Homeless in Vancouver

Homeless in Vancouver: Need Adobe Flash Player? It needs to be updated…again

by Stanley Q. Woodvine on July 3rd, 2015 at 11:35 AM
    1 of 4 2 of 4

      Last week, analysts found another big security hole in that dusty piece of Swiss cheese that is the Adobe Flash Player.

      So far, in 2015 alone, Adobe has had to fix 78 bugs in its 19-year-old Player—that’s about three bug fixes every five days!

      The most recent update to the Adobe Flash Player (at least the one released on June 23)  fixes a bug in the way the player handles (or mishandles) video files. Chinese hackers have recently been using this particular Flash Player bug in order to install malicious code on targeted computers and gain control of them.

      Adobe says that the vulnerability has been exploited with systems running Internet Explorer for Windows 7 and Firefox on Windows XP, but that it potentially affects all users of Flash Player.

      Furthermore, pre-written hacks using the bug are turning up in easy-to-use exploit kits.

      Windows, Macintosh and Linux users are therefore advised to make sure that their particular Flash player is updated to the latest version:

      • Adobe Flash Player Desktop Runtime for Windows and Mac: version 18.0.0.194
      • Adobe Flash Player Extended Support for Windows and Mac: version 13.0.0.296
      • Adobe Flash Player for Linux: version 11.2.202.468

      The Flash Player on the vast majority of Windows and Macintosh computers is the Desktop Runtime, though, for updating purposes, Adobe seems to just goes by the version number, not the particular version names.

      The Adobe Flash Player Help page will tell you what version you have installed and if it’s the latest version for the browser and operating system that you are using. This page also links to the download page and to instructions for enabling Flash Player in all the major browsers: Internet Explorer, Firefox, Safari, Chrome, and Opera.

      The basic Adobe Flash Player page will simply tell you the version number of the Flash Player that you have installed and allow you, if need be, to download and install the latest version for your system.

      If you use multiple browsers, Adobe says that you need to perform the check for each browser you have installed on your system.

      Remember: whenever you install the Adobe Flash Player, look for and uncheck any options to install add-on software—like McAffee Security Scan—that Adobe lets piggyback (for a fee) on its normal Flash Player installers.

      The Adobe Flash Player Distribution page allows you to get the exact version you need (if you know what it is) without the “optional” software.

      Aimed at the “we don’ need no stinkin’ updates” crowd

      The computer press has been fairly screaming about this update to the Adobe Flash Player because it’s serious, damn it! And because a lot of computer users (myself included) tend to tune out the constant stream of Flash Player updates.

      The shouting is particularly intended to alert users of browsers that do not automatically update the Flash Player, including pre-Windows 8 Internet Explorer and all versions of Firefox and Firefox forks, such as Pale Moon.

      It’s especially important that the message gets through to users who disable automatic updating of the Flash Player.

      And once again, Windows XP users are in the spotlight because—it’s understood—they need extra coaxing to manually update anything and because, unlike every newer operating system in use today, hacking an XP user’s account guarantees a hacker total administrative control of the computer by default.

      And there are still so darn many Windows XP users—an estimated 250 million—and they’re not all retired people with nothing but pictures of pets and grandkids on their aging tower computers.

      It’s been more than a year since Microsoft officially ended support for XP, but last month the United States Navy signed a USD$9.1 million contract with Microsoft to continue receiving extended support for XP (security patches) for any of its 100,000 computer still running the obsolete operating system as it continues to migrate its systems to a newer Windows platform.

      Reportedly, that contract could extend into 2017 and end up costing U.S. taxpayers $30.8 million.

      Hopefully the City of Vancouver has, at least, finally put Windows XP behind it.

      In March 2014, a month ahead of Microsoft’s deadline for withdrawing technical support to Windows XP, a spokesperson for the City of Vancouver explained to me by email that the city’s information technology department, in consultation with Microsoft, was in “support [of] plans to move towards migration by April 2014″; meaning migrating from Windows XP to Windows 7.

      If you don’t have the Flash Player installed, fine, otherwise…

      If you’ve left Adobe Flash Player set to automatically update itself, or if you have manually allowed an update to proceed within the last week, then your Flash Player isprobably the latest version.

      If you use Chrome as your browser, or Internet Explorer on Windows 8.x, or Safari on Macintosh OS X—or even Windows 10’s new Spartan browser—then the Flash Player should be automatically updated, either with the browser (as with Chrome and Spartan) or the operating system.

      You can force the installation of an available update to Chrome: click the triple bar icon to the right of the address bar, select “About Google” Chrome, click the apply update button, and restart the browser.

      If you’re not sure what version of Flash Player your browser is using, it’s easy to test using the Flash Player Help page.

