Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

92% of Windows PCs Vulnerable To Zero-Day Attacks On Flash

timothy posted about 5 years ago | from the in-some-contexts-8%-is-really-good dept.

Security 286

CWmike writes "More than 9 out of every 10 Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won't patch until Thursday, Danish security company Secunia says. According to Secunia, 92% of the 900,000 users who have recently run the company's Personal Software Inspector (PSI) utility have Flash Player 10 on their PCs, while 31% have Flash Player 9. (The total exceeds 100% because some users have installed both.) The most-current versions of Flash Player — 9.0.159.0 and 10.0.22.87) — are vulnerable to hackers conducting drive-by attacks hosted on malicious and legitimate-but-compromised sites. Antivirus vendors have reported hundreds, in some cases thousands, of sites launching drive-bys against Flash."

cancel ×

286 comments

Sorry! There are no comments related to the filter you selected.

Noscript (1)

fpophoto (1382097) | about 5 years ago | (#28852299)

Browsing the web without a few browser mods is the only to surf these days anyway.

Re:Noscript (-1, Troll)

larry bagina (561269) | about 5 years ago | (#28852367)

The noscript author is an assclown who silently enables ads (And disables noscript) for his own financial advantage.

Re:Noscript (5, Informative)

ground.zero.612 (1563557) | about 5 years ago | (#28852389)

The noscript author is an assclown who silently enables ads (And disables noscript) for his own financial advantage.

Sounds like someone doesn't keep current on events, as this problem was worked on some months ago.

Re:Noscript (0)

Anonymous Coward | about 5 years ago | (#28853049)

The noscript author is an assclown who silently enables ads (And disables noscript) for his own financial advantage.

Sounds like someone doesn't keep current on events, as this problem was worked on some months ago.

Like that's let SONY, Microsoft, Amazon, etc. etc. off the hook so far? :)

As the noscript author wrote: "I did something extremely wrong, which I will regret forever."
A part of the community he serves, the holds-grudges-forever part, will make sure of that last part.

Re:Noscript (1)

Antidamage (1506489) | about 5 years ago | (#28853199)

I for one am glad that Slashdot was on the scene and prepared to offer vital urban advice. In order to protect myself from this malware, I have closed all the curtains and moved my office to the back of the house. No fucking driveby is gonna get me, dawg.

Re:Noscript (4, Insightful)

trifish (826353) | about 5 years ago | (#28853651)

as this problem was worked on some months ago.

It's not a "problem" that can be "worked on". It's the character of the author. As any decent psychologist will tell you that character is inborn and cannot be changed or "worked on".

The character of the author of NoScript is that of the authors of

1) adware (redirecting to his ad-laden website with each meaningless update and preventing you from blocking these ads)

2) spyware/malware (changing configuration without the user's consent).

Re:Noscript (4, Informative)

causality (777677) | about 5 years ago | (#28852651)

The noscript author is an assclown who silently enables ads (And disables noscript) for his own financial advantage.

He admitted his error and has stopped doing this. See this link [hackademix.net] . The very first line? "I screwed up. Big time."

Any fool can make a mistake. It takes some guts to admit it, correct it, and try to move on especially in public like that. For that reason I do not count myself among the folks who still want to figuratively crucify him.

Horseshit. (3, Insightful)

Anonymous Coward | about 5 years ago | (#28853043)

If it were an actual mistake, then I would agree with you. It wasn't an error.

He purposefully did it and when he got caught he then apologized for it. What I'm saying is, if nobody said anything, he'd still be doing it.

Re:Horseshit. (-1)

Anonymous Coward | about 5 years ago | (#28853557)

How is that Offtopic? It's exactly spot on. Mod parent up, if you're not Noscript shill.

Re:Horseshit. (2, Interesting)

causality (777677) | about 5 years ago | (#28854037)

How is that Offtopic? It's exactly spot on. Mod parent up, if you're not Noscript shill.

Agreed. Mods, please promote the GP post. This really should be discussed and resolved.

I also disagree with the GP but censoring him is not the Way. I do think it is akin to censorship because nothing he said is detrimental to the discussion. Also, a lot of people feel the way that he does and they should have their say. At least, this is what I believe. I have written a post describing why I disagree and why I think there is a better way to handle the situation. I think that in an open discussion, the truth will win out, and on this one I also believe that I have summarized the truth of the matter. If I'm wrong about that, modding down the "other side" of the discussion will not help me to discover where I have erred.

Re:Horseshit. (4, Insightful)

causality (777677) | about 5 years ago | (#28853873)

If it were an actual mistake, then I would agree with you. It wasn't an error.

He purposefully did it and when he got caught he then apologized for it. What I'm saying is, if nobody said anything, he'd still be doing it.

This is a hard thing to understand and you raise a very valid question. I hope to answer that without just dismissing it or pretending like it isn't important. I don't know the man personally and have to go by what he and others have written, so please consider this just my opinion as I cannot speak for him.

