Avatar for Username

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

This thread was archived. Please ask a new question if you need help.

Adobe Flash Player 18.0.0.203 still vulnerable

  • 3 replies
  • 49 have this problem
  • 13 views
  • Last reply by James

pal100x
pal100x
more options

Sorry to bring bad news but Flash Player is still vulnerable. On July 10, 2015 a second zero-day has been discovered in the Hacking Team's leaked data. External links: Adobe security advisory APSA15-04: https://helpx.adobe.com/security/products/flash-player/apsa15-04.html Malwarebytes Unpacked blog: https://blog.malwarebytes.org/exploits-2/2015/07/new-hacking-team-flash-player-0day-uncovered/ It appears it was already integrated into exploit kits according to Kafeine from MalwareDontNeedCofee and Malwarebytes.

Sorry to bring bad news but Flash Player is still vulnerable. On July 10, 2015 a second zero-day has been discovered in the Hacking Team's leaked data. External links: Adobe security advisory APSA15-04: https://helpx.adobe.com/security/products/flash-player/apsa15-04.html Malwarebytes Unpacked blog: https://blog.malwarebytes.org/exploits-2/2015/07/new-hacking-team-flash-player-0day-uncovered/ It appears it was already integrated into exploit kits according to Kafeine from MalwareDontNeedCofee and Malwarebytes.

Chosen solution

Thank you for the update.

If there's no update available from Adobe that fixes this issue, it's unlikely that the current version of the Flash plugin would be blocked (the Java Deployment Toolkit seems to be a rare exception).

For one's own purposes, limiting use of Flash to trusted sources and "necessary" media is a good idea. You can do that using the click-to-play feature as follows:

Open the Add-ons page using either:

  • Ctrl+Shift+a
  • "3-bar" menu button (or Tools menu) > Add-ons

In the left column, click Plugins. Look for "Shockwave Flash" and change "Always Activate" to "Ask to Activate".

When you visit a site that wants to use the Flash, you should see a notification icon in the address bar and one of the following: a link in a black rectangle in the page or an infobar sliding down between the toolbar area and the page.

If you do not see an immediate need to run Flash, you can simply ignore the notification.

Unfortunately, because Flash can be embedded from other sites, this is not a complete solution. Even if you trust SiteA, if it is compromised with media from SiteB, the embedded media will play.

You can make the click-to-play feature more granular, rather than trusting all media on a site-by-site basis, using an extension. For example: https://addons.mozilla.org/firefox/addon/click-to-play-per-element/

I notice you linked to an article about Malwarebytes Anti-Exploit, which has a free version that should help protected against this exploit. Have you tried it? Does it affect browser performance much?

https://www.malwarebytes.org/antiexploit/

Read this answer in context 👍 2

All Replies (3)

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 10 Contributor
more options

Chosen Solution

Thank you for the update.

If there's no update available from Adobe that fixes this issue, it's unlikely that the current version of the Flash plugin would be blocked (the Java Deployment Toolkit seems to be a rare exception).

For one's own purposes, limiting use of Flash to trusted sources and "necessary" media is a good idea. You can do that using the click-to-play feature as follows:

Open the Add-ons page using either:

  • Ctrl+Shift+a
  • "3-bar" menu button (or Tools menu) > Add-ons

In the left column, click Plugins. Look for "Shockwave Flash" and change "Always Activate" to "Ask to Activate".

When you visit a site that wants to use the Flash, you should see a notification icon in the address bar and one of the following: a link in a black rectangle in the page or an infobar sliding down between the toolbar area and the page.

If you do not see an immediate need to run Flash, you can simply ignore the notification.

Unfortunately, because Flash can be embedded from other sites, this is not a complete solution. Even if you trust SiteA, if it is compromised with media from SiteB, the embedded media will play.

You can make the click-to-play feature more granular, rather than trusting all media on a site-by-site basis, using an extension. For example: https://addons.mozilla.org/firefox/addon/click-to-play-per-element/

I notice you linked to an article about Malwarebytes Anti-Exploit, which has a free version that should help protected against this exploit. Have you tried it? Does it affect browser performance much?

https://www.malwarebytes.org/antiexploit/

pal100x
pal100x Question owner
more options

Thank you for prompt response. I was mostly looking for an advised statement rather than real help considering that this is already the 2nd Adobe Flash zero-days season in this year. I always have flash set to click to play. I use NoScript which supersedes Click to play per element. Yes, I am running Malwarebytes Anti-Exploit and it only has noticeable impact on boot.

Modified by pal100x

James
James
  • Top 25 Contributor
  • Moderator
more options

It has been mentioned in https://support.mozilla.org/en-US/forums/plug-check-page-discussions/711386#post-65949

Pretty much every version of Flash that has been with critical vulnerability since December has been blocked https://addons.mozilla.org/firefox/blocked/ . So the current plugin based versions for Windows, Mac OSX and Linux will likely be blocked once Adobe has updates on Adobe site like at https://www.adobe.com/products/flashplayer/distribution3.html