Adobe Warns of Critical Flash Bug, Already Being Exploited 244
Trailrunner7 writes "On the same day that it plans to release a patch for a critical flaw in Shockwave, Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader. The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac, and won't be patched for nearly two weeks. The new Flash bug came to light early Thursday when a researcher posted information about the problem, as well as a Trojan that is exploiting it and dropping a pair of malicious files on vulnerable PCs. Researcher Mila Parkour tested the bug and posted a screenshot of the malicious files that a Trojan exploiting the vulnerability drops during its infection routine. Adobe has since confirmed the vulnerability and said that it is aware of the attacks against Reader."
I need this on my iPhone (Score:5, Insightful)
I hope Apple and Adobe come to an agreement because I want to live on the edge too.
Re:Abode Is The Weakest Link (Score:5, Insightful)
Why the FUCK does a document display program have the ability to alter anything on my machine?
Re:Abode Is The Weakest Link (Score:3, Insightful)
Mostly because they have to keep the developers working and the shareholders thinking they are making progress toward more money. In reality Adobe is fast becoming a second rate company. I never thought that would happen ten years ago, but sure enough here we are.
In other news (Score:5, Insightful)
In other news, Steve Jobs now has even more arguments to push aside Flash and Shockwave.
Wait, Shockwave? That thing is still alive?
We really need to sandbox all browser sessions (Score:4, Insightful)
Attention browser developers:
Start sandboxing the browser so that by default, plug-ins are sandboxed from each other and from instances of each other in other "sessions" and they are not allowed a persistent storage.
Any user-initiated visit to a web site would be a new session.
Unless the end-user overrode the settings, only highly trusted plugins would be allowed persistent local storage and cross-session communication, and one of the criteria of being "trusted" is that the browser validated the plugin against a list of known-clean plugins in the last few hours.
Basically, if you aren't trusted, you get a very limited view of the local computer and once you quit, you get amnesia.
Re:Adobe sucks. (Score:5, Insightful)
Yeah, I was kind of shocked by that. I disable Flash by default everywhere but so far have let PDF plugins stay because I need them for a lot of things and hey, it's a freakin document format! Now I find out that Reader is linked to both executable Javascript AND Flash. And anybody sending me a simple PDF document could be exploiting holes in any of those. What a nightmare.
Re:Why two weeks to fix? (Score:2, Insightful)
I'd be more worried about the fact that majority of consumers don't update their Acrobat Reader on PCs. Clicking "Update Later" button has become something you get to click every time you reboot the computer.
OS makers not helping much either (Score:1, Insightful)
Why the FUCK does a document display program have the ability to alter anything on my machine?
Not to let Adobe off the hook, but OS makers should make it easier for users to limit the abilities of vulnerable or dangerous programs.
Quick, how would you start Adobe Reader on Linux, OS X, and Windows such that it isn't allowed to write to files? How would you do the same for however your browser starts Flash? Could you easily step several users through this process?
Re:There's a safe alternative! (Score:2, Insightful)
JavaScript is a programming language. Just because the code is delivered in source form, it doesn't mean there cannot be security holes. And Flash exploits are actually Flash player exploits.
However, the following still remains true:
Re:Why two weeks to fix? (Score:5, Insightful)
Can someone please explain to me why it will take Adobe two weeks to get a patch out?
They need to come up with a reliable way to fix this, make absolutely sure it actually fixes the problem, and then make sure the patch doesn't cause crashes on any of the OS variants out there. Otherwise the chaos would be worse. Plus, you don't give a optimistic estimate right at the start.
(Look how Chile handled that for the mining disaster. They started with a safe estimate, and got praised for beating their own deadline. Imagine the reactions if they had been too optimistic in their original estimate.)
Re:Abode Is The Weakest Link (Score:0, Insightful)
Photoshop is reason enough for Adobe to exist.
Anyone who thinks gimp is a replacement is full of shit.
Re:How to prevent Reader from using Flash? (Score:3, Insightful)
Use one of the pdf readers that doesn't have adobe's holes and bloat.
I think there is a windows port of evince, and I used to use sumatra when I had windows boxen. I have a friend that likes foxit, but I've never used it myself. etc.
Re:Abode Is The Weakest Link (Score:5, Insightful)
Two words: Feature Creep
Understand Apple a bit better? (Score:4, Insightful)
This is why Apple no longer ships Flash pre-installed, and why they do their own PDF readers. Regardless of any tiffs (or .TIFFs, har! see what I did there?) between Adobe and Apple, I'm sure that Adobe wants its products preinstalled in OSX. Even through its contentious history with Adobe, Apple has preinstalled Flash for many software releases now because it made business sense to do so. It no longer does.
