Monday, October 19, 2015

Quickie: Yet Another Flash Zero Day

Hey everyone!  This will be a quick post, but I wanted to write something about the newest Flash vulnerability that has been a hot topic of discussion this week.  Trend Micro wrote up a short analysis of the vulnerability here, and you can check out the associated CVE here.

I have read a number of posts from people and websites (like this one) that say the best course of action is to uninstall Flash.  This is great advice if you do not visit sites that require Flash.  I always believe that if there is a piece of software installed on your box that you do not need, you should get rid of it.  Each piece of software installed on your box is a potential attack vector.  However, some financial institutions and corporate websites still use Flash, so uninstalling might not be an option for you.  What do you do then?



Obviously, you should always keep up with the latest patches.  Even if you do, this requires the software developer to push a (working) patch out in a timely manner.  Adobe did a pretty good job here since the advisory was released on October 14, 2015, and the patch (version 19.0.0.226) was released on October 16, 2015.  However, since this vulnerability is present in all recent versions of Flash, it is unclear how long this particular vulnerability has been exploited.  Just because it is discovered now does not mean it is a new technique.

In addition to patching as soon as possible, my other piece of advice is to set Flash to manually activate.  This means that you have to click a button to activate Flash.  With this vulnerability, Flash has to execute the malicious SWF (Flash) file, so if it cannot do so, the vulnerability will not be triggered.  When you visit a site that you want to use Flash on (like your banking site), you can selectively enable it for that site.  So how do we do this?

In Firefox and Chrome, it is relatively easy.  In Firefox, type "about:addons" into your address bar, click Plugins, find Flash, and change "Always Activate" to "Ask to Activate."  Then, only activate Flash on sites you trust (like your bank).  You could also disable it, but you will have to restart Firefox every time you enable or disable it.

In Chrome, the process is similar, but you have to remember to activate and deactivate the plugin.  For Chrome, go to "about:plugins" and click the Disable link next to Flash when you are not using it.  When you want to use it, go back to about:plugins and enable it.  Changes take effect immediately.


Internet Explorer is similar to Chrome.  Either disable the plugin or disable ActiveX filtering (since Flash is an ActiveX control in Internet Explorer).  I suggest going the ActiveX filtering route since it is only a few clicks and it is a good idea to keep it enabled unless you have a specific reason to disable it.  If you enable the plugin and keep ActiveX filtering enabled, you have to disable ActiveX filtering to get Flash to work.  If you want to disable the plugin, click the gear icon in the upper right, click Manage Addons, click Flash, then Disable:
To disable ActiveX filtering, click the gear in the upper right, go to Safety, then uncheck ActiveX filtering.  I do not suggest leaving this off permanently however.

Unfortunately, this is not a cure all.  If you are a victim of a man in the middle attack (where a malicious Flash file is inserted into a trusted website), this will not help.  Also, if you forget to disable Flash when you are done visiting a trusted site, you are vulnerable if you visit a site with a malicious Flash file on it.

The bottom line is to be careful with the sites you visit and your Internet browsing habits.  Be careful of the sites you visit, the links you click, and the boxes you click "Yes" on.  While disabling Flash is a good thing to do if you are not using it, being smart about your browsing practices goes a long way.

No comments:

Post a Comment