Adobe Patches Second Flash Zero-Day In 9 Days

CWmike writes "For the second time in nine days, Adobe has patched a critical vulnerability in Flash Player that hackers were already exploiting, Computerworld's Gregg Keizer reports. Adobe also updated Reader to quash 13 new bugs and several older ones the company had not gotten around to fixing. The memory corruption vulnerability in Flash Player could 'potentially allow an attacker to take control of the affected system,' Adobe said in an accompanying advisory. 'There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages.' Adobe last issued an 'out-of-band' emergency update on June 5, when it fixed a critical flaw that attackers were exploiting to steal Gmail login credentials. Those attacks were different from the ones Google disclosed the week before, when it accused Chinese hackers of targeting specific individuals, including senior U.S. and South Korean government officials, anti-Chinese government activists and journalists. Google, which bundles Flash Player with Chrome, also updated its browser Tuesday to include the just-patched version of Flash."

Re:WTF adobe

[PNutts]

http://secunia.com/vulnerability_scanning/personal [secunia.com] "The Secunia PSI is aFREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals. The only solution to block these kind of attacks is to apply security updates, commonly referred to as patches. Patches are offered free-of-charge by most software vendors, however, finding all these patches is a tedious and time consuming task. Secunia PSI automates this and alerts you when your programs and plug-ins require updating to stay secure." Set and forget.

Affected software versions

[farnsworth]

Since it didn't say in the summary:

Affected software versions

• Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
• Adobe Flash Player 10.3.185.23 and earlier versions for Android

Re:Out of band?

[LO0G]

Before the patch is made, many of these exploits are not widely known. Sometimes they are, but normally they aren't.

As I understand it, the risk is that once the patch is published, the bad guys reverse engineer the patch and publish exploits for those patches (usually within 6 hours). So if you delay patching after a patch is made, you put your machines at increased risk. So scheduling an update so that IT folks have time to react is a good thing.

The one exception is when the exploit is published *before* the patch is published. In that case, it makes sense to push an out-of-band patch and to hell with the sysadmins schedule.

Re:And 64-bit Will Be Updated When?

[arth1]

Honest question: Why use an x64 browser?

Speed, for one thing. For Windows, here [favbrowser.com] is one benchmark that shows the rather significant difference. When on javascript heavy sites, having a 64-bit browser sure helps.

For Linux, there are other considerations, like not having to install the whole 32-bit compatibility layer and libraries at all. Fedora, for example, won't install 32-bit support unless you explicitly tell it to. Being 64-bit only saves a lot of memory compared to being dual-stack.

For example, we still put 32-bit Office on our x64 desktops for plug-in and other compatibility.

The speed difference for large spreadsheets can be stupendous, in favour of 64-bit. Or running a text analysis on a book-sized document. I've ran 64-bit Office 2010 for quite a while, and haven't run into a single problem yet (well, 64-bit problem that is -- Office itself is another issue).