Adobe To Patch Flash 0-Day Friday

CmdrTaco posted more than 3 years ago | from the flash-in-the-pan dept.

Bug 113

Trailrunner7 writes "Adobe is planning to patch the recently disclosed Flash Player vulnerability on Friday — just four days after it was disclosed — for users on Windows, Mac OS X and Linux. The vulnerability is being used in targeted attacks right now that use malicious Word documents. Adobe said it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel, but Reader X users will have to wait till June for a fix."

They're planning to patch a 0-day? (2)

gazbo (517111) | more than 3 years ago | (#35818654)

Impressive.

Re:They're planning to patch a 0-day? (0)

Anonymous Coward | more than 3 years ago | (#35818756)

Apparently it was disclosed 2 days ago so it's not a 0 day, so it isn't impressive and if they gave a shit they could patch it today.

Re:They're planning to patch a 0-day? (1)

Culture20 (968837) | more than 3 years ago | (#35819186)

I know parent is a troll since everyone knows this, but as long as an exploit is made available before the developer knew (or disclosed they knew) about the vulnerability, the exploit is referred to until the end of time as a zero-day exploit. It successfully attacked 0 or more days before work on a patch started. George Washington didn't stop being the first President of the United States when he stepped out of office, he stopped being the current president.

Re:They're planning to patch a 0-day? (1)

syockit (1480393) | more than 3 years ago | (#35819252)

In /., you're supposed to give a car analogy, not a statesman, nor a politician.

Let's see.. if a car can't work even while its mileage is still zero, you call it, uh... what?

That shows how little I know of cars.

Re:They're planning to patch a 0-day? (1)

0xdeadbeef (28836) | more than 3 years ago | (#35820090)

No, it refers to a crack released on or before the day the game it targets is released. Script kiddies only use the term because they think warez d00ds are the coolest.

Re:They're planning to patch a 0-day? (4, Interesting)

Riceballsan (816702) | more than 3 years ago | (#35818802)

This may be one of the few times 0 day was actually used right. 0-day hits without warning, and it has to be patched after the fact, assuming of course there were no warnings by white hats beforehand that were ignored/covered up. That being said, as much as I hate Adobe and the ridiculous amounts of security flaws that actually allow these issues to occur, Seriously who the heck would want the ability to use flash in a word document, so they can print animations? That being said, 4 days is actually decent response time, compared to say Word itself that will probably have the patch for this itself in a few months.

Re:They're planning to patch a 0-day? (0)

phantomfive (622387) | more than 3 years ago | (#35819142)

No, look it up, you're wrong. Zero-day means the developer doesn't know about it. It's here. [wikipedia.org] This particular exploit has been known, by Adobe, for at least four days. Don't make the mistake of thinking because YOU don't know what the exploit is, it's still a zero day.

Re:They're planning to patch a 0-day? (1)

IB4Student (1885914) | more than 3 years ago | (#35819212)

so, that'd make it a 4-day? >__>

Re:They're planning to patch a 0-day? (0)

Anonymous Coward | more than 3 years ago | (#35819326)

Yes.

Re:They're planning to patch a 0-day? (2)

_0xd0ad (1974778) | more than 3 years ago | (#35819242)

No, zero-day means that the developer didn't know about it when the attack went live. They'll eventually discover the vulnerability and patch it, but that doesn't change the fact that it was a zero-day attack.

Re:They're planning to patch a 0-day? (1)

phantomfive (622387) | more than 3 years ago | (#35819432)

Zero-day attack = attack perpetrated using a zero-day vulnerability.
Zero-day vulnerability = vulnerability the developer doesn't know about.

Please read the summary again and realize which one we are talking about here.

Re:They're planning to patch a 0-day? (1)

_0xd0ad (1974778) | more than 3 years ago | (#35819456)

It doesn't change the fact that it was a zero-day vulnerability, either.

And Adobe themselves called it one:

During our response to any zero-day vulnerability, Adobe seeks to protect as many users as quickly as possible. As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing. Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism. Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris and Android (more than 60 platforms/configurations altogether) to ensure the fix works across all supported configurations. Typically, this process takes slightly longer and, in this case, is expected to complete on April 15 for Flash Player for Windows, Macintosh, Linux and Solaris

Re:They're planning to patch a 0-day? (1)

phantomfive (622387) | more than 3 years ago | (#35819540)

Please read that and tell me, do you think it was written by a PR agent, or by a security expert?

We know what a 0-day vulnerability is. Whether Adobe uses the term correctly or not is irrelevant to the discussion.

