Adobe Patches Second Flash Zero-Day In 9 Days 178

Posted by samzenpus
from the protect-ya-neck dept.
CWmike writes "For the second time in nine days, Adobe has patched a critical vulnerability in Flash Player that hackers were already exploiting, Computerworld's Gregg Keizer reports. Adobe also updated Reader to quash 13 new bugs and several older ones the company had not gotten around to fixing. The memory corruption vulnerability in Flash Player could 'potentially allow an attacker to take control of the affected system,' Adobe said in an accompanying advisory. 'There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages.' Adobe last issued an 'out-of-band' emergency update on June 5, when it fixed a critical flaw that attackers were exploiting to steal Gmail login credentials. Those attacks were different from the ones Google disclosed the week before, when it accused Chinese hackers of targeting specific individuals, including senior U.S. and South Korean government officials, anti-Chinese government activists and journalists. Google, which bundles Flash Player with Chrome, also updated its browser Tuesday to include the just-patched version of Flash."

  • Every time I turn on my computer, another update... just do it silently already if it's such a problem otherwise I'm going to uninstall.

    • by jo42 (227475)

      The best solution to the crapware known as "Flash Player" (on Adobe's own site no less): http://kb2.adobe.com/cps/141/tn_14157.html [adobe.com]

      • by Mashiki (184564)

        Too bad that pushing 90% of the web these days uses it including for full site design.

        • Re:WTF adobe (Score:4, Insightful)

          by dgatwood (11270) on Wednesday June 15, 2011 @08:45PM (#36458072) Journal

          Really? I've been using the ClickToFlash Safari extension for a couple of years, and the Click2Flash Safari plug-in for a year or more before that, and (not counting Flash games) I can count the number of sites where I've had to load Flash content on one hand, give or take. I've only seen about two sites in three or four years that use Flash for the main navigation, and neither is a site that I visit regularly.

          YouTube content is generally usable with the HTML5 video tag, which pretty much eliminated the one site I regularly use that required Flash. I'm going to go out on a limb and say that 99% of the Flash content I encounter is advertising, and sites generally work correctly if the Flash content doesn't load, so I see no reason not to disable Flash.

          • And, what's more, there's the Flashblock Add-on, which lets you re-enable flash on a case-by-case basis for the rare occasion where you need it, and where the culprit won't listen to its customers.
        • by mikestew (1483105)

          I don't even have Flash installed on the two machines I mainly use, and view a lot of pages on the Flash-incapable iPad and iPhone. The only place I notice the lack of Flash is YouTube and Hulu. YouTube is fine on iOS, and there's a Hulu app for iOS and Mac OS X. Sure, once in a while a site doesn't render. As I used to say about RealPlayer, there's nothing on the web I need to see so badly that I'm willing to install Flash.

        • Too bad that pushing 90% of the web these days uses it including for full site design.

          But honestly, who needs those 90% of crap sites? And if some needed site slips in along with all the trash, there's e-mail, there's phone, and there's competitors.

          If more people did the civic thing, and actually call the relevant companies when there is a problem, it wouldn't be such a huge issue.

    • by brucek2 (208676)

      And also, why is the update process tied to system startup? My main desktop rarely reboots, which means I get these updates only weeks after I needed them, or after taking special action because I saw a story like this one.

      • Re:WTF adobe (Score:5, Informative)

        by PNutts (199112) on Wednesday June 15, 2011 @07:24PM (#36457428)
        http://secunia.com/vulnerability_scanning/personal [secunia.com] "The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals. The only solution to block these kind of attacks is to apply security updates, commonly referred to as patches. Patches are offered free-of-charge by most software vendors, however, finding all these patches is a tedious and time consuming task. Secunia PSI automates this and alerts you when your programs and plug-ins require updating to stay secure." Set and forget.
        • by Xtravar (725372)

          Wow, that seems useful. I never understood why MS doesn't put 3rd party stuff into Windows Update.

