
The roots go deep: Kill Adobe Flash, kill it everywhere, bod says

Even after deletion you can be p0wned by PowerPoint or whipped by Word

Fortinet security researcher Bing Lui has warned users that they can still be p0wned if they only disable Adobe Flash in web browsers.

Lui's warning speaks to advice last week that users dump Flash to bolster security in the wake of the public disclosure of three zero-day vulnerabilities (CVE-2015-5122, CVE-2015-5123, and CVE-2015-5119) as part of the Hacking Team cyber defiling.

He built an exploit against the first of those vulnerabilities to demonstrate how the likely common mistake of removing Flash only from browsers can still leave users open to phishing attacks.

"What all this means, unfortunately, is that disabling the Flash plugin in your browsers isn't a complete solution," Lui said.

"Flash files can not only be embedded in a web page but also in various document formats such as Microsoft Office documents and PDF files.

"Even if you have disabled Flash in your browsers, exploits can still leverage Flash Player vulnerabilities through software like Microsoft Office and Adobe Reader."

Lui demonstrated how exploiting Hacking Team's CVE-2015-5122 proof of concept could pop up the calculator program from within PowerPoint or Reader files.

"There is no need to modify the Flash exploit at all. It works well inside a PPT and PDF document until I uninstall the Flash Player on my computer."
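One defender-side way to triage documents for the embedding Lui describes, as an added example that is not part of this article or of Fortinet's research: a Python script that looks for SWF magic bytes or the Shockwave Flash ActiveX CLSID inside an OOXML package (pptx, docx) and for RichMedia/Flash markers in a PDF. The sample documents it scans are constructed inline; it is a raw-byte indicator check and assumes unfiltered streams, so it will miss Flash hidden in compressed PDF streams.

```python
import io
import re
import zipfile

# Magic bytes of the three SWF container flavours: uncompressed, zlib, LZMA.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Well-known CLSID of the Shockwave Flash ActiveX control, as written in OOXML activeX parts.
FLASH_CLSID = re.compile(rb"D27CDB6E-AE6D-11CF-96B8-444553540000", re.I)
# PDF name objects that signal a RichMedia (Flash) annotation or instance.
PDF_MARKERS = (b"/RichMedia", b"/Subtype /Flash", b"/Subtype/Flash")

def scan_ooxml(data: bytes) -> list[str]:
    """Return the names of parts in an OOXML zip that embed or reference Flash."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            part = zf.read(name)
            if part[:3] in SWF_MAGICS or FLASH_CLSID.search(part):
                hits.append(name)
    return hits

def scan_pdf(data: bytes) -> list[str]:
    """Return the Flash indicators found in a PDF's raw bytes (streams not decoded)."""
    found = [m.decode() for m in PDF_MARKERS if m in data]
    # An unfiltered embedded-file stream would start with the SWF magic right after 'stream'.
    if re.search(rb"stream\r?\n(FWS|CWS|ZWS)", data):
        found.append("embedded SWF stream")
    return found

def build_sample_pptx() -> bytes:
    """Constructed sample: a minimal pptx-like zip with a Flash ActiveX part and a raw SWF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/activeX/activeX1.xml",
                    '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
        zf.writestr("ppt/media/movie1.swf", b"CWS\x0a" + b"\x00" * 8)
    return buf.getvalue()

# Constructed sample: a PDF fragment with a RichMedia annotation and an unfiltered SWF stream.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /RichMedia "
              b"/RichMediaContent 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Subtype /Flash /Length 12 >>\nstream\nFWS\x0a"
              b"\x00\x00\x00\x00\x00\x00\x00\x00\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(scan_ooxml(build_sample_pptx()))
    print(scan_pdf(SAMPLE_PDF))
```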

Such attacks are already underway with a campaign spotted targeting US Government agencies. Those entities could be popped if a targeted staffer had not completely removed Flash.

Users could alternatively run Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which is reported to block the Flash exploits.

The call to dump the oft-ruptured runtime gained renewed momentum after Facebook security head Alex Stamos took to Twitter calling for the platform to be given end-of-life treatment.

That suggestion was soon followed by Mozilla, which announced it was dumping the platform in its Firefox browser. ®
