Hacker News
CVE-2015-0311 – Adobe Flash Player Remote Vulnerability (nist.gov)
80 points by guiambros on Jan 25, 2015 | hide | past | favorite | 45 comments

Chrome users: keep in mind that the built-in "click to play" is not actually a security boundary:
Therefore the recommendation, if you can't disable Flash entirely, is to choose "Block by default" in Chrome's plugin settings so that you have to right-click and "Run This Plug-in" when you really want Flash to play. You can still whitelist if you want.
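The same "block by default, whitelist a few sites" setting can be pushed to every managed machine instead of being clicked through per user. The file below is an added example, not something posted in the thread: it is a Chrome managed-policy file for Linux (dropped into /etc/opt/chrome/policies/managed/; on Windows the same keys live under HKLM\Software\Policies\Google\Chrome). The policy names and the value meanings (1 = allow, 2 = block, 3 = click to play) are from my recollection of the 2015-era Chrome policy list, so verify them against your Chrome version's policy documentation; the whitelisted host is a placeholder.

```json
{
  "_comment": "Weak setting: 3 is 'click to play', which the thread explains is not a security boundary. Do NOT use this value.",
  "_weak_DefaultPluginsSetting": 3,

  "_comment2": "Hardened setting: 2 blocks all plugins everywhere unless a URL pattern below allows them.",
  "DefaultPluginsSetting": 2,

  "_comment3": "Explicit allow-list; intranet.example.invalid is a placeholder for the one site that still needs Flash.",
  "PluginsAllowedForUrls": [
    "https://intranet.example.invalid"
  ],

  "_comment4": "Belt and braces: refuse to load the Flash plugin module at all, even on allow-listed sites, if nothing needs it.",
  "DisabledPlugins": [
    "Shockwave Flash"
  ]
}
```

Chrome ignores unknown keys such as the `_comment*` entries, so they can stay in the file as documentation. After copying the file in, check chrome://policy to confirm the values were picked up and that DefaultPluginsSetting shows 2, not 3.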

Ouch. I was under the impression that click-to-play was in fact treated as a security boundary, and finding out that it isn't severely downgrades my estimation of how secure Chrome is.

I do see how preventing clickjacking is hard, and you wouldn't want click-to-play as the only line of defense, but I think Chrome should at least make the effort to do so. A working click-to-play security boundary would reduce the number of sites that get to attempt to exploit me with Flash by more than an order of magnitude.

Click-to-play can never be a security boundary, and you don't need to know anything about the inner workings of Chrome to know that it isn't a security boundary.

Any website can induce you to click somewhere using a psychological trick (for example, a "Next Page" link in an article). There would be no reason to be concerned--after all, merely following a link on a webpage can't be unsafe, right? (After all, you know better than to download software from untrusted sources, so you won't do that. You're just browsing pages.) Then it could use script to replace that link with a malicious plugin in the instant just before you are most likely to click. There--bypassed security boundary.

I find this "you don't need to know the inner workings" lesson analogous to a thought experiment I sometimes ask tech people. I quiz them: Can a USB storage drive harm your computer (install malware, etc.) merely by plugging it in, even if you know better than to run any executable files on it? The answer is (1) Yes, and (2) You don't need any specialized knowledge of how USB works to know this--you just need to know about the existence of USB keyboards. The USB device, despite appearing to be a thumb drive storage device, need merely identify itself as a keyboard, and it can start typing malicious commands after being plugged in.

Ahh crap. Thanks for this. I did not realize click-to-play was so pointless.

Me too. I am every day more appalled by the lack of security of browsers. That being said, logically, if you also have javascript disabled, I presume click-to-play should be secure.

It's not pointless from a usability perspective, just pointless from a security perspective.
Disable all of them

Edit: if you have a site that requires a plugin, create a separate chrome user with that plugin enabled and run that site in it

That malware is apparently not trying to infect Chrome, but Chrome still carries the vulnerable Flash and runs it by default. Maybe the author of that malware doesn't have or doesn't want to spend a Chrome sandbox escape to attack it, but such escapes have been found in the past, and others are likely lurking.

Thus the advice to disable or block Flash within Chrome, especially since Chrome's Flash hasn't yet been updated for this vulnerability.

> If you can't disable Flash entirely...

I can but there are websites that still rely on Flash for video playback :/

One thing I've noticed is that FAR more sites do video backwards – using Flash if present, falling back to HTML5 if not – than actually do not support it. Spoofing the iPad user-agent gets almost all of the remaining sites.

If people keep using Flash, these websites will not adopt other options.

Disabling unsecured plugins will be a long term benefit for us.

Disabled ALL plugins on Chrome about a month ago and barely noticed any change. Seriously advise everyone in favor of disabling all plugins now. [Edit] chrome://plugins/

When I switched to Firefox from Chrome, Flash didn't come with it, and I left it like this. In the very rare case, I pop open IE or Chrome. Works great!

Agreed. Oddly enough, one of the only websites I have to open Chrome (which has Flash installed) for is ... Google Music. It has an HTML5 setting, but that seems to do nothing.

As far as I know, the HTML5 option for Google Music does work in most browsers, but not Firefox.

Apparently this is because it needs MediaSourceExtensions with HTML5 MP3 support, neither of which are in Firefox currently - https://bugzilla.mozilla.org/show_bug.cgi?id=911837

Curious, why not switch to Chromium instead? You would still want to disable plugins as you do now, but is there an advantage to using Chrome over Chromium once plugins are factored out?

If you're on Windows or Mac, there's no official binary download for chromium - you have to download it from a third-party blog or build it yourself.

The situation is better on Linux, as several distros include chromium packages.

I'd leave Google Update and Chrome PDF Viewer enabled.

I still get Chrome updates. I don't have "Google Update" as a plugin.

Apparently (1) EMET prevents this Flash vulnerability from working. Might be time to install it from (2) with the extra "Popular Software" settings on your own PC and any you control.

(1) https://twitter.com/SwiftOnSecurity/status/55846182290312806...

(2) https://technet.microsoft.com/en-us/security/jj653751

"InfoSec Taylor Swift" (@SwiftOnSecurity) is a parody account, and I wouldn't trust it on whether EMET prevents this vulnerability or not. Not saying that it doesn't, just that we'd need more serious sources on that.

Here's a more serious source (EMET is mentioned towards the end of the blog post) ...
Swift on Security tends to be surprisingly on the pulse with respect to this sort of stuff. Of course check a second source but don't write Tay Tay off right away!

I'd love to know who runs it.

It's not too hard to figure out. He/she's on Twitter and admits that he/she hasn't been great with the OpSec. :-)

@SwiftOnSecurity's identity is a parody; the information on it is pretty legit.

Note: under Windows, Chrome will install Flash by default, so it's not enough to uninstall the standalone Flash Player. The latest Chrome has Flash, which is vulnerable.

If you use Chrome, and want to be safe, go to about:plugins, and disable it manually.

Under Linux the latest is, which is not vulnerable (but I'm using Chrome 40.0.2214.10 beta, so YMMV).

Do you know that Chrome is vulnerable, or are you just going by the version numbers?

Chrome sandboxes plugins in order to give an extra layer of protection against exactly this kind of exploit. The interesting question will be how it helps in this case. Do you have any info?

ADDED: initial reports suggest Chrome is NOT affected; whether it's thanks to Chrome's sandboxing model or whether it's because Chrome has patched it isn't clear: http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerab...

Flash is also sandboxed in Firefox and maybe IE. Different sandboxes, of course, but it is no panacea.

I thought that the latest Flash for Linux was 11.2. Where did you get v15 from? Thanks.

I think it was the version bundled with Google's Chrome browser being referred to, and not the standalone Adobe Flash Player for Linux, which is quite old now.

It isn't actually very old – not much older than current releases on other supported platforms, because quite often security bugs affect it as well, and Adobe updates it as well.

Adobe has promised to support the NPAPI Linux plug-in for a few more years (IIRC till 2017). It doesn't get any new features, but security issues will be fixed, usually at the same time as on other platforms.

v15.0.0.223 is the latest version bundled with Chrome beta.

NOTE: Adobe Flash Player 11.2 will be the last version to target Linux as a supported platform. Adobe will continue to provide security backports to Flash Player 11.2 for Linux. http://i.imgur.com/A5IFIBF.png Source: http://get.adobe.com/flashplayer/

Note that Google provides newer versions of Flash Player for Linux alongside Chrome. That version works on any browser that supports the Pepper plug-in interface (currently Chrome/Chromium (+forks)/Opera/? – and not Firefox).

And what is funny is that I noticed this morning some users with admin privs (long story) were ahead of my already delayed patching schedule (I am not in the US). Adobe has a distribution page for companies to deploy Flash and other stuff internally with "enterprise-y" installers, and I had to refresh until like mid-afternoon local time to see it, and wondered if it was laziness or rushing.

Well, question answered.

Following on from https://news.ycombinator.com/item?id=8942395, is Firefox affected when click-to-play ("Ask to Activate" in Firefox terminology) is enabled?

Shame on you Adobe! Yet another hole in Flash, isn't it time to pack up your tent and move onto the dust bin of history?

Furthermore it's more shameful to release an update for the manual update users two days after the automatic update users get it. Get over yourselves already. This is already being exploited, push fixes out faster or at least at the same time.

Steve Jobs was so right.

They are certainly not going to bin themselves, we have to do it for them.

Uninstall flash, and refuse to reinstall it. And see if your nontechy friends and relatives will let you do the same to protect them as well.

There are a lot of sites that have multiple streaming options, but when flash is installed it's what they default to.

And are you going to bin Apple and Microsoft too? Not going to use USB? Not going to use DNS? What hardware and software do you use that had no security flaws in the last year?

This is not the point. When you definitely can do something, you should do it. Other problems should not distract you from removing this particular software.

adobe flash_player has just under three hundred CVE entries for software flaws. (note to pedants: the NVD search includes GNU bullshit clones if you run a simple search on 'flash player')

apple quicktime has over two hundred -- and that's ONLY counting from OS X days (i.e., not including Mac OS days).

Writing network-enabled rich-content delivery platforms is a hard task. flash player is installed on a tremendous number of devices across a staggeringly diverse operating system segment. Problems are sadly impossible to avoid.

Firefox has more than 1100 -- again, not counting Mozilla days. Chrome has more than a thousand. Safari, commendably, has little more than five hundred. The point is nobody gets it right. Not even Steve Jobs.

>Shame on you [Company]! Yet another hole in [Product], isn't it time to pack up your tent and move onto the dust bin of history?

There haven't been many major pieces of software that didn't have at least one major security vulnerability reported in the last year. Apple's products being no exception.

But Adobe's Flash is like a friggin' clown car: vulnerability after vulnerability has been coming out of it for as long as it's been around.

I think the same thing would have resulted from almost any closed-source binary parsing remote data deployed on a huge number of different browsers. Flash, Java, and Adobe Reader present almost uniquely attractive attack surfaces due to their cross-browser ubiquity as well as their fragility.

That isn't making excuses for them, of course, but it gives us an important data point as to what behaviour to avoid in future. (I'm looking at you, Silverlight.)
