Serious Flash vulnerability fixed by Adobe within hours

Adobe has acknowledged a serious vulnerability in its Flash player plugin and has issued a fix to address the issue within hours of a report published by security software firm, FireEye.

According to FireEye, the zero-day exploit was used by attackers to target visitors of the websites of three nonprofit organizations; Peterson Institute for International Economics, American Research Center and Smith Richardson Foundation. The visitors to these websites were redirected to an exploit server using code-injection.

FireEye has identified the attack as codename GreedyWonk and believes that the perpetrators who allegedly speak Chinese, "have sufficient resources (such as access to zero-day exploits) and a determination to infect visitors to foreign and public policy websites." The attackers behind GreedyWonk are likely seeking sensitive government data similar to a recent report, as two out of the three websites deal with matters of national security and public policy.

The exploit is reported to affect users with Windows XP, Windows 7 running Java 1.6 and those running Microsoft Office 2007 or 2010 without the latest updates. Adobe has been quick to update Flash player with a fix for the reported exploit and has urged users to update the plugins in case they have disabled the automatic updates.

Source: V3 | Security image via Shutterstock

Report a problem with article
Previous Story

YouTube gets a redesign aimed at large screens, still not there yet

Next Story

Samsung drops a new teaser video for Galaxy S5 ahead of Monday's reveal

25 Comments

Commenting is disabled on this article.

I try not to use flash even though the 2 browsers I use have it built in I try to use HTML5 sites when I can. and try to stay away to flash sites

Microsoft needs to make a package repository which allows auto updates as easy as running 'apt-get update' cause having a million auto updaters running in the background, each requiring user interactions to work, ####ing sucks.

I run apt-get on linux and the whole system os patched and updated cleanly with the latest builds of ALL installed apps/packages... its also waay easier to install new packages. 'Apt-get install flash' installs flash for example, in which it stays updated every time the update command is run (which can be automated with a script/crontab).

The point of this is to make updating easier, and pushing through 0 day updates more streamlined. A push notification feature should be added to even force remote updates to new builds, so everyone is always running the defacto latest.

This should make security that much easier cause hardly no one will be running old builds of anything anymore.

Also, how long did this exploit exist? Like probably years, so whoever found it first could have been using it for ages to exploit people. Lololol at this ####, like all security issues they go years and years before getting fixed or discovered.

Edited by nullie, Feb 21 2014, 3:34pm :

nullie said,
Microsoft needs to make a package repository which allows auto updates as easy as running 'apt-get update' cause having a million auto updaters running in the background, each requiring user interactions to work, ####ing sucks.

While I agree it's convenient to have just one update mechanism, that's just not realistic. There's a bajillion Windows applications all done by different companies, and a like number of users. That's going to be seriously expensive in hosting/storage and bandwidth costs.. who's going to pay for that? Who's going to force each and every author to sync their software to that? Probably going to be all sorts of antipiracy complaints as well, never mind if they did do something like this (which they're already doing with Windows 8.x stuff), then it'll be all sorts of evil Microsoft complaints, walled gardens, etc etc.

Its not actually that much storage, companies like Microsoft and Google already given away hundreds of Gigabytes to people for free, and are using it to store our data in secret or through the use of their services. It doesn't cost them hardly a thing, they just have to built the software to do it.

The system could be changed to distribute new dll s and libaries, exe, snd content files to all machines through a unicast system, maybe adding cache layer on each ISPs network like DNS to reduce bandwidth needs, like a big NNTP or DNS system.

I truly am not seeing the issues you see with it. We could certainly add some sort of license verification, but then again I am not even one to care about software piracy. Like #### copyright and patents, I vote to not recognize those things. I happen to know people will still write books software and make music and movies, and make money off them, even If there is no copyright or methods of information censorship. People are already into it amd generate tons of content with no expectation of a monetary payment for example, and this is the model that deserves to succeed.

Edited by nullie, Feb 21 2014, 9:39pm :

*sigh* The world would be a much better place without Flash and Java! - There's really no need for either in this day and age! Seriously, what can Flash actually do that HTML5/CSS3/JS can't!?!

GreatMarkO said,
*sigh* The world would be a much better place without Flash and Java! - There's really no need for either in this day and age! Seriously, what can Flash actually do that HTML5/CSS3/JS can't!?!

