Adobe Flash Zero-Day Attack Underway
Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"
Re:And people (Score:5, Insightful)
I am not saying it wouldn't HELP both in usability of websites and security. I use it myself, too.
I am, however, saying that it keeps you a lot less secure than many (not specifically the person I'm responding to) seem to think.
I have used NoScript for half a year or so (Well, a bit longer I think but half a year on this OS install, this whitelist, etc.)
What does this mean? I have several hundred, possibly thousands of, whitelisted websites. I play a lot of small Flash games to kill time, so I have addictinggames, miniclips, arcade and a dozen other Flash game sites whitelisted.
"I know the webmaster of arcade.fi personally, a good guy, I can keep his website whitelisted, right?" Well... I also know he buys most of the games from freelance coders in India. Quite cheaply. How can I be certain that one day one of these programs won't contain a zero-day exploit? I can't. So a trusted website that has always been trusted might still not be trustworthy.
Same with many other sites. I (and I know many others of you) also have many porn sites whitelisted; how do I know one of those trusted websites with a lot of traffic won't one day have been hacked to carry some exploitation code? I don't.
NoScript won't protect me against any sites that I visit often, really.
Re:SNAFU (Score:3, Insightful)
Your argument is essentially flawed, as this exploit has probably been in Flash Player since Macromedia owned it, and yet your blame gets directed at Adobe.
Re:And people (Score:5, Insightful)
It's nice for you that you don't get infected. But you don't count (not trying to belittle you, nobody counts). What counts is numbers. And for every one person who knows what he's doing when clicking a link, there are thousands who don't know the difference between the browser, Flash and the OS.
And these people are a problem. They become spam relays, increasing traffic (and making spamfilters a necessity). They get ripped off by password stealing trojans, making the services they use more expensive for everyone in turn (because neither banks, nor amazon, nor ebay simply swallow the loss, they just have everyone pay a few cents more).
And no, I have no solution for the problem. Unfortunately I'm not in the position to dictate who may use the net and who may not. Actually, the ones that do have the legal muscle to dictate it want those "unwashed masses" rather than people who know how to use their computers. The former group tends to buy. The latter tends to know how to do it themselves.
Re:And people (Score:4, Insightful)
On the other hand, invasive and outright obnoxious ads tend to kill the experience, so people start looking for ways to get rid of them.
As usual, the best way is something both sides can "live" with. Take
It's pages that run full-page in-your-face ads that make their users turn to ad blockers. And those ads will be blocked. Some pages turned to tools that ensured that, if you block their ads, you don't get to see their content. Which in turn often backfired and caused people who didn't block the ads but just happened to have some sort of freaky setup to be locked out as well.
Hmm... honestly, I didn't want to turn this into a tirade about DRM.
Re:And people (Score:2, Insightful)
These asshats just don't get it. If I have configured MY browser not to obey every link on your shitty page, that is none of your business.
Re:And people (Score:1, Insightful)
Adding adblock into the mix is good too.
Why is SQL injection even still a problem? (Score:5, Insightful)
After all, it's my God-Given Right to name my son Robert'; DROP TABLE STUDENTS [xkcd.com]. I shouldn't be getting nasty phone calls from every school he's ever attended!
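The Bobby Tables case from the comment above, worked through as an added example (not code from the thread): the same name goes once into a query built by string concatenation and once through a bound parameter, using an in-memory SQLite table of constructed data, and a helper reports whether the table survived. The name used is the full one from the xkcd strip, since that form parses as a complete statement.

```python
import sqlite3

# Constructed sample input: the full name from the xkcd strip referenced above.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """In-memory Students table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    return conn


def insert_unsafe(conn, name):
    """Vulnerable form: the name is spliced into the SQL text, so a quote in it
    closes the literal and whatever follows is parsed as SQL. executescript()
    runs several statements in a row, as many database drivers do by default."""
    sql = "INSERT INTO Students (name) VALUES ('%s');" % name
    conn.executescript(sql)


def insert_safe(conn, name):
    """Hardened form: a bound parameter is sent as data and never parsed as SQL,
    so the quote and the DROP TABLE are stored as part of the name."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY id")]


def demo(unsafe):
    """Return (table_survived, names_after_insert) for one of the two inserts."""
    conn = fresh_db()
    (insert_unsafe if unsafe else insert_safe)(conn, BOBBY)
    survived = table_exists(conn)
    return survived, (student_names(conn) if survived else [])
```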
Re:SNAFU (Score:3, Insightful)
Not that this vulnerability would necessarily have been picked up...
Re:SNAFU (Score:5, Insightful)
1) Adobe Reader takes too long to launch compared to other software. People moan when they encounter a PDF on the web.
2) Flash (yes, they own it now) is a resource hog when visiting web sites with only a few ads. Enough already.
3) If you have the Adobe CS3 suites, you'll come to HATE the update agent... slow, intrusive, frequent.
4) I'm always removing the Adobe Reader plugin from my browser after a CS3 upgrade. I don't want the damned thing in there.
5) Right click a banner ad and look at Settings. I don't like my camera and microphone being a choice there.
I wouldn't call it the WORST company... Adobe didn't make IE. That said, I get a lot of good use out of Adobe products, but sheesh... it can be the most sluggish stuff you'll ever use.
Re:And people (Score:1, Insightful)
Made all the more so by the lack of an automated update mechanism for Adobe Flash.
Re:And people (Score:5, Insightful)
Also, for a developer who only does update/work/diff/commit, CVS (and SVN) is easier to use than git.
Re:And people (Score:4, Insightful)
If it's good and cheap, it takes forever to do it.
If it's good and quickly done, it won't be cheap.
If it's cheap and quickly patched together, it will be anything but good.
Now, look at the market of today and tell me which strategy allows you to sell your product.
It's not just software; this system works in every area. And the only thing that keeps it in check, unfortunately, is safety regulations and liability. Otherwise we'd have gas lines that blow up every now and then and cars that make it a matter of luck whether they break when you hit the metal.
The current hype is price. How many products do you know that sell through quality? The selling point is how CHEAP it is and how much you SAVE when you buy it.
The same works for software. Yes, you could create a rock solid, absolutely stable system. Software follows the same rules as above. It can be cheap and solid, but it will take
But I can't find an example for solid and quick. I guess the company that tried it went bankrupt before they were done...
Re:And people (Score:5, Insightful)
I'm quite active in a lot of forums and while some webmeisters might bitch about it, they have every right to write piss poor web code (including intrusive banners) and I have every right NOT to see such crap when I browse.
Do you believe it when TV shows make you feel like you are 'stealing' if you don't watch the ads between the show segments?
How is blocking ads any different?
Why would you just 'give in' to some stupid webmaster? He has his views, but it's not the full story. And if he goes away due to 'lack of profit motive', another (maybe better) will come along. Dime a dozen.
I don't 'protect' webmasters. They are not any better than users and don't deserve any more consideration than they give users (which tends to be on the low end of the respect stick).
Flash (Score:4, Insightful)
In any case, my point is that Flash is an overkill for most GUIs on the web, it's good for video streaming, but even for that it is not absolutely necessary. However for whatever reason various dynamic functionality is often required by the business to be done within the browser. Something that cannot be done without some sort of scripting - sliding tabs, smooth transformations between images/text whatever. Such functionality is what browser side scripting is for. In order to be able to use this functionality at least javascript will have to be allowed. Whether anyone really wants to go to the website is a different question, but some websites provide useful functionality that is welcomed by the customers.
Re:And people (Score:3, Insightful)
If you're talking about 0-day exploits, my point still stands: any decoder can potentially have exploits, and the only solution is to either keep your software (whether it's an image library or a flash plugin) up to date, or to simply stop using it (browse with no images, no flash).
If your problem with Flash is that it's a pain for users, you can argue the same way about a lot of other things. For instance, I haven't seen functionality by default to "selectively" stop animated GIFs, even though their only use these days is ads.
Personally, from a technical standpoint I find flash pretty nice. While there's a lot of people using Flash to make another silly "skip intro"-site, I've seen others making good use of Flash's capabilities to actually make a better user interface. You can try to do similar things with html, css and "ajax", but the results I've seen out there are often very messy (but again, sometimes it really works well).
In both cases, the technologies are just tools. Blame the people who bombard people with advertisement, or make crappy websites. Not the tools that are (ab)used.
My only qualm with Flash was that until recently it wasn't open at all, and I don't trust Adobe. With the specs now being fully open, and two independent open-source Flash runtime implementations, that issue has been solved too.
My Stewped Bank' "Website" (Score:3, Insightful)
"For 'Security' Reasons".
Now I have even more ammunition with which to criticize their "security". (This began when they recommended Internet Exploiter(tm)(r)(c) and the prevailing commercial "Operating System"s, and locked me out, with my Debian and IceWeasel: "IceWeasel? That's _not_ an approved browser!")
Hey, I know. I need a new bank. Does anybody know of one that's clueful enough to _not_ recommend IE?