Slashdot: News for Nerds


Adobe Pushes Emergency Flash Player Security Fix

samzenpus posted more than 2 years ago | from the slap-on-the-patch dept.

Security 56

wiredmikey writes "As expected, Adobe today released a security update for its Flash Player. The out-of-cycle update addresses critical security issues in Flash Player as well as an important universal cross-site scripting issue. Adobe reported that one of the vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. To illustrate the importance of keeping systems up to date, including Adobe Flash products, the fact that the RSA cyber attack was executed using a spear phishing attack with an embedded Flash file should serve as a friendly reminder. RSA was breached after an employee opened a spreadsheet that contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability."


56 comments

Meanwhile (-1)

Anonymous Coward | more than 2 years ago | (#37473136)

My iPad is not affected.

Re:Meanwhile (2)

Kifoth (980005) | more than 2 years ago | (#37473198)

Oh. Really? ;) [padgadget.com]

Re:Meanwhile (2)

Synerg1y (2169962) | more than 2 years ago | (#37473228)

All you have to worry about is...
http://www.pcmag.com/article2/0,2817,2368269,00.asp [pcmag.com]

This one took about a week...
http://www.slashgear.com/apples-mac-os-x-security-update-2011-005-blocks-stolen-diginotar-certificates-09178410/ [slashgear.com]

Maybe you can just go to slashd0t.org instead if you set up your internal certs properly, if you're on a Mac :)

Coming soon, can you set up local certs on a Mac? Rats... Google returned a hit...
https://discussions.apple.com/thread/2734627?start=0&tstart=0 [apple.com]
even better :)

Re:Meanwhile (1)

atisss (1661313) | about 2 years ago | (#37477554)

My browsers aren't either.
The only couple of cases when I do click on Flashblock are on YouTube or Vimeo, when they don't have HTML5 support.

This has never happened before! (4, Funny)

savanik (1090193) | more than 2 years ago | (#37473156)

The sooner we can get rid of Flash, the better. Bring on the HTML5, which will have no security vulnerabilities whatsoever!

Re:This has never happened before! (1)

Device666 (901563) | more than 2 years ago | (#37473166)

Oh really, please check your email...

Re:This has never happened before! (0)

Anonymous Coward | more than 2 years ago | (#37473234)

Not sure if trolling or just stupid. Probably stupid considering this is slashdot.

Re:This has never happened before! (0)

Anonymous Coward | more than 2 years ago | (#37475124)

Not sure if trolling or just stupid. Probably stupid considering this is slashdot.

Not sure if trolling or just stupid. Probably trolling considering your 2nd sentence.

Re:This has never happened before! (1)

ejtttje (673126) | more than 2 years ago | (#37473592)

Apparently people don't know a good troll when they see it :)

Re:This has never happened before! (1)

tinkerton (199273) | about 2 years ago | (#37478120)

People shouldn't continually lump trolling together with parody, sarcasm, irony, tongue in cheek, or just stand up comedy.

Re:This has never happened before! (0)

Anonymous Coward | more than 2 years ago | (#37473624)

The sooner we can get rid of Flash, the better. Bring on the HTML5, which will have no security vulnerabilities whatsoever!

What is the use case for Flash ?

Ad banners ? ROTFL
Video ? No, with HTML5 video already in place.
Games ? Nothing Canvas can't fix.
Websites ? People should run away like hell from websites that are flash only.

Adobe will never ever willingly abandon Flash.
Change has to come from users, even if it means in the short medium term not playing flash games, or seeing a lol cat video on vimeo etc... But users generally are stupid, they would sell their own mother for a video or 5 minutes at a flash game. And this is what they win. I say let them be infected every day; at a certain point they will learn the lesson. Throw Adobe Flash in the e-toilet.

Re:This has never happened before! (0)

Anonymous Coward | more than 2 years ago | (#37475256)

Porn, you moron.