You are right that he deliberately coded the functionality that made unauthorized and underhanded modifications of another, unrelated add-on (ABP). The mistake or error was in believing that the ends justify the means, that there is ever a good reason to do such a thing. All improper actions he took were rooted in that one error. But not for that belief, he would have probably regarded the temptation as "what the hell, I can't do that." Sometimes people get lucky and they see what's wrong with such an error on their own, before anything has to blow up in their face. Other times they have to see for themselves why it's harmful, often by being harmed by it or harming others by it, before their regret at having spectacularly failed reveals the error of their ways. It's sort of like the religious idea of "forgive them because they know not what they do," though if you asked them what they were doing they could describe their behavior accurately -- this is not really a contradiction.

I'm not an impeccably perfect person either. I have had to learn some lessons the hard way and I suspect every other human being could say the same. So no, I don't share the willingness to condemn someone who has fully come clean and has turned away from what he was doing. I think doing that would say more about me than about him. If anything, I celebrate his courage and wish it were more common.

Re:Noscript (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#28853095)

I still can't adblock to turn off the shit on his website. I'm running the latest version of NoScript.

Hey trut! (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#28853141)

Hello fags, long time no see :)

Re:Noscript (2, Insightful)

trifish (826353) | about 5 years ago | (#28853699)

He admitted his error

You're kidding us right? Look up the definition of the word "error" and compare it with the definitions of the words "willful", "deliberate" and "intent".

Re:Noscript (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#28853877)

Damn, you really have a hard-on for this guy. What's your personal involvement?

Re:Noscript (2, Insightful)

RedK (112790) | about 5 years ago | (#28854163)

Wait a minute, you mean errors can't be willful ? So if someone does something willfully, deliberately and with an intent, he can't later realise his mistake and make amends ? I think you need to review your position on this.

Re:Noscript (1)

PIBM (588930) | about 5 years ago | (#28854107)

I do not want to figuratively crucify him either.

The real thing would do just fine! ;)

Re:Noscript (2, Interesting)

causality (777677) | about 5 years ago | (#28852599)

Browsing the web without a few browser mods is the only to surf these days anyway.

Yeah. When I read this headline my first impression was "should I try to act surprised?"

This is just history repeating itself. Even if it required an NDA, if Adobe were smart they'd try to hire the OpenBSD folks to audit their code as they're obviously not capable of securing it themselves.

Re:Noscript (2, Insightful)

hedwards (940851) | about 5 years ago | (#28852727)

Capable? I'm sure they could, I just get the distinct feeling that they don't feel like doing it. Which would be fairly typical, MS for instance likes to get angry when people mention the fact that they've been taking months to patch a serious vulnerability. Admittedly you don't want a patch to cause another vulnerability, but how long does it really take to get a proper fix?

Re:Noscript (4, Insightful)

causality (777677) | about 5 years ago | (#28852863)

Capable? I'm sure they could, I just get the distinct feeling that they don't feel like doing it. Which would be fairly typical, MS for instance likes to get angry when people mention the fact that they've been taking months to patch a serious vulnerability. Admittedly you don't want a patch to cause another vulnerability, but how long does it really take to get a proper fix?

If the FOSS community is any indication, it takes anywhere from a few hours to a couple of days after the vulnerability is disclosed.

I am surprised how Microsoft often gets a pass on these issues, considering the vast resources at their command and the fact that Windows is a monoculture so their mistakes simultaneously affect millions of people. Most FOSS software is written by a "rag-tag band" by comparison, so why isn't Microsoft held to a higher standard of responsibility?

Re:Noscript (0)

toleraen (831634) | about 5 years ago | (#28853087)

Because a "rag-tag band" doesn't have to QA their source change against an entire operating system? Remember how people tend to get pissed when MS releases patches that break functionality?

Re:Noscript (2, Insightful)

MightyMartian (840721) | about 5 years ago | (#28853193)

Um, if your operating system is fucking brittle that a Flash update brings it down, then you've got really huge problems.

Re:Noscript (3, Insightful)

recoiledsnake (879048) | about 5 years ago | (#28853761)

Um, if your operating system is fucking brittle that a Flash update brings it down, then you've got really huge problems.

Huh. The post you're replying to is talking about Windows updates, not Flash, because the discussion got sidetracked at some point. I haven't heard of a Flash update bringing down Windows, except maybe if it messes with boot.ini or MBR or system files. I would imagine the same thing would happen in Linux or OS X.

Now if you're talking about Flash vulnerabilities in Windows, remember that OS X/Linux is similarly exploitable through Flash.

From http://www.theregister.co.uk/2009/07/22/adobe_flash_attacks_go_wild/ [theregister.co.uk]

In an advisory that was updated after this article was published, Adobe says the "vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems."

The company expects to release an update fixing Flash in Windows, OS X and Unix on July 30 and fixing Acrobat and Reader on those same three platforms on July 31.

Re:Noscript (3, Insightful)

gmack (197796) | about 5 years ago | (#28853343)

People get pissed when Open Source patches break things too.

The difference is that in the Open Source world things tend to be more modular so making a change isn't as likely to cause unintended side affects.

