Adobe Flash Zero-Day Attack Underway

kdawson posted more than 5 years ago | from the gone-in-a-flash dept.

Security 246

Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"

And people (5, Insightful)

Anonymous Coward | more than 5 years ago | (#23567567)

And people wonder why I use noscript and flashblock. When untrusted ads in flash are being served on big "trusted" websites people are eventually going to get bit.

Re:And people (5, Insightful)

mrbluze (1034940) | more than 5 years ago | (#23567607)

> And people wonder why I use noscript and flashblock

I imagine those using the malware are not hoping that sensible people such as yourself get infected at all, but the PCs belonging to the members of the unwashed e-masses who wouldn't have the foggiest what anyone's talking about. Their computers are much better because the life of your exploit is likely to be long and chances of anyone chasing and finding you are slim.

Re:And people (5, Informative)

Daengbo (523424) | more than 5 years ago | (#23567713)

That's why you should be using Gnash. Monoculture (all Flash being played by Adobe Flash player) is a bad thing when an infection occurs.

Re:And people (1)

mrbluze (1034940) | more than 5 years ago | (#23567733)

> That's why you should be using Gnash

I tried it once and didn't like it at the time, but I might try again. I remember someone referring to it as "all it really does is let me watch banner ads". Does it work properly yet?

Re:And people (1, Insightful)

NoobixCube (1133473) | more than 5 years ago | (#23567881)

Last time I used it, about two months ago, it didn't show a Youtube video properly. Since that's pretty important to a lot of Flash users, I wouldn't say it's ready yet.

Re:And people (5, Informative)

Anonymous Coward | more than 5 years ago | (#23567899)

It plays them now

Re:And people (3, Informative)

Anonymous Coward | more than 5 years ago | (#23568029)

I find swfdec [freedesktop.org] to be better with youtube atm

Re:And people (4, Interesting)

pizzach (1011925) | more than 5 years ago | (#23568163)

Even if the current version in your distribution's repositories is not able to play YouTube videos, the cvs version at least can. I remember reading somewhere that getting and keeping YouTube movies playable was a top priority.

Re:And people (1)

David Gerard (12369) | more than 5 years ago | (#23568359)

It doesn't play Weebl and Bob [weebls-stuff.com] videos properly yet, so I can't put it into place until it does or my kid's too old for Weebl and Bob (probably around sixty).

Re:And people (0)

Anonymous Coward | more than 5 years ago | (#23568191)

If it worked at all.
I use swfdec to open youtube videos and download them before it crashes itself and firefox. It doesn't even play anything until you ask it to, so it is more secure than Adobe plug-ins even if less stable.
Gnash is yet to display anything right. And what's wrong with you GNU zealots that force us to have no flash in the Windowses we are forced to use. Not that it is a big loss. I wish all those "creative" web designers went to hell and we went back to plain HTML. Something you could (and still can) display with 1k now takes up half a Meg.
Shame on you Web 2.0!

Re:And people (0)

Anonymous Coward | more than 5 years ago | (#23568405)

I'm running a 64-bit fork of Ubuntu Hardy called Ultimate Linux.


Adobe's flash player doesn't work 64-bit, and as far as I know it doesn't even work 32-bit with pulse audio ... which Hardy uses.

So I'm running firefox 3.0 beta 5 and gnash 0.8.2.


As it says on the gnash website:
"Streaming Video
        Gnash supports the viewing of streaming video from popular video sharing sites like Lulu.tv or YouTube.com."

Perfectly correct. On Ultimate Edition 1.8 Linux, gnash supports Youtube videos. Even with Firefox, even with Pulse Audio, and even with a 64-bit OS. ... Probably about the only thing it doesn't support is this 0-day vulnerability ...

Re:And people (0)

Anonymous Coward | more than 5 years ago | (#23568535)

Yeah, Gnash 0.8.2 comes with Hardy Heron as well, and seems to handle Youtube just fine.

Re:And people (5, Insightful)

Opportunist (166417) | more than 5 years ago | (#23567775)

That's pretty much it.

It's nice for you that you don't get infected. But you don't count (not trying to belittle you, nobody counts). What counts is numbers. And for one person who knows what he's doing when clicking a link, there's thousands who don't know the difference between browser, flash and the OS.

And these people are a problem. They become spam relays, increasing traffic (and making spamfilters a necessity). They get ripped off by password stealing trojans, making the services they use more expensive for everyone in turn (because neither banks, nor amazon, nor ebay simply swallow the loss, they just have everyone pay a few cents more).

And no, I have no solution for the problem. Unfortunately I'm not in the position to dictate who may use the net and who may not. Actually, the ones that do have the legal muscle to dictate it want those "unwashed masses" rather than people who know how to use their computers. The former group tends to buy. The latter tends to know how to do it themselves.

Re:And people (4, Funny)

NoobixCube (1133473) | more than 5 years ago | (#23567887)

An example of the knowledge of the masses: When I commented to my mother that I spent the day watching flash cartoons, she thought I meant animated porn.

Kids these days... (2, Funny)

Digestromath (1190577) | more than 5 years ago | (#23568435)

Back in my day the only way to animate porn was flip the pages real fast. When technology does all the hard work for you, you lose any sense of personal accomplishment.

Re:And people (3, Insightful)

Anonymous Coward | more than 5 years ago | (#23568073)

> And these people are a problem.

Only in the sense that people who get the flu are a problem. The real troublemaker here is a tiny program called Flash which needs updates every few weeks to fix yet another vulnerability. The quality of that program is atrocious, especially considering its market penetration and the size of the company which spawned it. Pointing fingers at people who do not make system maintenance their mission does exactly nothing to solve the problem. The only people who can solve it are the people who write bad software, and with very few exceptions that's all software today.

Re:And people (1, Insightful)

Anonymous Coward | more than 5 years ago | (#23568501)

>life of your exploit is likely to be long...

Made all the more so due to a lack of an automated update mechanism for adobe flash

Re:And people (5, Insightful)

Anonymous Coward | more than 5 years ago | (#23567657)

Protip: Noscript will not save you.

I am not saying it wouldn't HELP both in usability of websites and security. I use it myself, too.

I am, however, saying that it keeps you a lot less secure than many (not specifically the person I'm responding to) seem to think.

I have used NoScript for half a year or so (Well, a bit longer I think but half a year on this OS install, this whitelist, etc.)

What does this mean? I have several hundreds of, possibly thousands of, whitelisted websites. I play a lot of small flash games to kill time so I have addictinggames, miniclips, arcade and a dozen other flash game sites whitelisted.

"I know the webmaster of arcade.fi personally, a good guy, I can keep his website whitelisted, right?" Well... I also know he buys most of the games from freelance coders in India. Quite cheaply. How can I be certain that one day in one of these programs won't be a zero day exploit? I can't. So a trusted website that has always been trusted might still not be trustworthy.

Same with many other sites. I (and I know many others of you) have also many pornsites whitelisted, how do I know one of those trusted websites with a lot of traffic won't one day have been hacked to have some exploitation code? I don't.

NoScript won't protect me against any sites that I visit often, really.

Re:And people (1, Informative)

Anonymous Coward | more than 5 years ago | (#23567675)

NoScript is like a condom. It will only protect you if you use it properly. If you know one of your lovers is sleeping around with hundreds of others, perhaps it is time to see someone else. Otherwise you're going to get the HIV^Wmalware.

Re:And people (2, Informative)

Anonymous Coward | more than 5 years ago | (#23567789)

That's what temporary permissions are for. I have a very small, very select list of whitelisted sites, and everything else is temporary as needed. Plus, I have all flash objects blocked until I allow them. Period. Even trusted sites get this restriction -- I don't like my browser autostarting some annoying flash clip just because the site author thought it would be cute to include their "pet spider" on their website.

Flash dependent sites (5, Interesting)

Mathinker (909784) | more than 5 years ago | (#23568247)

> That's what temporary permissions are for.

Yes, I use them all the time, but what does that really mean? After I temporarily enable Flash/JS malware for a badly designed site which is just not viewable without them, I'm not going to get temporarily "pwned". It's already "game over".

Except for times like this, if the choice is enabling JS/Flash, or not getting information I was interested in, my thirst for information wins, all other things being equal (i.e., the URL looks like a legitimate one, etc.)

I never enable JS or Flash in order to see sites which I get to through advertisements, however.

Re:And people (0)

Anonymous Coward | more than 5 years ago | (#23568483)

Protip: don't play flashgames on the internet.

It's basically the dancing pigs problem.
Using NoScript, but disabling it to use those funny sites is the same as having a dual-boot machine and using Linux for work, but when you play games or browse the internet using Windows which shares the same drives.
You can still get infected by a windows virus, run the risk of having critical data stolen or having files corrupted.

Just don't play those webgames, or run it in a sandbox (VM machine that you scrub every time).

NoScript WILL Save You (most of the time) (4, Informative)

Giorgio Maone (913745) | more than 5 years ago | (#23568525)

SWF and other payload files cannot be uploaded and hosted on the compromised web server as easily as SQL-injecting a script fragment which downloads them from a 3rd party site in full control of the attacker. In this and all the recent mass-infection cases [hackademix.net], the 3rd party hosts have been improbable Chinese domains likely registered ad hoc (such as wuqing17173.cn, woai117.cn or dota11.cn), and very unlikely to be in your NoScript whitelist, no matter how savage your browsing habits could be.

So in all "real world" scenarios seen so far, this one included, you are protected by NoScript in its default configuration, which blocks 3rd party embeddings even if you're visiting a trusted page.

Then if you want extra protection for the use cases you've listed (i.e. frequent usage of Flash-intensive community driven web sites), you can also configure NoScript to block ALL the embedded objects [hackademix.net], with no regard for their origin: you will still be able to temporarily allow them selectively, by clicking on a visual placeholder.
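A site-operator counterpart to the third-party blocking described in the comment above, as an added example that is not part of the original thread: it lists every script, iframe, embed or object on a page whose source host is neither the page's own host nor on an allowlist. The function name, the sample page and all hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that pull in active content, and the attribute naming where it comes from.
ACTIVE_SOURCES = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class ThirdPartyFinder(HTMLParser):
    """Collects (line, tag, host) for active content loaded from other hosts."""

    def __init__(self, page_url, allowed_hosts=()):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_SOURCES.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return  # inline script or empty attribute: no remote source
        # Resolve relative and protocol-relative ("//host/x") references first.
        host = urlsplit(urljoin(self.page_url, value.strip())).hostname
        if host and host != self.page_host and host not in self.allowed:
            self.findings.append((self.getpos()[0], tag, host))


def find_third_party(html, page_url, allowed_hosts=()):
    """Return a list of (line_number, tag, host) for non-allowlisted sources."""
    finder = ThirdPartyFinder(page_url, allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a forum page with its own script, an approved CDN script,
# and two references to hosts the operator never added.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.forum.example/lib.js"></script>
</head><body>
<p>Post title<script src="http://injected.example/b.js"></script></p>
<embed src="//media.injected.example/clip.swf">
<object data="movies/intro.swf"></object>
</body></html>"""

if __name__ == "__main__":
    hits = find_third_party(SAMPLE_PAGE, "https://forum.example/thread/1",
                            allowed_hosts={"cdn.forum.example"})
    for line, tag, host in hits:
        print(f"line {line}: <{tag}> loads from {host}")
```

Run against pages as they are rendered from the database, this surfaces the kind of injected third-party reference the comment describes without needing a signature for any particular payload.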

Re:And people (1)

stzein (738194) | more than 5 years ago | (#23567679)

noscript blocks flash too, no need for flashblock. I do recommend noscript to everyone I know, but most people just don't care.

Re:And people (1, Insightful)

Anonymous Coward | more than 5 years ago | (#23567837)

Yes, but if you use both you can run java-script on a site and still not get the Flash crap from the same site. It's a little easier for me than to run noscript alone.

Adding adblock into the mix is good too.

Re:And people (1)

lgw (121541) | more than 5 years ago | (#23568341)

The sure way to block flash: just uninstall it! http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14157 [adobe.com]

Do I need flash for anything but watching Youtube these days? C'mon Google, you guys are supposed to be the masters of all web technology, won't you please change Youtube to use some more secure technology so I can abandon Flash entirely?

Re:And people (2, Interesting)

grm_wnr (781219) | more than 5 years ago | (#23568511)

There is no alternative to Flash. Flash would likely be marginalized by now if FLV hadn't come along; it saved Flash's ass and, to Adobe's credit, made ubiquitous video on the web a reality. Seriously, remember the olden days? Quicktime and WMV, of which the former works fine on Mac OS but is an abomination of a plugin on Windows (easily worse than Flash), and the latter being what you went with if you wanted shit to work for at least the majority of people, even though it was horrible and, philosophically speaking, just plain WRONG? Or use Java, with its massive startup time and memory footprint, to play the pretty laughable (right now) Theora codec? Flash is (relatively) fast, crossplatform, and EVERYWHERE, so it's the smallest of a whole lot of evils. Unless you want Google to include a video layer in their toolbar, and therefore be forced to install it, your best bet is to bother Adobe to make Flash more secure.

Re:And people (2, Interesting)

zwei2stein (782480) | more than 5 years ago | (#23567697)

Well, using ad-blockers like this is considered to be taboo behavior in most forum communities.

I have seen it quite a few times, someone had problem with noisy ads, someone else suggests adblock, site admin appears, has long sad speech how adblockers are worst thing ever and bans person suggesting use of adblock and tells person which has problem with ads to deal with it or move on.

There is some pressure NOT to use such tools. And nice people do listen.

Re:And people (3, Insightful)

Opportunist (166417) | more than 5 years ago | (#23567799)

Well, ads are a necessity for many pages. Someone has to pay for it. So of course they don't enjoy adblockers.

On the other hand, invasive and outright obnoxious ads tend to kill the experience, so people start looking for ways to get rid of them.

As usual, the best way is something both sides can "live" with. Take /. Yes, the page has ads. Yes, I see them (sometimes I even click on some). They don't bother me. They are topical. Often even interesting. So I don't block them. And I'm fairly sure nobody here took /. as the reason to start hunting for an adblocker.

It's pages that run full page in-your-face ads that make their users turn to adblockers. And those ads will be blocked. Some pages turned to tools that ensured that, if you block their ads, you don't get to see their content. Which in turn often backfired and kept people who didn't block the ads but just happened to have some sort of freaky setup to be locked out as well.

Hmm... honestly, I didn't want to turn this into a tirade about DRM.

Re:And people (2, Insightful)

Anonymous Coward | more than 5 years ago | (#23567827)

> and tells person which has problem with ads to deal with it or move on.

To which the correct response is "screw you, your crappy ad-riddled forum and the horse you rode in on".

These asshats just don't get it. If I have configured MY browser not to obey every link on your shitty page, that is none of your business.

Re:And people (4, Insightful)

obi (118631) | more than 5 years ago | (#23568017)

It's not as if there never have been any exploits for the JPG or PNG decoders in common browsers. Will you now browse the web with images blocked too?

Re:And people (0)

Anonymous Coward | more than 5 years ago | (#23568199)

Or you can just not install flash.
Slightly more obvious solution.

SNAFU (4, Funny)

Anonymous Coward | more than 5 years ago | (#23567597)

Situation Normal, All Flashed Up

Re:SNAFU (3, Interesting)

bill_kress (99356) | more than 5 years ago | (#23567649)

I would have said: Situation Normal, Adobe's Fucked Up

Adobe has to be the worst company ever to supply popular software for the web, and it has always been a horrid company--at least since "ATM" started destroying my PCs back in the ole Windows 3.0 days.

At one point, they had some competition from some other terribly flashy web software, but they quickly rectified that by buying the company so they could retain their title of Extreme Web Fuckups and earn the SNAFU title.

(Second use of the F was quite gratuitous, but in for a penny, in for a pound)

Re:SNAFU (1, Funny)

Anonymous Coward | more than 5 years ago | (#23567751)

Their TrueType patenting and PDF hogging weren't too cool either, but wanted to note that Flash is too often abused to flash your computer, in the trench coat variation. Once exposed, it's in the memory. Am sure other Adobe products could be similarly listed as well. Executives get sucked into telling tech to add Flash to their web pages, because like far too many gamers they like the "oohh, PRETTY" over real substance and worth.

Re:SNAFU (3, Insightful)

jimmypw (895344) | more than 5 years ago | (#23567753)

How exactly is it the worst company ever to supply software for the web. I fail to see where you're coming from. Don't forget that until a while ago they didn't own macromedia and their niche was high quality still and moving images which back in the day of windows 3.0 wasn't anywhere near web software.

Your argument is essentially flawed as this exploit has probably been in flash player since macromedia owned it and yet your blame gets directed at adobe.

Re:SNAFU (2, Insightful)

0xygen (595606) | more than 5 years ago | (#23567927)

Must say though, if I were Adobe, staking my reputation on the reliability of some of the highest exposure software on the web, one of the first tasks after the acquisition would have been a thorough review of the Flash client codebase.

Not that this vulnerability would necessarily have been picked up...

Adobe is an advertising company (0)

Anonymous Coward | more than 5 years ago | (#23568201)

Right click on your next youtube video. See the privacy manager? Click through all the options and see that it's recorded EVERYTHING you've ever done and seen, including flash ads. And better than googlecookies.

The Adobe ad network is even more lucrative than Adsense.

Re:SNAFU (5, Insightful)

Divebus (860563) | more than 5 years ago | (#23568021)

> How exactly is it the worst company ever to supply software for the web.

Here's my short list:

1) Adobe Reader takes too long to launch compared to other software. People moan when they encounter a PDF on the web.
2) Flash (yes, they own it now) is a resource hog when visiting web sites with only a few ads. Enough already.
3) If you have the Adobe CS3 suites, you'll come to HATE the update agent... slow, intrusive, frequent.
4) I'm always removing the Adobe reader Plugin from my browser after a CS3 upgrade. I don't want the damned thing in there.
5) Right click a banner ad and look at Settings. I don't like my camera and microphone being a choice there.

I wouldn't call it the WORST company... Adobe didn't make IE. That said, I get a lot of good use out of Adobe products, but sheesh... it can be the most sluggish stuff you'll ever use.

Re:SNAFU (0)

Anonymous Coward | more than 5 years ago | (#23567905)

You do, of course, realise that Flash was not created by Adobe but rather by Macromedia, and that they only bought Macromedia relatively recently?

If you had said "Situation Normal, Flash Fucked Up", I would've agreed (although that wouldn't have worked for the acronym), but you rather make it sound like Adobe magically corrupts all software they come in touch with, and that Flash was all pure and golden before that.

Neither's true.

Re:SNAFU (1)

1u3hr (530656) | more than 5 years ago | (#23567915)

> Adobe has to be the worst company ever to supply popular software for the web, and it has always been a horrid company--at least since "ATM" started destroying my PCs back in the ole Windows 3.0 days.

Sorry, I find this absurd. I've been using ATM ever since Win 3.0 too. Never had any issues with it. T1 fonts are essential (to DTP anyway). I use Acrobat every day (though I stick with Acrobat 4 mostly, it has all I need). There are many, many more obnoxious web software products -- who can forget RealPlayer? And many weird and wonderful "enhancements" whose main and often only function was to deliver ads and spy on you while using your bandwidth and hogging your cycles. I'm sure a quick tour of some porn sites would find many more hostile/useless/spammy programs.

Flash perpetual vulnerability (5, Insightful)

amrik98 (1214484) | more than 5 years ago | (#23567617)

This isn't the first or the last time Flash will have vulnerabilities discovered, and I understand this can happen with any software. It is just the frequency and consistency of these vulnerabilities that concerns me. When I install a binary blob from Adobe it's always in the back of my mind that I could be opening up my system to attack.

Re:Flash perpetual vulnerability (1, Interesting)

Anonymous Coward | more than 5 years ago | (#23567759)

I wonder if you could mitigate this threat reasonably painlessly by running a flash enabled browser in an isolated virtualized application environment, using something like Thinstall http://www.thinstall.com/ or Codeweavers crossover http://www.codeweavers.com/products/ ?

Re:Flash perpetual vulnerability (1)

hairyfeet (841228) | more than 5 years ago | (#23568223)

Actually I would suggest SandboxIE [sandboxie.com] which, despite the name, will let you sandbox any app without having the overhead of most other VMs. It is free (Windows 2K-Vista only, I'm afraid) and if you are like me and have to run Windows on an Internet enabled machine I can vouch for the fact it does run very nice, even on this old 1.1Ghz with 512Mb of RAM.

And to the earlier poster who said limit whitelists in Noscript: Why use whitelists at all? I mean, it only takes a couple of seconds to click allow and since on flash objects doing so allows you to see the URL, isn't it safer to just take the extra few seconds? I know there have been a few times in the past where I have gone to watch a flash on a site I trusted only to see the URL redirecting all over the web and passed. Sure enough in a day or two I would read about some massive hack hitting thousands of sites. I personally would rather take the time than be boned. But that is my 02c, YMMV

Re:Flash perpetual vulnerability (0)

Anonymous Coward | more than 5 years ago | (#23568003)

Solution: don't install flash. (There are gnash and swfdec if you're sadly addicted to the content.)

I personally require none of that dada.

Another reason I despise swf on webpages (1)

rts008 (812749) | more than 5 years ago | (#23567647)

I always use noscript and flashblock extensions in firefox on Linux, so I'm not too concerned about this.

Re:Another reason I despise swf on webpages (0)

Vectronic (1221470) | more than 5 years ago | (#23567699)

Every site? every time?

I'm not concerned either, and I don't use any blocking stuff (other than Opera and a few blacklisted sites)

See, I'm being stupid, and just going by odds... if something crazy happens that a virusscanner doesn't detect (when I decide to run it) and I can't fix it, reformat! w00t...

Re:Another reason I despise swf on webpages (0)

Anonymous Coward | more than 5 years ago | (#23567767)

That's fine as long as you don't care who controls your computer. Malware tries to stay undetected while doing who knows what in the background.

You may not notice anything for years, while your computer participates in ddos attacks, serves as a warehouse for who knows what illegal files, gathers information about you and sends it to some nice people who then sell it in the black market to identity thieves, scammers, spammers, any folk wanting to know what things you like, read, buy, watch, listen to...

Damn we should all be as irresponsible, I mean there's infinite bandwidth out there who cares if botnets roam it, it's not like they can clog it or anything...

I can even give you a car analogy:

Why bother locking the car? I mean so what if it gets stolen and used in a bank robbery, you can just buy a new one or your insurance does it for you.

Re:Another reason I despise swf on webpages (1)

Vectronic (1221470) | more than 5 years ago | (#23568045)

Buying a new car involves money though...reformatting on the off chance something does happen (or about every 6 months regardless), doesn't.

And I never said I was completely careless, everything is pretty much locked down, and I monitor my traffic from time to time just to see if anything odd is going on... plus other than telling people I meet online my real first name, I don't do any online banking, buying, or other transactions that could be "dangerous". And scan everything I download that isn't from a reliable (HTTP/FTP) source. And if this PC gets hit with something, one of my other PCs will tell me eventually...

I just see it as more of a problem to be paranoid, than not be, my computers are for the most part work horses, everything I don't need is disabled or removed, and virus scanners and firewalls are included in those things most of the time, I have a single port blocked in my router (Helkern spam)... so be it.

Re:Another reason I despise swf on webpages (1)

Vectronic (1221470) | more than 5 years ago | (#23568077)

Oh, and to continue babbling...

I also always at least dual boot, all my machines, with XP or Vista, and then either Slackware or (pick random Linux)

The one I'm typing from at the moment has all four... XP/Vista/Slackware and Mandriva currently... so the odds of it hitting all 4 are slim, and the odds of none of the 4 seeing something odd are just as slim.

Dual of xkcd's "virus zoo"! (1)

Mathinker (909784) | more than 5 years ago | (#23568325)

> XP/Vista/Slackware and Mandriva .... and the odds of none
> of the 4 seeing something odd are just as slim.

You're telling me that from each of those 4 OS's you run virus/malware scans on the other 3? I'm impressed at that setup. It's the dual situation to the following widely-posted-on-Slashdot xkcd comic [xkcd.com].

When do you have time to do real work / play with them?

BTW, I wouldn't be so sure that your scanners are going to pick up everything. Anything which is specially targeted has a fairly good chance of slipping under the wire, the scanners mainly pick up "mass infection" tools and attacks. Of course, unless there is something special about your computers (like being in an especially interesting IP address block) you probably won't get specially targeted.

Welcome to the proprietary internet. (5, Insightful)

NotZed (19455) | more than 5 years ago | (#23567681)

A taste of what it could've been and what it might yet become?

Re:Welcome to the proprietary internet. (0)

Anonymous Coward | more than 5 years ago | (#23567711)

I am glad that MSN ... that is the MS _Network_ (as opposed to the MS non-standard closed messaging client) didn't take off. Imagine if 'internets' were still like AOL, MSN, Prodigy et al with no interoperability etc.


Oh... dear... God (5, Funny)

religious freak (1005821) | more than 5 years ago | (#23567685)

What kind of horrible, horrible update scheme will Adobe come up with to try to combat this?! The thoughts are too terrible to imagine...

Re:Oh... dear... God (1)

naz404 (1282810) | more than 5 years ago | (#23567741)

Flash has had auto-update since version 8 and up.

Once Adobe's fixed up the patch, they just have to command all players to update themselves to the latest fixed version.

Re:Oh... dear... God (0)

Anonymous Coward | more than 5 years ago | (#23567891)

so you're saying... Adobe is in command of their Flash botnet?

Re:Oh... dear... God (1)

WK2 (1072560) | more than 5 years ago | (#23568113)

That wouldn't even work. Flash runs as a regular user, but needs administrator access to update its own code.

Hmm Windows only... and SQL injection? (0)

foniksonik (573572) | more than 5 years ago | (#23567705)

Once again Windows is open to attack from some 3rd party app... and what's this, SQL injection is being used... is that another MS product being abused or is it a free for all on open source DB driven websites?

Seems like there is plenty of blame to go around... Adobe included but certainly not alone. If Windows wasn't so easily subverted by a 3rd party app with a bug this wouldn't be an issue (as it's not for Mac and Linux users)... but of course were it not for lax security in countless websites, there would be no vector... so shame on web developers...


Re:Hmm Windows only... and SQL injection? (0)

Anonymous Coward | more than 5 years ago | (#23567739)

> SQL injection is being used... is that another MS product being abused or is it a free for all on open source DB driven websites?

As far as I understand it SQL injection attacks exploit sloppy handling of user input in the web app code, not the database management systems. This makes every DBMS "vulnerable" to SQL injection, since there's little you can do to protect against it on the DBMS level.

Why is SQL injection even still a problem? (4, Insightful)

MichaelCrawford (610140) | more than 5 years ago | (#23567871)

And I'm not saying the web application developers need to prevent it: it needs to be fixed in the database and its communication protocols. I think it's quite an outrageously bad architecture that has payload and control data together on the same channel.

After all, it's my God-Given Right to name my son Robert'; DROP TABLE STUDENTS [xkcd.com]. I shouldn't be getting nasty phone calls from every school he's ever attended!

MOD PARENT INSIGHTFUL!!11 (1, Informative)

Anonymous Coward | more than 5 years ago | (#23568275)

He's absolutely right about the idea of separating the control from the data. No other well-designed architecture does things this way. Take TCP, for example, which requires you to open two TCP ports for every connection, one for control and one for data. Or Ethernet where you have to have two pairs of wires, one for control data and one for real data. Other examples where this is employed are RPC, UDP, and even the telephone system.

At first glance, it might seem like you'd need to introduce control characters into the data to differentiate the various parts of the data, in case you ever needed to put multiple fields with a single control statement (I know, it's rare, but some people _do_ need this). However, the TCP people invented an ingenious way of dealing with this by designating a special character for separating fields. All you need to do is escape it every time it occurs naturally in the stream. Then, all your problems are solved.

Well, you've still got the problem of associating the control data with the payload. They are, after all, on two different channels and could arrive at different times. That's a trivial problem, though, because you just send the control data first and wait a short time before sending the real data. Electronic signals always travel at the same speed.

Oh, we're not quite done yet. What happens if you want to embed user-entered data in the control? Well, that's easily handled, too, by moving everything except the framing sequences in the control channel into the data channel, so everything is data. I think that should work perfectly.
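The separation of control and payload argued over in the comments above is available at the driver API level as bound parameters. The following is an added example, not code from any commenter: Python's sqlite3 module, the students schema and the function names are assumptions made here. It inserts the same hostile name once by string concatenation and once as a bound value.

```python
import sqlite3

# Constructed sample input, modelled on the name quoted in the comment above.
HOSTILE_NAME = "Robert'); DROP TABLE students;--"


def new_db():
    """Fresh in-memory database with one existing row (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO students (name) VALUES ('Alice')")
    db.commit()
    return db


def table_exists(db, table="students"):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
        (table,),
    ).fetchone()
    return row[0] == 1


def enroll_concatenated(db, name):
    # Vulnerable form: the name is spliced into the SQL text, so the parser
    # cannot tell where the statement ends and the payload begins.
    sql = "INSERT INTO students (name) VALUES ('" + name + "');"
    # executescript() stands in for a driver that accepts several statements
    # per call (an assumption of this example).
    db.executescript(sql)


def enroll_parameterized(db, name):
    # Hardened form: the SQL text is a constant; the name is handed to the
    # engine separately as a bound value and is never parsed as SQL.
    db.execute("INSERT INTO students (name) VALUES (?)", (name,))
    db.commit()


def names(db):
    return [r[0] for r in db.execute("SELECT name FROM students ORDER BY id")]
```

With the bound parameter the hostile string is stored verbatim as a name; with concatenation the quote inside it closes the literal and the rest runs as a second statement.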

Re:Hmm Windows only... and SQL injection? (1, Informative)

Anonymous Coward | more than 5 years ago | (#23567743)

And who says it's not an issue on the MAC and Linux besides you? Nowhere in any of the linked articles (Yes, I actually RTFA) does it mention that it is a Windows only bug...

Re:Hmm Windows only... and SQL injection? (4, Funny)

Hal_Porter (817932) | more than 5 years ago | (#23567781)

It's Windows only because Microsoft wrote it to promote their Silverlight initiative. Silverlight doesn't work on Macs or Linux, so there's no point porting the exploit there.

Re:Hmm Windows only... and SQL injection? (2, Informative)

Anonymous Coward | more than 5 years ago | (#23567823)

Silverlight does run [apple.com] on Mac OS X.

Re:Hmm Windows only... and SQL injection? (0)

Anonymous Coward | more than 5 years ago | (#23567857)

It can also Moonlight [asp.net] on Linux.

Re:Hmm Windows only... and SQL injection? (0)

Anonymous Coward | more than 5 years ago | (#23567893)

FYI, "MAC" in uppercase is usually an abbreviation for Media Access Control. You probably meant "Mac" which is short for Macintosh, a line of computers made by Apple, Inc.

As for the topic at hand, I'd like to see more exploit details that more directly confirm the problem is limited to Windows. TFA simply states it does affect Windows, but I didn't see any statement that the bug categorically does not compromise systems running OS X or Linux. Without more details I have to operate under the assumption the same flaw may exist, and may be exploitable, under those systems.

Re:Hmm Windows only... and SQL injection? (2, Informative)

linal (1116371) | more than 5 years ago | (#23567971)

SQL injects aren't a MS specific problem, they are from poor programming and design. The same SQL injection attack could happen on any OS and DB.

Flash in the pan (0)

Anonymous Coward | more than 5 years ago | (#23567797)

Plain text is the only way to go! There's nothing more secure than plain text, except Silverlight!
Windows Live Mail: Want to get paid to post on forums? Visit www.microsoft.com today!

Culture of irresponsibility (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#23567845)

How many exploits will it take until the CS community collectively admits that it is irresponsible to continue to write network-facing software in C/C++?

P.S. In this Internet-connected world, every piece of software is network-facing.

Proverb (3, Funny)

Rastignac (1014569) | more than 5 years ago | (#23567883)

In France, a popular IT proverb says "Adobe, c'est de la daube". True one more time today...
(won't translate; lost in translation).

real reason? french simply are not funny - EVER ! (0)

Anonymous Coward | more than 5 years ago | (#23567981)

The French can't be funny.

It just doesn't happen.

Jerry Lewis is NOT funny !!

repeat: Jerry Lewis is NOT funny !!

Re:Proverb (1)

Zironic (1112127) | more than 5 years ago | (#23568047)

Adobe, it's a mess?

Re:Proverb (1)

lgw (121541) | more than 5 years ago | (#23568193)

You can't translate the pun (thankfully), but the closest idiomatic thing might be "Adobe, its name is mud".

Re:Proverb (1)

sayfawa (1099071) | more than 5 years ago | (#23568369)

I'm guessing the pun is from the fact that the word 'adobe' means some kind of mud-based brick or structure? If so, then the translated pun is just as good (or bad), as adobe means the same thing in English [merriam-webster.com].

Re:Proverb (1)

iminplaya (723125) | more than 5 years ago | (#23568303)

A slightly less popular proverb says "Adobe, c'est de la merde". This might translate a bit easier? I wouldn't know. No hablo frances.

Does displaying accented characters have to be so difficult?

Re:Proverb (2, Funny)

Gandalf (787) | more than 5 years ago | (#23568391)

And here in Holland the proverb goes "Rather than Adobe, a doobie". (True every day...)

Hey Adobe: Try Using Stack Canaries! (5, Informative)

MichaelCrawford (610140) | more than 5 years ago | (#23567907)

No doubt someone from Adobe will be reading this Slashdot story.

A Stack Canary [wikipedia.org] is a value placed at the end of a function's stack frame. Just before function return, the canary's value is checked, and if it has changed, the user is notified.

So what you do is build a test version of Flash with canaries enabled in the compiler, then try feeding it all kinds of potentially buffer-overrunning input.

To enable canaries:

The Xcode-Users post I linked to says that stack canaries were discussed in session 109 at Apple's developer conference, in 2007 I think. You should be able to view it on the Apple Developer Connection website.

I'll send you my bill in the mail.

Re:Hey Adobe: Try Using Stack Canaries! (1)

LaskoVortex (1153471) | more than 5 years ago | (#23568195)

No doubt someone from Adobe will be reading this Slashdot story.

If the guys who wrote the software that shows up on stories like this actually read slashdot, we probably would stop getting stories like this. I mean, when was the last time Ad0b3Hax0r /. id #113434124 said "Sorry guys, that bug was me. I'll try to do better next time. Thanks for the heads-up."

This is NOT a 'zero day flaw'..... (-1)

OneSmartFellow (716217) | more than 5 years ago | (#23568049)


If you wish to use the idiotic phrase 'zero day', at least use it correctly.

This is a previously unknown exploit for several versions, not an exploit which targets the latest version and discovered/released on the same day as that version (which would qualify it for 'zero-day' status)

Re:This is NOT a 'zero day flaw'..... (4, Insightful)

shird (566377) | more than 5 years ago | (#23568095)

That is not the definition of zero day. If you are going to condemn people for using it incorrectly, at least use it correctly yourself. The 'zero day' status merely refers to how long the exploit has been known - the 'zeroth' day being the day it is publicly disclosed. This day is important due to the fact it is basically impossible for people to be patched against the vulnerability on this day. In other words, tomorrow this will no longer be a 'zero day exploit'. (no doubt it was disclosed several days ago and isn't a zero day exploit today either).

Re:This is NOT a 'zero day flaw'..... (1)

OneSmartFellow (716217) | more than 5 years ago | (#23568333)

The 'zero day' status merely refers to how long the exploit has been known - the 'zeroth' day being the day it is publicly disclosed

If that's your definition, ('zero day' == <time of publication>) then it still hasn't been used correctly, since the linked article is already a day old.

Given that the phrase 'zero day' is made of two single syllable words, I can understand the propensity for its use. However, it conveys no information, except to indicate that the author is a buzz-word junkie. Why not call it a 'Same Day exploit' or 'This Day exploit', or even a 'Today exploit'?? Because then people would realize that it's a vacuous phrase. Oddly, when there's a number involved, it sounds technical, and confusing, and causes alarm! Do you think that's a coincidence?

Furthermore, it is practically inconceivable that a vulnerability could have been discovered, incorporated into a 'Chinese version of the MPack exploit kit', whatever that is - as a side note: do you suppose they do a pre-release test on the new version of MPack kit? - , and reported by Ryan Naraine, 'security evangelist' - another meaningless phrase - at Kaspersky Lab - can you say conflict of interest - at "11:19 am" on ZDNet all within the space of 24 hours.

Of particular interest is a phrase in a linked article (published some time on May 27) that states "At the moment these domains [Chinese hosted MPack sites] do not appear to be resolving"

I find it very suspicious that a 'dangerous' exploit was discovered on a 'Chinese' website, analysed, and made public all within the space of a day, and in the same day (presumably within a very few hours) the 'Chinese' had already taken the site offline. It's also suspicious that there are so few real details about when and how it was discovered.

Re:This is NOT a 'zero day flaw'..... (2, Informative)

Gewalt (1200451) | more than 5 years ago | (#23568459)

No, zero day exploit refers to the fact that the exploit is publicly disclosed (and in use) before there is a patch to fix it. So yes, tomorrow, this will STILL be a zero day exploit.

Make a goodie virus (1, Interesting)

Crookdotter (1297179) | more than 5 years ago | (#23568057)

I think the time has come to make a virus that counters spambots, trojans, viruses and everything else. Limited lifespan, get them into the wild, let them run through networks doing a good deed then martyr themselves. I know people would be worried about any possible damage done by these things, but if your system is open, then it's a risk vs potential damage assessment. If you have the right security in place, then neither goodie nor baddie viruses will get near you.

That's sort of what the Welchia worm does (2, Interesting)

MichaelCrawford (610140) | more than 5 years ago | (#23568151)

When I was staying in a hotel in between moving out of one house and into another, I hooked my Win2k box directly to the Internet via dialup. At my old place I used Linux as an IP masquerading gateway, and never had any trouble.

Well it didn't take long for me to notice that my modem often showed activity even when I wasn't doing anything online. At the advice of a friend I bought the ZoneAlarm firewall.

It informed me that I was infected with the Welchia worm. What it does is apply security fixes to your Windows installation, and then it propagates itself on to other Windows hosts over the Internet!

This drove home to me the importance, when using Windows, of having a firewall that prevents connections coming from my own computer. ZoneAlarm does this.

Most firewalls just prevent attacks from outside. But if you're already infected, you want to know about network traffic originating from your own computer.

Fucking useless (1, Interesting)

Anonymous Coward | more than 5 years ago | (#23568437)

But what operating systems are affected and/or browsers? All of them? Some of them? Windows?
This advisory is fucking useless.

"This advisory is to alert you that if you are using Adobe Flash you're pretty much fucked, oh, there is no fix currently. Have a good day"