Re:They're planning to patch a 0-day? (3, Insightful)

_0xd0ad (1974778) | more than 3 years ago | (#35819600)

It was a zero-day vulnerability. The fact that it's no longer a zero-day vulnerability isn't nearly as important as the fact that it was one, since the very fact that we're discussing it means that it's no longer unknown.

If you want to be that pedantic, you might as well just throw out the term altogether, because as soon as you find out that a 0-day exists, it ceases to exist.

Re:They're planning to patch a 0-day? (0)

Anonymous Coward | more than 3 years ago | (#35820950)

You are very persistent at making incorrect statements. I'll explain what a zero day is again, and see if you can understand it.

A zero day exploit is one that the vendor doesn't know about. It doesn't mean it's unknown.

Make sense? If I know about it, and I am not the vendor, then it is still a zero-day. If you know about it, and you are not the vendor, it is still a zero-day. If a hacker knows about it, and the vendor doesn't, then to him/her it is a very useful zero-day. Once the vendor knows about it, it's day one.

Re:They're planning to patch a 0-day? (1)

_0xd0ad (1974778) | more than 3 years ago | (#35821208)

I understand that perfectly well. It means that it is unknown to the vendor. I was stating it from the point of view of the vendor of the product.

Re:They're planning to patch a 0-day? (1)

lennier (44736) | more than 3 years ago | (#35822538)

as soon as you find out that a 0-day exists, it ceases to exist.

The 0day that can be named is not the true 0day.

What is the sound of one buffer overflowing?

Re:They're planning to patch a 0-day? (1)

MozeeToby (1163751) | more than 3 years ago | (#35819260)

The attack was a zero day attack, Adobe didn't know the vulnerability existed until the attack was discovered. They are now patching said attack on day 4. Saying that Adobe is patching a zero day attack 4 days after it was discovered doesn't seem unreasonable to me.

Re:They're planning to patch a 0-day? (1)

phantomfive (622387) | more than 3 years ago | (#35819360)

Except it's no longer a 0 day once it is discovered. They are not patching a zero day vulnerability, they are patching a vulnerability that used to be a zero day and no longer is.

Re:They're planning to patch a 0-day? (1)

bunratty (545641) | more than 3 years ago | (#35819756)

Yes, Adobe will patch a vulnerability that was used in a 0-day attack. Or "Adobe To Patch Flash 0-day" for short.

I suppose when I ask if you know what time it is you'll say "Yes", then give me a lecture on how my question was improperly phrased if I'm not satisfied with your answer.

Re:They're planning to patch a 0-day? (1)

quenda (644621) | more than 3 years ago | (#35819332)

So it is actually a "minus four day" attack?

Re:They're planning to patch a 0-day? (0)

Anonymous Coward | more than 3 years ago | (#35820088)

Seriously who the heck would want the ability to use flash in a word document, so they can print animations?

PDF, the Portable Document Format, allows embedding of video and audio. Flash-in-DOC is a symptom of a larger problem.

Re:They're planning to patch a 0-day? (1)

arth1 (260657) | more than 3 years ago | (#35823496)

This may be one of the few times 0 day was actually used right.

Actually, no. It's a prime example of it being used wrong, as crisis maximization.

Zero day is a vulnerability before you discover it.
First-day is when you immediately put out a fix.
4 days after discovery, like this is, is three days after that and has nothing whatsoever to do with zeroth-day exploits.

And in "just" four days? (1)

SanityInAnarchy (655584) | more than 3 years ago | (#35819032)

I miss reading a Slashdot article about a 0-day (within hours of the actual vulnerability), then going to patch it and discover I'd already patched via my distro's repository.

Re:And in "just" four days? (0)

Anonymous Coward | more than 3 years ago | (#35819134)

You are not alone.

Re:And in "just" four days? (1)

froggymana (1896008) | more than 3 years ago | (#35822626)

My distro already has this one patched. It simply doesn't install it

Via Word ... (1)

WrongSizeGlass (838941) | more than 3 years ago | (#35818688)

This one comes in via Word. MS released a security update this week that installs an Office add-in that scans 2003, 2007 & 2010 Office docs for malicious code. Hopefully MS's efforts will prevent the next Adobe security hole.

Re:Via Word ... (2)

ledow (319597) | more than 3 years ago | (#35818784)

HOW MANY MORE TIMES?

Do NOT open a document that you're not expecting, that isn't from someone you know, etc. Yeah, you could say that this can be passed legitimately from person to person but come on - this is the first rule of virus protection - don't open documents without screening them (not via some magical software that "knows" if it's bad or not, but by using your brain) first.