          • They do offer this if you run Windows Server Update Services (WSUS). It is called System Center Updates Publisher (SCUP). Saves a lot of time and hassle for Windows domain admins. Adobe, HP, Dell, and many other big vendors are compatible. It doesn't cover every piece of software under the sun, but it covers most of the ones likely to cause havoc due to 0 day exploits.
      • by Qzukk (229616)

        Actually, it's tied to the login process, logging out and back in triggers the updater. As for why, I'm guessing that it's because there's no central repository that can be checked periodically, and people whine and moan about having a half dozen executables sitting around and doing nothing but checking for updates. I've got computers at work that have programs in the background for Java updates, InstallShield (several programs use this), Apple's updater, Adobe's updaters and Google's updater, all on top

    • Every time I turn on my computer, another update... just do it silently already if it's such a problem otherwise I'm going to uninstall.

      I already have. You won't miss much, and I doubt it'll stay the standard container format for web video much longer.

  • by farnsworth (558449) on Wednesday June 15, 2011 @07:31PM (#36457490)
    Since it didn't say in the summary:

    Affected software versions

    • Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
    • Adobe Flash Player 10.3.185.23 and earlier versions for Android
  • it's not in iOS? Besides the whole Apple-Adobe fighting & Apple pushing other standards.
    Enjoy.

    • Flash is the new RealPlayer. The sooner everyone uninstalls it the sooner it sinks into obscurity where it belongs.

    • by dudpixel (1429789)

      For argument's sake - it's not in Android either.

      Users must explicitly download and install it (unless the manufacturer bundles it - which they shouldn't).

      Maybe Adobe should be the one responsible for their software, so that Apple doesn't feel like they have to be. It's about time they (Adobe) cleaned this crap up.

  • Gotta love FlashBlock.

  • by hoeferbe (168081) on Wednesday June 15, 2011 @07:38PM (#36457542)

    Great. I'm glad they're patching security vulnerabilities in their 32-bit product. But why do 64-bit users have to use a vulnerable version [adobe.com] from 7 months ago?

    • by arth1 (260657)

      Indeed.
      My Add-ons manager says I have:
      Adobe Acrobat 9.4.3.231
      Shockwave Flash 10.2.152.32

      When checking for updates, there are none.
      It's mid-2011, why should the focus be on 32-bit?

      Then again, a 64-bit version of Firefox would be nice too. Or perhaps not, given how much memory it eats. With it being a 32-bit app, at least it can't gobble up more than 2 GB per process...

      • Yes the 64 bit version of Firefox seems to eat more memory. But on the other hand I haven't run 32 bit Firefox since version 1.5 so it may just be feature creep.
        • by hedwards (940851)

          The 64bit versions always use more memory, which is why you're often better off not using a 64bit version unless you've got a reason to do so.

          • by Lennie (16154)

            euh... unless you have enough memory available is also a good answer. :-)

      • by Alex Belits (437) *

        It's mid-2011, why should the focus be on 32-bit?

        It's Adobe.

    • by AmiMoJo (196126)

      Even us 32 bit users can't always upgrade. I don't have admin rights on my work laptop and it runs an ancient version of Reader 8. IT very slowly roll out updates now and then, but for now I am vulnerable.

      I can do Flash Player updates but they only happen when the machine is rebooted. I usually hibernate to preserve my environment from day to day so it might be a week or two until it happens, during which time I am vulnerable.

      • Just write a PDF exploit that grabs admin and install err, foxit or something patched a little less often than once a week.

  • ActiveX (Score:4, Insightful)

    by slyborg (524607) on Wednesday June 15, 2011 @07:43PM (#36457602)

    Adobe has managed to reincarnate ActiveX in the form of Flash. Why is this junk still being used? It's apparently got an attack surface the size of Jupiter...

  • MS had so many updates yesterday. On my 64-bit Acer OEM Vista HPE SP2 (IE7) test PC had to get over 200 MB of updates from MS. Then, Adobe updates. Augh!!

