Bug Security IT

Adobe To Patch Flash 0-Day Friday

Trailrunner7 writes "Adobe is planning to patch the recently disclosed Flash Player vulnerability on Friday — just four days after it was disclosed — for users on Windows, Mac OS X and Linux. The vulnerability is being used in targeted attacks right now that use malicious Word documents. Adobe said it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel, but Reader X users will have to wait till June for a fix."
  • by gazbo ( 517111 ) on Thursday April 14, 2011 @11:58AM (#35818654)
    Impressive.
    • by Riceballsan ( 816702 ) on Thursday April 14, 2011 @12:09PM (#35818802)
      This may be one of the few times 0 day was actually used right. 0-day hits without warning, and it has to be patched after the fact, assuming of course there were no warnings by white hats beforehand that were ignored/covered up. That being said, as much as I hate Adobe and the ridiculous amounts of security flaws that actually allow these issues to occur, seriously, who the heck would want the ability to use Flash in a Word document, so they can print animations? That being said, 4 days is actually decent response time, compared to say Word itself that will probably have the patch for this itself in a few months.
      • No, look it up, you're wrong. Zero-day means the developer doesn't know about it. It's here. [wikipedia.org] This particular exploit has been known, by Adobe, for at least four days. Don't make the mistake of thinking because YOU don't know what the exploit is, it's still a zero day.
        • so, that'd make it a 4-day? >__>
        • No, zero-day means that the developer didn't know about it when the attack went live. They'll eventually discover the vulnerability and patch it, but that doesn't change the fact that it was a zero-day attack.

          • Zero-day attack = attack perpetrated using a zero-day vulnerability.
            Zero-day vulnerability = vulnerability the developer doesn't know about.

            Please read the summary again and realize which one we are talking about here.
            • It doesn't change the fact that it was a zero-day vulnerability, either.

              And Adobe themselves called it one:

              During our response to any zero-day vulnerability, Adobe seeks to protect as many users as quickly as possible. As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing. Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism. Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris and Android (more than 60 platforms/configurations altogether) to ensure the fix works across all supported configurations. Typically, this process takes slightly longer and, in this case, is expected to complete on April 15 for Flash Player for Windows, Macintosh, Linux and Solaris

              • Please read that and tell me, do you think it was written by a PR agent, or by a security expert?

                We know what a 0-day vulnerability is. Whether Adobe uses the term correctly or not is irrelevant to the discussion.
                • by _0xd0ad ( 1974778 ) on Thursday April 14, 2011 @01:15PM (#35819600) Journal

                  It was a zero-day vulnerability. The fact that it's no longer a zero-day vulnerability isn't nearly as important as the fact that it was one, since the very fact that we're discussing it means that it's no longer unknown.

                  If you want to be that pedantic, you might as well just throw out the term altogether, because as soon as you find out that a 0-day exists, it ceases to exist.

                  • by lennier ( 44736 )

                    as soon as you find out that a 0-day exists, it ceases to exist.

                    The 0day that can be named is not the true 0day.

                    What is the sound of one buffer overflowing?

                  • by arth1 ( 260657 )

                    No, the Heisenphrase is still quite useful, but just like "undiscovered species" it has to be qualified with a word like "previously" when talking about a specific occurrence, and not used in statistics, forecasts and speculations.

                    • Why does it need to be qualified with a word that's redundant given the context?

                    • by arth1 ( 260657 )

                      Would you call a new species that was discovered last week a "previously undiscovered species", or insist on "undiscovered species" because "previously" was redundant given the context?

                    • If you're talking about its discovery, it's redundant to say that it was previously undiscovered.

        • The attack was a zero day attack, Adobe didn't know the vulnerability existed until the attack was discovered. They are now patching said attack on day 4. Saying that Adobe is patching a zero day attack 4 days after it was discovered doesn't seem unreasonable to me.

          • Except it's no longer a 0 day once it is discovered. They are not patching a zero day vulnerability, they are patching a vulnerability that used to be a zero day and no longer is.
            • Yes, Adobe will patch a vulnerability that was used in a 0-day attack. Or "Adobe To Patch Flash 0-day" for short.

              I suppose when I ask if you know what time it is you'll say "Yes", then give me a lecture on how my question was improperly phrased if I'm not satisfied with your answer.