The fact that you can even still GET a Word virus whether it executes in macros, integrated Flash or some other ActiveX-based crap, tells you that Microsoft just don't care any more.

Re:Via Word ... (0)

Anonymous Coward | more than 3 years ago | (#35819110)

Or open it using Google Docs*.

*Replace with your favorite cloud [sigh] office suite

Re:Via Word ... (1)

GameboyRMH (1153867) | more than 3 years ago | (#35821030)

What happens when you receive a document meant to produce a browser exploit when rendered by a web-based office application?

Hey, it could happen.

Reminds me of a virus from the novel Jennifer Government. A popular antivirus suite would gather info on any files it picked up with a heuristic scan and send that info to the server, which would then distribute virus definition updates to all the clients. The virus was meant only to be picked up by the heuristic scan, but it was made so that the resulting virus info would exploit the antivirus' virus definition handling. It would then wipe the disk of the host PC - which would be the server and all the clients.

It was also cross-platform (ran on Windows and *nix-based OSes)...I'm pretty sure that part's impossible IRL.

Re:Via Word ... (2)

Entropius (188861) | more than 3 years ago | (#35819676)

Why should I?

It's a fucking document. It's a series of bits which are converted into pixel values and shown on a screen, not code.

If you get your computer compromised by a document, then the only person whose fault it is is the one who wrote the document decoder (and/or the idiot who decided that documents should include embedded code, which is ridiculous).

You have your computer configured right now to accept documents that you're not expecting -- jpegs, all over the web. But you do this all the time, because you know that the folks who wrote your browser managed to not fuck up a jpeg decoder -- no matter what's in that file, the worst it can make you do is get in trouble with your boss.

Likewise, you feel, or you should feel, perfectly safe running vim on anything that comes your way, since going "vim virus.txt" is not going to do bad things to you, no matter what's in there -- because the people who wrote vim are not morons.

The same ought to be true for other document formats. Perhaps I am an old fuddy-duddy, but there is absolutely no reason that any responsible document format needs to contain executable code -- and if any document decoder mistakes data for code (via a buffer overrun or similar), then their ass is the one to blame.

Re:Via Word ... (0)

Anonymous Coward | more than 3 years ago | (#35820010)

"You have your computer configured right now to accept documents that you're not expecting -- jpegs, all over the web. But you do this all the time, because you know that the folks who wrote your browser managed to not fuck up a jpeg decoder -- no matter what's in that file, the worst it can make you do is get in trouble with your boss."

Actually, you don't really know that. Remember a few years ago the big scare when *any* file of *any* type once loaded onto a windows machine could unload a nasty attack hidden inside the file? Even a .txt file could have this issue. It wasn't an IE thing either, it was at the OS level, and for a period of about a week MS was trying to tell people for the love of all that is holy to stay off the internet until they patched the hole.

Re:Via Word ... (1)

mlingojones (919531) | more than 3 years ago | (#35820836)

But you do this all the time, because you know that the folks who wrote your browser managed to not fuck up a jpeg decoder -- no matter what's in that file, the worst it can make you do is get in trouble with your boss.

I can think of at least one way a JPEG can get you in bigger trouble than that. >_>

Re:Via Word ... (1)

aztracker1 (702135) | more than 3 years ago | (#35822438)

Well, I've experienced plenty of documents that pull in real-time data for a portion of the document... unfortunately Flash is commonly installed as a "safe for scripting" active-x plugin in windows... I prefer simple pdf viewers, and don't open unexpected attachments... I really would just prefer that there were two differing extensions for such "interactive" documents, opposed to read-only, no interaction...

Re:Via Word ... (1)

hairyfeet (841228) | more than 3 years ago | (#35822576)

You want to know why MS Office gets bit (and also why OO.o isn't gaining any traction)? Simple: businesses are hooked on Macros like crack, that's why. You'd be amazed at how many "mission critical apps" I've seen that were some horrible kludge of VB and Office Macros.

Hell why do you think VB6 was so damned hard for MSFT to kill? Because businesses had WAY too much shit running on it. Same thing with MS Office, as VBA is all over the damned place and anything they patch has to make sure it don't shit all over all those macros.

So I'd say the whole thing is a "be careful what you wish for" as businesses wanted something that even non coders could whip up basic office programs with and MSFT gave it to them. Well letting anybody and his dog run any code embedded in something else is a BAD IDEA, and then add to the fact that Adobe has added the kitchen sink into what was supposed to be a "Portable Document Format" and we have a serious SNAFU.

