Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Adobe Warns of Critical Flash Bug, Already Being Exploited

timothy posted more than 3 years ago | from the dirty-captalists dept.

Security 244

Trailrunner7 writes "On the same day that it plans to release a patch for a critical flaw in Shockwave, Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader. The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac, and won't be patched for nearly two weeks. The new Flash bug came to light early Thursday when a researcher posted information about the problem, as well as a Trojan that is exploiting it and dropping a pair of malicious files on vulnerable PCs. Researcher Mila Parkour tested the bug and posted a screenshot of the malicious files that a Trojan exploiting the vulnerability drops during its infection routine. Adobe has since confirmed the vulnerability and said that it is aware of the attacks against Reader."

Sorry! There are no comments related to the filter you selected.

I need this on my iPhone (5, Insightful)

Anonymous Coward | more than 3 years ago | (#34057144)

I hope Apple and Adobe come to an agreement because I want to live on the edge too.

now... (-1)

Anonymous Coward | more than 3 years ago | (#34057148)

now you see why apple doesn't ship with flash anymore

Abode Is The Weakest Link (4, Interesting)

WrongSizeGlass (838941) | more than 3 years ago | (#34057150)

Adobe's Acrobat, Reader & Flash are the weakest security links on any PC. This isn't really news any more ... it's expected.

Re:Abode Is The Weakest Link (4, Insightful)

blair1q (305137) | more than 3 years ago | (#34057192)

Why the FUCK does a document display program have the ability to alter anything on my machine?

Re:Abode Is The Weakest Link (3, Insightful)

Anonymous Coward | more than 3 years ago | (#34057242)

Mostly because they have to keep the developers working and the shareholders thinking they are making progress toward more money. In reality Adobe is fast becoming a second rate company. I never thought that would happen ten years ago, but sure enough here we are.

Re:Abode Is The Weakest Link (-1)

blair1q (305137) | more than 3 years ago | (#34057334)

HTML5 video [youtube.com] is here.

Adobe has no further reason to exist.

Re:Abode Is The Weakest Link (0, Insightful)

Anonymous Coward | more than 3 years ago | (#34057418)

Photoshop is reason enough for Adobe to exist.

Anyone who thinks gimp is a replacement is full of shit.

Re:Abode Is The Weakest Link (0)

Anonymous Coward | more than 3 years ago | (#34057556)

You might say that the reason GIMP is inferior is _because_ Adobe exists. Without this competitor taking the vast majority of the market, more development effort would be put into GIMP as it would have a much larger user base.

Re:Abode Is The Weakest Link (0)

Anonymous Coward | more than 3 years ago | (#34057794)

You could say the same thing about electric vehicles. If no one had fossil fuel transportation, electric would look pretty good.

Re:Abode Is The Weakest Link (1)

drpimp (900837) | more than 3 years ago | (#34057578)

Especially with tools like this Sencha [sencha.com]

Re:Abode Is The Weakest Link (4, Insightful)

Dr Herbert West (1357769) | more than 3 years ago | (#34057778)

Sure-- HTML5 is rapidly becoming the platform of choice for interactive application development, with its stability, widespread browser support, and cross-browser compatibility to... wait, what?

OS makers not helping much either (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34057392)

Why the FUCK does a document display program have the ability to alter anything on my machine?

Not to let Adobe off the hook, but OS makers should make it easier for users to limit the abilities of vulnerable or dangerous programs.

Quick, how would you start Adobe Reader on Linux, OS X, and Windows such that it isn't allowed to write to files? How would you do the same for however your browser starts Flash? Could you easily step several users through this process?

Re:OS makers not helping much either (3, Informative)

GameboyRMH (1153867) | more than 3 years ago | (#34057602)

There are many approaches. Sandboxing is one, there's Sandboxie for Windows. On Linux you could use SELinux, or AppArmor which is much more user-friendly and is ultra-convenient on Ubuntu - profiles for Firefox (with Flash) and evince are installed by default and are updated automatically with the programs.

I don't know what the options are on OSX, since I have no possible use for the OS myself.