      • by quenda ( 644621 )

        So it is actually a "minus four day" attack?

      • by arth1 ( 260657 )

        This may be one of the few times 0 day was actually used right.

        Actually, no. It's a prime example of it being used wrong, as crisis maximization.

        Zero day is a vulnerability before you discover it.
        First-day is when you immediately put out a fix.
        4 days after discovery, like this is, is three days after that and has nothing whatsoever to do with zeroth-day exploits.

    • I miss reading a Slashdot article about a 0-day (within hours of the actual vulnerability), then going to patch it and discover I'd already patched via my distro's repository.

    • Actually I'd like to go a day WITHOUT a notice from Adobe about patching something.
  • This one comes in via Word. MS released a security update this week that installs an Office add-in that scans 2003, 2007 & 2010 Office docs for malicious code. Hopefully MS's efforts will prevent the next Adobe security hole.
    • by ledow ( 319597 )

      HOW MANY MORE TIMES?

      Do NOT open a document that you're not expecting, that isn't from someone you know, etc. Yeah, you could say that this can be passed legitimately from person to person but come on - this is the first rule of virus protection - don't open documents without screening them (not via some magical software that "knows" if it's bad or not, but by using your brain) first.

      The fact that you can even still GET a Word virus whether it executes in macros, integrated Flash or some other ActiveX-based

      • Why should I?

        It's a fucking document. It's a series of bits which are converted into pixel values and shown on a screen, not code.

        If you get your computer compromised by a document, then the only person whose fault it is is the one who wrote the document decoder (and/or the idiot who decided that documents should include embedded code, which is ridiculous).

        You have your computer configured right now to accept documents that you're not expecting -- jpegs, all over the web. But you do this all the time, becau

        • But you do this all the time, because you know that the folks who wrote your browser managed to not fuck up a jpeg decoder -- no matter what's in that file, the worst it can make you do is get in trouble with your boss.

          I can think of at least one way a JPEG can get you in bigger trouble than that. >_>

        • Well, I've experienced plenty of documents that pull in real-time data for a portion of the document... unfortunately Flash is commonly installed as a "safe for scripting" active-x plugin in windows... I prefer simple pdf viewers, and don't open unexpected attachments... I really would just prefer that there were two differing extensions for such "interactive" documents, opposed to read-only, no interaction...
        • by lennier ( 44736 )

          A million times this.

          What bugs me is that all the programmers who wrote these format decoders riddled with buffer overruns still have jobs. How can that be possible? Either they knew at the time that they were writing unsafe virus-holes - and went ahead anyway, thus committing gross negligence - or else, even worse, they had no way of telling if the code they were writing was safe or unsafe and yet went ahead and released it on a "who knows, what's the worst that could happen?" sort of policy.

          Either way, it

      • Well as much as part of that is true, for the most part it is terrible advice. "Don't open anything given to you by people you don't know" is solid advice, but it is half the time interpreted as something is safe if it is from someone you know and trust. Viruses don't work that way, most infections I run into these days were given to the person by their grandmothers who wouldn't hurt a fly. Second part is unexpected, this is also true, getting "hahafunny.doc" out of the blue is almost a guaranteed virus, bu
      • by rssrss ( 686344 )

        "Microsoft just don't care any more."

        I did not think Microsoft ever cared about anything other than Microsoft's profits.

    • by ackthpt ( 218170 )

      This one comes in via Word. MS released a security update this week that installs an Office add-in that scans 2003, 2007 & 2010 Office docs for malicious code. Hopefully MS's efforts will prevent the next Adobe security hole.

      I've always assumed Word Processor was not the same as Compiler or Interpreter. Shows just what a marvelous world it is when your Word documents aren't even documents at all, but full environments of their own.

      Generally THIS is why I don't use Word at home - I use a Word Processor which is a Word Processor and nothing more.

      • Long live gedit. also and on the plus side, it is a simpler tool that makes you focus on the content of what you are writing.
      • Generally THIS is why I don't use Word at home - I use a Word Processor which is a Word Processor and nothing more.

        Emacs users all of the world spit in scorn at your shameful statement.

        • Unsophisticated people use hundred-megabyte software packages to prepare documents.

          Sophisticated people use vim and latex.

