Adobe Flash zero-day exploit... leveraging ActiveX… embedded in Office Doc... BINGO!

It's like a greatest hits album of terrible security policies
>theregister.co.uk/2018/12/05/flash_zeroday_adobe/

Attached: ClipboardImage.png (442x293, 125.39K)

Other urls found in this thread:

archivecaslytosk.onion/2018.12.06-204125/https://www.theregister.co.uk/2018/12/05/flash_zeroday_adobe/
archivecaslytosk.onion/
archive.is/fXTvF
twitter.com/NSFWRedditGif

I hate you niggers archivecaslytosk.onion/2018.12.06-204125/https://www.theregister.co.uk/2018/12/05/flash_zeroday_adobe/

It's like a greatest hits album of not knowing how to fucking post.


Researchers with Gigamon Applied Threat Research (ATR) and Qihoo 360 uncovered a phishing campaign that exploits CVE-2018-15982, prompting Adobe to today release an out-of-band emergency update to patch up the flaw.

In its current form, the attack bundles exploit code for the Flash zero-day (a use-after-free() bug) with an ActiveX call that is embedded within an Office document. The attacker delivers the document via a spear-phishing email. ATR noted that some of the samples appear to mimic documents from a Russian medical clinic, though others were not specifically targeted towards any one company or group.

When the target opens the poisoned Doc, the ActiveX plug-in calls up Flash Player to run the attack code. From there, CVE-2018-15982 is exploited and the malware looks to download its real payload; a remote control tool that collects system info, and relays it to a command and control system.

In the meantime, Adobe has issued a patch to address both CVE-2018-15982 and CVE-2018-15983, a separate DLL hijacking privilege escalation flaw reported by Souhardya Sardar of Central Model School Barrackpore.

Users and admins are advised to test and install the patches as soon as possible – or just dump the damn thing already. ®

sorry, noob here.

archivecaslytosk.onion/

archive.is/fXTvF

Reading through that, it seems more like MS Office is to blame than adobe flash, why the fuck does Office allow you to embed a flash file?
Yeah flash can be used for malicious intent, but the fact that it can download a remote payload isn't a bug, flash was intended for making websites more dynamic and as a consequence can retrieve files from a remote source. So what does adobe's patch fix? Does it remote the ability to download remote files?

ActiveX is retardedly insecure, it's worse than flash.

But who uses flash 2018 ?

The same people who use Microsoft Word and ActiveX.
Flash is probably big in the "instructional video + quiz + certificate about how to not jokingly reference women's lingerie in an elevator" business.

Corporate America

So when are we making the GoFundMe to buy Flash and liberate it?

Flash games are still pretty great in spite of how simple most of them are, or maybe it's the nostalgia talking.
I started trying to make a standalone swf viewer with python+qt5 using web plugins but had little success with it (no browser wants to run local flash files these days, which is ironic considering you can run them from within a office doc). First I had no luck in loading web pages with flash embeds, caused the application to crash. Fixed it finally but it required setting a couple variables in /etc/environment
Now pages with flash load, and it's definitely loading the file but doesn't display anything. Exact error prints repeatedly while swf is running:
IA__gdk_colormap_alloc_colors: assertion 'GDK_IS_COLORMAP (colormap)' failedIA__gtk_widget_modify_bg: assertion 'GTK_IS_WIDGET (widget)' failedIA__gtk_widget_get_visual: assertion 'GTK_IS_WIDGET (widget)' failed


Never, because anyone in charge of such a campaign would invariably seize the profits and promptly fuck off.

What about Gnash? Is it compatible with at least some flash games?

I never had any luck with gnash, I think it always croaked on flash games for me.

it's not a zero day after people know about it

So far I've tested:
and using a browser made from pyQt5 widgets fails because of some issue with gtk, it is technically loading the flash plugin and you can hear it, but it wont render it

I mostly use it for older Flash files. Anything that currently uses Flash started years ago and someone doesn't want to start over. Even animation studios that use it are slowly phasing it out.


