+Comment If you patched Adobe's screen door of the internet – its Flash plugin – last week, and thought you were safe, even for a few weeks, you were sadly mistaken.
The Photoshop goliath is warning that yet another programming blunder in its code is being exploited in the wild, and says it won't have a patch ready to deploy until later this week. Buckle up, in other words.
This latest security vulnerability is, as always, triggered when the plugin tries to play a malicious Flash file – allowing hackers to download malware onto PCs and effectively hijack the computers so passwords and more can be stolen.
According to Trend Micro, the Angler exploit kit was updated to leverage this particular flaw, and used to inject malware into PCs visiting web video site dailymotion.com via a dodgy ad network.
Web browsers were told to fetch retilio.com/skillt.swf, which was booby-trapped to exploit the zero-day security hole.
"So far we’ve seen around 3,294 hits related to the exploit, and with an attack already seen in the wild, it’s likely there are other attacks leveraging this zero-day, posing a great risk of system compromise to unprotected systems," said Peter Pi, threats analyst at Trend.
Trend first noticed miscreants exploiting the bug in the wild on January 14. The biz is holding on to the rest of the technical details of the vulnerability until a fix is available, and that's not going to be for a while.
Monday's advisory is very similar to the previous two critical holes discovered in Flash, which were revealed just two weeks ago and also used in the Angler exploit kit. Both have now been patched, but not before they were used to infect ads served on smut site xhamster.com and to slurp the privates of onanistic internet users.
Using compromised ad networks to infiltrate machines is a popular technique, since it takes a layer of human interaction out of malware delivery. Rather than convince someone to download a software nasty as a disguised spreadsheet, porn pic, or an app upgrade, the ad network serves it to the passing browser, which hands it to Flash, and there everything falls over.
"Any time you have an attack vector that's so widely exploited you'll need to minimize its use," Craig Williams, technical leader at Cisco's Talos Security Intelligence and Research Group. "If - in the real world - you can't do without it, then you have to make sure you run it in a particular browser that isn't susceptible," adding he personally uses Chrome – which goes out of its way to sandbox Flash, limiting the plugin's reach if it is compromised.
Flash has been around in one form or another for nearly 20 years, and it's time for those who are still supporting its use to accept the inevitable: it's time to take the software round the back of the shed and shoot it.
In its day, Flash was the kind of product Adobe does so well; like Reader, so handy and straightforward they become near-ubiquitous. Unfortunately that makes them ideal targets for hackers, and Flash has been hit more than most.
Malware spreaders focused on Adobe's software because Microsoft and others started to get a lot better at hardening up their operating systems and bundled programs about a decade ago. Windows, OS X et al are not perfect – just look at Redmond's Patch Tuesday every month, for example – but the situation on that front is better than before.
With so many people browsing through the web, crooks took the easier route of going for popular apps – ultimately exploiting Adobe's inability to secure its software. The biz has touted new security tools for its document portfolio, but Flash security has lagged well behind.
Even if Adobe put its top programmers to work on Flash, a free piece of software, a lot of people around the world are very keen to find exploitable bugs in the plugin so they can break into victims' computers.
Many netizens have recognized that Flash is too old and doddery to be worth the hassle. YouTube finally dumped the technology in favor of HTML5 video. Twitch doesn't need it any more, and neither do Netflix and others.
"The reality is there's a market out there and people are going to exploit it," Williams said. "Java has been a top vector, as has Flash, and now the attackers are moving to Silverlight as well."
The fact is, Flash is just not fit for purpose. It will ruin your month. It will fill your hard drive with raw sewage seeping in from the grotesque underbelly of the internet. It's the Lego brick in your foot when you're feeling your way through a dark kitchen at 3am.
It's not even good for funny animations any more – we have HTML5 and a GIF resurgence for that. If you're still using the plugin, you may as well hang a sign out for hackers reading: "Here's my arse, please kick it. And then empty my bank account."
Uninstall it and see how you get on across the web. If you really need it, go into your browser settings and make it click-to-play. That means Flash files aren't automatically opened on every page, reducing the risk of being owned by a dodgy advert or injected .swf file.
In Chrome, go to Settings, click on the Advanced Settings link, click on Content Settings under Privacy, scroll down to Plugins, select "Click to play" and save. In Safari, open Preferences, go to the Security tab, click on Website settings alongside Internet Plugins, select Adobe Flash, and alongside "When visiting other websites", select "Ask" or "Block". You can whitelist certain sites in the box above.
In Firefox, browse to about:config and click on the "I'll be careful" button, and search for plugins.click_to_play. If it says "false" in the Value column, double click on it to change it to "true". Then restart Firefox.
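To check the Firefox setting across many profiles instead of clicking through about:config on each one, the sketch below (an added example, not part of the original article) parses the text of a profile's prefs.js and user.js and reports whether plugins.click_to_play is set. The profile names and file contents are constructed samples; a pref absent from both files is reported as "unset" because Firefox only writes prefs that differ from its defaults.

```python
import re

# One pref line as Firefox writes it in prefs.js / user.js, for example:
#   user_pref("plugins.click_to_play", true);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
PREF_NAME = "plugins.click_to_play"  # the pref named in the article

def parse_prefs(text):
    """Return {name: raw_value} from prefs.js-style text; the last assignment wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:  # comments and blank lines do not match and are skipped
            prefs[m.group(1)] = m.group(2)
    return prefs

def click_to_play_status(prefs_js, user_js=""):
    """Classify one profile as 'enabled', 'disabled', 'unset' or 'invalid'.

    user.js is applied on top of prefs.js at startup, so it takes precedence.
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    raw = merged.get(PREF_NAME)
    if raw is None:
        return "unset"
    return {"true": "enabled", "false": "disabled"}.get(raw, "invalid")

def profiles_needing_attention(profiles):
    """Return sorted names of profiles where click-to-play is not enabled."""
    return sorted(name for name, (prefs_js, user_js) in profiles.items()
                  if click_to_play_status(prefs_js, user_js) != "enabled")

# Constructed sample profiles (not real data): name -> (prefs.js text, user.js text)
SAMPLE_PROFILES = {
    "alice.default": ('user_pref("plugins.click_to_play", true);\n', ""),
    "bob.default": ('// user_pref("plugins.click_to_play", true);\n'
                    'user_pref("browser.startup.page", 3);\n', ""),
    "carol.default": ('user_pref("plugins.click_to_play", false);\n',
                      'user_pref("plugins.click_to_play", true);\n'),
    "dave.default": ('user_pref("plugins.click_to_play", "true");\n', ""),
    "erin.default": ('user_pref("plugins.click_to_play", false);\n', ""),
}

if __name__ == "__main__":
    for name, (p, u) in sorted(SAMPLE_PROFILES.items()):
        print(name, click_to_play_status(p, u))
```

Profiles reported as "unset" or "invalid" still need a manual look, since the script makes no claim about what the browser's built-in default is.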
And relax. The worst, very worst, part of it all is that Steve Jobs was right. ®