Flash works the same on every browser.
html5 still doesn't work the same everywhere (lots of browser specific bugs, prefixed implementations, ...).

for example if you want some 3d rendering, your need flash to target all browsers as Safari on osx, and previous versions of IE don't support webGL. And even Chrome/firefox are likely to have compatibility and performance issues (see the number of people complaining of the new google maps being slow due to the use of webGL).

same for audio processing. It's highly crappy on most browsers.

not to mention the lack of MPEG4/MP3 support on some browsers.

Flash does not work on mobile.

The W3C did standardize on HTML 5 and CSS 3 for basic things. Advanced stuff like animations and stencils in WebGL are still being worked on. But IE 9 with its very basic and primitive HTML 5 supports h.264 fine. DRM also is in the spec too.

Really it is old XP users and corporations who lock things down to IE 8 because well ... it is what they are used too thanks to IE 6 from last decade.

Until things change users won't. It is 2014 and we should NOT be using flash at this time. Not to sound like a rapid IE hater, but if it never existed flash would have died in 2010. Old releases are endemic for that browser compared to others.

sinetheo said,
Flash does not work on mobile.

and that's the reason why websites with premium content don't work on mobile.

all these sites require flash player because they can't serve unprotected music and video (music streaming sites, video on demand, ...) since the content creators forbid it.

the only alternative is to build platform specific (ios, android, wp) apps to allow content to be viewed without disclosing an unencrypted stream that would be too easy to download and save with basic tools.


The W3C did standardize on HTML 5 and CSS 3 for basic things. Advanced stuff like animations and stencils in WebGL are still being worked on. But IE 9 with its very basic and primitive HTML 5 supports h.264 fine. DRM also is in the spec too.

the w3c did NOT standardise the video and audio codec to use, making the whole thing an useless mess.

it's only a few months ago that Firefox decided to finally support MPEG4 video using the underlying platform codecs, which means it doesn't work on XP.


Really it is old XP users and corporations who lock things down to IE 8 because well ... it is what they are used too thanks to IE 6 from last decade.

if content provider want to switch to HTML5 video, they can do so while still supporting IE6-8 through flash fallback, without requiring an additional format (like webM).


Until things change users won't. It is 2014 and we should NOT be using flash at this time. Not to sound like a rapid IE hater, but if it never existed flash would have died in 2010. Old releases are endemic for that browser compared to others.

if IE didn't exist, browsers would still be slow as hell when doing graphical/video rendering.

remember when IE9 was released in 2011. At that time people were saying that chrome/firefox supported HTML5 canvas and video well before IE.

but as benchmarks have demonstrated, both Firefox and chrome really sucked at doing multimedia rendering. They were much slower than IE9 or equivalent rendering in Flash, and chrome didn't even support compositing videos. That means that even though Google/mozilla like to brag about being the first in implementing things, their browser were nowhere ready to do in html5 in 2011 what was being done in Flash since 2005.

many benchmark have showed that flash player was much faster than chrome/firefox/opera at rendering video and animations.
http://www.themaninblue.com/writing/perspective/2010/03/22/

even today Flash Player is still faster and offer more media capabilities than HTML5.

and the real reason why flash will still be there in 5 years: DRM support.

DRM support in HTM5 is a mess. The w3c didn't not standardise content decryption modules, which means that Chrome's DRM support is incompatible with IE11's DRM support.
and mozilla said they don't plan to support DRMs.

so please stop saying crap. The reason people still use flash is not because of IE, it's because HTML5 is still unable to compete.

native apps on mobiles are more likely to compete with Flash than HTML5, because they provide more platform capabilities and performance.

Step 1 on any computer
-Install flashblock and or adblock

Targeting web browsers is so last decade. With flash and java they target that and get all 3. I hate flash! Shoot youtube had HTML 5 mode for 5 years now and yet it still says flash required and lazy users wont leave IE 8 which is why it is still around.

... and the fact advertisers love it too and send annoying ads.

If only MS responded so quick with a Windows update for IE rather than wait a freaking month and leave their users to the wolves.

sinetheo said,
Step 1 on any computer
-Install flashblock and or adblock

Targeting web browsers is so last decade. With flash and java they target that and get all 3. I hate flash! Shoot youtube had HTML 5 mode for 5 years now and yet it still says flash required and lazy users wont leave IE 8 which is why it is still around.

... and the fact advertisers love it too and send annoying ads.

