
Adobe Incubates Flash Runtime for Firefox

The Adobe AIR and Adobe Flash Player Incubator program has updated its Flash Platform runtime beta to version 5, delivered as Flash Player version 11.2.300.130. It includes a “sandboxed” build of the 32-bit Flash Player that Adobe calls “Protected Mode for Mozilla Firefox on Windows 7 and Windows Vista systems”. It has been over a year since Adobe discussed the release of the Internet Explorer ActiveX Protected Mode version on their ASSET blog, and the version running inside Google Chrome was already sandboxed as well.

Adobe is building on the success it has seen with Adobe Reader X. Its sandbox has substantially raised the cost of “offensive research”, resulting in a dearth of in-the-wild (ITW) exploits against Reader X. As in “none” in 2011. This trend matches the 2011 targeted attack activity that we’ve observed. 2011 APT-related attacks nailed outdated versions of Adobe Flash code: the copy delivered as “authplay.dll” inside Adobe Reader v8.x and v9.x, and the general Flash component “NPSWF32.dll” used by older versions of Microsoft Office and other applications. Adobe Reader X just wasn’t hit. IE Protected Mode Flash wasn’t hit. Chrome’s sandboxed Flash wasn’t hit. If there are incident handlers out there that saw a different story, please let me know.

Adobe made, and is making, substantial investment in its defensive security efforts: they are a part of MAPP, they hired talent that is driving the effort in the right direction (an extremely difficult thing to do in the global corporate software market), they quickly release updates and they are closing holes. Could they do more? I suppose, but the large volume of security effort has been paying off for users who have updated to the most recent versions. The problem that remains is that folks need to upgrade. All too often, people forget that they are running outdated versions of the software, or have disabled its update options. And here is the glaring piece: targeted attackers knew about this problem. They hit law firms that didn’t bother to update, they hit board directors who think they are too busy or shouldn’t need to know the details of the software on their computers, they hit admin assistants who don’t have admin rights to change the software, they hit targets at organizations that “standardize” on one version or another and roll out patches on their own schedule. While I won’t provide detailed statistics on attackers’ misuse, unfortunately, Flash continues to be one of the most widely installed vulnerable software packages, enabling 2011 APT-related results like this:
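The practical problem described above is that Flash code lives in several places on a Windows host (the NPAPI plugin, the ActiveX control, and the copy embedded in Reader as authplay.dll), so an outdated build can survive even after the “main” player is updated. The following is an added example, not Adobe’s code and not part of the original post: a PowerShell inventory that lists the Flash components it can find and flags anything older than a reference version. The candidate paths and the default reference version (the Incubator build 11.2.300.130 mentioned above) are assumptions chosen for illustration; adjust both to your environment.

```powershell
# Added example (not Adobe's code): inventory Flash Player components on a
# Windows host and flag any that are older than a reference version.
# Assumptions: the search paths below are typical install locations, and the
# default reference version is the Incubator build discussed in the post.
param(
    [version]$Reference = [version]'11.2.300.130'
)

# Typical homes for Flash code: the NPAPI plugin (NPSWF32*.dll) and ActiveX
# control (Flash*.ocx) in the system Flash directories, plus the copy that
# Adobe Reader/Acrobat ships as authplay.dll.
$candidates = @(
    "$env:SystemRoot\System32\Macromed\Flash\NPSWF32*.dll",
    "$env:SystemRoot\SysWOW64\Macromed\Flash\NPSWF32*.dll",
    "$env:SystemRoot\System32\Macromed\Flash\Flash*.ocx",
    "$env:SystemRoot\SysWOW64\Macromed\Flash\Flash*.ocx",
    "${env:ProgramFiles(x86)}\Adobe\Reader*\Reader\authplay.dll",
    "$env:ProgramFiles\Adobe\Reader*\Reader\authplay.dll",
    "${env:ProgramFiles(x86)}\Adobe\Acrobat*\Acrobat\authplay.dll"
)

function Get-FlashComponent {
    foreach ($pattern in $candidates) {
        # Missing directories are expected (not every host has every product),
        # so suppress the "path not found" errors rather than stopping.
        Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            $ver = $null
            if ($raw) {
                # Flash binaries report versions as "11,2,300,130" or
                # "11.2.300.130"; normalise to a [version] for comparison.
                try { $ver = [version](($raw -replace ',', '.') -replace '\s', '') }
                catch { $ver = $null }
            }
            [pscustomobject]@{
                Path     = $_.FullName
                Version  = $ver
                # Unparseable or missing version info is treated as suspect.
                Outdated = ($null -eq $ver) -or ($ver -lt $Reference)
            }
        }
    }
}

Get-FlashComponent | Sort-Object Outdated -Descending | Format-Table -AutoSize
```

Two caveats for anyone running this. First, authplay.dll carries the version of the Flash runtime bundled with that Reader release, which lags the standalone player, so a comparison against the standalone version number tells you the embedded copy is older but not whether Adobe has shipped a Reader update that fixes it; check the Reader version separately. Second, the path list is deliberately conservative and will miss Flash code bundled inside other applications, which is exactly the kind of copy that tends to be forgotten.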

This latest release moves defense forward in the right direction; the next big step is getting the software that is already out there upgraded.