The Unholy Shit (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#28852313)

The rain was getting harder. It was now precisely 11:51 PM, and Mark was into his fifth beer. He was feeling pretty invincible but the night was young, and he intended to get wasted before it was all over. He had put in a rough week at work and he deserved it.

He lit another cigarette. He and his drinkin' buddies sat in their traditional circle, in Ian's apartment. The talk wandered from sex to work, back to sex, to basketball, finally settling on sex. Mark had eaten lunch at Taco Bell, and had drunk four cups of coffee between lunchtime and quitting. In addition, the beers were beginning to settle in. And now, at 11:51 PM, Mark had to take a shit. He stood up. "Shit break," he announced. It was customary among this group to make such an announcement.

Mark walked to the bathroom. As he locked the door behind him, thunder boomed. It was storming out there.

He pulled his pants down and sat on the toilet. Ian's bathroom was a mess. He counted five empty toilet paper rolls, two paperbacks, and yesterday's newspaper. His friends laughed about something. The lights flickered for a moment, and the pre-shit growl came from within. He could feel the product lined up inside him for disposal. Then, he began to push.

Plop. The first piece fell to the water. Then some movement, and Mark felt the main feature inside him, the mother lode. He grunted softly as he squeezed it out. It crackled past his sphincter, and splashed neatly into the bowl.

Then another one queued up, and came out. It was almost as big as its predecessor. Mark would have well-purged bowels tonight, he realized with a smirk. He heard thunder again, closer this time.

Another one? Jeez, he thought. When was my last shit? It ventured forth, Mark's muscles helping it out. It was the biggest one so far. The shit's passage through his anus, that rarest mix of pain and pleasure, was longer than any he could remember. Ahhhh...the stout log advanced with conviction. This was definitely going to be his finest creation; this was a huge one. Still grinning, he wondered if Ian had a camera.

He pushed. Peering between his legs, past his genitals, he saw that it had reached the water. This was like seeing the longest freight train ever. Damn, it was a wide one. And it was still attached! And there was more! He pushed more, harder. It kept coming. He couldn't even feel the end of this one yet; soon it was bending, folding on itself like a sundae topping. Mark stopped pushing and caught his breath. He was sweating; he realized that however long this piece of shit was, it wasn't nearly all the way out yet. He still couldn't feel the end.

He pushed, he strained, it kept coming. His intestines couldn't be that damn long, but this shit just wouldn't quit. In fact, he was feeling the diarrhoeal urgency of *having* to shit. He dutifully answered nature's call, and pushed harder. His efforts were rewarded with more shit. His sphincter was too strained to even pinch the loaf off. It was whole and complete.

He couldn't feel the end.

Fear now came to Mark. He flushed the toilet to make room for more. Even as the bowl refilled, the cramps rose up, and he pushed. Within seconds, the shit extended from his anus to bottom of the bowl. The harder he pushed, the more he had to shit. And it was getting worse. He scarcely had time to catch his breath; his face was quite red as he grunted and struggled to keep up. The shit seemed endless. He looked between his legs again, and gasped as he saw that the bowl was fully a quarter filled with his product, the water dangerously high. The tank wasn't even done filling, but he flushed again. Unfortunately, the plumbing was unable to handle the volume of feces, and the toilet backed up. Mark jumped when the cold water touched his buttocks.

It was now 11:57. Thunder roared outside as water and shit particles flowed onto the tile.

Mark's pants were bunched about his ankles, and he was in pain. The shit advanced relentlessly as he stumbled into the bathtub. He was almost panicking now, and didn't notice the trail of solid feces he had left. Gripping the tub for support, he squatted and kept pushing.

The conversation in the front room had stopped. Eddie smelled it first, and blamed a fart on Ian, but this was no fart. This was pure and concentrated; this was the smell that only the freshest shit can make. The four looked at each other, puzzled. Then they heard Mark's groaning from the bathroom.

"Mark, are you beating off again?" Doug asked. No answer.

The smell was worse. Brian sniffed deeply and gagged. "Jesus H. ...". Ian grimaced. "Goddamn...". They all went for the bathroom door at the same time. Ian jiggled the locked doorknob. Brian pounded on the door. "Dude, what the FUCK did you eat today?" No answer. Mark groaned. "You all right in there, Mark?"

They looked at each other again. Eddie sniffed and winced. There was no answer from inside. Brian knocked again. "Hey man, you OK?" No answer. A short scream came from within the bathroom.

Brian kicked the door open. Nobody spoke.

The odor was intense, feces was piled on the floor and in the bathtub. Mark was squatting next to the wall, his face impossibly red, his eyes helpless and terrified. Firm stool thrust forward from his anus like meat from a grinder. It landed in his pants bunched about his ankles, spilling over and piling up. He gritted his teeth and strained; all he could do was keep pushing. There was a sound like a ripping sheet and Mark's colon came loose from his now shapeless sphincter, oozing to the floor. His friends watched as the slimy organ descended, with shit still flowing from it. Mark screamed again, and somebody's watch beeped.

Brian got the worst of it, since he was closest to the door. He would later tell the police that he thought he had seen Mark's abdomen expand for an instant before it happened. None of the others had reported this. But they had all described the sound as a "dull thud", they had all been splattered with innards and feces as Mark's torso separated from the rest of his body.