Re:OS makers not helping much either (1)

TD-Linux (1295697) | more than 3 years ago | (#34058288)

Why is AppArmor more user friendly? On Fedora, all the SELinux policies are automatically installed and updated. For non-Fedora apps, it also has a GUI that tells you when a program was blocked and has a button for you to grant permission to that program.

Re:OS makers not helping much either (1)

X0563511 (793323) | more than 3 years ago | (#34057674)

I'd be happy to run with MAC ACLs (eg SELinux), if developers would stop doing things that cause trouble, like text relocations [akkadia.org] .

Re:OS makers not helping much either (5, Interesting)

cbhacking (979169) | more than 3 years ago | (#34057984)

On Windows, you can force any program to run at Low IL (Integrity Level support requires Vista or above). Low IL processes, regardless of their nominal user permissions, can only write to Low IL folders. There are only a couple of these in the base install - %USERPROFILE%\AppData\Local\Low contains things like the Temporary Internet Files folder (IE runs at low IL by default).

Low IL processes also can't start other processes at higher integrity levels. If for some reason you need a higher level (the usual reason is saving files) you can have a "broker process" that runs at the standard level (Medium IL) and exposes some interprocedural communication to the Low IL process. Strictly speaking this opens a hole in your sandbox, but it's a lot easier to lock down that broker process since it's very special-purpose and has a very small attack surface. Also, the broker process can be used to present a warning to the user when it is invoked for anything potentially dangerous (IE's "Protected Mode" warning appears when the browser asks the broker process to start an external application).

It's not as customizable as AppArmor, but it's less complicated. Unfortunately, it also takes a little tweaking to find out how to set process or folder IL.

Re:Abode Is The Weakest Link (4, Insightful)

TheReaperD (937405) | more than 3 years ago | (#34057438)

Two words: Feature Creep

Re:Abode Is The Weakest Link (1)

LambdaWolf (1561517) | more than 3 years ago | (#34057800)

That, and good, old-fashioned buffer overruns and things of that sort.

Re:Abode Is The Weakest Link (3, Insightful)

ConceptJunkie (24823) | more than 3 years ago | (#34057900)

The sad thing is that it took Reader about 3 or 4 versions not to be complete crap and the moment it actually got good they started bloating it almost as much as Emacs, except with stuff that is neither cool and powerful nor useful to the vast majority of users.

What should be a simple lightweight document viewer now requires an installer a significant fraction of the size of an entire Windows installation from just a decade or so ago.

Re:Abode Is The Weakest Link (0)

Anonymous Coward | more than 3 years ago | (#34057482)

Because most users do not know that the first user set up out of the box is administrator and should only ever be used for maintenance.

Re:Abode Is The Weakest Link (1)

El_Oscuro (1022477) | more than 3 years ago | (#34058164)

How about Oracle? Some of their customers might be a little security conscious and may wish to prohibit programs like Flash on their networks. However, using their support [oracle.com] requires flash.

Re:Abode Is The Weakest Link (2, Interesting)

pinkishpunk (1461107) | more than 3 years ago | (#34057228)

one has to wonder this days if they even try to fixer their products. Given the rate this problems show up, it maybe they should start to think about starting from scratch with a bloatless reader. Wishful thinking I know, they have gotten everyone to use the bloat in one way or another :(

Re:Abode Is The Weakest Link (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34057414)

A link to working exploit [tinyurl.com]

Re:Abode Is The Weakest Link (1)

GameboyRMH (1153867) | more than 3 years ago | (#34057636)

Troll is a noob, link leads to goatse:

http://preview.tinyurl.com/7odu [tinyurl.com]

Elite trolls only please.

Re:Abode Is The Weakest Link (0)

Anonymous Coward | more than 3 years ago | (#34057352)

And comments pointing that out aren't very insightful, but pretty redundant as well.

Re:Abode Is The Weakest Link (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#34057446)

And stories pointing that out aren't very insightful, but pretty redundant as well.

FTFY

Re:Abode Is The Weakest Link (1)

the_humeister (922869) | more than 3 years ago | (#34058194)

My Flash version is 10.2.161.22 on 64-bit Linux. I'm guessing this isn't affected according to the article?

of course (1)

bhcompy (1877290) | more than 3 years ago | (#34057176)

And, of course, no where in the article or linked articles does it mention how you get it. Infected website? Particular websites(warez, etc)? What? Anyways. NoScript wins again, regardless.

