NEWS FROM THE LAB - Wednesday, May 28, 2008

Flash w/ SQL Posted by Sean @ 17:16 GMT

There are reports of a critical vulnerability affecting current versions of Adobe Flash Player, and evidence that it is being exploited in the wild. Versions including and previous to are reported to be at risk. However, chatter on the security lists we frequent suggests that version is not vulnerable and that the attacks are only reliably effective against version and earlier (using CVE-2007-0071).

In any case, we are seeing Flash exploits being used in combination with SQL injection attacks: the injected content on hacked sites sends visitors to domains hosting the Flash exploits. See Patrik's May 13th post for more information on the SQL attacks. Many, perhaps most, people don't update Flash every time a new version is released. That, in combination with the SQL injection attacks against tens of thousands of hacked sites, is cause for concern. Many, many users could be at risk and should update their Flash software. Shadowserver has a good post highlighting some domains pushing Flash exploits.

Adobe is aware of the issue and is investigating but does not yet have a full report. We'll update you later on whether or not version is affected.

In the meantime, there may be some mitigating strategies you'd like to employ.

First of all, you can uninstall Flash. But that can be somewhat aggravating, as you'll then be prompted frequently to install Flash by numerous websites. So another option is to update and then disable your current installation, re-enabling it only when you actually need it.

If you have Flash installed on your Windows computer, Add/Remove Programs includes a "Click here for support information" link.

ActiveX component for Internet Explorer:

[Screenshot: Flash 901240 ActiveX]

Firefox Plugin:

[Screenshot: Flash 901240 Plugin]

Update to the most recent version. Note that the ActiveX control used by Internet Explorer and the plugin used by Firefox are separate installations, so update each one you have. You can test your installation from this page.

What are your options once you're up to date?

For Internet Explorer, you can use the Manage Add-ons option to disable Flash:

[Screenshot: IE Manage Add-ons]

But then you'll get this annoying prompt on Flash-enabled sites:

[Screenshot: Add-on Disabled]

An alternative is to use registry (.reg) files. This file disables Flash and this file enables Flash in IE. Right-click each link, save the file, and place both files in a convenient location, and you can toggle Flash on and off in IE as needed.

A big hat tip goes to John Haller's Useful Stuff site for the .reg files.
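As an added example (this is not code from the post, and it is not the contents of John Haller's .reg files), the following PowerShell script performs the same on/off toggle for the Flash ActiveX control in Internet Explorer and reports the installed version. It works by setting and clearing the ActiveX Compatibility "kill bit" for the control's CLSID. The CLSID, the 0x400 Compatibility Flags bit, and the HKLM\SOFTWARE\Macromedia\FlashPlayer version key are assumptions about how Windows and Adobe's installer behave, not details stated in the post. It writes under HKLM, so run it from an administrator prompt.

```powershell
# Added example: toggle the Flash ActiveX control in Internet Explorer via the
# ActiveX Compatibility "kill bit", and report the installed Flash version.
# Assumptions (not from the post): the Shockwave Flash CLSID below, the 0x400
# kill-bit flag, and the HKLM\SOFTWARE\Macromedia\FlashPlayer version key.
# Run from an administrator prompt; the HKLM writes require it.

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object (assumed)
$KillBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
$KillBit    = 0x400   # Compatibility Flags bit meaning "never load this control in IE"

function Get-FlashActiveXVersion {
    # Reads the "9,0,124,0"-style string Adobe's installer writes (assumed key).
    $key = 'HKLM:\SOFTWARE\Macromedia\FlashPlayer'
    if (-not (Test-Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key).CurrentVersion
    if (-not $raw) { return $null }
    return [version]($raw -replace ',', '.')
}

function Get-CompatibilityFlags {
    # Current "Compatibility Flags" DWORD for the Flash CLSID, or 0 if unset.
    if (-not (Test-Path $KillBitKey)) { return 0 }
    $flags = (Get-ItemProperty -Path $KillBitKey).'Compatibility Flags'
    if ($null -eq $flags) { return 0 }
    return [int]$flags
}

function Get-FlashActiveXState {
    # 'disabled' when the kill bit is set, 'enabled' otherwise.
    if ((Get-CompatibilityFlags) -band $KillBit) { return 'disabled' }
    return 'enabled'
}

function Disable-FlashActiveX {
    # Same effect as merging a .reg file that sets "Compatibility Flags"=dword:00000400.
    if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
    $new = (Get-CompatibilityFlags) -bor $KillBit
    Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Enable-FlashActiveX {
    # Clears only the kill bit, leaving any other compatibility flags untouched.
    if (-not (Test-Path $KillBitKey)) { return }
    $new = (Get-CompatibilityFlags) -band (-bnot $KillBit)
    Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Usage: .\flash-toggle.ps1 off   (disable)   |   .\flash-toggle.ps1 on   (enable)
#        .\flash-toggle.ps1       (just report version and state)
switch ($args[0]) {
    'off' { Disable-FlashActiveX }
    'on'  { Enable-FlashActiveX }
}
$ver = Get-FlashActiveXVersion
if ($ver) { "Flash {0} installed; ActiveX control is {1} in IE" -f $ver, (Get-FlashActiveXState) }
else      { "No Flash version key found; ActiveX control is {0} in IE" -f (Get-FlashActiveXState) }
```

The kill bit only affects Internet Explorer and other hosts that honour the ActiveX Compatibility list. Firefox loads Flash through its own separately installed plugin, so disabling the control here does nothing for Firefox; for that browser use Flashblock or NoScript as described below.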

And for Firefox?

We suggest Flashblock and NoScript:

[Screenshot: Firefox Add-ons]

NoScript is an excellent add-on and will block Flash from any site you haven't explicitly trusted. But be careful whom you trust. Remember, even trusted sites can be hacked, which is exactly what the SQL injection attacks described above do to legitimate sites. Still, it's a must-have add-on for security-conscious individuals. You can install it from noscript.net.

Flashblock prevents any Flash content from loading automatically. It replaces each Flash object with a placeholder, and only the objects you click on are loaded. You can install it from flashblock.mozdev.org.

Update: The Security Focus BID has been retired, see the details here. Adobe also has an updated post available.

Adobe Flash version is NOT vulnerable to the exploits that we're seeing in the wild. But there are a large number of sites hosting exploits for earlier Flash versions, so there is risk. We strongly advise updating your Flash installation as a minimum measure.

Home users can use our free Health Check service to assist in scanning and updating their systems.