Re:This has never happened before! (1)

Dr Herbert West (1357769) | more than 2 years ago | (#37475298)

Wish I had mod points left, so I could mod you "dimwit". What, exactly, does canvas "fix"?

Go ahead and build me a game or an app that is more complicated than minesweeper or a tip calculator that can run seamlessly on multiple browsers. Or tell a client that their product slideshow will have nice transitions sometimes, in some browsers, maybe. But don't use it on IE6, or firefox. But IE9 will work, after service pack XX.

Do some actual production work once in a while, with a client that isn't your mom, before posting your bullshit. Devs don't set standards-- the clients do. And like it or not, they've been conditioned to want the experience that Flash has made standard.

Re:This has never happened before! (0)

hairyfeet (841228) | more than 2 years ago | (#37475308)

Oh please! Like we haven't had like a bazillion browser bugs these past couple of years? And WHICH HTML V5, the H.264 HTML V5 or the Theora one or the WebM one?

And it amazes me how geeks here will sacrifice pretty much anything on the altar of cross compatibility with Linux. Have you TRIED HTML V5? Try it on an older office machine or a new single core netbook, it's a slideshow! And even on machines that it actually runs it sucks major resources. Great way to kill batteries dead but most mobile users wouldn't be happy about that. Compare to Flash where even the 1.8GHz Sempron I use as a nettop and test bed for software for low power machines runs SD Flash just beautifully. Hell I could add a $40 GPU and even go High Def.

So while I'm all for cross compatibility I don't want it if it's gonna suck, which from what I've seen so far HTML V5 is gonna suck the big wet titty. There is just too much politics and too many with an agenda messing with it. Maybe in a decade they'll have the kinks worked out and the politics behind them it'll be good, but by then H.26x will be patent free so who will care.

Re:This has never happened before! (1)

AftanGustur (7715) | more than 2 years ago | (#37476532)

The sooner we can get rid of Flash, the better. Bring on the HTML5, which will have no security vulnerabilities whatsoever!

Exactly, Microsoft removing flash support in the upcoming version of IE will bring us back years in terms of security.

Re:This has never happened before! (1)

hesaigo999ca (786966) | about 2 years ago | (#37479300)

That is the f*cking understatement of the century!!!
I hate flash, yet people still want to use it, I do not understand....foxit at least, if not other pdf viewers. Adobe just has no clue when it comes to security, they are great at buying up the competition and repackaging the software for the image industry, not for security, so why allow your browser to have access to it, we really do not need to have flash websites....period!

Adobe used to mean something.... (0)

Anonymous Coward | more than 2 years ago | (#37473170)

Adobe used to mean something to the computing world. Now it is just the proponent of the worst jerry-rigged encapsulation methods and application platforms for malicious exploitation.

PDF should not be a distribution method for online documentation or viewing in web browsers, it should be available as a tertiary format FOR PRINTING ONLY, after html and plain text. But it is.

Flash should not be the default video player. But it is.

Haet :(.

Re:Adobe used to mean something.... (2)

0123456 (636235) | more than 2 years ago | (#37473226)

Adobe used to mean something to the computing world. Now it is just the proponent of the worst jerry-rigged encapsulation methods and application platforms for malicious exploitation.

Adobe was the company that trained me to press CTRL+S at least every two minutes so I wouldn't lose too much work the next time Premiere crashed, and to save to a new file every couple of hours so that I wouldn't lose too much when it corrupted the save.

Re:Adobe used to mean something.... (1)

Nerdfest (867930) | more than 2 years ago | (#37473908)

It's sad that we need something like this, but I'm glad it exists. There's an RSS feed [adobe.com] from the Adobe Product Security Incident Response Team.

Re:Adobe used to mean something.... (1)

Kjella (173770) | more than 2 years ago | (#37475402)

Adobe was the company that trained me to press CTRL+S at least every two minutes so I wouldn't lose too much work the next time Premiere crashed, and to save to a new file every couple of hours so that I wouldn't lose too much when it corrupted the save.