"Massive gastrointestinal rupture/trauma secondary to indeterminate blockage" was noted in the medical examiner's report. An "unusually large amount of fecal matter" is also recorded, though the amount was not measured.

The funeral was closed-casket. Brian and Eddie seem to have recovered pretty well, though they never talk about Mark. Doug moved away, and nobody has heard from him lately. Sometimes, when he has to shit, Ian waits until the rain stops.

Re:The Unholy Shit (0)

Anonymous Coward | about 5 years ago | (#28854133)

Hmm, I actually liked that one. At least it wasn't about some jackass trying to eat it or anally raping themselves. More original, for this site anyway.

Flash can DIAFF (flash fire) (2, Insightful)

hattig (47930) | about 5 years ago | (#28852355)

Well at least the iPhone is safe...

Will Flash just die already! We have the video tag, IE users can suck it up as well. FlashBlock for Firefox, but what to use for Chrome?

Re:Flash can DIAFF (flash fire) (0)

Anonymous Coward | about 5 years ago | (#28852553)

Don't worry, there's always Silverlight.

With the incredible track record of ActiveX, Silverlight has number one Web Site Crapifier status dead in it's sights!

Re:Flash can DIAFF (flash fire) (0, Troll)

jafiwam (310805) | about 5 years ago | (#28852793)

Interesting assertion.

It's also bullshit.

If only I had a mod point... (1)

Mr. Firewall (578517) | about 5 years ago | (#28852935)

Well at least the iPhone is safe

+1 Funny!

Re:Flash can DIAFF (flash fire) (2, Insightful)

ByOhTek (1181381) | about 5 years ago | (#28853077)

People wonder why I don't install flash, all web sites have a perfectly usable non-flash variant of the site, and get extremely PISSED OFF when an enterprise software manufacturer requires the use of flash for important parts of their site.

Re:Flash can DIAFF (flash fire) (0)

Anonymous Coward | about 5 years ago | (#28854027)

Nothing fucks me off more than trying to obtain drivers for an old workstation only to find that the OEM's website REQUIRES flash (i.e. has no non-flash based navigation).
It's almost enough for me to seek parts elsewhere - if a manufacturer is clueless enough to make their website in flash, what can be said of the components quality?

Re:Flash can DIAFF (flash fire) (3, Funny)

Frosty Piss (770223) | about 5 years ago | (#28853117)

Will Flash just die already!

There's always Silverlight... No, really!

This is why... (1, Interesting)

Darkness404 (1287218) | about 5 years ago | (#28852365)

This is the reason why we either need diversity in software or OSS. Flash is installed on practically ever computer, and for good reason, many sites require Flash. However relying on a single software and single software versions is a bad idea, even more so when it is closed-source.

Re:This is why... (0)

Anonymous Coward | about 5 years ago | (#28852643)

no, we dont need to as a patch will work for all of them, and evey computer is then secured...
the computer will not die with a virus and will be totally fresh and clean once patched.
the analogy with diversity as a life form is totally stupid.
annoying but then what...the advantage of a near monoculture in comupters outweight greatly this annoyance.

Re:This is why... (1)

hedwards (940851) | about 5 years ago | (#28852795)

It's not stupid, that's been pretty solid for sometime. Ever wonder why so few crackers target anything other than Windows? The smaller the segment of the market a bit of software takes up the smaller the reward for breaking it.

Benefits to monoculture? You mean the benefits to MS and Apple for not really having to properly compete with platforms that Adobe doesn't support? Or the benefit of being largely left to the mercy of a company whose software regularly crashes, freezes and randomly covers parts of the screen?

I'm sorry, I'm just not seeing any particular benefit to allowing a monoculture to develop. Sure you don't need millions of implementations, but it's kind of hard to justify trusting one company when they seem to care so little about the trouble they cause.

Re:This is why... (0)

Anonymous Coward | about 5 years ago | (#28853311)

'Ever wonder why so few crackers target anything other than Windows? '
Nope, plenty dumbass on windows that will click and install whatever crap is possible, easiest path.

'You mean the benefits to MS and Apple for not really having to properly compete with platforms that Adobe doesn't support'
You are free to make product that compete with Adobe products on whatever platform you want, not Adobe fault...

'I'm sorry, I'm just not seeing any particular benefit to allowing a monoculture to develop.'
Cause you live in your basement ? People in real like help each other, so if they have a problem they can reliably ask someone for a fix, and if platform is the same they will find a solution.
Kinda like all cars have the same controls..
Differents windows version never changed as many things than a single upgrade in unbuntu did (and I still have some programs working on windows7 than on win98..)
'but it's kind of hard to justify trusting one company when they seem to care so little about the trouble they cause.'
trust is not a problem, liability is, but then open stuff is not a solution either 'no guarantee'

Re:This is why... (0)

Anonymous Coward | about 5 years ago | (#28853511)

trust is not a problem, liability is, but then open stuff is not a solution either 'no guarantee'

No one is liable, dipshit. All software comes with an EULA or disclaimer to that effect. If you weren't so obviously illiterate you'd know that.

