Ongoing Flash Vulnerabilities - SANS Internet Storm Center

Ongoing Flash Vulnerabilities
We got a number readers asking about the ongoing issues with Flash. Adobe released it's regularly monthly update for Flash on Tuesday. With this update, you should be running Flash 19.0.0.207. However, on Wednesday, Adobe published a security bulletin that a new, so far unpatched, vulnerability (CVE-2015-7645) is being exploited. Adobe is currently talking about targeted and limited attacks. Sometime next week, an update to Flash will be released to address this vulnerability. So what should you do and what does this all mean? Next week's patch is unlikely to change the fact that there are a large number of so far unpublished vulnerabilities in Flash. It appears that some groups exploiting these vulnerabilities are able to find these vulnerabilities faster then Adobe is willing to patch them. Even after Adobe releases a patch next week, there will likely be new vulnerabilities that will be used starting as soon as the patch will be released. So really, one more patch wont fundamentally change anything. What should you do? If possible uninstall Flash. If you can not uninstall it, at least make sure that your browser does not automatically launch Flash applets. This "Click to Run" behavior should be enabled for all plugins that support it (e.g. Java). Here are some quick tips on how to enable click-to-run: Firefox: It should be enabled by default. Check the "plugins.click_to_play" setting in about:config to make sure it is enabled. Internet Explorer: Click the gear icon and select "Manage Add-ons". For the Shockwave Flash Object, select "More Information". By default, all sites are approved due to the wildcard "" in the approved site box. Delete it. Google Chrome: In chrome://settings click on "Show advanced settings..." at the bottom fo the page. Click on the "Content Settings" button under "Privacy" and select "Let me choose when to run plugin content" under Plugins. You can also review existing exceptions that you may have set up in the past, and you can disable individual plugins. Safari*: Check the "Security" tab in preferences. Under Plugin Settings you can enabled/disable individual plugins. [1] https://helpx.adobe.com/security/products/flash-player/apsa15-05.html --- Johannes B. Ullrich, Ph.D. STI\|Twitter\|LinkedIn I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022	Johannes 4479 Posts ISC Handler Oct 15th 2015
Thread locked Subscribe	Oct 15th 2015 6 years ago
Another "middle ground" option with Internet Explorer is to enable ActiveX Filtering, which disables ActiveX add-ons by default, Flash Player included. This can be done in the UI (gear icon > Safety) or by Group Policy. When content has been blocked, a blue circle-with-slash shows in the address bar, and can be clicked to temporarily override the filtering for that visit. This works pretty well IRL. People do occasionally forget to look for the symbol when a site doesn't do what they expected. If you're not ready to banish Flash completely, this would be worth a look.	Anonymous
Quote	Oct 16th 2015 6 years ago
The number one problem with Flash Player is that it is everywhere, and as you are stating here this makes it a target! We like to think that standards will remove the need for a third party software, but in the end we will probably see that one standard has multiple implementations - and that many companies will have to respond to vulnerabilites and threats that arise. And they will arise. This could make reponse slower than in the "Flash world" we are now. And it could make our options fewer, today I can choose NOT to install Adobe Flash Player - is the same true when any browser I use offers the full range of multimedia features? We have seen WebRTC security issues, such as information disclosure of computer IP address. I don't think Flash Player is going away anytime soon, so I think we as IT Security Professionals should take the time to read through http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html I believe in community sharing, and would love for people to point me to the "best of breed" in Flash Player deployment strategies. dotBATman. PS: Stepping down from soapbox now. PPS: From Table of Contents Chapter 4 – Administration: This chapter describes a number of ways you can create and place files on the end user's machine to manage features related to security, privacy, use of disk space, and so on. This chapter includes sections on privacy and security settings (mms.cfg) and the global FlashPlayerTrust directory. Chapter 6 – Security considerations: Because it is critical to maintain the security and integrity of your users' computers when installing Flash Player, this chapter provides an overview of security, focusing on those aspects of particular interest to administrators deploying Flash Player. Adobe has developed a number of web pages, white papers, chapters in other books, and TechNotes that address these security issues, as well as others, in more detail. This chapter includes a security overview and discusses security sandboxes for local content, compatibility with previous Flash Player security models, and data loading through different domains. It concludes with a list of additional security resources.	dotBATman 70 Posts
