Adobe Flash 0-Day Vulnerability APSA18-01

Martin Brinkmann
Feb 2, 2018
Updated • Feb 26, 2018

Adobe released the security advisory APSA18-01 for Flash Player that confirms a critical security vulnerability in Flash Player 28.0.0.137 and earlier.

Flash Player 28.0.0.137 is the most recent version of the program, which means that all installed versions of Flash are affected.

Update: Adobe released a security update for the Adobe Flash Player products affected by the issue. The company fixed the issue in Adobe Flash Player 28.0.0.161.

Affected products:

  • Adobe Flash Player Desktop Runtime on Windows, Linux and Mac platforms.
  • Adobe Flash Player for Google Chrome on Windows, Mac, Linux and Chrome OS platforms.
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 on Windows 8.1 and 10.

Adobe plans to release an update for Flash Player in the coming week that patches the security issues. The company confirmed in the advisory that the vulnerability is exploited in the wild, and that it is aware of attacks against Windows users that use Office documents with embedded malicious Flash content distributed via email.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Adobe suggests that administrators enable Protected View so that documents open in read-only mode. To do so, select File > Options, then enable the Protected View options under Trust > Trust Center Settings > Protected View.

This mitigates the current attack type but it may not protect systems against other attacks that exploit the vulnerability.

It is recommended to uninstall Adobe Flash in the meantime, disable it, or at the very least set it to "click to play".

Günter Born's article on disabling the native Adobe Flash implementation offers instructions on how to do that. I don't want to quote the full article, but here are the basics.

Internet Explorer

Windows admins may use the following two Registry files to disable or enable the native Flash implementation on Windows in Microsoft Internet Explorer.

To disable Flash

Windows Registry Editor Version 5.00

; Block Flash Player in Internet Explorer: 0x400 sets the ActiveX kill bit for the Flash CLSID
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

; Same setting for the 32-bit registry view on 64-bit Windows
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

To enable Flash

Windows Registry Editor Version 5.00

; Unblock Flash Player in Windows 8, 8.1, 10: the leading "-" deletes each key, and the kill bit with it
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
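
The following PowerShell check is an added example, not part of the original article: it verifies, without changing anything, that the kill bit written by the "To disable Flash" Registry file is present in both registry views. The helper name Test-FlashKillBit and the status strings are assumptions made for this example.

```powershell
# Added example: read-only audit of the Internet Explorer Flash kill bit.
# Run from 64-bit PowerShell; a 32-bit host is redirected to Wow6432Node.
$clsid   = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'  # Flash CLSID from the article
$killBit = 0x400                                      # dword:00000400 from the article
$base    = 'Microsoft\Internet Explorer\ActiveX Compatibility'

$views = [ordered]@{ 'Native' = "HKLM:\SOFTWARE\$base\$clsid" }
if ([Environment]::Is64BitOperatingSystem) {
    $views['Wow6432Node'] = "HKLM:\SOFTWARE\Wow6432Node\$base\$clsid"
}

# Test-FlashKillBit is a hypothetical helper name used only in this example.
function Test-FlashKillBit {
    param([Parameter(Mandatory)][string]$Path)

    # A missing key is the state left by the "To enable Flash" file.
    if (-not (Test-Path -LiteralPath $Path)) { return 'KeyMissing' }

    $item  = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    $flags = $item.'Compatibility Flags'
    if ($null -eq $flags) { return 'ValueMissing' }

    # Compatibility Flags is a bit field, so test the bit instead of comparing
    # the whole value; other flags may be set alongside the kill bit.
    if (($flags -band $killBit) -eq $killBit) { return 'Blocked' }
    return 'NotBlocked'
}

$results = foreach ($view in $views.GetEnumerator()) {
    [pscustomobject]@{
        View   = $view.Key
        Status = Test-FlashKillBit -Path $view.Value
        Path   = $view.Value
    }
}
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or management agent flag the host.
if (@($results | Where-Object Status -ne 'Blocked').Count -gt 0) { exit 1 }
```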

Group Policy

You can deactivate Adobe Flash using the Group Policy as well if you administer PCs with professional editions of Windows:

  1. Tap on the Windows-key, type gpedit.msc and hit the Enter-key. This opens the Group Policy Editor.
  2. Use the hierarchy on the left to go to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management
  3. Double-click on "Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects" to open the policy.
  4. Set it to enabled, and click on ok.

Microsoft Edge

The Internet Explorer changes don't affect Microsoft Edge. You can disable Adobe Flash in Microsoft Edge directly or through policies.

Settings

To disable Adobe Flash in Microsoft Edge using the browser's settings, do the following:

  1. Open Microsoft Edge.
  2. Select Menu > Settings.
  3. Scroll down and click on "show advanced settings".
  4. Locate "Use Adobe Flash Player" and flip the preference to off.

Group Policy

  1. Tap on the Windows-key, type gpedit.msc and hit the Enter-key. This opens the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge.
  3. Double-click on "Allow Adobe Flash".
  4. Set the policy to disabled, and click on ok.

Comments

  1. chesscanoe said on February 6, 2018 at 8:14 pm

    https://get.adobe.com/flashplayer/about/ now shows for Opera under Windows 10 Home, I now have Flash 28.0.0.181 installed successfully. For me, Microsoft and Google have not yet provided a Flash fix for Edge, IE11, or Chrome yet.

  2. Wayfarer said on February 4, 2018 at 12:15 am

    Haven’t used Flash in years. Yet to miss it.
    Seems to me it can only ever be a security risk as long as daft people continue to be drawn in.

  3. Curtis K said on February 4, 2018 at 12:09 am

    Why is this program still alive? Chrome has it built-in

    1. Pierre said on February 5, 2018 at 5:17 pm

      The built-in in Chrome is Flash itself, a version maintained by Adobe and Google
      And not everybody uses Chrome
      Some sites still use Flash and if you uninstall or deactivate it, these sites no longer work or no longer work entirely

  4. Pierre said on February 3, 2018 at 3:15 pm

    In Internet Explorer (if someone still uses it) Flash may be disabled more easily by : tools, add-ons manager (?), in French : gérer les modules complémentaires

    1. ShintoPlasm said on February 4, 2018 at 12:37 am

      @Pierre: ‘Manage Add-ons’
      :-)

  5. 420 said on February 3, 2018 at 7:22 am

    so basically this only affects win 10 users with office and flash, lol.

    1. Martin Brinkmann said on February 3, 2018 at 8:05 am

      Also Chrome on all platforms and if you have Flash installed separately.

  6. Anonymous said on February 3, 2018 at 1:57 am

    I love Flash, but I uninstalled it. I only have a standalone runtime so that I can open SWF files by double clicking on them.

    I uninstalled it because WebAssembly means that feature wise, web standards have FINALLY caught up (geez, so many years of technological advancement lost, we almost ended up with proprietary apps and walled gardens winning over the open web because of this political shitshow).

    But also because privacy.resistFingerprinting disables Flash anyway since having it accessible to web content means you look unique no matter what.

  7. pHROZEN gHOST said on February 2, 2018 at 3:39 pm

    “The company confirmed in the advisory that the vulnerability is exploited in the wild, and that it is aware of attacks against Windows users that use Office documents with embedded Flash content that is malicious and distributed via email.”

    I would not be surprised to see MS prevent the use of embedded flash in Office documents.

  8. TelV said on February 2, 2018 at 3:18 pm

    Well I just confirmed that Flash is still installed on my system provided it’s set to Always Activate in spite of being ‘uninstalled’. Here’s the Adobe means of testing that: https://helpx.adobe.com/flash-player.html

    Here’s the link to the uninstaller although it isn’t much use if it doesn’t work: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html

    1. Tom Hawack said on February 2, 2018 at 6:25 pm

      @TelV, the screenshot shows you have more than one version of Flash installed. This is not good to start with. I had read on an Adobe forum that the running version of Flash should always be uninstalled prior to installing the updated version. True but never explicitly mentioned anywhere else. Doing so prevents issues as the one you encounter.

      Try uninstalling Flash again. Is Flash present in Windows Applications’ Uninstaller? If so repeat uninstall. I doubt it’s present. Otherwise you’d have to either proceed manually (by deleting the Macromed Flash directory and then cleaning up the Registry, which I don’t advise unless you really know what you’re doing) or by running an external software uninstaller which can proceed to uninstalls even for applications no longer present in Windows’ apps uninstaller…

      Last, you could delete the macromed flash directory manually and then clean the Registry with a Registry cleaner such as “Wise Registry Cleaner” which is not dangerous and rather skilled.

      1. TelV said on February 4, 2018 at 2:55 pm

        Hi Tom,

        Thanks for your response. The old versions of Flash shown in my screenshot are ActiveX versions so only attributable to IE11. I removed those simply by deleting them.

        The Flash.ocx is the current version v137 along with the others shown in my screenshot. Those can’t be removed since Flash has been embedded in IE since the advent of Windows 8.1. But I’ve disabled it via Manage Addons in IE so no big deal for the time being since I hardly ever use it anymore.

        I managed to remove Flash from Firefox/Basilisk and Waterfox by running the v137 installer again and then using the Windows uninstaller to remove them.

  9. TelV said on February 2, 2018 at 2:59 pm

    Had second thoughts and decided to uninstall it using Adobe’s own uninstaller. According to that it was removed, but on examination it still appears to be present in both NPAPI and ActiveX formats.

    Here’s a pix of it: https://imgur.com/a/9rFIF

    Here’s the path to the installation: C:\WINDOWS\system32\Macromed\Flash\NPSWF64_28_0_0_137.dll

    I’ve set it to “Never Activate” now, but a bit worrying that the uninstaller doesn’t work anymore.

  10. TelV said on February 2, 2018 at 2:36 pm

    Well, February 5 is just around the corner so no need to panic ;)

  11. Bobby Phoenix said on February 2, 2018 at 2:27 pm

    Affected products:

    Adobe Flash Player Desktop Runtime on Windows, Linux and Mac platforms.
    Adobe Flash Player for Google Chrome on Windows, Mac, Linux and Chrome OS platforms.
    Adobe Flash Player for Microsoft Edge and Internet Explorer 11 on Windows 8.1 and 10.

    I take it since it’s not listed that Firefox is safe?

    1. Yuliya said on February 2, 2018 at 2:30 pm

      > Adobe Flash Player Desktop Runtime on Windows, Linux and Mac platforms.
      I assume this includes the NPAPI plugin. So yes, the NPAPI plugin (which Firefox is able to use) should be affected by this as well.

  12. Yuliya said on February 2, 2018 at 2:17 pm

    What a brilliant idea it was to integrate Flash player into Windows. sarcasm

  13. Sophie said on February 2, 2018 at 2:15 pm

    I do still have some occasional uses for Flash, but have it disabled most of the time.

    What is disappointing, was the decision on the part of Adobe, to not allow the full offline installer any more. I NEVER used to install the ‘installer’ offering to the general public, preferring always to go the route of the offline package. Then they removed that, as far as I am aware, and mandated that all others should do so. I’m pretty sure that a long time ago, Martin wrote an article about just that.

    I did then find another source (I think there may be very few) for the offline installer, but I dare not say who that source is here, because I understand they may be in breach of Adobe’s conditions, and could be liable to law-suit.

    My view is that (whatever your views on Flash itself) Adobe are a pretty poor and bullying outfit, that remind me of another company, that happen to make a widely used operating system with the number ’10’ as part of their nomenclature.

    Bottom line: if they know that Flash is a vector for all sorts of woes, then is it not highly irresponsible, to make it harder for people to have choice, and get hold of the offline installer in the first place?

    1. Stefan said on February 3, 2018 at 12:59 am

      Use a fake user agent with the help from a user agent switcher ( f.ex this one: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher ), with ONLY a dot “.” on each line when You create a new user agent, then You can download the full offline installer. I do it every time ! (Note that Flash player is blocked from any online interaction on my computers (i only use HTML5 online), Flash can only be used by installed software.)

    2. Hy said on February 2, 2018 at 8:34 pm

      “Bottom line: if they know that Flash is a vector for all sorts of woes, then is it not highly irresponsible, to make it harder for people to have choice, and get hold of the offline installer in the first place?”

      I don’t understand–what exactly does the offline installer for Flash Player have to do with this vulnerability and/or Flash Player’s other woes? Thanks!

      1. Sophie said on February 3, 2018 at 12:03 pm

        @HY – the problem is that if you don’t use the offline installer, you have a heavier install, where control is taken away from the user, in terms of what that software does, or might do, and how it interacts with your PC.

        Many years ago, I had several PCs endlessly try and update Flash, in a loop, and never do it properly. I found hooks and all sorts of rubbish left by the installer, and I didn’t like that loss of control.

        With the offline installer, it’s much neater, tidier, and I never let it update for me. I always untick the part at the end of the install that auto-updates. I feel much more in control, and it’s tidy, and then on FF, I have a switch that turns Flash on and off, as needed, and 95% of the time, it’s off.

      2. Hy said on February 3, 2018 at 1:09 pm

        @Sophie “the problem is that if you don’t use the offline installer, you have a heavier install…”

        Thanks for your reply. I wasn’t aware of that. I used to use the flash player offline installer, always first dutifully using an exe from Adobe called uninstall_flash_player or something like that. But I got so tired of going through all of that every single time that when Adobe started offering automatic updating of flash player I availed myself of that. This is the first I hear that there’s a difference between the auto-update and the offline installer.

        Side note to Martin: It definitely seems that since the new theme change comments are sometimes taking longer–in some cases much longer–to appear. Don’t know if you are already aware of this, and if it can be fixed to make it like it was before, but I hope so!

    3. Richard Allen said on February 2, 2018 at 4:11 pm

      I uninstalled Flash from my system (Win7) a few months ago and now when I need to use Flash I use a modified version of Chrome Dev, Firefox v58 is my primary.

      Below is a link for an Adobe help page that I’ve been using for years to get the manual installer. Annoyingly, this is one of those pages that requires javascript be enabled to view it, normally when I land on a website that requires js to view the content I usually don’t bother, this link has always been one of my exceptions. I also have a link for the archive but I’m not sure if I’ve ever even seen the current version in there so it’s not very useful. Bottom of article, #8:
      “https://helpx.adobe.com/flash-player/kb/installation-problems-flash-player-windows.html”

    4. Tom Hawack said on February 2, 2018 at 3:44 pm

      @Sophie,
      > “What is disappointing, was the decision on the part of Adobe, to not allow the full offline installer any more.”
      I didn’t know that; before I had put a definitive end to Adobe Flash I used to download its updates, and several sites had them online. Not anymore then? Well, another reason to avoid it.

      Adobe’s Flash has been announced some time ago to be removed by the company. I forgot the exact date. Meanwhile the beast continues to harm, carries on its trail of vulnerabilities. As its “Acrobat Reader” is it? Both regularly pointed at as part of the major OS security offenders.

      It’s been around for so long. I even know some users who believe Flash is part of their OS, I’ve even heard a hot-line “techie” say so! ‘Was a time Flash was unavoidable to view videos in browsers (and elsewhere on the OS). This is over now. Flash is bound to disappear and my last words will be “Stay there in peace” :=)

      1. Sophie said on February 2, 2018 at 4:56 pm
    5. Ninveh said on February 2, 2018 at 3:18 pm

      You can download the off-line installer at:

      https://helpx.adobe.com/flash-player/kb/installation-problems-flash-player-windows.html

      Go to the bottom of the page under the “Still having problems?” heading, and see the links there.

      1. Sophie said on February 2, 2018 at 4:58 pm

        @Ninveh – Many thanks. It looks as though the magic link for Firefox at least, based on your link is….

        https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player.exe

        I’ll try it. Surprised by that, because they did seem to really lock it down, and a dedicated page they had spoke of decommissioning for some time, before they finally pulled it. Thanks again.

  14. leanon said on February 2, 2018 at 2:07 pm

    Removed 2 months ago and still haven’t needed it.

    1. leanon said on February 3, 2018 at 7:59 am

      Irrelevant edit: Removed more like 5 months ago and did find a few times could have used flash but found same videos in different format so…
