
Flash 0-day exploit - bpierre
https://lists.immunityinc.com/pipermail/dailydave/2011-December/000402.html
======
MHBerryman
I find it amazing that browsers do not block Flash from running by default.
I've posted the Chrome help page[1] that shows how to block and selectively
unblock plugins to my Facebook/Twitter, as I really don't want to return home
for the holidays to have lots of repair requests.

[1] http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064

~~~
noduerme
I find chrome and ff are much more often dead-crashed by a single line of
Javascript than tons of flash. Firefox even re-crashes when you open it again
in many cases, without letting you prevent reloading of the offending
Javascript.

~~~
IChrisI
If Firefox crashes when you restart it, the next time it starts it lets you
choose which tabs to re-open. This solves the problem of something repeatedly
crashing it.

------
trotsky
At least VUPEN restricts who they sell to. "Step Ahead" sounds like they've
dropped even the pretense of being for pen testers.

~~~
dsl
I think you mean Intevydis, "Step Ahead" is the name of the product.

Immunity makes the framework all these exploit packs plug into and acts as the
primary sales channel for them. They do a pretty good job of keeping the
undesirables out, but like any other desirable software product copies do have
a tendency to grow legs and follow employees home.

~~~
trotsky
No, I meant the product line - you don't get this bug in their "pro" version,
only "step ahead" - step ahead of the vendors presumably.

It seems hard to believe that private 0-days are legitimate pentesting
apparatus - what are you testing in this case, whether your enterprise runs
software that someone might find a bug in in the future?

As far as I understand it canvas/Immunity is firmly in the offensive security
market anyway, aren't they actively part of the scene that derides "killing
bugs" aka reporting security bugs to software vendors (for any price)?

I'm sure this bug hasn't been reported to Adobe, all they'd be doing is
closing their marketing window.

------
missing_cipher
I'm expecting Chrome/Google to patch this vulnerability before Adobe does.

~~~
trotsky
Google has a source license for Flash - they just get the fixes from Adobe
before they've passed QA in all of their products. Google doesn't actually
develop their own fixes in these cases - they just ship them faster.

------
ck2
I don't understand - doesn't the security community usually give the vendors a
heads-up before they announce?

Did Adobe just ignore them?

How does the 11.2 beta fare against the exploit?

http://labs.adobe.com/technologies/flashplatformruntimes/flashplayer11-2/

------
joeybaker
about:plugins in chrome to disable flash.

~~~
piggity
Good tip

I had a surprising number of random players installed too, e.g. Silverlight,
which was requiring a critical update, amongst other plugins that I never even
use any more.

------
x5315
In the video he says that he's using the latest version of IE, but it's IE8.

I'm not sure it'll make a difference, but maybe it could.

~~~
dedward
Presumably it is Win XP? IE9 doesn't go there.

------
codecaine
one word: Flashblock

~~~
there
flashblock is not good at blocking flash from a security standpoint. with it
enabled, visit <http://lcamtuf.coredump.cx/html5object/> and you'll probably
see at least one flash animation start.

http://lcamtuf.blogspot.com/2011/03/warning-object-and-embed-are-inherently.html

~~~
Natsu
Maybe flashblock isn't good enough, but when combined with noscript, it didn't
let anything on that page slip through.

~~~
there
noscript natively supports blocking embedded things with a click-to-activate
interface, so if you're using noscript there's no need for flashblock.

~~~
bobds
The thing I like about NoScript is that you can set it to block everything,
even on trusted sites. You have to click the placeholder to make it load, or
if there isn't a placeholder (web fonts, hidden flash embeds) you have to look
at the Blocked menu.

------
unabridged
and this is why I don't have flash installed

~~~
wladimir
This was also the last straw for me. It's just not worth the risk anymore of
the extra attack surface it exposes. I've uninstalled flash from all my
machines and disabled it in chrome.

