3

Many browsers have received updates to protect against the Meltdown and Spectre attacks. I presume these patches relate (solely) to JavaScript execution within the browser. Java in the browser is as good as dead, so that's not affected. But even though the technology is dwindling, Flash is still out there.

I haven't found any information about patches for Adoble Flash Player. Should we be concerned about attacks using the Flash executable code? Is there any other mitigation than the mitigation strategy of disabling it altogether?

Maarten Bodewes
  • 4,562
  • 15
  • 29
  • 1
    I'm not sure that Meltdown/Spectre increase the risk noticeable which you already have accepted by having Flash installed in the first place. – Steffen Ullrich Jan 26 '18 at 13:51
  • Well, officially Flash is still a sandbox environment...possibly by now without any kids or sand. I get your point but the question still stands. – Maarten Bodewes Jan 26 '18 at 13:57
  • 1
    *"Should we be concerned about attacks using the Flash executable code?"* Yes, you should be for 18 years now. The security track record of Flash is abysmal. That's why the browser vendors have decided that it needs to die. – Philipp Jan 26 '18 at 14:00
  • Asked [here](https://forums.adobe.com/message/10132076#10132076) - requires account setup to participate. The last vulnerability of 9 January was an out of bounds, so I guess that shows that Flash remains a rather vulnerable technology. – Maarten Bodewes Jan 26 '18 at 17:31

1 Answers1

5

I cannot find any official statement from Adobe about the problem. But, Flash seems to have bytearrays shared between workers which are similar to SharedArrayBuffer in Javascript and probably can be used for high precision timing. Therefore I think that running Flash content can actually increase the risk of a Meltdown/Spectre attack. Still, given the security track record of Flash I think that there is already a large risk when using Flash in the first place and that Meltdown/Spectre attacks only add a little bit on top of that.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • I'm afraid this is the correct answer. As I can still download Flash from Adobe I do think this is however a very irresponsible... I'll contact them and see what they have to say. – Maarten Bodewes Jan 26 '18 at 17:02
  • the link offers timers with resolution of 50-100ms and another (metronome) with 10ms resolution. neither one is even close to precise enough for the attacks inquired, which want 1000X+ more precision. – dandavis Jan 26 '18 at 19:56
  • 2
    @dandavis: you are right. I've added that Flash has also shared byte arrays similar to SharedArrayBuffer in Javascript which can be used for timing. – Steffen Ullrich Jan 26 '18 at 20:26