Critical Adobe Flash bug under active attack currently has no patch

Red Squirrel

adLOLbe.

I don't understand how a company can suck that much at making software, they have one job! Even Microsoft has gotten better at security.
 

PliotronX

The patch is called uninstalling Flash...
 

TheRyuu

As mentioned in the article EMET[1] is effective at mitigating this vulnerability. I wouldn't be surprised if Chrome mitigates it as well although it's not mentioned so I may be wrong (probably). The article is very generic and no specifics are given so it's hard to say how EMET mitigates it.

[1] https://technet.microsoft.com/en-us/security/jj653751
 

TheRyuu

Well at this point anyone using Flash kinda deserves what they get.
The patch is called uninstalling Flash...
Really? Flash should be classified as malware at this point.

To everyone who says something like this, please do keep in mind that certain legitimate sites still use Flash for certain content such as videos and other things. Although there may be alternative ways to watch videos on certain sites that use Flash (youtube-dl[1] + mpv[2]), the truth is that the overwhelming majority of people are still going to be using the Flash player.

I've said this before but if you have to use Flash I would recommend doing so in Chrome since I believe it to have the most secure implementation (or as secure as you're going to get with Flash). So depending on what your primary browser is I think it's useful to keep Chrome around for at least this use case if it's not your primary browser and you don't often use or need Flash.

[1] https://rg3.github.io/youtube-dl/
[2] https://mpv.io/
 

Yakk

I'm actually not worried about known Flash vulnerabilities; it's the undocumented ones currently being used by hackers that are more worrisome. The ones not in the media yet. At this point I think it's safe to say there should be a good number yet to be announced.
 

TheRyuu

I'm actually not worried about known Flash vulnerabilities; it's the undocumented ones currently being used by hackers that are more worrisome. The ones not in the media yet. At this point I think it's safe to say there should be a good number yet to be announced.

Well I guess that was sort of my point in suggesting Chrome. It even has the added benefit of being able to use the win32k lockdown mitigation in Windows 8+ on plugin processes which AFAIK no other browser does and is the only way to reduce the kernel attack surface on Windows.
 

Chiefcrowe

Well I guess that was sort of my point in suggesting Chrome. It even has the added benefit of being able to use the win32k lockdown mitigation in Windows 8+ on plugin processes which AFAIK no other browser does and is the only way to reduce the kernel attack surface on Windows.

Thanks. Can you explain what win32k lockdown mitigation is when you have a chance?
 

PliotronX

To everyone who says something like this, please do keep in mind that certain legitimate sites still use Flash for certain content such as videos and other things. Although there may be alternative ways to watch videos on certain sites that use Flash (youtube-dl[1] + mpv[2]), the truth is that the overwhelming majority of people are still going to be using the Flash player.

I've said this before but if you have to use Flash I would recommend doing so in Chrome since I believe it to have the most secure implementation (or as secure as you're going to get with Flash). So depending on what your primary browser is I think it's useful to keep Chrome around for at least this use case if it's not your primary browser and you don't often use or need Flash.

[1] https://rg3.github.io/youtube-dl/
[2] https://mpv.io/
All the streaming sites worth a damn have transitioned to HTML5. I know of one unfortunate implementation that was surprising (though not at the same time), the Cisco ISE web interface. I know of no one who is constantly using Flash so it is just a security risk sitting there in the background waiting for compromised malvertising to victimize users with ransomware. It's out of hand so uninstallation is the best advice.
 

TheRyuu

Thanks. Can you explain what win32k lockdown mitigation is when you have a chance?

It allows a process to restrict access to User and GDI system calls[1]. These are often used by exploits because their design and implementation have been (easily) abused by exploits. This mitigation is the only way to reduce the kernel attack surface on Windows (which is why I think it's pretty neat that they're using it now). It is similar to seccomp on Linux, although unlike on Linux where you can specify which system calls you want to use/disable there is no such configuration on Windows, it's just a switch.

You can enable it by adding the following to your Chrome shortcut as launch options:
Code:
--force-fieldtrials="EnableWin32kLockDownMimeTypes/Default/*EnableAppContainer/Enabled/" --enable-win32k-lockdown-mimetypes=* --enable-appcontainer --enable-win32k-renderer-lockdown

You have to force the field trial to default otherwise regardless of what you specify the field trial can disable it (I think this is unintuitive but it's supposedly for testing their rolling out of the feature). Also I added the appcontainer flag as well which may actually get enabled by default at this point (I'm not sure). These features also exist in the chrome://flag page although the field trial settings will still have to be added to the launch options.

I prefer using the launch options since I can just consolidate them in a batch file (although editing a shortcut works too) and sometimes you can't be sure with chrome://flags on whether the flag will stay there (or if it'll even get a flag).

You can also disable some background processes and background networking with the following additional launch options which may aid with privacy:
Code:
--disable-background-networking --dns-prefetch-disable --disable-component-extensions-with-background-pages
This also stops some of the additional processes from getting launched when you start Chrome.

Generic disclaimer that any of these options could break something. Also they may require that you be running the beta or dev versions of the browser. If stability is a concern then you should be safe with the beta version. I also recommend, in addition to these options and good browsing habits, taking a look at running uBlock Origin in (what its Wiki calls) medium mode[2] since I think it has a very low barrier to entry and vastly improves your security/privacy over what filter lists can do.

You can use the latest version of Process Hacker to view the security features enabled for the various Chrome processes. Just right click a running process and go to Properties -> General tab -> hit Details on the mitigation policies (win32k will show up if enabled). You can use the command line to see whether the process is a plugin or renderer process. You can use the Token tab under properties to see whether it has an AppContainer SID and if it does it means it's using an AppContainer for that process. Another way to tell if the win32k lockdown mitigation is being used is by opening the Chrome task manager, right clicking in the white space and enabling GDI and USER handle counts. They will be 0 for both for processes where the flag is enabled and being used.

Edit: Added some info about checking whether these features are being used and a little something about uBlock Origin.

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/hh871472(v=vs.85).aspx (doesn't really explain anything)
[2] https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode
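An added example (not from the post above): a PowerShell script that automates the two checks the post describes, querying each chrome.exe process for the ProcessSystemCallDisablePolicy mitigation via GetProcessMitigationPolicy (the API in link [1]) and reading its GDI/USER handle counts via GetGuiResources, alongside the --type= role parsed from the command line. It assumes Windows 8 or later (where GetProcessMitigationPolicy exists) and that the script runs at an integrity level allowed to open Chrome's sandboxed processes; Get-ChromeLockdownReport is a name chosen here.

```powershell
# Added example: report win32k lockdown state and GDI/USER handle counts per Chrome process.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool GetProcessMitigationPolicy(IntPtr h, int policy, ref uint buf, IntPtr len);
[DllImport("user32.dll")]
public static extern uint GetGuiResources(IntPtr h, uint flags);
"@

$PROCESS_QUERY_INFORMATION     = 0x0400
$ProcessSystemCallDisablePolicy = 4      # PROCESS_MITIGATION_POLICY enum value
$GR_GDIOBJECTS  = 0
$GR_USEROBJECTS = 1

function Get-ChromeLockdownReport {
    # Win32_Process exposes the command line; --type= identifies the role
    # (renderer, ppapi plugin, gpu-process, utility). The browser process has no --type.
    Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" | ForEach-Object {
        $role = if ($_.CommandLine -match '--type=(\S+)') { $Matches[1] } else { 'browser' }
        $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $_.ProcessId)
        if ($h -eq [IntPtr]::Zero) {
            [pscustomobject]@{ PID = $_.ProcessId; Role = $role; Win32kLockdown = 'access denied'; GDI = $null; USER = $null }
            return   # inside ForEach-Object this skips to the next process
        }
        try {
            $flags = [uint32]0
            $ok = [Win32.Native]::GetProcessMitigationPolicy($h, $ProcessSystemCallDisablePolicy, [ref]$flags, [IntPtr]4)
            # Bit 0 of PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY.Flags is DisallowWin32kSystemCalls.
            $locked = if ($ok) { ($flags -band 1) -eq 1 } else { 'query failed' }
            [pscustomobject]@{
                PID            = $_.ProcessId
                Role           = $role
                Win32kLockdown = $locked
                # These should both read 0 for processes where the lockdown is in effect.
                GDI            = [Win32.Native]::GetGuiResources($h, $GR_GDIOBJECTS)
                USER           = [Win32.Native]::GetGuiResources($h, $GR_USEROBJECTS)
            }
        } finally { [void][Win32.Native]::CloseHandle($h) }
    }
}

Get-ChromeLockdownReport | Format-Table -AutoSize
```

A row whose Win32kLockdown is True but whose GDI or USER count is non-zero would indicate the policy was applied after the process had already created such objects, which is worth a second look.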
 

TheRyuu

All the streaming sites worth a damn have transitioned to HTML5. I know of one unfortunate implementation that was surprising (though not at the same time), the Cisco ISE web interface. I know of no one who is constantly using Flash so it is just a security risk sitting there in the background waiting for compromised malvertising to victimize users with ransomware. It's out of hand so uninstallation is the best advice.

This is why we have settings which enable the browser to ask us to run plugin content (I hesitate to call it Click to Play since technically it's not actually Click to Play since that would be vulnerable to scripting). You can still have Flash but only run it when you actually want it to be.
 

KeithP

As mentioned in the article EMET[1] is effective at mitigating this vulnerability. I wouldn't be surprised if Chrome mitigates it as well although it's not mentioned so I may be wrong (probably). The article is very generic and no specifics are given so it's hard to say how EMET mitigates it.

[1] https://technet.microsoft.com/en-us/security/jj653751

Yeah, it is a little frustrating when these exploits are mentioned and there is no indication if simply running as a standard user, as opposed to an admin, is enough to thwart the exploit.

The cynic in me thinks that when an AV software company doesn't talk about this, it is because running as a standard user will stop the exploit, but then you might be less likely to run out and buy their software, so that is left out.

-KeithP
 

Elixer

To everyone who says something like this, please do keep in mind that certain legitimate sites still use Flash for certain content such as videos and other things. Although there may be alternative ways to watch videos on certain sites that use Flash (youtube-dl[1] + mpv[2]), the truth is that the overwhelming majority of people are still going to be using the Flash player.

The only reason those "legitimate" sites still use flash is because it isn't worth it to them to convert.
Now, if all the browsers would turn off, and disable any attempts at installing flash, then those "legitimate" sites would drop flash or die.
That is the kind of incentive they need.

The other big Flash user is ads. That is the #1 attack vector, and again, there is no reason at all for the ad companies to keep allowing the use of Flash ads, except that they are paid to look the other way.
Sure, Google has said they will stop eventually, but that doesn't help the tens or hundreds of thousands of people who got infected this way.
 

VirtualLarry

The other big Flash user is ads. That is the #1 attack vector, and again, there is no reason at all for the ad companies to keep allowing the use of Flash ads, except that they are paid to look the other way.
Sure, Google has said they will stop eventually, but that doesn't help the tens or hundreds of thousands of people who got infected this way.

And to think, MS just recently (last 4 months?) added forced Flash-based ads in Skype.
 

TheRyuu

Yeah, it is a little frustrating when these exploits are mentioned and there is no indication if simply running as a standard user, as opposed to an admin, is enough to thwart the exploit.

The cynic in me thinks that when an AV software company doesn't talk about this, it is because running as a standard user will stop the exploit, but then you might be less likely to run out and buy their software, so that is left out.

-KeithP

It may be one of the ROP mitigations in EMET that's doing it. Either that or EAF+, which are the only things unique to EMET that don't otherwise already exist as standard Windows mitigations (EAF+ would have to be configured though, and I'm pretty sure it's not out of the box for Flash). Running as a standard user is probably not enough because we know that privilege escalation vulnerabilities are a thing, although a UAC bypass is probably easier I suppose.