
Adobe Patches Second Flash Zero-Day In 9 Days

samzenpus posted more than 3 years ago | from the protect-ya-neck dept.

Security 178

CWmike writes "For the second time in nine days, Adobe has patched a critical vulnerability in Flash Player that hackers were already exploiting, Computerworld's Gregg Keizer reports. Adobe also updated Reader to quash 13 new bugs and several older ones the company had not gotten around to fixing. The memory corruption vulnerability in Flash Player could 'potentially allow an attacker to take control of the affected system,' Adobe said in an accompanying advisory. 'There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages.' Adobe last issued an 'out-of-band' emergency update on June 5, when it fixed a critical flaw that attackers were exploiting to steal Gmail login credentials. Those attacks were different from the ones Google disclosed the week before, when it accused Chinese hackers of targeting specific individuals, including senior U.S. and South Korean government officials, anti-Chinese government activists and journalists. Google, which bundles Flash Player with Chrome, also updated its browser Tuesday to include the just-patched version of Flash."


WTF adobe (1)

Xtravar (725372) | more than 3 years ago | (#36457276)

Every time I turn on my computer, another update... just do it silently already if it's such a problem otherwise I'm going to uninstall.

Re:WTF adobe (2)

jo42 (227475) | more than 3 years ago | (#36457338)

The best solution to the crapware known as "Flash Player" (on Adobe's own site no less): http://kb2.adobe.com/cps/141/tn_14157.html [adobe.com]

Re:WTF adobe (1)

Mashiki (184564) | more than 3 years ago | (#36457822)

Too bad that pushing 90% of the web these days uses it including for full site design.

Re:WTF adobe (3, Insightful)

dgatwood (11270) | more than 3 years ago | (#36458072)

Really? I've been using the ClickToFlash Safari extension for a couple of years, and the Click2Flash Safari plug-in for a year or more before that, and (not counting Flash games) I can count the number of sites where I've had to load Flash content on one hand, give or take. I've only seen about two sites in three or four years that use Flash for the main navigation, and neither is a site that I visit regularly.

YouTube content is generally usable with the HTML5 video tag, which pretty much eliminated the one site I regularly use that required Flash. I'm going to go out on a limb and say that 99% of the Flash content I encounter is advertising, and sites generally work correctly if the Flash content doesn't load, so I see no reason not to disable Flash.

Re:WTF adobe (1)

monkyyy (1901940) | more than 3 years ago | (#36458770)

The same reason to use Windows: games.
And the same reason to multi-boot as well: to disable it for most of the time.

Re:WTF adobe (1)

Billly Gates (198444) | more than 3 years ago | (#36458798)

"YouTube content is generally usable with the HTML5 video tag, which pretty much eliminated the one site I regularly use that required Flash. I'm going to go out on a limb and say that 99% of the Flash content I encounter is advertising, and sites generally work correctly if the Flash content doesn't load, so I see no reason not to disable Flash."

The issue is IE 6/7. Since Asian and corporate users refuse to upgrade the webmasters are under pressure to make a site that looks great for IE 6 that will work 5 years from now with Chrome 25. Flash is the substitute. I really hope when XP finally dies that corporations will upgrade to Windows 8 with IE 10 so developers can finally leave flash behind. There are sites too that use more flash if it detects IE 6 or IE 7.

Re:WTF adobe (1)

Danieljury3 (1809634) | more than 3 years ago | (#36458842)

Someone should make a virus that uses vulnerabilities in IE 6/7 to gain access to a machine to uninstall IE 6/7. Might be the only way to make some of them upgrade.

Re:WTF adobe (1)

dgatwood (11270) | more than 3 years ago | (#36458948)

Since Asian and corporate users refuse to upgrade the webmasters are under pressure to make a site that looks great for IE 6 that will work 5 years from now with Chrome 25. Flash is the substitute.

And then their sites won't work on iPhone, iPod Touch, or iPad. In general, pandering to people running outdated browsers on an outdated OS on outdated hardware while ignoring people with the disposable income to buy modern gadgets is generally bad for sales. Just saying. :-)

There are sites too that use more flash if it detects IE 6 or IE 7.

See, since I don't run IE6 or IE7, I don't really care about those. They don't affect me, and if they affect you, this might be a good time for you to click on over to your choice of Google, Apple, or Firefox and download a better browser. :-D

Re:WTF adobe (1)

smash (1351) | more than 3 years ago | (#36459286)

If you're running IE6, you're insecure anyway. If you're running IE7, you should upgrade to IE8 (or even better, IE9), as basically anything that works in 7 works in 8/9.

Re:WTF adobe (2)

mikestew (1483105) | more than 3 years ago | (#36458334)

I don't even have Flash installed on the two machines I mainly use, and view a lot of pages on the Flash-incapable iPad and iPhone. The only place I notice the lack of Flash is YouTube and Hulu. YouTube is fine on iOS, and there's a Hulu app for iOS and Mac OS X. Sure, once in a while a site doesn't render. As I used to say about RealPlayer, there's nothing on the web I need to see so badly that I'm willing to install Flash.

Re:WTF adobe (1)

Anonymous Coward | more than 3 years ago | (#36457340)

Right, because if there is anyone you should trust to do things silently in the background it is Adobe.

Re:WTF adobe (2)

brucek2 (208676) | more than 3 years ago | (#36457390)

And also, why is the update process tied to system startup? My main desktop rarely reboots, which means I get these updates only weeks after I needed them, or after taking special action because I saw a story like this one.

Re:WTF adobe (5, Informative)

PNutts (199112) | more than 3 years ago | (#36457428)

http://secunia.com/vulnerability_scanning/personal [secunia.com] "The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals. The only solution to block these kinds of attacks is to apply security updates, commonly referred to as patches. Patches are offered free-of-charge by most software vendors, however, finding all these patches is a tedious and time consuming task. Secunia PSI automates this and alerts you when your programs and plug-ins require updating to stay secure." Set and forget.

Re:WTF adobe (1)

brucek2 (208676) | more than 3 years ago | (#36457530)

Thanks! Installed and scanning now.

Re:WTF adobe (1)

Xtravar (725372) | more than 3 years ago | (#36457544)

Wow, that seems useful. I never understood why MS doesn't put 3rd party stuff into Windows Update.

Re:WTF adobe (1)

networkzombie (921324) | more than 3 years ago | (#36457640)

They would be assuming responsibility which is never a good thing.

Re:WTF adobe (0)

Anonymous Coward | more than 3 years ago | (#36458148)

You would be assuming an assumption. Is Ubuntu responsible if I add a 3rd party repository?

Re:WTF adobe (1)

Xtravar (725372) | more than 3 years ago | (#36458278)

Apple does it just fine with the AppStore...

Re:WTF adobe (1)

Billly Gates (198444) | more than 3 years ago | (#36458834)

"Apple does it just fine with the AppStore..."

Apple does not have corporate users who hate to upgrade unless things are tested first ... whichever year they decide to do it. It is a liability because it is called Windows Update and therefore is part of Windows according to the lawyers. Not to mention Sarbanes-Oxley requires documentation for unauthorized software upgrades or installs and useless annoying crap.

With the Apple Store the user assumes responsibility. No such arrangement on Windows as Offices would refuse to use it otherwise.

Re:WTF adobe (2)

tlhIngan (30335) | more than 3 years ago | (#36459102)

Apple does not have corporate users who hate to upgrade unless things are tested first ... whichever year they decide to do it. It is a liability because it is called Windows Update and therefore is part of Windows according to the lawyers. Not to mention Sarbanes-Oxley requires documentation for unauthorized software upgrades or installs and useless annoying crap.

With the Apple Store the user assumes responsibility. No such arrangement on Windows as Offices would refuse to use it otherwise.

Actually, it's because the iOS App Store (and likely the Mac App Store) requires apps to be self-contained. The only dependencies allowed for apps are what comes with a completely clean install of the OS. So as a first-pass test, all you need to do is run your app, because unless you jailbreak, you're reasonably assured that it's just your app running.

If you update your PDF viewer on iOS, iOS will launch the PDF viewer itself and it's running in its own little sandbox when a web browser requests it.

Microsoft Office, etc. install stuff all over the place and many hidden dependencies can result - apps using fonts, DLLs, APIs and other things without realizing they're not provided with Windows, just that so many people use those programs that it's assumed it's there and very strange things happen when they aren't.

So in general, updating an iOS app will update the files associated with just that app, and since the app is self-contained, there is no way there can be hidden library dependencies or API dependencies. But Windows and Office have so many components added to them that strange dependencies develop. Heck, I had one program require OpenSSL under Windows, and it worked, despite my never installing the OpenSSL DLLs. Instead, it seemed Windows pulled the OpenSSL DLLs from the WiFi driver's installation directory and used those. Tell me if that isn't a disaster waiting to happen.

Re:WTF adobe (0)

Anonymous Coward | more than 3 years ago | (#36459412)

Especially if we could get rid of all the third-party updaters.
My Windows machine has Windows Update, Java Update, and Adobe Update running, plus god-knows-what on various application starts.

My Linux machine has ... apt

And in theory, my Mac only needs to run the Mac App Store, because one of the conditions of being in the store is that your app only uses the store's built-in updater.
Of course, my Mac is also running ports, which has its own updater, and I haven't actually got anything from the store yet, so there are a couple of third-party apps that update on their own too.

I am hoping that Windows 8's app store will have a similar condition, and will likewise handle updating in a centralized way.
I mean, it's not like apt and its equivalents haven't been around for more than 10 years....

Re:WTF adobe (1)

Anonymous Coward | more than 3 years ago | (#36457768)

So it does exactly what Chromium does? Updates specific plugins, disables known vulnerable plugins, and makes plugin instances click-enabled?

Before Google added native vulnerability checking they had an extension for that: https://chrome.google.com/webstore/detail/pgkcfihepeihdlfphbndagmompiakeci [google.com] .

Re:WTF adobe (1)

Anonymous Coward | more than 3 years ago | (#36458426)

For you firefox folk out there

http://www.mozilla.com/en-US/plugincheck/ [mozilla.com]

Works decently...

Re:WTF adobe (2)

Qzukk (229616) | more than 3 years ago | (#36457592)

Actually, it's tied to the login process, logging out and back in triggers the updater. As for why, I'm guessing that it's because there's no central repository that can be checked periodically, and people whine and moan about having a half dozen executables sitting around and doing nothing but checking for updates. I've got computers at work that have programs in the background for Java updates, InstallShield (several programs use this), Apple's updater, Adobe's updaters and Google's updater, all on top of Windows Update whenever it runs.

Re:WTF adobe (2)

RussellSHarris (1385323) | more than 3 years ago | (#36457892)

Yeah, because it never occurred to anybody that the Windows Task Scheduler could be used to schedule checks for updates for computers that never get rebooted...

Re:WTF adobe (1)

Nimey (114278) | more than 3 years ago | (#36458494)

Oh, wait. Google does that.

Re:WTF adobe (1)

hedwards (940851) | more than 3 years ago | (#36459342)

It's a force of habit from when Windows used to come with that auto Reboot feature. You know the one that was that pretty blue color.

Re:WTF adobe (0)

Anonymous Coward | more than 3 years ago | (#36457408)

No you won't. Which is exactly why all of this is a problem and HTML5's provisions aren't enough to displace Flash, yet anyway.

Re:WTF adobe (0)

Anonymous Coward | more than 3 years ago | (#36457686)

mod parent up, Adobe needs to get with the times and provide an auto-updater, even Java provides this!

Re:WTF adobe (1)

ColdWetDog (752185) | more than 3 years ago | (#36457796)

mod parent up, Adobe needs to get with the times and provide an auto-updater, even Java provides this!

Actually Adobe does have an update daemon for Creative Suite (at least on OS X). It's actually rather benign; it just sits there and gives you the number of patches it thinks you need. Doesn't beep, squeak or bounce up and down. The problem, though, is as ol' Qzukk points out a few comments above this. You end up with a half dozen little programs bothering you at random times. Do Not Want.

Re:WTF adobe (1)

kirbysuperstar (1198939) | more than 3 years ago | (#36457808)

Even Adobe Reader provides this.

Captive Portal (0)

Anonymous Coward | more than 3 years ago | (#36457282)

It's a pity that the update failed and exited with no opportunity to retry because it ran before I logged into the captive portal that my condominium uses. Guess I'll get it tomorrow then.

HOLY SHIT!! omg (-1)

Anonymous Coward | more than 3 years ago | (#36457304)

HOLY SHIT, HOLY SHIT!!!

Hell has officially frozen over.

Out of band? (1)

Anonymous Coward | more than 3 years ago | (#36457316)

Adobe last issued an 'out-of-band' emergency update...

What is with all these software companies trying to schedule their patches? I don't buy the whole "it helps IT people roll out updates" argument. If a patch interferes with some sysadmin's precious schedule, he can just roll it out later (after half his machines are infected).

Re:Out of band? (0)

Anonymous Coward | more than 3 years ago | (#36457434)

Exactly. It's a PHB trying to 'manage' the bug fixes after 'scheduling' the released software coding so aggressively that of course it was full of bugs and holes. Trying to justify it some other way is just corporate doublespeak.

Re:Out of band? (4, Informative)

LO0G (606364) | more than 3 years ago | (#36457812)

Before the patch is made, many of these exploits are not widely known. Sometimes they are, but normally they aren't.

As I understand it, the risk is that once the patch is published, the bad guys reverse engineer the patch and publish exploits for those patches (usually within 6 hours). So if you delay patching after a patch is made, you put your machines at increased risk. So scheduling an update so that IT folks have time to react is a good thing.

The one exception is when the exploit is published *before* the patch is published. In that case, it makes sense to push an out-of-band patch and to hell with the sysadmins schedule.

Re:Out of band? (1)

Anonymous Coward | more than 3 years ago | (#36457960)

Before the patch is made, many of these exploits are not widely known. Sometimes they are, but normally they aren't.

As I understand it, the risk is that once the patch is published, the bad guys reverse engineer the patch and publish exploits for those patches (usually within 6 hours). So if you delay patching after a patch is made, you put your machines at increased risk. So scheduling an update so that IT folks have time to react is a good thing.

Sorry, but this reeks of Security Through Obscurity. Every minute that a company has a patch and refuses to release it, they're making things worse for everyone.

Re:Out of band? (1)

shutdown -p now (807394) | more than 3 years ago | (#36458128)

"Security through obscurity" is not a universally bad thing. Only on Slashdot is it considered some kind of final, irrefutable argument in any security-related discussion.

Re:Out of band? (0)

Anonymous Coward | more than 3 years ago | (#36459018)

It's bad when you're not using a multi-layered security approach.

Re:Out of band? (1)

hedwards (940851) | more than 3 years ago | (#36459358)

This is the type of security by obscurity that's bad. Security by obscurity as part of a balanced approach isn't problematic, but failing to release patches because of this sort of silliness is just irresponsible. You hold off on releasing a patch because people might reverse engineer it rather than having to use the already known exploit. The companies releasing these patches are rarely the first party to discover them; typically they find out about them after somebody exploits them.

Re:Out of band? (2)

LO0G (606364) | more than 3 years ago | (#36458780)

shutdown-p basically nailed it but I want to dig a bit deeper.

There is no such thing as absolute security. There is no software available to end-users that is 100% secure (there may be very special case scenarios but they're not mainstream). Because of this, security is primarily a risk management problem.

So when you decide to take a patch, you have to weigh the risks of taking the patch (it might break some LOB app) against the risk of *not* taking the patch (you might get hacked).

We make these choices every single day when we get patches from vendors. Sysadmins (who have to keep entire corporations alive) are very risk averse (deploying a patch which shuts down the accounting department is likely to be a career-limiting-move) and that means that they want to make sure that every patch is tested before they deploy it.

So when they see a patch, they need to weigh the risks. There is *no* debate that the bad guys reverse engineer patches. They do. That means that once a patch is deployed, the risks of *not* taking it skyrocket.

If you release patches once every few days, that means that sysadmins are constantly putting their line of business apps at risk.

Somewhat off-topic: Every once in a while, someone at work asks about the benefits of moving some internal server from its traditional port to a new port (for instance moving the SMTP server from port 25 to port 9998). The purists always respond with "that's just security by obscurity", to which the pragmatists respond "yeah, but it works to remove certain classes of threats. It won't stop a dedicated attacker who's actively probing your ports, but for most automated attacks, it can be highly effective".

So yeah, a little "security by obscurity" helps.

Re:Out of band? (1)

dgatwood (11270) | more than 3 years ago | (#36458822)

In this case, maybe; in general, no.

The reason you might be right in this case is that Flash is just so d**n buggy. I don't know how bad it is on Windows, but on Mac OS X, back before I added Click2Flash (and later, ClickToFlash), it used to be the #1 most common cause of Safari crashes on my machine by fully an order of magnitude over all other causes combined. When you realize that the odds are good that every single one of those crashes is an exploitable security hole, it's a wonder they don't have a zero-day a day.

Because it is so buggy, everybody assumes it is an easy target, and they go looking for exploitable holes. This greatly increases the odds of zero-day exploits. Were Flash not a train wreck, most theoretically exploitable holes would not be known until patch time, and it would be very beneficial to schedule patch releases. As it stands, scheduling patches is of only moderate utility because patching the holes in Flash is like trying to plug the holes in a colander, one at a time.

In general, however, when you have to upgrade tens of thousands of machines at a company, you need to be able to count on scheduling that work ahead of time. It's a major undertaking, and if you can schedule it ahead of time, you minimize the chances that someone will disassemble the patch, come up with a working exploit, deploy that exploit with a bunch of prewritten attack code in a Flash advertisement on some major ad network, and infect half of your machines before you are able to get them patched.

And this is why my machine has been running a Flash blocker for several years even though nobody has targeted Mac OS X through Flash yet. Just think of Flash blockers as a condom for your network browsing experience, and always practice safe web.

Re:Out of band? (1)

10101001 10101001 (732688) | more than 3 years ago | (#36458726)

As I understand it, the risk is that once the patch is published, the bad guys reverse engineer the patch and publish exploits for those patches (usually within 6 hours). So if you delay patching after a patch is made, you put your machines at increased risk. So scheduling an update so that IT folks have time to react is a good thing.

That doesn't really make sense, though. If what you say is true and it's the patch itself that is used to make the exploit, it doesn't matter if you release the patch on day 1 or day 10. It'll still be patch day + 6 hours before an exploit is in the wild. The real issue, actually, is not telling IT folks about the exploit (not necessarily details but enough to know to not use the product or to use a work around to limit/block the exploit) before the patch is released. Presuming that it takes days between announcing there's an exploit and releasing the patch, that should give IT folks the time to mitigate the risk and then deal with the patch when it comes. All a vendor having a time table does is allow them to group many exploits together to allow them to pretend the amount of exploits that exist are smaller than there are. IT folk, having to deal with multiple vendors with multiple patch day schedules, have to develop their own schedule for accepting patches, testing them, and applying them, anyways, so I don't really see how it helps them.

The one exception is when the exploit is published *before* the patch is published. In that case, it makes sense to push an out-of-band patch and to hell with the sysadmins schedule.

Which still means telling IT folk about the exploit and not waiting for the patch to actually be made. As much as the exploit might be in the wild, that doesn't mean every black hat has enough information about the exploit to use it. Hence, releasing the patch to everyone still has a lot of the above mentioned +6 hour risk.

Re:Out of band? (1)

LO0G (606364) | more than 3 years ago | (#36458838)

There are two possible reactions to telling the IT guys about the exploit: (1) you give them enough information to harden their systems proactively (adobe flash scripting has a problem when dealing with flibberjabber elements) or (2) you give them vague information (there's a bug in flash somewhere).

The first is probably enough to give the bad guys enough of a clue for them to figure out the vulnerability and you've just created a 0day. The second isn't enough information for the IT guy to figure out how to protect their systems.

If there was a way for a vendor to tell only their customers about an upcoming issue, without letting the bad guys know, that's another thing. It's exactly why Microsoft created the MAPP [microsoft.com] which lets antimalware firms know about upcoming patches before they're released.

Re:Out of band? (1)

dgatwood (11270) | more than 3 years ago | (#36458904)

The real issue, actually, is not telling IT folks about the exploit (not necessarily details but enough to know to not use the product or to use a work around to limit/block the exploit) before the patch is released.

You're kidding, right? Are there really any IT admins who still don't know that from a security perspective, Flash is a giant sieve? :-)

Seriously, any IT admin that doesn't (at minimum) install a Flash blocker on every machine is missing a security hole so big you could drive an Abrams through it.

All a vendor having a time table does is allow them to group many exploits together to allow them to pretend the amount of exploits that exist are smaller than there are.

Very, very wrong. It has lots of benefits:

  • Fewer patches mean each patch is likely to be more thoroughly tested because it wasn't rushed out the door.
  • Fewer patches mean IT admins have time to test them all before rolling them out.
  • Even with all the testing in the world, patches are going to break at least a few machines. Therefore, fewer patches = fewer hosed machines.
  • As someone else noted, the release + 6 hours problem occurring once per week instead of once per day means that crackers creating exploits have only one seventh the number of opportunities to break into your machines.

In short, the only reason you should ever release an unscheduled security patch is if you know that the vulnerability is already being exploited in the wild. Mind you, I'm not saying that you should sit on security fixes for two or three months, but releasing non-zero-day security fixes in an unscheduled fashion would be just as reckless and irresponsible as not immediately releasing a patch for a zero-day.

Re:Out of band? (1)

jd2112 (1535857) | more than 3 years ago | (#36458130)

Spoken like someone who has never been responsible for keeping thousands of computers running mission critical applications. When money is involved (lost business, idle workers, etc.) the risk of deploying patches without going through proper testing cycles can be much greater than the risk posed by malware. If you have ever had a thousand workers idle because a patch caused a mission critical app to fail you would understand.

Re:Out of band? (1)

hedwards (940851) | more than 3 years ago | (#36459370)

I'm going to have to call BS. QA doesn't always take a predictable amount of time to complete. Sometimes it takes longer and sometimes it takes less time. Delaying security patches to home users because corporate users ask for it is completely unacceptable.

Re:Out of band? (1)

HTH NE1 (675604) | more than 3 years ago | (#36458644)

"Out-of-band" isn't even the correct term. If it was out-of-band, it would be pushed through an alternate channel or medium parallel to the usual release, like mailing the keys you need to decrypt the downloaded patches through postal mail, or like how CSS can be served independently from the HTML document as opposed to inline presentation HTML tags.

What it is is "out-of-schedule" or simply "unscheduled". Some PHB heard of the existing term "out-of-band" and decided that that's what this would be called without understanding, knowing, or even caring about the established meaning.

queue the comments... (1)

Anonymous Coward | more than 3 years ago | (#36457330)

about how it's not a zero-day if they knew about it

(and about how I don't know the difference between cue and queue)

Should be Free and Clear Soon? (1)

selex (551564) | more than 3 years ago | (#36457332)

At the rate they are finding bugs and patching them, Adobe Flash should be the most well written and perfect piece of software soon right? Selex

Again? Really? (0)

Anonymous Coward | more than 3 years ago | (#36457336)

Could Adobe hire some competent coders for once?

Re:Again? Really? (0)

Anonymous Coward | more than 3 years ago | (#36457418)

What's wrong with the Indian code monkeys?

Affected software versions (4, Informative)

farnsworth (558449) | more than 3 years ago | (#36457490)

Since it didn't say in the summary:

Affected software versions

  • Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 10.3.185.23 and earlier versions for Android

Re:Affected software versions (1)

Anonymous Coward | more than 3 years ago | (#36458000)

There ain't no pancake so thin it doesn't have two sides.

A Moebius pancake?

Re:Affected software versions (1)

Billly Gates (198444) | more than 3 years ago | (#36458852)

Great, maybe my Android phone will get an update, oh, after it has been rooted by 2012. AT&T is refusing to update it, probably because they want me to buy a new phone.

Perhaps one of the reasons (1)

bryan1945 (301828) | more than 3 years ago | (#36457500)

it's not in iOS? Besides the whole Apple-Adobe fighting & Apple pushing other standards.
Enjoy.

Re:Perhaps one of the reasons (1)

CharlyFoxtrot (1607527) | more than 3 years ago | (#36458040)

Flash is the new RealPlayer. The sooner everyone uninstalls it the sooner it sinks into obscurity where it belongs.

Re:Perhaps one of the reasons (1)

dudpixel (1429789) | more than 3 years ago | (#36458546)

For argument's sake, it's not in Android either.

Users must explicitly download and install it (unless the manufacturer bundles it, which they shouldn't).

Maybe Adobe should be the one responsible for their software, so that Apple doesn't feel like they have to be. It's about time they (Adobe) cleaned this crap up.

Stating the obvious (1)

93 Escort Wagon (326346) | more than 3 years ago | (#36457506)

Gotta love FlashBlock.

And 64-bit Will Be Updated When? (4, Insightful)

hoeferbe (168081) | more than 3 years ago | (#36457542)

Great. I'm glad they're patching security vulnerabilities in their 32-bit product. But why do 64-bit users have to use a vulnerable version [adobe.com] from 7 months ago?

Re:And 64-bit Will Be Updated When? (0)

PNutts (199112) | more than 3 years ago | (#36457706)

Because it hasn't been released yet (currently Preview 3).

Honest question: Why use an x64 browser? For example, we still put 32-bit Office on our x64 desktops for plug-in and other compatibility.

64-bit required for a browser (1)

poppopret (1740742) | more than 3 years ago | (#36457880)

If you open enough browser windows and enough tabs in each window, you'll exceed what a 32-bit program can handle. Depending on the OS, 32-bit programs get 2 or 3 GB of address space. I've seen my browser using more than 4 GB.

Re:And 64-bit Will Be Updated When? (1)

yoghurt (2090) | more than 3 years ago | (#36457918)

Why use an x64 browser?

Because *everything* on my Linux system is 64-bit. Why should I install *any* 32-bit?

Re:And 64-bit Will Be Updated When? (1)

larry bagina (561269) | more than 3 years ago | (#36457922)

All those fancy new JavaScript engines that compile down to native code work much faster on x64 than on x86. Also, with Firefox's memory leaks, 4 gigs isn't enough.

Re:And 64-bit Will Be Updated When? (4, Informative)

arth1 (260657) | more than 3 years ago | (#36458020)

Honest question: Why use an x64 browser?

Speed, for one thing. For Windows, here [favbrowser.com] is one benchmark that shows the rather significant difference. When on javascript heavy sites, having a 64-bit browser sure helps.

For Linux, there are other considerations, like not having to install the whole 32-bit compatibility layer and libraries at all. Fedora, for example, won't install 32-bit support unless you explicitly tell it to. Being 64-bit only saves a lot of memory compared to being dual-stack.

For example, we still put 32-bit Office on our x64 desktops for plug-in and other compatibility.

The speed difference for large spreadsheets can be stupendous, in favour of 64-bit. Or running a text analysis on a book-sized document. I've ran 64-bit Office 2010 for quite a while, and haven't run into a single problem yet (well, 64-bit problem that is -- Office itself is another issue).

Re:And 64-bit Will Be Updated When? (1)

Nimey (114278) | more than 3 years ago | (#36458504)

64-bit browsers tend not to be faster for some things, especially Javascript.

Would that it were different, though.

Re:And 64-bit Will Be Updated When? (2)

arth1 (260657) | more than 3 years ago | (#36457838)

Indeed.
My Add-ons manager says I have:
Adobe Acrobat 9.4.3.231
Shockwave Flash 10.2.152.32

When checking for updates, there are none.
It's mid-2011, why should the focus be on 32-bit?

Then again, a 64-bit version of Firefox would be nice too. Or perhaps not, given how much memory it eats. With it being a 32-bit app, at least it can't gobble up more than 2 GB per process...

Re:And 64-bit Will Be Updated When? (1)

pjbgravely (751384) | more than 3 years ago | (#36458088)

Yes the 64 bit version of Firefox seems to eat more memory. But on the other hand I haven't run 32 bit Firefox since version 1.5 so it may just be feature creep.

Re:And 64-bit Will Be Updated When? (1)

hedwards (940851) | more than 3 years ago | (#36459374)

The 64bit versions always use more memory, which is why you're often better off not using a 64bit version unless you've got a reason to do so.

ActiveX (3, Insightful)

slyborg (524607) | more than 3 years ago | (#36457602)

Adobe has managed to reincarnate ActiveX in the form of Flash. Why is this junk still being used? It's apparently got an attack surface the size of Jupiter...

Re:ActiveX (1)

Anonymous Coward | more than 3 years ago | (#36457916)

Because many web-apps need ties directly to local resources; either for performance reasons or extended functionality. Flash and ActiveX provide developers what HTML and javascript cannot.

As to why these aren't stand-alone installed applications for security reasons? Because people would rather have portability and ease of access from any place in the world. You got a browser with Flash? Well, your task just got more convenient.

Re:ActiveX (1, Interesting)

wishfulThinking (1609785) | more than 3 years ago | (#36458916)

Good God, why all the hate on Flash? It's not a piece of crap at all... It does stuff that html/js/css hasn't been able to do, and still can't. So what if a company doesn't make all their products open source; some people gotta make a buck (protect what is rightfully theirs), and Adobe is not doing it in an evil way. Have all you flash haters not seen any javascript html exploits? XSS, dirty-cookie? Are there not a pissload of Sencha/JQuery bugs? I've developed both Flash and html/js stuff; they're both great. So why all the hate? 2011 html/css/javascript capabilities = 2003 Flash capabilities

Re:ActiveX (1)

Anonymous Coward | more than 3 years ago | (#36459110)

Flash sucks your entire CPU, gets exploited regularly, and sucks ass in general. That's why there's all the hate on flash. Your nick fits you.

Re:ActiveX (1)

hedwards (940851) | more than 3 years ago | (#36459398)

Well, Flash isn't accessible and can't be made accessible. Anything that you convey using Flash also has to be conveyed in another fashion. Flash isn't available on all platforms that one might want to use, meaning that you're leaving some folks out. The performance is horrendous and the plug-ins are frequently out of date and buggy. It's also a regular security nightmare and probably always will be, as Adobe doesn't seem to be doing any better than Macromedia was previously.

Time for it to die and be replaced by something that isn't complete crap.

Adobe... Java.... Internet Explorer... (1)

PenquinCoder (1431871) | more than 3 years ago | (#36457624)

What do all of these have in common??? They're the most used in-roads to exploits on a system.

Unfortunately, while we have educated users and created worthy (and better) competitors to Internet Explorer, the same has not been done for Adobe's Flash/PDF, or Java.

Seriously, how many more exploits and system owning do we need to do before we can be free of Adobe's so called 'Portable Document', and its CPU hogging, desktop crashing, bug ridden, crackers best wet dream, craptastic software???

Re:Adobe... Java.... Internet Explorer... (1)

varargs (2260180) | more than 3 years ago | (#36457902)

Yep. I just installed Chrome on a new Linux system. Immediately got the message "Flash out of date." So I went to Adobe web site, and they said Chrome users needn't worry, Flash is automatically updated. Right. I don't know this for a fact, but it seems to me that Flash is a good example of what you get when you farm out your software development to 3rd worlders. They apparently still haven't gotten 64 bit support right.

Re:Adobe... Java.... Internet Explorer... (0)

Anonymous Coward | more than 3 years ago | (#36457996)

"...crackers best wet dream..."

I object, not all white dudes use Flash - Uh, wait a minute...;>(

Flash programmers have serious mental problems. (-1)

Anonymous Coward | more than 3 years ago | (#36457664)

If you use flash I hope you get your ass stretched to goatse size and then a hive of wasps flies into that hole.

This also applies to IE6 users and Blackberry using hipsters.

Tenable's Security Center requires Flash (1)

Anonymous Coward | more than 3 years ago | (#36457688)

Why don't I feel secure?

Too many updates! (1)

antdude (79039) | more than 3 years ago | (#36457908)

MS had so many updates yesterday. My 64-bit Acer OEM Vista HPE SP2 (IE7) test PC had to get over 200 MB of updates from MS. Then, Adobe updates. Augh!!

Re:Too many updates! (1)

TheRealQuestor (1750940) | more than 3 years ago | (#36458036)

So you would rather them not fix it at all? I don't care about a 200 meg download [and oddly mine was less than 65M last night] but I do care if I am running an unpatched system.

Wait I also installed Ubuntu 11.04 last night and on bootup it had at least 100 megs of updates. and 11.04 only like what 28 days old or something. THAT's some patchin right there!

So please, Mr. Joe Company, please keep fixing your horrible [or not so horrible] code.

Now if the folks who do Java could figure out how to actually fix it so I don't get 5 calls a week about some malware that says their system is infected or their hard drive is failing, I'd be a happy camper. Poorer, but happier. Out of the last 20 or so incident calls I have had to go fix that involved malware, they have ALL been introduced to a fully patched and locked down system using some java crap. I would remove Java like the plague, which it is, if it weren't for them needing it for the damn medical and/or financial software they run.

Freaking java should just die.

Re:Too many updates! (1)

antdude (79039) | more than 3 years ago | (#36458058)

1. Don't release all the patches in the same day! I have to patch a bunch of computers manually: Linux/Debian, Windows, and Mac OS X.

2. Companies should do a better job with their code to avoid these security problems.

Re:Too many updates! (1)

0123456 (636235) | more than 3 years ago | (#36458716)

Wait I also installed Ubuntu 11.04 last night and on bootup it had at least 100 megs of updates. and 11.04 only like what 28 days old or something. THAT's some patchin right there!

Windows Update generally only updates the operating system and a few Microsoft apps. Ubuntu updates the operating system and thousands of applications (or whichever of those thousands you have installed).

And the big problem with Windows Update is not the amount it downloads, but the fact that it constantly wants to reboot after installing an update and thrashes the disk like a two dollar whore while it's installing so I usually can't do anything else.

Re:Too many updates! (1)

Billly Gates (198444) | more than 3 years ago | (#36458892)

Are the latest Java JREs really that insecure? Java has prided itself on having the ultimate sandbox, and I know finally someone compromised it last year.

The reason I am asking is because I use Eclipse and do Android development. Is it safe to use the latest releases of Java 6 64 bit?

Re:Too many updates! (1)

TheRealQuestor (1750940) | more than 3 years ago | (#36458934)

They are that bad.

How many of these bugs are "tangential"? (0)

Anonymous Coward | more than 3 years ago | (#36457964)

semi OT - generalize to exploits in various packages

By "Tangential", I mean, would the exploits exist in the "core" application (in this case "render flash"), or are exploits related to "other stuff" demanded by "marketing" needs? (e.g. adding on automatic updates, breaking the "core" use into free and premium modules, "phone-home" or "store local info" add-ons...)

Just curious

auto update feature should be mandatory (0)

Anonymous Coward | more than 3 years ago | (#36457968)

seriously, what are you thinking, Adobe?

is it for the lulz we have to manually remove and install updates?

And still no new 64-bit releases (1)

The One KEA (707661) | more than 3 years ago | (#36458092)

I wonder if Adobe has just given up on its pure 64-bit users (on both Windows and Linux) and decided that they can rot. I haven't seen a new Flash Player Square release mentioned anywhere since the last release came out. What on earth is preventing these people from supporting their 64-bit plugin with security updates?

Re:And still no new 64-bit releases (0)

Anonymous Coward | more than 3 years ago | (#36458378)

Perhaps they don't need it? The x86_64 architecture has the ability to mark memory pages non-executable (NX) and so some forms of overrun exploits simply do not succeed.

warm fuzzy, but no (1)

mevets (322601) | more than 3 years ago | (#36458856)

Adobe's holes are far beyond an easy fix. Funny how they have become the new Windows. It is, of course, because so many people use it, not because it is a pile of crap.

Re:warm fuzzy, but no (1)

dgatwood (11270) | more than 3 years ago | (#36459146)

I'm assuming you're being sarcastic. If not, though, by that standard, we should have serious security holes on a near-daily basis in Notepad, Facebook, Google....

This, of course, brings us to the obvious question: how many security holes does a single plug-in have to patch before we can take for granted that the code is one giant, steaming pile of dingo turds? Just curious. Maybe that should be a Slashdot poll....

Re:And still no new 64-bit releases (1)

dgatwood (11270) | more than 3 years ago | (#36459084)

The x86_64 architecture has the ability to mark memory pages non-executable (NX) and so some forms of overrun exploits simply do not succeed.

Sure, that prevents certain types of exploits against certain vulnerabilities, but it doesn't generally nullify a vulnerability entirely.

A vulnerability is like having a glass window next to the door on your house. The NX bit is like bars on that window. It prevents you from trivially breaking the glass and reaching through to turn the lock, but it does not prevent you from breaking the glass, pointing a gun at someone on the other side, and ordering him or her to unlatch the bars so that you can reach in and unlock the door.

In much the same way, an NX bit prevents you from injecting arbitrary code in some places, but doesn't necessarily prevent you from calling mprotect or whatever to make the writable page executable or to make some other executable page writable or whatever. This just means that you now have to exploit the vulnerability in a more complex fashion or exploit it more than once (e.g. once to return into the first line of mprotect after overwriting the parameters appropriately so that it makes the stack writable, and once to overwrite the stack with your code and jump into it). The exploit just becomes a somewhat more complicated trampoline design instead of a simpler chunk of code.

All those techniques (NX, ASLR, etc.) make it harder to attack 64-bit processes, but even when combined, they are not a cure-all, and I'd be wary of any claim that they can completely nullify any particular security hole. It might be true in a few cases, but that's like buying expensive HDMI cables for your living room under the assumption that it will make the picture look better.
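As an added example (not from the thread or from any of its posters), here is the defender-side check that follows from the NX discussion above: scan a Linux process's memory map for pages that are both writable and executable, which is exactly the state an attacker needs to reach by calling mprotect or similar. The maps text below is constructed, and the binary paths in it are placeholders.

```python
"""Flag writable+executable (W^X-violating) mappings in /proc/<pid>/maps.

Added example; not code from the thread. SAMPLE_MAPS is constructed and
the paths in it are placeholders. On a real box, pass the text of
/proc/<pid>/maps (or call scan_process) to see whether NX is actually
protecting a plug-in process's heap, stack and JIT regions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def is_wx(self) -> bool:
        # Both writable and executable: NX gives no protection here.
        return "w" in self.perms and "x" in self.perms


def parse_maps(text: str) -> list[Mapping]:
    """Parse maps text into Mapping objects, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], m["path"].strip()))
    return out


def find_wx_mappings(text: str) -> list[Mapping]:
    """Return only the mappings that are writable AND executable."""
    return [m for m in parse_maps(text) if m.is_wx]


def scan_process(pid: int) -> list[Mapping]:
    """Live check of a running process (Linux only, needs read access)."""
    with open(f"/proc/{pid}/maps") as f:
        return find_wx_mappings(f.read())


# Constructed sample: two W+X regions (an anonymous JIT-style area and the
# heap), while the stack and the binary itself are correctly protected.
SAMPLE_MAPS = """\
00400000-004c0000 r-xp 00000000 08:01 1234 /opt/example/browser-plugin
006bf000-006c0000 rw-p 000bf000 08:01 1234 /opt/example/browser-plugin
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7f3a1e5a0000-7f3a1e5a1000 rw-p 00000000 00:00 0 [stack]
7f3a1e600000-7f3a1e700000 rwxp 00000000 00:00 0 [heap]
"""

if __name__ == "__main__":
    for m in find_wx_mappings(SAMPLE_MAPS):
        print(f"W+X: {m.start:#x}-{m.end:#x} ({m.size} bytes) {m.path or '<anon>'}")
```

A process that shows no W+X regions at rest can still gain one at runtime, so this is a point-in-time check rather than proof that NX cannot be bypassed, which is the poster's point.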

I would love to update, but fuck you Adobe/Java (0)

Anonymous Coward | more than 3 years ago | (#36458298)

I don't want to close my browser, I have 25 tabs open

I don't want to install yet another piece of software (with all its vulnerabilities) called a "Download Manager" (DLM to fool lusers with an acronym), probably useful in 1992 on a 28K modem, not so much in 2011 with ADSL2/Cable/HSDPA; bin that shit, face it Adobe you wasted your money on buying whatever software company chumps created it

I don't want to visit webpages laden with Omniture (2o7) spyware and tracker-of-the-week taking as much data as they can cram in a GET request like the parasites that they are while i try to figure out which button to click without getting into a world of pain..

I don't want a Google toolbar or a Yahoo bar or any other damn toolbar, nobody wants that shit (that's why they have to pay you to trick users into installing it), all it does is ruin their browsing experience (the sooner the AV companies properly mark them as Spyware and block them the better)

I don't want a "free security scan" and least of all from McAfee, if I want an AV I'll be sure to get it from the people who make them.

but most of all I just want a goddamn fucking security update so I don't have to worry about getting pWned because your 10yo product still isn't up to scratch yet

and no I don't want you running shit in the background (Java I'm looking at you) or installing any consoles or quickstarters or "deployment toolkits" or "Peer assisted networking", just fix the damn vulnerability and GTFO

Java the bitch better be listening too

well, fuck (0)

Anonymous Coward | more than 3 years ago | (#36458386)

I've watched about 20 hours of porn since then.

How about an auto-updater that doesn't suck? (1)

Nimey (114278) | more than 3 years ago | (#36458480)

Something like the one Adobe Reader X uses, in point of fact, one that can be configured to automatically install updates in the background without administrator privileges.

If you're going to be so fucking useless as to need such frequent security updates, have mercy on us IT types and unfuck your auto-updater.

2nd in nine days (1)

dave562 (969951) | more than 3 years ago | (#36458674)

There must be some serious pressure on them if they are patching that frequently. It's not like Senate.gov or Google are getting hacked or anything. People are not really using the internet, and malicious files to go after anything pertinent, at places like Lockheed, or other RSA customers. None of those places would use Adobe Reader to open those RFPs or other thousands of forms sent to them by Uncle Sam, right?

Barn door, meet the horse's ass that has already run away from you.

I don't think that anyone has digitized my 1st grade crayon drawings yet. I think those are still safe.

Adobe deserves to be raked... (2)

mevets (322601) | more than 3 years ago | (#36458878)

But the inference you are making is not well supported. Google's response to getting hacked was to institute a ban on MS machines. Apparently, Google lacks the resources to manage MS machines properly, which isn't exactly surprising.

Dust off the Senate.gov and others, and you may find the same root cause. Not unsolvable; just the solutions are unworkable. Ditch them and demand something better. It's not like there is a shortage of choice.

That little checkbox (2)

mph_sd (564445) | more than 3 years ago | (#36458686)

Strangely I decided not to read the EULA before applying the second patch in 2 days. OK, I didn't read it for the first patch in 2 days either. I hope this doesn't make me liable for...anything.