As much as I think sandboxes are band aids on bullet wounds maybe that's what we are gonna end up needing here: an automatic "drop your broke ass code here" sandbox that lets businesses keep their big kludge VBA nightmares and horribly written PDF bloatware while letting the rest of us just look at a PDF or open a word doc without the BS.

Re:Via Word ... (1)

lennier (44736) | more than 3 years ago | (#35822678)

A million times this.

What bugs me is that all the programmers who wrote these format decoders riddled with buffer overruns still have jobs. How can that be possible? Either they knew at the time that they were writing unsafe virus-holes - and went ahead anyway, thus committing gross negligence - or else, even worse, they had no way of telling if the code they were writing was safe or unsafe and yet went ahead and released it on a "who knows, what's the worst that could happen?" sort of policy.

Either way, it's bad.

If a civilisation which routinely tolerated the insane lack of safety that we tolerate in programming built, say, nuclear reactors, we'd expect to have them melt down the first time we got a magnitude 9 earthq -

oops.

Re:Via Word ... (1)

Riceballsan (816702) | more than 3 years ago | (#35819972)

Well as much as part of that is true, for the most part it is terrible advice. "Don't open anything given to you by people you don't know" is solid advice, but it is half the time interpreted as something is safe if it is from someone you know and trust. Viruses don't work that way, most infections I run into these days were given to the person by their grandmothers who wouldn't hurt a fly. Second part is unexpected, this is also true, getting "hahafunny.doc" out of the blue is almost a guaranteed virus, but opening your boss's quarterly financial is also a risk if there is even a possibility he has used it on a compromised machine and the virus rather than forcing the computer to spread it out, just implants itself into everything silently.

Re:Via Word ... (1)

rssrss (686344) | more than 3 years ago | (#35820100)

"Microsoft just don't care any more."

I did not think Microsoft ever cared about anything other than Microsoft's profits.

Re:Via Word ... (1)

ackthpt (218170) | more than 3 years ago | (#35819174)

This one comes in via Word. MS released a security update this week that installs an Office add-in that scans 2003, 2007 & 2010 Office docs for malicious code. Hopefully MS's efforts will prevent the next Adobe security hole.

I've always assumed Word Processor was not the same as Compiler or Interpreter. Shows just what a marvelous world it is when your Word documents aren't even documents at all, but full environments of their own.

Generally THIS is why I don't use Word at home - I use a Word Processor which is a Word Processor and nothing more.

Re:Via Word ... (1)

softWare3ngineer (2007302) | more than 3 years ago | (#35819284)

Long live gedit. Also, on the plus side, it is a simpler tool that makes you focus on the content of what you are writing.

Re:Via Word ... (1)

ColdWetDog (752185) | more than 3 years ago | (#35819424)

Generally THIS is why I don't use Word at home - I use a Word Processor which is a Word Processor and nothing more.

Emacs users all over the world spit in scorn at your shameful statement.

Re:Via Word ... (1)

Entropius (188861) | more than 3 years ago | (#35819678)

Unsophisticated people use hundred-megabyte software packages to prepare documents.

Sophisticated people use vim and latex.

Re:Via Word ... (0)

Anonymous Coward | more than 3 years ago | (#35820154)

Or even leather, nylon and spikes.

Re:Via Word ... (1)

s122604 (1018036) | more than 3 years ago | (#35819414)

Does it come in via word, or via a word document? i.e. if I opened up a malicious .doc/.docx in Open Office, would I be affected?

I've been modded down to troll for asking these kinds of questions before. I'm really just curious, I ask with all humility, grace, and supplication...

Re:Via Word ... (1)

WrongSizeGlass (838941) | more than 3 years ago | (#35819794)

Does it come in via word, or via a word document? i.e. if I opened up a malicious .doc/.docx in Open Office, would I be affected?

From Adobe's security bulletin: [adobe.com]

There are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page or a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform.

I don't know if OO will try to use the .swf payload inside the Word document.

Re:Via Word ... (1)

gstoddart (321705) | more than 3 years ago | (#35820238)

I continue to be stunned by the fact that Word will attempt to launch an embedded Flash object ... I'm completely baffled by the fact that you can put a .swf file at all. Why the hell would you need that?

It's no wonder we get so many *(&$^& viruses when word-processors attempt to launch embedded executable files without asking or anything.

To me that sounds like the security equivalent of picking up used syringes off the ground and sticking them into your arm to see what's in them.

