Fortinet security researcher Bing Lui has warned users that they can still be p0wned if they only disable Adobe Flash in web browsers.
Lui's warning speaks to advice last week that users dump Flash to bolster security in the wake of the public disclosure of three zero day vulnerabilities (CVE-2015-5122. CVE-2015-5123, and CVE-2015-5119 ) as part of the Hacking Team cyber defiling.
He built an exploit against the first vuln in demonstrating how the likely common mistake of uninstalling Flash only from browsers can still leave users open to phishing attacks.
"What all this means, unfortunately, is that disabling the Flash plugin in your browsers isn't a complete solution," Lui said.
"Flash files can not only be embedded in a web page but also in various document formats such as Microsoft Office documents and PDF files.
"Even if you have disabled Flash in your browsers, exploits can still leverage Flash Player vulnerabilities through software like Microsoft Office and Adobe Reader."
Lui demonstrated how exploiting Hacking Team's CVE-2015-5122 proof of concept could pop up the calculator program from within Powerpoint or Reader files.
"There is no need to modify the Flash exploit at all. It works well inside a PPT and PDF document until I uninstall the Flash Player on my computer."
Such attacks are already underway with a campaign spotted targeting US Government agencies. Those entities could be popped if a targeted staffer had not completely removed Flash.
Users could alternatively run Microsoft's Enhanced Mitigation Experience Toolkit (EMET) which is reported to block the Flash exploits.
The call to dump the oft-ruptured runtime gained renewed momentum after Facebook security head Alex Stamos leads the Flash killer vanguard took to Twitter calling for the platform to be given end-of-life treatment.
That suggestion was soon followed by Mozilla, which announced it was dumping the platform in its FireFox browser. ®