    • Does it come in via Word, or via a Word document? i.e. if I opened up a malicious .doc/.docx in Open Office, would I be affected?

      I've been modded down to troll for asking these kinds of questions before. I'm really just curious, I ask with all humility, grace, and supplication...
      • Does it come in via Word, or via a Word document? i.e. if I opened up a malicious .doc/.docx in Open Office, would I be affected?

        From Adobe's security bulletin: [adobe.com]

        There are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page or a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform.

        I don't know if OO will try to use the .swf payload inside the Word document.

        • I continue to be stunned by the fact that Word will attempt to launch an embedded Flash object ... I'm completely baffled by the fact that you can put a .swf file at all. Why the hell would you need that?

          It's no wonder we get so many *(&$^& viruses when word-processors attempt to launch embedded executable files without asking or anything.

          To me that sounds like the security equivalent of picking up used syringes off the ground and sticking them into your arm to see what's in them.

          I mean, WTF? Does

          • by lennier ( 44736 )

            I continue to be stunned by the fact that Word will attempt to launch an embedded Flash object ... I'm completely baffled by the fact that you can put a .swf file at all. Why the hell would you need that?

            And what happens if you print that?

            Do you get a Youtube movie at 60 pages per second coming out of your laser printer?

          • I am not a hacker in this area but the word .doc format is specifically designed as an executable. The reason why is to make it harder for people to leave the MS ecosystem and switch to competing products. Also it is there to give Visual Basic an edge.

            Virus makers love this as their code can hide in a perfect container. OpenXML which is now used is far superior because nothing is hidden but it also supports legacy binary blobs of executable code.

  • by Anonymous Coward on Thursday April 14, 2011 @12:07PM (#35818770)

    At least my iPad is still safe.

    • Re: (Score:3, Informative)

      by Tackhead ( 54550 )

      At least my iPad is still safe.

      Not necessarily. Even without Flash support, those things are huge vectors for earworms.

      7 am, waking up in the morning
      Zero-day fresh, gotta get my warez,
      Gotta sign my key, gotta have serials
      Crackin' everything, the time is goin'
      Tickin' on and on, everybody's codin'
      Gotta log on to the Slash - dot
      Gotta slash my dot, I click Refresh...

      PDF for printouts,
      Flash is for online,
      Gotta make my mind up,
      Which code did they break?

      It's Friday, Friday
      Zero-day on Friday,
      Sysad

    • Just as a Power Wheels truck is safe from a high-speed crash.

  • If the malware is distributed with Word docs, then how can it infect Linux? Does it work with Open/LibreOffice too?
    • Re:Linux? (Score:4, Informative)

      by machxor ( 1226486 ) on Thursday April 14, 2011 @12:15PM (#35818868)
      The vulnerability exists in Flash Player not Microsoft Word. A Word document is simply the package being used to distribute the payload.
    • Neither TFA nor TFS say it infects Linux, though it sure reads like that at first, it actually says a patch will be available for Windows, MacOS X and Linux. It's probably minimal effort to plug the hole in all of them at once.
  • by Anonymous Coward on Thursday April 14, 2011 @12:15PM (#35818870)

    Doesn't Slashdot post this same article every week?

  • And the whole damn country can be taken down by a media player. Truly fascinating.

    • Re: (Score:2, Funny)

      by geek ( 5680 )

      Unless you're on an iPad

    • by lennier ( 44736 )

      I used to think that William Gibson's Neuromancer was wildly unrealistic for portraying a future Net so riddled with vulnerabilities that any cowboy kid with a cyberspace console could hack their way into a bank and escape barely milliseconds ahead of the Intrusion Countermeasure Electronics.

      Now I know that the unrealistic part is that there's any countermeasures at all.

  • by Anonymous Coward

    They are planning to patch Friday?
    Why does Friday need patching?

  • by fahrbot-bot ( 874524 ) on Thursday April 14, 2011 @12:23PM (#35818978)
    The Flash Player for Windows will get patched on April 25, but the Flash Player bug in Reader X for Windows will get fixed in June because the Reader X sandbox prevents exploitation. From TFA:

    Adobe said on Wednesday night that it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel. A separate patch for Adobe Acrobat X for Windows and Mac, Reader X for Mac and Reader 9.x for Windows and Mac on April 25.

