
Adobe Warns of Critical Flash Bug, Already Being Exploited

Trailrunner7 writes "On the same day that it plans to release a patch for a critical flaw in Shockwave, Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader. The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac, and won't be patched for nearly two weeks. The new Flash bug came to light early Thursday when a researcher posted information about the problem, as well as a Trojan that is exploiting it and dropping a pair of malicious files on vulnerable PCs. Researcher Mila Parkour tested the bug and posted a screenshot of the malicious files that a Trojan exploiting the vulnerability drops during its infection routine. Adobe has since confirmed the vulnerability and said that it is aware of the attacks against Reader."
  • by WrongSizeGlass ( 838941 ) on Thursday October 28, 2010 @06:08PM (#34057150)
    Adobe's Acrobat, Reader & Flash are the weakest security links on any PC. This isn't really news any more ... it's expected.
  • Adobe sucks. (Score:4, Interesting)

    by RocketRabbit ( 830691 ) on Thursday October 28, 2010 @06:12PM (#34057200)

    Isn't Flash supposedly sandboxed? And, what the hell is Flash doing in a PDF viewing utility?

    I think it's about time to go from using Click2Flash to just deleting the Flash plugin completely.

  • by pinkishpunk ( 1461107 ) on Thursday October 28, 2010 @06:14PM (#34057228)
    One has to wonder these days if they even try to fix their products. Given the rate these problems show up, maybe they should start to think about starting from scratch with a bloatless reader. Wishful thinking, I know; they have gotten everyone to use the bloat in one way or another :(
  • by Anonymous Coward on Thursday October 28, 2010 @06:17PM (#34057262)

    The nice thing about html5 is that it's plaintext, and thereby can't be exploited - only the parsers can. And the nice thing of these parsers - which we also call Browsers - is that you can choose, and secure them yourself.

    Bye Bye Flash
    Html5, here we come!

    -F

  • Relevant? Bah (Score:4, Interesting)

    by markdavis ( 642305 ) on Thursday October 28, 2010 @06:25PM (#34057368)

    >"The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac"

    What horrible wording. One could read that to mean Linux is not a "relevant platform" in general, or that the vulnerability can't use the exploit to do anything to a Linux system or several other things.

    From the article:

    "A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh."

  • by yuna49 ( 905461 ) on Thursday October 28, 2010 @06:39PM (#34057488)

    I'm running the 64-bit "preview" Linux plugin called "Square [adobe.com]". Adobe reports, "You have version 10,2,161,23 installed" when I check by right-clicking on a video and choosing About. Does that mean I'm not vulnerable to this flaw?

  • by 0123456 ( 636235 ) on Thursday October 28, 2010 @06:41PM (#34057510)

    Attention browser developers:

    Start sandboxing the browser so that by default, plug-ins are sandboxed from each other and from instances of each other in other "sessions" and they are not allowed a persistent storage.

    Or run Linux and use an AppArmor wrapper to prevent Flash from doing anything bad if it's compromised.

    On my systems it can't read much of anything, can't write to anything other than /tmp and its own config files, and web sites can't download flash turds to track me... all enforced by the kernel.

  • Re:Two weeks (Score:4, Interesting)

    by today ( 27810 ) on Thursday October 28, 2010 @06:52PM (#34057576) Homepage

    Just a guess, but removing authplay.dll might help mitigate the Reader portion of this exploit. I generally do that after every Reader upgrade because a similar vulnerability happened once before. Besides, who ever uses Flash inside a PDF document anyway?

  • by Statecraftsman ( 718862 ) * on Thursday October 28, 2010 @07:02PM (#34057686)
    There's no correlation between age of a product and security. If anything the older the project and more nebulous the code base, the less likely anyone inside Adobe even understands it all. I use sumatrapdf and evince so I'm not affected personally but I think the only hope is either replacement or freeing the source code for the product. From a business perspective, Adobe will only go and fix bugs that become a big enough PR disaster that they can't ignore them. There would also need to be a viable alternative to their products.

    Similarly to how Microsoft has had to acknowledge OpenOffice, at some point hopefully GIMP and Inkscape and other creative tools will cause Adobe to address their own issues. The software industry has a serious lack of competition and without free software that closely mimics commercial products, it's hard to imagine anything improving substantially in the near future.
  • On Windows, you can force any program to run at Low IL (Integrity Level support requires Vista or above). Low IL processes, regardless of their nominal user permissions, can only write to Low IL folders. There are only a couple of these in the base install - %USERPROFILE%\AppData\Local\Low contains things like the Temporary Internet Files folder (IE runs at low IL by default).

    Low IL processes also can't start other processes at higher integrity levels. If for some reason you need a higher level (the usual reason is saving files) you can have a "broker process" that runs at the standard level (Medium IL) and exposes some interprocedural communication to the Low IL process. Strictly speaking this opens a hole in your sandbox, but it's a lot easier to lock down that broker process since it's very special-purpose and has a very small attack surface. Also, the broker process can be used to present a warning to the user when it is invoked for anything potentially dangerous (IE's "Protected Mode" warning appears when the browser asks the broker process to start an external application).

    It's not as customizable as AppArmor, but it's less complicated. Unfortunately, it also takes a little tweaking to find out how to set process or folder IL.

  • by WD ( 96061 ) on Thursday October 28, 2010 @08:32PM (#34058238)

    I've tested the latest 10.2 preview of Flash and it is vulnerable. The US-CERT vulnerability note has been updated to reflect this: http://www.kb.cert.org/vuls/id/298081 [cert.org]

  • by bmo ( 77928 ) on Thursday October 28, 2010 @08:43PM (#34058308)

    The download for the Linux Adobe Reader is 60 some-odd megabytes. The font package is another 40 some-odd.

    It's only supposed to be a document display. I remember a full blown 32 bit operating system with a GUI (OS/2) that took up a stack of 16 (estimating) 3.5 inch floppies. Just what the fuck is Adobe doing?

    The only thing I can think of is that the code base for Adobe Reader is spaghetti code and every time they update it, it adds more spaghetti. This probably explains the very long lag time when it comes to security updates.

    --
    BMO

  • by hitmark ( 640295 ) on Thursday October 28, 2010 @10:05PM (#34058720) Journal

    Not unlikely, given that Photoshop apparently has code inside it that dates back to m68k Mac.

  • Re:Adobe sucks. (Score:3, Interesting)

    by RocketRabbit ( 830691 ) on Thursday October 28, 2010 @10:23PM (#34058788)

    Actually Adobe Reader was always presented as a PDF reader. All the other shit they tacked onto it was added after several revisions.

  • Re:Adobe sucks. (Score:1, Interesting)

    by Anonymous Coward on Thursday October 28, 2010 @10:25PM (#34058794)

    Does Click2Flash even work? On the Firefox front, the Better Privacy folks have shown that FlashBlock and others don't truly work -- that an attacker who chooses a non-standard "extension" for a Flash URL and tweaks the HTML a wee bit can sail right past them. FlashBlock is only really good for stopping advertisements (which are usually, but historically not always, safe).

    Repeat: FlashBlock in Firefox does NOT offer protection against malicious Flash.

    In Windows, there's a registry change that supposedly turns off the ActiveX/Internet Explorer version of Flash player. So my new plan is no Flash in Firefox, period. On Windows I'm gonna try that Registry hack. Maybe this means I'll have to hit YouTube with Chrome to watch videos. Shrug. My security is worth something, and Adobe is no longer trustworthy.

  • What happens when... (Score:2, Interesting)

    by BLToday ( 1777712 ) on Friday October 29, 2010 @12:10AM (#34059370)

    What happens when, in 6 or 12 months, manufacturers like Samsung stop updating their current release Android phones? (Talk to a Behold 2 owner about Samsung not updating phones right after release). How are we going to be protected from the army of infected phones? Who's going to be responsible for updating a Flash vulnerability in Android if the manufacturer doesn't release updates? Will Flash updates be pushed from Adobe?

  • by Kjella ( 173770 ) on Friday October 29, 2010 @08:13AM (#34061160) Homepage

    Many cultures use commas instead of periods for the decimal mark. Specifically, see here.

    Yes, but it doesn't necessarily imply the same is true of version numbers. Here in Norway we swap the dots and commas in numbers (1.234,55 vs 1,234.55) but I have never seen any software package, domestic or foreign, that uses anything but dots in their numbering. I think they're more considered dividers like in chapters, that do use dots like "3.4 Crossing the beams". And ok, so (float)7.5 makes sense but what exactly would a kernel version number of 2.6.36 mean? What when you go from 2.6.9 to 2.6.10? It does not make any sense, but if you consider them equal to chapters it makes perfect sense.
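
Added example (not part of the thread and not Adobe's code): the version strings quoted in the comments above mix dots and commas, and a patch-level check has to compare them field by field, the "chapter number" ordering Kjella describes. The function names and the sample inventory are assumptions made for this sketch; the two upper bounds are the ones quoted from the advisory in markdavis's comment.

```python
import re

# Upper bounds ("X and earlier") as quoted from the advisory in the thread.
AFFECTED_MAX = {
    "desktop": "10.1.85.3",   # Windows, Macintosh, Linux, Solaris
    "android": "10.1.95.2",
}

def parse_version(text, width=4):
    """Parse '10.1.85.3' or '10,2,161,23' into a tuple of ints.

    Fields are compared one by one, like chapter numbers, so 2.6.9 < 2.6.10.
    Short versions are zero-padded to `width` fields so '10.1' == '10.1.0.0'.
    """
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(?:[.,][0-9]+)*", text):
        raise ValueError(f"not a dotted or comma-separated version: {text!r}")
    fields = re.split(r"[.,]", text)
    fields += ["0"] * (width - len(fields))
    return tuple(int(f) for f in fields)

def in_advisory_range(installed, platform):
    """True if `installed` is at or below the advisory's bound for `platform`."""
    return parse_version(installed) <= parse_version(AFFECTED_MAX[platform])

def audit(inventory):
    """Return the hosts whose (platform, version) falls inside the stated range."""
    return sorted(host for host, platform, version in inventory
                  if in_advisory_range(version, platform))

# Constructed inventory: host names and the 10,1,82,76 / 10.1.92.10 builds
# are sample values, not taken from the page.
SAMPLE_INVENTORY = [
    ("ws-01", "desktop", "10,1,82,76"),
    ("ws-02", "desktop", "10.1.85.3"),
    ("ws-03", "desktop", "10,2,161,23"),   # preview build mentioned in the thread
    ("ph-01", "android", "10.1.92.10"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
    # Plain string comparison gets multi-digit fields wrong:
    print("2.6.9" < "2.6.10", parse_version("2.6.9") < parse_version("2.6.10"))
```

A `False` from `in_advisory_range` only means the build is newer than the bound stated in the advisory; WD's comment above reports the 10.2 preview as vulnerable as well, so builds outside the range still need checking against the US-CERT note.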
