Patch or ditch Adobe Flash: Exploit on sale, booby-trapped Office docs spotted in the wild

In case you needed another reason not to open Adobe Flash or Microsoft Office files from untrusted sources: ThreadKit, an app for building documents that infect vulnerable PCs with malware when opened, now targets a recently patched Flash security bug. This means less-than-expert hackers can use ThreadKit to craft booby- …

  1. Anonymous Coward
    Anonymous Coward

    Forced to use Flash

    A lot of Educational Institutions outsource their entire IT to WhatsApp / Google-Docs / Office365 etc... And for dessert? - Flash!

    1. Anyone know what the threat landscape is like for Firefox -> Add-ons -> Adobe-Flash -> Always-Ask??? Can a loaded webpage bypass this in-browser setting... Have there been any reports?

    2. How about Office365 / Google-Docs virus-scanning etc, are these tech giants successful at rooting out these types of attacks, anyone know?

    1. Anonymous Coward
      Anonymous Coward

      Re: Forced to use Flash

      Yes, I had to have Flash on our house PC just so my kids could do their primary school maths homework. I made sure it was removed as soon as they left that school.

      Using Flash for anything in 2018 is just an exercise in pure unadulterated laziness.

      1. Anonymous Coward
        Anonymous Coward

        Re: Forced to use Flash

        I presume you're referring to mymaths?

        In addition to requiring that children use flash for their homework, my children's school also send out emails containing .pdf and the occasional .docx attachments. They also provide advice on Internet safety!

        Security aside, flash is also unavailable for the growing tablet/mobile user base.

        My current solution is to restore from a backup image once a week or so to remove all traces of flash.

        1. Anonymous Coward
          Anonymous Coward

          Re: Forced to use Flash

          My current solution is to restore from a backup image once a week or so to remove all traces of flash.

          It comes with windows 8 and higher on IE, so removing all traces of flash can be time consuming if you are using windows OS (disregarding macOS and linux).

          Instead of restoring from a backup once a week, you might be better off keeping a hard drive with flash and removing it when you don't want it to be used. Or install/ use flash in sandboxie/ VM, and delete the box as soon as you finished to save a lot of your time.

        2. Martin an gof Silver badge

          Re: Forced to use Flash

          Security aside, flash is also unavailable for the growing tablet/mobile user base.

          Or, indeed, on the Linux boxen I force everyone to use at home. Or at least, that's what I tell them. Some sites are improving though, many of the games on Cool Math Games (which the school likes) are now usable without Flash.

          The primary school is well aware that we don't "do" certain technological things, though that didn't stop one of the children coming home with homework to "write short reviews of your five favourite apps". Erm... not a tablet in the house, and the only Android phone in the house had no access to the Play Store (LineageOS without Google apps).

          Teacher was very apologetic, but it was very upsetting for a normally diligent 9-year-old, who really loves school, not to be able even to attempt the homework. I suppose a school iPad could have been borrowed to do the homework one lunchtime, but that's sort of missing the point.

          M.

        3. Robert Helpmann?? Silver badge
          Childcatcher

          Re: Forced to use Flash

          My current solution is to restore from a backup image once a week or so to remove all traces of flash.

          You might find it just as secure but less of a hassle to use a non-persistent VM and not restore the host machine so often. This essentially automates what you are doing now.

    2. Tom 64
      Coffee/keyboard

      Why does anyone still use this garbage?

      Flash should have been taken out back and shot years ago. Why is it still a thing?!?

      Oh yeah, because Microsoft took some Adobe money to default install it on Windows 10.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why does anyone still use this garbage?

        Flash is very useful for vendor lock-in from Microsoft's point of view, simple as that, nothing odd. You can't escape.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why does anyone still use this garbage?

          "Flash is very useful for vendor lock-in from Microsoft's point of view, "

          Flash still runs on Linux, even if Adobe no longer maintain it.

      2. Anonymous Coward
        Anonymous Coward

        Re: Why does anyone still use this garbage?

        "Oh yeah, because Microsoft took some Adobe money to default install it on Windows 10."

        I doubt that. Flash is disabled by default on Windows 10 except for a small list of trusted websites and doesn't run outside of the Edge browser.

