It’s like 1998 all over again!
OK, perhaps it would be fairer to say that it’s like 2008 all over again…
…there’s a zero-day security hole in Adobe Flash.
In APSA18-01, Adobe’s first Flash Security Advisory of the year, the company warns:
Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.
To revisit the terminology here:
- CVE-2018-4878 is a placeholder identifier for a security bug, or vulnerability, in Flash.
- The word exploit means there exists a working, booby-trapped file that triggers the vulnerability.
- The use of Office documents as a carrier for the malicious Flash exploit file, plus the use of email to push the malware at your users from outside, means it’s a remote attack.
- An exploit that can trick your computer into running program code sent in from outside without a warning is called an RCE, short for Remote Code Execution, the most dangerous sort of exploit.
- The RCE is dubbed a zero-day because the crooks found and used it first, before a patch was ready, so there were zero days during which you could have been patched proactively.
The good news is that Adobe intends to release a patch next week (the week starting 2018-02-05), rather than waiting until the week after next, when its usual Patch Tuesday (2018-02-13) falls.
The bad news, of course, is that the patch won’t be available until next week, so the vulnerability will remain a zero-day until then.
What to do?
- Uninstall Flash if you don’t need it. The most common “need” we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all.
- Try uninstalling Flash anyway unless you are certain you need it. If anything critical stops working, you can always put it back.
- Grab and install Adobe’s update as soon as you can. If you uninstalled Flash as a precaution, don’t reinstall it until the new version is out.
Note that just turning off Flash in your browser isn’t enough – that prevents Flash files embedded in web pages from rendering inside your browser, but doesn’t remove the Flash playing software from your computer as a whole.
We’re assuming that the crooks chose to embed their booby-trapped Flash file inside an Office document to bypass your browser, where many users have already blocked Flash from playing, or only activate it for specific websites.
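A defensive check for the delivery route described above, as an added example that is not part of the original article or any Adobe or Sophos tooling: it looks inside an Office file for the Shockwave Flash ActiveX class ID and for SWF file signatures. The sample documents and their part names are constructed here, and the signature match is a heuristic that can produce false positives.

```python
import io
import re
import uuid
import zipfile

# Class ID of the Shockwave Flash ActiveX control that Office uses to host Flash.
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
CLSID_TEXT = str(FLASH_CLSID).encode()   # lower-case text form, as seen in XML parts
CLSID_BIN = FLASH_CLSID.bytes_le         # binary GUID layout used inside OLE storages
# SWF signatures (plain, zlib, LZMA) followed by a plausible version byte.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40]")
MAX_MEMBER = 32 * 1024 * 1024            # cap bytes read per part (zip-bomb guard)


def _scan_blob(name, blob):
    hits = []
    if CLSID_TEXT in blob.lower():
        hits.append((name, "Flash ActiveX CLSID (text)"))
    if CLSID_BIN in blob:
        hits.append((name, "Flash ActiveX CLSID (binary)"))
    if SWF_MAGIC.search(blob):
        hits.append((name, "SWF signature"))
    return hits


def find_embedded_flash(data):
    """Return (part, reason) pairs showing why an Office file appears to carry Flash."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return _scan_blob("<raw file>", data)    # legacy .doc/.xls/.ppt or RTF
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                hits += _scan_blob(info.filename, member.read(MAX_MEMBER))
    return hits


def _make_docx(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a harmless document and one with a Flash control reference.
CLEAN = _make_docx({"word/document.xml": b"<w:document>quarterly report</w:document>"})
SUSPECT = _make_docx({
    "word/document.xml": b"<w:document>see attached</w:document>",
    "word/activeX/activeX1.xml": b'<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>',
    "word/activeX/activeX1.bin": b"\x00" * 16 + b"CWS\x20" + b"\x00" * 32,
})
```

Run find_embedded_flash() over the raw bytes of each attachment at the mail gateway or in a quarantine folder; any non-empty result is a reason to hold the file for review.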
7 comments on “Adobe warns of Flash zero-day, patch to come next week”
Edge (yes I use it when I want an entirely unadulterated, off the shelf, and otherwise unmolested browser) has Flash. I suspect it’s hidden well enough not to have to worry. *famous last words*
You can turn off the Flash in Edge by clicking into the three-dots menu, then View advanced settings → Use Adobe Flash Player (default is
thanks for the warning
a request: could Sophos provide a detailed and practical/simple guide for twaks like myself for securing macOS high sierra??
that would be most helpful…simple guide…do 1), do 2) etc
you already help mac users but hey….better safe than sorry.
thanks again Paul
1. Check macOS itself.
Is Adobe Flash (from Adobe itself) installed? Check by going into System Preferences... and looking for a
If it’s there, use Finder to go to Utilities and run the app Adobe Flash Player Installer Manager to remove it.
2. Check Safari.
Is the built-in Adobe Flash activated? Go to
General and look for the Plug-ins section in the left-hand scrolling list.
Adobe Flash Player box to turn it off.
Thanks for the recommendations & help Paul but I meant a general guide to hardening security in macOS High Sierra, a security guide with simple recommendations for the whole system.
Again, thank you.
I play just one game – Farmville 2 which unfortunately needs Flash to run. Is there any way I can protect myself until the update is available without not playing the game – I spend a lot of time stuck in bed so it is my one form of just total escape as don’t watch TV and normally just listen to audiobooks or try and study some courses when up to it and surf FB
Thanks for all the information you share with us I read everything, if not been on FB for a bit I go to your page to catch up on your posts and have learnt so much and pass on to friends and family – they see me as the tech nerd of the family.
Most browsers have a click-to-play mode for Flash that requires you choose at run-time whether a web page can use Flash.
Firefox, for example, makes it easy to turn Flash off (as though it weren’t installed in your browser at all) via the Add-ons menu. So you can leave Flash off until you know you’re about to need it, then enable it when you need it and turn it off afterwards.
Firefox calls these options Never Activate (tell websites it isn’t there), Ask to Activate (also known as click-to-play) and Always Activate (party like it’s 1999).