    • so you would rather them not fix it at all? I don't care about a 200 meg download [and oddly mine was less than 65M last night] but I do care if I am running an unpatched system.

      Wait I also installed Ubuntu 11.04 last night and on bootup it had at least 100 megs of updates. and 11.04 only like what 28 days old or something. THAT's some patchin right there!

      So please mr. joe company, please keep fixing your horrible [or not so horrible] code.

      Now if the folks who do Java could figure out how to actually fix

      • by antdude (79039)

        1. Don't release all the patches in the same day! I have to patch a bunch of computers manually: Linux/Debian, Windows, and Mac OS X.

        2. Companies should do a better job with their codes to avoid these security problems.

      • by 0123456 (636235)

        Wait I also installed Ubuntu 11.04 last night and on bootup it had at least 100 megs of updates. and 11.04 only like what 28 days old or something. THAT's some patchin right there!

        Windows Update generally only updates the operating system and a few Microsoft apps. Ubuntu updates the operating system and thousands of applications (or whichever of those thousands you have installed).

        And the big problem with Windows Update is not the amount it downloads, but the fact that it constantly wants to reboot after installing an update and thrashes the disk like a two dollar whore while it's installing so I usually can't do anything else.

        • by Lennie (16154)

          I think the thrashing is:

          "creating system restore point" or whatever it is called.

  • I wonder if Adobe has just given up on its pure 64-bit users (on both Windows and Linux) and decided that they can rot. I haven't seen a new Flash Player Square release mentioned anywhere since the last release came out. What on earth is preventing these people from supporting their 64-bit plugin with security updates?

  • Something like the one Adobe Reader X uses, in point of fact, one that can be configured to automatically install updates in the background without administrator privileges.

    If you're going to be so fucking useless as to need such frequent security updates, have mercy on us IT types and unfuck your auto-updater.

  • There must be some serious pressure on them if they are patching that frequently. It's not like Senate.gov or Google are getting hacked or anything. People are not really using the internet, and malicious files to go after anything pertinent, at places like Lockheed, or other RSA customers. None of those places would use Adobe Reader to open those RFPs or other thousands of forms sent to them by Uncle Sam, right?

    Barn door, meet the horse's ass that has already run away from you.

    I don't think that anyone

    • But the inference you are making is not well supported. Google's response to getting hacked was to institute a ban on MS machines. Apparently, Google lacks the resources to manage MS machines properly, which isn't exactly surprising.

      Dust off the Senate.gov and others, and you may find the same root cause. Not unsolvable; just the solutions are unworkable. Ditch them and demand something better. It's not like there is a shortage of choice.

      • by dave562 (969951)

        I was thinking about alternative choices as I was writing the original post. What can people realistically do? There are at least two or three other free PDF viewing utilities out there that I am aware of. What is to say that any of those are significantly more secure than Acrobat? For all their faults, at least Adobe has the resources to throw at a problem when something goes wrong. Can the same be said about PrimoPDF devs?

        I get the sense that Adobe has finally reached the tipping point. Their softwa

  • Strangely I decided not to read the EULA before applying the second patch in 2 days. OK, I didn't read it for the first patch in 2 days either. I hope this doesn't make me liable for...anything.
  • Ok, so who is going to come out with the joke of the day this time.....
    It is almost like 1000 monkeys were in a room for a few years hitting the keyboard in order to produce these adobe products,
    and now we are all finding out about it......

    In all seriousness, the only thing I could see attributing to the fact that these programmers just don't check their code
    is that they are all students, and maybe 1 or 2 senior programmers, and of which keeps changing regularly, so much so that the standards of coding
    are b

  • I really need a crippled and vulnerable mobile phone. Oh, Damn you Apple! Damn you Steve Jobs! You are so petty and narrow minded.
  • I wish they would just stop it with this "zero day" buzzword already. Just say "vulnerability" or even "security hole." That way, articles will be less amateurish-sounding, as if they hired a script kiddie to write the copy.