    The company is planning to wait until June to release a patch for the Flash Player bug in Reader X for Windows because the sandbox in that application prevents exploitation of the vulnerability. The patch for Chrome will be available earlier than the others thanks to Adobe's relationship with Google.

    • by trparky ( 846769 )
      Even if they don't release the patch for Google Chrome, Google Chrome users are still fully protected.

      All of these exploits in Adobe products are why everyone is coming out with their own PDF viewers or sandboxing the hell out of Adobe Flash.

      Google Chrome has it right, wrap Adobe Flash in the same nearly impenetrable sandbox that the browser itself is wrapped in. The Google Chrome sandbox has proven time and time again that no matter what exploit is found in the browser, the sandbox has rendered them co
      • Smells astroturfy, because you're making sure to call it "Google Chrome" every time instead of just "Chrome" like a normal slashdotter would.

  • A bit hard to find, but this specific vulnerability is in "10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems."
  • It's funny to see everyone arguing over what zero day means ...

    Back in my day, and yes, I'm an old geezer apparently, zero day meant ... the first day it was discovered.

    zero day warez releases were released the same day as the software hit the shelves or went on sale somewhere.

    The next day, it was no longer zero day, it would be 1 day.

    You also had pre-release warez of course, for things that were available on ftp sites or IRC before the public release, also commonly called zero day warez as well.

    You wouldn't

    • by Imagix ( 695350 )
      I'm with you on this one. 0-day as a descriptor is nearly meaningless noise as it is currently used. "A vulnerability that the vendor doesn't know about yet.". Big deal. "A new vulnerability" says pretty much the same thing. If it takes the crackers four years to find the vulnerability, it still counts as a 0-day. Part of the cachet around "0-day" originally was a giant raspberry to the software vendor that their copy protection for their software was so weak that it was broken the same day that it w
      • A new vulnerability can be found by white hats and reported to the company, which is not a 0-day. A new vulnerability can be found by black hats and exploited before the company knows about it. That's a 0-day, and it's problematic because the company wasn't able to attempt to mitigate or fix the problem before it was exploited. Not all new vulnerabilities are 0-days; probably most are not. It's not important whether a vulnerability was found the first day the software was released or not. The important thi
  • Wasn't he a quarterback for the Irish?

  • I guess, does it push the update out to users?
  • by xororand ( 860319 ) on Thursday April 14, 2011 @02:12PM (#35820216)

    Try to uninstall Adobe Flash for a week. I did and I can't say that I miss anything.

    YouTube:
    - The HTML5 beta [youtube.com] works rather well with modern browsers like Firefox 4.0 and nearly every video is available. You don't need a Google account. The setting is stored in a cookie.
    - If you're on Linux, try Minitube [gawker.com]. It's a standalone player for YouTube that uses hardware acceleration.

    Thanks to the iPad, more and more web sites offer alternatives to Flash. My preferred news TV station is now streaming both with Ogg/Theora and H.264.

    Yes, I can't view the occasional funny cat video because it's only available in Flash format but guess what: I'm still alive.

    • Really? Which news site streams OT?

      • It's a German news program: tagesschau.de
        Screenshot [imgur.com].
        They got an award for it too:

        "The Free Software Foundation Europe (FSFE) and the Foundation for a Free Information Infrastructure (FFII) have used the occasion of Document Freedom Day 2011 to give an award to German broadcaster ARD's internet platform tagesschau.de for offering broadcast shows in the free Ogg Theora video format. According to the FSFE announcement, the technical manager and vice editorial director will be presented with cakes at separate e

        • According to the FSFE announcement, the technical manager and vice editorial director will be presented with cakes at separate events in Hamburg and Berlin."

          It's a trap! The cake is a lie!

  • Stable Channel release 10.0.648.205 is out. Thanks Google for the incredibly swift response.
  • It seems they are following in suit behind Microsoft with the "we will patch it when we feel like it" attitude. Disappointing.
  • Here's the summary of the conversation:
    Him: dude, it's happened again.
    Me: too much porn man.
    Him: I didn't do anything, even used Chrome and Firefox
    Me: which site did you go to?
    Him: it's my office computer, I can't look at porn here.
    Me: OK, maybe there's not enough porn on your computer.

  • So still waiting on that patch. When was that going to be released again?