Re:This is why... (1)

cream wobbly (1102689) | about 5 years ago | (#28853969)

'I'm sorry, I'm just not seeing any particular benefit to allowing a monoculture to develop.'

Cause you live in your basement ? People in real like help each other, so if they have a problem they can reliably ask someone for a fix, and if platform is the same they will find a solution.
Kinda like all cars have the same controls..

Ah, a car analogy.

Have you noticed that the same controls are made by different manufacturers and problems with one manufacturer's implementation do not simultaneously affect all other implementations?

Carry on. As you were.

So true (1)

Ilgaz (86384) | about 5 years ago | (#28854215)

Yes, who are they to support all platforms in equal manner allowing same functionality in all sites?

My suggestions are:
1) Drop PowerPC support
2) Drop Linux support
3) Find some sold out once open source heroes to implement half ass functional thing with a cool name.
4) Go mono! err.. profit!

I haveth 10...87 but I feareth not !! (0)

Anonymous Coward | about 5 years ago | (#28852385)

I feareth not, for I haveth disablethed the abomination frometh Adibe !!

The lord hath spokenth to meith and said I ameth saved.

Re:I haveth 10...87 but I feareth not !! (2, Funny)

noundi (1044080) | about 5 years ago | (#28852807)

You should get that lisp checked out.

Re:I haveth 10...87 but I feareth not !! (0)

Anonymous Coward | about 5 years ago | (#28853015)

Yeth, hith thpuriouth lithp ith abthenth on thertain wordth like "thpoke" and "thaved". Thoundth thtrangsh.

Hmmmm.....! (1)

Monkeedude1212 (1560403) | about 5 years ago | (#28852469)

Everybody, Roll back to Flash player 5 for a little bit. And then have that warm gooey feeling of when you first tried animating with it... Now change your pants.

Re:Hmmmm.....! (-1, Troll)

Anonymous Coward | about 5 years ago | (#28852509)

I wasn't wearing any pants [goatse.fr] in the first place, you insensitive clod!

FlashBlock (3, Insightful)

asdf7890 (1518587) | about 5 years ago | (#28852475)

This makes FlashBlock all the more useful. No flash that I don't explicitly enable ever runs in my browser, which should stop these drive-by attacks in their tracks (unless they somehow infect flash objects I would normally allow, instead of injecting a new "hidden" object into the hacked sites).

FlashBlock may not be fast enough (1)

Animats (122034) | about 5 years ago | (#28852687)

FlashBlock stops Flash from running after a second or two. Some of the remote code still runs. This may be enough time for an attack to get through.

Re:FlashBlock may not be fast enough (2, Informative)

asdf7890 (1518587) | about 5 years ago | (#28852981)

FlashBlock stops Flash from running after a second or two. Some of the remote code still runs. This may be enough time for an attack to get through.

I was under the impression that it replaced the flash objects in the page's DOM before Firefox gets chance to call the plugin. I'll have to see if I can't verify that...

Re:FlashBlock may not be fast enough (2, Informative)

fpophoto (1382097) | about 5 years ago | (#28853023)

Do you have a link for that? The info I've read suggests otherwise. AFAIK, Flashbock blocks Flash completely before the page even loads, although this suggests a bypass is very easy. [seclists.org]

Re:FlashBlock may not be fast enough (0)

Anonymous Coward | about 5 years ago | (#28853961)

I Linux, one instance of flash player can (very frequently) crash all others running in that instance of Firefox while loading or closing.
Now this still happens if you are using Flashblock, so does this not show that flash player is still being initialised?

Re:FlashBlock may not be fast enough (3, Informative)

thePowerOfGrayskull (905905) | about 5 years ago | (#28854093)

the exploit demo they link to does not work in 3.5, so it seems the bypass gap was closed...

Squid + Dansguardian can filter it out (1)

blhack (921171) | about 5 years ago | (#28852533)

If you're not using this, or something like it, then your Admin isn't doing their job.

It looks like none of the users are getting flash until thursday. Sorry guys, no pandora for you. (also looks like I won't be getting a cake on sysadmin day).

Adobe (2, Insightful)

sys.stdout.write (1551563) | about 5 years ago | (#28852567)

is like RealNetworks was years ago.

The only difference is that when Real started raping people's computers it was replaced.

I've Always Said... (3, Interesting)

Anonymous Coward | about 5 years ago | (#28852605)

I've always said(for years) that Flash would be the killer infection vector and that its cross platform ubiquity would be the Achilles heel for Linux and Mac.

This is but a taste of things to come. Flash is an abomination. It has too much power with too little end user control over that power. Combined with its insanely large install base and you have disaster waiting to happen.

I'm not sorry for being right all the time. So suck it!

Zero-Day attack (1, Insightful)

smitty_one_each (243267) | about 5 years ago | (#28852611)

Zero-Day attack
The coder: whack
One means to stop
The furbrained attack
Burma Shave

Re:Zero-Day attack (1)

Smidge207 (1278042) | about 5 years ago | (#28852735)

Privacy is unfair
Private property is theft
Free speech is hate crime
The economy is George W. Bush's fault
Burma Shave

Re:Zero-Day attack (0)

Anonymous Coward | about 5 years ago | (#28853149)

Just
shut
the
fuck
up
err... Burma Shave!

