KILLER! Adobe Flash, Windows zero-day vulns leak from Hacking Team raid

Confidential source code stolen from Hacking Team, and subsequently leaked online, has revealed new and extremely serious software vulnerabilities that are exploited by the spyware maker to infect victims' computers. The security holes are used to inject malicious code into PCs; that code installs surveillance tools to monitor …

  1. Snow Wombat

    And this is why...

    I use Adblock for all my web viewing. (Sorry El Reg).

    Ad networks are festering piles of malware disease, but if I never load the ads, I can't be plagued by them, visually or otherwise.

    1. Anonymous Coward

      Re: And this is why...

      Adblock will help reduce your exposure to the Flash thingy, but not the Windows one. It seems that there is Adobe font-rendering code in Windows kernel-space. What could possibly go wrong?

    2. Mark 85

      Re: And this is why...

      Depending on which version of Adblock.. stuff still gets through. If you haven't already, nuke Flash permanently. And modify your hosts file: http://someonewhocares.org/hosts/ which is updated frequently.

    3. MrRtd

      Re: And this is why...

      Besides using ublock, an Adblock alternative, I have set Flash as click to activate. Oh, I wouldn't have any problems with ordinary ads, but it's the damn tracking that's built into them.

    4. Richard Jones 1
      Flame

      Re: And this is why...

      I am waiting for the headline that reads;

      at last a day without a Flash problem.

      Until then I will not be running Flash. It does make some sites' 'wonderful videos' unavailable, but if they cannot use something safe (including using words, not moving pictures), I cannot be bothered to waste my time on them.

    5. Anonymous Coward

      Re: And this is why...

      And this is why...

      I use Adblock for all my web viewing. (Sorry El Reg).

      Ad networks are festering piles of malware disease, but if I never load the ads, I can't be plagued by them, visually or otherwise.

      What's more, if you're abroad, YOU are paying to download this crud as well - let's remind people of that every time you get this "ads make things cheaper" argument, advertising happens in that case on your dime. It's like in the days before server side Bayesian spam filtering where a good deal of your email bandwidth was downloading crud before you could kill it off locally (this is what you get when your Chairman is so scared of missing juicy business via a false positive on spam that he doesn't permit basic filtering - until secretaries started receiving seriously nasty stuff and we warned HR this was a harassment suit in the making).

      The problem with Flash is that it's everywhere, and I do have the luxury as yet to just tell the idiots who use it to go stuff themselves - but we too use AdBlocker and a sideload of redirects in the hosts file (will look up a reference by @Mark 85 as well - thanks for that) because we have no choice if we want to keep it safe. You can say what you want about Jobs, but he called that one right: Adobe seems to be committed to keep computers as exposed as they were in the early days of Windows.

    6. Missing Semicolon Silver badge
      Megaphone

      Re: And this is why...

      Adblock on El Reg.

      Any news of the subscription option?

  2. cantankerous swineherd

    perhaps Mr phineas fisher could do us another favour and nuke adobe?

  3. Stu 18

    Isn't the use of stolen code illegal? Therefore if Adobe or MS patch the problems the company Hacking something or other could sue them for theft?

    Or does that not count when you pinch something like exploit code?

    1. Allan George Dyer
      Pint

      Bring the popcorn! I'd expect Adobe and MS to counter-sue for breach of their EULA - you know, the part where it forbids reverse-engineering? You did read the EULA, didn't you?

      So the ongoing security of users depends on which company can afford more lawyers.

      Hell, no popcorn icon, nevermind.

  4. Anonymous Coward

    Oh look another Windows kernel font cock-up.

  5. ZSn

    My my

    So, in fact, the most scurrilous rumours about these companies and the worst interpretation on their actions turned out to be true. What else is going to be discovered in the data dump?

  6. ma1010
    Mushroom

    Burn It

    As El Reg stated a couple of weeks ago, Flash is "The Internet's screen door." Uninstall it. Burn it. Nuke it from orbit. I'm sick of "OMG, You gotta patch RIGHT NOW" zero day Flash vulnerabilities that we seem to hear about weekly.

