
New Zero-Day Flash Bug Affects Windows, OS X, and Linux Computers

Posted by Soulskill
from the you-can-count-on-flash dept.
An anonymous reader writes "Researchers at the Kaspersky Lab have uncovered a zero-day Adobe Flash vulnerability that affects Windows, OS X, and Linux. 'While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well.' Adobe has reportedly patched the bug for all platforms. Researchers first detected the bug from attacks performed on seven Syrian computers. The attacks seem to have been hosted on the Syrian Ministry of Justice website, which has led to speculation that these are state-sponsored vulnerability exploits. This speculation is further supported by evidence that one of the exploits was 'designed to target computers that have the Cisco Systems MeetingPlace Express Add-In version 5x0 installed. The app is used to view documents and images during Web conferences.'"

  • Long story short (Score:5, Insightful)

    by Anonymous Coward on Tuesday April 29, 2014 @02:25PM (#46870475)

    flash is equally bad on all platforms web guys please stop using it.

    • by powerlord (28156) on Tuesday April 29, 2014 @02:30PM (#46870531) Journal

      flash is equally bad on all platforms web guys please stop using it.

      Hey ... look at the upside, feature parity across Windows, OSX and Linux ... even for bugs and exploits.

    • by fuzzyfuzzyfungus (1223518) on Tuesday April 29, 2014 @02:51PM (#46870767) Journal

      flash is equally bad on all platforms web guys please stop using it.

      Will nothing please you whiners? The Adobe Exploit Runtime offers simultaneous support across Windows, OSX, and Linux for a cutting edge vulnerability, and do we hear even a whisper of credit?

      • by mellon (7048)

        Get real. The NSA isn't allowed to talk about this stuff. Doesn't mean it's not true.

      • by styrotech (136124)

        The Adobe Exploit Runtime offers simultaneous support across Windows, OSX, and Linux for a cutting edge vulnerability

        Not so fast... most of us Linux users are falling behind in our access to cutting edge vulnerabilities.

        Sure we still have plenty of the old ones to play with, so it isn't all bad.

    • - or should be - long live the open alts.

    • Right, because Gecko and WebKit never have security vulnerabilities in them.

    • What I wonder is-- how did the Syrians get hold of a zero-day vulnerability in Flash? I doubt they found it themselves. Did they buy it, or did the Russians give it to them?
  • I never installed flash and I rarely find web pages that require it. I've noticed a slow migration away from it as well. Once or twice a year I check some websites that required flash in the past and some no longer do so. YMMV.

    It does not seem that difficult to go without flash and it is getting easier every day.
    • by jonnythan (79727)

      There are a number of things that require it. For me the big ones are MLB At Bat, WatchESPN, Hulu, and HBO Go.

      • by perpenso (1613749)

        There are a number of things that require it. For me the big ones are MLB At Bat, WatchESPN, Hulu, and HBO Go.

        People are migrating to phones and tablets for such things.

      • Just for fun I tried to watch a video on Hulu with Safari and sure enough they told me I had to have Flash installed in order to watch their stuff. Then I told Safari to lie to them and tell them that I am using an iPad. Lo and behold the videos worked like a charm. Why do sites like Hulu and others still require that people have this malware vector installed on their systems?

  • I have it disabled. (Score:5, Interesting)

    by Antony T Curtis (89990) on Tuesday April 29, 2014 @02:48PM (#46870735) Homepage Journal

    I deliberately do not install Flash on my computers _and_ I deliberately choose to not install any of the third-party work-alikes.

    If the content owner only publishes content in a SWF, it is not worth my bother to look at it. Okay, I can't view video clips in Facebook, but if it is an embedded youtube video, usually I can view it just fine by going to youtube's website.

    • If the content owner only publishes content in a SWF, it is not worth my bother to look at it.

      Animutations and other vector animations are usually much smaller in their original SWF than they are when transcoded to MPEG-4 or WebM video. In this era of monthly caps, rendering to pixels can't always compete with the bandwidth efficiency of vectors. You're not going to get, say, "We Drink Ritalin" by Robinson Wilburn [albinoblacksheep.com] (parody fan video for the song "Hot Limit" by John Desire, which incidentally introduced me to DDR) as small in MP4 as it is in SWF, probably not even with H.266 when it does exist.

      Okay, I can't view video clips in Facebook, but if it is an embedded youtube video, usually I can view it just fine by going to youtube's website.

      If the

      • by LDAPMAN (930041)

        You do realize HTML5 supports vector animation?

        • by LDAPMAN (930041)

          Forgot a link...just some examples: http://creativedroplets.com/ht... [creativedroplets.com]

          DIE FLASH DIE!!!