        1. Tom 64
          Coffee/keyboard

          Re: Why does anyone still use this garbage?

          > "I doubt that. Flash is disabled by default on Windows 10 except for a small list of trusted websites and doesn't run outside of the Edge browser."

          Have you tried removing flash from Windows 10? You can't, not without a lot of hacking anyway. There is no uninstaller.

    3. Anonymous Coward
      Anonymous Coward

      Slow Broadband? BTWholesale's speedchecker still requires antiquated Adobe Flash.

      It's not as though this hasn't been raised before but anyone required to perform a BTWholesale line test still has to have Adobe Flash installed to send line diagnostic data to BT.

      Ofcom has a speedchecker, but it presents glowing rose tinted results (to make Ofcom look good), even when aggressive active traffic management by the ISPs is in place, slowing any single thread downloads to a crawl at peak times, with nothing to show if it's BTWholesale and/or the ISP at fault.

      Either the ISPs are 'gaming' Ofcom's speedchecker or Ofcom outsourced the building of the checker with no due diligence.

      1. rmason Silver badge

        Re: Slow Broadband? BTWholesale's speedchecker still requires antiquated Adobe Flash.

        @AC

        there's a non flash version of the common speed test tool.

        beta.speedtest.net

        *edit, and yes, ISPs traffic shape, and ISPs make sure those speed tests are as good as they can be.

        1. Anonymous Coward
          Anonymous Coward

          Re: Slow Broadband? BTWholesale's speedchecker still requires antiquated Adobe Flash.

          "there's a non flash version of the common speed test tool.

          beta.speedtest.net"

          Great, you got an ad in for speedtester Ookla.

          I know there are other methods other than Ofcom to test a broadband connection.

          What do you take the readers on here for?

          What is the point of individual customers testing their speed with Ookla, when the only way to get that data to BTWholesale/Openreach (and passed to your ISP for further diagnostics) is via the antiquated BTWholesale Speedchecker which uses (the well established) zero day security threat - Adobe Flash.

          (BTWholesale Speedchecker that tells you nothing regards local congestion, BTWholesale congestion, ISP internode congestion, ISP traffic shaping, ISP faults).

          The BTWholesale speedchecker is a complete load of sh.it, to put it bluntly, it tells you NOTHING as a customer, and needs a proper overhaul.

          Spend some money BT so customers can truly see the congestion/traffic shaping in place on your network.

          (The penny drops...).

          Traffic shaping is acceptable in the short term to deal with an increase in traffic but if an ISP does nothing to resolve that issue in the longer term, there needs to be some regulations placed on ISPs to have a deadline to lift traffic shaping, where the core flow of data is constantly hitting those limits either through a local issue, BTWholesale issue, or an ISP Internode / Network issue.

          Aggressive traffic shaping 9-6pm, 5 days a week, permanently - is not what traffic shaping should be used for, but there are UK ISPs doing this, and it doesn't show up on speedcheckers.

    4. John Smith 19 Gold badge
      Unhappy

      Wow. There really *is* an app for everything.

      Including creating docs with malware.

      Yea.

      How thoughtful.

      Who thought this was what the 21st century was going to be like?

  2. Mark 85 Silver badge
    Devil

    Today's belly laugh

    a Microsoft spokesperson said: ".......We continue to work closely with Adobe to deliver quality protections that are aligned with Adobe’s update process."

    The concept of "quality protections" from MS or Adobe....

  3. Grikath
    Angel

    Flash?

    A-haaaaaaaargh!!

    1. BebopWeBop Silver badge
      Joke

      Re: Flash?

      "Flash, I love you! But we only have fourteen hours to save the Earth"

  4. Mayday
    Megaphone

    Flash!!! Brrrrrrrrrrr!

    I wanted to watch the UFC on the weekend and the official UFC site only shows it in Flash.

    I don't trust Flash as far as Conor McGregor can throw heavy items at busses so suffice to say I went to the pub.

    Sites these days only using Flash is a surprise considering the issues and an exercise in laziness.

  5. JakeMS

    Still use it?

    Does anyone still use flash? I haven't had it installed since Adobe dropped support for Linux. There's no real good reason to have it installed. Youtube and co all work mostly on HTML5 now which means they don't require flash.

