Forgot your password?
typodupeerror
Security IT

New Adobe Flash 0-Day 133

Posted by CmdrTaco
from the thats-not-gonna-work-out-well dept.
Trailrunner7 writes "Adobe is warning its users about a critical vulnerability in Flash that affects Adobe Reader and Acrobat, as well, and is being used in some highly targeted attacks right now. The vulnerability in Flash Player affects Reader and Acrobat, both of which include Flash functionality, but it does not affect Reader X. Adobe officials said that Reader X's Protected Mode sandbox would prevent successful exploits. The company plans to have a patch for the affected products ready by next week for all platforms, including Windows, Mac, Linux, Android and Solaris."
This discussion has been archived. No new comments can be posted.

New Adobe Flash 0-Day

Comments Filter:
  • I re-installed Windows and cleared up the infestation last year. Not a particularly happy episode.

  • by moosehooey (953907) on Tuesday March 15, 2011 @01:51PM (#35494088)

    What the hell for? Fucking Adobe.

    • This is why I turned to using open source readers for pdf files.
      • I've hearing on slashdot about these open source readers for some time, but only recently did I experience one. I had a 300MB pdf that Adobe Reader just wouldn't open at all. A day or so of reading forums and updating components and I finally got it to open the file.... takes about 5 minutes and lags whenever I try to scroll. So I downloaded Foxit (after reading about it on /., and I'll never switch back. It opens the scene in about 2 seconds, and scrolls nicely. (Not that the file DID open originally

    • by KDEnut (1673932)
      IIRC it's part of the PDF standard.
      • by Anonymous Coward

        There is only one sane PDF standard, PDF/A, and Flash is not in it.

    • by garcia (6573)

      To make it the slowest possible PDF reader available. I recently switched to FoxIt after Adobe's shitty software continually hung Windows for MINUTES at a time searching for disconnected network printers I only access when I'm at the office.

      No problems with FoxIt and thus I haven't bothered to look back.

    • This is why it's bad that Windows doesn't include a basic PDF reader. Mac OS X uses Preview (an independent reimplentation) and Unix uses derivatives of Ghostscript (an independent reimplementation).

    • by syousef (465911) on Tuesday March 15, 2011 @04:15PM (#35495816) Journal

      What the hell for? Fucking Adobe.

      How else do you fit so many vulnerabilities in one product so efficiently? In fact they found they had to tap higher dimensions to fit more holes than there was physical space in Adobe products. Kinda like a cross between the Tardis and a permanent help desk role: The void is greater than physically possible.

  • by jbeaupre (752124) on Tuesday March 15, 2011 @02:00PM (#35494192)

    for those of you who want to check which version you have and which is the latest:

    http://www.adobe.com/software/flash/about/ [adobe.com]

    • Neat. According to that page, I have version 10.2.154.18 installed, which isn't listed in their table. Mind you, I'm running a dev version of Chrome, so who knows what vulnerabilities I'm actually exposed to.
      • by hAckz0r (989977)
        I think I have you beat. I'm running 10.3.162.29, and according to their page their latest is 10.2.154.12, so I'm approximately 0.1.8.17 into the future development cycle. ;)

        btw - I have a 64 bit plugin running under Firefox/Fedora.

        • Adobe tells me that I'm running version 10.3.180.42. Or rather, mostly *blocking* version 10.3.180.42 with ClickTo Flash in 64 bit Safari.

    • by Anonymous Coward

      Better yet:

      https://www.mozilla.com/en-US/plugincheck/

      It'll check ALL your plugins and tell you if they're up to date. It might fail for obscure plugins that it doesn't know about, but all the major ones are supported. Plus, you don't send a whole bunch of data to a company like Adobe.

    • by shitzu (931108)

      Version check does not help much, because the fix has not been issued yet. "The company plans to have a patch for the affected products ready by next week for all platforms"

  • by 140Mandak262Jamuna (970587) on Tuesday March 15, 2011 @02:04PM (#35494248) Journal
    The attack vector is a excel spreadsheet delivered via an attachment that contains a swf file that has this vulnerability. Looks like it is not a drive by download. Not sure if the streamed flash videos have the vulnerability. It does not affect Win7. Affects XP. If it is leveraging some specific bug in excel and then a bug in flash, it is very specific to that combination. XP+Excel+Adobe. The rest of us can rest easy and enjoy a little bit of schadenfreude.
    • by _0xd0ad (1974778)

      The payload might only be leveraging a specific bug in XP, but what's to say that a different payload couldn't be delivered through the same attack vector? One that targets other versions of Windows, even other operating systems altogether?

    • The rest of us can rest easy and enjoy a little bit of schadenfreude.

      I'm sorry, I can't even pronounce that. I'd like a Kahlúa please.

      • by Anonymous Coward

        shaw den froy duh (lightly roll the "r" in froy for some extra authenticity)

        German for "bad pleasure", means taking pleasure at the misfortune of others.

    • by Anonymous Coward

      TFA says DEP is the reason it doesn't work on Win7, so doesn't that mean 32-bit Win7 is still affected?