Re:of course (2, Funny)

blair1q (305137) | more than 3 years ago | (#34057202)

It happens when you open PDF documents and Flash scripts. Duh.

Re:of course (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34057328)

Yeah. Can someone link me to a sample infected website plz? kthxbai

Sure, help yourself (0, Funny)

Anonymous Coward | more than 3 years ago | (#34057550)

this one [tinyurl.com]

Re:of course (1)

bhcompy (1877290) | more than 3 years ago | (#34057806)

Didn't GI Joe teach you anything? Knowing is half the battle, dude.

Too bad... (1)

lavagolemking (1352431) | more than 3 years ago | (#34057198)

How much you wanna bet we're going to have to wait for Adobe's next 90-day update cycle, since this was released right on the day of another patch?

Re:Too bad... (2, Informative)

Jahava (946858) | more than 3 years ago | (#34057316)

How much you wanna bet we're going to have to wait for Adobe's next 90-day update cycle, since this was released right on the day of another patch?

Looks like not. From the article:

Adobe security officials said they plan to patch the Flash bug on Nov. 9 and will release a fix for Reader and Acrobat during the week of Nov. 15.

Re:Too bad... (2, Informative)

WrongSizeGlass (838941) | more than 3 years ago | (#34057340)

This article says: [pcmag.com]

Adobe said that a Flash update is scheduled for (Patch) Tuesday, November 9. Updates for Acrobat and Reader are scheduled for the week of November 15.

Re:Too bad... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34057448)

3 months?

Last time it was even worse [tinyurl.com]

Re:Too bad... (0)

Anonymous Coward | more than 3 years ago | (#34057480)

Secunia pegs the release of the patch as November 9.

Re:Too bad... (1)

X0563511 (793323) | more than 3 years ago | (#34057696)

I love how you have to go back to using nsplugin-wrapper for 64-bit flash... if you want any updates. Fuckers.

Adobe sucks. (3, Interesting)

RocketRabbit (830691) | more than 3 years ago | (#34057200)

Isn't Flash supposedly sandboxed? And, what the hell is Flash doing in a PDF viewing utility?

I think it's about time to go from using Click2Flash to just deleting the Flash plugin completely.

Re:Adobe sucks. (4, Insightful)

zuperduperman (1206922) | more than 3 years ago | (#34057360)

Yeah, I was kind of shocked by that. I disable Flash by default everywhere but so far have let PDF plugins stay because I need them for a lot of things and hey, it's a freakin document format! Now I find out that Reader is linked to both executable Javascript AND Flash. And anybody sending me a simple PDF document could be exploiting holes in any of those. What a nightmare.

Re:Adobe sucks. (2, Informative)

X0563511 (793323) | more than 3 years ago | (#34057708)

The only reason to use Adobe to read PDFs these days if for PDF Forms...

Re:Adobe sucks. (1)

Y-Crate (540566) | more than 3 years ago | (#34058042)

Apple's Preview.app handles them nicely.

Re:Adobe sucks. (0)

Anonymous Coward | more than 3 years ago | (#34057982)

That's why I disabled JavaScript and loads of other "features" in Adobe Reader -- years ago, before exploits became common. They were an accident waiting to happen. In some cases I deleted the relevant plugins from Reader and this also improved the lackluster startup time. I mean, seriously, do I really need 3D graphics support in Reader? Isn't it bloated enough already? If I ever encounter a file that actually uses these features I might put some of the plugins back, but so far I haven't found most of them to be necessary at all.

Re:Adobe sucks. (1)

shutdown -p now (807394) | more than 3 years ago | (#34058068)

The problem with Flash isn't that it's "executable" - it's not where most of the exploits come from. The problem is that it's native code written in a memory-unsafe language, with, apparently, little attention to security. As such, it is susceptible to various forms of buffer overruns and other classic attacks which lead to injection of arbitrary native code into the process, and its subsequent execution.

