NEWS FROM THE LAB - Tuesday, March 5, 2013

Flash: Click to Play Posted by Sean @ 16:57 GMT

Adobe released several security updates for its Flash Player during February.

Security bulletin APSB13-04:

"Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content."

Adobe APSB13-04

Attacks on Macs via Firefox and Safari are something we noted on February 8th.

Security bulletin APSB13-08:

"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser."

Adobe APSB13-08

"This update resolves a permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643)."

Breaking out of Firefox's sandbox? Not good.

Fortunately, Flash Player auto-updates rather well on Windows.

And on Macs, Apple is now blocking old versions with its XProtect component.

Apple staggered the requirement, starting with version 11.5.502.149:

XProtect 2013.02.26

The minimum version required is now 11.6.602.171, which is the most recent:

XProtect 2013.02.28
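The version gate XProtect applies, as an added example (not F-Secure's or Apple's code): a check that compares an installed Flash Player build, given here as constructed sample input, against the two minimum versions quoted above, using numeric rather than lexical comparison so that a build such as 11.10.x is not mistaken for an old one.

```python
"""Check a Flash Player build against the XProtect minimum-version rule.

Example added for this post; not F-Secure's or Apple's code. The minimum
versions are the two quoted in the post; the plugin version strings fed to
the check are constructed sample input.
"""
from __future__ import annotations

# XProtect data release -> minimum Flash Player version Apple allows to load.
# Values are the ones quoted in the post above.
XPROTECT_MINIMUMS = {
    "2013.02.26": "11.5.502.149",
    "2013.02.28": "11.6.602.171",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted Flash version into integers so '11.10.x' sorts after '11.6.x'.

    A plain string comparison gets this wrong ('11.10' < '11.6' lexically),
    which is exactly the kind of mistake that lets an old build slip past a
    minimum-version gate.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_blocked(installed: str, xprotect_release: str = "2013.02.28") -> bool:
    """True if XProtect (as of the given data release) refuses to load this build.

    Missing trailing components are treated as zero, so a short string such
    as '11.6' compares as 11.6.0.0 against '11.6.602.171'.
    """
    minimum = parse_version(XPROTECT_MINIMUMS[xprotect_release])
    current = parse_version(installed)
    width = max(len(minimum), len(current))

    def pad(v: tuple[int, ...]) -> tuple[int, ...]:
        return v + (0,) * (width - len(v))

    return pad(current) < pad(minimum)
```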

Updates and minimum requirements are great, but there is something else Chrome and Firefox users can take advantage of: click to play. Turning on click to play prevents plugins from running until the user explicitly chooses to run them.

For Chrome, go to "chrome://settings/content" and look for Plug-ins:

For Firefox, open the about:config settings page and look for "plugins.click_to_play" and set the value to true.

Firefox, plugins.click_to_play