Flash Patch Targets Zero-Day Exploit
From KrebsOnSecurity. The attack leaves your PC open to the Angler Exploit Kit (see this link):
Systems compromised by this particular campaign will be infected with click-fraud software and a downloader. Click-fraud software uses the compromised systems to issue impressions—"clicks"—to advertising networks, which results in the criminals getting paid an affiliate fee through the advertising network.
"Unfortunately it is very hard to tell apart real users from fake ones and advertisers essentially end up paying for 'impressions' or 'clicks' where a human being was never involved," Malwarebytes stated in a blog post on the issue.
While click-fraud may not directly impact the owner of the infected system, the attack also installs a downloader, which allows the attacker to install additional — and likely, more malicious — software at a later date.
Right now, IE users on Windows seem to be vulnerable, but Mac and Linux users may be targeted, so if you're going to use Flash, please update as soon as possible. The bad news is that Adobe has not patched all the attack vectors yet, so expect to install an updated patch later as well.
Windows users may want to install the latest free version of Malwarebytes (who say they have some protection against this). If your version of Windows is unsupported, then the best thing to do is uninstall Flash until this is fully patched.
FYI, be careful when you update Flash, as Adobe has a NASTY habit of trying to make you install other software (Chrome, McAfee, etc) during the install. Unclick everything you don't need, and just don't click through the screens!!! (good advice for any Windows install!!!)
Here's a Mac link. The Krebs article I linked to on top has the best summary of all of this, and I suggest checking Krebs out regularly as this unfolds.
It's a poorly coded POS that was never properly refactored, just one bandaid after the next.
Problem is what John points out, so much of the net is reliant on it that it's hard to remove it from clients entirely.
Krebs' suggestion of installing the EMET toolkit for Windows and Click to Play, as well as having something along the lines of Malwarebytes running is a good idea. Disabling Flash altogether, if you can get along without it, is even better.
And yeah, Flash is total garbage. Adobe prioritized speed of release/low R&D budget so it's often bloated and vulnerable. Adobe is by far the easiest vendor to exploit and they don't even really seem to give a shit.
Poor coding with Flash has roughly the same effect as poor materials in a roof. Flash was originally developed by a company called FutureWave, who sold it to Macromedia. That company was bought up by Adobe back in 2005. I don't remember it having issues until Adobe took it over.
Adobe is the home of bloated, poorly coded software (why the heck is their PDF reader over 100 mgs larger than others like Foxit??). Flash, though, got popular because the tools to use and install it other than Adobe were free, and easy to use.
All those FLV files are going to have to be converted, and re-coded for Web Sites, new browsers and different formats (phones, tablets, PC's, Mac's, etc) (see this link for coding info). That's a massive job that will take years. A lot of video will be lost, too, as the original people who did those videos may not want to do the work, or pay for it.