Re:Adobe sucks. (2, Informative)

GreyLurk (35139) | more than 3 years ago | (#34058264)

Flash ActionScript isn't native code... It's VM'ed. If it was native code, it would at least run faster. Now, that doesn't stop someone from putting native code into a string, and pushing that string past an array boundary (which sounds like what this exploit is), but the AVM Bytecode itself isn't native code. The same sort of exploit was happening in Java just a few weeks ago, see CVE-2010-3552.

Re:Adobe sucks. (4, Funny)

WrongSizeGlass (838941) | more than 3 years ago | (#34057372)

Isn't Flash supposedly sandboxed? And, what the hell is Flash doing in a PDF viewing utility?

Sandboxed? More like litter boxed.

Re:Adobe sucks. (2, Informative)

DragonWriter (970822) | more than 3 years ago | (#34057688)

Isn't Flash supposedly sandboxed? And, what the hell is Flash doing in a PDF viewing utility?

Acrobat Reader is Adobe's general purpose client platform for content produced with Adobe Acrobat and related tools. That has been true, essentially, forever. Reading PDFs is, of course, an important part of that, but Acrobat hasn't been -- or been presented as -- just a "PDF viewing utility" for quite a long time, if it ever was.

How to prevent Reader from using Flash? (1)

Anonymous Coward | more than 3 years ago | (#34057218)

Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader.

How do I keep Adobe Reader from being able to use Flash?

Seems like this could prevent the exploit and greatly reduce the attack surface in general.

Re:How to prevent Reader from using Flash? (2, Insightful)

mirix (1649853) | more than 3 years ago | (#34057420)

Use one of the pdf readers that doesn't have adobe's holes and bloat.

I think there is a windows port of evince, and I used to use sumatra when I had windows boxen. I have a friend that likes foxit, but I've never used it myself. etc.

Re:How to prevent Reader from using Flash? (4, Informative)

GameboyRMH (1153867) | more than 3 years ago | (#34057712)

Huh didn't know there was a Windows port of evince. I'll have to look at replacing Foxit with that:

http://live.gnome.org/Evince/Downloads [gnome.org]

And an .MSI installer too! I'll have to talk with the other IT guys at work tomorrow...

Re:How to prevent Reader from using Flash? (1)

cbhacking (979169) | more than 3 years ago | (#34058002)

Foxit's security is pretty weak, but it's even less targeted than Apple's Preview (also very weak).

The KDE project has ported most of their desktop environment, including the PDF reader, to Windows. I mostly only use it for amoraK, but there's lots of good software in there.

Re:How to prevent Reader from using Flash? (1)

melikamp (631205) | more than 3 years ago | (#34057594)

Simple! Just uninstall the Reader.

Re:How to prevent Reader from using Flash? (0)

Anonymous Coward | more than 3 years ago | (#34057992)

Not at all simple in an enterprise environment.

Why two weeks to fix? (1)

John3 (85454) | more than 3 years ago | (#34057244)

Can someone please explain to me why it will take Adobe two weeks to get a patch out? It seems like it should be an "all hands on deck" project to get this fixed and distributed.

Re:Why two weeks to fix? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34057376)

I'd be more worried about the fact that majority of consumers don't update their Acrobat Reader on PCs. Clicking "Update Later" button has become something you get to click every time you reboot the computer.

Re:Why two weeks to fix? (1, Funny)

Anonymous Coward | more than 3 years ago | (#34057390)

There's another way to do it, which works right now, and will help protect against any future flash security holes. Type this into a terminal:

apt-get remove flashplugin-nonfree

Re:Why two weeks to fix? (1)

by (1706743) (1706744) | more than 3 years ago | (#34057954)

Type this into a terminal:
apt-get remove flashplugin-nonfree

So...you're logged in as root? I think I'll look elsewhere for security advice...

(I know, you can have it aliased to 'sudo apt-get', but I couldn't pass up an opportunity to be snarky.)

Re:Why two weeks to fix? (4, Insightful)

mean pun (717227) | more than 3 years ago | (#34057400)

Can someone please explain to me why it will take Adobe two weeks to get a patch out?

They need to come up with a reliable way to fix this, make absolutely sure it actually fixes the problem, and then make sure the patch doesn't cause crashes on any of the OS variants out there. Otherwise the chaos would be worse. Plus, you don't give a optimistic estimate right at the start.