Heh, I learned that already in childhood playing Sierra games. Save early, save often and keep your old savegames. Of course that was by design, maybe they were just trying to prepare people for work life? It has certainly saved my ass a few times...

Paged media and vector animation (1)

tepples (727027) | more than 2 years ago | (#37473268)

PDF should not be a distribution method for online documentation or viewing in web browsers, it should be available as a tertiary format FOR PRINTING ONLY

Web browser developers have treated CSS paged media [w3.org] as a mere afterthought. What's the best practice to distribute paged media such as slide presentations for on-screen viewing?

Flash should not be the default video player. But it is.

I agree for pixel-based video, not so much for vector-based cartoons, at least until 2014 when Windows XP dies (taking IE <= 8 with it) and until browsers' SVG renderers become much faster.

Re:Paged media and vector animation (0)

Anonymous Coward | more than 2 years ago | (#37473618)

What's the best practice to distribute paged media such as slide presentations for on-screen viewing?

#include <rant.h>

Put everything on one page and have the user use the PgDn key or the scroll wheel. The web is not print. Fuck slideshows, fuck "after the jump", fuck "page 2" consisting of nothing more than one sentence of text and the author's byline, and fuck webmasters whoring for ad banner impressions.

Re:Paged media and vector animation (0)

Anonymous Coward | more than 2 years ago | (#37473742)

No, I think he meant literal slide presentations (e.g. at conferences), which are then made available on the web. Typical PDF viewers permit _both_ viewing a stream of pages, and a single page at a time, making it suitable for both delivering and browsing presentations; it's currently the best format I know for these, and there's really not much improvement needed. It's just the overuse of it for web-native content that _wants_ to be scrolled through on a long page, but is imprisoned in pages for no good reason.

The "slideshows" on various news sites and blogs, which are created specifically for the web, but use (in this case artificial) division into "pages" to satisfy an ad whore or a weak-minded scroll-averse "designer" -- those I totally agree with you on... but they're generally not PDFs anyway.

Re:Paged media and vector animation (0)

Anonymous Coward | more than 2 years ago | (#37474274)

Whoops...

s/\(just the overuse.*\)\./\1 that I hate./

Re:Paged media and vector animation (1)

tepples (727027) | more than 2 years ago | (#37473782)

Put everything on one page and have the user use the PgDn key or the scroll wheel.

So how does the author of such a page set the PgDn key or the scroll wheel to advance the scroll position by exactly the height of one slide?

Re:Paged media and vector animation (0)

Anonymous Coward | more than 2 years ago | (#37475832)

The same way that author guarantees that my 1024x600 netbook and my 1280x1024 desktop both show exactly one slide per screen -- quit being such a fucking control freak and let me read the document in the way that I'm most comfortable.

It's a lot less time-consuming (and less aggravating!) to adjust my scrolling to fit different heights than it is to enable Flash and click "page forward", then wait 30 seconds for the next section to render.

Re:Paged media and vector animation (0)

Anonymous Coward | more than 2 years ago | (#37476378)

So... are you a troll, or an idiot?

Tepples listed one good use for PDFs (natively paginated documents, such as IRL slideshows/presentations), and one begrudging use for Flash (Homestar Runner); some AC (I assume you) replied to the PDF use suggesting we pretend pages don't exist for those, instead of (the status quo) loading them in a PDF viewer that almost invariably supports both continuous scrolling and single-page viewing.

Unless someone is using a PDF viewer implemented in Flash *shudder*, Flash has nothing to do with it, and if they are, that's a fault specific to them -- I don't approve, you don't approve, and nothing tepples has said indicates he approves, so it's either a total red herring (troll) or a facepalmingly stupid misunderstanding (idiot).

PowerPointitis, margins, and FlashPaper (1)

tepples (727027) | about 2 years ago | (#37478042)

Thank you for recognizing my point.

