
Slashdot: News for Nerds


Adobe To Push Emergency Fix For Flash Bug

samzenpus posted more than 3 years ago | from the hurry-up dept.

Security 78

Trailrunner7 writes "Adobe has moved up the release date for the patch for the critical bug in Adobe Flash Player revealed last week, and now plans to have an emergency fix ready on Thursday. The company still plans to patch Reader two weeks from now. The vulnerability in Flash also exists in Reader and researchers said last week that attackers had already begun exploiting the bug in Reader by the time that Adobe acknowledged the problem and published an advisory. At the time of the initial advisory, Adobe officials said they planned to release a patch for Flash on Nov. 9 and for Reader on Nov. 15."


78 comments

I have a question (0, Troll)

Anonymous Coward | more than 3 years ago | (#34114342)

What is the point of waiting to deploy these fixes? Do they need to age before they are palatable to the public?

Re:I have a question (4, Informative)

Codename Dutchess (1782238) | more than 3 years ago | (#34114360)

I would imagine that there is a certain amount of testing with any software patch that's released.

Re:I have a question (1)

blair1q (305137) | more than 3 years ago | (#34114458)

No doubt they have a "process" that includes running regression tests on release builds.

Also no doubt this process is completely inadequate for most needs and products, and exists only to serve a pro-forma certification process, meaning in this case they should have tested the feature they changed and released it, planning to update it on the original schedule if testing showed a regression problem. Because letting your users risk getting rooted is worse than letting them take a risk on a beta release.

But then you get IT droids whining that they have to push it to their herds twice.

Re:I have a question (3, Interesting)

mcgrew (92797) | more than 3 years ago | (#34114640)

Because letting your users risk getting rooted is worse than letting them take a risk on a beta release.

No, your security doesn't matter to them a bit. But a risky beta release can give them bad publicity.

Nobody gives a damn about your security but you. Especially not the proprietary software houses. FOSS, at least, uses their own systems, so they have a reason to worry about security.

Anyway, this doesn't affect me (yet) because I'm using a different PDF reader (came with the distro) and haven't been able to get Flash working at all.

Re:I have a question (1)

shentino (1139071) | more than 3 years ago | (#34120004)

If the beta is properly disclosed as such, and is given the standard pack of disclaimers and warnings against premature use, then what business does it have getting bad publicity?

Re:I have a question (1)

mcgrew (92797) | more than 3 years ago | (#34125328)

A beta can give an indication of what the final product will look like.

Re:I have a question (4, Insightful)

rgviza (1303161) | more than 3 years ago | (#34115558)

These are not the droids you're looking for.

On a serious note, why badmouth IT people just because adobe's products are broken?

Personally I'd be simply dumping flash and pdfs, at the proxy/email servers, til adobe fixes their software. Send out note to entire company: Due to extreme security risk in adobe's products we must block flash and pdf content in web pages and email until further notice.

It's against policy (written or unwritten) in a lot of shops to deploy beta software to users so intermediate patching wouldn't be kosher in a lot of places. It'd likely get you fired in a significant number of shops, especially in government, financial and medical industries where compliance with federal information security regulations is important.

It's usually not a preference for the IT "droid". At the beginning of my career (I'm a software engineer now), we just did what we were told to do by the boss after we informed him of a problem. I'm pretty sure it still works the same way, at least if you want to stay employed. I was actually in the software patching automation group. We deployed what we were told to. We could care less what it was we were shipping out as long as the package worked.

If we were handed an adobe update on tuesday, then another one on thursday, no one would have cared one iota that it was for the same product. We'd just push it out.

Re:I have a question (1)

sjonke (457707) | more than 3 years ago | (#34116590)

I presume that this vulnerability does not affect Preview on the Mac? Is that a correct assumption?

Re:I have a question (1)

the_womble (580291) | more than 3 years ago | (#34116956)

You have just illustrated why people badmouth IT.

Do you realise that a lot of information that people need to do their jobs comes as PDFs? Broker's research (especially when emailed to clients), regulations for particular industries, all kinds of other stuff.

Flash is not often critical, but I am sure there are examples out there.

You are doing what is easy rather than doing it right. Have you considered installing a different PDF reader? Even different Flash players (if what your users need will work with them)? What about providing a few kiosk machines that are regularly wiped (if nothing else works)? If it's going to take time to roll out solutions, have you thought about how to give priority to the people who needed it most?

Re:I have a question (0, Troll)

MichaelKristopeit132 (1934228) | more than 3 years ago | (#34114460)

it obviously depends on the nature of the patch... many would not require much testing at all... sometimes only a single execution.

Re:I have a question (3, Funny)

Yvan256 (722131) | more than 3 years ago | (#34114518)

Indeed. If patches carried the risk of having the programmers executed if it didn't go well, there would be no software bugs at all.

Re:I have a question (2, Insightful)

MichaelKristopeit132 (1934228) | more than 3 years ago | (#34114596)

there would be no software at all....

Re:I have a question (0, Redundant)

mcgrew (92797) | more than 3 years ago | (#34114654)

There wouldn't be much software, either.

Re:I have a question (4, Funny)

Swanktastic (109747) | more than 3 years ago | (#34115244)

It's well known that North Korea publishes the most secure Hello World program in the world.

Re:I have a question (1)

hesaigo999ca (786966) | more than 3 years ago | (#34116618)

Yep, I agree, there is no real liability or accountability in this field right now, except for the airlines, they also use in house development though....but all in all if we even came close to what the car or plane industry goes through to make sure no problems arise BEFORE selling the product, we also would have maybe 1/100th of the apps out there available to us....of which windows would not be part of, neither adobe products

Re:I have a question (2, Funny)

WrongSizeGlass (838941) | more than 3 years ago | (#34114462)

I would imagine that there is a certain amount of testing with any software patch that's released.

Exactly. They'd hate to introduce more bugs, security vulnerabilities, etc into their otherwise stable and secure product.

Re:I have a question (3, Insightful)

llung (1841162) | more than 3 years ago | (#34114552)

And that testing is only as good as what it does test for. Really good QA is tough stuff and unfortunately, that level of expertise is often undervalued. Adobe has been pushing out lots of updates as of late. Good that they're doing it; bad that it's so often.

Re:I have a question (2, Informative)

FranTaylor (164577) | more than 3 years ago | (#34114660)

It's good that they are doing it so often.

It must cost them a small fortune every time.

Hopefully someone there who signs checks is getting tired of it all and is pushing for changes.

Re:I have a question (3, Interesting)

afidel (530433) | more than 3 years ago | (#34115100)

They are, there's a new from the ground up design for reader/acrobat pro coming sometime Q4. It's been in the works for a while but obviously being a new codebase it's going to require a ton of testing, and it hooks into products they've never hooked to before (Office 2010 for one) and all of that functionality needs to be tested as well.

Re:I have a question (0)

Anonymous Coward | more than 3 years ago | (#34115974)

From the ground up.. hmm... I hope it is as good as Netscape 4!!!

Re:I have a question (1)

llung (1841162) | more than 3 years ago | (#34116680)

When I said "bad that it's so often" it's because it's a reflection of how many holes their software is riddled with. Yes, getting fixes out is a good thing. Not having any holes is even better. With Adobe, these days, it seems everything needs to be patched often.

Contradiction of terms (5, Funny)

Andy Smith (55346) | more than 3 years ago | (#34114514)

"revealed last week"
"emergency fix"
"Thursday"

Re:Contradiction of terms (3, Funny)

boarder8925 (714555) | more than 3 years ago | (#34114760)

Adobe never could get the hang of Thursdays.

Re:Contradiction of terms (1)

suomynonAyletamitlU (1618513) | more than 3 years ago | (#34114904)

So, they're late because time is an illusion? I'd hate to see how long their lunches last...

Re:Contradiction of terms (0)

Anonymous Coward | more than 3 years ago | (#34122074)

C U Next Thursday

Re:Contradiction of terms (4, Funny)

MrEricSir (398214) | more than 3 years ago | (#34114774)

"Hello, 911, what's your emergency?"
"I'm having a heart attack! Aaah, hurry!"
"Okay, we can have someone over there by Thursday."
"UUUGGGGYHH *thud*"

Re:Contradiction of terms (0)

Anonymous Coward | more than 3 years ago | (#34119010)

"revealed last week"
"emergency fix"
"Thursday"

"Flash"

Don't care... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34114558)

You are fucking stupid to have flash installed on any machine with ANY information in it.

It's been a giant gaping hole for every version all the way back...

The difference this time is they got bad press about it and had to do something.

Re:Don't care... (4, Insightful)

FranTaylor (164577) | more than 3 years ago | (#34114594)

You are fucking stupid to have flash installed on any machine with ANY information in it.

Yes those computers with no information stored in them would be much safer, if they could exist.

Re:Don't care... (1)

Yvan256 (722131) | more than 3 years ago | (#34114828)

This is another pet rock idea in the making...

"The Computer Rock! It never gets viruses, it never gets slower and when it crashes it's the one doing the damage!"

Re:Don't care... (0, Offtopic)

spleen_blender (949762) | more than 3 years ago | (#34114910)

I miss my tandy :(

Re:Don't care... (0, Offtopic)

Yvan256 (722131) | more than 3 years ago | (#34115214)

I have a Tandy 1000 RLX. With its 80286 processor, VGA video, IDE support and 1.44 MB floppy drive, it's the best, smallest Tandy 1000 to have while still being able to easily find legacy parts for it (monitor, hard drive, etc).

If you only run MS-DOS, replace the hard drive with the biggest supported Compact Flash card you can find. You can store all your old games on it and still have lots of room left.

Re:Don't care... (1)

rakuen (1230808) | more than 3 years ago | (#34115038)

In fact it would even get faster if you threw it.
*rimshot*

Re:Don't care... (0)

Anonymous Coward | more than 3 years ago | (#34115740)

This is another pet rock idea in the making...

"The Computer Rock! It never gets viruses, it never gets slower and when it crashes it's the one doing the damage!"

Hi, I'm a Mac!

Re:Don't care... (1)

lennier (44736) | more than 3 years ago | (#34117974)

This is another pet rock idea in the making..

The Commodore PET made a pretty good rock. If you could lift it.

LOAD "SPACE INVADERS",1

Re:Don't care... (1, Informative)

Anonymous Coward | more than 3 years ago | (#34115094)

Well if you really cared you could pass --safe-plugins to Chromium and sandbox Flash. It'll break some websites but YouTube works. Details: click [chromium.org] . Linux details: click [google.com] . On Linux the sandbox is using either chroot (SUID) or policies (AppArmor, SELinux, seccomp...).

Re:Don't care... (0)

Anonymous Coward | more than 3 years ago | (#34119646)

Why should i sandbox flash... When flash should BE a sandbox?

Re:Don't care... (0)

Anonymous Coward | more than 3 years ago | (#34120846)

Well technically it uses the same OS measures Adobe would be using. But you're right. The only reason to crudely sandbox Flash is if you need Flash, because Adobe can't be arsed to properly secure it themselves.

It is a complex system (3, Interesting)

Anonymous Coward | more than 3 years ago | (#34115374)

A disclaimer: I'm not in any way associated with Adobe but I do teach courses on Flash (among other subjects).

Flash is a much more complex system than many people realize. Lots of people (including lots of programmers) think of flash as only some small browser plugin that can be used for annoying banners and such. But really, flash is a large development environment (and rather interesting one at that). Object oriented programming language (ActionScript) is run in a full scale virtual machine (complete with garbage collectors and the like) and can be used to view multimedia, manipulate files... It is in many ways a lot like Java. Of course, there are also many people who think of annoying browser applets when they hear "Java" but I doubt I even need to explain why they're silly.

There are three reasons why Flash has all the negative reputation that it has:

1) The ugly history. For example, switch from AS2 to AS3 meant massive speed improvements (Adobe claims that Flash got ten times faster. I might not sign that number... But it got a LOT faster). However, though it happened several years ago, geeks are rather slow to change their stereotypes on this kind of issues. There have been a lot of other improvements like that so Flash is quite different from what it was a decade (or even half a decade) ago.

2) It is used in ugly ways. We all know how annoying it is when websites have a dozen different flash elements (especially if you have 10 tabs open)... But is an issue with webmasters using their tools to create poor sites, not with the tools themselves. It could reasonably be argued that Adobe should give end user more control to protect them from the dickish developers (easier mute, etc.) but I don't think that even that is a given. People who program in C can create applications that are impossible to mute (except at OS level). People who program in Java can create applications that are impossible to mute (except at OS level). We don't say "C sucks" or "Java sucks" because of that, we say "The developer was an idiot. I'll just close this application, then.".

3) It is too easy to create (crappy) applications. I think that Java also suffers (or, at least used to suffer) from this. It is easy to create something that seems like it works, even though it is a horrible mess in the background. So... There are a lot of people who could never produce anything in more demanding languages (like C++) but can create something in Flash. Because of that, many people who create flash applications don't have any background in software engineering, computer science, etc. and that is reflected in the end result.

I consider flash to be where Java was some years ago. A decent concept and a decent virtual machine, though the API is still somewhat messy and too many people still associate it with slow and annoying browser applications. It might well be that Flash will die soon but I also wouldn't be shocked if Adobe would manage to conquer new areas and we would see a second era of Flash.

Re:It is a complex system (1)

NapalmV (1934294) | more than 3 years ago | (#34116390)

"I consider flash to be where Java was some years ago. A decent concept and a decent virtual machine, though the API is still somewhat messy and too many people still associate it with slow and annoying browser applications."

And when exactly did Java become associated with fast and cool browser applications?

Re:It is a complex system (0)

Anonymous Coward | more than 3 years ago | (#34119516)

Yup. Slashdot also hates Apple, not because of the product, but because of the users. Flash is much the same thing - really nice in theory, but used and twisted in ways it should not have been meant to.

Re:Don't care... (1)

hairyfeet (841228) | more than 3 years ago | (#34116744)

Or you could just...this is a thought, just throwing it out there...use Foxit [foxitsoftware.com] with SandboxIE [sandboxie.com] and call it a day. Or if you would prefer even more protection run Comodo AV or Internet Security [comodo.com] and have EVERYTHING sandboxed. And that is of course if you are running on an older Windows, as Vista and 7 already do file and registry virtualization.

It really isn't hard to isolate programs anymore, or set up a machine so all but the most determined idiots can't hose it. I have my customers as well as my family on a combo of Comodo+Firefox with ABP+Foxit and frankly I can't remember the last time I had to clean a bug from one of those machines. Short of them ignoring the AV and saying "Yes, I'd like a bug, please install it!" they really have nothing to worry about. Just have everything set to autoupdate, along with an easy to setup program like Winutilities Free to automate registry and broken shortcut cleaning and defragging and the machine is as close to an appliance as one can get. It takes me less than a half hour and then I don't have to mess with it ever again.

So banning flash really is a case of chopping off your head to get rid of a headache. The users will scream bloody murder when their Farmville and videos don't work, and frankly it is unnecessary. You can even set up Filehippo update checker [filehippo.com] so all their third party programs are updated regularly as well. It really ain't hard AC.

Finally Safe (1, Funny)

Anonymous Coward | more than 3 years ago | (#34114630)

Let me guess. With this new fix, we will have the best, safest Flash ever.

Re:Finally Safe (1)

IllusionalForce (1830532) | more than 3 years ago | (#34123098)

Until next week, that is.

Is this what the exploit looks like? (1)

XLazarusX (534555) | more than 3 years ago | (#34114634)

I tried to look at a photo of someone who won a Governors office today via Google images. The site I landed on popped up the Firefox Flash update screen for a second, then asked to update Firefox from a .cc site, which I denied. Was I almost taken by this exploit, or am I being paranoid?

Re:Is this what the exploit looks like? (0)

Anonymous Coward | more than 3 years ago | (#34114750)

Upgrade to the latest version of Adobe Flash player to view THIS content, bitch. :: triggers exploit ::

Case against flash on mobile devices. (1)

RyuuzakiTetsuya (195424) | more than 3 years ago | (#34114648)

When are FroYo devices running 10.1 getting the update? When's HTC and Sprint, HTC and AT&T, HTC and TMobile and HTC and Verizon planning on doing an OTA? When's Motorola? Samsung? etc. etc. etc.

Re:Case against flash on mobile devices. (0)

Anonymous Coward | more than 3 years ago | (#34114692)

... or when is linux 64-bit?

Re:Case against flash on mobile devices. (1)

h4rr4r (612664) | more than 3 years ago | (#34114918)

No need for OTA for Carriers, it is in the market.

Third party plugins & apps (3, Insightful)

savvysteve (1915898) | more than 3 years ago | (#34114834)

In my experience outdated third party plugins like flash, reader and even java seem to be the way a lot of the attacks are happening lately. I watched a fake antivirus load to my PC after it somehow launched adobe reader about a year ago. An outbreak of fake antiviruses on machines revealed the same outdated version of java loaded on those machines. Sadly the end users affected normally were pretty good about their surfing habits even though the job required a lot of research work. It isn't just windows updates to worry about anymore.

Re:Third party plugins & apps (0)

Anonymous Coward | more than 3 years ago | (#34115344)

Not 'lately.' Something like 2000-2006 was targeting mainly browsers and occasionally plugins (esp. ActiveX), then 2006-2008 outdated or abandoned browsers (IE, esp. IE6), and 2009-current outdated browsers and largely plugins. IE8 essentially shifted the main focus away from browser exploitation and onto plugins. When plugins go, maybe we'll see a focus back on browsers again with better engineered exploits.

Re:Third party plugins & apps (1)

savvysteve (1915898) | more than 3 years ago | (#34123214)

Isn't this what I just said?

flash update (1)

fatbuckel (1714764) | more than 3 years ago | (#34114962)

just moved my entire network (243 computers) off of reader 9 to reader 8. Testing replacements now. F*ck Adobe.

Re:flash update (2, Insightful)

zonky (1153039) | more than 3 years ago | (#34115960)

What makes you think reader 8 is any better, security wise? It's just unsupported.

Re:flash update (0)

Anonymous Coward | more than 3 years ago | (#34116340)

Unsupported? Adobe Reader 8.2.5 and 9.4.0 were released on the same date.

I assume Reader 8 doesn't come bundled with a copy of flash as authplay.dll. That's why every adobe flash vulnerability tends to also affect adobe reader.

Re:flash update (1)

EXrider (756168) | more than 3 years ago | (#34116796)

just moved my entire network (243 computers) off of reader 9 to reader 8. Testing replacements now. F*ck Adobe.

Did you know that all you had to do was remove one DLL? I just rolled a logon script out to rename authplay.dll (the flash component of Reader) on every machine, problem mitigated. Unfortunately, most people here need the real Adobe reader, as we do a lot of graphics and print, so 3rd party replacements aren't an option yet.
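The mitigation described in the comment above, renaming authplay.dll so that Reader cannot load it, sketched as an added example (not the commenter's logon script and not Adobe tooling). The install root passed on the command line and the `.disabled` suffix are assumptions; the thread gives no install path.

```python
#!/usr/bin/env python3
"""Disable Reader's bundled Flash component by renaming authplay.dll.

Added illustration; not the logon script the commenter deployed.
"""
import os
import sys
from pathlib import Path

TARGET_NAME = "authplay.dll"    # component named in the thread
DISABLED_SUFFIX = ".disabled"   # assumption: any name Reader will not load


def find_active(root):
    """Return every file under root whose name is authplay.dll (any case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(Path(dirpath) / f for f in files if f.lower() == TARGET_NAME)
    return sorted(hits)


def disable_authplay(root, dry_run=False):
    """Rename each active copy; return a list of (path, status) tuples.

    Safe to run at every logon: a machine that is already mitigated yields
    an empty list, and a copy that reappears is renamed again.
    """
    results = []
    for src in find_active(root):
        dst = src.with_name(src.name + DISABLED_SUFFIX)
        if dry_run:
            results.append((str(src), "would-rename"))
            continue
        try:
            # os.replace also overwrites a stale .disabled file from an earlier run
            os.replace(src, dst)
            results.append((str(src), "renamed"))
        except OSError as exc:
            # e.g. the file is locked because Reader is open; report, do not abort
            results.append((str(src), "failed: %s" % exc.strerror))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: disable_authplay.py <reader-install-root> [--dry-run]")
    dry = "--dry-run" in sys.argv[2:]
    for path, status in disable_authplay(sys.argv[1], dry_run=dry):
        print("%s: %s" % (status, path))
    # Non-zero exit when a loadable copy remains, so deployment tooling can flag the host
    sys.exit(1 if (not dry and find_active(sys.argv[1])) else 0)
```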

Too late (1, Informative)

Anonymous Coward | more than 3 years ago | (#34115026)

I already replaced it with gnash and I am satisfied.

clipper chip (1)

samjam (256347) | more than 3 years ago | (#34115056)

This is why the NSA have stopped harping on about the clipper chip and other mandatory back doors.

They don't need 'em!

Makes me laugh about eulas in general:

"I the customer promise not to reverse engineer or copy this big security hole, and to let you disperse all my private data, and in return you promise that you may or may not abuse me in the aforementioned fashion, or permit such abuse by third, fourth and fifth parties."

Where's all the class action lawsuits?

Re:clipper chip (1)

bmo (77928) | more than 3 years ago | (#34115496)

From "Good Omens" by Terry Pratchett and Neil Gaiman:

Along with the standard computer warranty agreement which said that if the machine 1) didn't work, 2) didn't do what the expensive advertisements said, 3) electrocuted the immediate neighborhood, 4) and in fact failed entirely to be inside the expensive box when you opened it, this was expressly, absolutely, implicitly and in no event the fault or responsibility of the manufacturer, that the purchaser should consider himself lucky to be allowed to give his money to the manufacturer, and that any attempt to treat what had just been paid for as the purchaser's own property would result in the attentions of serious men with menacing briefcases and very thin watches. Crowley had been extremely impressed with the warranties offered by the computer industry, and had in fact sent a bundle Below to the department that drew up the Immortal Soul agreements, with a yellow memo form attached just saying: "Learn, guys..."

Learn from other industries, Adobe (1)

tibit (1762298) | more than 3 years ago | (#34115132)

I think the time is ripe to get on the bandwagon of safety-critical software development methodologies. It has been shown over and over that there is a bunch of code, in widespread use, whose failures cause extensive economical harm -- even if the harm to the individual is small, the collective expense is major and measured in USD billions. Flash Player and Reader fall into the category of software whose safety shortcomings cause extensive economical harm. Why are those developed using "standard" (read: cavalier) methodologies, I don't know. Flash Player and Adobe Reader should be developed at least to FAA software level C, ideally to level B. Or SIL3 per IEC61508. At least Adobe would directly feel how much it really costs to have feature bloat. No one adds features willy-nilly to SIL3 code.

Flash forces McAfee on you (4, Informative)

bubblegoose (473320) | more than 3 years ago | (#34115164)

The Flash updater annoyed me the last time I ran it. The last update I applied snuck some Mcafee software on to my machine.

The flash updater now has the checkbox checked by default for mcafee security scan plus, and they moved the checkbox so you don't notice it when you are glancing at the installer.

Re:Flash forces McAfee on you (2, Informative)

Anonymous Coward | more than 3 years ago | (#34115544)

Click to download, DONT accept their stupid "Download Assistant" and start clicking through the support pages...eventually you'll find the executables in the clear...

http://kb2.adobe.com/cps/855/cpsid_85599.html

Re:Flash forces McAfee on you (3, Informative)

Tynin (634655) | more than 3 years ago | (#34115572)

The Flash updater annoyed me the last time I ran it. The last update I applied snuck some Mcafee software on to my machine.

Thank you greatly for posting this. On my workstation I had an Adobe Flash Updater pop up on me in the last week or 2, I let it run and do its thing. So, the next day at work I noticed Mcafee Security Scan (or some such) on my computer, I thought it was strange and even double checked that the corporate mandated Symantec was still installed and running. I just chalked it up to some manager deciding to inflict the masses with another ill conceived GPO push. I meant to question our helpdesk about it, but I glossed over it by the next day.

They must have really snuck that checkbox in very well, I'm pretty diligent with my usual "is this software trying to push additional crapware on me" scan for checkboxes and didn't see it. I often expect them in pretty much everything these days (I'm looking at you Java), but I hadn't noticed the Flash Updater sneaking them in before.

Re:Flash forces McAfee on you (1)

ficuscr (1585141) | more than 3 years ago | (#34117812)

This also really ticked me off. Firefox did the update of flash last time it updated and at no time was I shown an opt in (pre-checked or otherwise) for that crap Mcafee product. The functionality provided by Acrobat Reader and Flash (more annoying ads?) are starting to not balance in terms of the exposure to vulnerabilities, crap bundled installs, and weekly updates.

Amen (2, Insightful)

ThatsNotPudding (1045640) | more than 3 years ago | (#34122746)

How is this even legal, given they are security updates? Plus, we now have to seek out the more obscure 'clean' update to prevent the Adobe Download Manager (DLM) from infecting our browsers. Adobe is really starting to feel like a virus.

Where do I click .. (2, Informative)

viralMeme (1461143) | more than 3 years ago | (#34115432)

Where do I click to get 'infected`, besides there is no authplay.dll on my computer.

"A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX" link [threatpost.com]

Shockwave Flash 10.1 on Ubuntu 10.10 ..

Re:Where do I click .. (1)

tokul (682258) | more than 3 years ago | (#34121230)

Where do I click to get 'infected`, besides there is no authplay.dll on my computer.
...
Shockwave Flash 10.1 on Ubuntu 10.10 ..

Your quote said that authplay.dll is in Acrobat Reader 9.4 for Windows. You may be vulnerable only to Flash part of this security report.

You don't have Shockwave Flash on your machine. You have only Flash. Adobe does not provide Shockwave packages for Linux. Current Shockwave version is 11.5 something.

Adobe = Steaming pile of dung (0)

Anonymous Coward | more than 3 years ago | (#34115566)

Flash has always been an appalling security nightmare. We have been seeing exploits for it for years now. Adobe simply can't be trusted to write 'hello, world!' without adding a pile of remotely exploitable holes.

At this point we should be seriously considering using silverlight and moonlight instead, that's how bad this adobe situation has become.

Do we need anymore reason... (0)

Anonymous Coward | more than 3 years ago | (#34115924)

To continue using Adobe's software?

"Speaking about Mr. Jobs's assertion that Adobe is the No. 1 cause of Mac crashes, Mr. Narayen says if Adobe crashes Apple, that actually has something 'to do with the Apple operating system.'" (WSJ: http://blogs.wsj.com/digits/2010/04/29/live-blogging-the-journals-interview-with-adobe-ceo/?mod=e2tw)

by that logic, it means

IF Flash and Reader have major vulnerabilities across ALL OS, Windows, Mac, Linux, Android, Symbian...
  Oh, well it must have something to do with the operating system

Re:Do we need anymore reason... (1)

Frnknstn (663642) | more than 3 years ago | (#34121326)

YHBT etc, but that is an interesting point. Your two examples are unrelated, but in a way Mr Narayen is right about crashes. If any application is able to 'crash' a whole computer, then the operating system has a problem. The OS should remain stable, regardless of what programs are executed. (Of course, the fact that an application is buggy means that it too is broken.)

Belated (3, Interesting)

HomelessInLaJolla (1026842) | more than 3 years ago | (#34116198)

Most of us who are knowledgeable about programmatic structure, syntax, idiosyncrasies, faults, and exploits advised Adobe, either formally and directly through communique or informally and indirectly through public message boards, to patch their vulnerabilities about fifteen years ago.

One ring to rule them all? Patch one bug and patch them all? For #$*@'s sakes... you people have more code-holes than Ivory [wikipedia.org] running 300 BAUD and a caller drop carrier with an immediate callback.

The only sane approach is to just assume (sane > CV_assume) that everything you do on modern day networks is compromised, intercepted, audited, and screened by someone with more money than you will ever even count.

Oh, for fuck's sake. Again? (1)

Nimey (114278) | more than 3 years ago | (#34116222)

KILL IT WITH FIRE.

Sticky? (1)

BitHive (578094) | more than 3 years ago | (#34116294)

Doesn't this story get posted every week? Why not just make it a permanent item on the /. home page?

Adobe (0)

Anonymous Coward | more than 3 years ago | (#34117262)

When did Adobe start to suck so badly? There was a time when I welcomed their products.

Speaking as a semi-casual user with several PCs, 75% of the snafu-fixing time I've put in over the last year has been linked to Adobe: virus attacks, zombie versions of Acrobat that won't uninstall, browser weirdnesses... Hours and hours. I am not happy.

I also find I can get along pretty well without Flash.

A Humble Request (1)

LifesABeach (234436) | more than 3 years ago | (#34117712)

Could the next patched version of Flash 10.x have a 64 bit Debug Version also? Thanks in advance.

When I upgrade Flash (0)

Anonymous Coward | more than 3 years ago | (#34119726)

STOP trying to trick me into downloading some crappy antivirus software (Sorry for yelling)

Also, I think I've found a bug in Slashcode:
1. As anonymous coward from work using Firefox 3.6, write a longish comment in ALL CAPS.
2. Slashdot will complain about this.
3. Then fix that comment.
4. You will not be able to type in the captcha.
5. When you submit/preview Slashdot will complain.
6. You will not be able to post unless you refresh the page.
7. ???
8. Profit.

Oh so you read an article & now know all about (0)

Anonymous Coward | more than 3 years ago | (#34153170)

The fact that anyone was caught by this is demonstrable proof that too many idiot managers and execs are making decisions about IT in corporate u.s. who should be nowhere near anything IT - no matter how many demos, articles, or courses they fumble through!!!!!!!!!!!!!!!!

ALL Adobe products create a glut of directories on installation, maintaining old copies of files that are never completely removed or over written. The chances for intentionally accessing any of these alternative files (vulnerable authplay for example) is elementary. Additionally, any examination into the continuous and pervasive vulnerabilities of Adobe products is a study reaching back into ancient history and clear testimony that adobe will not, can not, and does not want to fix the problems, that are at the heart of many of the adobe components.

  - June 2010 - same adobe components - critical vulnerabilities with methods for exploiting them publicly published.
  - June 2009 - exact same components - exact same situation.

What does it take to get people to realize these are pain in the az products that will see adobe fold before they even consider fixing them. Considering the price of adobe products and the number of unnecessary copies of the same components and various versions installed, you idiots should be demanding a heck of a lot more!!!, (oops sorry, if you had even the slightest clue.)

Given recent articles about the growing potentials for hardware viruses, possibly lying in wait for years to be activated on some trigger, one might easily extrapolate that the inside track is - that adobe is setting up, or being set up, to bring some parts of the world to its knees. It is nigh time for a responsible government to investigate the practices and path corporate america is irresponsibly, and perhaps intentionally, dragging the world.

Fools
