
Adobe Warns of Critical Flash Bug, Already Being Exploited

Trailrunner7 writes "On the same day that it plans to release a patch for a critical flaw in Shockwave, Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader. The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac, and won't be patched for nearly two weeks. The new Flash bug came to light early Thursday when a researcher posted information about the problem, as well as a Trojan that is exploiting it and dropping a pair of malicious files on vulnerable PCs. Researcher Mila Parkour tested the bug and posted a screenshot of the malicious files that a Trojan exploiting the vulnerability drops during its infection routine. Adobe has since confirmed the vulnerability and said that it is aware of the attacks against Reader."
  • Re:Too bad... (Score:3, Informative)

    by Jahava ( 946858 ) on Thursday October 28, 2010 @06:21PM (#34057316)

    How much you wanna bet we're going to have to wait for Adobe's next 90-day update cycle, since this was released right on the day of another patch?

    Looks like not. From the article:

    Adobe security officials said they plan to patch the Flash bug on Nov. 9 and will release a fix for Reader and Acrobat during the week of Nov. 15.

  • Re:Too bad... (Score:3, Informative)

    by WrongSizeGlass ( 838941 ) on Thursday October 28, 2010 @06:23PM (#34057340)
    This article says: [pcmag.com]

    Adobe said that a Flash update is scheduled for (Patch) Tuesday, November 9. Updates for Acrobat and Reader are scheduled for the week of November 15.

  • by Jahava ( 946858 ) on Thursday October 28, 2010 @06:29PM (#34057408)

    And the same thing could be said about Flash too.

    There's little-to-no practical opportunity to choose a Flash implementation, and Flash is not open-source, so we cannot secure it ourselves. Nothing you said is true.

  • by GameboyRMH ( 1153867 ) <gameboyrmh&gmail,com> on Thursday October 28, 2010 @06:54PM (#34057602) Journal

    There are many approaches. Sandboxing is one, there's Sandboxie for Windows. On Linux you could use SELinux, or AppArmor which is much more user-friendly and is ultra-convenient on Ubuntu - profiles for Firefox (with Flash) and evince are installed by default and are updated automatically with the programs.

    I don't know what the options are on OSX, since I have no possible use for the OS myself.

  • by Anonymous Coward on Thursday October 28, 2010 @06:54PM (#34057610)

    Unless the end-user overrode the settings, only highly trusted plugins would be allowed persistent local storage and cross-session communication, and one of the criteria of being "trusted" is that the browser validated the plugin against a list of known-clean plugins in the last few hours.

    Which would be great - except that the fucktarded conslutant crowd that brought us IE6-specific ActiveX plug-ins for "enterprise" software, has now migrated to Flash. Cloud/webapp type stuff are being used for things like HR, payroll, and other internal accounting processes, and as IE6 gets phased out, these vendor-lock-in apps are now increasingly becoming Flash-based. And since it's no longer as easy to control whether a user regularly deletes cookies, these bits of cubicleware all seem to require the use of LSOs. The more things change, the more they stay the same. *sigh*

  • Re:Adobe sucks. (Score:3, Informative)

    by DragonWriter ( 970822 ) on Thursday October 28, 2010 @07:02PM (#34057688)

    Isn't Flash supposedly sandboxed? And, what the hell is Flash doing in a PDF viewing utility?

    Acrobat Reader is Adobe's general purpose client platform for content produced with Adobe Acrobat and related tools. That has been true, essentially, forever. Reading PDFs is, of course, an important part of that, but Acrobat hasn't been -- or been presented as -- just a "PDF viewing utility" for quite a long time, if it ever was.

  • Re:Adobe sucks. (Score:3, Informative)

    by X0563511 ( 793323 ) on Thursday October 28, 2010 @07:04PM (#34057708) Homepage Journal

    The only reason to use Adobe to read PDFs these days is for PDF Forms...

  • by GameboyRMH ( 1153867 ) <gameboyrmh&gmail,com> on Thursday October 28, 2010 @07:04PM (#34057712) Journal

    Huh didn't know there was a Windows port of evince. I'll have to look at replacing Foxit with that:

    http://live.gnome.org/Evince/Downloads [gnome.org]

    And an .MSI installer too! I'll have to talk with the other IT guys at work tomorrow...

  • You do realize that Apple's PDF reader is *WAY* less secure than Adobe's, right? We're talking 15x as many exploitable vulnerabilities across the same test set of fuzzed files. Adobe and their miserable security practices are a scourge on the computing world, you hate their stuff, you remove it all from the computer.. OK, fine. You go with an alternative that has more than an order of magnitude worse security... wait, what?!?

  • Re:Adobe sucks. (Score:2, Informative)

    by GreyLurk ( 35139 ) on Thursday October 28, 2010 @08:35PM (#34058264) Homepage Journal

    Flash ActionScript isn't native code... It's VM'ed. If it was native code, it would at least run faster. Now, that doesn't stop someone from putting native code into a string, and pushing that string past an array boundary (which sounds like what this exploit is), but the AVM Bytecode itself isn't native code. The same sort of exploit was happening in Java just a few weeks ago, see CVE-2010-3552.

  • Also... (Score:4, Informative)

    by sootman ( 158191 ) on Thursday October 28, 2010 @09:10PM (#34058464) Homepage Journal

    ... this makes me very wary of buying a device where all apps, and the OS/UI itself are written in Adobe AIR [youtube.com] (which is pretty much Flash.) So when a vulnerability comes along you... what... quit using the whole device? I'm sure that will go over really well with the large businesses that are BlackBerry's intended customers. And for those who think I'm hyperbolizing, watch the video and listen close--the head of RIM says (at the 2:20 mark) "what we've done is... really embed AIR right into 'the metal' and the operating system." By "metal" I think he means "as low-level as we possibly could."

    Wait, scratch that... large businesses have been buying Windows for two decades, so never mind me. I bet this thing will fly off the shelves. Hmm, maybe I should write an antivirus app in Flash so it can run on a PlayBook. :-)

  • by qubezz ( 520511 ) on Thursday October 28, 2010 @10:16PM (#34058762)

    The full Flash installer is buried in a deep link. You can use Internet Explorer, choose the 'different operating system or browser' [adobe.com] link on the Adobe Flash download page [adobe.com], and get the Firefox version (likewise use an alternate browser to get the IE version).

    Of course, if you want a direct link to download the most recent installer without the 'download manager' slimeware or 'free Google Toolbar', here it is!:

  • by Paradigm_Complex ( 968558 ) on Thursday October 28, 2010 @10:39PM (#34058868)

    Good question. Mine reports 10,2,161,22 installed (can't they figure out how to use decimal points?)

    Many cultures use commas instead of periods for the decimal mark. Specifically, see here [wikipedia.org].

  • by Anonymous Coward on Thursday October 28, 2010 @10:50PM (#34058928)
    Unfortunately it can be circumvented, if the malware is designed with flashblock in mind. There is a proof of concept site somewhere, which iirc recommends you to use noscript (instead/additionally).
  • by plover ( 150551 ) * on Thursday October 28, 2010 @11:33PM (#34059144) Homepage Journal

    Here's an embarrassment for Adobe. An external researcher has created a tool called Blitzableiter [recurity.com], which is simply a Flash parser written in .Net. Its only job is to verify that any Flash you load is fully compliant with the Flash file format, and to hurl an exception if anything fails to parse correctly. I saw FX's presentation at DefCon and was suitably impressed.

    The cool thing is that he claims it's caught every exploit, past and present, that he's been able to find to test it with.

    Think about it. Someone external to Adobe is keeping Adobe's products safe simply by enforcing Adobe's own rules. Way to go, Adobe, you're completely awesome.

    Configuring Blitzableiter to work in Firefox takes a little bit of work. He asked the NoScript guy to provide an external plugin mechanism, which launches Blitzableiter to check out the SWFs before they're permitted into the Shockwave player. So you have to load the NoScript extension, then configure it to run Blitzableiter. I look at it as a fairly small price to pay for safety.

    I will say that it's pretty damn picky, and there's a lot of probably-safe-but-badly-written Flash out there that it won't let you load. Since there's actually very little Flash content I want to see anyway, it's not been a real problem for me. For expediency I put youtube.com in the exception list, just because I do trust the youtube player and don't feel I need to wait the extra two seconds to have it scanned every time I watch a video clip. Otherwise, it just rocks!
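The kind of check described in the comment above, as an added example that is not part of the original comment and is not Blitzableiter's code: a strict Python validator for the SWF container layer only (signature, declared length, tag lengths, terminating End tag). The function names, the policy of rejecting trailing bytes, and the sample file are assumptions constructed for illustration.

```python
import struct
import zlib

class SwfFormatError(ValueError):
    """The file deviates from the SWF container layout."""

def validate_swf(data: bytes) -> list:
    """Return the tag codes in file order, or raise SwfFormatError."""
    if len(data) < 8:
        raise SwfFormatError("truncated header")
    sig, declared = data[:3], struct.unpack_from("<I", data, 4)[0]
    if sig not in (b"FWS", b"CWS"):
        raise SwfFormatError(f"unsupported signature {sig!r}")
    if declared < 9:
        raise SwfFormatError("declared length too small")
    if sig == b"CWS":
        # zlib body; cap output at the declared size plus one byte (bomb guard).
        try:
            body = zlib.decompressobj().decompress(data[8:], declared - 7)
        except zlib.error as exc:
            raise SwfFormatError(f"bad zlib stream: {exc}") from exc
        data = data[:8] + body
    if declared != len(data):
        raise SwfFormatError(f"declared length {declared}, actual {len(data)}")
    # Frame-size RECT: 5-bit field width plus four fields, padded to a byte,
    # followed by 2 bytes of frame rate and 2 bytes of frame count.
    pos = 8 + (5 + 4 * (data[8] >> 3) + 7) // 8 + 4
    tags = []
    while not tags or tags[-1] != 0:          # tag code 0 is End
        if pos + 2 > len(data):
            raise SwfFormatError("tag stream ends without an End tag")
        header = struct.unpack_from("<H", data, pos)[0]
        code, length, pos = header >> 6, header & 0x3F, pos + 2
        if length == 0x3F:                    # long form: 32-bit length follows
            if pos + 4 > len(data):
                raise SwfFormatError("truncated long tag header")
            length, pos = struct.unpack_from("<I", data, pos)[0], pos + 4
        if pos + length > len(data):
            raise SwfFormatError(f"tag {code} claims {length} bytes past end of file")
        pos += length
        tags.append(code)
    if pos != len(data):
        raise SwfFormatError("trailing bytes after End tag")
    return tags

def sample_swf(bg_len: int = 3) -> bytes:
    """Constructed minimal file: SetBackgroundColor, ShowFrame, End."""
    body = b"\x00" + struct.pack("<HH", 24 << 8, 1)   # empty RECT, 24 fps, 1 frame
    body += struct.pack("<H", (9 << 6) | bg_len) + b"\x10\x20\x30"
    body += struct.pack("<H", 1 << 6) + struct.pack("<H", 0)
    return b"FWS\x0a" + struct.pack("<I", 8 + len(body)) + body
```

Calling `sample_swf(0x3E)` produces the same file with a tag header that claims more payload than the file holds, which the validator rejects instead of handing it to a player.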

  • by mkro ( 644055 ) on Thursday October 28, 2010 @11:39PM (#34059186)
    The problem is that it is not "only supposed to be a document display". Someone gave a pretty good summary on Reddit [reddit.com] about a month ago. The conclusion is that Adobe Reader is most likely overkill for 90% of the users, and you should stick to something like SumatraPDF or Foxit.
  • Re:Too bad... (Score:3, Informative)

    by makomk ( 752139 ) on Friday October 29, 2010 @05:04AM (#34060522) Journal

    Adobe actually finally corrected this a month ago, and a 64-bit Flash plugin is now available again - for all platforms.

  • by GameboyRMH ( 1153867 ) <gameboyrmh&gmail,com> on Friday October 29, 2010 @08:29AM (#34061250) Journal

    Foxit's been getting a little too adware-ish for me lately, it's coming bundled with toolbars now, and it offers a browser plugin which can only be bad news for security, browser speed and browser stability. Between the two I definitely prefer evince.

  • by GameboyRMH ( 1153867 ) <gameboyrmh&gmail,com> on Friday October 29, 2010 @08:42AM (#34061336) Journal

    Actually there is no malicious code in the link whatsoever. It links to TinyURL, a url shortening service. When a URL is submitted to TinyURL, the site stores the URL in a database and gives you a short lookup code that can be used with the service, allowing you to dispense shorter URLs that lead to longer ones. However this can allow URL obfuscation.

    The troll has created a TinyURL link to the infamous goatse website, which displays a large photo of a naked man stretching his anus to Brobdingnagian proportions. He then placed a link in his Slashdot post, claiming that it links to exploit code or an attack site, which many Slashdotters would be interested in visiting, confident that their computers are immune. The troll hopes to get users to blindly follow the link, leading to a faceful of digital anus, producing lulz for the troll.

    However experienced uber-geek users such as myself know that TinyURL offers a preview service, which can be used at any time by changing a TinyURL link from the format "tinyurl.com/whatever" to "preview.tinyurl.com/whatever," allowing a potential visitor to see where the link leads before proceeding. I did this and confirmed my suspicions that the link leads to the troll's shock site of choice, goatse.

    Upon discovering the troll's weak attempt at trolling a group of technically advanced users with a technically weak trolling method, I then exposed his attempt and derided his weak trolling skills and lack of trolling experience.

    I hope this answers your questions, I hate writing.
