Adobe Flash To Be Top Hacker Target In 2010

CmdrTaco posted more than 4 years ago | from the flash-in-the-pan dept.

Security 180

An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"

180 comments

Rob Malda's tiny penis (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30583640)

Rob "CmdrTaco" Malda has an embarrassingly small penis. It's barely 2 inches when fully erect.

Re:Rob Malda's tiny penis (1)

isama (1537121) | more than 4 years ago | (#30585404)

It's not about the size, it's about what you can do with it.

But I don't think you would understand.

I already see this happening (2, Funny)

BadAnalogyGuy (945258) | more than 4 years ago | (#30583660)

Sometimes when I go to a website, it will have Flash malware which forces me to download unwanted content and then plays it without my consent.

Damn you Youtube!!!

Re:I already see this happening (0, Flamebait)

fluffybacon (696495) | more than 4 years ago | (#30583732)

I don't understand this. Can you give me an analogy, possibly involving a car?

Re:I already see this happening (0)

panda (10044) | more than 4 years ago | (#30583886)

It's like "when I'm drivin' in my car and a man comes on the radio, tellin' me more and more about some useless information supposed to fire my imagination."

Re:I already see this happening (0)

g0bshiTe (596213) | more than 4 years ago | (#30584008)

And I suppose you can't get no satisfaction!

Re:I already see this happening (4, Funny)

digitalunity (19107) | more than 4 years ago | (#30584238)

Does anyone else see the irony that the white paper is in Adobe PDF format and most people will be reading about Adobe Reader vulnerabilities IN Adobe Reader?

Re:I already see this happening (0)

ThatsNotPudding (1045640) | more than 4 years ago | (#30584422)

It's not a bug, it's synergy!

Re:I already see this happening (0, Redundant)

datapharmer (1099455) | more than 4 years ago | (#30584564)

reader != flash, unless of course you use the definition of "slows down computer, decreases stability, and creates a security nightmare for IT" in which case, good job - you are dead on!

Re:I already see this happening (0)

Anonymous Coward | more than 4 years ago | (#30584932)

The summary does mention both Flash and Acrobat reader.

Re:I already see this happening (1, Informative)

Anonymous Coward | more than 4 years ago | (#30585038)

No, but reader == reader. From the summary, "we anticipate Adobe software, especially Acrobat Reader and Flash"

Re:I already see this happening (0)

Anonymous Coward | more than 4 years ago | (#30585444)

rtfa

It's probably a trojan (0)

bigtrike (904535) | more than 4 years ago | (#30585102)

It's to help prove their point.

Re:I already see this happening (0, Offtopic)

just_another_sean (919159) | more than 4 years ago | (#30584044)

Exactly. I can't stand the one where he keeps telling me how white my shirts could be.

Re:I already see this happening (0, Offtopic)

sopssa (1498795) | more than 4 years ago | (#30584440)

I could use some of that. Let's say I forgot what mother always told me about washing white and red clothes, and that I'll be wearing pink for a while.

Re:I already see this happening (0, Offtopic)

Aeros (668253) | more than 4 years ago | (#30584126)

Rush Limbaugh?

Re:I already see this happening (0, Offtopic)

Sir_Lewk (967686) | more than 4 years ago | (#30584152)

Nope, not doing it. Is PizzaAnalogyGuy around?

Re:I already see this happening (0, Offtopic)

PizzaAnalogyGuy (1684610) | more than 4 years ago | (#30584772)

Last night I was spending some time at my friend's place. We have a long history raiding together in WoW - he always takes care of me, kills enemies that try to approach me from behind and heals me when I'm on the verge of dying. He is a person that one might call a "good friend". If he would be a girl, I would marry her. But no patches and no new content in WoW has hit it somewhat. We've already done everything, we've already seen everything and we've already experienced everything together. While waiting for the new expansion, it was time to go test a new Game.

As we left all the possible MMO's to download, we figured it was time to go get a pizza. Truth to be told, we were quite hungry at that point. While walking towards the pizza place, I was just thinking about all the delicious ingredients I could choose from. Should I take a crusty hawaiian style pizza with ham and pineapples, dipped in barbeque sauce and extra cheese and mayonnaise on top. Or would it be better to eat a large pizza with tenderly sliced onions, steak, pepper and mushroom with American cheese on top. Or go wild and order both of them.. I just had to make sure there would be enough room left for pancakes with strawberry jam afterwards as a dessert.

We made our orders and sat on the table to wait. I couldn't wait - two best large pizzas, some coca-cola and pancakes as a dessert. Then all the new MMO's to test. It was a happy day. I was happy.

As the cook brought us our pizzas, he told us there were minor changes on the ingredients as they were out on some. No biggie, I said and paid for my pizzas and pancake. We walked back home and started this game called "Eve Online" to test it out, as it looked interesting. At this point, I was almost dying of hunger. I opened my pizza box and to my surprise.. he had changed the barbeque sauce to mexican sauce! This is madness, I was yelling. But in the end, it was a great pizza, and I still had the other one too. All the crustiness, mayonnaise, cheese and fresh taste made up for it. And so did the pancakes with strawberry jam dessert.

Re:I already see this happening (1)

bhamlin (986048) | more than 4 years ago | (#30583736)

Sounds like someone's been a victim of one too many Rickrolls....

Re:I already see this happening (0)

Anonymous Coward | more than 4 years ago | (#30583868)

This thread is devoted to CmdrTaco's small penis.

Re:I already see this happening (2, Informative)

VanessaE (970834) | more than 4 years ago | (#30584170)

Tubestop [mozilla.org] is your friend (tm).

Re:I already see this happening (1)

the_hellspawn (908071) | more than 4 years ago | (#30584790)

Youtube my butt! You're looking at PoRN! I know I get it too :{p

Yuh huh (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30583668)

Let me guess, Microsoft are just ready to offer the solution in the form of Silverlight, right?

Re:Yuh huh (2, Interesting)

Neuroelectronic (643221) | more than 4 years ago | (#30583728)

I dunno, but it just seems to me that embedding a Turing machine into a website is just a bad idea no matter what you call it.

Re:Yuh huh (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30583974)

Microsoft would be foolish to let pass an opportunity to promote its competing products, yeah. They tend not to be foolish when it comes to such things.

I don't see what Adobe's problem is with the security vulnerabilities. Don't trust data from the network, and don't ever use a variable/etc without bounds checking. How many versions, bugfixes, patches, and revisions does it take to get these two basic things right? Real question. I don't understand the difficulty here.

Re:Yuh huh (5, Insightful)

El Lobo (994537) | more than 4 years ago | (#30584334)

That would be the right time, yes. But actually, the problem with today's systems is not as much the OS as the applications that run on it. Almost every self-respecting OS has an Auto-update function that works more or less well. Unless you are a paranoid schizophrenic who updates the OS manually (forgetting to do it now and then), the OS is relatively secure. The problem is the applications. Now tell me, how many of us run to download a new Java machine or a new Acrobat reader, or a new Cobian Backup, or a new WinAmp when a vulnerability is discovered on any of those products? Hell, you will be lucky if you even get to know that a new vulnerability was found on your faithful uTorrent... So when you get pwned, what's the first thing the user blames? The OS of course...

At work we had a Windows Server 2008 hacked. It was killing the whole network sending spam and trying to infect other machines on our AD. Our boss was already blaming Bill Gates's mother ... On a closer inspection, the problem was discovered. The system was running a quite old version of WebBoard (a system for collaboration, which was developed originally by O'Reilly). The firewall has the port 8080 open to allow users to connect. Some people discovered the open port, found out that WebBoard was running, and took advantage of the vulnerability to upload and run malicious code on the server. Because WebBoard is a service, running as the System account, you can imagine what happened there. Did our IT manager know about this vulnerability? Not at all, even if it was fixed on a posterior build.... How many "forgotten" programs, and non-OS related services do people have running in their machines, unpatched and unattended? Think about this...

Re:Yuh huh (2, Informative)

causality (777677) | more than 4 years ago | (#30585202)

That would be the right time, yes. But actually, the problem with today's systems is not as much the OS as the applications that run on it. Almost every self-respecting OS has an Auto-update function that works more or less well. Unless you are a paranoid schizophrenic who updates the OS manually (forgetting to do it now and then), the OS is relatively secure. The problem is the applications. Now tell me, how many of us run to download a new Java machine or a new Acrobat reader, or a new Cobian Backup, or a new WinAmp when a vulnerability is discovered on any of those products? Hell, you will be lucky if you even get to know that a new vulnerability was found on your faithful uTorrent... So when you get pwned, what's the first thing the user blames? The OS of course...

At work we had a Windows Server 2008 hacked. It was killing the whole network sending spam and trying to infect other machines on our AD. Our boss was already blaming Bill Gates's mother ... On a closer inspection, the problem was discovered. The system was running a quite old version of WebBoard (a system for collaboration, which was developed originally by O'Reilly). The firewall has the port 8080 open to allow users to connect. Some people discovered the open port, found out that WebBoard was running, and took advantage of the vulnerability to upload and run malicious code on the server. Because WebBoard is a service, running as the System account, you can imagine what happened there. Did our IT manager know about this vulnerability? Not at all, even if it was fixed on a posterior build.... How many "forgotten" programs, and non-OS related services do people have running in their machines, unpatched and unattended? Think about this...

Perhaps the OS deserves some blame (kneejerk types, note that some != all). On Windows there is no equivalent to the various centralized package managers that come with standard Linux distributions. You cannot go to one place and run one program and simultaneously update every last application installed. The biggest obstacle seems to be the copyright restrictions that prevent the redistribution of most Windows software. But for whatever reason, on Windows, every last application is on its own and must make provisions for its own updates. If it doesn't, or if the user gets tired of dialogs popping up and just wants to get rid of them, then you get the scenario you describe. On a Linux or BSD -style system, WebBoard would be a package like any other and would be regularly updated as part of your routine system maintenance.

Re:Yuh huh (0)

Anonymous Coward | more than 4 years ago | (#30585510)

You shouldn't have to know about the vulnerability. Your IT should know that you don't expose services running as local system to anything outside of the local machine's firewall. Service accounts.

(And before /. queues up the "but linux" how many of you would be ok with running webappX as root and exposing it to the www?)

Re:Yuh huh (0)

Anonymous Coward | more than 4 years ago | (#30584884)

Sadly Silverlight is more secure than Flash.

Centralised Updating (0)

Anonymous Coward | more than 4 years ago | (#30583720)

Enforced centralised updating for Adobe products with GP, without local admin rights is what we need (like WSUS).

This is about finding a common infection point (4, Insightful)

fprintf (82740) | more than 4 years ago | (#30583738)

With the recent popularity of Apple products and other internet surfing enabled devices, this is all about infecting the most machines possible. Previously that was easily accomplished by targeting the most popular devices - Windows PCs. But now there are even more targets available and most of them run Adobe Reader and Flash.

What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

Re:This is about finding a common infection point (1)

larry bagina (561269) | more than 4 years ago | (#30583920)

iphones and other internet-enabled devices don't have flash or acrobat. Or if they do have flash, it's the stripped down ARM version.

Re:This is about finding a common infection point (2, Insightful)

El Capitaine (973850) | more than 4 years ago | (#30583960)

No, what will happen is that the Macs, Linux, smartphones, etc. will still be praised as incredibly secure, and it will just be Adobe's fault. Nobody likes to take the blame or admit that their favorite platform isn't what they said it was, but everyone loves to insult Flash.

Re:This is about finding a common infection point (1)

mister_playboy (1474163) | more than 4 years ago | (#30584616)

Seeing as it's a closed source plugin that you can't fix yourself... what else can you do but complain about it?

It's also hard to argue that Flash on every platform other than 32-bit Windows is anything but badly coded software.

Re:This is about finding a common infection point (1)

oahazmatt (868057) | more than 4 years ago | (#30584112)

What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

Yes.

The moment you believe securing your system is not an issue, that's exactly when it becomes an issue.

As a Windows and Mac user, I don't trust either of my systems to be any more secure out-of-the-box than I can throw them. You don't get to ignore any responsibility for your system's security and have the privilege of being a link-clicking blind-downloader simply because you picked the "more secure" computer.

Re:This is about finding a common infection point (1)

wizardforce (1005805) | more than 4 years ago | (#30584200)

What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

I would imagine that if Flash etc. became poor enough in terms of security we'd see more attention on projects like Gnash [gnashdev.org].

Re:This is about finding a common infection point (4, Informative)

causality (777677) | more than 4 years ago | (#30584366)

What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

I would imagine that if Flash etc. became poor enough in terms of security we'd see more attention on projects like Gnash [gnashdev.org].

No joke. Even if they are absolutely equally secure, Gnash provides source code. You can build that source with SSP (or equivalent) [wikipedia.org]. You can also build it as PIC [wikipedia.org] and apply many other restrictions with a PaX [wikipedia.org] and/or Grsecurity kernel [wikipedia.org]. All of these will reduce the chances that a known vulnerability will lead to a successful exploit. Specifically, a known vulnerability that would normally allow an attacker to run arbitrary code stands a good chance of merely crashing the application.

You just don't have options like this with binary blobs. I really would like to see more development of Gnash, as it seems that Adobe Flash is on a downhill course in terms of security and will continue to be a problem. Source code is about freedom and control. With such control, you can take steps to manage a risk even if you cannot perfectly mitigate it.
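An added illustration of the build options named in the comment above (not part of the thread, and not code from Gnash or any poster): a small auditor that reads an ELF64 image and reports whether it was built position-independent without text relocations and whether it references the stack-protector failure handler. The function names and the sample images are constructed for this example, the `__stack_chk_fail` test is a heuristic, and the PT_GNU_STACK check goes slightly beyond what the comment lists.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK = 2, 0x6474E551
PF_X = 0x1
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def audit_elf64(data: bytes) -> dict:
    """Report build-time hardening visible in a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    nx_stack = False   # stays False unless a PT_GNU_STACK header proves otherwise
    textrel = False    # text relocations mean code pages must be patched at load
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            # Walk the (tag, value) pairs of the dynamic section.
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    textrel = True
    return {
        # ET_DYN covers both shared objects (plugins) and PIE executables.
        "position_independent": e_type == ET_DYN and not textrel,
        "text_relocations": textrel,
        # Heuristic: SSP-built code imports __stack_chk_fail from libc.
        "stack_protector": b"__stack_chk_fail" in data,
        "nx_stack": nx_stack,
    }


def build_sample(e_type, stack_flags, dyn_entries, strings=b""):
    """Constructed test image: header, two program headers, dynamic section."""
    phoff, phentsize = 64, 56
    dyn_off = phoff + 2 * phentsize
    dyn = b"".join(struct.pack("<qQ", t, v)
                   for t, v in list(dyn_entries) + [(DT_NULL, 0)])
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, phoff,
                                 0, 0, 64, phentsize, 2, 0, 0, 0)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                         len(dyn), len(dyn), 8)
    ph_stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags,
                           0, 0, 0, 0, 0, 16)
    return header + ph_dyn + ph_stack + dyn + strings


# Constructed samples: a hardened shared object and a weakly built executable.
HARDENED = build_sample(ET_DYN, 6, [(DT_FLAGS, 0x8)], b"\0__stack_chk_fail\0")
WEAK = build_sample(ET_EXEC, 7, [(DT_TEXTREL, 0)], b"\0puts\0")

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_elf64(image))
```

To audit a real plugin or binary, pass the file's bytes to `audit_elf64`; the result describes only what the build recorded in the file, not what the running kernel enforces.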

Re:This is about finding a common infection point (2, Insightful)

Paradigm_Complex (968558) | more than 4 years ago | (#30584462)

What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

I can't speak for Macs or smartphones (who gloats over the security of smartphones? Things like the amount of iphone jailbreaking going on or the Tmobile sidekick crash make it pretty clear smartphones have issues...), but Linux is still more secure than Windows in this respect. There's numerous ways to isolate the damage that could be done from a hole in flash. MAC like SELinux or AppArmor are perfect for this, and Windows still doesn't have a competent MAC implementation (MIC is insufficient). There's ways to sandbox firefox without MAC, too, such as setting everything up to sudo to another user every time firefox is called. There's a LOT of ways to deal with this.

Now, all of these take some work on the user's part. Stupid/lazy Windows users can be pwned just as badly as stupid/lazy Linux people. But it's not as though a competent individual is just as badly off on both platforms... Linux has solutions for dealing with untrusted things like flash where Windows does not. If you actually and actively care about security, you can continue to gloat about Linux's superiority in this respect. If you're too lazy to take security seriously, you can be pwned on both counts.

Quick fixes won't be enough. (1)

sznupi (719324) | more than 4 years ago | (#30583740)

People often just don't update Flash much. It's a little better for Adobe Reader from what I see; but just a little - automatic updates are treated more like a nuisance to hide, it seems.

Overall - good riddance. Simple & small PDF readers with scripting disabled are all almost anybody needs anyway. As for Flash - everybody here keeps whitelists of pages already, right? And perhaps those few whitelisted ones will feel the need to enable HTML5 video tag sooner.

Re:Quick fixes won't be enough. (3, Interesting)

dgatwood (11270) | more than 4 years ago | (#30583940)

Even if they updated regularly, it would still be an easy target. Something like six of the top ten browser crasher bugs are in Flash plug-ins. There are so many crasher bugs that nobody can even keep count. When you realize that every single one of those is probably an exploitable attack vector, you quickly understand why I use click2flash. Swiss cheese belongs on sandwiches, not on the public Internet....

Re:Quick fixes won't be enough. (1)

psydeshow (154300) | more than 4 years ago | (#30583956)

People often just don't update Flash much.

Except that Flash can be made to auto-update since around version 8.

So no, people don't update Flash. It updates itself!

Re:Quick fixes won't be enough. (2, Informative)

Jeng (926980) | more than 4 years ago | (#30584670)

You might update, but "people" are stupid and do not.
"People" tend to minimize or close anything that pops up in between start up and opening the app that one started the computer to use. Whether it be windows update, virus scan update, or updates of nagging software. Of those three the updates of nagging software will be the most likely to just be closed without any update taking place.

isn't Flash content in the cloud? (1, Funny)

alen (225700) | more than 4 years ago | (#30583764)

i expect a fix in 5 minutes. everyone knows that anything delivered from the cloud is highly secure and easy to fix if problems arise

WTF (2, Informative)

tylersoze (789256) | more than 4 years ago | (#30583768)

Could someone please explain to me why I have to be worried about $#! document viewer compromising my system? WTF Adobe!? Glad I don't have to use it to read PDF's anymore. Thank you OS X for builtin support.

Re:WTF (2, Informative)

Abcd1234 (188840) | more than 4 years ago | (#30584020)

Don't be silly, buffer overflows can happen anywhere. Hell, IE has been compromised thanks to a b0rked JPEG decoder in GDI+, ffs.

That said, Adobe has certainly made their job harder by including a full-blown ECMAScript engine in acroread. But even without that, the ubiquity of Flash and Reader makes them ideal targets for hackers, thus further illustrating why software monoculture is a bad thing.

Re:WTF (0)

Anonymous Coward | more than 4 years ago | (#30584030)

Well it was just a document viewer, then someone got the bright idea to add Javascript to it.

Re:WTF (1)

Leomania (137289) | more than 4 years ago | (#30584066)

I'm much more of a hardware (chip) guy than I'll ever be a software guy. I'd like to ask (honestly), how can Flash remain such a security nightmare? After all this time, all of the preceding versions of flash, how can vulnerabilities continue to be found in light of more scrutiny by the developers (code audits, bounds checkers, etc.)? I realize no complex piece of software is bug-free, but Flash (and of course, Acrobat Reader) have continuous vulnerability discoveries... must it be so forevermore?

Re:WTF (1)

Abcd1234 (188840) | more than 4 years ago | (#30584106)

Your argument would make sense if Flash was a product in maintenance mode, where no new substantial development was being done, and only bug fixes and security enhancements were being applied. But, of course, that's not at all the case. New features, performance enhancements, and god knows what else, show up in every rev of Flash, and that means new potential security vulnerabilities.

Hell, by your argument, Firefox should be virtually bug free by now...

Re:WTF (0)

Anonymous Coward | more than 4 years ago | (#30584906)

Hell, by your argument, Firefox should be virtually bug free by now...

My experience has been that it is...

Re:WTF (0)

Anonymous Coward | more than 4 years ago | (#30585120)

That's funny, I'm seeing 267 open bugs in the 3.5 branch of Firefox in their Bugzilla and another 270 in the 1.9.1 renderer that it uses. Between the two, approximately 100 are classified as critical.

(Not to bash Firefox, as I certainly appreciate all of the hard work many people have put into it - but it's big, complex software and it's by no means bug free)

Re:WTF (1)

Yvan256 (722131) | more than 4 years ago | (#30584088)

I'm with you on built-in Mac OS X support. It can "print" PDF files and read them as easily as PNG or JPEG files. I hope Apple never adds support for scripting in their PDF decoder.

Acrobat and Flash (5, Informative)

Enderandrew (866215) | more than 4 years ago | (#30583778)

Acrobat and Flash vulnerabilities were two of the biggest issues I saw in 2009, even more than Office vulnerabilities.

For one, Office only seems to hit the enterprise sector, and most enterprise users have at least some security. Office is more likely to be patched by users, and there were fewer vulnerabilities.

Most users don't have the latest version of Acrobat or Flash. They affect home and enterprise users.

Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an after-thought.

For Windows users, I often recommend they swap Acrobat with a free reader like Sumo or Foxit, which is smaller, faster, and has less vulnerabilities. Sadly, there aren't many GOOD Flash alternatives.

I really hope HTML 5 phases out the popularity of Flash.

Re:Acrobat and Flash (1)

stimuli_ii (1266556) | more than 4 years ago | (#30583932)

"Sadly, there aren't many GOOD Flash alternatives"

How about Silverlight or Moonlight?

Re:Acrobat and Flash (1)

Nadaka (224565) | more than 4 years ago | (#30584048)

he said GOOD alternatives. Silverlight and Moonlight are not.

Whatever happened to applets and javascript?

Re:Acrobat and Flash (1)

McBeer (714119) | more than 4 years ago | (#30584322)

Whatever happened to applets and javascript?

Applets got a (mostly undeserved) reputation for being slow and unwieldy and a (mostly deserved) reputation for having security/runtime issues. Javascript lacks a ton of the features flash/silverlight have, isn't really all that fast, and making it cross browser compatible can be a real bear.

What's the problem with Silverlight other than you don't like the company that made it? It's fast, secure, full featured, and works just fine in all the browsers people actually use.

Silverlight couldn't be a Flash rival,thanks to MS (1)

Ilgaz (86384) | more than 4 years ago | (#30584502)

As Silverlight's vendor was busy with feeding that once famous, now puppet idiot and his gang, their V2 dropped support for PowerPC Macs, which several people, including their market, use. No, PowerPC Macs didn't explode and refuse to turn on when Apple announced the Intel transition. They are in use by schools, people who keep hardware which works, musicians (as the 12" PB is still waiting for a replacement), and company terminals which do nothing other than mailing and browsing.

In Silverlight V3, things are getting even more complex as the Win32/64 Silverlight V3 has more features than the OS X 32/64 one. Besides lack of real development tools on most popular Web designer tool (Mac, even in darkest days), now people will also need to be careful about the functions they use since some simply won't exist on Mac and possibly iPhone in future.

While mentioned, where is the iPhone/Symbian and even Windows Mobile support? None. In a couple of months, Adobe & Nokia/Symbian Foundation start rolling out full Flash on portable devices. Windows Mobile "full flash" is already up and running on select handsets. Where is Silverlight for Win MO?

So, we will rely on MS, that same company and their sold out puppet's wannabe, lacking clones and replace Flash with it? The reason? Flash being more popular and coming to a point that everything having CPU will show our content?

Silverlight couldn't be a rival to Flash. The issue is deep inside Microsoft, they are like 1980s IBM, they didn't convert themselves like Big Blue. They are all fine with 1990s "run windows or be second class citizen". Issue is, it doesn't work anymore. MSNBC shows only Silverlight? I go to CNN and use GPU/SMP accelerated Flash video. It would be MSNBC's loss, not mine.

Re:Silverlight couldn't be a Flash rival,thanks to (1)

stimuli_ii (1266556) | more than 4 years ago | (#30584640)

Color me skeptical but based on your reply I seriously doubt you would visit MSNBC's site because of the "puppet idiot and his gang" have a stake in it.

Nice rant all the same...

Re:Acrobat and Flash (1)

Abcd1234 (188840) | more than 4 years ago | (#30584406)

Wait, because, unlike Silverlight and Flash, Applets and Javascript are somehow magically free of vulnerabilities?

Careful, your prejudices are showing...

Re:Acrobat and Flash (1)

Nadaka (224565) | more than 4 years ago | (#30584956)

What the hell are you talking about? I said NOTHING about vulnerabilities. Perhaps it is your prejudices that are showing.

Silverlight fails at cross platform use, and can break previously working and unrelated software when installed. Moonlight is a half implementation of Silverlight that can't even get its errors right. Applets and javascript play nicely in comparison, though javascript is a pain in the ass with its browser incompatibility issues.

Re:Acrobat and Flash (1)

stimuli_ii (1266556) | more than 4 years ago | (#30584432)

Depends on what your definition of GOOD is I guess.

My opinion is that Flash is not the best RIA product out there. It just has the most installations.

Re:Acrobat and Flash (0)

Anonymous Coward | more than 4 years ago | (#30584546)

I think he meant an alternative implementation of Flash not an alternative technology. There's Gnash and Swfdec, but neither is nearly 100% compatible.

Re:Acrobat and Flash (1)

Enderandrew (866215) | more than 4 years ago | (#30584742)

That is what I meant. For a user, if they want to go to Youtube, they can't simply uninstall Flash and make the site work with Silverlight.

Flash is so utterly predominant on the web, that most users feel it is a necessity.

Re:Acrobat and Flash (0)

Anonymous Coward | more than 4 years ago | (#30584172)

So what are these flash exploits capable of doing on a Linux box? Haven't heard any instances of this happening to any of my Linux using friends yet. Just FUD?

What are you going to target... (1)

SuperKendall (25149) | more than 4 years ago | (#30584264)

Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an after-thought.

In what way is security an "afterthought" on these systems? Both have stronger measures to keep exploits from infecting the core system than Windows7. Both have excellent patching mechanisms that consumers use regularly.

Furthermore, let's say you are a virus writer, and you take advantage of a Flash exploit. OK, now you have native code running - just which system calls are you going to start making? Linux? Mac? Hardly.

Just like in the past, Flash exploits will be something Windows users have to worry about while Linux and Mac users just sit back and shake heads that so many people put up with the problems of an overly large monoculture.

Re:What are you going to target... (1)

LOLLinux (1682094) | more than 4 years ago | (#30584346)

Just like in the past, Flash exploits will be something Windows users have to worry about while Linux and Mac users just sit back and shake heads that so many people put up with the problems of an overly large monoculture.

lolwut? [adobe.com]

Re:What are you going to target... (1)

Enderandrew (866215) | more than 4 years ago | (#30584472)

The users aren't as focused on security because the OS is seen as traditionally secure. I love Linux. I advocate Linux as a safer way to browse the web.

Flash exploits on a web site are going to target Windows, as opposed to the small Linux market.

However, Flash exploits do exist.

My original point is that this is an odd prediction saying that Flash will become an issue in 2010, when I already think it was the biggest issue in 2009.

Good luck with million hour video downgrades (4, Interesting)

Ilgaz (86384) | more than 4 years ago | (#30584630)

Unless you drug the IT departments of major media sites to go back to 1990s while H264 exists and H265 is being mentioned, HTML5 can't replace Flash.

It is the codec, the stupid fanaticism about "open codecs" to a degree of inviting Apple to jump to VP3 while they spent billions for H264 and the damn MP4 is being lite version of their OWN container, Mov.

For terabyte/petabyte sized media outlets, changing the codec means millions of real World money, not some "everything should be open" dreamer's money. In real World media, you even keep U-Matic players from 1970s maintained since in one occasion, you may need that archive tape from 1970s which haven't been digitized since it is part of your millions of hours archive which may be rarely (once a month) used.

HTML5 designers should really visit a major TV studio to see how things are really done, why you must do some insanely great progress to convince the people to switch, how TV and Video guys don't give a heck to "patent" problem as long as multiple vendors/documented standards/EBU etc. approvals exist.

Re:Good luck with million hour video downgrades (1)

EzInKy (115248) | more than 4 years ago | (#30585440)

Perhaps if the holders of H264 patents granted royalty free rights for foss implementations of their codecs everyone could have their cake and eat it too.

Re:Good luck with million hour video downgrades (0)

Anonymous Coward | more than 4 years ago | (#30585470)

Give me a break. If YouTube and others don't switch to HTML5 then they will fade away as they are replaced by better sites that do support HTML5.

That's just how it works. Doesn't matter if it costs them a ton of money to redo their stuff. If a better solution comes along then people will use it instead of crappy old systems.

64-bit windows safe (0)

Anonymous Coward | more than 4 years ago | (#30583798)

64-bit windows isn't a target of flash virus :)

Do the hacks exploit buffer overflow issues? (1)

master_p (608214) | more than 4 years ago | (#30583818)

Do the hacks exploit buffer overflow or wild pointer issues? Does anyone know?

Re:Do the hacks exploit buffer overflow issues? (3, Interesting)

psydeshow (154300) | more than 4 years ago | (#30584002)

The hacks in Flash are often social engineering tricks to get at files, camera, microphone... though I think the most growth will be enabled by the excellent support for socket communication in today's actionscript. In other words, good old-fashioned cross-site-scripting.

i can has FOSS Flash Replacement? (1)

AP31R0N (723649) | more than 4 years ago | (#30583906)

It's time to start seriously chipping away at Adobe's stranglehold on multimedia. Or at least give it some serious competition that will inspire them to work harder.

As someone else has mentioned, this might be HTML 5's time to step up.

Re:i can has FOSS Flash Replacement? (0)

Anonymous Coward | more than 4 years ago | (#30585222)

yes, one day html 5 will replace flash...

can i ask if you know the slightest thing about that which you speak of? talk about picking yourself a lost cause mate

save your moaning till flash dominates each and every mobile phone that is on the market. :)

How are Linux users affected by this? (1)

Nutria (679911) | more than 4 years ago | (#30583928)

Are there Flash-based keyloggers or bots?

And the link is a pdf?! (0)

Anonymous Coward | more than 4 years ago | (#30583946)

I'm not clicking on that one!

Oh, the irony! (5, Funny)

Locke2005 (849178) | more than 4 years ago | (#30583948)

"We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"

Re:Oh, the irony! (1)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#30584056)

"We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"

It seems to be a standard PDF file that opens just fine in other PDF readers. What did you try opening it with? Or do you mean because you don't know there are other PDF readers you, personally, have to use Acrobat Reader?

Re:Oh, the irony! (1)

nacturation (646836) | more than 4 years ago | (#30584436)

"We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"

Fortunately this vendor (who conveniently sells security products) allowed us to view their press release on Slashdot using HTML.

Oh the irony (0)

Anonymous Coward | more than 4 years ago | (#30583952)

McAfee reports that PDF attacks are going to be tops in the upcoming year by releasing reports in PDF form. Maybe they're trying to collect stats on who is vulnerable...

New Year Forecasts (0)

Anonymous Coward | more than 4 years ago | (#30584012)

I wish the media would spend as much time reviewing the forecasts from the previous year as they do reporting what experts think will happen next year. I predict the big security issue for 2010 will be... annoying. And profitable for the security industry, even for the expert who said the problem will be something else.

There is already a solution (2, Insightful)

jrozzi (1279772) | more than 4 years ago | (#30584050)

Developers can stop using flash and end-users should uninstall it. There is already a solution out there and it is called javascript. 90% of the things you can do in flash can easily be done using javascript, jquery, or some other javascript framework. For the remaining 10%, HTML 5 will be able to handle most of it (canvas tag, videos, better form support, etc), and the remainder of things that javascript/html can't do that flash can do (if there is anything), is not even worth implementing in a website. Since javascript and HTML are all open and much easier to work with, I foresee flash and silverlight on the decline. This especially holds true when HTML 5 is fully supported in most people's browsers.

"Flash" is often sold. (1)

Errol backfiring (1280012) | more than 4 years ago | (#30584186)

As long as IT salesmen sell "flashy" sites and bleat that it is professional to put a flash lock on your site, developers will have to build it.

As you already say that most things can be done in javascript, I don't see that HTML5 support would hurt the use of flash.

Re:There is already a solution (1)

PerfectionLost (1004287) | more than 4 years ago | (#30584248)

Flash games are the only things you can't easily reproduce in javascript. I know my siblings (ranging from the age of 4-15) are the source of most of my parents' computer woes. They play many flash based games, and I assume that is the source of a lot of their issues.

Re:There is already a solution (0)

Anonymous Coward | more than 4 years ago | (#30584486)

I admit to not knowing much about javascript, but can it do youtube style video? That type of video (from many different sites) constitutes the majority of my use of Flash.

Re:There is already a solution (1)

clone53421 (1310749) | more than 4 years ago | (#30584958)

In HTML 5, yes [youtube.com].

Re:There is already a solution (1)

eigenstates (1364441) | more than 4 years ago | (#30585272)

This uses the Quicktime libraries, for those what are interested.

Re:There is already a solution (4, Interesting)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#30584256)

There is already a solution out there and it is called javascript. 90% of the things you can do in flash can easily be done using javascript, jquery, or some other javascript framework.

The problem with your statement is you assume the Flash content creators are programmers with enough free time. In reality, many of them have degrees in communications or visual arts or are just programmers who want a quick and easy tool for throwing together some quick video/UI content for the Web. From what I've seen, the decently made tools to create such content are mostly created by Adobe and focused on Flash. Unless a company steps up and creates equivalent tools for HTML5 and javascript and those tools gain a significant market share and momentum and ecosystem, I see Flash remaining dominant, with MS gobbling up a smaller share.

selling a product (1)

bcrowell (177657) | more than 4 years ago | (#30584098)

McAfee, of course, has a product to sell.

For Adobe Reader, the solution is really easy. Either install something faster and more secure as your browser's PDF plugin, or disable javascript in Adobe Reader. All the security vulnerabilities in AR have been related to javascript, which is a feature that almost nobody wants or needs in pdf files anyway.

I'm skeptical about any risk from flash. Flash apps run in a sandbox. Are they referring to things like malicious facebook apps? That seems like a relatively minor concern to me. Sure, it would be embarrassing to have all your facebook friends get spam from you, but the potential damage seems relatively minor. It can't take over your machine, can't access your banking info, etc. And of course flashblock, which I would never be without in any case, will protect you from running untrusted flash apps on random webpages that you hit.
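The mitigation in the comment above is on the reader side; the matching file-side check is to flag PDFs that contain script or auto-run actions before anyone opens them. The following is an added example, not part of the thread or of any vendor tool; the sample bytes are constructed, and the scan is a triage heuristic that cannot see names inside encrypted or non-Flate streams.

```python
import re
import zlib

# PDF names that carry script or trigger an action without user intent.
SUSPECT_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

_NAME = re.compile(rb"/[^\s\x00/<>\[\]()%{}]+")   # one PDF name token
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")   # '#61' means 'a' inside a name
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _inflated_streams(data):
    """Yield the contents of Flate-compressed streams (e.g. object streams)."""
    for match in _STREAM.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes left before 'endstream'
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # other filter, or encrypted: not visible to this scan


def scan_pdf(data):
    """Count suspect names in the object syntax and in inflated streams."""
    counts = dict.fromkeys(SUSPECT_NAMES, 0)
    # Drop raw stream bodies so random compressed bytes cannot look like names.
    chunks = [_STREAM.sub(b"", data), *_inflated_streams(data)]
    for chunk in chunks:
        for token in _NAME.findall(chunk):
            # Decode #xx escapes so '/J#61vaScript' is compared as '/JavaScript'.
            name = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)
            name = name.decode("latin-1")
            if name in counts:
                counts[name] += 1
    return counts


def has_active_content(data):
    """True if any suspect name appears at least once."""
    return any(scan_pdf(data).values())


# Constructed sample, not a real document: an auto-run action, a script
# action whose name is hex-escaped, and a compressed stream hiding /AA.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
    b"3 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /AA << /O 4 0 R >> >>")
    + b"\nendstream endobj\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE))
```

A non-zero count is a reason to open the file in a hardened or script-disabled viewer, not proof of malice; forms and some legitimate documents also use these names.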

Re:selling a product (1)

thsths (31372) | more than 4 years ago | (#30584314)

> I'm skeptical about any risk from flash. Flash apps run in a sandbox.

Flash apps should run in a sandbox - but the recent vulnerabilities are ways to break out of the sandbox.

Of course any plugin should run in a sandbox, but I think only Google Chrome actually does that. It may be a consequence of the Radioactive X disaster - just download and execute anything - which Microsoft introduced in the late 90s.

Preferred way to update Flash? (1)

Exp315 (851386) | more than 4 years ago | (#30584150)

So how do we keep Flash updated, assuming that Adobe tries to keep it patched? Is there a better way than going to Adobe's website and downloading a new version and installing it manually?

What Adobe needs is... (1)

mswhippingboy (754599) | more than 4 years ago | (#30584260)

  • Automatic code verification to stop nefarious ECMAScript code.
  • The script should run within a "sandbox" so it can't inflict damage on your system.
  • All memory should be allocated from within the Flash runtime so buffer overflows can't happen.

Oh wait... Java applets already do all this.. maybe we just need to dump flash!

I'll wait while the Java bashing commences. :)

If Adobe doesn't do cleanup, God help us (4, Interesting)

Ilgaz (86384) | more than 4 years ago | (#30584282)

Besides a couple of security issues that EXIST today, which are only fixed by disabling javascript in Adobe Reader and are scheduled to be fixed in 15 days, here are 2 examples of the culture that actually develops/packages the OS X version.

First, this is what you will see in your system.log, whatever browser you use:
[0x0-0x1f01f].com.operasoftware.Opera[157]: Debugger() was called

This is the current flash, released just weeks ago. This is a packaging issue which nobody other than a complete newbie would do. They forgot the damn debugger symbol in the final binary they ship to millions. I also heard if you are an unlucky developer who has XCode open at the time when you go to a site featuring Flash, that "call" may actually break your own application's tests or running "from there". Amazingly stupid eh? This has been reported to Adobe by many people, users like me, Developers getting hit, Browser vendors/developers (guess who users contact & blame when they see browser name?) and they keep that debug symbol, even ignoring the latest chance to get rid of it weeks ago.

Want to see more? Here is a bug reported for ages, years, since early OS X days. Disk permissions broken while installing Flash. This is some amazing thing which even Apple is constantly bugged about and one of the perfectly valid excuses of "permission repairer" people on OS X land. Of course, as Apple really secured the permission repair process meaning hundreds of thousands of files will be validated before "repair", it also means 20 mins of an insanely system loading process even on highest end machine. I actually had access to an octo xeon (8x xeon) machine with 16 GB of RAM and just fired up "repair permissions" just to see if it is affected by CPU/RAM specs. No, still 13 mins.

No need to paste 10s of lines mentioning very stupidly wrongly set permissions. Note that it is also Apple to blame a little, perhaps Adobe could care if they had a bug report coming from @apple.com having thousands of user feedback attached. If I know Apple enough, they must have reported it to Adobe several times since their bug reporter department even finds shareware vendors from web once they spot that their application causes the issue. So, chances are high that these pathetic idiots also ignore Apple Inc. themselves reporting issues, no matter how trivial they are.

So, Adobe needs to do debugger symbol, permissions cleanups or they must get rid of the idiots who forget a debugger symbol in a final product used by millions and can continue living their lives as nothing happened.

PS: Intego, Symantec... Do you read these stories? McAfee, do you read your own white papers? Is the code which will check the swf files on the fly up and running? Or are you still developing sigs for imaginary threats and impossible to run Word macros? Don't blame people when they call you snake oil seller if it is the case.

the REAL preferred target (0)

Anonymous Coward | more than 4 years ago | (#30584316)

Why don't they design the underlying Operating System to be immune to bugs in the applications? Or at least mitigate the effects and fail safely. What about applications deliberately designed to exploit some defect in the Operating System to give crooks access to your online banking information? Who is legally responsible if my online bank account gets hacked?

"'Cybercriminals have long picked on Microsoft products due to their popularity"

Really, I thought it was to do with the defective nature of the underlying Operating System, the one that was never designed with Internet security in mind [wikipedia.org].

Ironic... (1)

PNutts (199112) | more than 4 years ago | (#30584330)

...that the report identifying Flash and Reader as the top vectors for 2010 is released in PDF format? At the risk of shouting "get off my lawn", what happened to good old plain text? The margins and logos did not add to the content. If you need all that then you probably shouldn't have opened the PDF.

In other news.... (0, Offtopic)

awyeah (70462) | more than 4 years ago | (#30585024)

... 2010 is predicted to be the year of the Linux desktop.

get to work on gnash, then (1)

xiando (770382) | more than 4 years ago | (#30585094)

flash expl0its just don't work with the free software Gnash flash player. I even submitted a bug report regarding one of them (yes, actually, it's listed at savannah). If you know C/C++ then please help hacking gnash so we free software users don't miss out on getting robbed by the apparently evil "criminal hackers".

More ironic (1)

Nalez (556446) | more than 4 years ago | (#30585138)

What is even MORE ironic is the whitepapers page http://mcafee.com/us/threat_center/white_paper.html [mcafee.com] that links to the article saying that adobe reader is going to be an upcoming threat in 2010, ALSO links to adobe reader!

What's wrong with this idea? (0)

Anonymous Coward | more than 4 years ago | (#30585358)

Let's say you have two computers. One is meant for everything but web surfing (except e-mail, bank sites, anything "sensitive"), and the other is meant solely for web surfing.

The first one can have flash "un"installed. The second one would have flash installed, and would be a "play" computer, where you surf, do web research, etc., without worrying about trashing your machine because a simple reinstall will cure everything without data loss on said machine. It could even be frozen, if that is your thing.

Tell me, what would be wrong with this idea?