Tepples listed one good use for PDFs (natively paginated documents, such as IRL slideshows/presentations)

The impression I got from the top-level post was that documents SHOULD NOT* be natively paginated and SHOULD be authored for scrollable media. Slideshows/presentations allegedly lead to PowerPoint syndrome [visionarymarketing.com].

a PDF viewer that almost invariably supports both continuous scrolling and single-page viewing.

In theory, yes. But in practice, people still distribute PDFs with two-column layouts intended for printing. And even with one-column layouts, continuous scrolling still leaves a two inch gap between the text at the bottom of one page and the text at the top of the next.

Unless someone is using a PDF viewer implemented in Flash *shudder*

That was FlashPaper [wikipedia.org], Macromedia's competitor to Acrobat before Adobe bought Macromedia. Nowadays, even though PDF technology has nothing to do with Flash technology, they're associated in people's minds under the banner of "Adobe products".

* In the sense of RFC 2119 [ietf.org].

Re:Adobe used to mean something.... (3, Interesting)

Anonymous Coward | more than 2 years ago | (#37473326)

Nation-State Attackers Are Adobe's Biggest Worry: [A]dobe has contacts in the big defense contractors, government agencies and other organizations that are most often the targets of state-sponsored attacks. So when a new attack begins, the company typically hears about it within hours as customers begin to call and report a new threat involving an Adobe product. Now, says Brad Arkin, the senior director of product security and privacy at Adobe, it's at a point where the company's main adversaries are state-sponsored actors. Arkin said that when a new attack involving a zero-day bug in one of Adobe's products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. [HSEC-1.2; Date: 20 September 2011; Source: http://threatpost.com/en_us/blogs/nation-state-attackers-are-adobes-biggest-worry-092011] [threatpost.com]

Update Flash, now with FREE trojan! (0, Insightful)

Anonymous Coward | more than 2 years ago | (#37473260)

What worries me more is that the download page of Flash has the "Yes, install Google Chrome - optional" already selected for you. Users searching for the big large download button will not even see it. Chrome (or at least how Google pushes it) behaves more and more like a trojan!

Re:Update Flash, now with FREE trojan! (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37473314)

They change their bundleware push every few weeks to months, it seems to vary a bit. Chrome is a recent addition, some McAfee shit was before that, I think the bing toolbar may have shown up once or twice...

It's atrociously unprofessional on Adobe's part, very 90's .bomb affiliate sleazeware; but it isn't a Google-specific thing (though Google is getting themselves rather dirty by association, particularly when they have google.com from which to offer things, which is a pedestal that few can hope to aspire to)...

Re:Now With self-deleting installer! (1)

qubezz (520511) | more than 2 years ago | (#37475676)

These people at Adobe are getting unbelievable. Now, the way that you could previously have gotten an offline installer (choose different OS/different browser), foists you a web downloader instead of a full installer, and guess what? You run it, and it deletes itself! Besides foisting Google Toolbar on you (or McAfee Antivirus crapware if you are downloading Firefox flash), this is about as slimeball as it gets.

JEEEBUSS CHRIST!!!! (1)

MightyMartian (840721) | more than 2 years ago | (#37473292)

Flash has truly become one big pile of steaming crap! I used to be against Apple, but frankly I think it should be made unlawful and Adobe fined a trillion dollars for every security incident involving that piece of garbage.

Fucking hell, all of this so we can watch some fucking videos on the Internet and be annoyed by idiotic ads. Somebody, please, wipe Adobe out. They have become, through their sheer stupidity and incompetence, a force for online evil.