Quote	Oct 16th 2015 6 years ago
You can download uninstaller for all former installed Flash Player versions for Windows here: http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html and find the latest update installers http://www.adobe.com/products/flashplayer/distribution3.html The page still says it's v19.0.0.207 but the *.exe installers are already updated v19.0.0226 not the 1st time Adobe is not able to provide the correct version on this update page	ELBE 13 Posts
Quote	Oct 16th 2015 6 years ago
	ELBE 13 Posts
Quote	Oct 16th 2015 6 years ago
Does anyone know of EMET 5 or Malwarebytes Anti-Exploit will block this attack? I have uninstalled Flash for another reason (And may leave it uninstalled). For those of us that run Sandboxie, there is an issue with an MS update that will BSOD your box if using Firefox+Flash. There are issues with IE and Chrome (built in Flash) as well. They are working on a permanent fix. The beta fix is out as of Last night. More information can be found here: http://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=21911	Tri0x 17 Posts
Quote	Oct 16th 2015 6 years ago
I know removing Flash is the best/recommended way, however when we’ve tried to do this in our environment, we found out Adobe Reader broke/wouldn’t run after uninstalling Flash. Adobe has even a link specifically explaining this: https://helpx.adobe.com/acrobat/11/using/flash-player-needed-acrobat-reader.html So we pushed Flash back on PCs, but still PC's got a message in Reader that it didn't have Flash. We found that Flash NPAPI is the plugin needed to make Reader work, while the non-NPAPI version is what makes Flash play in your IE browser. Anybody else has experienced this issue?	AAInfoSec 51 Posts
Quote	Oct 16th 2015 6 years ago
Quoting ELBE:You can download uninstaller for all former installed Flash Player versions for Windows here: http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html and find the latest update installers http://www.adobe.com/products/flashplayer/distribution3.html The page still says it's v19.0.0.207 but the *.exe installers are already updated v19.0.0226 not the 1st time Adobe is not able to provide the correct version on this update page 19.0.0226 is now available via Adobe's catalog for SCUP, as well.	Jaybone 27 Posts
Quote	Oct 16th 2015 6 years ago
Also as for quick tips for enabling click-to-run, sure the approach works for individual machines, but what about doing this on 500 PC's in the corporate environment? How can this be centrally done/managed? This is just not for the Flash issue, but it's universal for managing settings for all (non-IE) browsers in the enterprise. It's a logistical & administrative nightmare! Any ideas?	AAInfoSec 51 Posts
Quote	Oct 16th 2015 6 years ago
Can this be done through the registry in a GP?	Anonymous
Quote	Oct 16th 2015 6 years ago
The question I get over and over as I push our corporate teams to upgrade Flash yet again is "Will the new version (19) break anything? We just installed (18) last month." There never seems to be good information about what ELSE is changing from version 16->17->18->19, and the desktop team is rightfully worried about having enough time to test and validate the 'new' version. With 15 updates so far this year, keeping up is IMPOSSIBLE. How many companies leave the silent auto-update turned on and just let Flash run it's own course?	Paul 47 Posts
Quote	Oct 16th 2015 6 years ago
FYI, Adobe released the update related to CVE-2015-7645 (and others) today: https://helpx.adobe.com/security/products/flash-player/apsb15-27.html	Ron M 1 Posts
Quote	Oct 16th 2015 6 years ago
Quoting Paul:The question I get over and over as I push our corporate teams to upgrade Flash yet again is "Will the new version (19) break anything? We just installed (18) last month." There never seems to be good information about what ELSE is changing from version 16->17->18->19, and the desktop team is rightfully worried about having enough time to test and validate the 'new' version. With 15 updates so far this year, keeping up is IMPOSSIBLE. How many companies leave the silent auto-update turned on and just let Flash run it's own course? We stopped testing Flash. Now, this is with the caveat that we're not a very large company, under 1500 users, and we don't have anything in house that uses flash. But we haven't found anything that breaks so far when we update.	Anonymous
Quote	Oct 16th 2015 6 years ago
Here is the bulletin for 19.0.0.226. https://helpx.adobe.com/security/products/flash-player/apsb15-27.html Sigh, time to create more confusion with the patch team by rewriting the change requests just submitted for .207 to point to .226...	Paul 47 Posts
Quote	Oct 16th 2015 6 years ago

