
Two more Flash 0-days emerge in Hacking Team leak - danso
http://www.theregister.co.uk/2015/07/12/adobe_flash_zero_day_cve_2015_5122/
======
someguy1233
Important PSA for Skype Users: Open up "Internet Options" (yes, the ones in
internet explorer), security tab, and add
[https://apps.skype.com](https://apps.skype.com) to the "Restricted Sites"
list. Skype will still work fine, however there will be no advertisements.

This is important because Microsoft seems to use a lot of Flash advertisements
without checking them (I've had plenty of "MICROSOFT VERIFIED DRIVER FIXING"
ads come up inside of Skype, so I'm sure some zero day could slip through their
ad system.)

~~~
aptwebapps
Skype on Windows has ads? Is that a recent thing? The Mac version doesn't, or
not yet, anyway.

~~~
brobinson
It's had ads for at least two years now. That was the last time I used it on
Windows.

------
sobkas
I would like to hear what Adobe have to say about their streak of serious
security problems. Not only that, but they should face some consequences for
that neglect. At least be forced to publish a working spec for Flash.

~~~
pjc50
If there were actually a government body that cared about "cyber"-security,
they'd be hauled up in front of it. They're basically an infosec Bhopal -
creating a toxic mess that other people have to clean up over a period of
decades.

~~~
digi_owl
In essence there are no critical US systems running on Flash and so the
defensive side of NSA don't care. And the offensive side is just happy to let
it rot, as that means more opportunities for them.

~~~
technion
The thorn in the side of removing Flash has been VMware, who, in their latest
vSphere 6 release, clearly made the point that "Flash is the future", with
announcements towards deprecating their alternative clients.

I don't understand what they are thinking - it used to be such a progressive
company.

I don't know about US Government, but many Governments and sensitive
organisations are still using VMware, and this isn't likely to change.

~~~
chm
Where can I find information on this?

------
dhimes
Serious question: why are people still using Flash? I'm surprised by the
number of websites that use it.

~~~
steckerbrett
What websites use it? I've not encountered a single incompatible website
recently, and haven't had flash installed for a long time now.

~~~
archgoon
Facebook's inline video player uses it. On linux, I get a popup saying that I
must install Flash.

~~~
toja92
In Safari on OS X, Facebook does use the native <video> player.

I'm guessing that Facebook encodes video as h264, which isn't natively supported
in Firefox; rather, it relies on support in the operating system. I'm not sure
if Chrome on Linux supports h264, however since Chrome also includes its own
Flash player I guess that Facebook may be using their own flash player anyway.

~~~
hkmix
Pretty sure there are some settings you need to enable in about:config to get
H264 working in Firefox (assuming you have the right gstreamer stuff
installed).

~~~
nitrogen
Firefox can also install the free Cisco h.264 codec.

------
ceejayoz
And this is just one non-governmental setup's arsenal.

~~~
vtsrh
The good part is that this removes the same vulnerability for everyone.

~~~
ceejayoz
My point, though, is that if a random Italian consultancy can amass multiple
Flash 0-days, the folks at the NSA with the $10+ billion budget probably have
an essentially endless supply of them (not to mention exploits for other
software) at the ready.

------
therealmarv
Is there any Flash security bug recently which makes it outside the Chrome
sandbox?

~~~
steveax
Yep, the one that became public 5 days ago [1]

[1]: [https://krebsonsecurity.com/2015/07/adobe-to-patch-hacking-teams-flash-zero-day/](https://krebsonsecurity.com/2015/07/adobe-to-patch-hacking-teams-flash-zero-day/)

~~~
bitmapbrother
Only when used in tandem with a Windows exploit:

"A spokesperson for Google confirmed that attackers could evade the Chrome
sandbox by using the Flash exploit in tandem with another Windows
vulnerability that appears to be unpatched at the moment."

------
a3n
Hacking Team developed digital smallpox, and failed to safeguard it.

Thanks.

~~~
tptacek
I'm as grossed out by HT as the next message board nerd, but they didn't
develop these bugs; modern industrial software development did. All HT did was
weaponize them. These guys aren't the sharpest tools in the shed, so I think
you can safely assume other people weaponized these, or worse bugs, as well.

~~~
EthanHeilman
HT purchased these vulnerabilities with an understanding that they would not
be made public and patched. Then they failed to safeguard them. Clearly these
0-days, and conceivably all computer vulnerabilities, are not close to being
as bad as smallpox, but what ethical obligations do actors (companies,
governments, hackers, researchers) have to protect vulnerabilities which they
plan to not protect the public against?

Say you discover a very powerful attack on AES which allows you under many
circumstances to recover the key:

1\. do you have an ethical obligation to warn affected parties?

2\. If you don't and instead secretly sell this decryption capability to
governments and/or private actors, do you have an obligation to ensure that
this capability isn't used illegally or unethically?

3\. What due diligence is required to protect a vulnerability of this scale?

~~~
x0x0
Why don't you 100% blame the people at fault: Adobe / the original developers.

First, they were incompetent enough to not correctly develop their software.

Second, non-assholes would have a standing price-match policy for bugs. Adobe
should give you 110% of the highest bid you get for any 0-day. They could have
fixed these a long time ago if they'd paid the discoverer $45k (or $150k --
times three for exclusivity.) These companies are effectively outsourcing
security testing and remediation of their software, then whinging that
independent developers don't work for free.

~~~
JoshTriplett
Bug bounties are sensible, but price-matching seems too easy to game. How can
the company know a bid is serious, and not just fake to be matched? "Oh, sure,
so-and-so offered $200k for this bug."

(For that matter, while reputation is certainly a thing, what stops a security
researcher from selling the same 0-day to several different buyers, and then
selling it to the company to fix? Do the typical contracts to sell 0-days
involve continued payment based on the amount of time the bug remains
unfixed?)

~~~
BatFastard
How about an escrow contract using a third party and bitcoin? You could call
it Silk Road 3. It's really not that hard to be taken for a ride if you have the
resources Adobe does.

~~~
ipsin
If you know a company is legally obligated to pay up to $x, and that they have
$x, you can offer to pay $x/1.1 in collusion/partnership with the bug-seller,
for a share of the proceeds. You can outlaw the collusion, but setting up this
kind of mechanic seems like a bad idea.

------
chinathrow
[https://twitter.com/BrendanEich/status/619876135623618560](https://twitter.com/BrendanEich/status/619876135623618560)

~~~
stevenh
My Macbook kernel panics and force-reboots itself because of a bug in some
newer Firefox browser feature(s) which are used by a JS-based GBA emulator
which was trending on HN yesterday. I can consistently duplicate the kernel
panic by resizing the browser window while the emulator is running. I've never
in my life experienced such a catastrophic bug from a Flash demo.

At worst, such a devastating bug has a decent chance of harboring its own RCE
which has yet to be discovered or disclosed; at best, it's one of the most
extreme local DOS attacks that a webpage could possibly launch against a
client.

Just because it's much more trendy to bash Adobe than it is to bash Firefox
doesn't mean that Firefox's problems are nonexistent.

Firefox RCE found on January 20, 2015:
[https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636](https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636)

Firefox RCE found on February 25, 2015:
[https://msisac.cisecurity.org/advisories/2015/2015-018.cfm](https://msisac.cisecurity.org/advisories/2015/2015-018.cfm)

Firefox RCE found on March 1, 2015:
[https://www.mozilla.org/en-US/security/advisories/mfsa2015-39/](https://www.mozilla.org/en-US/security/advisories/mfsa2015-39/)

Firefox RCE found on April 22, 2015:
[https://msisac.cisecurity.org/advisories/2015/2015-046.cfm](https://msisac.cisecurity.org/advisories/2015/2015-046.cfm)

etc.

Pot calling the kettle black.

~~~
__david__
If you are panicking the kernel, that is a kernel bug, not a JS/Firefox bug.

------
bohm
guess it's time to disable flash for a few weeks...

~~~
ghshephard
A significant portion of the web using community (including myself) stopped
using flash 6-12 months ago, when all the zero-days became a monthly
occurrence. The plugin is no longer strategic for adobe, they've stopped any
forward-looking development on it, and are now in the mode of whack-a-mole
reactive security patching.

I have not once ever missed having flash on my system. It's not just the case
that the web is usable, it's that, with the single exception of the BBC, it
doesn't seem to use it anywhere I visit.

~~~
ExpiredLink
> _The plugin is no longer strategic for adobe, they've stopped any forward-
> looking development on it, and are now in the mode of whack-a-mole reactive
> security patching._

[citation needed]

~~~
ghshephard
About four years back Adobe committed to HTML5 on mobile platforms, and noted
they would only provide bug fixes and security patches.

[http://www.cbsnews.com/news/adobe-abandons-flash-player-on-mobile-browsers-for-html5/](http://www.cbsnews.com/news/adobe-abandons-flash-player-on-mobile-browsers-for-html5/)

[http://www.telegraph.co.uk/technology/news/8879783/Adobe-abandons-Flash-for-mobile-devices.html](http://www.telegraph.co.uk/technology/news/8879783/Adobe-abandons-Flash-for-mobile-devices.html)

~~~
concerned_user
Simply because at that time both Google and Apple had banned Flash on their
respective platforms, otherwise nothing would change.

~~~
ghshephard
I'm not sure what your point is, but the reality on the ground, is that if you
want to provide access to video, or other rich content, flash is incapable of
reaching the largest audience, and the audience that's growing the fastest.
Adobe has made it clear there will no longer be any development of flash on
the mobile platform. HTML5 is the strategic platform for adobe moving forward.

Absolutely _no_ new major content sites as of around 2014 or so support flash
as an option - they are all starting with HTML5 and/or thick local clients.

Flash needs to be EOL'd, and the sooner the better for the security of the
Internet.

------
101914
For me there are generally 3 steps to the process of watching a youtube video.

1\. Get the video id. Retrieve HTML containing youtube /watch?v= urls or other
urls that contain the video id. Extract the urls from the HTML or other markup
garbage.

2\. Retrieve the video. Feed the /watch?v= url to a script that does some
"find and replace" on the absurdly long googlevideo urls. Below I have given
an example of such a script. Complaints welcome. It takes a /watch?v= url on
stdin and retrieves the video in the format specified on the command line.

3\. Play the video. ffmpeg libraries, mplayer, etc.

Whatever it is Flash does in the process of watching youtube videos (I am
quite sure it is not step 3), I do not need it.

Thus even if by not using Flash or a complex "modern" web browser to watch
youtube videos somehow were to reduce my exposure to vulnerabilities that
routinely occur in such software, I would not care. Because the reason I do
not use Flash is.... because I do not need it.

    
    
    #!/bin/sh
    # proof of concept: video retrieval

    # requirements:
    # sh, sed, tr, openssl, ftp

    # Adobe Flash not required
    # HTML5 not required
    # Python not required
    # Awk not required
    # web browser not required


    curl=ftp # BSD ftp(1) is the downloader; it is invoked as: $curl -4o outfile url
    file=1.mp4 # default outfile
    url=www.youtube.com # example


    # itag #s are on the wikipedia page for youtube


    # undo the common percent-escapes
    # (assumed: the last pattern also strips embedded newlines)
    f061(){
    sed '
    s,%3D,=,g;
    s,%3A,:,g;
    s,%2F,/,g;
    s,%3F,?,g;
    s/\n//g;
    '
    }

    # remove the first matching &itag=N parameter on a line, then branch to
    # label 1 at the end of the script so only one parameter is removed
    f060(){
    sed -e '
    s/&itag=5//;t1
    s/&itag=1[78]//;t1
    s/&itag=22//;t1
    s/&itag=3[4-8]//;t1
    s/&itag=4[3-6]//;t1
    s/&itag=1[346][0-9]//;t1
    ' -e :1
    }

    # start a new line in front of every "http" so each URL stands alone
    f062(){
    sed '
    s,http,\
    &,g'
    }

    # keep only the still-encoded lines that are videoplayback URLs
    f063(){
    sed '
    /%3A%2F/!d;
    /videoplayback/!d'
    }

    # one query parameter per line: split at encoded (%26) and literal &
    f064(){
    sed '
    s,%26,\
    ,g;
    s,&,\
    ,g;
    '
    }

    # separate consecutive URLs ("&https") with a blank line
    f065(){
    sed 's/&https/\
    \
    https/g;'
    }

    # drop everything from a JSON-escaped ampersand (\u0026) onward
    f066(){
    sed 's/\\u0026.*//'
    }

    # keep only the line carrying the requested itag (default: any)
    f067(){
    sed '/itag='"${1-.}"'/!d;'
    }

    # undo one level of double percent-encoding
    f068(){
    sed 's/%25/%/g'
    }

    # join the parameter lines back into one URL with &
    f069(){
    tr '\012' '&'
    }

    # strip the trailing & left by f069 and terminate the line
    f070(){
    sed 's/&$//'; echo
    }

    # read URLs on stdin and emit a minimal HTTP/1.0 request for each
    # ($1 overrides the method; default GET)
    f071(){
    local a061 a062 a063;
    while read a; do
    case $a in
    https://*)a061=${a#https://*/} ;;
    http://*)a061=${a#http://*/} ;;
    *)a061=${a#*/} ;;
    esac;
    a062=${a#*://};
    a063=${a062%%/*};
    printf "%b" "${1-GET} /${a061} HTTP/1.0\r\n"
    printf "Host: ${a063}\r\n";
    printf "User-Agent: GoogleAnalytics 1.5.1\r\n";
    printf "Connection: Close\r\n";
    printf "\r\n";
    done;
    }

    # TLS connection to $1 on port $2 (default 443), verifying the server chain
    f072(){
    openssl s_client -ign_eof -connect $1:${2-443} -verify 9
    }


    # usage: echo 'https://www.youtube.com/watch?v=...' | $0 itagno [outfile]
    case $# in
    [12])
    {
    f071 \
    |f072 $url \
    |f062 \
    |f063 \
    |f061 \
    |f060 \
    |f064 \
    |f068 \
    |f069 \
    |f070
    } \
    |f061 \
    |f065 \
    |f066 \
    |f067 $1 \
    |{
    read a;
    exec $curl -4o ${2-$file} $a ;
    }

     ;;
    *)
    exec echo \
    "usage:   $0 itagno [outfile]
    outfile: $file"
    esac

~~~
rasz_pl
holy crap that is convoluted

I simply use mplayer and javascript oneliner extracting direct mp4 link from
YouTubeCenter plugin = streaming video in mplayer without downloading.

~~~
101914
Q: "... why aren't you using youtube-dl?"

A: "holy crap that is convoluted"

I do not use Python nor a Javascript-enabled web browser to download video.

Both are big, convoluted, slow(!) and unnecessary.

But I do agree with using mplayer for playback.

------
curiousjorge
Do Chrome and Firefox automatically update Flash? I can't turn it off
because...well, a lot of video sites made for men that are not Youtube or Twitch
but more popular than Vimeo ever will be, require flash.

~~~
DavideNL
Google Chrome - yes, it has Flash built-in.

Firefox - "no", it doesn't have Flash built-in but uses Flash installed in the
operating system. However, Flash installed separately for example in
Windows/OS X also updates itself.

However, you are screwed either way: always running the latest Flash player
version which is known to be constantly full of security bugs, just like in
the past 3 years... :)

------
mahouse
What? I mean, how is this news?

~~~
sobkas
What is news?

~~~
mahouse
Isn't the record of infinite vulnerabilities in Flash widely known by
everybody?

~~~
sobkas
So if it is so widely known, why no action was taken by anyone to stop them
from undermining Internets security?

Also not everyone knows how bad Flash is for their security, only few geeks
care about reading cve-s. So until it goes to mainstream media not enough
people will care.

~~~
anarazel
Apple dropped it and it was a large, if not the largest, reason for work on
sandboxing plugins.

------
hobarrera
0-day exploits? I thought that flash had been discontinued years ago.

The last release I've found is 11.2, which seems to be years old and the last
ever.

~~~
Buge
[http://www.adobe.com/software/flash/about/](http://www.adobe.com/software/flash/about/)

~~~
hobarrera
Huh, I hadn't researched this before, but it looks like flash for Linux has
been frozen for years, while the windows and OS X releases keep getting
updates.

So I guess Linux users are immune to this new zero-day?

------
thrownaway2424
What are the people doing now who formerly developed Flash? Are they all
diesel mechanics and baristas or what? I wouldn't even consider calling
back a candidate who had Macromedia on their work history.

~~~
scrollaway
> I wouldn't even consider calling back a candidate who had Macromedia on
> their work history.

And I wouldn't even sort of consider hiring or even working with anyone that
thinks work experience in a language makes them a liability.

------
Animats
Flash is decades old, not that big, and still has use-after-free
vulnerabilities? Tools for catching those have been widely available for
years. That makes one suspect those vulnerabilities aren't there by accident.

We need public disclosure of the code check-in that created the bug, with
names. People need to be fired for this.

~~~
wmt
Work on a massive decades old software project and get ready to have your eyes
opened. All the automated static and dynamic software analyzers catch only the
easiest flaws, but can catch the more serious ones only if you're skilled and
lucky.

Firing people for software bugs is the stupidest thing I've heard in a while.
Everyone writes horrific software flaws. Everyone. The best of the best
programmers just write less of them. Firing people for bugs is a job perk that
will only motivate any good developers to find a less stupid employer as soon
as possible.

~~~
PhantomGremlin
_All the automated static and dynamic software analyzers catch only the
easiest flaws_

In a 64-bit environment, at least for development purposes, why can't every
single malloc() cause an allocation from new memory page(s)? Then free()
removes the page(s) from accessible virtual memory.

Too much overhead for production, but it would sure catch a lot of use-after-
free bugs during development. Is nobody doing something like that, or is that
part of what you consider "the easiest flaws"?

~~~
wmt
Wait, you mean like _CRTDBG_DELAY_FREE_MEM_DF which will just mark freed
blocks as freed and inaccessible?
[https://msdn.microsoft.com/en-us/library/5at7yxcs.aspx](https://msdn.microsoft.com/en-us/library/5at7yxcs.aspx)
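PhantomGremlin's proposal above (every malloc() on fresh pages, free() making them inaccessible) and wmt's pointer to _CRTDBG_DELAY_FREE_MEM_DF, carried out in C as an added example. This is not code from the thread, from Adobe, or from Microsoft's CRT. It assumes a POSIX system (Linux or macOS) and uses mmap/mprotect; the names dbg_malloc, dbg_free and the fault-trapping harness are chosen here, and the "session-token" object is constructed sample data. It goes one step beyond the comment by placing each object flush against a trailing guard page, so a linear overflow faults as well as a use-after-free.

```c
/* Page-per-allocation debug allocator for POSIX systems (Linux/macOS).
 * dbg_malloc() returns memory on fresh mmap'd pages, flush against a PROT_NONE
 * guard page; dbg_free() revokes access with mprotect() and never unmaps, so
 * the range is never reused and a stale pointer faults on first use. */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define HDR 16                                  /* header kept just below the object */
struct hdr { uintptr_t base; size_t len; };     /* mapping start, writable length */

void *dbg_malloc(size_t size)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (size == 0) size = 1;
    size_t user = (size + 15) & ~(size_t)15;    /* keep 16-byte alignment */
    if (user < size || user > SIZE_MAX - HDR - 2 * page) return NULL;
    size_t body = (HDR + user + page - 1) & ~(page - 1);   /* writable pages */
    char *base = mmap(NULL, body + page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + body, page, PROT_NONE) != 0) {   /* trailing guard page */
        munmap(base, body + page);
        return NULL;
    }
    char *p = base + body - user;          /* object ends exactly at the guard page */
    struct hdr *h = (struct hdr *)(p - HDR);
    h->base = (uintptr_t)base; h->len = body;
    return p;
}

void dbg_free(void *p)
{
    if (p == NULL) return;
    /* A double free faults right here: the header is already PROT_NONE. */
    struct hdr h = *(struct hdr *)((char *)p - HDR);
    /* Revoke access but never munmap(): the address can never be handed out again. */
    if (mprotect((void *)h.base, h.len, PROT_NONE) != 0) abort();
}

/* --- harness: run one memory access under a SIGSEGV/SIGBUS trap --- */
static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

static void on_fault(int sig) { (void)sig; faulted = 1; siglongjmp(fault_env, 1); }

static int faults(void (*fn)(void *), void *arg)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);      /* macOS reports guard-page hits as SIGBUS */
    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0)      /* 1: restore the signal mask on longjmp */
        fn(arg);
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

static void read_byte(void *p)  { volatile unsigned char *q = p; (void)*q; }
static void write_byte(void *p) { volatile unsigned char *q = p; *q = 0x41; }

/* 1 when a read through a dangling pointer is caught (a pool allocator would
 * silently hand back whatever now lives at that address). */
int uaf_read_is_caught(void)
{
    char *s = dbg_malloc(32);
    if (s == NULL) return -1;
    memcpy(s, "session-token", 14);        /* constructed sample object */
    dbg_free(s);
    return faults(read_byte, s);
}

/* 1 when a live object is readable, i.e. no false positive. */
int live_read_is_fine(void)
{
    char *s = dbg_malloc(32);
    if (s == NULL) return -1;
    s[0] = 'x';
    int ok = !faults(read_byte, s);
    dbg_free(s);
    return ok;
}

/* 1 when a one-byte write past the 32-byte object hits the guard page. */
int overflow_is_caught(void)
{
    char *s = dbg_malloc(32);
    if (s == NULL) return -1;
    int r = faults(write_byte, s + 32);
    dbg_free(s);
    return r;
}
```

Build with cc -Wall -c page_alloc.c and link it into a debug build in place of malloc/free; each probe function returns 1 when the fault is caught. This is the same mechanism Electric Fence and the Windows full-page heap use: at least two pages per object and mappings that are never returned, which is why it belongs in a test build, not production, and why it only finds the use-after-free your inputs actually exercise. ASan-style quarantine plus red zones is the cheaper everyday variant of the same idea.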