(Look how Chile handled that for the mining disaster. They started with a safe estimate, and got praised for beating their own deadline. Imagine the reactions if they had been too optimistic in their original estimate.)

Re:Why two weeks to fix? (0)

Anonymous Coward | more than 3 years ago | (#34057544)

For the patch to cause crashes would be arguably less potentially destructive than the current situation.

Re:Why two weeks to fix? (4, Funny)

0123456 (636235) | more than 3 years ago | (#34057732)

They need to come up with a reliable way to fix this, make absolutely sure it actually fixes the problem, and then make sure the patch doesn't cause crashes on any of the OS variants out there. Otherwise the chaos would be worse.

Indeed: just imagine the riots in the streets if they accidentally broke Farmville. Having millions more PCs in botnets will be much less harmful.

In other news (4, Insightful)

Yvan256 (722131) | more than 3 years ago | (#34057252)

In other news, Steve Jobs now has even more arguments to push aside Flash and Shockwave.

Wait, Shockwave? That thing is still alive?

There's a safe alternative! (2, Interesting)

Anonymous Coward | more than 3 years ago | (#34057262)

The nice thing about html5 is that it's plaintext, and thereby can't be exploited - only the parsers can. And the nice thing of these parsers - which we also call Browsers - is that you can choose, and secure them yourself.

Bye Bye Flash
Html5, here we come!

-F

Re:There's a safe alternative! (0)

Darkness404 (1287218) | more than 3 years ago | (#34057298)

And the same thing could be said about Flash too.

Re:There's a safe alternative! (3, Informative)

Jahava (946858) | more than 3 years ago | (#34057408)

And the same thing could be said about Flash too.

There's little-to-no practical opportunity to choose a Flash implementation, and Flash is not open-source, so we cannot secure it ourselves. Nothing you said is true.

Re:There's a safe alternative! (0)

Darkness404 (1287218) | more than 3 years ago | (#34057512)

http://en.wikipedia.org/wiki/GNASH [wikipedia.org]

Go crazy.

Re:There's a safe alternative! (2, Insightful)

h4rr4r (612664) | more than 3 years ago | (#34057678)

Try using it first.
I say this as someone who constantly installs it to see progress and has pretty much lost hope. The recent lightspark thing would be neat if it supported hulu.

Re:There's a safe alternative! (1)

GreyLurk (35139) | more than 3 years ago | (#34058282)

The AVM Spec is publically available on Adobe's website... If you want to implement an open source alternate to Flash, you're more than welcome to. Heck, large swaths of the Flash codebase itself are actually open source, kinda like the OpenJDK stuff.

Re:There's a safe alternative! (2, Insightful)

maxwell demon (590494) | more than 3 years ago | (#34057394)

The nice thing about html5 is that it's plaintext, and thereby can't be exploited - only the parsers can.

JavaScript is a programming language. Just because the code is delivered in source form, it doesn't mean there cannot be security holes. And Flash exploits are actually Flash player exploits.
However, the following still remains true:

And the nice thing of these parsers - which we also call Browsers - is that you can choose, and secure them yourself.

Re:There's a safe alternative! (1)

tsm_sf (545316) | more than 3 years ago | (#34057828)

JavaScript is a programming language. Just because the code is delivered in source form, it doesn't mean there cannot be security holes.

You're not thinking literally enough. (and just go ahead and ignore my sig for this post)

Re:There's a safe alternative! (0)

Anonymous Coward | more than 3 years ago | (#34057886)

And the nice thing of these parsers - which we also call Browsers - is that you can choose, and secure them yourself.

Well, we can choose them, but most of us can't...and don't want to secure them ourselves.

Heck, I bet most people don't want to choose, they just click whatever somebody else tells them to click.

Re:There's a safe alternative! (1)

bunratty (545641) | more than 3 years ago | (#34057996)

Ah, that sweet, sweet sound of technobabble.