    Unless you want to play old flash games like "Kill Kenny" or "Strip That Girl" there is no reason to have flash installed these days.

    If your applications still require flash, time to either find new ones or take the source and upgrade them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Still use it?

      Sadly Adobe themselves seem in no hurry to get rid of this millstone that is around its neck.

      All the tutorials for say Lightroom etc need Flash.

      Sorry Adobe, I'm NOT going to install flash on my MacBook. It is a bug ridden bit of flea code that should have been exterminated years ago. Didn't the message you received from Steve Jobs about no Flash on the iPhone mean anything? Do you still have your head in your hands and you are singing nanananananana can't hear you?

      Get the shit sorted Adobe.

    2. Anonymous Coward
      Anonymous Coward

      Re: Still use it?

      myfreecams have only recently stopped using flash.

  6. Stork Silver badge

    LibreOffice

    Anyone know if it emulates well enough to be a risk?

  7. Alperian

    Jobs wounded Flash, then Adobe drove the stake into it.

    ...but it still breathes under sedation in the critical care unit.

    If I received a file with a SWF in it I would draw the conclusion that it had travelled through a time portal from the Noughties.

    One of the reasons that it can still be imported into various popular packages is simply that there has been nothing to replace it. Nothing with the flexibility and sheer power. Yeah, the same power that made it very annoying too.

    Try and get a complicated Canvas+JavaScript+ Movie+Sound into any document easily. Not going to happen. The encapsulation of Flash is a drug.

    YouTube only stopped using it as default in 2015.

    So the latest exploit is just another symptom of another part of its immune system breaking down. It keeps hanging on, but really someone should give it the last rites.

    Then maybe we can get a suitable successor.

    1. Tom 7 Silver badge

      Re: Jobs wounded Flash, then Adobe drove the stake into it.

      And yet still people keep using it! I found a flash video that was 43MB - all it was was a flash video someone made of an animated gif running for a couple of minutes ffs.

      We don't need high speed internet connections - we need to kill Flash and anyone who uses things that reduce effective bandwidth to that of two tin cans and no string.

  8. MrKrotos

    Clarification

    Watched the YT vid etc still not sure if this exploit requires access to macros in Word to action?

    All I saw in the YT vid was someone running something in a browser that asked to run, then after hitting "yes" ran an App. What am I missing?

  9. LadyK

    Try accessing online course content for Uni. 95% of it relies on Flash which means I can't access it from work PC's (break only, I'm not dodging work to study), from my ipad nor from my browser on my tv. I have an old siloed laptop which isn't connected to anything else and I'm not ars@d if it gets bricked but it means I have to wrestle the kids for it if I want to join my classmates and tutor for online lessons.

    And this is a Masters for IT Security Management!!

  10. Scroticus Canis
    Unhappy

    Flash is good, the BBC recommends it so it must be!

    Aunty Beeb still uses this for its on-line weather forecast video (and other stuff) and recommends you install Flash Player if it doesn't find it; tantamount to recommending downloading malware IMHO.

    Killed Flash on my machine yonks ago and don't have or need M$ Orrifice in any form.

  11. Anonymous Coward
    Paris Hilton

    Gone in a Flash, I wish, I wish, I wish

    It, Flash(32Bit), shows in my Control panel, I cannot remove it or do much else with it.

    Would like Microsoft to provide a "Flash removal update" or something, as they put it there.

    I have avoided Adobe for years, almost since DOS and alternative PDF and SWF viewers emerged.

    Which work better anyway.

  12. mark l 2 Silver badge

    Google could probably kill off Flash in a matter of a few months if they announced that they would be dropping support for it in the next release of Chrome. After all Apple never allowed it in the browser on iOS and it hasn't seemed to have dented their market share.

    Unfortunately there are still quite a few popular websites that require Flash to view the videos. When I last tried a few months ago the websites belonging to UK TV channels ITV, CH4 and CH5 needed Flash to stream the videos from a browser on a PC even though their apps will stream without it.

  13. Anonymous Coward
    Anonymous Coward

    My uni requires both flash and java for things to work right :(

  14. FozzyBear Silver badge
    Gimp

    IT security bod I know once likened using flash to jumping the wall to a high security prison dropping your pants, bending over and yelling "Come get it boys".