        • HTML5 vector animation has three drawbacks:
          Speed
          The Flash version of this Flash vs. SVG benchmark [themaninblue.com] runs at 22-23 fps on a laptop with an Atom N450 CPU, which is nearly four times the speed of SVG (6 fps) in Firefox 29 on the same laptop. Set quality to low and it shoots up to 31-32 fps.
          Tools
          The page you linked on creativedroplets.com mentions Edge Animate. But second-hand copies of old versions of Flash are widely available, while Edge Animate is available only by subscription.
          Content
          A lot of authors of ex
          • by LDAPMAN (930041)

            I suggest you get a new laptop. I get 120fps on the 1000 object version at full quality. The argument that there are more tools for an old technology than a new one is missing the point. The tools will come and there are many ways to create SVG.

            • by LDAPMAN (930041)

              At 4000 objects Flash topped out at 30fps. I get over 60 for SVG and canvas.

            • I suggest you get a new laptop.

              Except for the Surface Pro, other 10" products I've seen are also Atom based. Or has Atom improved dramatically in the past four years?

              The tools will come

              That doesn't help if you want to deliver something now, not years later after the tools have come.

  • Well on the positive side it is refreshing to see someone writing portable code. :-)
  • by dsinc (319470) on Tuesday April 29, 2014 @02:58PM (#46870839) Journal
    I'm not a Flash developer, so I'm asking very seriously: is there a compelling reason to keep using Flash in 2014? For the past several years, the only notable things associated with this technology have been major security holes.
    • by Kardos (1348077)

      It is dying. Things don't die instantly in the software world, they just decline.

      • Some things die so slowly it seems you have to literally wait for the actual users to die. IE6 is one of those things. Flash is another.

    • by l0ungeb0y (442022)

      Yes, 2-way HD Video Chat on Desktop Browsers and Native Apps with Adobe Air. In a couple years real time video communication will be fulfilled in Browser with WebRTC, but WebRTC is not ready and only supported on a couple browsers. Until then the only reliable method to get 2-way HD Video Conferences in both the Browser and Native Apps is with Adobe Flex streaming to a Media Server such as FMS or Wowza.

    • There is a non-trivial demand for highly interactive stuff on the web. You may not be interested in that, but many people are and thus many developers are. Well, only Flash really does anything approaching a competent job of that. If you want to make something like a game, that runs on all the major browsers and all the major platforms, Flash can do that. Anything else, it is a crap shoot.

      For example I remember when the HTML5 Angry Birds came out. Ok, interesting, I'd like to see that. In Chrome, it works m

  • Ahem. (Score:5, Funny)

    by peatbakke (52079) <peat.peat@org> on Tuesday April 29, 2014 @02:59PM (#46870847) Homepage
    • by tgetzoya (827201)
      I want to give you all the points.
    • by lgw (121541)

      4,294,967,296 Internets to you sir! That's all the internets!

      • 4,294,967,296 Internets to you sir! That's all the internets!

        You know, with IPv6, you get 340,282,366,920,938,463,463,374,607,431,768,211,456 internets.

  • Uninstall Flash! (Score:5, Interesting)

    by chihowa (366380) * on Tuesday April 29, 2014 @03:09PM (#46870941)

    I just reinstalled my OS a few weeks ago and never reinstalled flash. Despite a profuse amount of websurfing and watching videos here and there, I haven't needed flash yet.

    Fewer annoying, moving, sound-producing site navigation controls, better battery life on my laptop when watching videos, and fewer horrible security vulnerabilities to worry about! Dumping Flash is something I should have done long ago!

    • by Kjella (173770)

      Or just set it to "click to run", that way a redirect to a malicious website will do nothing, a compromised banner ad will do nothing so they'd have to compromise actual flash content on a site you use. For bonus points you don't see flash ads. And if it gets too annoying to do a single click extra, you can always set up an exception for that site.

      Personally what I miss the most these days is a setting to really block everything from opening up a new tab/window, no matter what link I clicked. Despite having

  • And this is why you don't install third party "goodies" on your linux workstations (unless you are looking for just a play machine.).

    There's a reason distros separate things into free/nonfree or main/universe. The first thing everyone does is go out and get 'multiverse.' Heck, if that's what you want, you might as well stick with windoze...

    • by cbhacking (979169)

      Right, because there's never critical vulnerabilities in widely-used open source software. I mean, anything as sensitive as, say, an SSL library would obviously be thoroughly tested and code reviewed to prevent any kind of trivially exploitable error that looks like something a CS freshman student might make. Thank goodness neither OpenSSL nor GnuTLS are required by any common free software, for example...

      • by deego (587575)
        Yeah. Thieves can break in any way. So, you might as well leave your housedoor unlocked. Hell, remove the doors while you are at it.
  • The summary doesn't say.
