back to article Nork hackers exploit Flash bug to pwn South Koreans. And Adobe will deal with it next week

Adobe will next week emit patches to squash a security bug in Flash that can be exploited by malicious webpages and documents, when opened, to hijack and spy on vulnerable computers. The flaw is being abused right now by North Korean hackers to infect victims' PCs. You should update your browser or Flash installation – if you' …

  1. robidy

    You have to wonder why Microsoft has built it into it's desktop and server range...epic fail..or time for foil hat...

    1. Anonymous Coward
      Anonymous Coward

      "You have to wonder why Microsoft has built it into it's desktop and server range"

      On Windows 10 Flash is only enabled by default on a list of trusted sites. And it doesn't run stand alone so this exploit will presumably only work via Excel on OSs that have the full Flash version from Adobe installed. On Windows server 2016 Flash is not enabled at all by default.

      1. JLV

        But it cant be uninstalled from Edge so, if you're security conscious and still on Windows, it's hardly reassuring to have to rely on MS not dropping the ball.

        It's pointless and has little place anywhere in 2018, least of all in a builtin browser (or on the BBC).

        >On Windows server 2016 Flash is not enabled at all by default.

        Really? The mind boggles what Flash should be doing preinstalled on a server in the first place.

        1. Anonymous Coward
          Anonymous Coward

          "The mind boggles what Flash should be doing preinstalled on a server in the first place."

          It isn't installed by default on Server 2016. You don't even have a browser in the default install.

          1. Anonymous Coward
            Anonymous Coward

            You do, you just can't run Edge as Administrator.

            Presumably there have been no privilige escalation bugs on server 2016.

            1. TheVogon

              "You do, you just can't run Edge as Administrator"

              No you dont. You don't even have a GUI by default on Server 2016. Or a browser.

            2. bombastic bob Silver badge
              Unhappy

              "Presumably there have been no privilige escalation bugs on server 2016."

              Spectre is still a possible attack vector. Just sayin'

        2. TheVogon

          Here's how to disable Flash in Microsoft Edge:

          Click the menu button in Edge. It's the three dots in the upper right corner.

          Select Settings from the menu.

          Click the "View advanced settings" button. You'll have to scroll down a little bit to find it.

          Toggle "Use Adobe Flash Player" to off.

          1. JLV

            txs. very rarely run IE or Edge. mostly Firefox. so only noticed un-uninstallable.

            bit like Java 8, possibly 9 too, on OSX, the un-uninstallable bit ;-)

        3. bombastic bob Silver badge
          Unhappy

          "The mind boggles what Flash should be doing preinstalled on a server in the first place."

          This entire situation boggles the mind!

          Keep in mind that in S. Korea, they used to require ActiveX to do ANY kind of online banking. This is partially the fault of the USA, since prior to the late 90's, encryption technology stronger than 60-bit DES couldn't be exported. in the mean time, S. Korea developed its OWN system for banking, USING! ActiveX!! Yes, it's way MORE insecure than Flash.

          And so I have to wonder whether or not, in 2018, banking transactions are STILL using something *like* ActiveX, but via Flash instead... and is THAT the target of the Nork cracking activity??

          I'm being lazy and not googling for all of this, so my apologies ahead of time if I got any of these details wrong. Old brain cells sometimes have parity errors.

          1. bombastic bob Silver badge
            Devil

            should've looked on El Reg

            https://www.theregister.co.uk/2015/04/02/south_korea_to_deport_microsoft_activex/

            not sure if Flash is involved in its replacement, though. however, I wouldn't be surprised...

  2. Planetary Paul

    Flash, begone in a flash

    I have been flash free for about a year now and not once have I needed it to be installed. Of course YMMV, but I'd say get rid of it.

    1. Ian Mason

      Re: Flash, begone in a flash

      Ditto. Been Flash free on this machine since July last year and there hasn't been one occasion where I even needed to notice that it wasn't installed - except when I read about the latest bug/exploit and then I remember that it's not installed and feel smug.

    2. bombastic bob Silver badge
      Devil

      Re: Flash, begone in a flash

      "I have been flash free for about a year now"

      HTML5 has been around way longer, and I set "the default" in my browsers for it because I _had_ to. Flash plugins on FreeBSD have always been flaky and when some changes made GNASH stop working, and GNASH development was basically abandoned, I gave Flash the big middle finger and now disable it, everywhere. It's been several years, now... really since HTML5 was on Youtube.

      [a 2015 article says that youtube "now streams HTML5 by default" and that youtube had support for HTML5 back in 2010 - that would be about right, yeah]

  3. DavCrav

    There are so many bugs in Flash, the question has to be asked: is there any code that isn't a bug?