Re:Zero-Day attack (0)

Anonymous Coward | about 5 years ago | (#28853365)

A better analogy
Is buyer marketplace vendor
Gates and RMS argue
About where to position the marketplace
  Burma Shave

Millions of complacent idiots devastated (1, Funny)

David Gerard (12369) | about 5 years ago | (#28852797)

A computer worm that spreads through Flash and PDFs on PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough [today.com] to still think Windows is not ridiculously and unfixably insecure by design.

Despite many years' warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying "COME AND GET IT."

Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. "There's a reason the Unix system on Mac OS X is called Darwin," said appallingly smug Mac user Arty Phagge.

"It can't be stupid if everyone else runs it," said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. "Macs cost more than Windows PCs."

"Yes," said Phagge. "Yes, they do."

Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can't say we care.

Re:Millions of complacent idiots devastated (0)

Anonymous Coward | about 5 years ago | (#28853127)

Er. Except the same vulnerability exists for Mac and Linux users whom have flash installed.

Re:Millions of complacent idiots devastated (0, Troll)

Mr. Firewall (578517) | about 5 years ago | (#28853247)

Except the same vulnerability exists for Mac and Linux users

Uh, hold it there, Professor. Not quite.

Unix users have privelege separation.

Re:Millions of complacent idiots devastated (0)

Anonymous Coward | about 5 years ago | (#28853359)

So does Windows Vista. Oh, you turned it off because it was irritating to enter a password or click OK.

Re:Millions of complacent idiots devastated (1)

LordLimecat (1103839) | about 5 years ago | (#28853437)

So does vista, chief.

Re:Millions of complacent idiots devastated (1)

Eunuchswear (210685) | about 5 years ago | (#28853525)

Unix users have privelege separation.

which protects the uninteresting, easy to reinstall OS and apps, and leaves your important data swinging naked in the wind.

Unless you run your browser in a jail, of course.

Re:Millions of complacent idiots devastated (1)

Viol8 (599362) | about 5 years ago | (#28853771)

Err , actually so long as you keep backups of your private data a trojan coming along and screwing it up is a minor annoyance. Finding your computer OS has an infection and won't run properly or even boot is a lot more of a PITA when you have to spend half a day reinstalling it and all the apps and setting everything up the way you want.

Re:Millions of complacent idiots devastated (1)

Eunuchswear (210685) | about 5 years ago | (#28854075)

Ok, if you're worried about easily detectable changes.

What if the malware makes hard to detect changes, or, even worse, no changes at all and just copies your nice data to some naughty person?

Re:Millions of complacent idiots devastated (0)

Anonymous Coward | about 5 years ago | (#28854249)

Err , actually so long as you keep backups of your private data a trojan coming along and screwing it up is a minor annoyance. Finding your computer OS has an infection and won't run properly or even boot is a lot more of a PITA when you have to spend half a day reinstalling it and all the apps and setting everything up the way you want.

Wow. What a brilliant argument. I'll respond with the obligatory:
As long as you keep a backup image of your OS, a trojan coming along and screwing it up is a minor annoyance.

Re:Millions of complacent idiots devastated (0)

Anonymous Coward | about 5 years ago | (#28854049)

Unless you run your browser in a jail, of course.

Well, on Vista and 7, both IE8 and Chrome sandbox the browsing process in such a way that it can't actually write to most of your data. (They run with a Low IL level, whereas most other user apps run with a Medium IL)

At least we have that.

Re:Millions of complacent idiots devastated (1)

0x537461746943 (781157) | about 5 years ago | (#28853565)

Unfortunately you don't need root privileges to get to private user data and launch trojans. My user data is the most important to me.

Re:Millions of complacent idiots devastated (1)

Viol8 (599362) | about 5 years ago | (#28853725)

I have these things called "backups". You might want to try them sometime.

Re:Millions of complacent idiots devastated (0)

Anonymous Coward | about 5 years ago | (#28854073)

No backup protects against Information Disclosure, do you think the trojans main goal is to just destroy everything?

Re:Millions of complacent idiots devastated (0)

Anonymous Coward | about 5 years ago | (#28854205)

And how excatly do your backups protect you from trojans that steal your private data, smartass??

As the GP said:

Unfortunately you don't need root privileges to get to private user data and launch trojans.

Re:Millions of complacent idiots devastated (5, Informative)

recoiledsnake (879048) | about 5 years ago | (#28853903)

WRONG on many levels. If you're not running as admin, only your user files will get affected in all the current OSes including XP. But IE8 on Windows 7/Vista does sandboxing and hence is more secure than Firefox on Ubuntu out of the box. Don't believe me? Read is straight from the horse's mouth. http://blogs.zdnet.com/security/?p=2941 [zdnet.com]

Why Safari? Why didnâ(TM)t you go after IE or Safari?

