Thursday, January 22, 2015

Adobe Flash Zero-Day Exploit ITW
Shut Down Flash Plug-In NOW

Saturday, January 24: Adobe provided yet another NEW update to Flash Player, v16.0.0.296. I'm providing a new article specifically pointing out how to check for it and install it while we wait for Adobe to make it available on their website, the lazy so-and-sos!


All other versions are being exploited in the wild. Get rid of them now. Or just get rid of Flash altogether.

Today Adobe has released a very swift NEW update to Flash Player v16.0.0.287. It patches CVE-2015-0310. At the moment it is unclear whether this is the specific zero-day vulnerability that was reported. I'll keep my ear to the ground as details appear. In the meantime: UPDATE NOW to Adobe Flash Player v16.0.0.287, available here:

Here is Adobe's NEW security bulletin for this update:

Again: Update NOW! In the meantime, please lock down your Macs against Flash security exploits using the information provided below.

~ ~ ~ ~ ~

The recently updated version of the Adobe Flash Player internet plug-in (v16.0.0.257) is being exploited in the wild (ITW). It is important to disable Flash NOW. I discuss some methods below.

Here is an article about the current situation from Dan Goodin at Ars Technica:

Attack for Flash 0day goes live in popular exploit kit
Attack exploiting fully updated Flash installs Bedep botnet.
If you've been meaning to disable Adobe Flash, now might be a good time. Attacks exploiting a critical vulnerability in the latest version of the animation software have been added to a popular exploitation kit, researchers confirmed. Attackers often buy the kits to spare the hassle of writing their own weaponized exploits. . . . 
Adobe officials say only that they're investigating the reports. Until there's a patch, it makes sense to minimize use of Flash when possible. AV software from Malwarebytes and others can also block Angler attacks.

How to disable Adobe Flash Player plug-in:

I. The most direct and permanent way to stop Flash is to trash the Internet plug-in from your OS X system. You'll need to be using administrator privileges. The plug-in will be found here:

~/Library/Internet Plug-Ins/Flash Player.plugin

(You don't have to, but you can also trash flashplayer.xpt, found in the same location.)

After it is removed, you'll need to restart your web browser to remove the plug-in from its memory.
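To confirm whether a Flash plug-in is still installed, and whether it is older than the v16.0.0.296 update mentioned at the top of this post, here is an added example script (not part of the original post and not Adobe's or Apple's code). The function names are hypothetical; checking the system-wide /Library/Internet Plug-Ins folder as well as the per-user one, and reading the CFBundleShortVersionString key from the bundle's Info.plist, are assumptions.

```shell
#!/bin/sh
# Added example: flag Flash Player plug-ins older than the patched build.
PATCHED="16.0.0.296"   # fixed version named in this post's January 24 update

# version_lt A B: succeed when dotted version A is numerically lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# flash_status VERSION: verdict for one version string.
flash_status() {
    if [ -z "$1" ]; then echo "unknown"
    elif version_lt "$1" "$PATCHED"; then echo "vulnerable"
    else echo "patched"
    fi
}

# plugin_version BUNDLE: read the version from the bundle's Info.plist
# (assumes the CFBundleShortVersionString key; prints nothing if unreadable).
plugin_version() {
    /usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" \
        "$1/Contents/Info.plist" 2>/dev/null || true
}

# audit_flash DIR...: print "status version path" for each plug-in found.
audit_flash() {
    for dir in "$@"; do
        bundle="$dir/Flash Player.plugin"
        [ -d "$bundle" ] || continue
        v=$(plugin_version "$bundle")
        echo "$(flash_status "$v") ${v:-?} $bundle"
    done
}

# Per-user folder from the post, plus the system-wide folder (added assumption).
audit_flash "$HOME/Library/Internet Plug-Ins" "/Library/Internet Plug-Ins"
```

No output means no Flash Player.plugin was found in either folder; a line starting with "vulnerable" or "unknown" means the plug-in should be removed or updated.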

II. Some web browsers allow some control over Internet plug-ins. I'll cover Apple's Safari web browser here as an example:

A. In Safari, go to the menu item Safari/Preferences.../Security and note the last checkbox titled "Internet plug-ins:". You can be drastic and simply UNcheck 'Allow Plug-ins' and you're safe. But alternatively, you can click the button "Manage Website Settings..." and work with the "Adobe Flash Player" settings.

B. First click on "Adobe Flash Player" then move over to the right in the window. There you'll see a list of 'Currently Open Websites' using Flash.

   1. If any of these websites are trusted and important to you, use the popup menu to their right and set them to "Ask".

   2. For websites NOT important to you, highlight them one at a time and remove them using the minus sign button at the bottom left of the sub-window.

C. Go to the bottom right of this same window and notice the setting "When visiting other websites:". You can also change its popup menu to "Ask". But the safest setting, until Adobe block this exploit, is 'Block'. That's what I'm using.

D. Click 'Done' in the Security window when finished.

III. There are many Flash blocking add-ons/extensions for web browsers. Here are a few I use:

Safari: ClickToFlash
Firefox: FlashStopper (this works much better with the latest versions of Firefox than Flashblock).
Chromium (and variants thereof): FlashControl.

Be sure to check now whether these add-ons are actually set to 'block' Flash. You don't want them set to 'allow' Flash.

That's a quick summary of how to stop being botted by Flash while this and similar crises are ongoing.

I've got a somewhat busy day on my end today. But when I have time, I'll post more about this situation in 'Updates' at the top of the page.