Gnash is very hit or miss for me. I tried using the old standalone linux flashplayer, but that's also hit or miss. (It can be better or worse.)
A Windows VM set up with the current version of Adobe Flash (and then immediately disconnected from internet) might be the best option.

I recall total commander has a plugin for playing flash files

only allow flash for the site that requires it, like dagobah.net otherwise keep it off.


you mongols.

I work in animation and we heavily rely on Flash.
But soon switching to Toonboom, for reasons.

Nobody uses flash, grandpa


Fucking retard.

Why are you on a PHP site with a proprietary Perl cache server, Papa?

You're spot on, at work the higher ups made everyone take 5 training courses on various kinds of harassment and they were all running in flash the job wasn't shit, my manager told us to cheat on them by copying the answers

Société Générale uses flash in their online banking site. If you ever want to increase the meagre amount your bank card is allowed to withdraw per week or month, you need flash plugin. Or else I guess you can go down to the branch office and do it in person. But yeah, some places still use flash.

Some websites I use for school/work still use Flash. I don't know why.

Same user here, so for whatever reason the error I get with the pyqt5 browser on my native environment fails, where testing it inside a vm running ubuntu works, but with a caveat. My native environment requires python3 and is in some kind of limbo with qt5 because of webkit being deprecated but has not fully adopted webengine... flash files will load, but not display due to the aforementioned gtk/gdk errors, you can hear them but not see them.

On ubuntu I went through a lot of trouble getting said browser to work, because webkit/webengine are missing even after installing what I thought were the required packages, however, with python2 and some obscure pyside package, the browser functions as it should and actually will load flash files without issue, except an error coming from the open source video driver which makes me wonder if the problem on my native environment is the video driver, but different distro so it's hard to say.
It will probably be hell getting it to work on any other system because qt5 seems to be all over the fucking place.
Now I am not very good with python or anything for that matter, so is there a way I can package the working python script with it's dependencies so that it would work cross-platform? I think it could be a decent flash browser, at least until flash stops working entirely.

Since it ties into other things you've said, you should set up a Python virtual environment first with something like virtualenv. That way, you can test out various versions of Python and packages on your machine without fucking up the main install and have a controlled base. Another thing to test would be how QT4 behaves vs. QT5. Then, once you're set, I'd just distribute the entire environment you've created, maybe with a platform-specific Python executable as well.

I'll try to do that.
In the mean time, I've made a python script that you can put into a folder (I have one main swf folder with everything put into subdirectories) and it will recursively go through and create a list.html file in each one that contains a script and button list for calling a parent script in the main flash.html file in the topmost directory, the flash.html file has a button for each subdir that loads the list.html into an iframe, and clicking any button in the iframe loads the flash file, there's also a button for quickly hiding/showing the flash embed.
I just have to add one thing to the python script to generate the flash.html file, and for now it's as elegant a solution to playing flash files as I can manage.
Guess I could also add a couple buttons to change the resolution of the flash embed.

Okay, I think I'm done with this script.
It just needs to be dropped into a directory with flash files or folders of flash files, and run once.
Anything I should add to this?

Attached: flashbrowser.png (1164x821, 194.92K)

that looks like qute?

Personally, I'd just make the Python side a local web server instance that your PyQT browser talks to. Saves you the trouble of generating all the HTML files, as you'd need only one or two templates and you can have a separate about:config style page for adding directories where Flash files might be stored. Scanning that on startup for new files is all you'd have to do. Optionally, it can also have a Sqlite instance containing tags for easier library searches.

It is, despite requiring the pepperflash plugin it runs far better than firefox.


I wanted to avoid doing a local web server, otherwise I could have used better scripting languages embedded in the html for generating the DOM at runtime. It only generates an html file for every directory and I know a lot of people aren't very organized, so they may only end up with 2 or 3 files.
Forgot to mention that the script also removes the html files that match list.html and flash.html so that it can generate new ones when run again. It only needs to be run unless flash files are added to directories though.
For me it generates 8 files that are only around a few hundred kilobytes, and the script itself is only 28 lines.