
92% of Windows PCs Vulnerable To Zero-Day Attacks On Flash

Posted by timothy
from the in-some-contexts-8%-is-really-good dept.
CWmike writes "More than 9 out of every 10 Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won't patch until Thursday, Danish security company Secunia says. According to Secunia, 92% of the 900,000 users who have recently run the company's Personal Software Inspector (PSI) utility have Flash Player 10 on their PCs, while 31% have Flash Player 9. (The total exceeds 100% because some users have installed both.) The most-current versions of Flash Player (9.0.159.0 and 10.0.22.87) are vulnerable to hackers conducting drive-by attacks hosted on malicious and legitimate-but-compromised sites. Antivirus vendors have reported hundreds, in some cases thousands, of sites launching drive-bys against Flash."
  • Well at least the iPhone is safe...

    Will Flash just die already! We have the video tag, IE users can suck it up as well. FlashBlock for Firefox, but what to use for Chrome?

    • Re: (Score:3, Insightful)

      by ByOhTek (1181381)

      People wonder why I don't install flash, all web sites have a perfectly usable non-flash variant of the site, and get extremely PISSED OFF when an enterprise software manufacturer requires the use of flash for important parts of their site.

    • by Frosty Piss (770223) on Tuesday July 28, 2009 @10:24AM (#28853117)

      Will Flash just die already!

      There's always Silverlight... No, really!

  • This is why... (Score:2, Interesting)

    by Darkness404 (1287218)
    This is the reason why we either need diversity in software or OSS. Flash is installed on practically every computer, and for good reason: many sites require Flash. However, relying on a single software and single software versions is a bad idea, even more so when it is closed-source.
    • by Ilgaz (86384)

      Yes, who are they to support all platforms in equal manner allowing same functionality in all sites?

      My suggestions are:
      1) Drop PowerPC support
      2) Drop Linux support
      3) Find some sold out once open source heroes to implement half ass functional thing with a cool name.
      4) Go mono! err.. profit!

  • FlashBlock (Score:4, Insightful)

    by asdf7890 (1518587) on Tuesday July 28, 2009 @09:51AM (#28852475)
    This makes FlashBlock all the more useful. No flash that I don't explicitly enable ever runs in my browser, which should stop these drive-by attacks in their tracks (unless they somehow infect flash objects I would normally allow, instead of injecting a new "hidden" object into the hacked sites).
  • by jo42 (227475) on Tuesday July 28, 2009 @09:52AM (#28852497) Homepage

    The fix to all Flash problems lies here on Adobe's own web site: How to uninstall the Adobe Flash Player plug-in and ActiveX control [adobe.com].

  • If you're not using this, or something like it, then your Admin isn't doing their job.

    It looks like none of the users are getting Flash until Thursday. Sorry guys, no Pandora for you. (Also looks like I won't be getting a cake on sysadmin day.)

  • Adobe (Score:3, Insightful)

    by sys.stdout.write (1551563) on Tuesday July 28, 2009 @09:55AM (#28852567)
    is like RealNetworks was years ago.

    The only difference is that when Real started raping people's computers it was replaced.
  • I've Always Said... (Score:3, Interesting)

    by Anonymous Coward on Tuesday July 28, 2009 @09:57AM (#28852605)

    I've always said (for years) that Flash would be the killer infection vector and that its cross-platform ubiquity would be the Achilles heel for Linux and Mac.

    This is but a taste of things to come. Flash is an abomination. It has too much power with too little end user control over that power. Combined with its insanely large install base and you have disaster waiting to happen.

    I'm not sorry for being right all the time. So suck it!

  • Zero-Day attack (Score:2, Insightful)

    Zero-Day attack
    The coder: whack
    One means to stop
    The furbrained attack
    Burma Shave
  • Flash is installed on almost every PC. The large majority of Windows users still use Internet Explorer, so the majority right there are vulnerable. Firefox has a respectable percentage of the user base, but very few of those people (outside of the Slashdot crowd) seem to use tools like Flashblock. The other browsers - Chrome, Safari, Opera round out the group; their users are pretty much all vulnerable too.

    It's sad, I agree - but we already knew this was the case since we've known about this unpatched flaw

    • Well, given that it's possible to avoid Flashblock just by lying to the browser (since FF3 doesn't do much MIME checking), installing it really doesn't help security significantly.

  • I hate Adobe (Score:4, Insightful)

    by Anonymous Coward on Tuesday July 28, 2009 @10:29AM (#28853213)

    You know ...

    I hate Adobe software.

    There, I said it.

    Photoshop is buggy. Premiere is often weird and arcane. Flash and Reader have had some NASTY security holes of late. Reader is a painfully source resource pig. Adobe is at least a year late in releasing a 64 bit version of Flash (outside of the Linux beta).

    You know you're in trouble when freakin' MicroSoft is putting out better software.

    Adobe's releasing one awful update after another. They seem to lack the resources and expertise to maintain a huge portfolio of overly-ambitious software on a wide variety of platforms. They just can't seem to get anything right with their free (as in beer) software from a security, and sometimes even usability, standpoint.

    Dear god.

    Request to Adobe: if you want to be the gateway for rich content on the 'net, please realize what's at stake if you fsck things up. By botching security, you're putting millions of people at risk for having their lives turned upside down by thieves and fraudsters. You're releasing the digital equivalent of Pintos. Please start fixing your mess.

    • I just installed Windows 7 RTM and went to install flash for IE8 (for steam) and Adobe installed a download manager just to install flash. Are they retarded or something? I wish I could ditch Adobe flash for an alternative. I'm already 100% free of Apple software, it would be nice to coup de grace Adobe from my system as well.

  • by quazee (816569) on Tuesday July 28, 2009 @10:50AM (#28853583)
    Flash is now among the top attack vectors for Windows, and it isn't even covered by Windows Update.
    There were 23 reported security issues [mitre.org] in the last 2 years, including at least 4 browse-and-get-owned vulnerabilities.
    In comparison, Silverlight has had no security bulletins since its 1.0 release (it's now at 3.0).
    This may be just yet another reason to migrate to Silverlight, especially for intranet applications.
    • Flash's record is pretty bad, but Silverlight hasn't been completely tested out in the wild yet because it's not very popular right now. More exploits might be coming as it gets used more. But MS seems to have developed it with security in mind, so let's see what happens.

      • by Mr 44 (180750)

        Windows' record is pretty bad, but Mac OS X hasn't been completely tested out in the wild yet because it's not very popular right now. More exploits might be coming as it gets used more. But Apple seems to have developed it with security in mind, so let's see what happens.

      • by Ilgaz (86384)

        The day there is a Silverlight issue (if it doesn't get scraped), I will remember this message.

        Even Java, completely designed around sandboxed virtual machine idea and even invented it had security vulnerabilities.

        Hope you guys are getting paid to post these bullshit.

    • by jpmorgan (517966)
      Well, it's unsurprising Silverlight doesn't have any vulnerabilities. Flash runs in its own, custom built virtual machine. Silverlight runs in the .NET virtual machine, which is designed with a sandbox at its core, and generally has been much, much more rigorously audited and tested.
      • Re: (Score:3, Informative)

        Well, it's unsurprising Silverlight doesn't have any vulnerabilities. Flash runs in its own, custom built virtual machine. Silverlight runs in the .NET virtual machine, which is designed with a sandbox at its core, and generally has been much, much more rigorously audited and tested.

        I have no idea about Silverlight vulnerability track record, but I can assure you that full .NET sandbox can and was successfully broken. I've personally discovered one way to corrupt the stack and execute arbitrary native code from a sandboxed application (such as a WPF browser app). That particular vulnerability has been fixed, and does not affect Silverlight anyway, but it serves as a reminder that VM sandboxes aren't perfect. Java also had its share of problems in that regard (though IIRC .NET had far l

    • by Ilgaz (86384)

      So, MS jumps 3 versions in matter of 2 years, dropping PowerPC support and never intending to support Linux except hired open source cloning monkeys method and you claim it is 3rd generation software with no known threats?

      Guess what, DejaVu viewer has no known security issues too.

      Once upon a time, MS puppets were doing their dirty job with more clever methods.

    • ANY piece of software is going to have vulnerabilities -- and the more widespread it is the more people are going to strive to find those vulnerabilities. Silverlight will be no different if it takes over. The "security" of a piece of software is directly related to how diligent the devs are in patching holes. With closed source software, this is an extremely intensive process, so Silverlight is bound to be every bit as bad as Flash. Open source will ALWAYS be more secure, as you can have millions of eyes s
    • So, are you saying Windows is not done until Adobe is broke, so that people will use M$ stuff instead? They have done that before. I don't think Adobe is at fault, since the same problem appears many times for them, but no issues on Silverlight. Interesting, Adobe works on the Mac and Linux flawlessly. So it's got to be the evil empire again. Look out for the fine they are going to get now. WOW.

    • Re: (Score:3, Insightful)

      by Mathonwy (160184)

      Silverlight doesn't have any reported issues since not enough people use it for the bad guys to bother investing resources in finding its vulnerabilities. It's related to the same "macs don't get viruses" argument that was floated around right up until the point that macs became popular enough for virus writers to bother with them.

  • An interesting approach, using IP addresses as version numbers

  • So do you have to be on an administrator account for the attack to work?

  • ... if everyone knows about it?

    Or am I missing something here?

  • were turned off at the moment of the counting.
  • the best thing to ever happen to Silverlight?
    • by Ilgaz (86384)

      Well, it seems MS's billions are already sunk in Silverlight, as nobody, including Windows users, seems to care if it exists or not.

      So yes, a BLACK HAT ZERO DAY security exploit may buy some months for Silverlight. All Silverlight and Moonlight developers must be THANKFUL to those mafia guys exploiting a zero day bug at the expense of putting a billion end users at risk. We must all congratulate them in their hideouts, thanks for stealing end user information, you did a great service for MS's born-dead technology...

  • When there is a zero day issue exploited in the wild and it is affecting nearly a billion computers, some questions must be asked.

    1) Will the FBI and security organizations look to this matter as a threat to global security and this time, actually find the gang to question them?

    2) When did we start supporting zero day exploiting black hat mafia?

    3) Who is really behind this?

    4) Why would it take until Tuesday to fix the issue? Can't they provide a quick hotfix until Tuesday and ship the real thing with more te

  • Flashblock will not save you from this vulnerability. Flashblock only blocks Flash objects in your internet browser (Firefox/SeaMonkey). This attack uses Flash objects embedded in PDF documents, which are handled by Adobe Reader. Now, who decided it was a good idea to allow PDF documents to have Flash embedded in them?
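    Since the comment above points out that a browser-side blocker never sees Flash content carried inside a PDF, the following added example (my own code, not from this thread, from Adobe, or from the FlashBlock project) shows the kind of defender-side check a mail gateway or file scanner could apply instead: it walks a PDF's `stream ... endstream` objects, inflates FlateDecode streams, and flags any payload that starts with an SWF header (`FWS`, `CWS` or `ZWS`), plus any `/RichMedia` or `/Flash` dictionary keys used by rich-media annotations. The sample PDF is constructed inline (a skeleton with no xref table, enough for the scanner but not for a viewer); the function names and the "plausible SWF version" range are assumptions of this example.

    ```python
    import re
    import zlib

    # SWF file magic: uncompressed, zlib-compressed, LZMA-compressed
    SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
    # Dictionary keys that mark rich-media (Flash) content in a PDF
    INDICATOR_KEYS = (b"/RichMedia", b"/Flash")

    # Body of every "stream ... endstream" object; the lookbehind keeps
    # "endstream" itself from being taken as the start of a new stream
    STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


    def inflate(data: bytes):
        """Return the FlateDecode'd bytes, or None if the data is not a zlib stream."""
        try:
            return zlib.decompressobj().decompress(data)
        except zlib.error:
            return None


    def looks_like_swf(data: bytes) -> bool:
        """Heuristic: SWF magic at offset 0 followed by a plausible version byte."""
        if len(data) < 8 or data[:3] not in SWF_MAGIC:
            return False
        return 1 <= data[3] <= 64  # assumed plausible SWF version range


    def stream_payloads(pdf: bytes):
        """Yield each stream body raw and, when it inflates cleanly, decoded as well."""
        for m in STREAM_RE.finditer(pdf):
            raw = m.group(1)
            yield raw
            decoded = inflate(raw)
            if decoded is not None:
                yield decoded


    def scan_pdf(pdf: bytes) -> dict:
        """Report rich-media indicator keys and the number of SWF-looking streams."""
        return {
            "indicators": [k.decode() for k in INDICATOR_KEYS if k in pdf],
            "swf_streams": sum(1 for p in stream_payloads(pdf) if looks_like_swf(p)),
        }


    def build_sample_pdf(embed_swf: bool) -> bytes:
        """Constructed minimal PDF skeleton (no xref table; for the scanner only)."""
        parts = [b"%PDF-1.7\n", b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"]
        if embed_swf:
            # Constructed SWF header: magic, version 10, declared length, zero padding
            fake_swf = b"CWS\x0a" + (32).to_bytes(4, "little") + b"\x00" * 24
            body = zlib.compress(fake_swf)
            parts.append(b"3 0 obj\n<< /Type /EmbeddedFile /Length %d /Filter /FlateDecode >>\nstream\n" % len(body))
            parts.append(body + b"\nendstream\nendobj\n")
            parts.append(b"4 0 obj\n<< /Type /Annot /Subtype /RichMedia /RichMediaContent 5 0 R >>\nendobj\n")
            parts.append(b"5 0 obj\n<< /Subtype /Flash /Asset 3 0 R >>\nendobj\n")
        parts.append(b"%%EOF\n")
        return b"".join(parts)


    if __name__ == "__main__":
        for flag in (True, False):
            print("embedded SWF" if flag else "plain", "->", scan_pdf(build_sample_pdf(flag)))
    ```

    The check is deliberately conservative: it only counts a stream as SWF when the magic sits at offset 0 of the raw or inflated payload, so random binary data containing the letters `FWS` somewhere in the middle does not trip it. A real gateway would also have to handle object streams and other filters (LZW, ASCIIHex, ASCII85), which this example leaves out.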
  • by kalirion (728907) on Tuesday July 28, 2009 @12:46PM (#28855547)

    This is something that can be detected and stopped by Antivirus software, right? Since my Avast! updates every day, if it can protect me against this Flash vulnerability, then it shouldn't matter to me when Adobe issues the patch.

  • by hessian (467078) on Tuesday July 28, 2009 @01:22PM (#28856169) Homepage Journal

    These bloated plugins seem to also be responsible for 80%-ish of the crashes I have in Mozilla.

    They are the big weakness of the web: what if someone decides to start putting a non-standard format out there that becomes a de facto standard because it's the easiest way to do something?

    Flash seems to be the easiest way to put up an animation.

    PDF is the best format for distributing documents that you don't necessarily want others to edit.

    No one wants to explore alternatives because the content is in these somewhat unwieldy formats.

  • by Runaway1956 (1322357) on Tuesday July 28, 2009 @03:45PM (#28858667) Homepage Journal

    I stopped reading there. Obviously a slow news day.

  • by 1s44c (552956) on Tuesday July 28, 2009 @04:41PM (#28859483)

    Flash is an ongoing security nightmare. Users demand the functionality but don't understand or care about the security cost.

    Flash is one abomination that should be put out of its misery ASAP.
