
92% of Windows PCs Vulnerable To Zero-Day Attacks On Flash

Posted by timothy
from the in-some-contexts-8%-is-really-good dept.
CWmike writes "More than 9 out of every 10 Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won't patch until Thursday, Danish security company Secunia says. According to Secunia, 92% of the 900,000 users who have recently run the company's Personal Software Inspector (PSI) utility have Flash Player 10 on their PCs, while 31% have Flash Player 9. (The total exceeds 100% because some users have installed both.) The most-current versions of Flash Player — 9.0.159.0 and 10.0.22.87 — are vulnerable to hackers conducting drive-by attacks hosted on malicious and legitimate-but-compromised sites. Antivirus vendors have reported hundreds, in some cases thousands, of sites launching drive-bys against Flash."
This discussion has been archived. No new comments can be posted.
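
An added example (not part of the original story, and not Secunia's PSI code): a small Python audit that takes a per-host list of Flash Player version strings, flags hosts running a build at or below the two versions the summary names as vulnerable, and shows why per-branch install shares can add up to more than 100%. The inventory, host names, the `10.0.99.0` build and the rule that older builds in each named branch count as exposed are assumptions made for the example.

```python
import re
from collections import Counter

# Newest builds named in the story summary; both are stated to be vulnerable.
LATEST_VULNERABLE = {9: (9, 0, 159, 0), 10: (10, 0, 22, 87)}

# Constructed sample inventory: host names and version lists are made up.
SAMPLE_INVENTORY = {
    "ws-01": ["10.0.22.87"],
    "ws-02": ["WIN 10,0,22,87", "9.0.159.0"],  # both branches installed
    "ws-03": ["9.0.124.0", "10.0.12.36"],
    "ws-04": ["10.0.99.0"],                    # hypothetical later build
    "ws-05": ["not-a-version"],
}

def parse_flash_version(text):
    """Accept '10.0.22.87', '10,0,22,87' or 'WIN 10,0,22,87'; return a 4-tuple or None."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_exposed(version):
    """Assumption: builds at or below a named branch's newest vulnerable build are exposed;
    branches the summary does not name are left unclassified (False)."""
    ceiling = LATEST_VULNERABLE.get(version[0])
    return ceiling is not None and version <= ceiling

def audit(inventory):
    """inventory maps host -> list of version strings; returns a summary dict."""
    exposed, hosts_per_major, unparsed = set(), Counter(), []
    for host, versions in inventory.items():
        majors = set()
        for raw in versions:
            version = parse_flash_version(raw)
            if version is None:
                unparsed.append((host, raw))  # surface unknowns instead of dropping them
                continue
            majors.add(version[0])
            if is_exposed(version):
                exposed.add(host)
        hosts_per_major.update(majors)  # a host counts once per branch it has installed
    total = len(inventory) or 1
    return {
        "exposed": sorted(exposed),
        "exposed_pct": round(100 * len(exposed) / total),
        # Shares are per branch, so dual installs push the sum past 100%.
        "share_by_major": {m: round(100 * n / total) for m, n in hosts_per_major.items()},
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```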

  • Re:Noscript (Score:5, Informative)

    by ground.zero.612 (1563557) on Tuesday July 28, 2009 @10:48AM (#28852389)

    The noscript author is an assclown who silently enables ads (And disables noscript) for his own financial advantage.

    Sounds like someone doesn't keep current on events, as this problem was worked on some months ago.

  • Re:Noscript (Score:5, Informative)

    by causality (777677) on Tuesday July 28, 2009 @11:00AM (#28852651)

    The noscript author is an assclown who silently enables ads (And disables noscript) for his own financial advantage.

    He admitted his error and has stopped doing this. See this link [hackademix.net]. The very first line? "I screwed up. Big time."

    Any fool can make a mistake. It takes some guts to admit it, correct it, and try to move on especially in public like that. For that reason I do not count myself among the folks who still want to figuratively crucify him.

  • by asdf7890 (1518587) on Tuesday July 28, 2009 @11:17AM (#28852981)

    FlashBlock stops Flash from running after a second or two. Some of the remote code still runs. This may be enough time for an attack to get through.

    I was under the impression that it replaced the flash objects in the page's DOM before Firefox gets chance to call the plugin. I'll have to see if I can't verify that...

  • by fpophoto (1382097) on Tuesday July 28, 2009 @11:19AM (#28853023) Homepage Journal
    Do you have a link for that? The info I've read suggests otherwise. AFAIK, Flashblock blocks Flash completely before the page even loads, although this suggests a bypass is very easy. [seclists.org]
  • by quazee (816569) on Tuesday July 28, 2009 @11:50AM (#28853583)
    Flash is now among the top attack vectors for Windows, and it isn't even covered by Windows Update.
    There were 23 reported security issues [mitre.org] in the last 2 years, including at least 4 browse-and-get-owned vulnerabilities.
    In comparison, Silverlight has had no security bulletins since its 1.0 release (it's now at 3.0).
    This may be just yet another reason to migrate to Silverlight, especially for intranet applications.
  • by recoiledsnake (879048) on Tuesday July 28, 2009 @12:10PM (#28853903)

    WRONG on many levels. If you're not running as admin, only your user files will get affected in all the current OSes including XP. But IE8 on Windows 7/Vista does sandboxing and hence is more secure than Firefox on Ubuntu out of the box. Don't believe me? Read it straight from the horse's mouth. http://blogs.zdnet.com/security/?p=2941 [zdnet.com]

    Why Safari? Why didn't you go after IE or Safari?

    It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.

    It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.

    [ SEE: 10 questions for MacBook hacker Dino Dai Zovi ]

    With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.

    It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.

  • the exploit demo they link to does not work in 3.5, so it seems the bypass gap was closed...
  • by Anonymous Coward on Tuesday July 28, 2009 @12:42PM (#28854487)
    Get rid of Acrobat reader while you're at it: http://kb2.adobe.com/cps/326/326641.html [adobe.com]
  • Oh please (Score:4, Informative)

    by Sycraft-fu (314770) on Tuesday July 28, 2009 @12:51PM (#28854645)

    Let's not let the facts get in the way of rabid fanboyism! After all, Linux is 100%, completely secure! There are magical GPL fairies in the kernel that protect it from any and all attacks, even when the app in question is from a 3rd party.

  • by Colonel Korn (1258968) on Tuesday July 28, 2009 @12:54PM (#28854687)

    A computer worm that spreads through Flash and PDFs on PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough [today.com] to still think Windows is not ridiculously and unfixably insecure by design.

    1) This vulnerability exists on OSX, Windows, and Linux.

    2) The annual pwn2own competition, among others, shows that Linux and Windows are similarly secure and OSX is much less secure. OSX goes down first every year, while Windows and Linux both last until later days of the competition when more direct access to the systems is granted to the contestants.

    A Windows machine is more likely to be compromised, but that's because of market share. "Insecure by design" implies that you're talking about the security of the OS against someone who wants to compromise it. It's proven every year that only OSX lags in this area, and it lags quite badly (this year's winner rated the difficulty of compromising Vista and Linux as a 9-10, and the difficulty of breaking into OSX as a 3, IIRC).

    3) Goto 1)

  • by shutdown -p now (807394) on Tuesday July 28, 2009 @01:34PM (#28855327) Journal

    Well, it's unsurprising Silverlight doesn't have any vulnerabilities. Flash runs in its own, custom built virtual machine. Silverlight runs in the .NET virtual machine, which is designed with a sandbox at its core, and generally has been much, much more rigorously audited and tested.

    I have no idea about Silverlight vulnerability track record, but I can assure you that full .NET sandbox can and was successfully broken. I've personally discovered one way to corrupt the stack and execute arbitrary native code from a sandboxed application (such as a WPF browser app). That particular vulnerability has been fixed, and does not affect Silverlight anyway, but it serves as a reminder that VM sandboxes aren't perfect. Java also had its share of problems in that regard (though IIRC .NET had far less than Java did, especially early on).

  • by kalirion (728907) on Tuesday July 28, 2009 @01:46PM (#28855547)

    This is something that can be detected and stopped by Antivirus software, right? Since my Avast! updates every day, if it can protect me against this Flash vulnerability, then it shouldn't matter to me when Adobe issues the patch.

  • Re:Noscript (Score:3, Informative)

    by ground.zero.612 (1563557) on Tuesday July 28, 2009 @02:33PM (#28856319)

    as this problem was worked on some months ago.

    It's not a "problem" that can be "worked on". It's the character of the author. As any decent psychologist will tell you that character is inborn and cannot be changed or "worked on".

    The character of the author of NoScript is that of the authors of

    1) adware (redirecting to his ad-laden website with each meaningless update and preventing you from blocking these ads)

    2) spyware/malware (changing configuration without the user's consent).

    trifish: I'm getting quick on the Citation Neededs. I know from firsthand experience that people can and do change. So please, please rattle off some quotations or links providing evidence to support your theory that people can't change their "character."

    The MAZZTer: I would just like to inform you that there are entries in the about:config menu that allow you to turn off the first run "pop-op." I'm not sure that your "NoScript whitelisting NoScript" is a legit complaint, as you are capable of removing that, and I see nothing unethical about a software provider whitelisting their own site in their own software.

  • by Adm.Wiggin (759767) on Tuesday July 28, 2009 @02:42PM (#28856497) Journal
    I'm on 3.0.11 and it didn't even work...
  • by Adm.Wiggin (759767) on Tuesday July 28, 2009 @02:43PM (#28856529) Journal
    I've seen the video I'm headed for frequently flash on the screen before Flashblock takes it out (Gentoo Linux here).
  • Re:Noscript (Score:2, Informative)

    by lostmongoose (1094523) on Tuesday July 28, 2009 @03:43PM (#28857559)

    So far, he seems to have responded appropriately, which shows good character, actually.

    *good* character would have been not doing it in the first place. he's only responding because he got caught, not because he feels he was wrong.

  • by Super_Z (756391) on Tuesday July 28, 2009 @04:51PM (#28858765)

    2) The annual pwn2own competition, among others, shows that Linux and Windows are similarly secure and OSX is much less secure. OSX goes down first every year, while Windows and Linux both last until later days of the competition when more direct access to the systems is granted to the contestants.

    A Windows machine is more likely to be compromised, but that's because of market share. "Insecure by design" implies that you're talking about the security of the OS against someone who wants to compromise it. It's proven every year that only OSX lags in this area, and it lags quite badly (this year's winner rated the difficulty of compromising Vista and Linux as a 9-10, and the difficulty of breaking into OSX as a 3, IIRC).

    The CanSecWest Pwn2own competition has been organized 3 times. The first event in 2007 was called "hack-a-Mac" as the competition was about hacking into MacOSX present on the network. User level access was gained on the second day as the organizers changed the rules and let people try to hack Safari instead as no one succeeded in the original contest.

    The second 2008 pwn2own contest featured Vista, MacOSX 10.2.5 and Ubuntu. Both the Mac and the Vista computer were hacked into in this contest - the Mac first through a flaw in Safari on the second day and the Vista on the third day through a (windows specific) flaw in Adobe Flash.

    The third contest in 2009 focused on browsers. During the first session every browser except Google Chrome was hacked. Safari was the first to be exploited by chance of a draw as contestants were chosen by a random process. IE and Firefox were also hacked at similar stages in this contest.

    So - how many times has "OSX" been hacked in the CanSecWest contest? Exactly as many times as Vista or Windows 7 has been.

    As for your "quote" - in fact this year's winner stated that MacOSX was still the safest operating system.

    Now - is CanSecWest a good indicator of whether an OS is "secure" or not? What is usually not stated is that one of the rules of this competition is that no known exploit can be used. Windows can have dozens of zero-day exploits and can yet escape unscathed from this competition. Firefox can have a (hypothetically) stellar security history and yet be "hacked in seconds". Claiming security based on these rules is exceedingly stupid.

    So your hateboy statement that "It's proven every year that only OSX lags in this area" is simply disingenuous.

    What is shocking though is that your post - which is so full of actual faults and reeks of hateboyism - gets modded +5 insightful. I guess it is a good indicator of the current sorry state of Slashdot.

  • by Kalriath (849904) * on Tuesday July 28, 2009 @07:05PM (#28860375)

    That's the biggest load of bullshit in a while.

    You talk about Silverlight being worse than Flash because it uses ActiveX -- hey guess what... SO DOES FLASH!

    ActiveX is not a platform, it's a specifically formatted way of producing a Dynamic Link Library that the browser can load as a COM object (usually in the browser's context - so the user's). It by definition cannot have security vulnerabilities - the host can, and the plugin can, but "ActiveX" can't.

  • Re:FlashBlock (Score:1, Informative)

    by Anonymous Coward on Wednesday July 29, 2009 @11:35AM (#28867175)

    Glad that I use IE and Vista!

    This flash vulnerability cannot be used to install malware because of the Vista/IE protected mode (sandboxing) which prevents such flaws in IE or its plugins from being exploited to write data on the hard drive.

    For IE8 users running XP, you can prevent flash player from executing automatically when you surf on unknown sites:
    no need for third party plugin, just go to tools, manage addons, double click on flash, and click on remove from all site. Then each time a site wants to use flash, a yellow bar will be shown so that you can decide to authorize flash on this particular site.