If only MS responded so quick with a Windows update for IE rather than wait a freaking month and leave their users to the wolves.

IE8 users are not the reason.
Flash is still around because everyone uses it. Even google does.

if you switch to youtube html5 mode, you'll see that some videos won't play without flash, because Google prefers the use of Flash to display advertisements on top of some videos, something that some browsers don't handle properly in html5.

the lack of standardised DRM support in web browsers is also the reason why legit streaming sites can't stop using Flash.

IE 8 is the reason it is still around PERIOD.

HTML 5 h.264 has been around for a half a freaking decade already. Flash is a cheap way to hide ancient browser lack of functionality.

Back before IE 6 I remember if you had a browser more than 2 years old you could not go on the internet. Now everyone is locked into browsers and fear changes. The blame on IE 6 was causing it. Now it is corporations who freak out if they have to update every 2 years. Chrome put fire to change things more rapidly which is why Firefox updates quick now too.

There are ways to convert hte videos to a new format. When sites finally leave the 1990s behind and use modern web standards the users and corporations will begrudgingly switch.

MS is on a cycle of annual updates now for IE but still corps are used to +10 year browser cycles left over from IE 6 and websites like youtube still wont get with the times which creates the perpetual cycle.

Misleading title.

the 0day exploit was detected and reported to adobe on 8 days ago.

FireEye has waited for a patch to be available before publishing their report. That's not the same as "fixing within hours"


in addition, the last paragraph is poorly worded :

In addition to Flash, the exploit is also reported to affect users with Windows 7 running Java 1.6 and those running Microsoft Office 2007 or 2010 without the latest updates

the Flash flaw can currently be exploited on these platforms:
-windows XP
or
-windows 7 if java 1.6 or office 2007/2010 is installed. Installing all the security updates of Office 2007/2010 breaks the exploit. Using IE10/11 also breaks the exploit even if you're using an unpatched Office2007/2010 because since IE10, IE forces the ASLR on every plugin even if not marked as ASLR-compatible.

and of course, running Microsoft EMET also breaks the exploit.

Here's the thing, I'm all for Security updates, no soft is perfect, the more complex the more hard to maintain.

But in the last 2 months it's been a joke, seriously it has.

Adobe engineers, YOU are are a security joke, don't you guys have pride on what you do???

If it's lack of manpower or resources, use the Internet and make your bosses become on the spotlight.

Digitalfox said,
Here's the thing, I'm all for Security updates, no soft is perfect, the more complex the more hard to maintain.

But in the last 2 months it's been a joke, seriously it has.

Adobe engineers, YOU are are a security joke, don't you guys have pride on what you do???

If it's lack of manpower or resources, use the Internet and make your bosses become on the spotlight.

Flash doesn't have that many flaws compared to other equally complex products.

it's their market share that makes finding flaws very attractive.

as for Java flaws, Flash flaws have the potential to infect any browser on any platform.

that's much more interesting than targeting a browser that has less than 20% of market share.

Another day, another security hole in Adobe Crash Player. No change there then.

It's the multimedia plugin with more holes than Swiss cheese!

DJGM said,
Another day, another security hole in Adobe Crash Player. No change there then.

It's the multimedia plugin with more holes than Swiss cheese!


actually, webkit has even more security flaws than Flash Player.

but the main difference is that Flash Player is installed on 95% of machines, even in the enterprise market, whereas Chrome/Safari usage in enterprise is pretty low.

that's why hackers usually target old IE versions, adobe reader, flash, and java when they want to target an enterprise.

targeting Firefox, chrome, safari, lynx, foxit reader or whatever else won't allow them to infect enterprise users because enterprises are unlikely to use these products.

link8506 said,


actually, webkit has even more security flaws than Flash Player.

but the main difference is that Flash Player is installed on 95% of machines, even in the enterprise market, whereas Chrome/Safari usage in enterprise is pretty low.

that's why hackers usually target old IE versions, adobe reader, flash, and java when they want to target an enterprise.

targeting Firefox, chrome, safari, lynx, foxit reader or whatever else won't allow them to infect enterprise users because enterprises are unlikely to use these products.

Citation?

Chrome runs with ASLR, sandboxed, and in lowrights mode on Windows 7 and higher with file access at all outside of %appdata file. It makes it more secure unless you run it on XP of course.