I mean, WTF? Does Microsoft just sit around and try to identify new sources of arbitrary code they can execute?

This is one of the reasons I don't install Flash on my machines.

Re:Via Word ... (1)

lennier (44736) | more than 3 years ago | (#35822732)

I continue to be stunned by the fact that Word will attempt to launch an embedded Flash object ... I'm completely baffled by the fact that you can put a .swf file at all. Why the hell would you need that?

And what happens if you print that?

Do you get a Youtube movie at 60 pages per second coming out of your laser printer?

Re:Via Word ... (1)

Billly Gates (198444) | more than 3 years ago | (#35823348)

I am not a hacker in this area but the word .doc format is specifically designed as an executable. The reason why is to make it harder for people to leave the MS ecosystem and switch to competing products. Also it is there to give Visual Basic an edge.

Virus makers love this as their code can hide in a perfect container. OpenXML which is now used is far superior because nothing is hidden but it also supports legacy binary blobs of executable code.

Keep polishing that turd Adobe (3, Funny)

Anonymous Coward | more than 3 years ago | (#35818770)

At least my iPad is still safe.

Re:Keep polishing that turd Adobe (0)

Anonymous Coward | more than 3 years ago | (#35819076)

You mean like a golden cage is still "safe" from some food that happens to be a turd? :P …but also from all other food.

Re:Keep polishing that turd Adobe (0)

Anonymous Coward | more than 3 years ago | (#35819366)

You mean like a golden cage is still "safe" from some food that happens to be a turd? :P …but also from all other food.

And yet its residents are fat and happy. Whoda thunk?

Re:Keep polishing that turd Adobe (1)

ph0rk (118461) | more than 3 years ago | (#35820290)

The important thing about the gilded cage is, in some cases, the gilt. Not the bars.

Re:Keep polishing that turd Adobe (2, Informative)

Tackhead (54550) | more than 3 years ago | (#35819860)

At least my iPad is still safe.

Not necessarily. Even without Flash support, those things are huge vectors for earworms.

7 am, waking up in the morning
Zero-day fresh, gotta get my warez,
Gotta sign my key, gotta have serials
Crackin' everything, the time is goin'
Tickin' on and on, everybody's codin'
Gotta log on to the Slash - dot
Gotta slash my dot, I click Refresh...

PDF for printouts,
Flash is for online,
Gotta make my mind up,
Which code did they break?

It's Friday, Friday
Zero-day on Friday,
Sysadmin's lookin' forward to the weekend, weekend,
Friday, Friday,
Patch it up by Friday,
Sysadmin's lookin' forward to the week-end.

Updatin', updatin' (Huh?)
Integration testin' (Damn!)
Fuck, fuck, fuck, fuck,
Adobe's blown another weekend...

(We-we-we so excited...)

Re:Keep polishing that turd Adobe (0)

Anonymous Coward | more than 3 years ago | (#35820670)

Sure but at this point an iPad is still just a great SECONDARY computing device. Gloat all you want but there's still a lot of Flash-based content online out there that you miss out on unless you also have something like just a basic computer. Flash was great for what it was originally developed for, then it was dragged into becoming a multimedia tool beyond its means. It's very, very hard to defend Adobe but Flash works in a relative sense -- playing online Flash games on the Internet as it was ten years ago was fun, but things just aren't the same and Flash has been pushed beyond its means. Until HTML5 catches on more Flash is more or less the standard we're stuck with. Anyone who is seriously into computing and can say they can live with just an iPad is lying, or in the case of some people like at TWIT, they have a shitload of staffers with real computers backing them.

Re:Keep polishing that turd Adobe (1)

GameboyRMH (1153867) | more than 3 years ago | (#35821466)

Just as a Power Wheels truck is safe from a high-speed crash.

Linux? (1)

Lunaritian (2018246) | more than 3 years ago | (#35818792)

If the malware is distributed with Word docs, then how can it infect Linux? Does it work with Open/LibreOffice too?

Re:Linux? (3, Informative)

machxor (1226486) | more than 3 years ago | (#35818868)

The vulnerability exists in Flash Player not Microsoft Word. A Word document is simply the package being used to distribute the payload.

Re:Linux? (0)

Anonymous Coward | more than 3 years ago | (#35819664)

Support for putting Flash into or referring to Flash from within a Word document would seem to be the fundamental problem: regardless of the details of this flaw, why in HELL enable that? It shouldn't even be possible. Disable it. Permanently.