We got a number readers asking about the ongoing issues with Flash. Adobe released it's regularly monthly update for Flash on Tuesday. With this update, you should be running Flash 19.0.0.207. However, on Wednesday, Adobe published a security bulletin that a new, so far unpatched, vulnerability (CVE-2015-7645) is being exploited. Adobe is currently talking about targeted and limited attacks.

Sometime next week, an update to Flash will be released to address this vulnerability.

So what should you do and what does this all mean?

Next week's patch is unlikely to change the fact that there are a large number of so far unpublished vulnerabilities in Flash. It appears that some groups exploiting these vulnerabilities are able to find these vulnerabilities faster then Adobe is willing to patch them. Even after Adobe releases a patch next week, there will likely be new vulnerabilities that will be used starting as soon as the patch will be released. So really, one more patch wont fundamentally change anything.

What should you do?

If possible uninstall Flash. If you can not uninstall it, at least make sure that your browser does not automatically launch Flash applets. This "Click to Run" behavior should be enabled for all plugins that support it (e.g. Java).

Here are some quick tips on how to enable click-to-run:

Firefox: It should be enabled by default. Check the "plugins.click_to_play" setting in about:config to make sure it is enabled.

Internet Explorer: Click the gear icon and select "Manage Add-ons". For the Shockwave Flash Object, select "More Information". By default, all sites are approved due to the wildcard "*" in the approved site box. Delete it.

Google Chrome: In chrome://settings click on "Show advanced settings..." at the bottom fo the page. Click on the "Content Settings" button under "Privacy" and select "Let me choose when to run plugin content" under Plugins. You can also review existing exceptions that you may have set up in the past, and you can disable individual plugins.

Safari: Check the "Security" tab in preferences. Under Plugin Settings you can enabled/disable individual plugins.

[1] https://helpx.adobe.com/security/products/flash-player/apsa15-05.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

Johannes

4479 Posts
ISC Handler

Oct 15th 2015

Another "middle ground" option with Internet Explorer is to enable ActiveX Filtering, which disables ActiveX add-ons by default, Flash Player included. This can be done in the UI (gear icon > Safety) or by Group Policy. When content has been blocked, a blue circle-with-slash shows in the address bar, and can be clicked to temporarily override the filtering for that visit.

This works pretty well IRL. People do occasionally forget to look for the symbol when a site doesn't do what they expected. If you're not ready to banish Flash completely, this would be worth a look.

Anonymous

The number one problem with Flash Player is that it is everywhere, and as you are stating here this makes it a target!

We like to think that standards will remove the need for a third party software, but in the end we will probably see that one standard has multiple implementations - and that many companies will have to respond to vulnerabilites and threats that arise. And they will arise.

This could make reponse slower than in the "Flash world" we are now. And it could make our options fewer, today I can choose NOT to install Adobe Flash Player - is the same true when any browser I use offers the full range of multimedia features? We have seen WebRTC security issues, such as information disclosure of computer IP address.

I don't think Flash Player is going away anytime soon, so I think we as IT Security Professionals should take the time to read through
http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html

I believe in community sharing, and would love for people to point me to the "best of breed" in Flash Player deployment strategies.

dotBATman.

PS: Stepping down from soapbox now.

PPS: From Table of Contents

Chapter 4 – Administration: This chapter describes a number of ways you can create and place files on the end user's machine to manage features related to security, privacy, use of disk space, and so on. This chapter includes sections on privacy and security settings (mms.cfg) and the global FlashPlayerTrust directory.