At work it makes sense to not install flash as system administrators are always months to years behind security updates and do not have time to do their jobs as the MBAs understaff and treat them like cost centers that add no value. The only use for flash I can see is the marketing department looking at commercials and uploading them to youtube.

Reader is the plague too. I used to never install it until I had a client with a custom actionscript timecard macro that would only run in it. I have it set to disable inside web browser in preferences and use the built in one in Chrome.

DJGM said,
Another day, another security hole in Adobe Crash Player. No change there then.

It's the multimedia plugin with more holes than Swiss cheese!

Don't have to uninstall it... just install the Flash Block extension... and you are good to go.

shozilla said,

Don't have to uninstall it... just install the Flash Block
extension... and you are good to go.


I never actually said anything about uninstalling it though. While so many websites still use Flash,
keeping Adobe Crash Player installed has become a necessary evil. As for the security, or lack
thereof, Flash has become as bad for security holes as IE used to be, if not worse.

DJGM said,

I never actually said anything about uninstalling it though. While so many websites still use Flash,
keeping Adobe Crash Player installed has become a necessary evil. As for the security, or lack
thereof, Flash has become as bad for security holes as IE used to be, if not worse.

Crap.. I got the wrong person / wrong reply button.... it was for Rudy.

DJGM said,

I never actually said anything about uninstalling it though. While so many websites still use Flash,
keeping Adobe Crash Player installed has become a necessary evil. As for the security, or lack
thereof, Flash has become as bad for security holes as IE used to be, if not worse.

every software has lots of security holes.

and believe it or not, IE6 actually had less security flaws than Firefox over the last 10 years.

the only difference is market share. Lot of hackers are looking for 0day flaws that can allow them to target >50% users in one shot.

IE, flash, java flaws are good candidates for that.


if Flash was installed on less than 20% of machines, you would rarely hear about 0day flash player exploit. You would surely say it's a safe product.

sinetheo said,

Citation?

look the browser flaws statistics on sites like Secunia.

you'll see that products considered as "secure" actually have almost as many, or more critical flaws as product considered as insecure.

the main difference is who finds these flaws. Malicious hacker spend more time searching for flaws in IE/Adobe Reader/Flash than they do for Firefox/Chrome/Opera.

but when there are security contests, all browsers get equally owned, because that's the only situation where market share doesn't matter.


Chrome runs with ASLR, sandboxed, and in lowrights mode on Windows 7 and higher with file access at all outside of %appdata file. It makes it more secure unless you run it on XP of course.

IE does, too.
IE is sandboxed since IE7/Vista (the sandbox has been improved in windows 8)
IE8 was the first browser to fully support ASLR and DEP.

still, through kernel bugs, process broker flaws, and some plugin flaws, sandbox escapes are possible, and at every hacking contest browser sandboxes are bypassed.

of course working exploits are harder to develop for chrome/IE10 than firefox/IE6.

But my point is that fundamentally chrome developers are not magically better than adobe developers.

both tend to introduce accidentally as many flaws.

that's why shooting on adobe or MS developers is unfair.


At work it makes sense to not install flash as system administrators are always months to years behind security updates and do not have time to do their jobs as the MBAs understaff and treat them like cost centers that add no value. The only use for flash I can see is the marketing department looking at commercials and uploading them to youtube.

the exploit targeting Flash (and the other exploit targeting IE10 last week) both were designed to infect specific entities in mind.

the US army, and some entities related to defense.

obviously, the attackers have observed what browser/plugin their intended targets were using (which is easy to discover with a phishing mail and a link to a site which read the user agent and list the installed plugins).

then they decided to go with Flash flaw in one situation, and an IE10 flaw with ASLR bypass using flash in the other situation.

that tends to prove they knew exactly what their victims would be running, and apparently they had flash installed.

from what I've seen, most companies continue to install both flash and adobe reader on their PCs. Not just for people working in marketing dept.

I'm getting really really annoyed with all the flash updates. I very rarely use Flash and every time there's a new update I have to close most of my apps. I'm thinking of uninstalling it soon....

Rudy said,
I'm getting really really annoyed with all the flash updates. I very rarely use Flash and every time there's a new update I have to close most of my apps. I'm thinking of uninstalling it soon....

Don't have to uninstall it... just install the Flash Block extension... and you are good to go.

It's easier to uninstall than to install flashblock (one button vs getting some extension for all my browsers)