We are aware of the situation (1)

al3k (1638719) | more than 3 years ago | (#34057272)

...but just hold on for two weeks and we'll make it alllll better

We really need to sandbox all browser sessions (4, Insightful)

davidwr (791652) | more than 3 years ago | (#34057304)

Attention browser developers:

Start sandboxing the browser so that by default, plug-ins are sandboxed from each other and from instances of each other in other "sessions" and they are not allowed a persistent storage.

Any user-initiated visit to a web site would be a new session.

Unless the end-user overrode the settings, only highly trusted plugins would be allowed persistent local storage and cross-session communication, and one of the criteria of being "trusted" is that the browser validated the plugin against a list of known-clean plugins in the last few hours.

Basically, if you aren't trusted, you get a very limited view of the local computer and once you quit, you get amnesia.

Re:We really need to sandbox all browser sessions (3, Interesting)

0123456 (636235) | more than 3 years ago | (#34057510)

Attention browser developers:

Start sandboxing the browser so that by default, plug-ins are sandboxed from each other and from instances of each other in other "sessions" and they are not allowed a persistent storage.

Or run Linux and use an Apparmor wrapper to prevent Flash from doing anything bad if it's compromised.

On my systems it can't read much of anything, can't write to anything other than /tmp and its own config files, and web sites can't download flash turds to track me... all enforced by the kernel.

Re:We really need to sandbox all browser sessions (1)

shutdown -p now (807394) | more than 3 years ago | (#34058078)

How do you do that, given that it is loaded in the browser process - or did you put those restrictions on your entire browser?

Re:We really need to sandbox all browser sessions (1, Informative)

Anonymous Coward | more than 3 years ago | (#34057610)

Unless the end-user overrode the settings, only highly trusted plugins would be allowed persistent local storage and cross-session communication, and one of the criteria of being "trusted" is that the browser validated the plugin against a list of known-clean plugins in the last few hours.

Which would be great - except that the fucktarded conslutant crowd that brought us IE6-specific ActiveX plug-ins for "enterprise" software, has now migrated to Flash. Cloud/webapp type stuff are being used for things like HR, payroll, and other internal accounting processes, and as IE6 gets phased out, these vendor-lock-in apps are now increasingly becoming Flash-based. And since it's no longer as easy to control whether a user regularly deletes cookies, these bits of cubicleware all seem to require the use of LSOs. The more things change, the more they stay the same. *sigh*

Re:We really need to sandbox all browser sessions (0)

Anonymous Coward | more than 3 years ago | (#34058166)

You already can. In Chrome use the --safe-plugins switch. It will assuredly prevent this exploit (no more user privileges) but it will also break Flash on some websites -- which is why Google didn't default plugins to the sandbox like they did the browser & extensions.

Code Exploit Discovery Automation (1)

BoRegardless (721219) | more than 3 years ago | (#34057310)

After a decade of huge hacker security breakthroughs of systems, I wonder how long we have to go before automated code structure and testing gets good enough to be able to routinely find all the typical things that might represent a problem. Acrobat has been around so long it ought to be basically bullet-proof, but isn't. What gives here? I use a lot of Adobe applications and I personally want to see them get out of this problem.

Re:Code Exploit Discovery Automation (3, Interesting)

Statecraftsman (718862) | more than 3 years ago | (#34057686)

There's no correlation between age of a product and security. If anything the older the project and more nebulous the code base, the less likely anyone inside Adobe even understands it all. I use sumatrapdf and evince so I'm not affected personally but I think the only hope is either replacement or freeing the source code for the product. From a business perspective, Adobe will only go and fix bugs that become a big enough PR disaster that they can't ignore them. There would also need to be a viable alternative to their products.

Similarly to how Microsoft has had to acknowledge OpenOffice, at some point hopefully GIMP and Inkscape and other creative tools will cause Adobe to address their own issues. The software industry has a serious lack of competition and without free software that closely mimics commercial products, it's hard to imagine anything improving substantially in the near future.

My flashblock whitelist (1)

retaj (1020999) | more than 3 years ago | (#34057332)

is now clear.

Relevant? Bah (3, Interesting)

markdavis (642305) | more than 3 years ago | (#34057368)

>"The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac"

What horrible wording. One could read that to mean Linux is not a "relevant platform" in general, or that the vulnerability can't use the exploit to do anything to a Linux system or several other things.