Itâ(TM)s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs donâ(TM)t do. Hacking into Macs is so much easier. You donâ(TM)t have to jump through hoops and deal with all the anti-exploit mitigations youâ(TM)d find in Windows.

Itâ(TM)s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesnâ(TM)t have anti-exploit stuff built into it.

[ SEE: 10 questions for MacBook hacker Dino Dai Zovi ]

With my Safari exploit, I put the code into a process and I know exactly where itâ(TM)s going to be. Thereâ(TM)s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I donâ(TM)t know where it is. Even if I get to the code, itâ(TM)s not executable. Those are two hurdles that Macs donâ(TM)t have.

Itâ(TM)s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But thatâ(TM)s only half the equation. The other half is exploiting it. Thereâ(TM)s almost no hurdle to jump through on Mac OS X.

Once you're penetrated... (1)

argent (18001) | about 5 years ago | (#28854035)

Privilege separation is a useful tool, but minimizing the surface area for the initial attack is critical. Security is like sex, once you're penetrated, you're ****ed.

The biggest problems Windows has are related to the surface area exposed to attack:

1. The lack of the ability to bind most survices to a specific IP address means that even services intended for internal use have to be blocked by a firewall rather than being bound to 127.0.0.1.

2. The lack of ability to pass parameters to a program without passing through a re-parsing step, leading to quoting attacks against helper applications.

3. ActiveX.

4. ActiveX.

5. The use of a common set of helper application bindings for the shell and browser, a vulnerability alas copied by Apple.

6. Did I mention ActiveX?

Windows has privilege separation issues, but not nearly as great as they used to, so I wouldn't put this even in the top 10 security problems.

Common runtimes, like Flash, Silverlight, and Java, are a problem because they create the possibility of a "one size fits all" attack. You shouldn't ignore the danger whether you're running Windows or UNIX.

Re:Millions of complacent idiots devastated (1)

cream wobbly (1102689) | about 5 years ago | (#28854279)

Erm.. this is a troll, while shouting about "backups!" isn't?

Good heavens.

And considering the numbers still using WinXP either by choice or by necessity, talking about Vista as if it's the de-facto standard is just plain lying.

Re:Millions of complacent idiots devastated (1)

cbiltcliffe (186293) | about 5 years ago | (#28853465)

The vulnerability exists, yes. But I can pretty much guarantee that any payload is only going to target Windows systems.

Sure, they'll be able to get "deltree c:\WINDOWS" or steal_all_your_passwords.exe onto your Linux box, but it will bork when it tries to run.

Re:Millions of complacent idiots devastated (0)

Anonymous Coward | about 5 years ago | (#28854043)

And what makes Linux so fundamentally different that you could not replace your proposed
"deltree c:\WINDOWS"
with
"rm -rf ~/*" ??

And don't answer that this only deletes data in your home directory, because that is the data that counts.

Re:Millions of complacent idiots devastated (1)

cbiltcliffe (186293) | about 5 years ago | (#28854247)

Well, not a whole lot, on a poorly set up system.

But there is the fact that a single user cannot bork a system for other users. That certainly counts for something.

And the simple fact of marketshare means that Linux will not be targetted in this way for the forseeable future.

And as to deleting data, I haven't run across malware for years that does this. Usually it tries to embed itself into the system somewhere, and steal information. The "deltree C:\WINDOWS" comment was to simplify the payload for explanation.
But an embedded info-stealing payload would be difficult to write for Linux, because there are so many variations. It would essentially have to be downloaded as source and compiled on the system. But if /home and /tmp are mounted noexec, then it makes it difficult for the malware to then run. The user can't put it anywhere else, and it can't execute to run from those locations.
It could be called directly by the shell, but again, there are several different shells for Linux, with no guarantee of any given one being installed on a system.

Possible? Certainly. But much less likely, for a number of reasons.

Not just Windows (5, Insightful)

ThrowAwaySociety (1351793) | about 5 years ago | (#28853205)

"A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems" (emphasis added.)

TFA only mentions Windows because they don't bother scanning Macs or Linux boxes.

Re:Millions of complacent idiots devastated (0, Troll)

lockwood (169993) | about 5 years ago | (#28853215)

Oh, for crisake, give it a rest fanboy!

Re:Millions of complacent idiots devastated (0)

Anonymous Coward | about 5 years ago | (#28853695)

Get the dick out of your ass douchebag. Windows is "insecure"? Is it unsure of itself? Worried about what its friends think? Before going off on some Linux dick-down-the-throat tirade, get an education, learn the meanings of words, and remove the enormous Linux cock from your asshole.

Re:Millions of complacent idiots devastated (1)

unifyingtheory (1357069) | about 5 years ago | (#28854007)

I see blatant plagiarism [today.com] gets you a +5 funny on /. these days.

A more general statement ... (1)

neonprimetime (528653) | about 5 years ago | (#28852851)

9 out of every 10 Windows users are vulnerable to the XXXXXX vulnerability.

