Wednesday, July 8, 2015

Time to patch Adobe Flash Player. Now.

An exploit for Adobe Flash Player is being actively used to infect computers with ransomware. Here is action you need to take NOW.
This article was written about a specific incident the first week of July 2015, but the instructions are what I have recommended for at least a year - and will continue to be appropriate into the future. Also of note, the recommendation to make browser plug-ins "Click to Play" is effective against exploits in all sorts of plug-ins, including Flash, Java, Silverlight, Adobe Reader, Windows Media Player, and more.

Last updated December 8, 2016. Current latest version is 23.0.0.207.

Early this week, the security firm Hacking Team was the victim of a massive network breach in which a large amount of company data was stolen and made public. This data included among other things a previously-unknown exploit against Adobe Flash Player. 

This exploit was quickly added to popular crimeware exploit kits (products that make it easy for an amateur criminal to create and deploy malware). It is actively being used to deliver "Cryptolocker," a form of malware known as ransomware - malicious software that encrypts all your files and then demands a ransom payment to return the files to you.

In short, a fully-patched PC could be completely owned simply by browsing to a web site carrying a malicious Flash object. Since Flash videos are a common type of advertisement, you do not even need to browse anywhere unusual - a malicious ad slipped into the rotation at your favorite news site would be enough.

Adobe released an update this morning to fix the vulnerability. Here is what you need to do.


Option 1: Uninstall Flash


The most effective way to eliminate vulnerabilities in Flash Player is to uninstall it completely. If software does not exist on your PC, it cannot be attacked. Journalist Brian Krebs wrote of a month-long experiment using the Internet without Flash Player. In his experiment, he only encountered a couple of instances where he simply could not do something without re-installing Flash. For many home users this is an entirely usable option.

For most browsers, the simplest way to remove Flash Player is to go to Adobe's website and follow the instructions. Adobe provides a downloadable uninstaller that will remove Flash from your PC.

Be aware though that Chrome includes Flash as a built-in feature that cannot be removed. It can, however, be disabled as follows:

Type chrome://plugins in the address bar to open the Plugins page. On the Plugins page that appears, find the "Adobe Flash Player" listing and click the Disable link under its name.


Disable Adobe Flash Player on chrome



Option 2: Make Flash "Click to Play"


This is effective not only for Flash Player, but for many other types of browser plugins or extensions. Examples that have been abused by hackers include Windows Media Player, Adobe Reader, and Microsoft Silverlight. I personally have made all plugins click-to-play.

Where Flash Player is still needed (many businesses have custom Flash-based applications), a very useful alternative is to make your browser ask you before running any Flash objects. This is what I personally do - and have found to be next to no inconvenience.

With this setting, when you browse to a web page that contains Flash content, instead of automatically playing (or automatically infecting your PC, depending on the developer's intent), you'll see something like this. Only if you click the Flash object will it begin to play:

With this setting, Flash content will only play after you click it

Chrome

Click the settings menu and select "Settings," then scroll to the bottom and click "Show advanced settings." Under the "Privacy" heading select "Content Settings..." Under the "Plugins" heading, select "Let me choose when to run plugin content." A shortcut is to type "chrome://settings/content" in the address bar, then look for the section entitled "Plugins," and select "Let me choose when to run plugin content."

Let me choose when to run plugins in Chrome

Mozilla Firefox

For Firefox, the process is very similar, though Firefox provides a visual way to get to the plug-ins menu. From the Firefox start screen, simply click the "Add-ons" icon at the bottom, or type "about:addons" in the address bar:

Access the Add-ons manager within Firefox

From the Add-ons Manager, click the "Plugins" tab, and look for "Shockwave Flash." Set Flash content to "Ask to Activate" instead of playing automatically.

Ask to Activate plugins in Firefox

Internet Explorer

Microsoft makes this setting a little less intuitive, and the result a bit more annoying, but it can still be done. From the settings "gear" icon, select "Manage add-ons."

Open the Internet Explorer settings gear and select "Manage add-ons"

From the Manage add-ons window, find the Shockwave Flash Object item by Adobe Systems Incorporated, right-click and select "More information." Note: on Windows 8.0 and newer, the Shockwave Flash Object may be under the group heading "Microsoft Windows Third Party Application Component."

Find the Adobe Shockwave Flash Object and select "More information."

By default, Microsoft allows the add-on to run on all websites. Click Remove all sites. From now on, every time you open a website that contains Flash objects, you will get a pop-up asking if you would like to run the add-on. Annoying? Yes. That's why I stopped using Internet Explorer long ago.

Select "Remove all sites" to prevent Flash from running automatically.



Option 3: Update Flash Player


I call this option 3, but in reality it should be done along with option 2 above. Adobe (the maker of Flash) has released updates to fix each vulnerability as it comes to light. Depending on your browser, the updates may be installed automatically, or you may need to install them yourself.

On all browsers, you may browse to http://www.adobe.com/software/flash/about/; with the Flash plug-in enabled, the website will show the currently installed plug-in version.

Chrome

Google's Chrome browser has Flash Player built in to the browser; Flash Player updates are included with Chrome updates, and are installed automatically. A simple way to verify this is to open Chrome's "plug-ins" window to see the current version of all plug-ins (plug-ins are "helper programs" that hook into the browser to provide additional features). Chrome does not provide a way to get to the plug-ins window through menus, but you can easily find it by typing "chrome://plugins" in the address bar. As of this writing, version 18.0.0.203 23.0.0.207 is the latest.

The current version for Adobe Flash Player in Chrome for Windows is 18.0.0.203

Mozilla Firefox

From the Add-ons Manager, click the "Plugins" tab, then click the link to "Check to see if your plugins are up to date. For "Shockwave Flash," the current version as of this writing is 18.0.0.203 23.0.0.207. Keep in mind that Firefox does not actually update the Flash Player for you. The "Check" link will let you know that a plug-in is outdated and give you a link to Adobe to download an update if needed.

The current version of Adobe Flash Player for Firefox on Windows is 18.0.0.203

Microsoft Internet Explorer on Windows 7

Internet Explorer is somewhat less user-friendly when it comes to updating plug-ins. Unlike with Chrome and Firefox, Flash Player settings and updates are not integrated into the browser; instead, Flash Player settings are controlled through a separate Flash Player Settings Manager in the Windows Control Panel. To get there, open the Control Panel (it ordinarily is included in the Start Menu; if you have removed it, simply type "Control Panel" into the "Search programs and files" box in the Start Menu), and select "Flash Player."

From the Flash Player Settings Manager, use the "Check Now" button to verify you have the latest version. As of this writing, the current version is 18.0.0.203 23.0.0.207.

The current version of Adobe Flash Player for Internet Explorer is 18.0.0.203

Microsoft Internet Explorer for Windows 8, 8.1, and Windows 10

Microsoft provides updates for Adobe Flash Player in its browser for Windows 8, 8.1, and 10 through Windows Update, its update service for Microsoft operating systems and products. If your PC is set up to automatically install updates, it will obtain this update within 24 hours. You can install the update immediately by going to Microsoft's support bulletin and selecting the link for your specific operating system, or by launching Windows Update on your PC. To run Windows Update, press the "Windows" key on your keyboard and type in "Windows Update," then select and install the Security Update for Internet Explorer Flash Player.

Install updates for Internet Explorer Flash Player on Windows 8 or 8.1 through Windows Update


Other Information


Downloads


Vendor bulletins


Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen