A Classic Day of Security Advisory


#1

As mentioned in the #news

there is a CVE concerning Flash out there in the wild; if reading the very formal announcement gives you a headache, let me translate it for you in normal words:

  • a vulnerability exists in the latest Flash Player 21.0.0.197
  • this vulnerability concerns all operating systems:
    Windows, Macintosh, Linux, and Chrome OS
  • but so far the vulnerability is only exploited on Windows 7 / XP
    that still use the Flash Player 20.0.0.306 (or earlier versions)
  • if you happen to run Windows 7 or Windows XP
    but use the Flash Player 21.0.0.182 and later, you are safe
  • Adobe will release an update on the 7th of April for all operating systems

That’s our reality now: not only are there CVEs every day, some days more than others, but it is not something exceptional; you also have documents that get leaked by the terabyte, big corporations get hacked and have millions of users’ logins/passwords/emails/credit cards compromised, all that happens almost every day …

so that Flash vulnerability, what about it?

Does Adobe try to hide it?
nope

They announce they are aware of it and also commit to provide a fix for it by … tomorrow!

not in 1 week or 1 month, but tomorrow, so in about 24h
that’s quite fast

but now you’re gonna see online media exploiting the news and of course distorting it every which way, today, tomorrow and the next few days after … while in the meantime Adobe will have already provided a fix for it

first one to pile on is The Register with
Adobe preps emergency Flash patch for bug hackers are exploiting
subtitled: As if the world needed yet another reason to finally flush Flash forever
dated: 6 Apr 2016 at 00:45, Iain Thomson (important for later)

yes they are biased, I’m not sure why, I think it’s the clickbait effect, e.g. if you trash Flash it just brings a lot of viewers arguing about it etc.

so here we go, cover your ears, it’s gonna get dirty real quick

Adobe will this week issue an out-of-band patch for Flash after spotting a critical flaw that is now being “actively exploited” in the wild.

it’s about accurate except for “this week”, which can lead you to think it will take a full week (more drama) to fix the problem when Adobe announced they will have a fix for it tomorrow.

The flaw, CVE-2016-1019, affects Flash Player version 20.0.0.306 and older for Windows, OS X, Linux, and Chrome OS. Adobe made the jump to patch after learning that users of Windows 7 and Windows XP are being actively targeted by malware writers exploiting the flaw. It hopes to have the fix out by April 7 or as soon as possible afterwards.

the version is wrong, the operating systems are mixed … more or less accurate

If you’re running a version of Flash later than 21.0.0.182, then a mitigation for the attack is already in place in the plugin. Full details can be found here.

again wrong version and no mention of the operating system, not accurate at all

“Adobe would like to thank Kafeine (EmergingThreats/Proofpoint) and Genwei Jiang (FireEye, Inc), as well as Clement Lecigne of Google for reporting CVE-2016-1019,” the Photoshop giant said in today’s advisory.

OK, mention of the security team/researchers involved

so far, not a big deal, but of course The Register cannot resist going beyond the news

No doubt Flash users are getting used to the patching business: on Adobe’s Patch Tuesday every month, but also with regular out-of-band patches.

that’s the professional thing to do (e.g. to patch as much as possible on a regular basis) but it is presented as “if you use Flash you’re gonna have to patch it all the time”, as if it was possible to have security without regular patches.

As one of the most-used third-party browser tools (for the moment at least),

oh … first little kick, another way to say it would be “Flash is very popular for now, but we don’t think it’s gonna last”

Flash remains very popular with the verminous end of the coding business.

OK I’m French, I consider myself pretty good with the English language but here the use of “verminous” is done in such a way that I’m not sure if the journalist is “elegantly” insulting the flash users or the flash producers or maybe both

anyway, vermin ?

It’s Adobe’s blessing and its curse that it invented Reader and Flash – two immensely popular bits of code that then proved the perfect conduit to get around browser security.

could be said for any bit of popular code out there

All is not lost for Flash, but it might be time to dump it and save the energy.

always dangling the probable “death” of Flash … a classic

and ensue the comments where everyone is hating on Flash

another clickbait achievement unlocked

think I’m reading too much into the bad faith of such a journalist?
well … I got proof

see, another article was posted earlier
Adobe preparing critical out-of-band Flash patch
5 Apr 2016 at 23:42, Iain Thomson

Adobe is releasing an emergency patch for Flash after spotting a critical flaw that is now being “actively exploited” in the wild.

Users of Windows 7 and Windows XP with Flash Player version 20.0.0.306 and earlier are vulnerable to an externally forced shutdown that can be used to mask remote code execution on a target system. The threat was deemed serious enough to issue the patch out of schedule and Adobe hopes to have it out by April 7.

If you’re running a version of Flash later than 21.0.0.182 then a mitigation for the attack is already in place.

Full details can be found here.

that’s a regular news item without the snarky comments by the same journalist, but apparently it did not generate enough viewership so he felt obligated to post the same article later but this time with a more clickbaity title


but guess what, it was not the only security news of today
let’s see if maybe other products and vendors have some patches and fixes related to security issues …

Millions of Firefox users vulnerable to browser extension flaw

and you thought you were safe by disabling the Flash plugin in Firefox, not so fast

Security researchers have warned that hundreds of popular extensions for the Firefox browser have exposed millions of users to hack attacks.

Researchers from the Northeastern University in Boston discovered a flaw that allows hackers to stealthily execute malicious code hiding behind a seemingly benign extension, such as NoScript and Firebug, and steal data.

wow, and when can we expect a patch for that?

The flaw is likely to be bypassed when Mozilla moves Firefox to its new WebExtensions model that isolates extensions. The company has given developers 18 months to migrate add-ons to the new model before the old extensions are purged.

18 months … :scream:

ok let’s move on
http://www.theregister.co.uk/2016/04/05/kinder_app_security_flap/

some details

Hacktive Security alleges that a malicious user could “read the chat of the children, send them messages, photographs and videos or change user profile info such as date of birth and gender,” as explained in detail in a blog post here.

The Android app – which has clocked in at more than 500,000 downloads – was developed by a subsidiary of Ferrero International, the firm behind Nutella, Kinder and Ferrero Rocher.

still … The Register provides no snarky comments there

ok let’s find another one

Apple iOS 9.3.1 Passcode Bypass

in the details you get

The vulnerability allows local attackers to bypass the physical device
protection mechanism of the iphone 6s and plus models.

The 3d touch sendor with the apple display hardware allows to open the
basic context menu and new options by low and intensiv
push interaction. For example by pushing in the default mail app the
messages another context menu for interaction becomes available.
The new functions are only available for the apple products like iphone
6S and the iPhone Plus that do support the new hardware.

oh noes … impossibru, there is no Flash plugin on iOS, how come it gets hacked like that?

because it is popular …
I will repeat that again and again, everything that is popular will get exploited one way or another

ok that was the raw news, let’s see what The Register has to say about it, I mean this time I demand snarky comments

http://www.theregister.co.uk/2016/04/06/security_bods_disclose_lock_bypass_bug_in_ios/

I must say I’m disappointed, not a single snarky comment about Apple’s failure at securing their latest and shiniest gadget …

we don’t even know when it will be fixed, but I guess it’s OK to spend hundreds of dollars on something that can be hacked in a few minutes

I will spare you the dozens of Debian / Ubuntu / Red Hat / Slackware / etc. security notices


Here’s my point,

It’s a meme, it’s funny because it is true

Firefox vulnerability that puts millions of users at risk, and maybe fixed in 18 months?
nobody cares

Hacked Android app that puts at risk 500.000 kids?
pfff it’s small potatoes

Latest iOS update on the latest Apple iDevice that lost all protection?
all cool bro

Flash vulnerability that’s gonna get fixed tomorrow?
vermin should die in a fire