Re:JEEEBUSS CHRIST!!!! (1)

Eravnrekaree (467752) | more than 2 years ago | (#37475982)

I would partly blame Firefox (!) however as well. Why would I say such a thing? Firefox fails to offer some means to block the loading of the flash plugin selectively, I would like for instance to by default block it and then opt in to allow certain pages to use flash. This should be integrated into a general security zones feature where you can create a security zone with this and settings for other things like javascript, to be enabled or disabled for the sites you have added to the zone. Firefox lacks the most basic tools to even manage flash and so helps make the problem worse. And don't say it should be an add-on, because add-ons THEMSELVES are an invitation to trojans!

Re:JEEEBUSS CHRIST!!!! (0)

Anonymous Coward | more than 2 years ago | (#37476348)

Are you just trolling? Firefox has the best of all of those things by far, bar none. Oh but it takes an add-on? What's the point of that claim? Flash is an add-on functionally.

Re:JEEEBUSS CHRIST!!!! (1)

hawkinspeter (831501) | about 2 years ago | (#37477384)

Haven't you heard of noscript or flashblock plugins for firefox?

How do I...? (2)

mr_lizard13 (882373) | more than 2 years ago | (#37473492)

How do I get this vital security update for my iPhone?

Re:How do I...? (0)

Anonymous Coward | more than 2 years ago | (#37474030)

How do I get this vital security update for my iPhone?

From the same place that I can get this vital security update for my Nokia 3310.

Ha ha! Only jesting.... one great joke deserves another- yes, I spotted your little point, and we can both be smug that neither of our phones needs this security update because they don't run Flash. I have a small flat lump of concrete in my garden that doesn't suffer from that vulnerability for the same reason.

In fact, my lump of concrete is *entirely* secure from hacker attacks, so it *must* be better than an Android phone that runs that nasty Flash stuff!

Re:How do I...? (0)

Anonymous Coward | more than 2 years ago | (#37474436)

I'm just going to keep the joke going because my Windows, Linux, and Android operating systems all shipped with Flash and I'm not sure how they got there or how to update.

Stupidity is a choice.

Figures (0)

Nimey (114278) | more than 2 years ago | (#37473790)

I just got done making a new install image for work today.

I'm seriously not trolling (1)

Ralph Spoilsport (673134) | more than 2 years ago | (#37474154)

when I say I don't care because to me Flash is DEAD. Ever since HTML 5 started congealing, I've seen no reason to bother with Flash outside of simple animations. Which is where it started. And should have stayed, but with MM Director dying a slow and deserved death in the mid 90s, they had to find new work for the engineers....

Re:I'm seriously not trolling (0)

Anonymous Coward | more than 2 years ago | (#37474670)

Apple had a huge hand in this change as well. By completely shutting out Flash on their mobile platform, they've forced developers to use alternate techniques if they want their sites to work on all devices. Supporting HTML5 and Flash video on your site brings you one step closer to getting rid of Flash completely. We just have to wait for IE8 to die now... see you guys in 10 years.

Slim version (3, Informative)

MrL0G1C (867445) | more than 2 years ago | (#37474452)

Nice quickly installing slim version, no junk and no download manager etc required:

IE
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe [adobe.com]

Firefox etc
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe [adobe.com]

Re:Slim version (1)

whoami9801 (765798) | more than 2 years ago | (#37475646)

You sir are a gentleman and a scholar. You wouldn't happen to have an MSI would you?

Re:Slim version (3, Informative)

David_W (35680) | more than 2 years ago | (#37475760)

You sir are a gentleman and a scholar. You wouldn't happen to have an MSI would you?

Funny, I just went looking for such a beast, being sick of fighting with their usual installer...

64 bit? (1)

jbeaupre (752124) | more than 2 years ago | (#37474784)

Does this also affect the 64 bit version 11? Just curious since they haven't updated it for 2 weeks.

I was wondering that myself (0)

Anonymous Coward | more than 2 years ago | (#37475344)

I use the 64-bit FLASH 11 betas for FireFox & IE9 here. Good question, hope we get answers!