Re:Linux? (1)

Abstrackt (609015) | more than 3 years ago | (#35818880)

Neither TFA nor TFS say it infects Linux, though it sure reads like that at first, it actually says a patch will be available for Windows, MacOS X and Linux. It's probably minimal effort to plug the hole in all of them at once.

Re:Linux? (0)

Anonymous Coward | more than 3 years ago | (#35818964)

I do not think anyone really cares if Linux is safe or not. It is obvious that you're a Linux fan boy and just trying to start stuff so I will just leave it at that. Linux is good for some tasks like servers but not for ease of use in other areas.

Re:Linux? (0)

Anonymous Coward | more than 3 years ago | (#35819262)

"I do not think anyone really cares if Linux is safe or not."

Just cause you don't care doesn't mean there's not others that do.

If we are to believe 1% - 2% of desktops are using Linux then that's still an awful lot of people out there using it, whether you like it or not.

Linux 64 bit (0)

Anonymous Coward | more than 3 years ago | (#35818798)

Of course there is not going to be a patch for 64 bit Linux. How silly to run a 64 bit Operating System in 2011. Proprietary software at its best. Fuck you Adobe.

Re:Linux 64 bit (1)

ObsessiveMathsFreak (773371) | more than 3 years ago | (#35818940)

Personally, I've had such ongoing, persistent library and software problems since I switched to 64-bit in 2006, that at this point I just want to go back to 32 bit. Just last week I had to spend 4 hours fixing a 32-bit library bug. Flash has of course been the single biggest and most obnoxious problem with my still ongoing 64-bit upgrade process.

Re:Linux 64 bit (1)

0123456 (636235) | more than 3 years ago | (#35819096)

Personally, I've had such ongoing, persistent library and software problems since I switched to 64-bit in 2006, that at this point I just want to go back to 32 bit.

Meanwhile every computer I own that has a 64-bit CPU runs 64-bit Linux and I've never seen any issue with the 64-bitness other than Adobe's inability to ship a working 64-bit Flash plugin.

Re:Linux 64 bit (1)

GameboyRMH (1153867) | more than 3 years ago | (#35821144)

I don't even have problems with Adobe's 64-bit Flash plugin. What can I say, it just works.

2006 called (0)

Anonymous Coward | more than 3 years ago | (#35819506)

Sounds like you must be stuck in a time warp, circa 2006. Everyone who isn't an idiot has been running 64-bit Linux happily for years.

32-bit is for unevolved cavemen and dumbfucks.

Re:Linux 64 bit (0)

Anonymous Coward | more than 3 years ago | (#35820332)

Just run the 32-bit version of Firefox. That's what I do.

This has two benefits: The latest flashplayer will work and all the shit preinstalled plugins from your distro won't work.

What fantastic news (-1)

Anonymous Coward | more than 3 years ago | (#35818812)

Software company decides to patch flaw!! Most interesting news!!

Article is Dup (5, Funny)

Anonymous Coward | more than 3 years ago | (#35818870)

Doesn't Slashdot post this same article every week?

Re:Article is Dup (1)

indeterminator (1829904) | more than 3 years ago | (#35822046)

The previous one was about Flash embedded in an Excel file. I'll predict next week a Powerpoint file is involved.

40..50 years of computing (2)

countertrolling (1585477) | more than 3 years ago | (#35818902)

And the whole damn country can be taken down by a media player. Truly fascinating.

Re:40..50 years of computing (1, Funny)

geek (5680) | more than 3 years ago | (#35819038)

Unless you're on an iPad

Re:40..50 years of computing (1)

countertrolling (1585477) | more than 3 years ago | (#35819272)

Keyloggers

Re:40..50 years of computing (1)

ColdWetDog (752185) | more than 3 years ago | (#35819472)

Keyloggers

No keyboard! (Well, none to speak of, anyway).

Re:40..50 years of computing (1)

smelch (1988698) | more than 3 years ago | (#35819652)

Yes, because key loggers go in the hardware. No physical keyboard, where will you put the keylogger? Genius.

Re:40..50 years of computing (1)

GameboyRMH (1153867) | more than 3 years ago | (#35821260)

Yeah for those we use other browser exploits, like the old jailbreakme.com, or the HTML-based forced-dialing vulnerability.

Re:40..50 years of computing (1)

lennier (44736) | more than 3 years ago | (#35822744)

I used to think that William Gibson's Neuromancer was wildly unrealistic for portraying a future Net so riddled with vulnerabilities that any cowboy kid with a cyberspace console could hack their way into a bank and escape barely milliseconds ahead of the Intrusion Countermeasure Electronics.