    1. Mark 85

      There might just be a bit. I think it's the one that some sites use that still ask you download it and then when you get the Flash part, it asks (well actually you need to uncheck the box) to install McAfee or some other bit of nonsense.

  4. Lord_Beavis

    Flash?

    Aaaaaa aaaahhh

    Sorry, just had to do it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Flash?

      Zero Day of the Universe

      Flash a-ah

      It'll bork every one of us

      1. Anonymous Coward
        Anonymous Coward

        Re: Flash?

        Zero Day of the Universe, Flash a-ah, It'll bork every one of us

        That's a very promising start, gentlemen! How about doing the whole song?

        1. Anonymous Coward
          Anonymous Coward

          Re: Flash?

          Challenge accepted.

          (Seemingly there is no reason for these extraordinary intergalactical upsets)

          (Ha Ha Ha Ha Ha Ha Ha)

          (What's happening, Flash?) (note the extra comma)

          (Only Doctor Hans Zarkhov, formerly at Adobe, has provided any explanation)

          Flash a-ah

          It's a miserable

          (This morning's unprecedented adobe exploit is no cause for alarm)

          Flash a-ah

          Fix of the impossible

          It's for every one of us

          Crash for every one of us

          He save with a mighty hand

          Every man, every woman

          Every child, with a crappy

          Flash

          (General Kala, Flash bug approaching.)

          (What do you mean Flash Bug approaching? Open firewall! All weapons! Dispatch war rocket McAfee to bring back it's body)

          Flash a-ah

          (Flash's alive!)

          Flash a-ah

          It'll malware every one of us

          Just an app

          With an app's exploits

          You know he's

          Nothing but a app

          And it can always fail

          No one but the pure at heart

          May find the Golden Grail

          ...Oh..Oh........Oh..Oh....

          (Flash, Flash, I hate you, but we only have fourteen hours to patch the Earth!)

          Flash

          1. Anonymous Coward
            Anonymous Coward

            Re: Flash?

            I prostrate myself before your lyrical talent, and nominate you for Comment of The Year So Far.

            Now, onwards and upwards: Who's going to sing that, and risk a copyright infringement rap by dubbing it over the original music vid and posting to Youtube?

          2. bombastic bob Silver badge
            Devil

            Re: Flash?

            if I had the time to devote to it I'd start on the guitar part right away, and add the 5 or 6 Freddy-like vocal tracks [I think Freddy used to do all of the harmonies himself]. Interesting thing I've discovered, Freddy's overbite was a key factor in his vocal sound. I've actually tried using an ace bandage around my lower jaw, to temporarily re-create the overbite, so I can do a good Freddy impersonation. it sorta works... but is painful.

            (no, seriously, I _DID_ try that, with only limited success, and I'll never try it again).

  5. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    And the biggest offender Award goes to....

    Education!

    Govt agencies / Private Firms don't care, don't think about liability, don't have time / budget to go back and fix large programs of online courses and tests etc. Its a nightmare for me as its the area where my SO works....

    So I'm constantly fighting the decisions her organization takes. Flash is needed on every machine and often for new unexpected sites too. So white-listing isn't the savior you'd hope for. They even use Googhoul-docs for everything. Welcome to slurp-ville folks! How f'in lazy is that! It gets worse too.. They insist that students install Java as a prerequisite... But they haven't audited their courses in years to see which actually need it. 99% of courses don't. So WTF??? Wake up education tech support!

    Education bodies are often government run / sponsored as well, so you can imagine, changing hearts and minds, or creating awareness, isn't something that's comes easily. My workaround so far, has been to dual-boot Mint, and seal-off the Windows partition by hibernating it. This has drawbacks obviously, you can't share your old files etc.

    Plus the Mint's + Adobe flash downloader doesn't work and is seriously out of date anyway (had to stumble around looking for old canonical links as Mint's Software Manager doesn't help here). I can nuke Mint occasionally if it catches something, that is unless its rootkit based, then I'm probably screwed!....

    1. veti Silver badge

      Re: And the biggest offender Award goes to....

      Makes sense. It's a sector where people are most likely to be encouraged/forced to use shit that they personally had no hand in making, that's never been properly vetted or audited, and doesn't even have any proper trail of accountability showing who chose it in the first place.

      As a result of which, if a teacher does have reservations about a particular course or resource, there are many lines of resistance to challenging it that kick in automatically, quite regardless of what it is:

      1. That's mandated by (insert agency here). Or at least we think it is, frankly the guidance is so vague it's very hard to tell, but we know that if we get it wrong we'll be subject to months of inspections and possibly loss of funding, so how strongly do you feel about this exactly?

