
Hackers Exploit 'Flash' Vulnerability in Yahoo Ads - dankohn1
http://bits.blogs.nytimes.com//2015/08/03/hackers-exploit-flash-vulnerability-in-yahoo-ads/
======
Renaud
I've removed Flash entirely from my computers. I was afraid that it would
degrade my experience, but I'm barely missing it.

Sure there are a few sites that insist on using flash for video or some old
games, but I'm ok with that sacrifice.

Flash has been a tool of evil for too long: either storing permanent cookies
for tracking or as a tool to exploit vulnerabilities in itself or its host.

There is nothing on the web today that should require flash. Using it for
adverts is especially egregious considering that it remains a major vector of
attack despite all attempts at fixing it.

~~~
georgerobinson
I don't know if you use Google Chrome, but Adobe Flash Player is sandboxed in
Chrome as a Native Client module.

All interaction between a Native Client module, the host process, and the host
operating system must be mediated via the PPAPI (Pepper API). Native
Client has a set of rules which are enforced via the validator to ensure that
untrusted code (that is, Adobe Flash itself) cannot jump, load or store to
addresses outside the sandbox. More information on how Native Client does
this can be found in the links below.

Note: you should be familiar with the x86 and x86-64 instruction set for it to
make much sense.

Nevertheless, here is some more information:

[1] [https://support.google.com/chrome/answer/108086?hl=en-GB](https://support.google.com/chrome/answer/108086?hl=en-GB)

[2]
[http://www.eecs.harvard.edu/~greg/cs255sp2004/wahbe93efficie...](http://www.eecs.harvard.edu/~greg/cs255sp2004/wahbe93efficient.pdf)

[3]
[http://static.googleusercontent.com/media/research.google.co...](http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/34913.pdf)

[4]
[http://static.googleusercontent.com/media/research.google.co...](http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/35649.pdf)

~~~
justizin
> I don't know if you use Google Chrome, but Adobe Flash Player in sandboxed
> in Chrome as a Native Client module.

That is, indeed, smart, but I stopped using Chrome on the basis that I don't
want to use a browser that is developed by a company whose customers are
advertisers and for whom I am the product. :/ I was an early Chrome adopter and
I saw the tide turning a way I didn't like.

I've actually been pretty happy with Safari and ClickToFlash plugin of late,
I'm not as worried about sandboxing it when I only use it in a couple of
places behind AdBlockPlus.

~~~
georgerobinson
I don't use Chrome either. I like Firefox - even if it is less secure (in
principle) than Chrome (no process separation between domains or sandboxing of
plugins).

The reason Native Client exists extends well beyond Adobe Flash Player. Native
Client exists to enable your browser to run native code from any website
(think compiled C and C++ code) without it being able to compromise the
security of your machine.

------
aikah
> While Yahoo acknowledged the attack, the company said that it was not nearly
> as big as Malwarebytes had portrayed it to be.

Prove it, give us the numbers

> “The majority of attacks we are seeing are exploiting software installations
> that are not up-to-date on the latest security updates,” said Wiebke Lips, a
> spokeswoman for Adobe.

Then your plugin should stop working by itself when a new version is
available, that's how you force users to update if you are a responsible
vendor. But of course you don't do that.

I like Flash as a creative tool, but clearly people should stop using it on
the web, and browsers should ban it like they banned Java on the web. It's just
too dangerous and vendors often wash their hands of any consequences.
Hopefully the Flash IDE can work with WebAssembly and give up the plugin. If
Adobe doesn't do that, someone else will and Flash will be buried for good.

~~~
eli
> Then your plugin should stop working by itself when a new version is
> available, that's how you force users to update if you are a responsible
> vendor

That's an interesting idea. Is it practical? I think you'd need to run some
flash code first to determine the flash version before loading the ad code...
I suspect it would take too long.

~~~
TeMPOraL
That's an excellent way to piss off your users. I can forgive it in case of a
legitimate 0-day floating around, but come on - sometimes the user doesn't
want to, or _can't_, upgrade (e.g. running without installation privileges,
common at universities and in corporate environments).

I like the way Firefox approaches it - it disables the outdated Flash plugin
and in place of Flash content it renders boxes that say why the plugin was
turned off and give option to manually enable it if I'm really, really sure.
It's annoying enough to force people to update while still giving you an
option to run the old version if you absolutely have to.

~~~
Karunamon
Yeah, this. The amount of pure rage inside my department directed at Java
because of their boneheaded security stuff is enough to power a small city.

Okay, so open up the management interface for my SAN. Yes, I want to allow
Java to run. Yes, I know it's not signed*. No, I don't care.

Okay, now I have to go add the domain to an obscure control panel because a
freakin' popup is too much to ask.

Now I go reload the page, yes I want to run the plugin, no I don't care that
it's unsigned, yes I know that this may hose my computer, _yes_ I want to load
the damned applet already.

Combine that with the fact that the Java web plugin sandbox and all this
security appears to be trivially bypassed, and I wish they'd screw off with
the multiple confirmation prompts and let me just control it with the browser.

* The number of times I've cared about the code signing status of any application in the last decade can be counted on one hand.

------
teaneedz
One more reason advertisers and publishers need to stop blaming visitors for
rising ad blocking usage. Until they come to grips with security and good UX,
their arguments of lost revenue continue to fall on deaf ears.

------
nobody_nowhere
Ad networks have been used to distribute malware for years.

When you're an ad sales guy and get a call from a new, big-spending client
with no performance goals, it's hard to say no.

And attackers even exploit ad servers directly. We had a client whose OpenX
credentials were compromised, and the attacker was able to directly modify the
(otherwise legit) ad tags in the database. They turned the exploit code on and
off in the ad tags of legit clients to avoid detection.

We had an outside security technology co scanning the tags who picked that
particular hack up pretty quickly, but not everyone does...

~~~
Renaud
And this should be reason enough to block all ads that require code to run in
the browser, in one form or another.

------
stevenh
The bare minimum any ad network should be doing before allowing an advertiser
to use a Flash .swf file on their network (or even custom HTML/JS for that
matter) is to whitelist certain functions and elements. They need to
automatically decompile the .swf for analysis upon upload and reject it if it
contains any ActionScript commands that aren't specifically whitelisted.

There is no reason for a Flash file on an ad network to be permitted to use
any functions other than those necessary for basic animation, mouse/touch
interaction handlers, and a navigateToURL call. The same principle applies to
custom HTML/JS. Otherwise the advertiser might as well toss a bitcoin miner
into their scripts; it's not like Yahoo is stopping them.

By not implementing the bare minimum of incredibly obvious basic precautions
for handling mysterious executable content before spraying it indiscriminately
across the entire web, Yahoo's incompetence borders on malice and in my mind
that makes them complicit in these crimes.

~~~
simonw
Do you know if any ad networks actually manage to do this?

This strikes me as an extremely hard problem. ActionScript supports an eval()
function, which should make static analysis almost impossible - how can you
tell if someone is compiling together an evil string (that calls functions you
have banned) and then passing that string to eval()?

~~~
jdangu
We (ClarityAd) do this for major ad platforms. We use a mix of static and
dynamic analysis to assess risk. We've been able to detect and stop major
exploit kit campaigns over the last few months. Ads have specific expected
behaviors and their SWFs are not supposed to generate code dynamically.
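
A tag-level first pass of the check stevenh proposes and jdangu describes, added here as an example (not ClarityAd's or any ad network's code): it parses the SWF container, inflates CWS files, and reports the script-bearing tags, which is where an ActionScript allowlist would have to look next. It does not inspect the ABC bytecode itself; the tag codes and header layout are from the published SWF file format specification, and the sample SWF bytes are constructed inline.

```python
import struct
import zlib

# Script-bearing tag codes from the SWF spec; everything else is treated as non-script here.
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}


def swf_body(data):
    """Return the uncompressed bytes that follow the 8-byte SWF header."""
    sig, length = data[:3], struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])      # zlib-compressed body
    else:
        raise ValueError("unsupported signature %r" % sig)  # e.g. ZWS (LZMA) not handled
    if len(body) + 8 != length:               # header states the uncompressed length
        raise ValueError("header length %d does not match body" % length)
    return body


def iter_tags(body):
    """Yield (code, payload) for each tag after the RECT, frame rate and frame count."""
    nbits = body[0] >> 3                       # RECT: 5-bit Nbits, then 4*Nbits bits
    pos = (5 + 4 * nbits + 7) // 8 + 4         # round RECT up to bytes, skip two UI16s
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:                     # long form: explicit UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + length > len(body):           # malformed upload: reject rather than guess
            raise ValueError("tag %d overruns the file" % code)
        yield code, body[pos:pos + length]
        pos += length


def script_tags(data):
    # Empty result means the upload carries no ActionScript at the container level.
    return [(c, SCRIPT_TAGS[c]) for c, _ in iter_tags(swf_body(data)) if c in SCRIPT_TAGS]


def build_sample_swf(with_script, compress):
    """Constructed sample: empty RECT, 24 fps, one frame, optional DoABC tag."""
    tags = b""
    if with_script:
        payload = b"\x00\x00\x00\x00\x00" + b"constructed-abc"  # flags, empty name, fake ABC
        tags += struct.pack("<H", (82 << 6) | len(payload)) + payload
    tags += struct.pack("<H", 1 << 6) + struct.pack("<H", 0)  # ShowFrame, End
    body = b"\x00" + struct.pack("<HH", 24 << 8, 1) + tags
    prefix = b"CWS\x0a" if compress else b"FWS\x0a"
    return prefix + struct.pack("<I", 8 + len(body)) + (zlib.compress(body) if compress else body)
```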

------
Karunamon
I set the Flash plugin settings in Safari to "When visiting other websites:
Ask" so that it only runs after explicit permission via popup window has been
granted. Two things jumped out at me:

1) How many sites call the flash plugin while doing nothing of any value with
it (tracking and ads are not considered of value). Every time you deny
permission, a line is added in the prefs window with a "block" statement at
the end, and this list is getting quite large...

2) How few websites actually need flash to be useful

Almost nothing of value has been lost.

------
userbinator
Note that there are open-source alternatives to Adobe's official Flash Player:

[https://en.wikipedia.org/wiki/Gnash](https://en.wikipedia.org/wiki/Gnash)

[https://en.wikipedia.org/wiki/Lightspark](https://en.wikipedia.org/wiki/Lightspark)

[https://en.wikipedia.org/wiki/Swfdec](https://en.wikipedia.org/wiki/Swfdec)

They haven't been updated to support the latest features, but could be a good
solution for those wanting to play old Flash games and the like. The chances
that they have the same vulnerabilities as Adobe's implementation are low.

~~~
oddevan
So I'd be able to use these to watch old Homestar Runner cartoons? Sweet.

~~~
coldpie
They're working on it!
[http://www.homestarrunner.com/flashisdead.html](http://www.homestarrunner.com/flashisdead.html)

(Also they've uploaded a good subset of their videos to their official YouTube
channel, but obviously they don't have interactive elements.)

------
billpg
Be careful with using Firefox's click-to-play feature. It's all or nothing.

[https://bugzilla.mozilla.org/show_bug.cgi?id=886792#c41](https://bugzilla.mozilla.org/show_bug.cgi?id=886792#c41)

------
kardos
Those of us running adblockers and/or who have deinstalled flash remain
blissfully unaffected. The ad industry needs to get its shit together.

~~~
justizin
> The ad industry needs to get its shit together.

When I have brought this up at work in ad-driven companies, the numbers I have
seen basically show that the worst ads are the most effective and they don't
give a fuck, and we let them.

And that's why I don't feel one iota bad about running an ad blocker, because
in today's world, it's more effective and important at protecting against
Malware and Identity Theft than anything else.

------
dangerboysteve
I have not run flash on my computers for some time now. If I come across a
site that requires it for content display or playback I go elsewhere. Simple
as that.

If a critical mass of people stop using it then those sites will switch to
something else. And Apple has proved this already.

~~~
justizin
I use a handful of services that still rely on it, but I'm happy with
click-to-activate for them.

------
todd3834
For those that have been saying there is no reason to need Flash: I was
recently surprised to find out that if you want to provide clipboard controls
like the copy button on GitHub next to the repo URL, Flash is the only way I
think you can do that. I think there is a clipboard API in Chrome Canary but
I'm pretty certain it isn't available to the general population yet.

~~~
cpeterso
The HTML5 clipboard API (document.execCommand) is available in Firefox 41,
Chrome 42, and IE9. GitHub uses document.execCommand where available.

[https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommand](https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommand)

~~~
todd3834
I'm using Chrome 44; when I right click the (copy to clipboard) button it
still shows me the Flash dialog.

------
agopaul
I removed it immediately after reading the Hacking Team story and never
looked back.

------
Aoyagi
This is so sad. I like Flash for several reasons and just few days ago I heard
that Adobe is trying to get its potatoes together and that they're working on
security patches hard. Oh well...

~~~
stevenh
The patch for this exploit was released by Adobe a month ago, within 48 hours
of discovery. They always fix such exploits extremely quickly.

~~~
Aoyagi
So the reason "everyone" is complaining about or flat out hating Flash is that
they have security holes to begin with?

------
NelsonMinar
How much responsibility do you think Yahoo deserves for this? Personally I
think they bear the brunt of it, since they're in the best position to prevent
the malware distribution.

------
haddr
I think I will use Flash only inside some disposable VM... I'm getting really
sad when hearing of yet another problem with this increasingly useless plugin...

