Adobe Warns of Flash, PDF Zero-Day Attacks

Soulskill posted more than 4 years ago | from the who-even-uses-that-stuff-anyway dept.

Security 216

InfosecWarrior writes "Adobe issued an alert late Friday night to warn about zero-day attacks against an unpatched vulnerability in its Reader and Flash Player software products. The vulnerability, described as critical, affects Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems. It also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh, and Unix operating systems."


216 comments


Good thing ... (5, Funny)

Anonymous Coward | more than 4 years ago | (#32468768)

... my iPad isn't affected !

Re:Good thing ... (1)

hedwards (940851) | more than 4 years ago | (#32468774)

Um, neither is my FreeBSD box, you make it sound like that's a good thing. As long as the other platforms use Flash, you're just kinda left out in the cold.

Re:Good thing ... (4, Insightful)

ushering05401 (1086795) | more than 4 years ago | (#32468808)

It is a good thing when non-technical customers start saying they are sick of the trauma of using a dominant proprietary product. Whether or not that results in a willingness to embrace an alternative is a different matter, but it is a start.

Re:Good thing ... (1)

MrHanky (141717) | more than 4 years ago | (#32468916)

You would have a point if the same non-technical customers weren't happily tied to use iTunes.

Re:Good thing ... (1)

Vekseid (1528215) | more than 4 years ago | (#32468942)

Some of my non-technical clients are getting plenty fed up with iTunes. There is plenty of room for something better to come along.

Re:Good thing ... (1)

Darkness404 (1287218) | more than 4 years ago | (#32468994)

Not if you use an iPod or iPhone.

Re:Good thing ... (1, Insightful)

Culture20 (968837) | more than 4 years ago | (#32469004)

And my non-techy friends are buying android phones and saying they got a phone just like my iPhone. Apple failed to remain different.

Re:Good thing ... (0, Troll)

Darkness404 (1287218) | more than 4 years ago | (#32469020)

Oh Apple is still different just different as in "we're not going to give you what you want unless it's what we want".

Re:Good thing ... (1)

jo_ham (604554) | more than 4 years ago | (#32469102)

Shame they're stuck on 1.6.

*ducks*

Re:Good thing ... (0)

Anonymous Coward | more than 4 years ago | (#32469356)

Let them actually USE the iPhone and they'll know different. On paper and via spec sheets, everything "looks" to be the same, but, even at this point, Android just doesn't have the "fit and finish" of the iPhone OS.

Re:Good thing ... (0)

Anonymous Coward | more than 4 years ago | (#32469388)

It's close enough that honestly no-one but a picky, geeky, myopic, crazy would notice on day-to-day usage.

Re:Good thing ... (1)

Runaway1956 (1322357) | more than 4 years ago | (#32469224)

Did you just say "jailbreak"? My kid has an iPod that was jailbroken within 4 hours after he got it. (Not a new one - he bought a used one, just so he could jailbreak it. Wasn't worth the risk of bricking a NEW phone!)

Re:Good thing ... (1)

testadicazzo (567430) | more than 4 years ago | (#32469190)

No, he has a point whether or not the same non-tech customers are still tied to iTunes.

A step in the right direction is a step in the right direction. Maybe getting rid of all proprietary formats would be better, but an improvement is an improvement, whether or not there is more which could be improved.

Re:Good thing ... (5, Funny)

AnonymousClown (1788472) | more than 4 years ago | (#32468838)

As long as the other platforms use Flash, you're just kinda left out in the cold.

Pfft. There's plenty of porn on MP3 and WMV.

Re:Good thing ... (1, Funny)

Anonymous Coward | more than 4 years ago | (#32469604)

Pfft. There's plenty of porn on MP3 and WMV.

For the love of gawd folks, please provide citations.

Re:Good thing ... (0)

Anonymous Coward | more than 4 years ago | (#32469628)

Dude, look up humor in a dictionary. You'll find a screenshot of the Good thing... post

Re:Good thing ... (1, Flamebait)

Quixotic Raindrop (443129) | more than 4 years ago | (#32469782)

Wait, so ... Flash is buggy, and a security risk?!? WHO FREAKING KNEW?!? (oh, that's right. Steve Jobs did. Thank God.)

Flash for the iPhone WHEN??? (4, Funny)

swb (14022) | more than 4 years ago | (#32468776)

Figure it out, Steve. Every other platform is getting Flash, I want the same opportunity for malware exploits that other mobile platforms will be getting.

Re:Flash for the iPhone WHEN??? (1)

dazjorz (1312303) | more than 4 years ago | (#32468788)

I've heard some rumors that Steve himself is responsible for the exploit ;-)

Re:Flash for the iPhone WHEN??? (2, Funny)

davester666 (731373) | more than 4 years ago | (#32469134)

Steve Nash? I suppose, since the Suns are out of the playoffs and he's got a bit of free time...

Re:Flash for the iPhone WHEN??? (2, Funny)

hedwards (940851) | more than 4 years ago | (#32469408)

Nah, it's Steve Wonder, he's kind of pissed about being left out of this whole Flash thing.

Re:Flash for the iPhone WHEN??? (1)

cpghost (719344) | more than 4 years ago | (#32468822)

At least, we FreeBSD-ers aren't getting Flash... I guess we were lucky this time.

Re:Flash for the iPhone WHEN??? (3, Informative)

Conley Index (957833) | more than 4 years ago | (#32468938)

Why do you think, "we FreeBSD-ers aren't getting Flash"?

I do have (the Linux version of) Flash 10 installed on my FreeBSD 8 amd64 systems and running it in a native FreeBSD amd64 Firefox. (Of course, it is usually blocked by noscript and flashblock.) A few years ago that might have been difficult to get running, but now it is just ports.

If we really want Flash is another story...

Re:Flash for the iPhone WHEN??? (4, Informative)

WrongSizeGlass (838941) | more than 4 years ago | (#32469116)

Of course, it is usually blocked by noscript and flashblock.

This appears to be a SWF file being run by Adobe Reader or Acrobat. Browser based plugins aren't going to help when it's opened by a desktop application.

Re:Flash for the iPhone WHEN??? (1)

king neckbeard (1801738) | more than 4 years ago | (#32469362)

I doubt anyone using flashblock will use an Adobe PDF reader, and I don't think any other readers have implemented SWF playback

Re:Flash for the iPhone WHEN??? (1)

hedwards (940851) | more than 4 years ago | (#32469422)

I'm finding that gnash seems to fill my needs for things like Youtube, which let's face it is the only real reason why anybody wants flash apart from web games. And with Youtube's owners being interested in ditching flash, I'm not sure how much longer it will even be needed for that.

Look at the credits for Adobe Reader. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32468778)

Look at the credits for Adobe Reader. Notice that the names are almost all Indian.

If you've ever worked with software developed in India, you'll immediately understand why problems like this are so common with products like Reader and Flash.

Re:Look at the credits for Adobe Reader. (4, Insightful)

Bert64 (520050) | more than 4 years ago | (#32468868)

Problems like this are common because reader and flash are ubiquitous, flash because it has no viable alternatives and reader because most users don't realise that there are far superior pdf viewers out there (I've even seen people install reader on macs where a far superior pdf viewer comes by default)...

Re:Look at the credits for Adobe Reader. (5, Insightful)

rudy_wayne (414635) | more than 4 years ago | (#32468964)

Problems like this are common because reader and flash are ubiquitous,

No, problems like this are common because companies keep cramming more and more unnecessary crap into their software. From the article:

In the absence of a patch, Adobe recommends deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x. This will mitigate the threat but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

Why do you need "SWF content" in a PDF file? And then there was the story from a couple months ago about the ability to embed executable commands in a PDF file, and it isn't a flaw - it's a feature built into the PDF spec. Sloppy programming combined with more and more crap that doesn't belong, guarantees that these problems will keep showing up.
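The workaround quoted from the article in the comment above (renaming authplay.dll), written out as an added example; it is not part of the thread and not Adobe's own tooling. The install roots are passed in by the caller, and the `.disabled` suffix and the `build_demo_tree` layout are assumptions made for this example.

```python
"""Audit/apply the quoted workaround: take authplay.dll out of service by renaming it."""
import os
import sys
from pathlib import Path

TARGET_NAME = "authplay.dll"    # component named in the advisory text quoted above
DISABLED_SUFFIX = ".disabled"   # hypothetical suffix, chosen for this example


def find_component(roots, name=TARGET_NAME):
    """Walk each root and return (active, disabled) lists of matching files.

    Matching is case-insensitive because Windows file names are, while a
    copy of the tree may sit on a case-sensitive file system.
    """
    wanted = name.lower()
    active, disabled = [], []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for fname in filenames:
                lower = fname.lower()
                if lower == wanted:
                    active.append(Path(dirpath) / fname)
                elif lower == wanted + DISABLED_SUFFIX:
                    disabled.append(Path(dirpath) / fname)
    return sorted(active), sorted(disabled)


def apply_workaround(roots, dry_run=True):
    """Rename every active copy; report what was (or, in a dry run, would be) done.

    A repair install or update can drop a fresh DLL next to a copy that was
    already renamed, so an existing ".disabled" file is overwritten rather
    than taken as proof that the workaround is still in place.
    """
    active, disabled = find_component(roots)
    report = {"renamed": [], "failed": [], "already_disabled": []}
    for path in active:
        target = path.with_name(path.name + DISABLED_SUFFIX)
        try:
            if not dry_run:
                os.replace(path, target)   # overwrites a stale backup, also on Windows
            report["renamed"].append((path, target))
        except OSError as exc:             # e.g. the file is locked by a running Reader
            report["failed"].append((path, str(exc)))
    targets = {dst for _src, dst in report["renamed"]}
    report["already_disabled"] = [d for d in disabled if d not in targets]
    return report


def restore(roots, dry_run=True):
    """Undo the workaround once a fixed build is installed."""
    _active, disabled = find_component(roots)
    restored = []
    for path in disabled:
        original = path.with_name(path.name[: -len(DISABLED_SUFFIX)])
        if original.exists():
            continue                       # a newer active copy is present; keep it
        if not dry_run:
            os.replace(path, original)
        restored.append((path, original))
    return restored


def build_demo_tree(base):
    """Constructed sample layout for trying the functions; not a real install."""
    paths = [Path(base) / "Reader 9.0" / "Reader" / "authplay.dll",
             Path(base) / "Acrobat 9.0" / "Acrobat" / "AuthPlay.DLL"]
    for p in paths:
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder, not a real DLL")
    return paths


if __name__ == "__main__":
    # Usage: python authplay_workaround.py [--apply] ROOT [ROOT ...]
    args = sys.argv[1:]
    do_apply = "--apply" in args
    roots = [a for a in args if a != "--apply"]
    result = apply_workaround(roots, dry_run=not do_apply)
    for src, dst in result["renamed"]:
        print(("renamed " if do_apply else "would rename ") + f"{src} -> {dst}")
    for src, err in result["failed"]:
        print(f"FAILED {src}: {err}")
    for path in result["already_disabled"]:
        print(f"already disabled: {path}")
    sys.exit(1 if result["failed"] else 0)
```

Without `--apply` the script only reports; a non-zero exit status means at least one copy could not be renamed and is still active.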

Re:Look at the credits for Adobe Reader. (0)

Anonymous Coward | more than 4 years ago | (#32469198)

You don't need it, but some people want it, so everyone gets it.

They probably don't even need to use a PDF file at all.

Re:Look at the credits for Adobe Reader. (2, Insightful)

cusco (717999) | more than 4 years ago | (#32469428)

PDF has always seemed to me like a solution in search of a problem. There were plenty of better alternative formats available, both editable and non-editable. Then Adobe helped one of its former executives get elected to the Senate and the gov't suddenly decided that PDF was going to be official format of all government documents forever-and-ever-amen.

One of the first things that I do on my customers' servers (after asking permission, of course) is uninstall Acrobat. They're generally thankful that we're concerned about the security of their systems, and frequently unaware that Acrobat was even on the thing to start with.

Re:Look at the credits for Adobe Reader. (0)

Anonymous Coward | more than 4 years ago | (#32469214)

Problems like this are common because reader and flash are ubiquitous,

No, problems like this are common because companies keep cramming more and more unnecessary crap into their software. From the article:

In the absence of a patch, Adobe recommends deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x. This will mitigate the threat but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

Why do you need "SWF content" in a PDF file? And then there was the story from a couple months ago about the ability to embed executable commands in a PDF file, and it isn't a flaw - it's a feature built into the PDF spec. Sloppy programming combined with more and more crap that doesn't belong, guarantees that these problems will keep showing up.

Ironically, Adobe abandoned PostScript in favor of PDF because PostScript was executable and could be exploited by malicious people. That, speed (hard to understand if you compare PostScript documents with the PDFs of today), size (PDFs are usually larger than the same documents as a ps.bz2-file (or even ps.gz)) and searching in document (yeah, that's a laugh) was the reason I have heard for abandoning the beautiful, simple, very evolved and rock solid PostScript for the complicated kludge that is PDF. I think the real reason was that it is so simple to create good PostScript-tools that everybody can do it (and did), not just Adobe.

Re:Look at the credits for Adobe Reader. (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32468914)

Completely agree. Over the years I have developed a complete disdain for Indian developers. The majority of these guys have no idea what they are doing and have next to zero experience. I have learned to expect to be let down when working with a team of Indian developers as every project I've ever been on where work was out-sourced to India, the Indian team has failed to deliver an acceptable product, leaving us to pick up the pieces. I would rather work with college interns any day of the week - they at least care about doing their job well. Unfortunately, the management types can't see beyond the cost savings and don't understand the concept of 'you get what you pay for'.

Granted, there are certainly quality developers in India, but the majority of these guys are farmed by the dozen to be nothing more than coding monkeys and have next to zero talent.

Of course this is a troll comment because it's not PC, but it's an unfortunate truth in the IT world today. It just really pisses me off, so I had to rant...

Re:Look at the credits for Adobe Reader. (0)

Anonymous Coward | more than 4 years ago | (#32468968)

troll? Somebody doesn't like the truth. There are a lot of people in India. They produce a lot of high quality, top notch, computer scientists. But they also produce average, above average, and below average programmers. So a company outsources to India because they want to save money. Well, the outsource shop wants to make money, and that means getting cheap labor. Good quality Indian talent works for less than good quality American (or European or whatever) talent in the same way that low quality Indian talent works for less than good quality Indian talent. It's a fucking race to the bottom and Indian colleges are printing cs degrees like Ben Bernanke prints dollars.

Re:Look at the credits for Adobe Reader. (0)

Anonymous Coward | more than 4 years ago | (#32469470)

The saddest part of that downmod is that he's absolutely right. Just before uninstalling it and replacing it with Foxit, I checked the credits for Reader, and almost all of the names were clearly Indian.

Steve Jobs wins. (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32468782)

Steve wins, again.

The new Jobs equation (1)

m0s3m8n (1335861) | more than 4 years ago | (#32468800)

Blu-Ray = Flash = Bag of Hurt.

In other news... (1)

Bieeanda (961632) | more than 4 years ago | (#32468806)

...a patch will be released sometime in the Fall quarter.

Give us Flash on iStuff now! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32468828)

Woo! One more argument for having Flash on the iPad and iPhone.

Zero-day? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32468852)

Am I the only one sick of the "zero day" buzzword?

It's a vulnerability/security hole. Stop creating new 1337 buzzwords, please. It got old years ago and if I hear "zero day" one more time I'm going to go nuts and take a sniper rifle up to the top of a bell tower and start picking off wannabe technology journalists. (no, FBI and ATF I won't be doing that but I can dream of it!)

Re:Zero-day? (0)

Anonymous Coward | more than 4 years ago | (#32468910)

Fine.

Adobe Warns of Flash, PDF Negative-One-Day Pwnage

Re:Zero-day? (0)

Anonymous Coward | more than 4 years ago | (#32468920)

Am I the only one sick of the "zero day" buzzword?

Not nearly as sick of hearing about "software ecosystems." That one moved to the top of the jargon file of every Microsoft executive after BillG said it once.

Re:Zero-day? (2, Insightful)

Culture20 (968837) | more than 4 years ago | (#32468954)

Am I the only one sick of the "zero day" buzzword?

No, but I'm only annoyed when people misuse it. Zero-day [wikipedia.org] has a specific meaning that is an important distinction when talking about vulnerabilities and exploits. When I hear "Zero-day", my immediate response is: "Oh ^&@#$, who put in strange trouble tickets the last few days?" and "Yay, Overtime for out of cycle Microsoft/Adobe patching."

Re:Zero-day? (2, Interesting)

TheLink (130905) | more than 4 years ago | (#32469812)

Not sure if it's related to the announcement, but today when I opened a whole bunch of Yahoo Finance pages at a go, I got an "open/download p.pdf" prompt. By reflex I cancelled that (and I don't use Adobe for PDF stuff anyway), but it may mean that someone has managed to use popular servers to infect machines.

Perhaps I should have downloaded and tried analyzing it. Not sure where it actually comes from- yahoo may use 3rd party servers for caching, and nowadays stuff like facebook also gets involved etc.

Re:Zero-day? (5, Informative)

Alwin Henseler (640539) | more than 4 years ago | (#32468986)

Buzzword or not, "zero day" means a vulnerability that is already being exploited by the time it's published. If vulnerability is published but no exploit exists -> no zero day.

Regardless of what you think of reasons for using that "zero day" label, this is very relevant to end-users: zero day -> you're at risk, NOW. No zero day -> you're probably safe (for the time being, that is).

Re:Zero-day? (-1, Troll)

BitZtream (692029) | more than 4 years ago | (#32469128)

Wrong

Zero Day means freshly discovered exploit. Period.

It means brand new, not yesterday, just found today.

It started with zero day warez, which meant you could get them from IRC or the FTP site the day they were released, not later.

End users don't know shit about zero-day, it means nothing to them, as stated above it's nothing more than a scary buzzword that they don't understand.

Newbies like yourself need to not tell people where these words came from when you weren't around when they were created.

Re:Zero-day? (3, Informative)

Leebert (1694) | more than 4 years ago | (#32469210)

Not entirely correct, historically it meant an exploit that was discovered by the vendor by the fact that it was being exploited. Meaning, they had zero days to develop a patch.

So if, for example, someone reported this to Adobe previously, and Adobe hadn't fixed it yet, then it isn't a zero day exploit. If Adobe only found out about the vulnerability because people were exploiting it, it was a zero day vulnerability.

Which might be what you were saying, but it didn't come out unambiguously that way. :)

Re:Zero-day? (0)

Anonymous Coward | more than 4 years ago | (#32469256)

Wrong.

Zero day means the exploit was fully disclosed to the public without giving the vendor a grace period to release a fix.

Warez kiddies like yourself need to stop acting like you know everything just because you can use FTP.

Re:Zero-day? (0)

Anonymous Coward | more than 4 years ago | (#32469454)

You do understand there were 0 day warez releases before MS dos even existed right?

Re:Zero-day? (1)

Alwin Henseler (640539) | more than 4 years ago | (#32469278)

It means brand new, not yesterday, just found today.

I think you may be confusing 'found' with 'published'. Until a vulnerability (or an exploit using that vulnerability) is published, there's no way to know for sure it isn't being exploited. The only way to be sure, is if you are doing the exploiting, or you see yourself being exploited. Lacking that, you won't know if a vulnerability exists, and maybe it's being exploited somewhere below the radar. "Zero day" just means that 'being exploited' and 'published' have an overlap in the same 24-hour timeframe.

Re:Zero-day? (0)

Anonymous Coward | more than 4 years ago | (#32469310)

Zero Day means freshly discovered exploit. Period.

No, it means exploit freshly discovered by someone other than the software maker, and other than someone who only tells the software maker.

No need to be an asshole about correcting someone, especially when you're wrong to begin with.

Re:Zero-day? (0)

Anonymous Coward | more than 4 years ago | (#32469420)

you know you're getting old when w4ReZ puppies are old schoolers...and correct.

Re:Zero-day? (1, Informative)

Anonymous Coward | more than 4 years ago | (#32469726)

Wrong

Zero Day means freshly discovered exploit. Period.

It means brand new, not yesterday, just found today.

It started with zero day warez, which meant you could get them from IRC or the FTP site the day they were released, not later.

End users don't know shit about zero-day, it means nothing to them, as stated above it's nothing more than a scary buzzword that they don't understand.

Newbies like yourself need to not tell people where these words came from when you weren't around when they were created.

There's a reason the post you responded to is rated 5 Informative and yours isn't. Your comments are especially interesting because the author of that post has a lower ID than you do so I'm not sure I'd be so quick to make claims on "newbies" status.

With that said, there is a source that disagrees with you: http://en.wikipedia.org/wiki/Zero-day_exploit

And get off my lawn.

Re:Zero-day? (0, Troll)

guruevi (827432) | more than 4 years ago | (#32469132)

No zero day -> You're probably safe for the next 24 hours, less if you're on Windows.

Re:Zero-day? (1)

selven (1556643) | more than 4 years ago | (#32469204)

Zero day -> you're at risk, now.

No zero day -> well, we published the vulnerability, so it'll take 12-48 hours for someone to write and start using an exploit.

Re:Zero-day? (1)

cpghost (719344) | more than 4 years ago | (#32469410)

It got old years ago and if I hear "zero day" one more time I'm going to go nuts and take a sniper rifle up to the top of a bell tower and start picking off wannabe technology journalists.

Wouldn't that qualify as a "zero day" sniping attack?

Re:Zero-day? (1)

Lars T. (470328) | more than 4 years ago | (#32469862)

It got old years ago and if I hear "zero day" one more time I'm going to go nuts and take a sniper rifle up to the top of a bell tower and start picking off wannabe technology journalists.

Wouldn't that qualify as a "zero day" sniping attack?

No, the bulletin is already out before the attack. Well, if he's already climbing the stairs, we can talk about it...

Re:Zero-day? (1)

the_humeister (922869) | more than 4 years ago | (#32469520)

What I want to know (but neither the summary nor Adobe's announcement say) is how the exploit actually works. No details are given other than that the reader and flash are vulnerable.

Re:Zero-day? (1)

dave562 (969951) | more than 4 years ago | (#32469684)

I present the motion that from this moment, we substitute "fresh no day" for the term "zero day". It was good enough for warez kids so it will be good enough for security researchers.

64 bit Linux (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32468858)

I see the 64 bit Flash plugin for Linux has not been updated. Anyone heard of a timeline for this update?

Re:64 bit Linux (2, Insightful)

Sir_Lewk (967686) | more than 4 years ago | (#32469088)

I see the 64 bit Flash plugin for Linux has not been updated.

Does that really surprise you?

Re:64 bit Linux (0)

Anonymous Coward | more than 4 years ago | (#32469212)

To tell you the truth, yes. Why not update it?

Re:64 bit Linux (1)

king neckbeard (1801738) | more than 4 years ago | (#32469378)

Perhaps because it appears to be a half-assed gesture to make GNU/Linux users shut up about lack of 64-bit support.

Re:64 bit Linux (2, Informative)

0123456 (636235) | more than 4 years ago | (#32469636)

Perhaps because it appears to be a half-assed gesture to make GNU/Linux users shut up about lack of 64-bit support.

Unlike Windows where there is _no_ 64-bit support.

In any case, I just checked adobe.com and no version seems to have been updated yet.

Re:64 bit Linux (1)

king neckbeard (1801738) | more than 4 years ago | (#32469712)

Windows users don't expect 64-bit versions, and I don't think you can get Windows without the 32-bit libraries. GNU/Linux users may find the only thing holding them back from a completely 64-bit system is flash. Thus, they were the loudest voices complaining about the lack of 64-bit support. It seems odd, though, as I seem to recall parts of CS5 being 64-bit only.

Re:64 bit Linux (0)

Anonymous Coward | more than 4 years ago | (#32469618)

Given the processors being sold nowadays I'm really surprised that there are still people installing 32 OS on their 64 bit boxes.

This is why a universal platform is important (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32468886)

Imagine how hard it is to write malware. Having Flash and PDF available on all platforms reduces the amount of time necessary to infect people. Good work Adobe.

Current software is fundamentally broken (4, Insightful)

hackstraw (262471) | more than 4 years ago | (#32468888)

The closest platforms to getting it right are Apple and Linux distros. I say that because they provide a central software base and can push out updates all coming from one place. If you use something like Windows, you have to get updates from Microsoft, your hardware manufacturers and then your 3rd party software. AFAIK, Windows still does not come with a PDF viewer, and I think it's time for 3rd party plugins to completely disappear from web browsers. I've held the plugin belief for over 10 years.

Even if I say that Apple and Linux are better, they too are broken. And then there are 3rd party apps that continually want you to upgrade them before you run them. It's obnoxious. I can't think of any consumer or professional piece of equipment that needs such care and feeding. If my car has issues (yeah car analogy), then there is a recall. It's a big deal. I would never drive a car that says, "Before you start your car, there is an important safety update, do you want to install that update or blow it off?"

I guess I'm saying that now that internet access is available via cell technology and wifi and wired devices, and I don't know of anybody that uses a computer not connected to one of these things, that bandwidth needs to increase and "cloud" or computing as a service needs to become a reality. Sure, nobody trusts these big bad internet companies with their data besides the exceptions like online tax services, online banking, facebook and their ilk, ISPs with their logs and their email, ecommerce, and other random services. But maybe, just maybe in the near future there can be a stable computing platform.

Re:Current software is fundamentally broken (1)

CosaNostra Pizza Inc (1299163) | more than 4 years ago | (#32468926)

Maybe HTML5 is a step in the right direction. It would be nice to get rid of Adobe Flash, Silverlight, etc plugins that have security holes and make our browsers slow and bloated memory hogs.

Re:Current software is fundamentally broken (1)

Alwin Henseler (640539) | more than 4 years ago | (#32469174)

Using HTML5 to replace plugins like Flash will in itself do nothing to improve security: right now, those plugins are optional, and if you don't have them installed you have a 'simpler', mature, HTML4-capable browser left. When HTML5 becomes mainstream, that core part of browsers will be even more complex (HTML5 >> HTML4), with fewer optional parts. Or do you think browsers will have a 'disable HTML5 support' somewhere buried in their preferences? (for the sake of simplicity, I'm ignoring whatever HTML5 support may have been built into browsers already).

Which means (other variables unchanged) that the common, core part of popular browsers will be an even larger attack surface. How this would improve security, is beyond me. Of course the fact that 99% have plugins like Flash installed, and that HTML5 core part of browsers will likely be much better maintained & secured than some of those plugins, will help. But again: in itself it means nothing. And don't forget that adding HTML5 support to browsers, means a lot of new code in the first place. Which all needs to be debugged, tested & fixed over time.

So the only thing that really helps, is improving the quality of code that goes out the door in the 1st place. And reduce the amount of code that's needed for an average set of functionality. If HTML5 support in browsers helps us do that, I'm all for it. But don't mistake HTML5 for some kind of silver bullet.

Re:Current software is fundamentally broken (1)

filesiteguy (695431) | more than 4 years ago | (#32468966)

Well, IMO, that's not a valid assumption. Adobe pushes out updates all the time on my Wintendo machines. I've been online since last night with two Ubuntu machines and haven't gotten an update yet.

As for third party plugins going away, not bloody likely.

In fact, I'm writing this using Google Chrome browser, which is *supposed* to be a next-gen browser and will handle more plugins than even the ActiveX-ridden Internet Explorer.

Also, the web has moved so far away from HTML/JavaScript only that you are pretty much unable to browse most sites without flash, or some video player or various other plugins.

(By the way, I load PDF files in a separate viewer - Foxy Reader in Wintendo and Evince (which came with the distro) in Ubuntu.)

Re:Current software is fundamentally broken (1)

0123456 (636235) | more than 4 years ago | (#32469250)

Also, the web has moved so far away from HTML/JavaScript only that you are pretty much unable to browse most sites without flash, or some video player or various other plugins.

Strange: Flash is the only plugin I have installed and I have Flash and Javascript disabled on most sites... doesn't seem to be a problem.

Re:Current software is fundamentally broken (1)

filesiteguy (695431) | more than 4 years ago | (#32469320)

If you're on some very basic sites, that can be done. My home page does not require flash but does have some javascript elements.

This site is heavy with javascript.

Re:Current software is fundamentally broken (0, Offtopic)

larry bagina (561269) | more than 4 years ago | (#32469022)

Don't worry, Michael Crawford (aka Super Debugger aka Jonathan Swift aka Jesus h-Bar Christ aka hotcoder@gmail.com) will solve the software problem [softwareproblem.org]. Solve it? Yes. He's one of the best (if not the greatest) debuggers ever. He can find most bugs by merely reading the source code.

Software failure is not a technical problem but a human problem. Michael Crawford realized this and has developed the Crawfordian Psychoanalysis Manifesto [crawfordia...alysis.com] which will end the software problem once and for all. He will fix not just bugs in code but bugs in the mind

I am absolutely serious.

Re:Current software is fundamentally broken (1)

Like2Byte (542992) | more than 4 years ago | (#32469238)

Software failure is not a technical problem but a human problem. Michael Crawford realized this and has developed the Crawfordian Psychoanalysis Manifesto which will end the software problem once and for all. He will fix not just bugs in code but bugs in the mind

Look, until this manifesto is released in a PDF I'm not reading it.

Re:Current software is fundamentally broken (0)

Anonymous Coward | more than 4 years ago | (#32469062)

AFAIK, Windows still does not come with a PDF viewer, and I think it's time for 3rd party plugins to completely disappear from web browsers. I've held the plugin belief for over 10 years.

I would settle for an easy way to remove these plugins. You might think it should be easy in Firefox, but noooo.

If a third-party application installs a firefox plugin, I should be able to go Tools - Add-ons - Plugins and REMOVE the plugins.

But I can't do that, I can only mark them as "disabled", and they are easily re-enabled by other software. I WANT THESE PLUGINS GONE without having to hunt through directories to find & remove the files.

Re:Current software is fundamentally broken (1)

icebraining (1313345) | more than 4 years ago | (#32469122)

I would never drive a car that says, "Before you start your car, there is an important safety update, do you want to install that update or blow it off?"

Bullshit. It's called maintenance, and yes, cars do require it. In fact, it's much more onerous than clicking a few times and call it done - not to mention it's much cheaper.

I guess I'm saying that now that internet access is available via cell technology and wifi and wired devices, and I don't know of anybody that uses a computer not connected to one of these things, that bandwidth needs to increase and "cloud" or computing as a service needs to become a reality. Sure, nobody trusts these big bad internet companies with their data besides the exceptions like online tax services, online banking, facebook and their ilk, ISPs with their logs and their email, ecommerce, and other random services. But maybe, just maybe in the near future there can be a stable computing platform.

First, I trust third parties with *some* of my data, carefully selected. The "cloud" solution requires you to trust all your data.
Second, trusting everything in the cloud is nice because it never [pcworld.com] fails [computerweekly.com].

Re:Current software is fundamentally broken (1)

Captain Spam (66120) | more than 4 years ago | (#32469412)

[...] and I think it's time for 3rd party plugins to completely disappear from web browsers. I've held the plugin belief for over 10 years.

I certainly don't hold that belief. If not for third party plugins, we'd have to trust that all the major browsers would support any new, as-yet-unknown technologies as they come out, all on a timeframe that allows for people to test it and get used to it, else web browsers would stagnate pretty quickly, or we'd wind up with a walled garden of web technology, wherein only what the major browsers say goes into their browsers, first-party, goes in.

For example, PNG support was once just a third-party plugin. If nobody was able to use it, nobody would've even known it existed. It never would have taken off and become integrated into any modern browser nowadays, and we'd still be stuck with GIFs. SVG support, too. That was once just a third-party plugin (by Adobe, even). Would anyone have bothered to put that into web browsers if Flash could've done everything they needed back then? Who would've heard of it, or even cared about it?

Given the flexible nature of the web, we need some way to quickly extend the functionality of web browsers to keep up with it, else both get held back.

Re:Current software is fundamentally broken (0)

Anonymous Coward | more than 4 years ago | (#32469658)

AFAIK, Windows still does not come with a PDF viewer, and I think it's time for 3rd party plugins to completely disappear from web browsers. I've held the plugin belief for over 10 years.

Uh, yeah. Why don't you make a list of all the software that Microsoft should bundle with Windows and while you're at it forward that list to a lawyer to file anti-trust lawsuits on the behalf of their competitors.

While you're all busy doing that, I'll go make popcorn ! :D

Official Workaround (5, Insightful)

Mojo66 (1131579) | more than 4 years ago | (#32468948)

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

An initially rather secure document format (PDF) has become insecure because Adobe has added a plethora of mostly useless functions like Flash, JavaScript, etc. to it.
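
The rename workaround quoted in the comment above, as an added example that is not part of the original post or of Adobe's advisory. The search root and the `.disabled` suffix are assumptions; only the file name `authplay.dll` comes from the page.

```python
"""Find authplay.dll under a chosen root and rename it so it cannot be loaded."""
import os
import sys
import tempfile

TARGET = "authplay.dll"   # file name taken from the advisory text quoted above
SUFFIX = ".disabled"      # assumption: any suffix that stops the name matching


def find_authplay(root):
    """Return every path under root whose file name is authplay.dll (any case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() == TARGET)
    return sorted(hits)


def disable_authplay(root, dry_run=True):
    """Rename each hit to <name>.disabled and return (path, status) pairs."""
    results = []
    for path in find_authplay(root):
        new_path = path + SUFFIX
        if os.path.exists(new_path):
            # An earlier run left a renamed copy; do not overwrite it.
            results.append((path, "skipped: target exists"))
        elif dry_run:
            results.append((path, "would rename"))
        else:
            try:
                os.rename(path, new_path)
                results.append((path, "renamed"))
            except OSError as exc:  # e.g. file in use or insufficient rights
                results.append((path, f"failed: {exc.strerror}"))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real directory supplied: report only, change nothing.
        root, dry_run = sys.argv[1], True
    else:
        # Constructed sample tree, so the demo touches no real installation.
        root, dry_run = tempfile.mkdtemp(), False
        os.makedirs(os.path.join(root, "Reader"))
        open(os.path.join(root, "Reader", "AuthPlay.dll"), "w").close()
    for path, status in disable_authplay(root, dry_run=dry_run):
        print(status, path)
    print("still loadable:", find_authplay(root))
```

A second pass with `find_authplay` confirms no copy is left under the root; a later Reader or Acrobat update may put the file back, so the check is worth repeating after updates.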

Re:Official Workaround (1)

HazE_nMe (793041) | more than 4 years ago | (#32469042)

You can update to the RC of Flash [adobe.com] and just don't open PDF files from untrusted sources (as usual).

Re:Official Workaround (4, Insightful)

joe_frisch (1366229) | more than 4 years ago | (#32469280)

It seems unfortunate that to have secure code you need to use a pre-release version. There is a need for a secure, but not feature-rich document format - I don't need dancing bears.

Only reading documents from "trusted" sources doesn't work - those sources may have been compromised.

Call me dumb, but... (2, Interesting)

Rui Lopes (599077) | more than 4 years ago | (#32468974)

It also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems.

... how can the DLL affect osx & other unix OSes? And why does it ship on these OSes?

Re:Call me dumb, but... (0)

Anonymous Coward | more than 4 years ago | (#32469060)

In the end, a DLL is just x86 code that the application can load and execute. I can't imagine it being very hard to load the code on OSX/Linux which both run x86.
Wine does this already, and I wouldn't be surprised that there are uglier things at work in Acrobat...

Re:Call me dumb, but... (1)

marcosdumay (620877) | more than 4 years ago | (#32469568)

The DLL is part of Acrobat Reader. I've never seen a Linux that ships with Acrobat, but it is available for most of them (on some it is just a click away). Anyway, very few people use Acrobat on Linux; unless you are one of those few who went out of their way to install it, it is not an issue.

64-bit Linux (1)

macemoneta (154740) | more than 4 years ago | (#32468978)

If the fix is critical, why is the Linux 64-bit version still at the vulnerable level?

Re:64-bit Linux (2, Informative)

WrongSizeGlass (838941) | more than 4 years ago | (#32469324)

If the fix is critical, why is the Linux 64-bit version still at the vulnerable level?

No versions have been fixed yet so all versions are still vulnerable ... this includes Linux 64-bit.

Re:64-bit Linux (1)

macemoneta (154740) | more than 4 years ago | (#32469404)

The Flash Player 10.1 Release Candidate "does not appear to be vulnerable," the company said.

The Linux 64-bit version is still at the vulnerable level, and has not been brought up to the non-vulnerable level.

Re:64-bit Linux (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32469736)

We heard you the first time. Maybe you should *listen* when you read: It's not fixed yet. The 10.1 RC has not been released yet (that's the whole "release candidate" part of it). There is no patch for 10.0.x.x or 9.0.x.x yet so <insert platform & architecture here> is still vulnerable. Mmm-kay?

Sumatra PDF + Flashblock (0)

Anonymous Coward | more than 4 years ago | (#32469040)

Use Sumatra PDF instead of Adobe Reader.

Use Flashblock with Firefox. You can whitelist your daily sites as you use them. Furthermore you save CPU, heat, noise and money from the beginning.

Can't wait for HTML 5 and friends (JavaScript, WebM, Canvas, WebGL, ...) to kick Flash's ass.

It would also be nice to see people moving from PDF to ODF; I think it's technically viable (same features, zero cost, what am I missing?), besides the obvious gain in security and stability.

Oh christ, not again (1)

Nimey (114278) | more than 4 years ago | (#32469146)

It's job security for us computer janitors, but still fucking annoying that their security is so bad.

PDF files should not "execute" (4, Insightful)

bradley13 (1118935) | more than 4 years ago | (#32469228)

If Adobe had the brains of a hamster, it would prohibit executable content in PDF files. Anything fancier than a fill-in-the-blank form has no place in a document format. Business needs some sort of standardized format in which to exchange written documents electronically, and PDF has fulfilled this role until now (barring the dimwits who still send Word files around). Allowing PDF to include executable content is not only dumb - it will eventually destroy PDF as a trusted format.

Film at eleven (0)

king neckbeard (1801738) | more than 4 years ago | (#32469308)

How exactly is an Adobe exploit news? This happens all the time.

Saint Steve was right! (2, Funny)

lostsoulz (1631651) | more than 4 years ago | (#32469394)

Sent from my iPhone.

it's that you ? (0)

Anonymous Coward | more than 4 years ago | (#32469400)

Stevie

Show us the code Adobe (2, Insightful)

Alcoholist (160427) | more than 4 years ago | (#32469484)

Show us the code Adobe. We of the nerd community would have had that problem fixed for you long ago.

Whatever (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32469488)

Who gives a fuck and why did this make slashdot.

dominant standards vs dominant products (1)

moria (829831) | more than 4 years ago | (#32469778)

When an industrial standard is dominant with implementation from different vendors (think WWW, JPEG, ODF, XMPP and even PDF), there is interoperability and better security through diversity. When a single product dominates (think Flash, Windows), we bring "write once, play everywhere" to malicious code writers.