Adobe issues emergency update to Flash after ransomware attacks

[Morvotron]

Content source

http://www.reuters.com/article/us-adobe-systems-cyber-ransomware-idUSKCN0X502K

Adobe Systems Inc (ADBE.O) issued an emergency update on Thursday to its widely used Flash software for Internet browsers after researchers discovered a security flaw that was being exploited to deliver ransomware to Windows PCs.

The software maker urged the more than 1 billion users of Flash on Windows, Mac, Chrome and Linux computers to update the product as quickly as possible after security researchers said the bug was being exploited in "drive-by" attacks that infect computers with ransomware when tainted websites are visited.

Japanese security software maker Trend Micro Inc (4704.T) said that it had warned Adobe that it had seen attackers exploiting the flaw to infect computers with a type of ransomware known as 'Cerber' as early as March 31.

Cerber "has a 'voice' tactic that reads aloud the ransom note to create a sense of urgency and stir users to pay," Trend Micro said on its blog.

Adobe's new patch fixes a previously unknown security flaw. Such bugs, known as "zero days," are highly prized because they are harder to defend against since software makers and security firms have not had time to figure out ways to block them. They are typically used by nation states for espionage and sabotage, not by cyber criminals who tend to use widely known bugs for their attacks.

A new vulnerability on Adobe's products make IT experts and regular users doubt: should we start looking for alternatives? Is flash becoming an insecure option for users?



READ FULL ARTICLE: http://www.reuters.com/article/us-adobe-systems-cyber-ransomware-idUSK
​

 

[Mineria]

A new vulnerability on Adobe's products make IT experts and regular users doubt: should we start looking for alternatives? Is flash becoming an insecure option for users?

Flash should have gone years ago, same as java and silverlight, the latter has even been decapricated and Oracle is slowly removing support for jscript.
I know that some developers don't welcome changes, but honestly, why run java code client side when it can be done faster and more secure by running it server side with other programming languages?
Almost the same can be said for flash, especially with all the social media sharing.

 

[upnorth]

That's on a Windows 8.1 ( Enterprise ) machine. Wonder what would happen on Windows 10?

Audio sample can be found here : CERBER: Crypto-ransomware that Speaks, Sold in Russian Underground - TrendLabs Security Intelligence Blog

 

[Mineria]

I would say probably the same, there shouldn't be a difference between Windows Defender on 8, 8.1 and 10

Just discovered that Netflix still uses Silverligth instead of HTML5, I wonder what their excuse is, since YouTube seems to run fine on HTML5 with the rent-able movies.
And HBO still uses Flash... good that flash can be blocked and allowed for individual sites, probably best practice to only allow it for well known video streaming services.

 

[Nightwalker]

I would say probably the same, there shouldn't be a difference between Windows Defender on 8, 8.1 and 10

Just discovered that Netflix still uses Silverligth instead of HTML5, I wonder what their excuse is, since YouTube seems to run fine on HTML5 with the rent-able movies.
And HBO still uses Flash... good that flash can be blocked and allowed for individual sites, probably best practice to only allow it for well known video streaming services.

Silverlight has a more robust DRM compared to HTML5, I think this is the reason.

 

[Jrs30]

I did not want to use Flash because it causes crashes in Firefox, yesterday instaei it for sites that I visit sport must have flash installed! Installed to the Vivaldi, so far I'm not having problems! In Firefox that causes crashes from time to time ...
YouTube HTML5 very good!

 

[Mineria]

Silverlight has a more robust DRM compared to HTML5, I think this is the reason.

Could be, but at least it can run via the Netflix app without Silverlight.

 

[Entreri]

Flash, one emergency after another, every other week.

Time to get rid of this trash.

 

[soccer97]

Microsoft has yet to release a patch. I guess we are going to wait until Patch Tuesday 4-12-16 to receive an update. Maybe they do another code review and find more vulns to patch. That would be nice - added security. The delay is a bit surprising, or maybe I am just new to Windows 10.In the past, there were a few occasions when an emergency patch was issued on a Sunday by Microsoft.

IE 11 for Windows 10: 21.0.0.182
Edge 21.0.0.182

IE Active X: 21.0.0.213

Still.


If Flash plans on staying around, why don't they bring in 1 or 2 outside security experts, and take a few employees out of the regular dev team to do a full code review and focus on strictly security for 3 full months. Forget the feature updates. Their reputation is damaged as is, if they wish to salvage it, focus on security and keep it that way.

Microsoft did it with the Trustworthy Computing initiative in 2002. Is it perfect? No, but it's a big step.
Trustworthy Computing - TwC Next

 

[jamescv7]

Lack of competitors for Adobe Flash Player, remember that those holes are just a fine way to make the product regularly improve; so likely no reason why Adobe have no way to revise or abandon it, because of money circulation where can gain more value than expenses.

 

[Mineria]

Flash, one emergency after another, every other week.

Time to get rid of this trash.

I wish that was possible, but currently I still need it for HBO Nordic, which also is the only place where I allow it to run.

 

[Dirk41]

I uninstalled flash, (and Adobe reader and Java )in w7 and XP . Because you can easily uninstall them from control panel. ( who cares, if a video still use flash, chrome has it integrated ).
on w10 I didn't even download flash

 

[soccer97]

I uninstalled flash, (and Adobe reader and Java )in w7 and XP . Because you can easily uninstall them from control panel. ( who cares, if a video still use flash, chrome has it integrated ).
on w10 I didn't even download flash

In general, or at least in the past, I recall them advising us to use their own uninstaller (more thorough). It is updated with every new version. I think that in theory, it should remove older versions as well. Here is the link to the official Adobe Flash Player uninstaller from their help pages:

Uninstall Flash Player for Windows


I uninstall > Reboot > Install new version every now and then.

 

[Dirk41]

Thank you. Too late anyway .I manually deleted the leftovers