Recent trends show that Adobe is the most readily-exploited software vendor (per US-CERT). Critical flaws are being discovered faster than operating system installer "golden images" can be put through the update-certification-release cycle. Any version of Flash or Acrobat/Reader that is incorporated into an OS golden image will almost certainly be vulnerable by the time a system with that OS installed reaches a customer. You're going to have to update the moment you're out-of-box, so why pre-install something you're going to have to patch anyway (assuming you patch at all)? And Apple can't autopatch it... their Software Update only updates Apple products (i.e. products which they actually have the legal right to patch).
And, of course, the headlines would (and do) read "Macs being exploited" instead of "Adobe being exploited". Apple doesn't want that, and is in a position to do something about it.
Do we perhaps understand why Apple does some of the things it does a little better now? Do we perhaps understand why Microsoft doesn't include Flash/Reader as part of its OS? Does Adobe need to get its goddamned act together before they start throwing rocks at OS vendors?
Re:There's a safe alternative! (Score:3, Insightful)
Try using it first.
I say this as someone who constantly installs it to see progress and has pretty much lost hope. The recent lightspark thing would be neat if it supported hulu.
Re:Abode Is The Weakest Link (Score:5, Insightful)
Re:Abode Is The Weakest Link (Score:4, Insightful)
The sad thing is that it took Reader about 3 or 4 versions not to be complete crap and the moment it actually got good they started bloating it almost as much as Emacs, except with stuff that is neither cool and powerful nor useful to the vast majority of users.
What should be a simple lightweight document viewer now requires an installer a significant fraction of the size of an entire Windows installation from just a decade or so ago.
Re:Understand Apple a bit better? (Score:4, Insightful)
And, thankfully, content providers still want their stuff to work on computing devices (like iPhones and iPads) that don't support Flash and so are providing non-Flash alternatives. That's not just good for Apple customers, but everybody in the long run.
Thanks Uncle Jobs! (Score:4, Insightful)
Re:Adobe sucks. (Score:1, Insightful)
Sumatra PDF [kowalczyk.info]
Re:There's a safe alternative! (Score:5, Insightful)
From the source: "Gnash... supports most SWF v7 features and some SWF v8 and v9. SWF v10 is not supported by GNU Gnash." [gnu.org]
Yeah. Sounds really useful. They support MOST of a SEVEN YEAR OLD VERSION. [wikipedia.org] Woo hoo, sign me up!
And by the way, who's to say that Gnash is free of bugs and/or exploitable holes? One problem with re-implementing something is that you're likely to (and sometimes need to) reproduces the original, bug for bug and flaw for flaw. Just ask the WINE guys.
Re:Two weeks (Score:2, Insightful)
Exhibit number 23 ... (Score:3, Insightful)
Re:Abode Is The Weakest Link (Score:3, Insightful)
HTML5 video [youtube.com] is here.
Adobe has no further reason to exist.
Great, video on the web. Sure if your knowledge of flash doesn't extend past it's ability to be a video container then you would think it is now pointless. However flash is a lot more than that and unfortunately HTML5 content creation tools are rubbish, until such time as there is a CS-quality toolset for creating HTML5 content, SVG supporting audio, we get some method for block invasive HTML5 content, performance gets on par with flash, etc... flash will remain relevant. HTML5 should undoubtedly push flash into the past but it still needs a lot of work from many different vendors and the standards body to actually get there as a viable replacement.
Re:OS makers not helping much either (Score:2, Insightful)
The problem with web browsers executing arbitrary code is really only "solved" with sand-boxing when you assume that your private personal data is stored on your hard disk. Unfortunately, since most personal data is now stored and accessed through a web browser, you have essentially allowed arbitrary code to operate on your personal data.
Emacs was compromised by a similar line of thinking, that:
Because the ability to execute code is sometimes useful when editing documents, everything should be implemented in Emacs.
Likewise, Javascript is sometimes useful for displaying information on webpages. However, this does not imply that web browsers should be an application platform.
Carrying these assumptions forward blindly gives rise to many of the current challenges of today.
Re:Abode Is The Weakest Link (Score:3, Insightful)
Until they go to install something that only works on an admin account. Then they quickly abandon the limited user accounts. Of course you can't blame the OS for that but the program writers that require admin to not just install but to run.
Not why you should thank him (Score:1, Insightful)
Every time I see a story like this (which is often) I thank Steve Jobs for no Flash on my iPhone along with all the wonderful people who develop the various Flash blockers for web browsers.
I don't have an iPhone, but I thank him for forcing web developers to find alternatives to Flash.