Bye Bye Flash! Part 2.5. Microsoft Edge Is Going “Click To Flash”

https://labsblog.f-secure.com/2016/07/25/bye-bye-flash-part-2-5-microsoft-edge-is-going-click-to-flash/

http://labsblog.f-secure.com/?p=1895

After last Thursday’s article on how Firefox will start reducing support for Flash, I received some comments pointing me to an announcement from Microsoft, back in April, where they stated that their Edge browser would also move towards a “Click to Flash” approach. The announcement notes that Flash plugins not central to the web page will be intelligently paused, and that content such as games and video will continue to run normally. This change to Edge will be delivered in the anniversary update of Windows 10.

I’d like to point out that we did notice this news back in April, and kudos to Microsoft, and the Edge team, for making this happen.

Microsoft Edge Logo (source: microsoft.com)

Why didn’t we talk about this at the time? Well, Edge only works on newer Windows versions. It seems that Microsoft won’t make their 1 billion target for Windows 10 installs, and at current count, Windows 7 still has about 50% market share. So, we’re still waiting for that all-important announcement about Flash and Microsoft Internet Explorer.


Tagged: Edge, Exploit Kits, Flash, Internet Explorer, Kyb3r

Bye Bye Flash! Part 2 – Firefox Plans To “Reduce” Support For Flash

https://labsblog.f-secure.com/2016/07/21/bye-bye-flash-part-2-firefox-plans-to-reduce-support-for-flash/

http://labsblog.f-secure.com/?p=1859

Earlier this year, in our 2015 Threat Report, our own Sean Sullivan predicted that Chrome, Firefox, and Microsoft would announce an iterative shift away from supporting Flash in the browser by 2017. Last month, we covered the announcement made by Google.

As predicted, just yesterday, the Firefox developers made a similar announcement on their blog.

Mozilla Firefox logo. Source: https://www.mozilla.org/

Firefox will begin dropping Flash support by blocking specific SWF files via a blocklist. The list will initially contain just plugins designed for “fingerprinting”. As stated by the Firefox developers, the criteria for adding content to the blocklist are:

  • Blocking the content will not be noticeable to the Firefox user.
  • It is possible to reimplement the basic functionality of the content in HTML without Flash.

The blocklist will be expanded to cover more types of content throughout this year, and by the beginning of next year, Firefox will require click-to-activate approval from users before a website activates the Flash plugin for any content. The next major Firefox ESR (Extended Support Release), scheduled for March 2017, will, unfortunately, still continue to support plugins such as Silverlight and Java until early 2018.

The guys at Mozilla state that these changes will improve browsing stability, battery life, and performance. For us, the great news is that these changes will improve browsing safety, by greatly reducing the attack surface exploit kits have to work with.

And with that announcement, it’s two down, one to go.


Tagged: Exploit Kits, Firefox, Flash, Kyb3r

Malware History: Code Red

https://labsblog.f-secure.com/2016/07/19/malware-history-code-red/

http://labsblog.f-secure.com/?p=1851

Fifteen years (5479 days) ago… Code Red hit its peak. An infamous computer worm, Code Red exploited a vulnerability in Microsoft Internet Information Server (IIS) to propagate.

Infected servers displayed the following message.

Welcome to http://www.worm.com !

Description: Worm:W32/CodeRed

See @mikko’s Tweet below for a visualization.


Tagged: Code Red, Historical, Kyb3r, Worm