
Adobe Flash Player 18.0.0.203 still vulnerable

  • 3 replies
  • 49 have this problem
  • 4 views
  • Last reply by James

Sorry to bring bad news but Flash Player is still vulnerable. On July 10, 2015, a second zero-day was discovered in the Hacking Team's leaked data.

External links:

  • Adobe security advisory APSA15-04: https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
  • Malwarebytes Unpacked blog: https://blog.malwarebytes.org/exploits-2/2015/07/new-hacking-team-flash-player-0day-uncovered/

It appears it was already integrated into exploit kits according to Kafeine from MalwareDontNeedCoffee and Malwarebytes.


All Replies (3)

Chosen Solution

Thank you for the update.

If there's no update available from Adobe that fixes this issue, it's unlikely that the current version of the Flash plugin would be blocked (the Java Deployment Toolkit seems to be a rare exception).

For one's own purposes, limiting use of Flash to trusted sources and "necessary" media is a good idea. You can do that using the click-to-play feature as follows:

Open the Add-ons page using either:

  • Ctrl+Shift+a
  • "3-bar" menu button (or Tools menu) > Add-ons

In the left column, click Plugins. Look for "Shockwave Flash" and change "Always Activate" to "Ask to Activate".

When you visit a site that wants to use Flash, you should see a notification icon in the address bar and one of the following: a link in a black rectangle in the page or an infobar sliding down between the toolbar area and the page.

If you do not see an immediate need to run Flash, you can simply ignore the notification.

Unfortunately, because Flash can be embedded from other sites, this is not a complete solution. Even if you trust SiteA, if it is compromised with media from SiteB, the embedded media will play.

You can make the click-to-play feature more granular, rather than trusting all media on a site-by-site basis, using an extension. For example: https://addons.mozilla.org/firefox/addon/click-to-play-per-element/


I notice you linked to an article about Malwarebytes Anti-Exploit, which has a free version that should help protect against this exploit. Have you tried it? Does it affect browser performance much?

https://www.malwarebytes.org/antiexploit/
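
The cross-site caveat in the answer above, as an added example that is not part of the original post: a Python sketch that lists the Flash media a page loads from an origin other than its own, which is the content a site-wide "allow" would also run. The host names and sample HTML are constructed, and only `<embed src>` and `<object data>` references are inspected.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

FLASH_MIME = "application/x-shockwave-flash"


class FlashEmbedFinder(HTMLParser):
    """Collect absolute URLs of Flash media referenced by <embed>/<object>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.media = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src") if tag == "embed" else a.get("data") if tag == "object" else None
        if not src:
            return
        # Flash is identified by declared MIME type or by a .swf path.
        is_swf = urlsplit(src).path.lower().endswith(".swf")
        if a.get("type", "").lower() == FLASH_MIME or is_swf:
            # Resolve relative and protocol-relative references against the page.
            self.media.append(urljoin(self.page_url, src))


def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def third_party_flash(page_url, html):
    """Return Flash media URLs whose origin differs from the page's origin."""
    finder = FlashEmbedFinder(page_url)
    finder.feed(html)
    return [m for m in finder.media if origin(m) != origin(page_url)]


# Constructed sample: a page on SiteA with one local and two SiteB-hosted SWFs.
SAMPLE_PAGE = "http://sitea.example/videos/index.html"
SAMPLE_HTML = """
<html><body>
<embed src="/player/local.swf" type="application/x-shockwave-flash">
<object data="http://siteb.example/ads/banner.swf" type="application/x-shockwave-flash"></object>
<embed src="//cdn.siteb.example/clip" type="application/x-shockwave-flash">
<img src="http://siteb.example/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for url in third_party_flash(SAMPLE_PAGE, SAMPLE_HTML):
        print("third-party Flash:", url)
```
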

Thank you for the prompt response. I was mostly looking for an advised statement rather than real help, considering that this is already the 2nd Adobe Flash zero-day season this year. I always have Flash set to click to play. I use NoScript, which supersedes Click to play per element. Yes, I am running Malwarebytes Anti-Exploit and it only has noticeable impact on boot.

Modified by pal100x

It has been mentioned in https://support.mozilla.org/en-US/forums/plug-check-page-discussions/711386#post-65949

Pretty much every version of Flash that has had a critical vulnerability since December has been blocked (see https://addons.mozilla.org/firefox/blocked/). So the current plugin-based versions for Windows, Mac OS X and Linux will likely be blocked once Adobe has updates on the Adobe site, like at https://www.adobe.com/products/flashplayer/distribution3.html