    • by jpea (879421)
      So, you have to open up a pdf with one hand, unplug your power cord with the other, curl your left big toe, dial 911 with your right pinkie toe, open up excel, type "meow" into row 3, column 204, then hit ctl+space+enter? damn!
  • Adobe is copying Apple from ten years ago by naming the product that comes after 9, 'X'. One key difference: Acrobat X does not run on Apple computers.

    • Apple is copying Apple records. Apple is copying the ancient Romans by using their already developed counting system.

      Perhaps Acrobat X doesn't run on Apple computers because they're not powerful enough xD? One key difference: Your computer is expensive.
    • Adobe is copying Apple from ten years ago by naming the product that comes after 9, 'X'. One key difference: Acrobat X does not run on Apple computers.

      Where do you get your misinformation? Reader X runs just fine on my MacBook Pro with Snow Leopard.

  • by Ionized (170001) on Tuesday March 15, 2011 @02:11PM (#35494340) Journal

    Seriously, get FoxIt PDF reader. It's free, and approximately 5 million times faster than Adobe Reader.

    • I had no end of problems using "other PDF" readers when I print postage from USPS.COM (yeah, I sells stuff on and off on fleaBay) This is not to say that I am a fan of Adobe, but with some things, there's just no substitute.

      • by Ionized (170001)

        I don't even have Reader installed, I use FoxIt for any PDFs I have to open and have never noticed issues. YMMV, but I suggest you at least give it a try.

        I notice the biggest difference when working with large (50+ page) PDF docs on my netbook. Adobe Reader is unbearably slow to scroll through pages, but FoxIt is painless and smooth.

    • by b0bby (201198)

      We tried it at work, but we get lots of crazy restricted pdfs from outside & we had even more problems with Foxit than Reader. Which I know, is pretty hard to believe.

      • by Songilly (1993968)
        I've had a few problems with the browser plugin not working on some pages. But for the most part I'm very happy with Foxit. Easily way better than Adobe Reader. I don't know why Adobe doesn't just make a Reader lite that is super zippy that works for 95% of things. Most people don't need all that security and locked down features. We just want to read a doc.
    • by cbhacking (979169)

      It's also actually a hell of a lot less secure than Adobe, oddly enough. Run a fuzzer with it and it falls over very easily. Apple's PDF reader has the same problem - even worse, in fact (15x as many exploitable vulnerabilities as Adobe Reader, according to a larger-scale experiment than I cared to run, see Charlie Miller's presentation at CanSecWest last year). I haven't tried fuzzing any of the other "fully featured" readers yet, but I'd be surprised if any of them did much better.

      The reason so many vulne

  • Reader 8 and 9 were tolerable, but Reader X seems like less of a reader app and more of a bloated advertisement for Adobe's other products. I suppose my machines will remain vulnerable but usable.

    • by yuhong (1378501)

      One nice thing about Reader X for me is when the browser plug-in is invoked, it displays a progress bar indicating the download of the PDF.

    • by Anonymous Coward

      Reader 8 isn't vulnerable to this because it lacks support for embedded flash files. Likewise removing authplay.dll (the dll Reader 9+ uses for embeded flash data) should mitigate the issue as well.

  • by WaffleMonster (969671) on Tuesday March 15, 2011 @02:16PM (#35494398)
    I am totally sick and tired of the constant wave of security bugs in these products. How hard can it really be after all these years to render compressed postscript without all of the underlying nonsense?
    • by Tharsman (1364603)

      No product is entirely secure, browsers are getting patched all the time due to people finding new vulnerabilities. This covers all browsers, Firefox, IE, Safari, Opera and even Chrome.

      What @#$@#$^ me off, is being forced to keep watch on two fronts for my security. If i'm using my browser, I'd wish the only thing I was able to blame for an exploit was the browser itself. With stupid plugins that web designers feel they must force visitors to use, they force me to double the potential exploitable entry po

    • Particularly with how advanced our compilers and other tools are now. When you combine compiler warnings, bounds checking, and stack shielding you don't really have any leg to stand on when it comes to exploits in your code do you?

    • by c0lo (1497653)

      When will Adobe get its act together?

      My guess: it'll be when Adobe releases it's own OS, entirely written in Flash, which also will run on smart-phones - that's the next logical development... now that emacs is lagging far behind.

  • by MrEricSir (398214) on Tuesday March 15, 2011 @02:18PM (#35494424) Homepage

    How can it be a 0 day attack when Acrobat takes 2 days to start?

    • Lately 0-day has come to mean they haven't seen it in the wild yet and haven't released the code to reproduce it (AFAIK they haven't). But yeah they toss that on anything these days .A true zero day is one you keep to your group or yourself. Groups stack them like cards in a deck for later use while keeping them secret.

      • by _0xd0ad (1974778)

        All 0-day means is that they found the exploit in the wild before they knew the vulnerability existed.

  • If you are considering "upgrading" to Reader X for safety, be aware that the installer does not contain an IFilter for extracting text from PDF files, so desktop search products relying on the IFilter will no longer be able to search your PDF files. Actually, it's worse than that. Not only does it lack an IFilter, it will remove the IFilter installed by older versions. More details here [adobe.com].

