some code to disable Flash as default, then html5 uptake would accelerate.

      1. Anonymous Coward

        Re: Oh Adobe...

        Most have.

  2. Anonymous Coward

    ORLY?

    Adobe just needs to recall the entire enchilada and call it quits with this c4rp. How many flaws in how many years?? How far behind is m$? [SMH]

  3. Shadow Systems

    And folks wonder why I ripped it out years ago?

    Back when I could see to use it, I realized it was such a security cluster fuck that I utilized any means possible to mitigate it from running unless and until *I* wanted it to run. Once I went blind, there was *zero* reason to use it since I couldn't see anything it had to offer. So I uninstalled it, enabled HTML5 for YouTube (I like listening to music & Foamy the Angry Squirrel), and have never looked back.

    It's a security nightmare, offers nothing sufficient to justify its use, and isn't worth the "Oh hey look! A Zero Day Exploit given to us on the Fifth? Let's get around to patching that sometime ten days from now!" stupidity.

    If Adobe doesn't Give A Fuck about the security of its users to patch it faster than this, then WHY are any of you using it at all?

    Rip that bastard out by the roots, weld shut that security backdoor, and reduce the number of anti-migraine pills you have to consume like Pez!

    1. Anonymous Coward

      Re: And folks wonder why I ripped it out years ago?

      I also had it banned from all our websites (on account of not wanting to be part of the problem). It's actually a fun way to select bids for design - the word "Flash" means you're out in just that - a flash.

      Bonus advantage: it stops stupid ads from appearing.

    2. Anonymous Coward

      Re: And folks wonder why I ripped it out years ago?

      Oh well, if only VMware didn't use Flash for its vSphere vCenter 5.5 admin tool... or other web applications as well whenever they needed some flashy displays...

      You're lucky your only worries are YouTube.

      1. Shadow Systems

        @LDS, re: Flash.

        Any vendor that uses Adobe Flash for their UI or any control subsystem is instantly given a copy of the Americans with Disabilities Act or the (DDA?) rules about Accessibility, a note that Flash *isn't*, and told to go fix it if they want our business.

        VMware may be a monolith, but David slew Goliath with a mere rock. (I like to pull the pin on a HE Frag Grenade, drop it down their pants, & wedge the pin up their nose. The looks on their faces are priceless... or so I'm told.)

        *Cough*

        Seriously, if a company, ANY company, uses Adobe Flash as part of the UI or Control subsystems then they obviously don't know shit about Real Programming. If your idea of coding involves reliance on a product that's had more zero day exploits than a frisky crack whore has had tricks, then what's that say about your company?

      2. Anonymous Coward

        Re: And folks wonder why I ripped it out years ago?

        And UniSphere from EMC

    3. Charlie Clark Silver badge
      Stop

      Re: And folks wonder why I ripped it out years ago?

      And aren't you the clever one?

      While I am actually impressed by the speed at which Adobe is releasing patches for these bugs – faster than, say, Microsoft or Apple for similar issues – I'm not defending them. But the root cause for our vulnerability is a dependence upon browser plugins for features that browsers don't have but that we users want.

      1. Anonymous Coward

        Re:features ... that we users want.

        "features that browsers don't have but that we users want."

        OK, I'll start.

        I can't think of any Flash-only features that I want.

        And that's based on

        1) Flash discrimination against those with limited sight (it's the law, not just in the USA)

        2) Flash features that I need (there aren't any)

        i.e. before taking into account all the risks that come with Flash.

        I can think of lots of Flash-dependent websites that need fixing.

        Anyone else got anything they *need* from Flash ?

    4. Andy Gates

      You lucky bastard

      You lucky, lucky bastard.

      Critical stuff in Flash. So despite eye-rolling and memos when the decision was made to buy the critical stuff that uses Flash, we're still committed. I need a drink.

      1. AbelSoul
  4. Anonymous Coward

    Insecure by design ...

    ... at the behest of the TLAs.

    1. Anonymous Coward

      Re: Insecure by design ...

      Don't they have MSFT for that?

      1. Anonymous Coward

        Re: Insecure by design ...

        No but they have Java.

    2. Anonymous Coward

      Re: Insecure by design ...

      IMHO there was never a need to pick up the phone.

      Just get for the source and hack.

      1. Anonymous Coward

        Re: Insecure by design ...

