Category: Flash

Oct 14 2015

“USB Killer” flash drive can fry your computer’s innards in seconds

USB sticks have long been a mechanism for delivering malware to unsuspecting computer users. A booby-trapped flash drive, for instance, was the means by which the US and Israel reportedly infected Iran's Natanz uranium enrichment facility with the Stuxnet worm. And, in case anyone thought USB stick attacks had lost their novelty, last year's Bad USB proof-of-concept exploit delivered a highly programmable attack platform that can't be detected by today's defenses.

Now, a researcher who goes by the name Dark Purple has created a USB device that can permanently destroy much of a computer's innards, rendering the machine little more than an expensive doorstop. Within seconds of being plugged in, the USB stick delivers a negative 220-volt electric surge into the USB port. As the video below demonstrates, that's enough to permanently damage the IBM Thinkpad receiving the charge.

As viewers can see, the USB stick looks normal, and there are no outward signs it's malicious. But the USB Killer 2.0, as its creator calls it, takes computer attacks on a less-traveled road that leads to physical destruction. According to this post from The Daily Mail, an earlier and less powerful version of the device drew power from USB ports using a DC-to-DC converter until it reached negative 100 volts. At that point, the power was directed into the computer. The process ran on a loop until the circuitry failed. It's likely Version 2 works similarly.

Read 1 remaining paragraphs | Comments

Jul 20 2015

Firm stops selling exploits after delivering Flash 0-day to Hacking Team

Security firm Netragard has suspended its exploit acquisition program two weeks after it was found selling a potent piece of attackware to the Italian malware developer Hacking Team.

Netragard has long insisted that it sold exploits only to ethical people, companies, and governments. An e-mail sent in March and leaked by one or more people who compromised Hacking Team networks, however, showed Netragard CEO Adriel Desautels arranging the sale of an exploit that worked against fully patched versions of Adobe's Flash media player. Hacking Team, in turn has sold surveillance and exploit software to a variety of repressive governments, including Egypt, Sudan, and Ethiopia.

"Our motivation for termination revolves around ethics, politics, and our primary business focus," Desautels wrote in a blog post published Friday. "The Hacking Team breach proved that we could not sufficiently vet the ethics and intentions of new buyers. Hacking Team unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations."

Read 6 remaining paragraphs | Comments

Jul 17 2015

0-day attacks exploiting Flash just got harder thanks to new defenses

A string of weaponized attacks targeting Adobe's Flash media player—including three in the past 10 days—has kept software engineers scrambling to fix the underlying vulnerabilities that make the exploits so dangerous. Fortunately, they have also been busy making structural changes to the way the program interacts with computer operating systems to significantly reduce the damage that can result not only from those specific attacks but entire classes of similar ones.

At the moment, the defenses are fully implemented only in the Flash version included in Google Chrome, having made their debut earlier this week. One of the two mitigations is available in other versions of Flash, and the remaining one is expected to be added to other browsers in August. Had they been widely available earlier, they likely would have blunted the effects of at least some of the three most recent zero-day vulnerabilities, which were leaked following the thorough hack of Hacking Team, the malware-as-a-service provider that catered to governments around the world. To block entire classes of new exploits, Adobe engineers, with the help of their counterparts at Google's Project Zero team, have made two key changes.

The first, which is currently available only in Chrome, is a new partition added to the heap, which is a large pool of computer memory. The partition isolates different types of memory contents, typically known as objects, from each other so one can't be used to hijack or otherwise tamper with another. Heap partitioning has long been a mainstay in Chrome and other browsers. Now it's a key defense in Flash.

Read 7 remaining paragraphs | Comments

Jul 15 2015

Ubuntu PC maker System76 abandons Flash, says it’s too dangerous

Ubuntu PC maker System76 will stop installing Adobe Flash on its laptops and desktops, saying the software is too dangerous and is no longer necessary."In 2007 System76 was granted a license from Adobe to pre-install Flash on all our laptops and desktops," the company said in a blog post yesterday. "In terms of making a great first impression with our customers, especially those new to Ubuntu, this was an important detail."

But Web content generally works well without Flash these days, and the software has been afflicted by repeated security problems, System76 noted.

This week, Adobe issued an emergency update for Flash Player to patch two critical zero-day vulnerabilities that allow attackers to install malware.

Read 4 remaining paragraphs | Comments