Chris @ MyITforum
There are reports of a critical vulnerability affecting current versions of Adobe Flash and evidence of it being exploited in the wild. Versions including and previous to 220.127.116.11 are reported to be at risk. However — chatter on the security lists we frequent suggests version 18.104.22.168 is not vulnerable and that the attacks are only reliably effective against version 22.214.171.124 and earlier (using CVE-2007-0071).

In any case — we are seeing Flash exploits being used in combination with SQL injection attacks. See Patrik's May 13th post for more information on the SQL attacks. Many/most people probably don't update Flash every time there's an update. This, in combination with the SQL injection attacks against tens of thousands of hacked sites, is cause for concern. Many, many users could be at risk and should update their Flash software. Shadowserver has a good post highlighting some domains pushing Flash exploits.

Adobe is aware of the issue and is investigating but does not yet have a full report. We'll update you later on whether or not version 126.96.36.199 is affected.

In the meantime, there may be some mitigating strategies you'd like to employ.

First of all, you can uninstall Flash. But that can be somewhat aggravating, as you'll then be prompted frequently to install Flash from numerous websites. So another option is to update and then disable your current installation.

If you have Flash installed on your Windows computer, Add/Remove Programs includes a "Click here for support information" link.

ActiveX component for Internet Explorer:

Firefox Plugin:

Update to the most recent version. You can test your installation from this page.

What are your options once you're up to date?

For Internet Explorer, you can use the Manage Add-ons option to disable Flash:

But then you'll get this annoying prompt on Flash-enabled sites:

An alternative is to use registry (.reg) files. This file disables Flash and this file enables Flash in IE. Right-click, save, and place the files in a convenient location and you can toggle Flash on/off as needed.

A big hat tip goes to John Haller's Useful Stuff site for the .reg files.

And for Firefox?

We suggest Flashblock and NoScript:

NoScript is an excellent plugin and will block Flash from any untrusted sites. But be careful whom you trust. Remember, even trusted sites can be hacked. Still, it's a must-have plugin for security-conscious individuals. You can install it from noscript.net.

Flashblock prevents all Flash content from loading. It inserts a placeholder that then allows the user to toggle only the desired Flash. You can install it from flashblock.mozdev.org.
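
For the Internet Explorer registry toggle described above, here is one way to script the same on/off switch. This is an added example, not the .reg files the post links to: it assumes the toggle is done with the ActiveX "kill bit" (Compatibility Flags 0x400) and that the CLSID shown is the Shockwave Flash Object.

```powershell
# Added example: toggle the ActiveX "kill bit" for the Flash control in IE.
# Assumptions (not from the original post): the CLSID below is the Shockwave
# Flash Object, and the kill bit is the mechanism used to block it.
# Run from an elevated PowerShell prompt and restart IE afterwards.
param(
    [ValidateSet('Disable', 'Enable', 'Status')]
    [string]$Action = 'Status'
)

$Clsid   = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE instantiating a control
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on 64-bit Windows reads the redirected view:
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }   # this registry view is absent here
    $key = Join-Path $root $Clsid

    # Read the current flags; a missing key or value means 0 (control allowed).
    $flags = 0
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
    }

    switch ($Action) {
        'Disable' {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $flags = $flags -bor $KillBit      # set only the kill bit, keep other flags
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
        }
        'Enable' {
            if (Test-Path $key) {
                $flags = $flags -band (-bnot $KillBit)   # clear only the kill bit
                Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
            }
        }
    }

    $state = if ($flags -band $KillBit) { 'blocked' } else { 'allowed' }
    "{0}: Flash ActiveX is {1} (flags 0x{2:X})" -f $root, $state, $flags
}
```

Saved under a hypothetical name such as Toggle-FlashIE.ps1, it is run with `-Action Disable`, `-Action Enable`, or no argument to report the current state without changing anything.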