        True enough, but a quick phone call (or more probably "letter") would save a hell of a lot of time and money spent in sifting spaghetti. Time and money that could otherwise be spent on hollowing out mountains in Utah or hacking Angela Merkel's mobe or suchlike.

  5. tony2heads

    Question

    Does this apply to Google's Pepper flash player too?

    1. Paul Crawford Silver badge

      Re: Question

      Most probably, in fact almost certainly. But the earlier one was largely mitigated by Chrome's sandboxing. Not that sandbox technology is anywhere near infallible, of course...

  6. Anonymous Coward

    lil bird told me

    That even p0rn sites don't use Flash-only for vids all that much any more :)

    Makes sense if the apple fondleslabbers couldn't get in on the action otherwise.

    For sites that still flash their privates, dya think surfing shady websites with a known infection vector a good idea? LOL

    Totally hearsay guv.

  7. Anonymous Coward

    So frustrating

    There are several machines at our site that need to keep Flash. It's needed for O2 Business, WorldPay credit card accounts and also some HR software. There is no way we can get rid of it yet, just need to keep those machines as locked down as possible.

    1. Anonymous Coward

      Re: So frustrating

      "as locked down as possible."

      Qubes.

      ..or at least some clunkier, less elegant VM based sandboxing approach?

    2. Roland6 Silver badge

      Re: So frustrating

      Well it is definitely frustrating that only half the story is being publicised.

      From what I can gather from two websites:

      Existing (Windows) users of Malwarebytes Anti-Exploit are protected from (i.e. no update required):

      CVE-2015-5119 - Fixed in Flash version 18.0.0.203.

      CVE-2015-5122 - Flash v18.0.0.203 is vulnerable

      They've yet to report on CVE-2015-5123, which has distinct differences to the above and so it would not be wise to assume anything.

      Users of Trend Micro's Browser Exploit Prevention feature in the Endpoint Security component of their Smart Protection Suite, are protected from:

      CVE-2015-5119

      CVE-2015-5123

      With CVE-2015-5122, Trend Micro advise users to disable Flash.

      Whilst it seems neither of these products presently totally secures a system against all three (although both will run happily on a W7 system), we do have here clear evidence for the value of these browser monitoring/hardening tools.

      So if you need Flash, there are good third-party tools out there that will help you to increase the security of systems you lock down.

  8. Anonymous Coward

    Should have done it a long time ago, but flash now disabled on all browsers.

    Why is the BBC still using flash what with spending 174m per month on their online activities?

    1. Anonymous Coward

      The BBC is a TLA

    2. Ken Hagan Gold badge

      "Why is the BBC still using flash ... ?"

      ...because Murdoch hasn't figured out he can run a smear campaign based on the fact that the BBC site is "forcing" the use of a known malware vector.

    3. Anonymous Coward

      Why is the BBC still using flash when their own accessibility guidelines state they should use an alternative where possible? "But it isn't possible". "So why does changing my user agent to an iPad one suddenly make all the BBC website videos playable then?"

      1. Anonymous Coward

        BankOfAmerica needs flash to login!

        I have to allow flash for BofA every time I login.

        1. Bob Dole (tm)

          Re: BankOfAmerica needs flash to login!

          >>BankOfAmerica needs flash to login! I have to allow flash for BofA every time I login.

          I found a really neat trick for that: change banks.

          1. Anonymous Coward

            Re: BankOfAmerica needs flash to login!

            > I found a really neat trick for that: change banks.

            Ditto!

            Instantly solved a host of other problems too.

            https://client.schwab.com/Login/AccountOpen/GAOLaunch.aspx?application_type=S3

  9. Thought About IT

    Enable click to play?

    "Everyone with Flash installed should remove or disable the software until the critical security bug is patched, or at least enable "click to play" in their browsers"

    How does one enable click to play?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Enable click to play?

      If you have Chrome: Open Settings -> click on Advanced Settings -> click on the Content settings button -> scroll to the Plugins section -> Select "Let me choose when to run plugin content" -> click on Done -> Close the tab and restart the browser just to make sure.

      If you have Firefox: follow these instructions.

      All other browsers: reconsider your life choices.

      C.

      1. Anonymous Coward

        Re: Enable click to play?

        Room for this info in the article bootnotes C? Or perhaps as a new subtitle on the masthead? Methinks a bit more prominence would be a really useful service to quite a few among the not-so-commentarded.

      2. arrbee

        Re: Enable click to play?