      The Chinese aren’t phishing for compliments

      This latest Flash Player flaw, designated as CVE-2015-3113, is described as a buffer overflow flaw.

      buffer overflow could be visualized as too much grain (alpanumeric data) being poured into an open top hopper train car (temporary buffer) which then overflows into the adjacent hopper train cars (other buffers).

      Without sufficient safeguards, hackers can apparently exploit such a flaw to inject their own new instructions into a train yard, I mean a program.

      CVE-2015-3113, was discovered by the security company Fireeye, which immediately notified Adobe. On June 23, Fireeye publicly disclosed the CVE-2015-3113 vulnerability to coincide with the release of Adobe’s patch.

      The Adobe security bulletin announcing the patch on June 23 summarized the threat posed by the CVE-2015-3113 vulnerability:

      Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address a critical vulnerability (CVE-2015-3113) that could potentially allow an attacker to take control of the affected system.

      Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.

      Fireeye’s June 23 public disclosure explained that the Flash Player flaw was seen being exploited by a shadowy China-based “threat group” called APT3 (Advanced Persistent Threat 3) in a large phishing campaign targeting computer users in a wide rage of infrastructure industries, including telecommunications, transportation, and construction, as well as aerospace and defence.

      “Phishing” refers to any attempt to steal something from a computer system by using a bait that the computer’s user trusts, in order to “hook” them just like a fish. Typically this bait takes the form of a legitimate-looking email offer and/or web site that is tailored to trick the user into unknowingly downloading and installing malicious software that will facilitate the theft.

      In the case of the APT3 phishing trip, computer users were enticed by legitimate-sounding emails (offering, among other things, refurbished iMacs), into clicking URL links which took them to compromised servers, where they were directed to download an Adobe Flash Player SWF file and an FLV file—both concealing malicious code. This ultimately resulted in custom backdoor software being installed in the victim’s system, which gave the APT3 group complete access to the computer.

      On June 27, only four days after CVE-2015-3113 was publicly announced and patched, it was reported by the French security researcher Kafeine that the Flash Player exploit, CVE-2015-3113, had already turning up as a pre-written module in two so-called exploit kits designed for and sold (or rented) to would-be criminals with little or no programming knowledge.

      Also on June 27, the Magnitude exploit kit was seen successfully exploiting Flash Player, version 18.0.0.160, on Internet Explorer 11 in Windows 7, to drop two instances of the rather nasty Cryptowall Ransomware.

      Between then and yesterday (July 1), the Flash Player bug has been exploited in at least four other easy-to-use exploit kits.

      Things to do, including doing without

      Five years ago it was commonly said that the open standard of HTML5, particularly its <video> element was going to render the proprietary Adobe Flash largely redundant as its core functionality would be built into the web and web browsers. This clearly hasn’t entirely happened.

      The highest-profile example of HTML5 adoption that I know of is YouTube which has strongly moved away from Flash. Today, many YouTube videos will play using HTML5 in supported browsers. You can request the HTML5 player be used if your browser doesn’t use it by default. However, videos not covered by a Creative Commons license can’t be viewed on YouTube in HTML5.

      Whether a person can completely do without the Adobe Flash Player entirely depends on what a person does, or doesn’t do, on the web.

      Brian Krebbs, a noted Internet security person, went a month without Flash and said that he only missed having the Flash Player twice.

      Your experience may vary but if you want to give it a try, Occupy Flash, “the movement to rid the world of the Flash Player plugin” has instructions for uninstalling or disabling the Flash Player in every major browser.

      Click to play might be the way

      If you must use the Flash Player then, you also must also put up with Adobe’s weekly updates. But you don’t have to leave the Player plugin turned on all the time.

      For the latest versions of Firefox for Windows, Macintosh and Linux, click on the Firefox menu items Tools > Add-ons > Plug-ins.

      Change the pull-down option for “Shockwave Flash” from “Always Activate” to “Ask to Activate”.

      Now Flash content on websites will display as a grey or black box with a little building block and the line: “Activate Adobe Flash”.

      HowToGeeks has a page showing how to enable click-to-play in every major web browser: Firefox, Chrome, Internet Explorer, Safari, Opera.

      And, if you are using Windows, you can improve your web security by adding Microsoft’s free Enhanced Mitigation Experience Toolkit 5.1.

      I haven’t installed EMET yet,but I can see that it is has more than a trivial learning curve.

      @%#&! Adobe Flash Player! 

      Stanley Q. Woodvine is a homeless resident of Vancouver who has worked in the past as an illustrator, graphic designer, and writer. Follow Stanley on Twitter at @sqwabb.

      Comments