Adobe Flash zero-day exploit... leveraging ActiveX… embedded in Office Doc... BINGO!

bombastic bob
Silver badge
Facepalm

Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

what it says in the title.

AAAARRRRRGGGGHHHH!!!!!

(yeah it's a bit like Charlie Brown and Lucy Van Pelt and the football... the only way to win, is NOT to play)

And *STOP* accepting e-mailed "office format" documents at the firewall!

icon, because, facepalm.

it's not like these 3 security craters haven't been KNOWN for DECADE(s).

steelpillow
Silver badge

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

Yeah, but we have so much legacy flash/office stuff that our business depends on, we cannot just turn it all off.

We are too dumb to plan migration to a secure policy. We just have to learn and not do it again. This time we really will learn, we really believe that.

Except, we are still as dumb as Charlie Brown when it comes to being suckered one more time.

BTW, it's spelled AUGH!

hellwig
Silver badge

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

The problem is, some VP really needs that email from "Doctor@hospital.com" with a document titled "IMPOTENT: Concerning in regards of the health status - Pleas Read.docx".

chivo243
Silver badge

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

Sounds like someone got the band back together!

arctic_haze
Silver badge

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

Exactly my thoughts. However ActiveX means IE is needed for this perfect storm of bugginess. Or am I wrong?

Shadow Systems
Silver badge

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

Bob, I've always wondered why Charlie didn't get sick & fekkin' tired of Lucy's constant bullshit with the ball, decide to get even for a change, & ignore the ball to kick her in the ass instead. Laugh as she screams a nice high arc over the goal posts, throw up the arms in classic Spanish soccer announcer delight & scream "GOAL!" at the tops of his lungs.

But then I also wondered why Linus didn't pause in his piano playing at Lucy's interruption, tell her to fek off, then slam her nose in the key cover when she refused to leave him alone. "Listen bitch, the blade cuts both ways & NO MEANS NO! Go away! You're a bitch! Die already you cockwomble! AAAAHHHHH!"

*Cough*

I never did like that girl... =-Jp

Teiwaz
Silver badge

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

The problem is, some VP really needs that email from "Doctor@hospital.com" with a document titled "IMPOTENT:

A shame, an end to his bloodline maybe, but not the end of the world - some of us don't get the opportunity to have offspring in the first place.

Nevermind

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

Nah, Word has a section called "developer" and in it are a whole selection of activeX non-goodies. I regularly receive embedded MS docs from an evilcorp that thinks it is the ballon de chien at security... cockwombles.

Fred Dibnah

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

I consulted some reference documents in The Beano and can confirm it’s definitely ‘Arrgh’

Anonymous Coward

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

Yes, but; Charlie Brown is in Peanuts, not The Beano, and they speak’n’spell a different dialect/accent in the USA!

Chairman of the Bored
Silver badge

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

All the girls in Peanuts seem a little over the line. It makes you wonder if Charles Schulz had some issues with a sister or something growing up...

A.A.Hamilton

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

Thanks for this very stark warning. As an 'adviser' to foreign students studying at UK Universities, I have become used to receiving significant volumes of MS Word documents, like theses, containing multiple media types. Is there a practical alternative? If not, what effective precautions can be taken?

Anonymous Coward

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

I have become used to receiving significant volumes of MS Word documents, like theses, containing multiple media types. Is there a practical alternative?

I tend to open external docs with LibreOffice - it's about the strongest argument to have at least an install on the PC (and, let's face it, it doesn't burn a hole in the IT budget either).

If not, what effective precautions can be taken?

Start with killing off anything "automatic". Do some surfing, plenty of advice out there.

And get rid of Flash. Just do it.

mrobaer
Coffee/keyboard

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

I had one pleasant sip left, and now my laptop is wearing it. Thank you!

Florida1920
Silver badge
Headmaster

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

But then I also wondered why Linus didn't pause in his piano playing at Lucy's interruption

The piano player in "Peanuts" was Schroeder.

Anonymous Coward

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

"If not, what effective precautions can be taken?"

-------------------------------------------------------------------

Run Linux with LibreOffice as your office suite, and a suitable email client (such as Thunderbird, though there are other choices) that includes support for PGP signing and encryption.

Run necessary windows programs in wine, or if that won't work, a VM.

Always run from a user level, nonprivileged account.

Keep the software updated. Personally I like a rolling release for this, but you can use a point release and still be orders of magnitude better off, with perhaps a bit more stability, though proper testing should keep a point release distribution working reliably too. Just don't upgrade everything in the first week, except for 'hot' vulnerabilities.

Always validate hashes on software.

Run antimalware including antivirus and a web page scanner.

Lock down default browsers with things like uBlock or NoScript.

If something absolutely needs to be run, and run on Windows, run it in a VM.

If you are concerned about a site, or particular data, access via a locked down Linux in a VM - possibly a read only distribution - and be ready to delete that VM and replace it with a clean backup.

When feasible, use software in a VM to strip data down to macro free text files for documents and spreadsheets before moving to a filesystem accessed by your primary OS instance.

Block ads and trackers with Ghostery, PrivacyBadger, and the like to reduce attack surfaces.

Always run a VPN for anything outside your local network, or even on your local network, both to protect data and privacy and to reduce attack surfaces.

Never connect to any network you or your competent IT staff do not control, without a VPN.

When in doubt use a bootable read only Linux distribution.

When travelling remove your HDD, and carry two or three Linux DVDs for appropriate uses (Tails, Knoppix, and Mint would be a good toolkit). Use the most restricted choice for your current task. Carry your data on a flash drive or SD card, encrypted with a travel only key. If need be, store the key on a secure internet accessible location, encrypted with a passphrase written down at your home or office, and nowhere else. Do not take the key across borders. Do not use your travel computer except while travelling (which means you could re-use the HDD elsewhere).
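
One way to act on the advice above about checking documents before they reach your primary system, as an added example that is not from any commenter: a Python triage of a .docx package that lists ActiveX, OLE and VBA parts, flags the Flash control's class ID, and pulls out plain text without opening the file in Office. The function names, the size limit and the sample document are constructed for illustration.

```python
import html
import io
import re
import zipfile

# Part names inside an OOXML (.docx) package that carry active content.
ACTIVE_PARTS = {
    "activex": re.compile(r"^word/activeX/", re.I),
    "ole_embedding": re.compile(r"^word/embeddings/", re.I),
    "vba_macros": re.compile(r"vbaProject\.bin$", re.I),
}
CLASSID = re.compile(rb'classid="\{([0-9A-Fa-f-]{36})\}"')
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"  # Shockwave Flash ActiveX control
MAX_PART = 20 * 1024 * 1024  # assumed limit: refuse to inflate oversized parts
# Regex extraction keeps an XML parser away from untrusted input;
# it assumes the conventional "w:" namespace prefix.
TEXT_RUN = re.compile(r"<w:t(?:\s[^>]*)?>([^<]*)</w:t>")

def triage_docx(data: bytes) -> dict:
    """Report active content in a .docx and return its text; nothing is executed."""
    findings = {kind: [] for kind in ACTIVE_PARTS}
    classids = set()
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if info.file_size > MAX_PART:
                raise ValueError(f"part too large: {info.filename}")
            for kind, pattern in ACTIVE_PARTS.items():
                if pattern.search(info.filename):
                    findings[kind].append(info.filename)
            if ACTIVE_PARTS["activex"].search(info.filename) and info.filename.endswith(".xml"):
                classids.update(m.decode().upper() for m in CLASSID.findall(pkg.read(info)))
        xml = pkg.read("word/document.xml").decode("utf-8", "replace")
    text = "\n".join(html.unescape("".join(TEXT_RUN.findall(p))) for p in xml.split("</w:p>"))
    return {"active": any(findings.values()), "findings": findings,
            "flash_control": FLASH_CLSID in classids, "text": text.strip()}

def build_sample(with_activex: bool) -> bytes:
    """Constructed sample package for the demo (not a real-world document)."""
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:t>Thesis chapter 1</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        if with_activex:
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}" '
                       'xmlns:ax="http://schemas.microsoft.com/office/2006/activeX"/>')
            z.writestr("word/activeX/activeX1.bin", b"\x00")
    return buf.getvalue()
```

A document that comes back with `active` set can be quarantined or passed on as the extracted text only.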

Shadow Systems
Silver badge

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

At Florida1920, re: the piano player.

Thank you for the correction. I blame my mistake on a lack of sufficient caffeine. =-Jp

takuhii

Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

You hit the nail on the head sir ;)

Anonymous Coward

leveraging ActiveX

"Leveraging"? Bloody "leveraging"? What are you, some kind of HR consultancy reject?

steelpillow
Silver badge
Coat

Re: leveraging ActiveX

Probably thinks he's Archimedes.

Inventor of the Marmite Laser
Silver badge

Re: leveraging ActiveX

@steelpillow

Screw that

Pen-y-gors
Silver badge

Qihoo 360?

Having the same sort of availability issues as Office 361.5 ?

Nick Ryan
Silver badge

ActiveX? Again. A ridiculously stupid idea from the outset... as in cobbling together one layer of dangerous instability on top of another layer of dangerous stupidity on top of another layer of dangerous stupidity?

Combine with Flash? Seriously? The most insecure mess since, erm, anything else that came out of Adobe. Or Microsoft. Or possibly Sun.

What's the commonality in this mess? Largely unnecessary proprietary extensions in place of standards. It's not that standards based systems are invulnerable (far from it) but their legacy is much less. And they can be fixed. ActiveX can never be fixed - ban and block it. Flash almost certainly can never be fixed either. As for the other insecure stuff that comes out of Adobe, as in a document format (PDF reader) that suddenly "needs" Flash, JavaScript (homebrew abortion version of course) and local system access to all kinds of unnecessary resources... just no. No. never.

Zippy´s Sausage Factory

A load of Word plugins are ActiveX these days. As are a lot of Excel and Outlook ones. The "social connector" they bundle with Outlook that snoops someone's LinkedIn profile and annoys you with it is an ActiveX plugin.

It's a technology they should have taken out and shot, years ago.

sanmigueelbeer
Bronze badge
Trollface

Flash quiz, genius: The answer to the riddle resides in this DOCX file. (Plus the location of the pot of gold.)

C'mon, what's the worst that can happen? Don't hesitate. This offer won't last long.

Shadow Systems
Silver badge
Joke

*Comical wailing & sobbing*

I can't enjoy the fun zero day exploits with everyone else! No Adobe, no ActiveX, & no MS Word means I can't experience the fun. What shall I do?!?

*Giant arcs of rainbow sparkly crocodile tears of sarcasm*

elvisimprsntr

So the key takeaways are don't run:

1. M$ Windows - Check

2. IE - Check

3. ActiveX - Check

4. Anything from Adobe - Check

5. M$ Office - Check

phuzz
Silver badge

At this point it's quicker to make a list of software that's not vulnerable. Full list presented below:

.

.

.

.

.

.

.

.

.

.....errrm

Anonymous Coward

Monsieur, a wafer-thin link?

Oh sir! It's only a tiny little thin one.

ElReg!comments!Pierre

or just dump the damn thing already.

Which one?

naive

Thank you VmWare and MS-Edge

Which either require flash to be working, or use it as an unavoidable plugin in the browser.

Americans are quite trigger happy when it comes to punishing people guilty of repeated offenses, I don't understand why everyone working at Adobe is not in jail, together with a restraining order for coming close to any computing device.

Anonymous Coward

Re: Thank you VmWare and MS-Edge

There is a Flash-free version of VMware vSphere now, and it’s substantially less clunky, too. (But, yes, why an admin interface for sysadmins, and often used from less, pardon the pun, flashy unix workstations was built around Flash in the first place is somewhat mind-boggling.)

mark l 2
Silver badge

Another security fail from MS and Adobe. Why is Active-X even switched on by default since it pretty much died when IE? The 1% of people that actually need Active-X on should have to enable it rather than it be a gaping hole ready to be exploited by any bad actors.

As for Flash, DIE, DIE, DIE! I wish Google would remove Flash support from Chrome, as this would force those developers who are hanging on to it to finally do something about moving to HTML5. Or risk the majority of users not being able to access their websites.

Anonymous South African Coward
Silver badge

ActiveX = CaptiveX

jms222
Bronze badge

Fly on wall

Not that I want to use it but I'd be really interested to

a) see the source code and

b) know what goes on inside Adobe

for Flash.

Anonymous Coward

BBC

Why do the BBC insist on installing this?

Instead of wasting time and money on "Sounds" they should fix this now.

N2
Silver badge
Devil

Re: BBC

Agreed,

I look forward to the day they are forced to change, but that seems par for the course for them.

TVU
Silver badge

Adobe Flash zero-day exploit...

Adobe Flash's end of life is thankfully scheduled for the end of 2020 and so that's only just over two years to wait until that joyous day.

A.P. Veening

Re: Adobe Flash zero-day exploit...

Adobe Flash's end of life should have been about ten years ago as it was already totally bug infested at that time.

Triumphantape

Why?

Why does Flash still exist?

Anonymous Coward

Re: Why?

So us Queen fans can still say "Ahaaaaaa". There's really no other remaining value IMHO.

:)

Mike Moyle
Silver badge

"Adobe Flash zero-day exploit... leveraging ActiveX… embedded in Office Doc..."

Sounds like a player's guess in that new fun-for-the-whole-family game "(Haven't A) Clue"!

Anonymous Coward

That's what Security is for?

Why won't my AV / Behaviour Blocker / Exploit protection software / Firewall / Download scanner in browser / uBlock Origin all together or individually detect and prevent flash and active control related malware? Serious question.

Wowbagger123

I haven't used Flash for a good number of years now. Don't need it or its vulnerabilities.

Chairman of the Bored
Silver badge

I just remembered what this trifecta reminds me of...

...I had an engineering ethics text years ago that had a comic poking fun at some issues we had in the 1970's:

...A DC-10 airliner full of Firestone 500 tires loses an engine and crashes into the Three Mile Island nuclear power plant. The resulting fire is put out using asbestos blankets...

ActiveX + Flash + MS Office ... same damned thing.

Anonymous Coward

ASR sig from years ago.

"I would like to shake the hand of the man who first decided that e-mail clients should slice, dice and run arbitrary programs. Then I'd like to stir, blend and puree his hand."

-- J. D. Baldwin in the Monastery

takuhii

WHY IS FLASH STILL HERE!!!!

Why are people still using Flash?!!! I also find it odd that Adobe, who have publicly stated that Flash will not be developed anymore, STILL use it as the main interface for Scene7!!! WTF Adobe!!! WTF!!!!!

whbjr
Devil

Flash, Java, and IoT

In my workplace, which is so far from the cutting edge of technology that we can't even see the handle, we have a device which requires Flash for remote access... and of course, the people selecting this device claim to NEED remote access.

We also have a device which uses Java... but not any of the new versions, this requires Java from, as I recall, six or seven years ago. Thank goodness for archives of old versions of Firefox (and Portable Apps, so it doesn't interfere with newer versions)! This device does not have a physical control panel, and as far as we can tell there will be no updates to the firmware ("Buy our newer hardware, which is more expensive and not suited to your needs").
