92% of Windows PCs Vulnerable To Zero-Day Attacks On Flash

CWmike writes "More than 9 out of every 10 Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won't patch until Thursday, Danish security company Secunia says. According to Secunia, 92% of the 900,000 users who have recently run the company's Personal Software Inspector (PSI) utility have Flash Player 10 on their PCs, while 31% have Flash Player 9. (The total exceeds 100% because some users have installed both.) The most-current versions of Flash Player — 9.0.159.0 and 10.0.22.87 — are vulnerable to hackers conducting drive-by attacks hosted on malicious and legitimate-but-compromised sites. Antivirus vendors have reported hundreds, in some cases thousands, of sites launching drive-bys against Flash."
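The summary describes the kind of check Secunia's PSI performs: inventory the Flash Player builds on each machine and flag any at or below the latest known-vulnerable build on its branch (9.0.159.0 and 10.0.22.87 per the summary). The script below is an added example and is not Secunia's or Adobe's code. The host names, plugin kinds and version strings are constructed sample data; the "WIN 10,0,22,87" string form is assumed here to be the shape Flash's own GetVariable("$version") call returns, and the fixed-looking build 10.0.23.0 is hypothetical, used only for contrast. It also shows why a host can count toward both the Flash 9 and Flash 10 figures: IE uses the ActiveX control and Firefox the NPAPI plugin, which are separate installs.

```python
# Added example (not Secunia PSI or Adobe code): flag Flash Player installs at
# or below the last unpatched build named in the summary, 9.0.159.0 / 10.0.22.87.
# Sample hosts and versions are constructed; the "WIN 10,0,22,87" form is an
# assumption about what Flash's GetVariable("$version") returns.
from collections import defaultdict

# Latest known-vulnerable build on each branch, taken from the summary above.
VULNERABLE_UPPER_BOUND = {
    9: (9, 0, 159, 0),
    10: (10, 0, 22, 87),
}


def parse_version(text):
    """Turn '10.0.22.87', '10,0,22,87' or 'WIN 10,0,22,87' into a 4-int tuple.

    Tuples compare numerically; plain strings do not: '10.0.22.87' < '9.0.159.0'
    is True as strings, which would rank every Flash 10 build below Flash 9.
    """
    text = text.strip()
    if " " in text:                      # drop a platform prefix such as 'WIN'
        text = text.split(None, 1)[1]
    parts = [int(p) for p in text.replace(",", ".").split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("bad Flash version string: %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version):
    """True if this build is at or below the last unpatched build on its branch."""
    v = parse_version(version)
    bound = VULNERABLE_UPPER_BOUND.get(v[0])
    if bound is None:
        return False                     # branch not covered by this advisory
    return v <= bound


def summarize(inventory):
    """inventory: iterable of (host, plugin_kind, version) triples.

    A host can carry two installs (the ActiveX control used by IE and the NPAPI
    plugin used by Firefox), which is why the summary's 92% + 31% exceeds 100%.
    Returns per-host counts the way a PSI-style report presents them.
    """
    branches = defaultdict(set)          # host -> set of major versions present
    vulnerable = set()
    for host, _kind, version in inventory:
        branches[host].add(parse_version(version)[0])
        if is_vulnerable(version):
            vulnerable.add(host)
    hosts = len(branches)
    return {
        "hosts": hosts,
        "with_flash9": sum(9 in b for b in branches.values()),
        "with_flash10": sum(10 in b for b in branches.values()),
        "vulnerable_hosts": sorted(vulnerable),
        "vulnerable_share": len(vulnerable) / hosts if hosts else 0.0,
    }


# Constructed sample inventory: pc-01 has both the ActiveX and NPAPI builds.
SAMPLE_INVENTORY = [
    ("pc-01", "ActiveX", "WIN 10,0,22,87"),
    ("pc-01", "NPAPI", "9.0.159.0"),
    ("pc-02", "NPAPI", "10.0.23.0"),     # hypothetical later build, for contrast
    ("pc-03", "ActiveX", "9.0.124.0"),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INVENTORY).items():
        print("%-18s %s" % (key, value))
```

The numeric tuple comparison is the part worth copying: an inventory tool that compares dotted version strings lexically will mis-order 10.x against 9.x and silently pass the newer branch.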
  • This is why... (Score:2, Interesting)

    by Darkness404 ( 1287218 ) on Tuesday July 28, 2009 @10:47AM (#28852365)
    This is the reason why we either need diversity in software or OSS. Flash is installed on practically every computer, and for good reason: many sites require Flash. However, relying on a single piece of software and a single software version is a bad idea, even more so when it is closed-source.
  • Re:Noscript (Score:3, Interesting)

    by causality ( 777677 ) on Tuesday July 28, 2009 @10:57AM (#28852599)

    Browsing the web without a few browser mods is the only way to surf these days anyway.

    Yeah. When I read this headline my first impression was "should I try to act surprised?"

    This is just history repeating itself. Even if it required an NDA, if Adobe were smart they'd try to hire the OpenBSD folks to audit their code as they're obviously not capable of securing it themselves.

  • I've Always Said... (Score:3, Interesting)

    by Anonymous Coward on Tuesday July 28, 2009 @10:57AM (#28852605)

    I've always said(for years) that Flash would be the killer infection vector and that its cross platform ubiquity would be the Achilles heel for Linux and Mac.

    This is but a taste of things to come. Flash is an abomination. It has too much power with too little end user control over that power. Combined with its insanely large install base and you have disaster waiting to happen.

    I'm not sorry for being right all the time. So suck it!

  • Re:Horseshit. (Score:3, Interesting)

    by causality ( 777677 ) on Tuesday July 28, 2009 @12:18PM (#28854037)

    How is that Offtopic? It's exactly spot on. Mod parent up, if you're not a Noscript shill.

    Agreed. Mods, please promote the GP post. This really should be discussed and resolved.

    I also disagree with the GP but censoring him is not the Way. I do think it is akin to censorship because nothing he said is detrimental to the discussion. Also, a lot of people feel the way that he does and they should have their say. At least, this is what I believe. I have written a post describing why I disagree and why I think there is a better way to handle the situation. I think that in an open discussion, the truth will win out, and on this one I also believe that I have summarized the truth of the matter. If I'm wrong about that, modding down the "other side" of the discussion will not help me to discover where I have erred.

  • by hessian ( 467078 ) on Tuesday July 28, 2009 @02:22PM (#28856169)

    These bloated plugins seem to also be responsible for 80%-ish of the crashes I have in Mozilla.

    They are the big weakness of the web: what if someone decides to start putting a non-standard format out there that becomes a de facto standard because it's the easiest way to do something?

    Flash seems to be the easiest way to put up an animation.

    PDF is the best format for distributing documents that you don't necessarily want others to edit.

    No one wants to explore alternatives because the content is in these somewhat unwieldy formats.

  • by tunapez ( 1161697 ) on Tuesday July 28, 2009 @02:32PM (#28856299)

    all web sites have a perfectly usable non-flash variant of the site

    I've found more than a few that did not have non-Flash alternatives; sadly, it's becoming less rare. Maybe with the proliferation of pages designed for mobile device displays we can see smaller pages with fewer bells & whistles loading all the time.

    Anyone find a good aggregate of functional mobile web pages? I've found the basics, would like to try more of these at home.
    Goog [slashdot.org]
    Msn/Live/Bing/... [slashdot.org]
    yahoo [slashdot.org]

  • by Xilinx_guy ( 551837 ) on Tuesday July 28, 2009 @02:47PM (#28856621)
    I noticed in early July that my Kubuntu 8.10 machine started showing corruption in the EXT3 filesystems, and it seemed to happen every time I used Firefox (which had Flash installed). I finally got so sick of restoring from backups that I rebuilt a totally new Kubuntu 9.04 image, without Firefox. I now run Firefox in VirtualBox, using a sandboxed image of Kubuntu 9.04. This has stopped the filesystem corruption in the host OS, but I continue to see EXT3 corruption in the sandboxed Firefox with Flash. It's beginning to look very sensible to use 3 virtual machines for browsing the web now: a Green Sandbox for just my banks, a Yellow Sandbox for email and PayPal, and a Red Sandbox for everything else (including Slashdot). Even with Noscript, the Red Sandbox still gets dirty and needs rolling back to the initial snapshot. I haven't run rootkit detection or virus scanning yet, but I'm beginning to believe that integrated intrusion detection will be the next Great Thing (tm) for virtual machines. Charlie Stross thought about this years ago in Accelerando. It's worth a read.
  • by je ne sais quoi ( 987177 ) on Tuesday July 28, 2009 @02:50PM (#28856673)
    I read the linked interview, and then I read a few other related things, and while that's certainly cause for concern, the real question is: why do we continually read about Windows zombie nets, Windows holes, etc.? To my knowledge there has only been one botnet on OS X, and even that required you to download a pirated version of some software and install it, and as far as I know that vector for attack has been in continuous use for Windows machines since Windows 3.1.

    If Apple has about 8-10% of the usage share of PCs, shouldn't 8-10% of the stories we read be about OS X vulnerabilities? We almost never see them. As others in this thread have noted, this particular vulnerability in this article is across the board (Linux, OS X and Windows), so I'll give you that one, and that OS X vulnerabilities may be underreported. But I'm not the first to observe this, and various theories I've read include that Apple sells more laptops that are inherently mobile and thus unattractive to malware writers, that the vulnerability-writing software hasn't been written for OS X yet, that Apple tends to patch things more quickly, and that Apple is more litigious so nobody wants to talk about any found vulnerabilities. I don't think any of these things are really on the mark though. Maybe the virus writers just buy commodity hardware and don't want to bother spending the extra money for a Mac.
  • by 1s44c ( 552956 ) on Tuesday July 28, 2009 @05:41PM (#28859483)

    Flash is an ongoing security nightmare. Users demand the functionality but don't understand or care about the security cost.

    Flash is one abomination that should be put out of its misery ASAP.

  • by cenc ( 1310167 ) on Tuesday July 28, 2009 @06:50PM (#28860237)

    I would highly suspect by now that the entire ecosystem involved in an average patch in FOSS software is very much outstripping the resources of MS, at least on the eyeball side. What does MS put at any given problem, a few hundred or a few thousand programmers? Yeah, there might be a whole lot more people in the marketing spin department, but they don't really count as helpful.

    It is not just the guys around one project, a particular writer in FOSS that vets the patch. It is the entire community of hundreds of different distros, sub-projects, individual users, and so on that vet a patch or change and decide to include it, ignore it, put it on the shelf, and push changes back up the food chain as problems are found.

    I consider myself to be pretty much an end user of FOSS, but perhaps leaning more to the power-user side of things. I remember a bug I found in an early development release of Firefox. From the time it was released, to the time I found it, verified it, and went to report it, was less than 30 mins. Guess what? 100 other people had found it, 10 proposed patches had been submitted, and the best had already been accepted into the next version a full 15 mins earlier than me. That is just normal in FOSS.

    No one can tell me a company with a massive bureaucracy of rules and procedures would be able to mobilize anything at that speed. It likely takes them a week just to get authorization from the legal department to look at the source code they wrote.