APK

64-bit Flash Updated to 2 ver.# 11.0.1.152 (0)

Anonymous Coward | more than 2 years ago | (#37615248)

FINAL BUILD - Check your version here, first -> http://www.adobe.com/software/flash/about/ [adobe.com]

AND, then download the latest/greatest for whatever OS, browser, & "bitness" (lol, 32 or 64) you need, here:

http://get.adobe.com/flashplayer/otherversions/ [adobe.com]

* That's in regards to my other reply to you here, I was curious myself, since we both use the 64-bit build of FLASH PLAYER (& I kept you in mind is all)...

APK

P.S.=> Enjoy! So - Yes, the 64-bit one HAS BEEN UPDATED, & to the version # in my subject-line above also...

... apk

just goes to show... (1)

Gravis Zero (934156) | more than 2 years ago | (#37475236)

the more features you add to a program the more likely it is to be exploited. It also doesn't help to be closed source.

So? (1)

jensend (71114) | more than 2 years ago | (#37475342)

Is every security update now front page-worthy news? Maybe it's been a slow news day or something, but Flash security patches aren't exactly a rare occurrence. Might as well have an article "SUN COMES UP AGAIN TODAY!"

Getting the New Version (2)

DERoss (1919496) | more than 2 years ago | (#37475598)

For those few (like me) who use SeaMonkey with "Advertise Firefox compatibility" disabled, the download site for Flash is broken. You wind up in a loop without ever getting the download. Either enable "Advertise Firefox compatibility" or spoof Firefox in some other way. Then, before trying the download site, remove all Adobe cookies. Yes, it's another case of invalid UA sniffing.

When you finally download, you get a stub installer, not a complete installer. This is true for everyone, including users of IE and Firefox. To download the complete installer, see http://forums.adobe.com/thread/889580?tstart=0 [adobe.com].

I'm not sure why I pursued this so vigorously. Normally, I browse the Web with Flash disabled.

Does this affect Flash 11 beta? (1)

Bandwidth_ (91035) | more than 2 years ago | (#37475710)

Does this affect the Flash 11 beta?

Re:Does this affect Flash 11 beta? (1)

operator_error (1363139) | more than 2 years ago | (#37476820)

Adobe released Flash 11 yesterday, so no need to use the beta anymore; and I'm assuming the security issue was addressed or the release wouldn't be happening.

http://apple.slashdot.org/story/11/09/21/1559246/Adobe-Releases-Flash-11-and-AIR-3 [slashdot.org]

TFA specifically calls out Flash 10.3 though, not v11. Also the Flash 11 beta on Linux doesn't mention the new release at all. I am using Ubuntu and using the Flash Preferences (in System > Preferences), I am not informed of any actual new release. Maybe because I am in Europe and Adobe's CDN hasn't woken up yet? (ha ha). I clicked the Advanced tab, and then Updates > Check Now. My browser opens a page at adobe.com which tells me:

You have version 11,0,1,98 installed

Actually, I have Beta 2 installed from at least a week ago, not the Sept. 21 release.

Go Adobe! Go!

Re:Does this affect Flash 11 beta? (2)

operator_error (1363139) | more than 2 years ago | (#37476876)

Oh man, I hate replying to my own ./ post, but *that* ./ article headline and summary are completely false. If you read all the waaaay down to the bottom of TFA, on the linked-to slashdot piece, it says "Flash Player 11 and AIR 3 would be publicly available in early October, Adobe said in a statement." So no v11 Release happened at all.

Adobe specifically states "Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android.". Hope this info helps.

https://www.adobe.com/support/security/bulletins/apsb11-26.html [adobe.com]

Useless security fix without an effective updater (1)

Quick Reply (688867) | about 2 years ago | (#37477648)

It doesn't matter how quickly Adobe push out security updates, their updater is ineffective because it has too many manual steps, when it should be able to be completely automated like Windows Update is.

Most users that I have seen simply click "Cancel" every time they start up their computer and the updater comes up, because they don't know what it is, and have been taught not to install software that they don't know.
