Adobe Patches Second Flash Zero-Day In 9 Days
CWmike writes "For the second time in nine days, Adobe has patched a critical vulnerability in Flash Player that hackers were already exploiting, Computerworld's Gregg Keizer reports. Adobe also updated Reader to quash 13 new bugs and several older ones the company had not gotten around to fixing. The memory corruption vulnerability in Flash Player could 'potentially allow an attacker to take control of the affected system,' Adobe said in an accompanying advisory. 'There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages.' Adobe last issued an 'out-of-band' emergency update on June 5, when it fixed a critical flaw that attackers were exploiting to steal Gmail login credentials. Those attacks were different from the ones Google disclosed the week before, when it accused Chinese hackers of targeting specific individuals, including senior U.S. and South Korean government officials, anti-Chinese government activists and journalists. Google, which bundles Flash Player with Chrome, also updated its browser Tuesday to include the just-patched version of Flash."
WTF adobe (Score:2)
Every time I turn on my computer, another update... just do it silently already if it's such a problem otherwise I'm going to uninstall.
Re: (Score:3)
The best solution to the crapware known as "Flash Player" (on Adobe's own site no less): http://kb2.adobe.com/cps/141/tn_14157.html [adobe.com]
Re: (Score:2)
Too bad that pushing 90% of the web these days uses it, including for full site design.
Re:WTF adobe (Score:4, Insightful)
Really? I've been using the ClickToFlash Safari extension for a couple of years, and the Click2Flash Safari plug-in for a year or more before that, and (not counting Flash games) I can count the number of sites where I've had to load Flash content on one hand, give or take. I've only seen about two sites in three or four years that use Flash for the main navigation, and neither is a site that I visit regularly.
YouTube content is generally usable with the HTML5 video tag, which pretty much eliminated the one site I regularly use that required Flash. I'm going to go out on a limb and say that 99% of the Flash content I encounter is advertising, and sites generally work correctly if the Flash content doesn't load, so I see no reason not to disable Flash.
Re: (Score:2)
And then their sites won't work on iPhone, iPod Touch, or iPad. In general, pandering to people running outdated browsers on an outdated OS on outdated hardware while ignoring people with the disposable income to buy modern gadgets is generally bad for sales. Just saying. :-)
Re: (Score:2)
He was talking about Asia and Windows XP; you can't upgrade to IE9. There is no IE9 for Windows XP.
You can however 'upgrade' to Firefox, Chrome, Opera.
(No I specifically do not mention Safari in that list because Safari uses the Windows libraries and thus does not support SNI)
Re: (Score:2)
No, I mean if they need Flash to support old browsers, then use a new browser. :-)
Re: (Score:2)
That is why you upload your content on the site several times or use a service which does the conversion for you (like the Internet Archive or vid.ly: http://hacks.mozilla.org/2011/01/simple-html5-video-encoding-with-vid-ly-interview-first-impressions-and-invite-code/ [mozilla.org] ).
So one for HTML5 video and one fallback for Flash.
That way, when HTML5 video does not work, a fallback is available.
This is just like everything else in web development: if an older browser doesn't support a new feature, you add a fallback or
Re: (Score:2)
... no one wants html5 apart from a small bunch of talentless creeps that want us all to return to the bad old days of "this website is best viewed with [insert browser here]" ...
Not sure what you're getting at here. I've "converted" most of my web pages to HTML5, by replacing that old, crufty first line with "<!doctype html>", tested them against lots of browsers, and I've never found a problem.
Lest you think I'm just joking, well I am, obviously, but there's also a serious side to this. As far as I can tell, most of the supposed conversions to HTML5 consist of little more than rewriting the doctype line. Or adding it, in many cases. Then trusting the browsers to figu
Re: (Score:3)
I don't even have Flash installed on the two machines I mainly use, and view a lot of pages on the Flash-incapable iPad and iPhone. The only place I notice the lack of Flash is YouTube and Hulu. YouTube is fine on iOS, and there's a Hulu app for iOS and Mac OS X. Sure, once in a while a site doesn't render. As I used to say about RealPlayer, there's nothing on the web I need to see so badly that I'm willing to install Flash.
Re: (Score:2)
Too bad that pushing 90% of the web these days uses it including for full site design.
But honestly, who needs those 90% of crap sites? And if some needed site slips in along with all the trash, there's e-mail, there's phone, and there's competitors.
If more people did the civic thing and actually called the relevant companies when there is a problem, it wouldn't be such a huge issue.
Re: (Score:2)
And also, why is the update process tied to system startup? My main desktop rarely reboots, which means I get these updates only weeks after I needed them, or after taking special action because I saw a story like this one.
Re: (Score:2)
Wow, that seems useful. I never understood why MS doesn't put 3rd party stuff into Windows Update.
Re: (Score:2)
Apple does it just fine with the AppStore...
Re: (Score:3)
Actually, it's be
Re: (Score:2)
No, you have a single installer that connects to multiple repositories, one for each company if necessary. Just like with apt(itude).
Re: (Score:3)
Actually, it's tied to the login process, logging out and back in triggers the updater. As for why, I'm guessing that it's because there's no central repository that can be checked periodically, and people whine and moan about having a half dozen executables sitting around and doing nothing but checking for updates. I've got computers at work that have programs in the background for Java updates, InstallShield (several programs use this), Apple's updater, Adobe's updaters and Google's updater, all on top
Re: (Score:2)
Yeah, because it never occurred to anybody that the Windows Task Scheduler could be used to schedule checks for updates for computers that never get rebooted...
Re: (Score:2)
Oh, wait. Google does that.
Re: (Score:2)
It's a force of habit from when Windows used to come with that auto Reboot feature. You know the one that was that pretty blue color.
Re: (Score:2)
No, that's supposed to be a nag screen.
Re: (Score:2)
Every time I turn on my computer, another update... just do it silently already if it's such a problem otherwise I'm going to uninstall.
I already have. You won't miss much, and I doubt it'll stay the standard container format for web video much longer.
Re: (Score:2)
mod parent up, Adobe needs to get with the times and provide an auto-updater, even Java provides this!
Actually Adobe does have an update daemon for Creative Suite (at least on OS X). It's actually rather benign; it just sits there and gives you the number of patches it thinks you need. Doesn't beep, squeak or bounce up and down. The problem, though, is as ol' Qzukk points out a few comments above this. You end up with a half dozen little programs bothering you at random times. Do Not Want.
Affected software versions (Score:5, Informative)
Re: (Score:2)
That kind of pancake would have to be made on a Moebius pan.
Re: (Score:2)
The flash player is a separate download on the Android Market.
I updated it this morning.
Or is it different where you live?
Re: (Score:2)
Thanks for the info. I have the same issue as the GP (but on Verizon). Viewing "My Apps" under the Market did not reveal an update. However, manually searching for flash player, then doing the update worked for me. (2.2 - froyo)
Perhaps one of the reasons (Score:2)
it's not in iOS? Besides the whole Apple-Adobe fighting & Apple pushing other standards.
Enjoy.
Re: (Score:2)
Flash is the new RealPlayer. The sooner everyone uninstalls it the sooner it sinks into obscurity where it belongs.
Re: (Score:2)
For argument's sake, it's not in Android either.
Users must explicitly download and install it (unless the manufacturer bundles it, which they shouldn't).
Maybe Adobe should be the one responsible for their software, so that Apple doesn't feel like they have to be. It's about time they (Adobe) cleaned this crap up.
Stating the obvious (Score:2)
Gotta love FlashBlock.
And 64-bit Will Be Updated When? (Score:5, Insightful)
Great. I'm glad they're patching security vulnerabilities in their 32-bit product. But why do 64-bit users have to use a vulnerable version [adobe.com] from 7 months ago?
Re: (Score:3)
Indeed.
My Add-ons manager says I have:
Adobe Acrobat 9.4.3.231
Shockwave Flash 10.2.152.32
When checking for updates, there are none.
It's mid-2011, why should the focus be on 32-bit?
Then again, a 64-bit version of Firefox would be nice too. Or perhaps not, given how much memory it eats. With it being a 32-bit app, at least it can't gobble up more than 2 GB per process...
Re: (Score:2)
The 64-bit versions always use more memory, which is why you're often better off not using a 64-bit version unless you've got a reason to do so.
Re: (Score:2)
euh... unless you have enough memory available is also a good answer. :-)
Re: (Score:2)
That's because Chrome runs a different process per tab, which FF won't do until the next version.
If looking at memory for a single tab and the browser itself, Firefox is far more greedy.
But really, both of them are hogs. You should be able to run a web browser in 12 MB of memory, not up to 2 GB.
Re: (Score:2)
It's mid-2011, why should the focus be on 32-bit?
It's Adobe.
Re: (Score:2)
Even us 32 bit users can't always upgrade. I don't have admin rights on my work laptop and it runs an ancient version of Reader 8. IT very slowly roll out updates now and then, but for now I am vulnerable.
I can do Flash Player updates but they only happen when the machine is rebooted. I usually hibernate to preserve my environment from day to day so it might be a week or two until it happens, during which time I am vulnerable.
Re: (Score:2)
Just write a PDF exploit that grabs admin and install, err, Foxit or something patched a little less often than once a week.
Re:And 64-bit Will Be Updated When? (Score:5, Informative)
Honest question: Why use an x64 browser?
Speed, for one thing. For Windows, here [favbrowser.com] is one benchmark that shows the rather significant difference. When on javascript heavy sites, having a 64-bit browser sure helps.
For Linux, there are other considerations, like not having to install the whole 32-bit compatibility layer and libraries at all. Fedora, for example, won't install 32-bit support unless you explicitly tell it to. Being 64-bit only saves a lot of memory compared to being dual-stack.
For example, we still put 32-bit Office on our x64 desktops for plug-in and other compatibility.
The speed difference for large spreadsheets can be stupendous, in favour of 64-bit. Or running a text analysis on a book-sized document. I've run 64-bit Office 2010 for quite a while, and haven't run into a single problem yet (well, 64-bit problem that is; Office itself is another issue).
Re: (Score:2)
64-bit browsers tend not to be faster for some things, especially Javascript.
Would that it were different, though.
Re: (Score:2)
This says 64-bit is faster JavaScript than 32-bit:
http://arewefastyet.com/ [arewefastyet.com]
Re: (Score:2)
Chrome's new V8 (or Crankshaft, one of the two) isn't ported to 64-bit yet, and 64-bit IE9 also has slower javascript.
I saw nothing on that site about bitness at all.
Re: (Score:2)
Why use flash in an x64 browser?
FTFY
I don't have flash in my 64-bit chrome. I rarely even notice that I'm not using flash. When I really want to see something in flash, I pop open the 32-bit firefox installation I have, and paste the url in there. More often than not, Vimeo and YouTube's HTML5 players work fine. The only trouble comes with any videos that embed ads, or DRM-heavy video sites like Hulu. (Exchange Chrome with Firefox if you want)
I've been using this solution for a while, and it's much better t
ActiveX (Score:4, Insightful)
Adobe has managed to reincarnate ActiveX in the form of Flash. Why is this junk still being used? It's apparently got an attack surface the size of Jupiter...
Re: (Score:2)
Well, Flash isn't accessible and can't be made accessible. Anything that you convey using Flash also has to be conveyed in another fashion. Flash isn't available on all platforms that one might want to use, meaning that you're leaving some folks out. The performance is horrendous and the plug ins are frequently out of date and buggy. It's also a regular security nightmare and probably always will be as Adobe doesn't seem to be doing any better than Macromedia was previously.
Time for it to die and be replace
Re: (Score:2)
Have all you flash haters not seen any javascript html exploits?
I've got news for you: many have disabled JavaScript as well, just for that reason. And thanks to the Flashblock and NoScript extensions, you can easily re-enable the offending elements on a case-by-case basis for the rare sites which can't be convinced to be respectful of their customers' privacy and security.
Re: (Score:2)
Good God, why all the hate on Flash?
Because Adobe is losing the PR battle to Apple.
Re: (Score:2)
Because Adobe is losing the PR battle to Apple.
Can we submit entries for the fucking stupidest Slashdot post of the month?
I'd like to submit the post I'm replying to.
Re: (Score:2)
Good God, why all the hate on Flash?
Because of the seemingly endless stream of stories exactly like the one you're reading right now. Flash doesn't remove any of the vulnerabilities you describe; it adds to them. What's less secure: Firefox with "javascript html exploits? XSS, dirty-cookie? [...] Sencha/JQuery Bugs", or Firefox with all that plus Flash's exploit du jour?
I'm glad you've found a way to make a living off it. Good for you! But I honestly couldn't care less if that ended tomorrow. My system's integrity is much more interesting to
Re: (Score:2)
Because the chances of successful exploitation are much higher with Flash.
Not unless you allow Flash in Flashblock. Everyone has a kind of Flashblock today - even Chrome.
Because Flash kills performance.
Nonsense. Flash performance is much better than performance of JS, doing the same task.
Because Flash hurts usability.
Oh, really? I thought it was bad designers/programmers who hurt usability. A well-designed RIA in Flex is much better than JS/CSS/HTML mess when it comes to usability. I don't even mention support.
Because they still don't have a proper x86_64 version.
Most PC games do not have 64bit versions. Should we hate them too?
Because advertisers are abusing it.
Again, how is it the problem of Flash? And again, Flashblock is a
Re: (Score:2)
Not anymore.
Maybe on IE6 or IE7, but no-one should be using those anyway.
Too many updates! (Score:2)
MS had so many updates yesterday. My 64-bit Acer OEM Vista HPE SP2 (IE7) test PC had to get over 200 MB of updates from MS. Then, Adobe updates. Augh!!
Re: (Score:2)
So you would rather they not fix it at all? I don't care about a 200 meg download [and oddly mine was less than 65M last night], but I do care if I am running an unpatched system.
Wait, I also installed Ubuntu 11.04 last night and on bootup it had at least 100 megs of updates. And 11.04 is only, like, what, 28 days old or something. THAT's some patchin' right there!
So please, Mr. Joe Company, please keep fixing your horrible [or not so horrible] code.
Now if the folks who do Java could figure out how to actually fix
Re: (Score:2)
1. Don't release all the patches in the same day! I have to patch a bunch of computers manually: Linux/Debian, Windows, and Mac OS X.
2. Companies should do a better job with their code to avoid these security problems.
Re: (Score:2)
Wait I also installed Ubuntu 11.04 last night and on bootup it had at least 100 megs of updates. and 11.04 only like what 28 days old or something. THAT's some patchin right there!
Windows Update generally only updates the operating system and a few Microsoft apps. Ubuntu updates the operating system and thousands of applications (or whichever of those thousands you have installed).
And the big problem with Windows Update is not the amount it downloads, but the fact that it constantly wants to reboot after installing an update and thrashes the disk like a two dollar whore while it's installing so I usually can't do anything else.
Re: (Score:2)
I think the thrashing is:
"creating system restore point" or whatever it is called.
Re: (Score:2)
Easiest way? Use Firefox and disable the Java plugins.
Hell, disable all plugins. Maybe enable Flash with Flashblock or another similar extension.
And still no new 64-bit releases (Score:2)
I wonder if Adobe has just given up on its pure 64-bit users (on both Windows and Linux) and decided that they can rot. I haven't seen a new Flash Player Square release mentioned anywhere since the last release came out. What on earth is preventing these people from supporting their 64-bit plugin with security updates?
warm fuzzy, but no (Score:2)
Adobe's holes are far beyond an easy fix. Funny how they have become the new Windows. It is, of course, because so many people use it, not because it is a pile of crap.
Re: (Score:2)
I'm assuming you're being sarcastic. If not, though, by that standard, we should have serious security holes on a near-daily basis in Notepad, Facebook, Google....
This, of course, brings us to the obvious question: how many security holes does a single plug-in have to patch before we can take for granted that the code is one giant, steaming pile of dingo turds? Just curious. Maybe that should be a Slashdot poll....
Re: (Score:2)
Sure, that prevents certain types of exploits against certain vulnerabilities, but it doesn't generally nullify a vulnerability entirely.
A vulnerability is like having a glass window next to the door on your house. The NX bit is like bars on that window. It prevents you from trivially breaking the glass and reaching through to turn the lock, but it does not prevent
How about an auto-updater that doesn't suck? (Score:2)
Something like the one Adobe Reader X uses, in point of fact, one that can be configured to automatically install updates in the background without administrator privileges.
If you're going to be so fucking useless as to need such frequent security updates, have mercy on us IT types and unfuck your auto-updater.
Re:How about an auto-updater that doesn't suck? (Score:2)
You underestimate Adobe developers' ability to fuck up.
Then they'll have security holes in the updater, and they will be holes in a privileged application. Where is your permissions model now?
2nd in nine days (Score:2)
There must be some serious pressure on them if they are patching that frequently. It's not like Senate.gov or Google are getting hacked or anything. People are not really using the internet, and malicious files to go after anything pertinent, at places like Lockheed, or other RSA customers. None of those places would use Adobe Reader to open those RFPs or other thousands of forms sent to them by Uncle Sam, right?
Barn door, meet the horse's ass that has already run away from you.
I don't think that anyone
Adobe deserves to be raked... (Score:3)
But the inference you are making is not well supported. Google's response to getting hacked was to institute a ban on MS machines. Apparently, Google lacks the resources to manage MS machines properly, which isn't exactly surprising.
Dust off the Senate.gov and others, and you may find the same root cause. Not unsolvable; just the solutions are unworkable. Ditch them and demand something better. It's not like there is a shortage of choice.
Re: (Score:2)
I was thinking about alternative choices as I was writing the original post. What can people realistically do? There are at least two or three other free PDF viewing utilities out there that I am aware of. What is to say that any of those are significantly more secure than Acrobat? For all their faults, at least Adobe has the resources to throw at a problem when something goes wrong. Can the same be said about PrimoPDF devs?
I get the sense that Adobe has finally reached the tipping point. Their softwa
again, and again, and again, and yet again (Score:2)
Ok, so who is going to come out with the joke of the day this time.....
It is almost like 1000 monkeys were in a room for a few years hitting the keyboard in order to produce these Adobe products, and now we are all finding out about it......
In all seriousness, the only thing I could see attributing to the fact that these programmers just don't check their code is that they are all students, and maybe 1 or 2 senior programmers, and which keeps changing regularly, so much so that the standards of coding are b
Cool, when can I get Flash on my iPhone? (Score:2)
I wish they would just stop (Score:2)
I wish they would just stop it with this "zero day" buzzword already. Just say "vulnerability" or even "security hole." That way, articles will be less amateurish-sounding, as if they hired a script kiddie to write the copy.
Re: (Score:3)
http://www.youtube.com/watch?v=H47ow4_Cmk0 [youtube.com]
Re: (Score:2)
It seems to me that the rate at which they fix bugs is ever increasing, maybe even exponentially.
That means that either
a) they introduce new bugs faster than they fix old ones (also exponentially growing),
b) there is an infinite number of bugs in Flash,
c) most of the fixes do not actually fix the bug in question, or
d) they will run out of bugs to fix soon!
Now you can venture a guess as to what is actually happening.
Re: (Score:2)
e) it is crap old spaghetti code which depends on third-party libraries which was created at a time when security wasn't all that high on the list of priorities.
Just like Adobe PDF (Reader):
http://www.youtube.com/watch?v=54XYqsf4JEY [youtube.com]
Re:Out of band? (Score:5, Informative)
Before the patch is made, many of these exploits are not widely known. Sometimes they are, but normally they aren't.
As I understand it, the risk is that once the patch is published, the bad guys reverse engineer the patch and publish exploits for those patches (usually within 6 hours). So if you delay patching after a patch is made, you put your machines at increased risk. So scheduling an update so that IT folks have time to react is a good thing.
The one exception is when the exploit is published *before* the patch is published. In that case, it makes sense to push an out-of-band patch and to hell with the sysadmins' schedule.
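The decision rule in the comment above (patch immediately when the hole is already being exploited, otherwise let the update go through normal testing) combined with the earlier complaint that 64-bit users are stuck on an old build with no fixed version to move to, as an added example that is not code from Adobe or from anyone in this thread. It parses an add-on listing like the one quoted above and compares each plugin against an advisory; the product names are the ones in that listing, and the fixed-version thresholds are constructed placeholders, not Adobe's real fix versions.

```python
import re
from dataclasses import dataclass

# Matches add-on manager lines such as "Shockwave Flash 10.2.152.32".
_ADDON_RE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<ver>\d+(?:\.\d+)+)\s*$")


def parse_version(s):
    """'10.2.152.32' -> (10, 2, 152, 32)."""
    return tuple(int(p) for p in s.strip().split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter versions are right-padded with zeros,
    so '10.3' compares equal to '10.3.0.0' instead of sorting below it."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def parse_addons(text):
    """Map product name -> version string for every line that looks like
    '<name> <dotted version>'; other lines are ignored."""
    found = {}
    for line in text.splitlines():
        m = _ADDON_RE.match(line)
        if m:
            found[m.group("name")] = m.group("ver")
    return found


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str       # first version that contains the fix
    exploited_in_wild: bool  # vendor reports in-the-wild exploitation
    fix_available: bool = True  # False for e.g. a 64-bit build with no update


def patch_action(installed, adv):
    """Out-of-band logic from the thread: an actively exploited hole is
    patched now; an unexploited one goes through the normal test schedule;
    a build with no fix at all can only be mitigated (blocked/disabled)."""
    if compare_versions(installed, adv.fixed_version) >= 0:
        return "up-to-date"
    if not adv.fix_available:
        return "mitigate-or-disable"
    return "patch-now" if adv.exploited_in_wild else "schedule-with-testing"


def assess(addons_text, advisories):
    """Return product -> action for every advisory, given an add-on listing."""
    installed = parse_addons(addons_text)
    result = {}
    for adv in advisories:
        ver = installed.get(adv.product)
        result[adv.product] = "not-installed" if ver is None else patch_action(ver, adv)
    return result


# Constructed sample input: the add-on list quoted earlier in the thread.
ADDONS_TEXT = """My Add-ons manager says I have:
Adobe Acrobat 9.4.3.231
Shockwave Flash 10.2.152.32
"""

# Placeholder thresholds (NOT the real fixed versions from Adobe's advisories).
ADVISORIES = (
    Advisory("Shockwave Flash", "10.3.0.0", exploited_in_wild=True),
    Advisory("Adobe Acrobat", "9.5.0.0", exploited_in_wild=False),
)

if __name__ == "__main__":
    for product, action in assess(ADDONS_TEXT, ADVISORIES).items():
        print(f"{product}: {action}")
```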
Re: (Score:2)
"Security through obscurity" is not a universally bad thing. Only on Slashdot is it considered some kind of final, irrefutable argument in any security-related discussion.
Re: (Score:2)
This is the type of security by obscurity that's bad. Security by obscurity as part of a balanced approach isn't problematic, but failing to release patches because of this sort of silliness is just irresponsible. You hold off on releasing a patch because people might reverse engineer it rather than having to use the already known exploit. The companies releasing these patches are rarely the first party to discover them; typically they find out about them after somebody exploits them.
Re: (Score:3)
shutdown-p basically nailed it but I want to dig a bit deeper.
There is no such thing as absolute security. There is no software available to end-users that is 100% secure (there may be very special case scenarios but they're not mainstream). Because of this, security is primarily a risk management problem.
So when you decide to take a patch, you have to weigh the risks of taking the patch (it might break some LOB app) against the risk of *not* taking the patch (you might get hacked).
We make these choices e
Re: (Score:2)
In this case, maybe; in general, no.
The reason you might be right in this case is that Flash is just so d**n buggy. I don't know how bad it is on Windows, but on Mac OS X, back before I added Click2Flash (and later, ClickToFlash), it used to be the #1 most common cause of Safari crashes on my machine by fully an order of magnitude over all other causes combined. When you realize that the odds are good that every single one of those crashes is an exploitable security hole, it's a wonder they don't have a z
Re: (Score:2)
There are two possible reactions to telling the IT guys about the exploit: (1) you give them enough information to harden their systems proactively (adobe flash scripting has a problem when dealing with flibberjabber elements) or (2) you give them vague information (there's a bug in flash somewhere).
The first is probably enough to give the bad guys enough of a clue for them to figure out the vulnerability and you've just created a 0day. The second isn't enough information for the IT guy to figure out how t
Re: (Score:2)
You're kidding, right? Are there really any IT admins who still don't know that from a security perspective, Flash is a giant sieve? :-)
Seriously, any IT admin that doesn't (at minimum) install a Flash blocker on every machine is missing a security hole so big you could drive an Abrams through
Re: (Score:2)
I'm going to have to call BS. QA doesn't always take a predictable amount of time to complete. Sometimes it takes longer and sometimes it takes less time. Delaying security patches to home users because corporate users ask for it is completely unacceptable.
Re: (Score:2)
Yessss! Because impact of a gaping security hole is less than of a non-working punch the monkey banner!
Re: (Score:2)
Production outage caused by Flash version change? Your production software relies on Flash, and breaks over upgrades?
Re: (Score:2)
A zero-day exploit is an exploit used or released before the vulnerability is published (or, if not published, before a fixed version or patch is released).
A first-day exploit is an exploit used or released within a day after the vulnerability is published, etc.
Re: (Score:2)
But how?
Re: (Score:2)
It is a free product and they don't really want to spend a lot of money on it?
Re: (Score:2)
Use something like Flashblock and only allow the plugin for certain sites.
Done?