Therefore the recommendation, if you can't disable Flash entirely, is to choose "Block by default" in Chrome's plugin settings so that you have to right-click and "Run This Plug-in" when you really want Flash to play. You can still whitelist if you want.
Ouch. I was under the impression that click-to-play was in fact treated as a security boundary, and finding out that it isn't severely downgrades my estimation of how secure Chrome is.
I do see how preventing clickjacking is hard, and you wouldn't want click-to-play as the only line of defense, but I think Chrome should at least make the effort to do so. A working click-to-play security boundary would reduce the number of sites that get to attempt to exploit me with Flash by more than an order of magnitude.
Click-to-play can never be a security boundary, and you don't need to know anything about the inner workings of Chrome to know that it isn't a security boundary.
Any website can induce you to click somewhere using a psychological trick (for example, a "Next Page" link in an article). There would be no reason to be concerned--after all, merely following a link on a webpage can't be unsafe, right? (After all, you know better than to download software from untrusted sources, so you won't do that. You're just browsing pages.) Then it could use a script to replace that link with a malicious plugin in the instant just before you are most likely to click. There--bypassed security boundary.
I find this "you don't need to know the inner workings" lesson analogous to a thought experiment I sometimes ask tech people. I quiz them: Can a USB storage drive harm your computer (install malware, etc.) merely by plugging it in, even if you know better than to run any executable files on it? The answer is (1) Yes, and (2) You don't need any specialized knowledge of how USB works to know this--you just need to know about the existence of USB keyboards. The USB device, despite appearing to be a thumb drive storage device, need merely identify itself as a keyboard, and it can start typing malicious commands after being plugged in.
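The "swap the link for a plugin just before the click" trick described in the comment above, as an added example that is not code from the thread, from Chrome or from any real malicious page. The attacker's page and the browser's click-to-play gate are modelled as plain objects with a millisecond clock so the example runs under Node without a DOM; the names, the 80 ms pointerdown-to-click gap and the MIN_VISIBLE_MS threshold are illustrative assumptions, not values any browser actually uses.

```javascript
// Constructed model, not real browser code. A "region" is whatever sits under
// the cursor: an ordinary link or a plugin placeholder. insertedAt is the
// millisecond (since page load) at which it appeared on screen.
const MIN_VISIBLE_MS = 500; // assumption: how long a plugin box must be visible before a click counts

function region(kind, insertedAt) {
  return { kind, insertedAt };
}

// The attacker's page shows a "Next Page" link and, on an early pointer event,
// replaces it with a Flash object so the pending click lands on the plugin.
function attackerPage() {
  let current = region('link', 0);
  return {
    current: () => current,
    swapToPlugin(now) { current = region('plugin', now); },
  };
}

// An honest page: the plugin placeholder has been there since load.
function honestPage() {
  const current = region('plugin', 0);
  return { current: () => current, swapToPlugin() {} };
}

// Naive click-to-play gate: any click on a plugin region runs the plugin.
function naiveGate(target) {
  return target.kind === 'plugin';
}

// Hardened gate: also require the plugin box to have been visible long enough
// that the user could have known what they were clicking on.
function hardenedGate(target, now) {
  return target.kind === 'plugin' && now - target.insertedAt >= MIN_VISIBLE_MS;
}

// Attacker swaps on pointerdown, roughly 80 ms before the click event the gate
// sees (assumed gap). Returns true if the plugin would run.
function pointerDownSwapAttack(gate) {
  const page = attackerPage();
  page.swapToPlugin(1000);            // pointerdown
  return gate(page.current(), 1080);  // click
}

// A more patient attacker swaps on hover and waits for the user to click.
function hoverSwapAttack(gate, dwellMs) {
  const page = attackerPage();
  page.swapToPlugin(1000);                     // mouseenter
  return gate(page.current(), 1000 + dwellMs); // click after the user hesitates
}

// A user who has looked at the honest page's plugin box for 3 s and clicks it.
function legitimateClick(gate) {
  const page = honestPage();
  return gate(page.current(), 3000);
}
```

The naive gate lets the pointerdown swap through; the hardened gate blocks it while still allowing the legitimate click. The hover variant shows the caveat: if the user hesitates longer than the threshold after the swap, the timing heuristic passes it, so a gate like this raises the bar but cannot be the only line of defense.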
Me too. I am every day more appalled by the lack of security of browsers. That being said, logically, if you also have javascript disabled, I presume click-to-play should be secure.
That malware is apparently not trying to infect Chrome, but Chrome still carries the vulnerable Flash and runs it by default. Maybe the author of that malware doesn't have or doesn't want to spend a Chrome sandbox escape to attack it, but such escapes have been found in the past, and others are likely lurking.
Thus the advice to disable or block Flash within Chrome, especially since Chrome's Flash hasn't yet been updated for this vulnerability.
One thing I've noticed is that FAR more sites do video backwards – using Flash if present, falling back to HTML5 if not – than actually do not support it. Spoofing the iPad user-agent gets almost all of the remaining sites.
Disabled ALL plugins on Chrome about a month ago and barely noticed any change.
I seriously advise everyone to disable all plugins now.
[Edit] chrome://plugins/
When I switched to Firefox from Chrome, Flash didn't come with it, and I left it like this. In the very rare case, I pop open IE or Chrome. Works great!
Agreed. Oddly enough, one of the only websites I have to open Chrome (which has Flash installed) for is ... Google Music. It has an HTML5 setting, but that seems to do nothing.
Curious, why not switch to Chromium instead? You would still want to disable plugins as you do now, but is there an advantage to using Chrome over Chromium once plugins are factored out?
Apparently(1) EMET prevents this Flash vulnerability from working. Might be time to install it from (2) with the extra "Popular Software" settings on your own PC and any you control.
"InfoSec Taylor Swift" (@SwiftOnSecurity) is a parody account, and I wouldn't trust it on whether EMET prevents this vulnerability or not. Not saying that it doesn't, just that we'd need more serious sources on that.
Swift on Security tends to be surprisingly on the pulse with respect to this sort of stuff. Of course check a second source but don't write Tay Tay off right away!
Note: under Windows, Chrome will install Flash by default, so it's not enough to uninstall the standalone Flash Player. The latest Chrome has Flash 16.0.0.287, which is vulnerable.
If you use Chrome, and want to be safe, go to about:plugins, and disable it manually.
Under Linux the latest is 15.0.0.223, which is not vulnerable (but I'm using Chrome 40.0.2214.10 beta, so YMMV).
Do you know that Chrome is vulnerable, or are you just going by the version numbers?
Chrome sandboxes plugins in order to give an extra layer of protection against exactly this kind of exploit. The interesting question will be how it helps in this case. Do you have any info?
I think it was the version bundled with Google's Chrome browser being referred to, and not the standalone Adobe Flash Player for Linux, which is quite old now.
It isn't actually very old – not much older than current releases on other supported platforms, because quite often security bugs affect it as well, and Adobe updates it as well.
Adobe has promised to support the NPAPI Linux plug-in for a few more years (IIRC till 2017). It doesn't get any new features, but security issues will be fixed, usually at the same time as on other platforms.
Note that Google provides newer versions of Flash player for Linux alongside Chrome. That version works on any browser that supports the Pepper plug-in interface (currently Chrome/Chromium (+forks)/Opera/? – and not Firefox).
And what is funny is that I noticed this morning some users with admin privs (long story) were ahead of my already delayed patching schedule (I am not in the US). Adobe has a distribution page for companies to deploy Flash and other stuff internally with "enterprise-y" installers, and I had to refresh until like mid-afternoon local time to see 16.0.0.296 and wondered if it was laziness or rushing.
Shame on you Adobe! Yet another hole in Flash, isn't it time to pack up your tent and move onto the dust bin of history?
Furthermore it's more shameful to release an update for the manual update users two days after the automatic update users get it. Get over yourselves already. This is already being exploited, push fixes out faster or at least at the same time.
And are you going to bin Apple and Microsoft too? Not going to use USB? Not going to use DNS? What hardware and software do you use that had no security flaws in the last year?
This is not the point. When you definitely can do something, you should do it. Other problems should not distract you from removing this particular software.
adobe flash_player has just under three hundred CVE entries for software flaws. (note to pedants: the NVD search includes GNU bullshit clones if you run a simple search on 'flash player')
apple quicktime has over two hundred -- and that's ONLY counting from OS X days (i.e., not including Mac OS days).
Writing network-enabled rich-content delivery platforms is a hard task. flash player is installed on a tremendous number of devices across a staggeringly diverse operating system segment. Problems are sadly impossible to avoid.
Firefox has more than 1100 -- again, not counting Mozilla days. Chrome has more than a thousand. Safari, commendably, has little more than five hundred. The point is nobody gets it right. Not even Steve Jobs.
>Shame on you [Company]! Yet another hole in [Product], isn't it time to pack up your tent and move onto the dust bin of history?
There haven't been many major pieces of software that didn't have at least one major security vulnerability reported in the last year. Apple's products being no exception.
I think the same thing would have resulted from almost any closed-source binary parsing remote data deployed on a huge number of different browsers. Flash, Java, and Adobe Reader present almost uniquely attractive attack surfaces due to their cross-browser ubiquity as well as their fragility.
That isn't making excuses for them, of course, but it gives us an important data point as to what behaviour to avoid in future. (I'm looking at you, Silverlight.)
https://crbug.com/174963