Another month, another Adobe Flash security flaw. The following is a full quote from the most excellent SANS NewsBites Vol. 13 Number 29:
--Adobe Warns of Zero-Day Flaw in FlashYou can sign up for the SANS Institute newsletters HERE.
(April 11, 2011)
Adobe has issued a warning of a zero-day vulnerability in Flash Player that is being actively exploited in targeted attacks. The vulnerability can be used to take control of computers or to cause them to crash. The attack is spreading as a Flash (.swf) file embedded in a Microsoft Word (.doc) file that arrives as an attachment. Adobe did not say when a patch will be available.
Internet Storm Center:
[Editor's Note (Ullrich): In the past, I have observed users using Flash games embedded in Excel and Word documents to bypass corporate controls to prevent users from running these games. It may be a good awareness item to note the particular danger of these embedded flash files.]
I've also been reading about computers being PWNed via infected PDFs and Flash embedded in Excel spreadsheets.
My advice continues to be adherence to the Rules of Computing #1 and #2:
1) Make A Backup. Every day. Two of them. One on site. One off site.
2) Verify every file and application you receive or gather off the Internet as LEGITIMATE before you open it. That means doing homework. It's worth it.
Then add to that:
A) Avoidance of automatically running anything embedded in PDFs or Excel or Word or PowerPoint presentations you receive. Make sure YOU are in control of what runs when and where. No automatic anything. Make yourself the boss of your computer. The LUSER Factor remains a large problem for all of us. But we humans have a lot better scrutiny than a brainless computer program.
B) Don't Use Flash! Or at the very least use one of the many great utilities to stop Flash from running until YOU decide you want to run it. Also use utilities that KILL Flash cookies. These utilities include: The Safari Cookies extension. ClickToFlash.The Flashblock add-on for Firefox. The NoScript add-on for Firefox. The FlashFrozen application.
OF INTEREST: I read this week about a new Adobe initiative that will allow combining Flash with PHP in order to create non-Adobe Air apps for smart phones and all iOS devices. My initial response, knowing the poor security of both technologies, is OMFG. But rather than get all FUDed out, let's simply see what happens.
Stay safe. Stay secure. Laugh at the FUD. Enjoy the facts.