Adobe Flash Player 18.0.0.203 still vulnerable
Sorry to bring bad news, but Flash Player is still vulnerable. On July 10, 2015 a second zero-day was discovered in the Hacking Team's leaked data.
External links:
- Adobe security advisory APSA15-04: https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
- Malwarebytes Unpacked blog: https://blog.malwarebytes.org/exploits-2/2015/07/new-hacking-team-flash-player-0day-uncovered/
It appears it was already integrated into exploit kits, according to Kafeine from MalwareDontNeedCoffee and Malwarebytes.
Chosen solution
Thank you for the update.
If there's no update available from Adobe that fixes this issue, it's unlikely that the current version of the Flash plugin would be blocked (the Java Deployment Toolkit seems to be a rare exception).
For one's own purposes, limiting use of Flash to trusted sources and "necessary" media is a good idea. You can do that using the click-to-play feature as follows:
Open the Add-ons page using either:
- Ctrl+Shift+a
- "3-bar" menu button (or Tools menu) > Add-ons
In the left column, click Plugins. Look for "Shockwave Flash" and change "Always Activate" to "Ask to Activate".
When you visit a site that wants to use Flash, you should see a notification icon in the address bar and one of the following: a link in a black rectangle in the page, or an infobar sliding down between the toolbar area and the page.
If you do not see an immediate need to run Flash, you can simply ignore the notification.
Unfortunately, because Flash can be embedded from other sites, this is not a complete solution. Even if you trust SiteA, if it is compromised with media from SiteB, the embedded media will play.
You can make the click-to-play feature more granular, rather than trusting all media on a site-by-site basis, using an extension. For example: https://addons.mozilla.org/firefox/addon/click-to-play-per-element/
I notice you linked to an article about Malwarebytes Anti-Exploit, which has a free version that should help protect against this exploit. Have you tried it? Does it affect browser performance much?
https://www.malwarebytes.org/antiexploit/
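Added example (not part of the original reply and not Mozilla's code): a small standard-library Python script that lists every Flash `<object>`/`<embed>` on a page and flags the ones served from an origin other than the page's own. That is exactly the case the reply describes, a trusted SiteA carrying Flash media from SiteB, which site-level click-to-play does not distinguish. The page URL, host names and HTML below are constructed for the example, so it runs offline.

```python
"""Audit a page's Flash embeds and flag those served from a third-party origin.

Added example, not from the forum post or from Mozilla. The page URL, host
names and HTML are constructed; only the standard library is used.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

FLASH_MIME = "application/x-shockwave-flash"
# classid of the Flash ActiveX control, used by older <object> embeds
FLASH_CLASSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"


class FlashEmbedParser(HTMLParser):
    """Collect (tag, url) for every Flash <object> or <embed> on the page."""

    def __init__(self):
        super().__init__()
        self.embeds = []          # (tag, url as written in the page)
        self._object_attrs = None  # attributes of the <object> currently open
        self._object_url = ""

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "embed":
            src = a.get("src", "")
            if a.get("type", "").lower() == FLASH_MIME or src.lower().endswith(".swf"):
                self.embeds.append(("embed", src))
        elif tag == "object":
            self._object_attrs = a
            self._object_url = a.get("data", "")
        elif tag == "param" and self._object_attrs is not None:
            # ActiveX-style embeds carry the SWF in <param name="movie">
            if a.get("name", "").lower() == "movie" and not self._object_url:
                self._object_url = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._object_attrs is not None:
            a = self._object_attrs
            is_flash = (
                a.get("type", "").lower() == FLASH_MIME
                or a.get("classid", "").lower() == FLASH_CLASSID
                or self._object_url.lower().endswith(".swf")
            )
            if is_flash and self._object_url:
                self.embeds.append(("object", self._object_url))
            self._object_attrs = None
            self._object_url = ""


def origin(url):
    """scheme://host[:port] of an absolute URL, the browser's same-origin key."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def third_party_flash(page_url, html):
    """Return sorted (tag, absolute SWF url) pairs whose origin differs from the page's."""
    parser = FlashEmbedParser()
    parser.feed(html)
    page_origin = origin(page_url)
    found = set()
    for tag, url in parser.embeds:
        absolute = urljoin(page_url, url)  # resolves relative and protocol-relative URLs
        if origin(absolute) != page_origin:
            found.add((tag, absolute))
    return sorted(found)


# Constructed sample: a page on SiteA with one local SWF, one ad SWF from SiteB
# and one widget SWF from SiteC. Only the last two should be flagged.
SAMPLE_PAGE_URL = "https://sitea.example/news/"
SAMPLE_HTML = """
<html><body>
<object type="application/x-shockwave-flash" data="/player/local.swf" width="400" height="300">
  <param name="movie" value="/player/local.swf">
</object>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="300" height="250">
  <param name="movie" value="http://ads.siteb.example/banner.swf">
  <embed src="http://ads.siteb.example/banner.swf" type="application/x-shockwave-flash">
</object>
<embed src="//cdn.sitec.example/widget.swf" type="application/x-shockwave-flash">
<img src="http://ads.siteb.example/pixel.gif">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in third_party_flash(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"third-party Flash via <{tag}>: {url}")
```

Run against a saved copy of a page you otherwise trust; any origin it reports is one that per-site click-to-play would run automatically once you allowed the page itself, which is the reason for the per-element extension mentioned above.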
All Replies (3)
Thank you for the prompt response. I was mostly looking for an advised statement rather than real help, considering that this is already the second Adobe Flash zero-day season this year. I always have Flash set to click-to-play. I use NoScript, which supersedes Click to Play per Element. Yes, I am running Malwarebytes Anti-Exploit and it only has a noticeable impact on boot.
It has been mentioned in https://support.mozilla.org/en-US/forums/plug-check-page-discussions/711386#post-65949
Pretty much every version of Flash that has had a critical vulnerability since December has been blocked (https://addons.mozilla.org/firefox/blocked/). So the current plugin-based versions for Windows, Mac OS X and Linux will likely be blocked once Adobe has updates on the Adobe site, like at https://www.adobe.com/products/flashplayer/distribution3.html