Facebook becomes the latest company to ditch Flash, switches to HTML5 for all video

By | TechSpot

In what may be the final nail in the coffin for Flash, Facebook has now abandoned the technology in favor of HTML5 for all web videos that appear on its News Feed, Pages, and in the embedded Facebook video player.

Facebook says it is continuing to work with Adobe to deliver a reliable and secure Flash experience for games on the platform, but the social network has switched to HTML5 video playback by default in all browsers.

Daniel Baulig, an engineer at Facebook, said: “Not only did launching the HTML5 video player make development easier, but it also improved the video experience for people on Facebook. Videos now start playing faster. People like, comment, and share more on videos after the switch, and users have been reporting fewer bugs. People appear to be spending more time with video because of it.”

Baulig added that Facebook introduced the HTML5 player a while ago to a small number of browsers, but there were several problems stopping the company making a complete switch from Flash across all platforms.

“In theory, most browsers in use support HTML5 video. However, in practice we noticed that a lot of the older browsers would simply perform worse using the HTML5 player than they had with the old Flash player. We saw more errors, longer loading times, and a generally worse experience,” he said. “That’s why we waited until recently to ship the HTML5 player to all browsers by default, with the exception of a small set of them.”

Back in July, Facebook’s chief of security, Alex Stamos, tweeted that it was time for Adobe to announce the end-of-life date for Flash and to ask browser makers to set killbits on the same day. YouTube switched to an HTML5-based player in January this year, and Adobe recently tried to distance itself from the technology by renaming Flash Pro to Adobe Animate CC.

As Facebook joins the ranks of so many other companies in denouncing Flash, will 2016 be the year we finally say goodbye to the aging system once and for all?

Hacking Team’s arsenal included at least three unpatched exploits for Flash Player

Recently breached surveillance software maker, Hacking Team, had access to three different exploits for previously unknown vulnerabilities in Flash Player. All of them are now out in the open, putting Internet users at risk.

Milan-based Hacking Team develops and sells surveillance software to government agencies from around the world. On July 5, a hacker released over 400GB of data stolen from the company on the Internet, including email communications, business documents, source code and other internal files.

On Tuesday, researchers found a proof-of-concept exploit among Hacking Team’s files that worked against the latest version of Flash Player. Cybercriminals were quick to adopt it and were already using it in large-scale attacks by the time Adobe Systems released a patch for it on Wednesday.

By late Friday, researchers from FireEye revealed that they found a second zero-day exploit for Flash Player in the Hacking Team data cache, prompting Adobe to issue an emergency advisory.

This was followed up Saturday by researchers from Trend Micro with yet another find, putting the number of Flash Player zero-day exploits used by Hacking Team to three—at least so far.

Only one of the vulnerabilities targeted by those exploits has been patched so far, with Adobe planning to release fixes for the other two—CVE-2015-5122 and CVE-2015-5123—later this week.

That’s a problem because the cybercriminals behind the Angler Exploit Kit were already using the exploit discovered by FireEye (CVE-2015-5122) by Sunday. The malicious activity was spotted by a malware researcher known online as Kafeine who specializes in tracking drive-by download attacks.

It’s very likely that attackers are also working on integrating the exploit found by Trend Micro (CVE-2015-5123) in commercial exploit kits, if they haven’t already.

“Until an update is available, users should consider disabling Adobe Flash,” researchers from Trend Micro said in a blog post. “Extra caution should be exercised for the foreseeable future and special attention paid for the possibility of compromised ad servers.”

Web-based exploits are typically used to infect computers when users visit legitimate websites that were compromised or when their browsers load malicious advertisements.

via Hacking Team’s arsenal included at least three unpatched exploits for Flash Player | PCWorld.

Adobe patches zero-day Flash Player flaw used in targeted attacks

Adobe Systems released an emergency security update for Flash Player Tuesday to fix a critical vulnerability that has been exploited by a China-based cyberespionage group.

Over the past several weeks, a hacker group identified as APT3 by security firm FireEye has used the vulnerability to attack organizations from the aerospace, defense, construction, engineering, technology, telecommunications and transportation industries.

The hacking group targeted the companies with generic phishing emails that contained a link to a compromised server, researchers from FireEye said in a blog post Tuesday. The server used JavaScript code to profile potential victims and then served the Flash exploit to the ones meeting attackers’ criteria, the company said.

The attackers use the exploit to install a backdoor known as SHOTPUT or CookieCutter and then move through the organization’s network, using other techniques and exploits to compromise additional systems.

In order to be protected against this vulnerability, which is tracked as CVE-2015-3113, Adobe advises users to update to the newly released Flash Player versions: 18.0.0.194 for Windows and Mac, 11.2.202.468 for Linux, and 13.0.0.296 for the extended support release.

The Flash Player plug-in that’s installed by default with Google Chrome and Internet Explorer on Windows 8.x will be automatically updated. Flash Player users on Windows or Mac who have selected “allow Adobe to install updates” will also get the update automatically.

APT3 is a sophisticated group known for using other zero-day browser-based exploits in the past for Internet Explorer, Firefox and Flash Player, according to FireEye. The group also uses custom backdoors and often changes command-and-control infrastructure, making it hard for researchers to track its activity.

via Adobe patches zero-day Flash Player flaw used in targeted attacks | PCWorld.

Malicious advertisements on major sites compromised many, many PCs

Attackers who have slipped malicious advertisements onto major websites over the last month have potentially compromised large numbers of computers.

Several security vendors have documented attacks involving malicious advertisements, which automatically redirect victims to other websites or pages that silently attack their computer and install malware.

“We certainly see malvertising on the rise,” said Nick Bilogorskiy, head of security research at Cyphort, a security vendor in Santa Clara, California. “We see it is going to be a major channel of delivering malware this year.”

For the second time in about a month, Cyphort found malicious advertisements popping up on major websites including the Huffington Post and the LA Weekly between Thursday and Monday. The attack is likely a continuation of the first one, Bilogorskiy said.

The malvertisements were distributed by Adtech.de, an AOL-owned online advertising company, and two other companies, adxpansion.com and Ad.directrev.com. The bad ads appear to have been removed from Adtech, said Bilogorskiy, who has been in touch with its security team. He couldn’t reach the other two companies.

The malicious advertisements redirected users through several domains before finally dumping them on pages hosting an exploit kit, an attack tool that scans for software vulnerabilities. It appears this campaign uses the Sweet Orange exploit kit, Bilogorskiy said.

If a vulnerability is found, malware is automatically delivered, a dangerous type of attack known as a drive-by download. “It’s the worst case,” Bilogorskiy said.

The malware installed is called Kovter, which is used to fraudulently generate ad impressions.

It can be difficult for online advertising companies to keep bad ads out of their systems. The companies “are getting millions of ads submitted to them, and any one of them could be malware,” Bilogorskiy said.

“They try their best to detect and filter, but it is challenging,” he said.

Attackers, for example, may enable malicious payloads after their ads have been approved. Other times, they may only attack every 10th user. The ads, Bilogorskiy said, have to be repeatedly checked to ensure they’re not malicious.

On Tuesday, Cisco’s Talos security research group wrote it had analyzed another large malvertising campaign that uses the Angler exploit kit, a potent one known for its quick employment of the latest Flash vulnerabilities.

More than 1,800 legitimate domains were being used as part of that campaign, wrote Nick Biasini, a Cisco threat researcher. It appeared the attackers had gained control of the domains’ accounts, many of which were registered through GoDaddy, he wrote.

The attackers created subdomains on those accounts. People who viewed a malicious ad were redirected to a newly-created subdomain, which then redirected to another subdomain that served up the exploit kit.

The attackers have created so many subdomains that one may only be used once to redirect, Biasini wrote. Since malicious domains are often quickly detected and blocked by security software, rotating them helps ensure an attack will be successful.
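The rotation Biasini describes leaves a recognizable trace in DNS or proxy logs: one registered domain suddenly resolves many distinct subdomains, each seen only once or twice. The sketch below is an added example, not code from Cisco or PCWorld; the log entries, domain names and thresholds are constructed for illustration, and the two-label registered-domain split is a simplifying assumption (use the Public Suffix List on real data).

```python
from collections import defaultdict

# Constructed sample log of (timestamp, queried host); not real traffic.
SAMPLE_LOG = (
    [(f"2015-02-03T10:00:{i:02d}", f"{label}.example-shop.test")
     for i, label in enumerate(["qx7a", "m2kd", "zp9f", "a8re", "tt4w", "v0bn"])]
    + [("2015-02-03T10:01:00", "www.example-shop.test")] * 3
    + [(f"2015-02-03T10:02:{i:02d}", "cdn.example-news.test") for i in range(40)]
    + [("2015-02-03T10:03:00", "mail.example-news.test")]
)


def registered_domain(host):
    """Return the last two labels of a host name.

    Assumption for this example only: real code should consult the
    Public Suffix List so that names like example.co.uk split correctly.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_shadowed_domains(log, min_subdomains=5, max_hits_per_sub=2,
                          min_rare_ratio=0.8, ignore=("www",)):
    """Flag registered domains whose subdomains are numerous and rarely reused.

    Returns {registered_domain: sorted list of rarely seen subdomain labels}.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for _timestamp, host in log:
        host = host.lower().rstrip(".")
        base = registered_domain(host)
        sub = host[: -len(base)].rstrip(".")
        if not sub or sub in ignore:
            continue  # bare domain or a well-known label: not interesting
        hits[base][sub] += 1

    findings = {}
    for base, subs in hits.items():
        # Subdomains queried at most max_hits_per_sub times look "single use".
        rare = sorted(s for s, n in subs.items() if n <= max_hits_per_sub)
        # Require both a high count and a high share of single-use names, so
        # a site with one busy CDN host and one quiet mail host is not flagged.
        if len(rare) >= min_subdomains and len(rare) / len(subs) >= min_rare_ratio:
            findings[base] = rare
    return findings


if __name__ == "__main__":
    for domain, subs in find_shadowed_domains(SAMPLE_LOG).items():
        print(f"{domain}: {len(subs)} single-use subdomains, e.g. {subs[:3]}")
```

Flagged domains are candidates for review, not verdicts: legitimate services that generate per-user or per-session host names produce the same pattern and need an allowlist.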

The Angler attacks kicked off after victims viewed malicious ads, he wrote.

On Monday, Trend Micro said it discovered a new zero-day in Adobe Systems’ Flash software after analyzing malvertisement attacks involving Angler. The malvertisement had been seen on the popular website Dailymotion.

The Flash flaw, CVE-2015-0313, is the third one found in the application in a month. Adobe plans to fix it later this week.

via Malicious advertisements on major sites compromised many, many PCs | PCWorld.

YouTube player ditches Flash, defaults to HTML5

YouTube videos on the web now default to using the HTML5 player, which should mean better performance, stability, battery life and even security for users.

The decline of Adobe Flash Player seems to be slow but irreversible as the biggest video service online has taken another step in making it irrelevant. YouTube started offering an experimental HTML5 player years ago, but only through the advancement of the standard and by working with browser creators was the service able to fully switch to HTML5.

The new player takes advantage of Adaptive Bitrate streaming (ABR) which allows YouTube to seamlessly switch between higher and lower quality streams for continuous playback regardless of network conditions. It also allows for live-streaming of content on consoles, devices like the Chromecast and regular browsers.

Of course this also means that watching video on mobile devices got better, especially if you were doing that through a web browser.

This change was a long time coming, so we’re glad it’s finally here, especially if YouTube delivers on all its promises. Now if only the company could make a decent player for consoles…

via YouTube player ditches Flash, defaults to HTML5 – Neowin.

Zero-day Flash bug under active attack in Windows threatens OS X, Linux too

A day after reports that attackers are exploiting a zero-day vulnerability in Microsoft’s Internet Explorer browser, researchers warned of a separate active campaign that was targeting a critical vulnerability in fully patched versions of Adobe’s ubiquitous Flash media player.

The attacks were hosted on the Syrian Ministry of Justice website at hxxp://jpic.gov.sy and were detected on seven computers located in Syria, leading to theories that the campaign targeted dissidents complaining about the government of President Bashar al-Assad, according to a blog post published Monday by researchers from antivirus provider Kaspersky Lab. The attacks exploited a previously unknown vulnerability in Flash when people used the Firefox browser to access a booby-trapped page. The attackers appear to be unrelated to those reported on Sunday who exploited a critical security bug in Internet Explorer, a Kaspersky representative told Ars.

While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well. Adobe has updated all three versions to plug the hole. Because security holes frequently become much more widely exploited in the hours or days after they are disclosed, people on all three platforms should update as soon as possible. People using IE 10 and 11 on Windows 8 will receive the update automatically, as will users of Google’s Chrome browser. It can sometimes take hours for the automatic updates to arrive. Those who are truly cautious should consider manually installing them. Windows users with Firefox installed must run a separate update for both IE and the Mozilla browser.

Kaspersky Lab researcher Vyacheslav Zakorzhevsky said the attacks were carried out in two separate exploits and were detected as early as April 9 by a general heuristic signature in the company’s AV network. Both of the SWF files are able to bypass security mitigations built in to Flash and Microsoft Windows, including Windows 8, he said. One of the exploits, embedded in a file titled include.swf, is designed to target computers that have the Cisco Systems MeetingPlace Express Add-In version 5x0 installed. The app is used to view documents and images during Web conferences.

“We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions,” Zakorzhevsky wrote. “We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.”

He continued:

When we entered the site, the installed malware payloads were already missing from the “_css” folder. We presume the criminals created a folder whose name doesn’t look out of place on an administration resource and where they loaded the exploits. The victims were probably redirected to the exploits using a frame or a script located at the site. To date, April 28, the number of detections by our products has exceeded 30. They were detected on the computers of seven unique users, all of them in Syria, which is not surprising considering the nature of the site. Interestingly, all the attacked users entered the website using various versions of Mozilla Firefox.

It’s likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this.

Moreover, while the first exploit is pretty standard and can infect practically any unprotected computer, the second exploit (include.swf) only functions properly on computers where Adobe Flash Player 10 ActiveX and Cisco MeetingPlace Express Add-In are installed. The Flash Player Pixel Bender component, which Adobe no longer supports, was used as the attack vector. The authors were counting on the developers not finding a vulnerability in that component and that the exploit would remain active for longer. All this suggests that the attackers were not targeting users en masse.


via Zero-day Flash bug under active attack in Windows threatens OS X, Linux too | Ars Technica.

IE’s Flash made Windows 8 most vulnerable Windows OS, research says

According to new research from the Denmark-based security company Secunia, out of all the Windows operating systems currently supported by Microsoft, Windows 8 is the most vulnerable. Dubbed Secunia Vulnerability Review 2014, the research says that while Windows 7 and Windows XP vulnerabilities doubled in 2013, it was Windows 8 which reported the highest number of flaws.

So, despite being touted as more secure than its predecessors, why is Windows 8 at the top of the vulnerability chart? Well, the reason is Flash — at least this is what the security firm says in its report. Out of 156 flaws reported in Windows 8, 55 were due to the integration of Adobe Systems’ Flash Player into IE.

Although Adobe’s Flash is widely known for being one of the most prolific sources of security vulnerabilities in Windows, this is the first time it’s directly affecting the image of Windows 8. Will it have any effect on Windows 8 sales? Probably not. While Microsoft’s latest operating system isn’t selling as fast as its predecessor, the software giant recently announced that it sold 200 million copies of Windows 8.

Secunia’s annual report on software vulnerabilities takes a look at 50 of the most commonly used programs and operating systems. This year’s report also says that the time gap between when a flaw is reported and when a fix is delivered is narrowing; 86 percent of the vulnerabilities found in the top 50 software products had a fix available on the day of disclosure.

via IE’s Flash made Windows 8 most vulnerable Windows OS, research says – TechSpot.

Flash Player, Reader and Shockwave Player get critical security updates

Adobe released security updates for Flash Player, Adobe Reader and Shockwave Player on Tuesday to address critical vulnerabilities that could allow attackers to take control of systems running vulnerable versions of those programs.

The Flash Player updates address four memory corruption vulnerabilities that can lead to arbitrary code execution. The updates are version numbers 11.8.800.168 for Windows and Mac OS X; 11.2.202.310 for Linux; 11.1.115.81 for Android 4.x; and 11.1.111.73 for Android 3.x and 2.x.

Users of Google Chrome and Internet Explorer 10 on Windows 8 will automatically receive updates for the Flash Player plug-in bundled with those browsers through their respective update mechanisms.

The same Flash Player vulnerabilities were patched in Adobe AIR, a runtime for rich Internet applications that also bundles Flash Player. Adobe released version 3.8.0.1430 of AIR and AIR SDK (software development kit) for Windows, Mac OS X and Android.

New versions of Adobe Reader and Adobe Acrobat XI and X were released to address eight arbitrary code execution vulnerabilities: three memory corruption issues, two buffer overflows, two integer overflows and one stack overflow.

Users of Adobe Reader or Acrobat XI for Windows and Mac OS X are advised to upgrade to Adobe Reader XI (11.0.04) or Adobe Acrobat XI (11.0.04), respectively. Adobe Reader and Acrobat X for Windows and Mac have also been updated to version 10.1.8.

Adobe’s Shockwave Player, an application required to display online content created with Adobe’s Director software, was updated to version 12.0.4.144 for Windows and Mac to address two memory corruption vulnerabilities that can lead to arbitrary code execution.

While not as popular as Flash Player, Shockwave Player is installed on 450 million Internet-enabled desktops, according to statistics from Adobe, which potentially makes it an attractive target for attackers.

via Flash Player, Reader and Shockwave Player get critical security updates | PCWorld.