From the article:

"A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh."

"Square" (10.2.x) plugins vulnerable, too, or not? (2, Interesting)

yuna49 (905461) | more than 3 years ago | (#34057488)

I'm running the 64-bit "preview" Linux plugin called "Square [adobe.com] ". Adobe reports,"You have version 10,2,161,23 installed" when I check by right-clicking on a video and choosing About. Does that mean I'm not vulnerable to this flaw?

Re:"Square" (10.2.x) plugins vulnerable, too, or n (1)

markdavis (642305) | more than 3 years ago | (#34057862)

Good question. Mine reports 10,2,161,22 installed (can't they figure out how to use decimal points?)

Square" (10.2.x) is vulnerable (3, Interesting)

WD (96061) | more than 3 years ago | (#34058238)

I've tested the latest 10.2 preview of Flash and it is vulnerable. The US-CERT vulnerability note has been updated to reflect this: http://www.kb.cert.org/vuls/id/298081 [cert.org]

Quick fixes for Maemo 5's MicroB (1)

GameboyRMH (1153867) | more than 3 years ago | (#34057876)

Attention N900 users:

If you don't want to totally disable your flash plugin, you can either install adflashblock-css for combined ad and flash blocking, or if you don't want to block ads, use my custom flashblock:

http://talk.maemo.org/showpost.php?p=625937&postcount=3 [maemo.org]

Two weeks (1)

Andy Smith (55346) | more than 3 years ago | (#34057416)

"won't be patched for nearly two weeks"

In 25 years of computing, the only virus I've ever had was due to an Adobe Reader exploit. So, thank you Adobe for hurrying to get this patch out urgently. I'm sure there is no conceivable way you could get it out in less than 2 weeks.

In the meantime I should remove Reader from my system.

Re:Two weeks (3, Interesting)

today (27810) | more than 3 years ago | (#34057576)

Just a guess, but removing authplay.dll might help mitigate the Reader portion of this exploit. I generally do that after every Reader upgrade because a similar vulnerability happened once before. Besides, who ever uses Flash inside a PDF document anyway?

Re:Two weeks (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#34057582)

Remove the plug-in.

Re:Two weeks (1)

GameboyRMH (1153867) | more than 3 years ago | (#34057942)

The only one that ever got me was an early flash drive autorun virus. I knew all about autorun, but thought double-clicking the drive in Explorer only ran it on CDs. Learned something that day.

Ironic (4, Funny)

Kazymyr (190114) | more than 3 years ago | (#34057580)

Am I the only one who finds it ironic that a web site that warns of a critical bug in the Flash player tries to install the Flash plugin?

(yes, I don't have Flash installed anywhere and so the linked web page demands to install it)

Re:Ironic (1)

Statecraftsman (718862) | more than 3 years ago | (#34057706)

The views expressed by the stories and comments submitted on this site do not necessarily reflect the opinions of Geeknet or its subsidiaries. Or something like that...

Understand Apple a bit better? (4, Insightful)

Caerdwyn (829058) | more than 3 years ago | (#34057648)

This is why Apple no longer ships Flash pre-installed, and why they do their own PDF readers. Regardless of any tiffs (or .TIFFs, har! see what I did there?) between Adobe and Apple, I'm sure that Adobe wants its products preinstalled in OSX. Even through its contentious history with Adobe, Apple has preinstalled Flash for many software releases now because it made business sense to do so. It no longer does.

Recent trends show that Adobe is the most readily-exploited software vendor (per US-CERT). Critical flaws are being discovered faster than operating system installer "golden images" can be put through the update-certification-release cycle. Any version of Flash or Acrobat/Reader that is incorporated into an OS golden image will almost certainly be vulnerable by the time a system with that OS installed reaches a customer. You're going to have to update the moment you're out-of-box, so why pre-install something you're going to have to patch anyway (assuming you patch at all)? And Apple can't autopatch it... their Software Update only updates Apple products (i.e. products which they actually have the legal right to patch).

And, of course, the headlines would (and do) read "Macs being exploited" instead of "Adobe being exploited". Apple doesn't want that, and is in a position to do something about it.