Now I know that the unrealistic part is that there's any countermeasures at all.

US grammar? (1)

Anonymous Coward | more than 3 years ago | (#35818912)

They are planning to patch Friday?
Why does Friday need patching?

Re:US grammar? (2)

OffaMyLawn (1885682) | more than 3 years ago | (#35819718)

If it's that horrible song, maybe they could patch some talent into it.

chosen ones life0cidal holycost ends on fatal fri. (0)

Anonymous Coward | more than 3 years ago | (#35818972)

nobody's betting much on that, likely not knowing that the 'longshots' win over 1/2 of the races, with better returns guaranteed. all races are 'fixed' in some way. remember to wager early & often on the true winners.

Summary not quite accurate... (3, Informative)

fahrbot-bot (874524) | more than 3 years ago | (#35818978)

The Flash Player for Windows will get patched on April 25, but the Flash Player bug in Reader X for Windows will get fixed in June because the Reader X sandbox prevents exploitation. From TFA:

Adobe said on Wednesday night that it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel. A separate patch for Adobe Acrobat X for Windows and Mac, Reader X for Mac and Reader 9.x for Windows and Mac on April 25.

The company is planning to wait until June to release a patch for the Flash Player bug in Reader X for Windows because the sandbox in that application prevents exploitation of the vulnerability. The patch for Chrome will be available earlier than the others thanks to Adobe's relationship with Google.

Re:Summary not quite accurate... (1)

trparky (846769) | more than 3 years ago | (#35819410)

Even if they don't release the patch for Google Chrome, Google Chrome users are still fully protected.

All of these exploits in Adobe products are why everyone is coming out with their own PDF viewers or sandboxing the hell out of Adobe Flash.

Google Chrome has it right, wrap Adobe Flash in the same nearly impenetrable sandbox that the browser itself is wrapped in. The Google Chrome sandbox has proven time and time again that no matter what exploit is found in the browser, the sandbox has rendered them completely useless to do anything really bad to the surrounding operating system. Three years running as the reigning champion at Pwn2Own!

Re:Summary not quite accurate... (0)

Anonymous Coward | more than 3 years ago | (#35819626)

And what is strange to me is where I work the machines with issues all have Google Chrome installed. It appears that Chrome allows the locked down user to install plugins that can touch the OS in ways that said user would not normally be able to do. When we fix the machine and remove Chrome the only complaint we get is where is Google Chrome. The machine otherwise works fine.

Granted it is the same 4 people that hate not having admin rights to every machine they may touch who are doing this. The fact that they can use Chrome to screw with the host OS is an issue.

Re:Summary not quite accurate... (1)

Entropius (188861) | more than 3 years ago | (#35819698)

Smells astroturfy, because you're making sure to call it "Google Chrome" every time instead of just "Chrome" like a normal slashdotter would.

For those that actually deploy this (1)

adeft (1805910) | more than 3 years ago | (#35819510)

A bit hard to find, but this specific vulnerability is in "10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems."

0 day ... what it means. (1)

BitZtream (692029) | more than 3 years ago | (#35819562)

It's funny to see everyone arguing over what zero day means ...

Back in my day, and yes, I'm an old geezer apparently, zero day meant ... the first day it was discovered.

zero day warez releases were released the same day as the software hit the shelves or went on sale somewhere.

The next day, it was no longer zero day, it would be 1 day.

You also had pre-release warez of course, for things that were available on ftp sites or IRC before the public release, also commonly called zero day warez as well.

You wouldn't go to a 'zero day' warez site and expect to find something released 2 days ago, it would have been cycled out and off the site before then. Group distro sites and such being an entirely different beast as some had larger archives and such.

It's amusing to me to see all the young'ens talk about zero day like they invented it and know exactly what it means, but I'm sorry to inform you that the way zero day is used this decade is much different than the way it was used a decade ago, mostly because of silly bloggers who don't know what it actually meant constantly referring to something new as zero day regardless of how long it had been known or public.

And for anyone who posts a link to wikipedia for a definition of zero day ... keep in mind, I STOPPED using the term before wikipedia even EXISTED, and it's hardly an authoritative source (neither am I for that matter of course) for anything. Just because it's on wikipedia doesn't mean it's true or that the page on wikipedia is accurate. Have we learned nothing about crowd sourced websites in the last 10 years?

Anyway, you guys go on and argue over your silliness about zero day, us old geezers will sit back and laugh about how you guys missed out on the good old days, and both groups will imagine how we're better than the other group ... because.