Sad, yes. News? No. (1)

93 Escort Wagon (326346) | about 5 years ago | (#28852909)

Flash is installed on almost every PC. The large majority of Windows users still use Internet Explorer, so the majority right there are vulnerable. Firefox has a respectable percentage of the user base, but very few of those people (outside of the Slashdot crowd) seem to use tools like Flashblock. The other browsers - Chrome, Safari, Opera round out the group; their users are pretty much all vulnerable too.

It's sad, I agree - but we already knew this was the case since we've known about this unpatched flaw for a while now...

Re:Sad, yes. News? No. (1)

The_mad_linguist (1019680) | about 5 years ago | (#28853289)

Well, given that it's possible to avoid Flashblock just by lying to the browser (since FF3 doesn't do much MIME checking), installing it really doesn't help security significantly.

Killer App (1)

HaaPoo (696098) | about 5 years ago | (#28852925)

This gives a new meaning to the term Killer App

I hate Adobe (4, Insightful)

Anonymous Coward | about 5 years ago | (#28853213)

You know ...

I hate Adobe software.

There, I said it.

Photoshop is buggy. Premiere is often weird and arcane. Flash and Reader have had some NASTY security holes of late. Reader is a painfully source resource pig. Adobe is at least a year late in releasing a 64 bit version of Flash (outside of the Linux beta).

You know you're in trouble when freakin' MicroSoft is putting out better software.

Adobe's releasing one awful update after another. They seem to lack the resources and expertise to maintain a huge portfolio of overly-ambitious software on a wide variety of platforms. They just can't seem to get anything right with their free (as in beer) software from a security, and sometimes even usability, standpoint.

Dear god.

Request to Adobe: if you want to be the gateway for rich content on the 'net, please realize what's at stake if you fsck things up. By botching security, you're putting millions of people at risk for having their lives turned upside down by thieves and fraudsters. You're releasing the digital equivalent of Pintos. Please start fixing your mess.

Re:I hate Adobe (1)

Nightspirit (846159) | about 5 years ago | (#28853895)

I just installed Windows 7 RTM and went to install flash for IE8 (for steam) and Adobe installed a download manager just to install flash. Are they retarded or something? I wish I could ditch Adobe flash for an alternative. I'm already 100% free of Apple software, it would be nice to coup de grace Adobe from my system as well.

Re:I hate Adobe (0)

Anonymous Coward | about 5 years ago | (#28854291)

Having worked for Adobe (lost my job over cost savings in India): its what you get for shipping everything off to there - seriously - they really could care less... It will only get worse as the Chinese are starting ramp up their software industry and working for less than the Indians. Its my impression they care even less about quality.

Adobe Flash security is extremely disappointing (3, Informative)

quazee (816569) | about 5 years ago | (#28853583)

Flash is now among the top attack vectors for Windows, and it isn't even covered by Windows Update.
There were 23 reported security issues [mitre.org] in the last 2 years, including at least 4 browse-and-get-owned vulnerabilities.
In comparison, Silverlight has had no security bulletins since its 1.0 release (it's now at 3.0).
This may be just yet another reason to migrate to Silverlight, especially for intranet applications.

Re:Adobe Flash security is extremely disappointing (1)

recoiledsnake (879048) | about 5 years ago | (#28853941)

Flash's record is pretty bad, but Silverlight hasn't been completed tested out in the wild yet because it's not very popular right now. More exploits might be coming as it gets used more. But MS seems to have developed it with security in mind, so let's see what happens.

Re:Adobe Flash security is extremely disappointing (1)

jpmorgan (517966) | about 5 years ago | (#28854069)

Well, it's unsurprising Silverlight doesn't have any vulnerabilities. Flash runs in its own, custom built virtual machine. Silverlight runs in the .NET virtual machine, which is designed with a sandbox at its core, and generally has been much, much more rigorously audited and tested.

versions of Flash Player - 9.0.159.0 and 10.0.22.8 (4, Funny)

buchner.johannes (1139593) | about 5 years ago | (#28853715)

An interesting approach, using IP addresses as version numbers

Re:versions of Flash Player - 9.0.159.0 and 10.0.2 (1)

Icegryphon (715550) | about 5 years ago | (#28853795)

IBM Corporation - 9.0.159.0
Internet Assigned Numbers Authority - 10.0.22.8
Tinfoil hats now half off.

Admin? (1)

wiredlogic (135348) | about 5 years ago | (#28853787)

So do you have to be on an administrator account for the attack to work?

How can it still be a zero day exploit... (1)

Viol8 (599362) | about 5 years ago | (#28853809)

... if everyone knows about it?

Or am I missing something here?

The remaining 8% of Windows PC (1)

gmuslera (3436) | about 5 years ago | (#28854067)

were turned off at the moment of the counting.

Let me guess (1)

mandark1967 (630856) | about 5 years ago | (#28854097)

The other 8% were:

1 -- Downloading Flash because they felt "left out"
2 -- Powered off
3 -- Already infected
4 -- At the local Geek Squad store having their Owners' Personal Information "backed up" to the technician's USB stick (It's value-added!)
5 -- Some combination of the above choices

Could this be.... (1)

wjousts (1529427) | about 5 years ago | (#28854151)

the best thing to ever happen to Silverlight?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>