Do we perhaps understand why Apple does some of the things it does a little better now? Do we perhaps understand why Microsoft doesn't include Flash/Reader as part of its OS? Does Adobe need to get its goddamned act together before they start throwing rocks at OS vendors?

Re:Understand Apple a bit better? (4, Insightful)

edelbrp (62429) | more than 3 years ago | (#34057906)

And, thankfully, content providers still want their stuff to work on computing devices (like iPhones and iPads) that don't support Flash and so are providing non-Flash alternatives. That's not just good for Apple customers, but everybody in the long run.

Re:Understand Apple a bit better? (3, Informative)

cbhacking (979169) | more than 3 years ago | (#34058030)

You do realize that Apple's PDF reader is *WAY* less secure than Adobe's, right? We're talking 15x as many exploitable vulnerabilies across the same test set of fuzzed files. Adobe and their miserable security practices are a scourge the computing world, you hate their stuff, you remove it all from the computer.. OK, fine. You go with an alternative that has more than an order of magnitude worse security... wait, what?!?

Re:Understand Apple a bit better? (2, Funny)

SatanicPuppy (611928) | more than 3 years ago | (#34058254)

Apple does the things it does because Jobs isn't afraid of shit. It's not like other companies don't hate Adobe as well, but only Steve-o would be willing to drop his pants and scream "Suck my diiiiiick!" at Adobe.

And good on him. I don't think the web as a whole is ready to move off Adobe products, but Apple has a history of driving those sorts of migrations (floppy whats?) and advertisers and websites can't afford to ignore millions of iPhone/iPad owners, who are, by definition, possessed of more money than sense.

I'm getting tired of installing and removing flash (1)

mustard5 (962587) | more than 3 years ago | (#34057846)

OMG, I just reinstalled flashplugin-prerelease for 64bit, and I have to uninstall again. Bring on HTML5!!

Does the "Flashblock" plugin for Firefox help? (1)

HouseOfMisterE (659953) | more than 3 years ago | (#34057926)

Does the "Flashblock" plugin for Firefox help block this exploit? The only sites in my whitelist are YouTube, Amazon.com, and NewEgg.

Thanks Uncle Jobs! (4, Insightful)

krizoitz (1856864) | more than 3 years ago | (#34057934)

Every time I see a story like this (which is often) I thank Steve Jobs for no Flash on my iPhone along with all the wonderful people who develop the various Flash blockers for web browsers.

LOL (0)

Anonymous Coward | more than 3 years ago | (#34057950)

Two words: foxit reader.
Problem solved. People seriously still use adobe products? godamn
And FYI, I doubt Apple is SOOOO altruistic to the point where they don't include flash pre-installed anymore. Give me a break.

.. Great way to start the day. (0)

Anonymous Coward | more than 3 years ago | (#34057958)

Get to work today. Refresh security site firefox tabs. Coffee in hand, ready to see what internet evils I have to fight today.

Zero day.. Ok

Adobe.. No.. Please no..

Reader.. GOD FUCK DAMN IT

I really, really, really have a fine hatred for Adobe today. They make their products indispensable and then don't bother to secure them worth a damn. What I hate most about adobe security vuln notice is the time it takes for an actual fix.
"Yeah. We know there is an active exploit being spammed to your users as we speak.. We'll have a fix in a month. Yeah."

On top of that, their installers and auto update systems are complete and utter garbage. You don't even have a way of knowing what version of software you're downloading off their site. You just have to assume it's the latest.
They also seem to think that you've got time to run around to all 200pcs in your organization and either install it yourself, or use admin privileges to let the installer run.

You can, though, get .msi versions of the of the installers to push via active directory or other system management systems. Even this is a crapshoot. The installers are bugy and flash will often silently fail with no explanation. An adobe update might be a msp patch file. Might be a whole new release that installed. Sometimes getting a pushable version of the current version is an undocumented pileof msp patches you need to find yourself. On top of all that, hand editing the msi installer instructions in ORCA or similar is often needed to strip out the bloat you don't want. Adobe Air? Acrobat.com? Advertising links on the desktop? WTF Adobe

On behalf of computer users everywhere.

Adobe, clean up your fucking act.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?