Security

Adobe Flash To Be Top Hacker Target In 2010

An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"
  • Re:Yuh huh (Score:1, Interesting)

    by Neuroelectronic ( 643221 ) on Tuesday December 29, 2009 @01:29PM (#30583728)

    I dunno, but it just seems to me that embedding a Turing machine into a website is just a bad idea no matter what you call it.

  • by dgatwood ( 11270 ) on Tuesday December 29, 2009 @01:45PM (#30583940) Homepage Journal

    Even if they updated regularly, it would still be an easy target. Something like six of the top ten browser crasher bugs are in Flash plug-ins. There are so many crasher bugs that nobody can even keep count. When you realize that every single one of those is probably an exploitable attack vector, you quickly understand why I use click2flash. Swiss cheese belongs on sandwiches, not on the public Internet....

  • Re:Yuh huh (Score:2, Interesting)

    by Anonymous Coward on Tuesday December 29, 2009 @01:48PM (#30583974)
    Microsoft would be foolish to let pass an opportunity to promote its competing products, yeah. They tend not to be foolish when it comes to such things.

    I don't see what Adobe's problem is with the security vulnerabilities. Don't trust data from the network, and don't ever use a variable/etc without bounds checking. How many versions, bugfixes, patches, and revisions does it take to get these two basic things right? Real question. I don't understand the difficulty here.
  • by psydeshow ( 154300 ) on Tuesday December 29, 2009 @01:51PM (#30584002) Homepage

    The hacks in Flash are often social engineering tricks to get at files, camera, microphone... though I think the most growth will be enabled by the excellent support for socket communication in today's ActionScript. In other words, good old-fashioned cross-site-scripting.

  • by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday December 29, 2009 @02:11PM (#30584256)

    There is already a solution out there and it is called javascript. 90% of the things you can do in flash can easily be done using javascript, jquery, or some other javascript framework.

    The problem with your statement is you assume the Flash content creators are programmers with enough free time. In reality, many of them have degrees in communications or visual arts or are just programmers who want a quick and easy tool for throwing together some quick video/UI content for the Web. From what I've seen, the decently made tools to create such content are mostly created by Adobe and focused on Flash. Unless a company steps up and creates equivalent tools for HTML5 and javascript and those tools gain a significant market share and momentum and ecosystem, I see Flash remaining dominant, with MS gobbling up a smaller share.

  • by Ilgaz ( 86384 ) on Tuesday December 29, 2009 @02:14PM (#30584282) Homepage

    Besides a couple of security issues that EXIST today, which are only fixed by disabling JavaScript in Adobe Reader and are scheduled to be fixed in 15 days, here are 2 examples of the culture that actually develops/packages the OS X version.

    First, this is what you will see in your system.log, whatever browser you use:
    [0x0-0x1f01f].com.operasoftware.Opera[157]: Debugger() was called

    This is the current Flash, released just weeks ago. This is a packaging mistake which nobody other than a complete newbie would make. They forgot the damn debugger symbol in the final binary they ship to millions. I also heard that if you are an unlucky developer who has Xcode open at the time when you go to a site featuring Flash, that "call" may actually break your own application's tests or running "from there". Amazingly stupid, eh? This has been reported to Adobe by many people: users like me, developers getting hit, browser vendors/developers (guess who users contact & blame when they see the browser name?), and they keep that debug symbol, even ignoring the latest chance to get rid of it weeks ago.

    Want to see more? Here is a bug reported for ages, years, since early OS X days. Disk permissions broken while installing Flash. This is some amazing thing which even Apple is constantly bugged about and one of the perfectly valid excuses of "permission repairer" people in OS X land. Of course, as Apple really secured the permission repair process, meaning hundreds of thousands of files will be validated before "repair", it also means 20 mins of an insanely system-loading process even on the highest-end machine. I actually had access to an octo Xeon (8x Xeon) machine with 16 GB of RAM and just fired up "repair permissions" just to see if it is affected by CPU/RAM specs. No, still 13 mins.

    No need to paste 10s of lines mentioning very stupidly wrongly set permissions. Note that Apple is also to blame a little; perhaps Adobe would care if they had a bug report coming from @apple.com with thousands of user feedback reports attached. If I know Apple well enough, they must have reported it to Adobe several times, since their bug reporter department even finds shareware vendors from the web once they spot that their application causes the issue. So, chances are high that these pathetic idiots also ignore Apple Inc. themselves reporting issues, no matter how trivial they are.

    So, Adobe needs to do debugger symbol and permissions cleanups, or they must get rid of the idiots who forget a debugger symbol in a final product used by millions and can continue living their lives as if nothing happened.

    PS: Intego, Symantec... Do you read these stories? McAfee, do you read your own white papers? Is the code which will check the swf files on the fly up and running? Or are you still developing sigs for imaginary threats and impossible-to-run Word macros? Don't blame people when they call you snake oil sellers if that is the case.

  • by Ilgaz ( 86384 ) on Tuesday December 29, 2009 @02:39PM (#30584630) Homepage

    Unless you drug the IT departments of major media sites to go back to 1990s while H264 exists and H265 is being mentioned, HTML5 can't replace Flash.

    It is the codec, the stupid fanaticism about "open codecs" to the degree of inviting Apple to jump to VP3 while they spent billions on H264 and the damn MP4 being a lite version of their OWN container, MOV.

    For terabyte/petabyte sized media outlets, changing the codec means millions of real-world money, not some "everything should be open" dreamer's money. In real-world media, you even keep U-Matic players from the 1970s maintained, since on one occasion you may need that archive tape from the 1970s which hasn't been digitized, since it is part of your millions-of-hours archive which may be rarely (once a month) used.

    HTML5 designers should really visit a major TV studio to see how things are really done, why you must make some insanely great progress to convince the people to switch, and how TV and video guys don't give a heck about the "patent" problem as long as multiple vendors/documented standards/EBU etc. approvals exist.

  • by McBeer ( 714119 ) on Tuesday December 29, 2009 @03:58PM (#30585654) Homepage

    their V2 dropped support for PowerPC macs which several people

    So Silverlight can't possibly compete with flash because it doesn't support a hardware platform that hasn't been produced in 5 years now and already has negligible market share?

    In Silverlight V3, things getting even more complex as the Win32/64 Silverlight V3 has more features than OS X 32/64 one

    The only differences I'm aware of between mac and windows silverlight 3 are quite trivial [microsoft.com]

    While mentioned, where is the iPhone/Symbian and even Windows Mobile support?

    In the works [silverlight.net]. Admittedly, MSFT is disappointingly behind schedule on this front.

    Some of your complaints with Silverlight have merit. It isn't perfect yet, but it has made remarkable progress in the 2 years it has been out and most certainly is a rival to Flash. Flash had an 11 year head start and Silverlight already does just about everything it does and a few things better. Silverlight lags behind Flash in market penetration and platform support, but at the rate it is going, it will catch up quite soon.

  • Re:Yuh huh (Score:3, Interesting)

    by GameboyRMH ( 1153867 ) <`gameboyrmh' `at' `gmail.com'> on Tuesday December 29, 2009 @04:00PM (#30585696) Journal
    I can't wait until HTML5 replaces them both.
