Adobe Flash zero-day exploit... leveraging ActiveX… embedded in Office Doc... BINGO!

Stop us if you've heard this one before: An Adobe Flash zero-day vulnerability is being actively targeted in the wild to hijack victims' Windows PCs. Researchers with Gigamon Applied Threat Research (ATR) and Qihoo 360 uncovered a phishing campaign that exploits CVE-2018-15982, prompting Adobe to today release an out-of-band …

  1. bombastic bob Silver badge
    Facepalm

    Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

    what it says in the title.

    AAAARRRRRGGGGHHHH!!!!!

    (yeah it's a bit like Charlie Brown and Lucy Van Pelt and the football... the only way to win, is NOT to play)

    And *STOP* accepting e-mailed "office format" documents at the firewall!

    icon, because, facepalm.

    it's not like these 3 security craters haven't been KNOWN for DECADE(s).

    1. steelpillow Silver badge

      Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

      Yeah, but we have so much legacy flash/office stuff that our business depends on, we cannot just turn it all off.

      We are too dumb to plan migration to a secure policy. We just have to learn and not do it again. This time we really will learn, we really believe that.

      Except, we are still as dumb as Charlie Brown when it comes to being suckered one more time.

      BTW, it's spelled AUGH!

      1. Fred Dibnah

        Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

        I consulted some reference documents in The Beano and can confirm it’s definitely ‘Arrgh’

        1. Anonymous Coward
          Anonymous Coward

          Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

          Yes, but; Charlie Brown is in Peanuts, not The Beano, and they speak’n’spell a different dialect/accent in the USA!

    2. hellwig

      Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

      The problem is, some VP really needs that email from "Doctor@hospital.com" with a document titled "IMPOTENT: Concerning in regards of the health status - Pleas Read.docx".

      1. Teiwaz

        Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

        The problem is, some VP really needs that email from "Doctor@hospital.com" with a document titled "IMPOTENT:

        A shame, and end to his bloodline maybe, but not the end of the world - some of us don't get the opportunity to have offspring in the first place.

      2. mrobaer
        Coffee/keyboard

        Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

        I had one pleasant sip left, and now my laptop is wearing it. Thank you!

    3. chivo243 Silver badge

      Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

      Sounds like someone got the band back together!

    4. arctic_haze

      Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

      Exactly my thoughts. However ActiveX means IE is needed for this perfect storm of bugginess. Or am I wrong?

      1. Nevermind

        Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

        Nah, Word has a section called "developer" and in it are a whole selection of activeX non-goodies. I regularly receive embedded MS docs from an evilcorp that thinks it is the ballon de chien at security... cockwombles.

      2. takuhii

        Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

        You hit the nail on the head sir ;)

    5. Shadow Systems

      Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

      Bob, I've always wondered why Charlie didn't get sick & fekkin' tired of Lucy's constant bullshit with the ball, decide to get even for a change, & ignore the ball to kick her in the ass instead. Laugh as she screams a nice high arc over the goal posts, throw up the arms in classic Spanish soccer announcer delight & scream "GOAL!" at the tops of his lungs.

      But then I also wondered why Linus didn't pause in his piano playing at Lucy's interruption, tell her to fek off, then slam her nose in the key cover when she refused to leave him alone. "Listen bitch, the blade cuts both ways & NO MEANS NO! Go away! You're a bitch! Die already you cockwomble! AAAAHHHHH!"

      *Cough*

      I never did like that girl... =-Jp

      1. Chairman of the Bored

        Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

        All the girls in Peanuts seem a little over the line. It makes you wonder if Charles Schulz had some issues with a sister or something growing up...

      2. Florida1920
        Headmaster

        Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

        But then I also wondered why Linus didn't pause in his piano playing at Lucy's interruption
        The piano player in "Peanuts" was Schroeder.

        1. Shadow Systems

          Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

          At Florida1920, re: the piano player.

          Thank you for the correction. I blame my mistake on a lack of sufficient caffeine. =-Jp

    6. A.A.Hamilton

      Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

      Thanks for this very stark warning. As an 'adviser' to foreign students studying at UK Universities, I have become used to receiving significant volumes of MS Word documents, like theses, containing multiple media types. Is there a practical alternative? If not, what effective precautions can be taken?

      1. Anonymous Coward
        Anonymous Coward

        Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

        I have become used to receiving significant volumes of MS Word documents, like theses, containing multiple media types. Is there a practical alternative?

        I tend to open external docs with LibreOffice - it's about the strongest argument to have at least an install on the PC (and, let's face it, it doesn't burn a hole in the IT budget either).

        If not, what effective precautions can be taken?

        Start with killing off anything "automatic". Do some surfing, plenty of advice out there.

        And get rid of Flash. Just do it.

      2. Anonymous Coward
        Anonymous Coward

        Re: Flash, ActiveX, Office doc embedding/scripting - should already be DISABLED

        "If not, what effective precautions can be taken?"

        -------------------------------------------------------------------

        Run Linux with LibreOffice as your office suite, and a suitable email client (such as Thunderbird, though there are other choices) that includes support for PGP signing and encryption.

        Run necessary windows programs in wine, or if that won't work, a VM.

        Always run from a user level, nonprivileged account.

        Keep the software updated. Personally I like a rolling release for this, but you can use a point release and still be orders of magnitude better off, with perhaps a bit more stability, though proper testing should keep a point release distribution working reliably too. Just don't upgrade everything in the first week, except for 'hot' vulnerabilities.

        Always validate hashes on software.

        Run antimalware including antivirus and a web page scanner.

        Lock down default browsers with things like uBlock or NoScript.

        If something absolutely needs to be run, and run on Windows, run it in a VM.

        If you are concerned about a site, or particular data, access via a locked down Linux in a VM - possibly a read only distribution - and be ready to delete that VM and replace it with a clean backup.

        When feasible, use software in a VM to strip data down to macro free text files for documents and spreadsheets before moving to a filesystem accessed by your primary OS instance.

        Block ads and trackers with Ghostery, PrivacyBadger, and the like to reduce attack surfaces.

        Always run a VPN for anything outside your local network, or even on your local network, both to protect data and privacy and to reduce attack surfaces.

        Never connect to any network you or your competent IT staff do not control, without a VPN.

        When in doubt use a bootable read only Linux distribution.

        When travelling remove your HDD, and carry two or three Linux DVDs for appropriate uses (Tails, Knoppix, and Mint would be a good toolkit). Use the most restricted choice for your current task. Carry your data on a flash drive or SD card, encrypted with a travel only key. If need be, store the key on a secure internet accessible location, encrypted with a passphrase written down at your home or office, and nowhere else. Do not take the key across borders. Do not use your travel computer except while travelling (which means you could re-use the HDD elsewhere).
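A.A.Hamilton asks above what precautions can be taken with incoming Word documents, and the reply suggests stripping them down in a VM before they reach the primary OS. As an added example (not code from the article or from either commenter), here is a Python triage check that inspects an Office Open XML document for the embedded ActiveX controls, VBA projects and OLE objects that the article's attack chain relies on, so such files can be held back before anyone opens them; the two sample documents are constructed in memory, and treating legacy binary formats as "quarantine" is my assumption.

```python
# Added example (not from the article or any commenter). An OOXML file
# (.docx/.xlsx/.pptx) is a zip archive: ActiveX controls live under
# <part>/activeX/, macros in <part>/vbaProject.bin, OLE objects under
# <part>/embeddings/. The sample documents below are constructed.
import io
import zipfile

def _classify(member: str):
    # Map an archive member name to a risk category, or None if benign.
    lower = member.lower()
    if "/activex/" in lower:
        return "activex"
    if lower.endswith("vbaproject.bin"):
        return "vba"
    if "/embeddings/" in lower:
        return "ole"
    return None

def scan_ooxml(data: bytes) -> dict:
    """List risky members by category; ValueError if not a zip container."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (zip) container")
    found = {"activex": [], "vba": [], "ole": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            cat = _classify(name)
            if cat:
                found[cat].append(name)
    return found

def needs_quarantine(data: bytes) -> bool:
    """True if active content was found or the file cannot be inspected."""
    try:
        return any(scan_ooxml(data).values())
    except ValueError:
        return True  # assumption: legacy binary formats get the cautious answer

def build_docx(extra: dict) -> bytes:
    # Construct a minimal .docx in memory with the given extra members.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, payload in extra.items():
            zf.writestr(name, payload)
    return buf.getvalue()

CLEAN_DOCX = build_docx({})
# Constructed stand-ins: an embedded control plus an OLE object, no real payload.
CONTROL_DOCX = build_docx({"word/activeX/activeX1.xml": "<ax:ocx/>",
                           "word/activeX/activeX1.bin": b"\x00" * 16,
                           "word/embeddings/oleObject1.bin": b"\x00" * 16})
```

Run `needs_quarantine()` on each attachment at the mail gateway or in the sandbox VM; anything flagged is converted to plain text there rather than opened natively.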

  2. Anonymous Coward
    Anonymous Coward

    leveraging ActiveX

    "Leveraging"? Bloody "leveraging"? What are you, some kind of HR consultancy reject?

    1. steelpillow Silver badge
      Coat

      Re: leveraging ActiveX

      Probably thinks he's Archimedes.

      1. Inventor of the Marmite Laser Silver badge

        Re: leveraging ActiveX

        @steelpillow

        Screw that

  3. Pen-y-gors

    Qihoo 360?

    Having the same sort of availability issues as Office 361.5 ?

  4. Nick Ryan Silver badge

    ActiveX? Again. A ridiculously stupid idea from the outset... as in cobbling together one layer of dangerous instability on top of another layer of dangerous stupidity on top of another layer of dangerous stupidity?

    Combine with Flash? Seriously? The most insecure mess since, erm, anything else that came out of Adobe. Or Microsoft. or possibly Sun.

    What's the commonality in this mess? Largely unnecessary proprietary extensions in place of standards. It's not that standards based systems are invulnerable (far from it) but their legacy is much less. And they can be fixed. ActiveX can never be fixed - ban and block it. Flash almost certainly can never be fixed either. As for the other insecure stuff that comes out of Adobe, as in a document format (PDF reader) that suddenly "needs" Flash, JavaScript (homebrew abortion version of course) and local system access to all kinds of unnecessary resources... just no. No. never.

    1. Zippy´s Sausage Factory

      A load of Word plugins are ActiveX these days. As are a lot of Excel and Outlook ones. The "social connector" they bundle with Outlook that snoops someone's LinkedIn profile and annoys you with it is an ActiveX plugin.

      It's a technology they should have taken out and shot, years ago.

  5. sanmigueelbeer
    Trollface

    Flash quiz, genius: The answer to the riddle resides in this DOCX file. (Plus the location of the pot of gold.)

    C'mon, what's the worst that can happen? Don't hesitate. This offer won't last long.

  6. Shadow Systems
    Joke

    *Comical wailing & sobbing*

    I can't enjoy the fun zero day exploits with everyone else! No Adobe, no ActiveX, & no MS Word means I can't experience the fun. What shall I do?!?

    *Giant arcs of rainbow sparkly crocodile tears of sarcasm*

  7. elvisimprsntr

    So the key take aways are don't run:

    1. M$ Windows - Check

    2. IE - Check

    3. ActiveX - Check

    4. Anything from Adobe - Check

    5. M$ Office - Check

    1. phuzz Silver badge

      At this point it's quicker to make a list of software that's not vulnerable. Full list presented below:

      .

      .

      .

      .

      .

      .

      .

      .

      .

      .....errrm

  8. Anonymous Coward
    Anonymous Coward

    Monsieur, a wafer-thin link?

    Oh sir! It's only a tiny little thin one.

  9. ElReg!comments!Pierre

    or just dump the damn thing already.

    Which one?

  10. naive

    Thank you VmWare and MS-Edge

    Which either require flash to be working, or use it as an unavoidable plugin in the browser.

    Americans are quite trigger happy when it comes to punishing people guilty of repeated offenses, I don't understand why everyone working at Adobe is not in jail, together with a restraining order for coming close to any computing device.

    1. Anonymous Coward
      Anonymous Coward

      Re: Thank you VmWare and MS-Edge

      There is a Flash-free version of VMware vSphere now, and it’s substantially less clunky, too. (But, yes, why an admin interface for sysadmins, and often used from less, pardon the pun, flashy unix workstations was built around Flash in the first place is somewhat mind-boggling.)

  11. mark l 2 Silver badge

    Another security fail from MS and Adobe. Why is Active-X even switched on by default since it pretty much died when IE? The 1% of people that actually need Active-X on should have to enable it rather than it be a gaping hole ready to be exploited by any bad actors.

    As for Flash, DIE, DIE, DIE! I wish Google would remove Flash support from Chrome, as this would force those developers who are hanging on to it to finally do something about moving to HTML5. Or risk the majority of users not being able to access their websites.

  12. Anonymous South African Coward Bronze badge

    ActiveX = CaptiveX

  13. jms222

    Fly on wall

    Not that I want to use it but I'd be really interested to

    a) see the source code and

    b) know what goes on inside Adobe

    for Flash.

  14. Anonymous Coward
    Anonymous Coward

    BBC

    Why do the BBC insist on installing this?

    Instead of wasting time and money on "Sounds" they should fix this now.

    1. N2
      Devil

      Re: BBC

      Agreed,

      I look forward to the day they are forced to change, but that seems par for the course for them.

  15. TVU Silver badge

    Adobe Flash zero-day exploit...

    Adobe Flash's end of life is thankfully scheduled for the end of 2020 and so that's only just over two years to wait until that joyous day.

    1. A.P. Veening Silver badge

      Re: Adobe Flash zero-day exploit...

      Adobe Flash's end of life should have been about ten years ago as it was already totally bug infested at that time.

  16. Triumphantape

    Why?

    Why does Flash still exist?

    1. Anonymous Coward
      Anonymous Coward

      Re: Why?

      So us Queen fans can still say "Ahaaaaaa". There's really no other remaining value IMHO.

      :)

  17. Mike Moyle

    "Adobe Flash zero-day exploit... leveraging ActiveX… embedded in Office Doc..."

    Sounds like a player's guess in that new fun-for-the-whole-family game "(Haven't A) Clue"!

  18. Anonymous Coward
    Anonymous Coward

    That's what Security is for?

    Why won't my AV / Behaviour Blocker / Exploit protection software / Firewall / Download scanner in browser / uBlock Origin all together or individually detect and prevent flash and active control related malware? Serious question.

  19. Wowbagger123

    I haven't used Flash for a good number of years now. Don't need it or its vulnerabilities.

  20. Chairman of the Bored

    I just remembered what this trifecta reminds me of...

    ...I had an engineering ethics text years ago that had a comic poking fun at some issues we had in the 1970's:

    ...A DC-10 airliner full of Firestone 500 tires loses an engine and crashes into the Three Mile Island nuclear power plant. The resulting fire is put out using asbestos blankets...

    ActiveX + Flash + MS Office ... same damned thing.

  21. Anonymous Coward
    Anonymous Coward

    ASR sig from years ago.

    "I would like to shake the hand of the man who first decided that e-mail clients should slice, dice and run arbitrary programs. Then I'd like to stir, blend and puree his hand."

    -- J. D. Baldwin in the Monastery

  22. takuhii

    WHY IS FLASH STILL HERE!!!!

    Why are people still using Flash?!!! I also find it odd that Adobe, who have publicly stated that Flash will not be developed anymore, STILL use it as the main interface for Scene7!!! WTF Adobe!!! WTF!!!!!

  23. whbjr
    Devil

    Flash, Java, and IoT

    In my workplace, which is so far from the cutting edge of technology that we can't even see the handle, we have a device which requires Flash for remote access... and of course, the people selecting this device claim to NEED remote access.

    We also have a device which uses Java... but not any of the new versions, this requires Java from, as I recall, six or seven years ago. Thank goodness for archives of old versions of Firefox (and Portable Apps, so it doesn't interfere with newer versions)! This device does not have a physical control panel, and as far as we can tell there will be no updates to the firmware ("Buy our newer hardware, which is more expensive and not suited to your needs").
