Flash Player plagued by third zero-day flaw in a month

[Borg 386]

Here we go again.....

Adobe Systems warned users that hackers are exploiting another unpatched vulnerability in Flash Player—the third one in the past month—to infect computers with malware.

There are reports that the vulnerability is being actively exploited in drive-by-download attacks that target systems running Flash Player under Internet Explorer or Mozilla Firefox on Windows 8.1 and below, Adobe said in a security advisory published Monday.

The company plans to release Flash Player updates that will address the flaw later this week.

The vulnerability, which is tracked as CVE-2015-0313 in the Common Vulnerabilities and Exposures database, affects Flash Player on all supported platforms: Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Mac OS X; Adobe Flash Player 13.0.0.264 and earlier 13.x versions; and Adobe Flash Player 11.2.202.440 and earlier versions for Linux.

Flash Player plagued by third zero-day flaw in a month, but updates are coming | PCWorld

 

[Callender]

Again already?

I notice that the article mentions malvertising and ads with flash content. It also mentions "Click to Play"

So for Firefox users:

As for flash content I tend to use this FF add on in Cyberfox 64bit browser (no java enabled or even installed).

Restore Plugins Click To Play Per Element

It enables content only for the chosen element rather than the whole page. In the image shown below - if you click the "Allow Now" button it activates flash for the whole webpage/ website. If you click the green arrow "Activate Adobe Flash" - it's only activated for that element on the page/

There's a similar feature built into the version of Opera that I'm using and it doesn't require an add on to activate it. I can't comment on IE as I don't often use it except to say that I never found a way to selectively enable flash content in IE.

More info on configuration:

http://www.sevenforums.com/browsers...still-works-fine-post2758767.html#post2758767

 

[Tookeri]

First I thought this thread had to be a duplicate of the previous and newly reported Flash zero-day, but unfortunately I was wrong. On the upside, from what I've read the previous zero-day was blocked by both EMET and MBAE, so having one of those installed do make a difference.

Another good thing: I get to test once again how fast/slow Flash's auto-update is

Callender, good advice on Click-to-play. IE has Active-X filtering which works like on/off per site. After you enable Active-X filtering you have to turn if off per site.
You could also go to manage add-ons and doubleclick on Shockwave Flash to see what sites are approved for it to run.

 

[groze]

Unfortunately most movies/shows are in flash. I thought I would ask this over here instead. Can you still use flash in Google chrome? The reason flash is sand boxed in chrome and possibly in chromium as well.

 

[ThrashZone]

I believe in ie it manage add-ons and switch to Show- Run without permissions,
It's a shocking list :shock:

 

[Tookeri]

I have Flash in that list, but I also have Active-X filtering enabled, so you can't trust that list. But I know I can trust the fact that Flash won't start automatically on a new site unless I first approve it.

 

[ThrashZone]

If the wording is correct I doubt active x filtering would matter,
Most would have to also be set in the player options too,
Run without permissions is pretty clear description

 

[Tookeri]

Yes it's a pretty clear..... mistake by MS

 

[ThrashZone]

MS built in flash because users wanted it,
I didn't but other people not able to figure out how to make sure it's 1 downloaded 2 updated 3 enabled to watch their stupid little videos on many websites including youtube.

Got to give the morons what they want

 

[Tookeri]

Found this advice for IE:

Enabling Click-to-Play for Flash in Internet Explorer

Click the gear icon on Internet Explorer’s toolbar and select Manage Add-ons.
Select Toolbars and Extensions, and choose Show All add-ons. Locate the Shockwave Flash Object plugin under Adobe Systems Incorporated. Double-click on it, and then click Remove All Sites to remove the default * (which allows all websites to run Flash).

 

[Callender]

Enabling Click-to-Play for Flash in Internet Explorer

Found this advice for IE:

Enabling Click-to-Play for Flash in Internet Explorer

Click the gear icon on Internet Explorer’s toolbar and select Manage Add-ons.
Select Toolbars and Extensions, and choose Show All add-ons. Locate the Shockwave Flash Object plugin under Adobe Systems Incorporated. Double-click on it, and then click Remove All Sites to remove the default * (which allows all websites to run Flash).

I think that's about the closest you'll get to Click-to-Play per Element for Flash in Internet Explorer. Maybe someone can try it on a page with mixed flash content and see if it works - say a site with an embedded flash video (hosted on an external site) and also containing flash banner ads or other flash content on the same page. Click to play per Element actually only enables flash for the element that's clicked on rather than allowing a whole site or domain.

 

[ThrashZone]

The best way to get to flash settings is to enter from control panel open flash and all of the setting are there
Switch to ask every time,
How to configure your Flash Player settings for maximum privacy and security

 

[Tookeri]

The best way to get to flash settings is to enter from control panel open flash and all of the setting are there
Switch to ask every time,
How to configure your Flash Player settings for maximum privacy and security

Those settings are not really related to what we are discussing here which is how to prevent or allow the entire Flash Player object to load on certain sites and/or part of a site.

The global settings are more about limiting different parts or features in the Flash Player, for example access to your microphone or camera. Those settings are more privacy related compared to exploit related.

 

[ThrashZone]

Darn did you stop reading after the first paragraph or some thing ?
Global storage is further down

 

[Tookeri]

No. Sorry but I don't understand what you mean. I've set all those to ask and never seen a prompt. Ever.

 

[Callender]

Enable per site?

Doesn't that mean enable on a per site (domain) basis?

Here's an example:

Page with two embedded flash videos on the same page. Click on the first one and the second one doesn't load. Using IE allowing flash content for the first one also allows any other scripts on the page to run? Or maybe it doesn't?





Content only loads for the first script if clicked.

 

[Tookeri]

Callender, you're correct! It shouldn't and it isn't called Click-to-play in IE. Unfortunately they described it that way in the blog I copied from. It's allow by domain only in IE. Blame Graham Cluley (and me for copying it)
I never meant I didn't understand or agree with you about this IE "click-to-play" thing. It's ThrashZone's post about the Flash Player settings I don't get how it's related to this.

 

[ThrashZone]

When you don't get a prompt,
Open the setting via the player on the webpage,
Right click and global settings,
It's good to compare the settings but also good to clear all sites/ domains or what ever you want to call the caches of sites,
In all honesty I haven't had flash installed in some time now it's completely unneeded or unwanted by me
Possibly ie11 is different another reason I don't use it either ie10 is good enough for me

 

[Tookeri]

ThrashZone, I still don't see the relation to those settings in preventing Flash Player to load automatically. The article was last updated 2009 and the author mentions several times he's never received a prompt, example: "Personally, I've never encounter a situation where this setting came into play. Your safest bet is to configure the Player to prompt."

Let's leave the discussion here and help out in more important threads instead

 

[ThrashZone]

Actually the ending should be it's best and most secure to not have flash installed at all