Sophos Cloud Optix
Just two days after this month’s Adobe Patch Tuesday, the company published an emergency fix for Flash.
Dubbed APSB16-08, the update didn’t make it out on Tuesday, but it fixes 23 CVE-labelled vulnerabilities, so make sure you don’t miss it if your processes are still geared towards a calendarisable cycle of updates.
The bugs fixed in this release include holes that “could potentially allow an attacker to take control of the affected system.”
In fact, one of the vulnerabilites, denoted CVE-2016-1010, is “being used in limited, targeted attacks,” according to Adobe, and therefore qualifies as more than just a potentially exploitable hole.
We’d love to be able to tell you what sort of cyberattacks were being launched using this new exploit, and how much damage they were able to do, but we aren’t yet sure because no one’s saying.
This sort of “silent period” might seem both frustrating and dangerous – if you think that knowledge is power – but according to Ars Technica, the attacks were spotted by Kaspersky Lab and are being kept quiet for now because they have been reported to law enforcement.
Presuambly, saying too much, too soon, might jeopardise some parts of the investigation.
💡 LEARN MORE: Visit the SophosLabs vulnerability assessment page ►
Vulnerability versus exploit
There’s often a big gap to cross to go from a vulnerability, even one by which you can reliably crash an application, to an exploit, especially a Remote Code Execution exploit (RCE).
An RCE is where you crash an application in such a well-orchestrated fashion that instead of simply being killed off by the operating system, the offending process actually turns control over to you.
Modern-day protections such as DEP (data execution prevention) and ASLR (address space layout randomisation) make remote code execution tricks much harder to figure out.
DEP helps the operating system to treat data (e.g. the untrusted stuff you receive across the network, such as in a web request) differently to code (e.g. the program running locally that processes untrusted data).
In other words, even if you deliberately package up some devious program code inside the data you’re sending from outside, it ought never to be able to run, because the operating system stores it in memory that is flagged as No Execute (NX), also known as Execute Disable (XD).
Of course, DEP doesn’t stop you from deliberately crashing an app so that it tries to run code that is already loaded, such as a handy subroutine that just happens to exist in the program that you are able to crash.
ASLR helps prevent tricks like that by loading programs and their associated system libraries into different locations in memory each time they run.
That way, crooks who try to transfer control, say, to the LoadLibrary() function in the browser’s memory space, will have to guess where their needed code is going to be.
If they guess wrongly, as they almost certainly will if ASLR is in use, then the application will almost certainly crash in an uncontrolled way.
The operating system will then step in, kill the offending process, and avoid an remote code execution.
What to do?
- Patch Flash now if you have it installed, or check that your auto-update has run if you are set up for that.
- Configure Flash in your browser so it asks you first before running.
Better yet, consider uninstalling Flash altogether, at least for a while, and see if you can live without it.
After all, Apple iPhone users have lived without Flash since the iPhone first came out, and you don’t hear them clamouring for Flash support!
Umm, Paul…your statement that “iPhone users have lived without Flash since the iPhone first came out, and you don’t hear them clamouring for Flash support” is not really correct. Lack of Flash support was one of the main reasons for people to start “jailbreaking” their iPhones. Also, it’s the main reason the Puffin Web Browser exists…and roughly 50 other apps that can render Flash content.
The fact that iProducts can still be manipulated to bypass features implemented by the manufacturers (regardless if for security or other reasons) also shows that Apple is nowhere near as “safe” or “secure” as iAholics would like those products to be.
I hear you. But I have met quite a few jailbreakers in my time, including myself, and not one of them did it for Flash, not even as a minor reason, let alone the main reason. (Indeed, not one of them installed Flash after jailbreaking.)
(Also…the Puffin *browser* app doesn’t support Flash, does it? It’s a client-server browser, isn’t it? The rendering is done in the cloud, and it feeds you a view of the what the site looks like, as far as I can see. In other words, it lets you watch Flash videos by rendering them elsewhere and feeding you the video to the browser component via Puffin’s proxy. (If that’s correct, it also means that the owners of Puffin get to keep track of where and what you’re browsing, which seems like a LOT to pay for Flash video 🙂
People still use Flash? Weird.
I know I’m adding *zero* useful content to the discussion but…
Execute Disable
I see an emoticon. It’s my phone smugly disallowing the app I merely wanted to run
XD
I signed up to listen to a MicroSoft webcast on security earlier this week. I clicked on the system check for the webcast, and one of the components required was Flash plug-in Version 10.0. This was listed as a critical component. I decided to login to the webcast using my iPhone instead, but setting the User Agent to iOS on the OS X Safari browser worked too.
Since the webcast allowed questions I asked if they considered the use of Flash a security problem. The answer I got was that they didn’t make use of Flash on their websites. I took this to mean that the person answering wasn’t aware that the webcast required Flash.
I’ve tried to raise the issue with the BBC too. In order to watch content they require Flash (unless you watch on iOS). They even seem to require in order to add new downloadable items to the iPlayer app.
The response I got from the BBC suggests that they’ll get around to replacing it when they find an alternative technology that gives them the features they like in Flash. I suspect this may be to do with content control, but who knows. Maybe the BBC is just slow to change, or unaware of the security issues. Microsoft has no excuse.
Perhaps you could have a word with both of them, Paul.
I’m surprised to hear of a Microsoft website requiring Flash (sure it wasn’t a partner website?), but the BBC is a notable holdout, which is an enormous pity, considering the BBC’s influence.
I e-mailed NPR about their continued use of Flash. Their response was that they are going to HTML5 but that the conversion will not be immediate because of the amount of content.
Telling us to update Flash is fine, but when one uses Chrome and it’s integrated into the browser, it’s not that easy.
You still need to update Flash, regardless of how difficult your own browser choice may have made it. (I don’t use Chrome myself – but I am under the impression that Google pushes out updates involving Flash quickly, as does Microsoft for its Flash-containing browser versions.)
(You could always try calling Google’s tech support line 🙂