  • This is why i hate so many websites that use flash, why put all your eggs in one basket, so that when again another flash 0 day comes out, your like...wtf....do we really need to be stuck to a propitiatory software that is useless when it comes to security....all in the hopes of achieving greater visual effects for your site....at least offer a flashless option to view the site.....so many suffer from the fact that if you have no flash installed, you can not continue, but this means it hurts them more in th

    • by tlhIngan (30335)

      On the other hand, at least Android users (flash is also vulnerable there) don't have to wait for their carriers to decide when they can update their flash runtime. I assume you can just update it right there from the marketplace.

      Not sure about those Androids that ship with flash though - maybe they might be stuck?

  • Article reports: "There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment"

    *BOGGLE* If that sort of functionality is even possible, then it was just an accident waiting to happen.

    • by phntm (723283)

      the description made me twitch a bit too.
      next step i guess is to e-mail xp vmware images running internet explorer iframing excel using flash embedding a pdf

    • by cbhacking (979169)

      Excel supports OLE, and has since the 90s. Note that it's not actually putting the reader or any other directly executable code in the spreadsheet, but it can contain a reference saying "I have a SWF object that I'd like to render here" and the OS will load whatever it has that renders those.

  • And who are they after?
  • by jensend (71114) on Tuesday March 15, 2011 @04:32PM (#35496060)

    In related news, SumatraPDF [kowalczyk.info], the primary open-source PDF viewer for Windows, just had its 1.4 release a couple of days ago. In the course of the past ~6 months they've added GDI support so documents can print quickly (rather than sending huge bitmaps to printers), improved performance in all sorts of ways (notably including much-faster zooming and searching), and quashed lots of bugs. They've also added a browser plugin and a Windows Search filter (both optional). So even if you've tried it in the past and it didn't meet your needs, it's likely worth trying again.

    Outside of multimedia (e.g. Flash) and JS- both of which I've never seen used in a PDF for anything other than an exploit- the only thing Sumatra lacks at this point, AFAIK, is the ability to work well with forms.

    • by jerk (38494)

      I switched from FoxIt to Sumatra on Windows after I ran into a PDF that wouldn't open in FoxIt.

  • Flash is archaic and should be on it's way out. Advertisers are waisting a lot of money on flash as they're missing a huge market share (iOS devices). HTML5 does anything flash can do... but better and is openly supported cross platform. Even google got the smack down when they tried to nix HTML5 out of chrome as it got patched by microsoft to support it.
    • by spongman (182339)

      HTML5 does anything flash can do

      you're kidding, right?

      the thing flash does that advertisers care most about is work the same on everyone's browser. if you're paying for impressions that means a LOT.

      besides that it has a whole bunch of capabilities that HTML5 doesn't get close to. try combining:
      - fonts
      - anti-aliased vector art
      - bitmaps & pixel effects
      - animations
      - video
      - 3d
      in a single pre-compiled binary format, using little to no coding.

      even if html5 could so all of this, there are still no tools sign

  • Seems to me, if any other type of business that produces goods, had as many bugs and other crap as the adobe reader has had, wouldn't they be given large fines and other crap and not allowed to put products out until they fix it?

    While I surf safe (even with the large amount of pirated/cracked/copyrighted stuff I download, I don't get hit with virus/trojans/worms/whatever. Yet, my family, friends don't have the talent, or brains to be online like i do. Update their flash player? doubt it. update acro

  • The usual "Ragging on Flash" roundup rolling in.

    Let's look at the facts:

    1) Flash is by far the most ubiquitous end-user plattform in existance.

    2) For a little more than a decade competitors have tried to dethrone Flash. And even the most promising of those failed miserably due to pure and utter incompetence in delivering what people want and rich client developers need. (Java Media Framework and JavaFX anyone?)

    3) Compared to it's penetration and availability, Flash actually is one of the safest plattforms o

    • "1) Flash is by far the most ubiquitous end-user plattform in existance."

      No, that would be far from the truth. HTML is more widespread at the moment.

      "2) For a little more than a decade competitors have tried to dethrone Flash. And even the most promising of those failed miserably due to pure and utter incompetence in delivering what people want and rich client developers need. (Java Media Framework and JavaFX anyone?)"

      Yes Java sucks, but only as badly as Flash sucks.

      "3) Compared to it's penetration and ava

      • by Qbertino (265505)

        No, that would be far from the truth. HTML is more widespread at the moment.

        HTML isn't a programming language. Nor does it have a unified VM.

        HTML5 + Canvas + Video tag. There you go.

        Proves once again: You, as every other person here ragging on Flash, do not know what you are talking about nore have you spent 3 minutes thinking about the subject. And I'm not being offensive here, I'm just stating the facts as they are.
        There is no way that HTML5 + Canvas + Whatever can deliver the functionality of a unfied ub

        • Go to the chrome experiments site. How about a re-implementation of the classic DOS game, OOTW?

          If that can be done in HTML5, all of your links (which, BTW, give me a "MISSING PLUGIN" notice on a blank screen) can be too.

          Sorry, buddy. Flash is fucking finished.

Air is water with holes in it.

Working...