      2. That was licensed back in 2013, we don't have the budget to review or replace it

      3. That is approved by (insert agency here), it represents the latest and best thinking and it knows far better than you do (pleb)

      4. All our other course materials are designed around that. Taking it out would leave a hole that would take months of work to plug, and nobody has time for that.

      5. Yes, we hate that too, but Mr Awkward the deputy head likes it and if we try to scrap it, he'll retaliate by pulling our licenses for these other resources and demanding a full review

      6. I've only been doing this job a couple of years, I don't know which of (1-5) applies in this case, but I'm pretty sure at least one of them does.

  7. thames

    Does it even work on Linux?

    El Reg said: "The Photoshop maker said that – so far – only Windows machines have been attacked, although Windows, Macintosh, Linux, and Chrome OS systems are potentially vulnerable."

    I'm using Ubuntu 16.04. I just had a look in the user reviews in the Ubuntu Software Centre (software installation manager) and most of them are saying it doesn't work. I looked at quite a few reviews, but found only two who said it worked (the most recent from a year and a half ago), but they didn't have anything positive to say about it. I think the ones who did have it were using Ubuntu 14.04, so I have serious doubts that many Linux users these days have Flash installed.

    I haven't had Flash installed in many years, and it is very rare that I see any web sites that make any use of it at all. For some years now the main laggards still using it tended to be ads, and quite frankly I didn't miss them at all.

    If you've got it installed, you can almost certainly just delete it (if you can) without missing anything of value. For the very, very, few people who have a legitimate application for it, you're going to have to find another solution before too long anyway when Adobe finally pulls the plug on it and all the browser vendors blacklist it from being installed at all.

    1. Voland's right hand Silver badge

      Re: Does it even work on Linux?

      I just had a look in the user reviews in the Ubuntu Software Centre (software installation manager) and most of them are saying it doesn't work.

      Works here (100% Debian household). I have to keep it because of several education sites that still rely on it.

      It will be gone the moment 3PLearning finally switches to HTML5.

  8. Michael Thibault

    Unfortunately, the bullet intended for Flash...

    is moving slowly; it will take 1000+ days for it to arrive.

    If Adobe were a tad more responsible they'd make the imminent demise of Flash a visible, obvious part of the update process. And start stripping functionality from it with each iteration. And build into it a suicide gene that completely erases the f*in' thing after the last day of 2020. And let users know that that's the future.

  9. Winkypop Silver badge
    Devil

    Nike - Just do it

    Flash - Just don't do it

  10. Anonymous Coward
    Anonymous Coward

    Accumulated cost of Adobe vulns

    Given the long and shameful history of code vulnerabilities in Flash and Acrobat, I idly wondered what the aggregate global costs were of Adobe's repeated failure to fix their shonky software. So that'c the cost of clean up efforts, IP losses, fraud enabled by Adobe,

    I'm guessing of the order of high double digit billion dollars wasted, just because of one tosspot company. Maybe Adobe should register the slogan "Internet scumbags: Powered by Adobe".

  11. Mr Dogshit
    1. bombastic bob Silver badge
      Pint

      thanks. beer?

  12. Anonymous Coward
    Anonymous Coward

    devil's advocate

    I am not particularly fond of flash, but I can't understand this long standing flash-bashing. Have you actually suffered (or know of one who did) a loss due to a flash vulnerability? Or is it just news stories of "north Korean hackers did it somewhere"?

    or how about the other "scare story du jour", spectre and the rest of it, we have a whole industry in turmoil just because of a theoretic threat that will not touch 99% of people's computers

    give bugbears a rest, register et al!

  13. wolfetone Silver badge

    Evidence

    This line I found ammusing:

    "The flaw is being abused right now by North Korean hackers to infect victims' PCs."

    When you consider one of the software titles released under the Vault 7 leaks allowed the NSA to "spoof" the location of attacks, it makes one wonder whether North Korea are doing these attacks at all and not someone else.

  14. Anonymous Coward
    Anonymous Coward

    Flash vs Java

    $CORP is rolling out an updated enterprise-wide web app that all employees must use.

    They just switched from Java to Flash for the UI. It's 2018, right?

    (eyeroll)

    1. bombastic bob Silver badge
      Facepalm

      Re: Flash vs Java

      "They just switched from Java to Flash for the UI"

      /me flips upside down like an anime character

      icon, because, facepalm too

  15. Anonymous Coward
    Anonymous Coward

    Emitting

    We need more of that.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like