Emergency patch issued for Flash

Next story

Image

Adobe have released an emergency patch for Flash Player after evidence of “limited, targeted attacks”. Limited or not it’s a serious issue in such a ubiquitous product. How can individual users and business protect themselves?


It’s safe to say that every Internet user has at some point interacted with Adobe Flash Player: it’s used to display various videos, animated ads and other such web-based content.

Anyone familiar with Info security will also most likely be aware: let’s just say it isn’t the first time that Flash has featured on the front page of my news sites for all the wrong reasons.

This time it’s a pretty serious one, as illustrated by the “limited, targeted attacks” and “emergency” patch, and users are being prompted to update immediately. Which you can check here

In terms of what the exploit is capable of we are talking full control of the target system on Windows, Mac, or Linux. Not good. Although Flash have been fairly quick to react.


Repeat Offender


Mark James, ESET security specialist, explains why Flash is such a target and how to update. Mark’s comments can also be seen on the BBC and many other news outlets here.

“Since Flash is such a widely used plugin it stands to reason that it will be one of the most targeted apps for vulnerability.

“This is an excellent example of why you should be very aware of updates for software not only operating systems. Checking to see if any updates are available are installing them immediately is the only way to help to protect yourself in the minefield of the software world that we use today.

Use the link already posted above to ensure that you are using the most up-to-date version of Flash.

A good way to minimise the effects that a Flash bug can have is to enable “click to play”. This can be done in most browsers and simply stops Flash, and other plugins, from running automatically. Of course if a legitimate site is compromised then you might still become infected but it will certainly help if you are redirected to a dodgy website or with nasty pop-ups.


Flash: Exposing Your Business


Wouldn’t it just be simpler to remove Flash completely? Rather than having to shut any back door into your system you could just brick it up and be done with it.

“It’s unrealistic: many solutions use Flash for video and or audio that banning it would probably cause more problems than controlling the updates.

“End user’s just want their content delivered, they don’t want nor understand the hassle of using alternate software to achieve the same goal. Having said that Flash is not as commonplace as it used to be and is now thankfully being superseded by HTML5,” click-to-play will also help with mitigating your potential infection vectors.

The first steps and another extremely valuable method of avoidance when it comes to Flash exploits, and any other malware for that matter, is “awareness and education”.

Awareness being the ability for the average user to spot potential phishing email, fake websites, or other attacks and sufficient education of what to do once something has been spotted.

The key to both awareness and education is knowing where you are vulnerable and how it can be exploited as Mark explains.

“Attackers are able, through a phishing email, to direct the end user to a compromised server/website hosting scripts that will, after checking your systems are vulnerable, download a malicious Adobe Flash SWF file that if successful will inject a backdoor known as SHOTPUT onto your system.”


Join the ESET UK LinkedIn Group and stay up to date with the blog. If you’re interested in seeing where ESET has been featured in the news then check out our new ‘In the news’ section.


Do you use ‘click-to-play’? Would you be willing to go without Flash?