        Would that be similar to "Enable plugins only on demand" ? Had that set 5 years ago.

      3. JoshOvki

        Re: Enable click to play?

        Don't you consider it a bit silly for The Reg staff to be giving instructions on how to disable flash, when some of the adverts use flash?

  10. Anonymous Coward

    Flash - brought to you by the NSA

    Making breaking into your private life easier since the dawn of the internet

    1. Ilgaz

      Re: Flash - brought to you by the NSA

      I bet NSA people are holding urgent meetings with Adobe right now.

      Remember, even Obama has Flash installed and vulnerable.

  11. This post has been deleted by its author

  12. Anonymous Coward

    Meanwhile...

    In a just and equitable world, and given what happened to Gary McKinnon, how many years should the management and staff of Hacking Team be going down for?

    All criminals exploit vulnerabilities, the fact that they are there doesn't stop them being criminals.

    1. Anonymous Coward

      Re: Meanwhile...

      something ceases to be recognised as a crime once it makes enough profit.

      1. Anonymous Coward

        Re: Meanwhile...

        ..or is useful to The Man.

    2. Ian 55

      Re: Meanwhile...

      How long should Adobe be going down for?

  13. John Tserkezis

    I no longer have to care anymore.

    I had hundreds of dollars invested in two longer term online magazines that were delivered by flash and flash only.

    This last installment of Flash refuses to install into my copy of Firefox (both offline and online installers), so that broke the camel's back. Especially since older versions of Flash will not work.

    So that's it. Any site that requires flash is going to go without me seeing it ever again. Good fucking riddance, and don't let the door hit your arse on the way out.

    1. Shadow Systems

      @John Tserkezis, re: Caring.

      You've brought up another one of my angers/frustrations about the use of Flash. When a site decides to use it as the delivery mechanism for their content, it *deliberately* excludes the Visually Impaired from accessing it at all. Even if the article authors were writing about Accessibility with the intent on as wide a distribution as possible, the fact that none of the buttons let us know what they're for (assuming we can get to them at all), none of the controls let us know what they do (ditto), and the only way we have to "interact" with it is to kill the page/tab/program that spawned it, it makes me want to drag the folks at Adobe out into the parking lot & beat the shit out of them with a very large clue.

      "But it can be made Accessible!"

      Really? And in what percentage of all the instances of Flash content out there, in what electron-microscopically minuscule proportion of those was so much as the tiniest fraction of the beginning of the spark of the inkling of the thought towards Accessibility given? And of those what THREE whole instances, how many of them carried through on it? Oh yeah. NONE. So if the default isn't Accessible out of the box, & the vast majority of the uses of the product are not, then the rare instances of someone having actually gone ahead & activated the Accessibility bits are the exception not the rule. If a car manufacturer claims that their cars "Can go over 200!" but it takes having the engine retuned with the "speed options" enabled, activated, & tweaked to actually WORK, then the claim of 200+ may be technically true, but the average user/driver will never ever ever get their car to go that fast, so it's still BullShit. If you want to claim that Flash is Accessible then make it that way out of the box, not after enabling a zillion hidden options, forcing the content authors to consciously, intentionally build Accessibility into their creations, and making it a major migraine for us to... oh, I dunno... USE THE BLOODY PROGRAM?

      *Cough*

      Anyway, thanks John for pointing that out & giving me another chance to vent my spleen at Adobe. If you give me a second I'll go fetch a squeegee & some towels to clean off the vitriol off your shoes.

      *Sheepish grin*

  14. Bucky 2

    Trustwave

    It's amusing to note that a company that certifies PCI compliance uses Flash for its UI.

  15. jason 7

    How much of Flash...

    is original code compared to patches?

    1. Pascal Monett Silver badge

      By now ?

      Zero.

      And they still manage to fail.

  16. bill 36

    question

    I've searched the web including the forums and read the detailed report about the newly found holes and privilege escalation.

    However, as regards Mint 17 and Firefox it all seems a bit vague especially when the write up includes referencing Kernel32.dll to exploit the code

    It seems to me that this exploit can only crash the Flash player in Mint and not escalate privileges.

    Anyone got the definitive answer or a pointer? Thanks

  17. mike acker

    OTH

    It would be news if Flash went for a week without needing a patch.

  18. Rick Giles
    Joke

    Hurry up!

    Someone make Altimit OS. The world needs it.