Re:0 day ... what it means. (1)

Imagix (695350) | more than 3 years ago | (#35819706)

I'm with you on this one. 0-day as a descriptor is nearly meaningless noise as it is currently used. "A vulnerability that the vendor doesn't know about yet." Big deal. "A new vulnerability" says pretty much the same thing. If it takes the crackers four years to find the vulnerability, it still counts as a 0-day. Part of the cachet around "0-day" originally was a giant raspberry to the software vendor that their copy protection for their software was so weak that it was broken the same day that it was released. So if the cracker can find a vulnerability in someone's software the same day that it is released, then fine. _That's_ a 0-day vulnerability. That says that the vendor is so bad that one can find problems the same day that it was released. If it takes 4 years... that's pretty strong.

Re:0 day ... what it means. (2)

bunratty (545641) | more than 3 years ago | (#35820424)

A new vulnerability can be found by white hats and reported to the company, which is not a 0-day. A new vulnerability can be found by black hats and exploited before the company knows about it. That's a 0-day, and it's problematic because the company wasn't able to attempt to mitigate or fix the problem before it was exploited. Not all new vulnerabilities are 0-days; probably most are not. It's not important whether a vulnerability was found the first day the software was released or not. The important thing is how long it takes the company to respond. If they had no knowledge of the vulnerability, it's a worst case scenario.

And, yet iPad still is... (0)

Anonymous Coward | more than 3 years ago | (#35819578)

Not a real computer, or anything remotely close to it, just a toy.
It's funny to see all the iSlaves coming out of the woodwork and claiming they are safe.

using anything Adobe is a security risk (0)

Anonymous Coward | more than 3 years ago | (#35819622)

Adobe has to have one of the crappiest security records of anything.

Flash O'Day (1)

OglinTatas (710589) | more than 3 years ago | (#35819710)

Wasn't he a quarterback for the Irish?

4 days sounds fairly quick (1)

Corse32 (682019) | more than 3 years ago | (#35819838)

I guess, does it push the update out to users?

Leave Flash behind (2)

xororand (860319) | more than 3 years ago | (#35820216)

Try to uninstall Adobe Flash for a week. I did and I can't say that I miss anything.

YouTube:
- The HTML5 beta [youtube.com] works rather well with modern browsers like Firefox 4.0 and nearly every video is available. You don't need a Google account. The setting is stored in a cookie.
- If you're on Linux, try Minitube [gawker.com] . It's a standalone player for YouTube that uses hardware acceleration.

Thanks to the iPad, more and more web sites offer alternatives to Flash. My preferred news TV station is now streaming both with Ogg/Theora and H.264.

Yes, I can't view the occasional funny cat video because it's only available in Flash format but guess what: I'm still alive.

Re:Leave Flash behind (1)

RocketRabbit (830691) | more than 3 years ago | (#35820602)

Really? Which news site streams OT?

Re:Leave Flash behind (1)

xororand (860319) | more than 3 years ago | (#35821012)

It's a German news program: tagesschau.de
Screenshot [imgur.com] .
They got an award for it too:

"The Free Software Foundation Europe (FSFE) and the Foundation for a Free Information Infrastructure (FFII) have used the occasion of Document Freedom Day 2011 to give an award to German broadcaster ARD's internet platform tagesschau.de for offering broadcast shows in the free Ogg Theora video format. According to the FSFE announcement, the technical manager and vice editorial director will be presented with cakes at separate events in Hamburg and Berlin."

Re:Leave Flash behind (1)

The Wild Norseman (1404891) | more than 3 years ago | (#35822346)

According to the FSFE announcement, the technical manager and vice editorial director will be presented with cakes at separate events in Hamburg and Berlin."

It's a trap! The cake is a lie!

OK Chrome has the fix already! (1)

fugas (619989) | more than 3 years ago | (#35821306)

Stable Channel release 10.0.648.205 is out. Thanks Google for the incredibly swift response.

Just as bad as Microsoft (1)

applematt84 (1135009) | more than 3 years ago | (#35822008)

It seems they are following in suit behind Microsoft with the "we will patch it when we feel like it" attitude. Disappointing.

That explains my friend's recent infection. (1)

BLToday (1777712) | more than 3 years ago | (#35822188)

Here's the summary of the conversation:
Him: dude, it's happened again.
Me: too much porn man.
Him: I didn't do anything, even used Chrome and Firefox
Me: which site did you go to?
Him: it's my office computer, I can't look at porn here.
Me: OK, maybe there's not enough porn on your computer.