    And you web site maintainers, if you're using Flash (I'm looking at YOU, El Reg), STOP IT. Just get rid of it. There are alternatives, and none of them could possibly be as buggy as that pile of fetid waste known as Flash. Just flush it away.

    1. L05ER
      Facepalm

      Re: Burn It

      as of a few months ago (when i finally uninstalled it), it was still calling itself "macromedia flash" when it would hang.

      it almost made me wonder if i was in the right millennium...

    2. Doctor_Wibble

      Re: Burn It

      Agreeing, plus repeating (sorry) a previous remark I made elsewhere about the stupidity of having to use Flash just to look at a sodding phone bill.

  7. Paratrooping Parrot
    Black Helicopters

    This has definitely opened up a huge can of worms. Now we see that private hacking companies are out there searching for vulnerabilities that they exploit without letting the software companies know. This is basically black hat stuff.

    I am sure that if an individual made use of that kind of information for his own benefit, then the US authorities will extradite him and send him off to Guantanamo. If this is one company's information stash, imagine what kind of stuff the NSA and Mossad have with the amount of funding they receive. Imagine how many exploits they have access to. We have seen what has been leaked by Snowden.

    1. Anonymous Coward

      That's why you need defence in depth

      If this is one company's information stash, imagine what kind of stuff the NSA and Mossad have with the amount of funding they receive. Imagine how many exploits they have access to. We have seen what has been leaked by Snowden.

      That's why you need defence in depth - services and installed apps must be safe on their own without having to rely on an overall shell. The whole "soft centre, hard shell" approach has been invalidated long ago when it became clear that any Internet use can become a side channel attack via weak spots on the system (such as Flash).

      This is why an operating system that needs anti-virus software installed before it is safe is quite simply NOT a good idea, because it makes people that code for that platform lazy when it comes to security and heuristics can only help you so much with zero day exposures.

  8. Snowy Silver badge

    So there will be a patch next week, I wonder what other stuff they are going to also install with the patch.

    1. Tom Jasper

      Replacement exploits mandated by our friendly government safety oversight teams now that these are being closed?

  9. Anonymous Coward

    ... and if it hadn't been for you pesky kids ...

  10. Mark #255

    "Ask to Activate"

    In Firefox, you can set Flash (and all your other add-ons) as "Ask to Activate".

    1. theOtherJT Silver badge

      Re: "Ask to Activate"

      Which every single one of my Windows users would just immediately click "OK" to because they get a million pop up windows a day during the normal functioning of their Windows machines, so have just gotten used to that being a thing they do :(

  11. mike acker

    seriously?

    does anyone still seriously believe this is all due to sloppy work or just oversights? Santa will bring you everything on your Santa Letter! :)

  12. Anonymous Coward

    If cars

    were released with the amount of inherent bugs that Flash exhibits then the maker would go bust...

  13. Roland6 Silver badge

    Hacking Team's lax security is starting to deliver the goods!

    Whilst we tend to focus on the criminals...

    It is beginning to look that within the 400GB of data extracted from Hacking Team are exploits that have been known in certain circles for a long time, but which have not been previously reported and hence effectively made public.

    It will be interesting to see what other similar exploits are still to be found within the Hacking Team's data; this discovery certainly makes it worthwhile security experts taking the time to trawl through the data.

    Whilst this is unlikely to impact those whose systems have already been compromised by tools supplied by companies such as Hacking Tools, it will help make any future deployments of such tools by such companies/agencies much harder.

  14. lvm

    18.0.0.203 is out

    didn't bother to check whether it is it, but it is out

    1. Roland6 Silver badge

      Re: 18.0.0.203 is out

      I was a little confused from your comment, were you referring to the 'fixed' version of Flash or are you referring to some IP address that you're now blocking? :)

      Yes it is the fixed version (for Windows and OS/X):

      https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

      Aside: What I found a little worrying was that Flash 18.0.0.194 on Windows, even when explicitly requested to look for updates, didn't see the new version. I had to explicitly download it from the Adobe website, which did update my installation. Whereas Chrome at some stage quietly updated the Flash plug-in to 18.0.0.203.