Chapter 6 – Security considerations: Because it is critical to maintain the security and integrity of your users' computers when installing Flash Player, this chapter provides an overview of security, focusing on those aspects of particular interest to administrators deploying Flash Player. Adobe has developed a number of web pages, white papers, chapters in other books, and TechNotes that address these security issues, as well as others, in more detail. This chapter includes a security overview and discusses security sandboxes for local content, compatibility with previous Flash Player security models, and data loading through different domains. It concludes with a list of additional security resources.

dotBATman

70 Posts

You can download uninstaller for all former installed Flash Player versions for Windows here:
http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html
and find the latest update installers
http://www.adobe.com/products/flashplayer/distribution3.html
The page still says it's v19.0.0.207 but the *.exe installers are already updated v19.0.0226

not the 1st time Adobe is not able to provide the correct version on this update page

ELBE

13 Posts

ELBE

13 Posts

Does anyone know of EMET 5 or Malwarebytes Anti-Exploit will block this attack?

I have uninstalled Flash for another reason (And may leave it uninstalled).
For those of us that run Sandboxie, there is an issue with an MS update that will BSOD your box if using Firefox+Flash. There are issues with IE and Chrome (built in Flash) as well. They are working on a permanent fix. The beta fix is out as of Last night. More information can be found here: http://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=21911

Tri0x

17 Posts

I know removing Flash is the best/recommended way, however when we’ve tried to do this in our environment, we found out Adobe Reader broke/wouldn’t run after uninstalling Flash. Adobe has even a link specifically explaining this:

https://helpx.adobe.com/acrobat/11/using/flash-player-needed-acrobat-reader.html

So we pushed Flash back on PCs, but still PC's got a message in Reader that it didn't have Flash. We found that Flash NPAPI is the plugin needed to make Reader work, while the non-NPAPI version is what makes Flash play in your IE browser.

Anybody else has experienced this issue?

AAInfoSec

51 Posts

Quoting ELBE:You can download uninstaller for all former installed Flash Player versions for Windows here:
http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html
and find the latest update installers
http://www.adobe.com/products/flashplayer/distribution3.html
The page still says it's v19.0.0.207 but the *.exe installers are already updated v19.0.0226

not the 1st time Adobe is not able to provide the correct version on this update page

19.0.0226 is now available via Adobe's catalog for SCUP, as well.

Jaybone

27 Posts

Also as for quick tips for enabling click-to-run, sure the approach works for individual machines, but what about doing this on 500 PC's in the corporate environment? How can this be centrally done/managed? This is just not for the Flash issue, but it's universal for managing settings for all (non-IE) browsers in the enterprise. It's a logistical & administrative nightmare!
Any ideas?

AAInfoSec

51 Posts

Can this be done through the registry in a GP?

Anonymous

The question I get over and over as I push our corporate teams to upgrade Flash yet again is "Will the new version (19) break anything? We just installed (18) last month."

There never seems to be good information about what ELSE is changing from version 16->17->18->19, and the desktop team is rightfully worried about having enough time to test and validate the 'new' version. With 15 updates so far this year, keeping up is IMPOSSIBLE.

How many companies leave the silent auto-update turned on and just let Flash run it's own course?

Paul

47 Posts

FYI, Adobe released the update related to CVE-2015-7645 (and others) today:
https://helpx.adobe.com/security/products/flash-player/apsb15-27.html

Ron M

1 Posts

Quoting Paul:The question I get over and over as I push our corporate teams to upgrade Flash yet again is "Will the new version (19) break anything? We just installed (18) last month."

There never seems to be good information about what ELSE is changing from version 16->17->18->19, and the desktop team is rightfully worried about having enough time to test and validate the 'new' version. With 15 updates so far this year, keeping up is IMPOSSIBLE.

How many companies leave the silent auto-update turned on and just let Flash run it's own course?

We stopped testing Flash. Now, this is with the caveat that we're not a very large company, under 1500 users, and we don't have anything in house that uses flash. But we haven't found anything that breaks so far when we update.

Anonymous

Here is the bulletin for 19.0.0.226.

https://helpx.adobe.com/security/products/flash-player/apsb15-27.html

Sigh, time to create more confusion with the patch team by rewriting the change requests just submitted for .207 to point to .226...

Paul

47 Posts