Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Adobe Flash To Be Top Hacker Target In 2010 180

An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"
This discussion has been archived. No new comments can be posted.

Adobe Flash To Be Top Hacker Target In 2010

Comments Filter:
  • Sometimes when I go to a website, it will have Flash malware which forces me to download unwanted content and then plays it without my consent.

    Damn you Youtube!!!

  • Yuh huh (Score:3, Insightful)

    by Anonymous Coward on Tuesday December 29, 2009 @12:24PM (#30583668)
    Let me guess, Microsoft are just ready to offer the solution in the form of Silverlight, right?
    • Re: (Score:1, Interesting)

      I dunno, but it just seems to me that embedding a Turing machine into a website is just a bad idea no matter what you call it.

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      Microsoft would be foolish to let pass an opportunity to promote its competing products, yeah. They tend not to be foolish when it comes to such things.

      I don't see what Adobe's problem is with the security vulnerabilities. Don't trust data from the network, and don't ever use a variable/etc without bounds checking. How many versions, bugfixes, patches, and revisions does it take to get these two basic things right? Real question. I don't understand the difficulty here.
    • Re:Yuh huh (Score:5, Insightful)

      by El Lobo ( 994537 ) * on Tuesday December 29, 2009 @01:18PM (#30584334)
      That would be the right time, yes. But actually, the problem with todays systems is not as much the OS as the applications that run on it. Almost every self-respecting OS has an Auto-update function that works more or less well. Unless you are a paranoid schizophrenic that update the OS manually (forgetting to do it now and then), the OS is relatively secure. The problem are the applications. Now tell me, how many of us run to download a new Java machine or a new Acrobat reader, or a new Cobian Backup, or a new WinAmp when a vulnerability is discovered on any of those products. Hell you will be lucky if you even get to know that a new vulnerability was found on your faithful uTorrent... So when you get pwned, what's the first thing the user blame? The OS of course...

      At work we had a Windows Server 2008 hacked. It was killing the whole network sending spam and trying to infect other machines on our AD. Our boss was already blaming Bill Gate's mother ... On a closer inspection, the problem was discovered. The system was running a quite old version of WebBoard (a system for collaboration, which was developed originally by O'Reilly). The firewall has the port 8080 open to allow users to connect. Some people discovered the open port, found out that WebBoard was running, and took advantage of the vulnerability to upload and run malicious code on the server. Because WebBoard is a service, running as the System account, you can imagine what happened there. Did our IT manager know about this vulnerability. Not at all, even if it was fixed on a posterior build.... How many "forgotten" programs, and non-OS related services do people have running in their machines, unpatched and unattended? Think about this...

      • Re: (Score:3, Informative)

        by causality ( 777677 )

        That would be the right time, yes. But actually, the problem with todays systems is not as much the OS as the applications that run on it. Almost every self-respecting OS has an Auto-update function that works more or less well. Unless you are a paranoid schizophrenic that update the OS manually (forgetting to do it now and then), the OS is relatively secure. The problem are the applications. Now tell me, how many of us run to download a new Java machine or a new Acrobat reader, or a new Cobian Backup, or a new WinAmp when a vulnerability is discovered on any of those products. Hell you will be lucky if you even get to know that a new vulnerability was found on your faithful uTorrent... So when you get pwned, what's the first thing the user blame? The OS of course...

        At work we had a Windows Server 2008 hacked. It was killing the whole network sending spam and trying to infect other machines on our AD. Our boss was already blaming Bill Gate's mother ... On a closer inspection, the problem was discovered. The system was running a quite old version of WebBoard (a system for collaboration, which was developed originally by O'Reilly). The firewall has the port 8080 open to allow users to connect. Some people discovered the open port, found out that WebBoard was running, and took advantage of the vulnerability to upload and run malicious code on the server. Because WebBoard is a service, running as the System account, you can imagine what happened there. Did our IT manager know about this vulnerability. Not at all, even if it was fixed on a posterior build.... How many "forgotten" programs, and non-OS related services do people have running in their machines, unpatched and unattended? Think about this...

        Perhaps the OS deserves some blame (kneejerk types, note that some != all). On Windows there is no equivalent to the various centralized package managers that come with standard Linux distributions. You cannot go to one place and run one program and simultaneously update every last application installed. The biggest obstacle seems to be the copyright restrictions that prevent the redistribution of most Windows software. But for whatever reason, on Windows, every last application is on its own and must m

      • Re: (Score:3, Informative)

        by KiloByte ( 825081 )

        You see, somehow this isn't an issue on other OSes. Why? Because there's an unified update mechanism that can be used by any program.

        In addition, most of available software is packaged in a big repository with security support, and if you use third-party repositories, they can use the mechanism as well. On Windows, though, every program has to implement its own update -- some do, like Firefox, Thunderbird, WinAmp or Java, but the vast majority lacks it. And even those few with an auto-update function ha

  • by fprintf ( 82740 ) on Tuesday December 29, 2009 @12:29PM (#30583738) Journal

    With the recent popularity of Apple products and other internet surfing enabled devices, this is all about infecting the most machines possible. Previously that was easily accomplished by targeting the most popular devices - Windows PCs. But now there are even more targets available and most of them run Adobe Reader and Flash.

    What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

    • iphones and other internet-enabled devices don't have flash or acrobat. Or if they do have flash, it's the stripped down ARM version.
    • Re: (Score:2, Insightful)

      No, what will happen is that the Macs, Linux, smartphones, etc. will still be praised as incredibly secure, and it will just be Adobe's fault. Nobody likes to take the blame or admit that their favorite platform isn't what they said it was, but everyone loves to insult Flash.
      • Seeing as it's a closed source plugin that you can't fix yourself... what else can you do but complain about it?

        It's also hard to argue that Flash on every platform other than 32-bit Windows is anything but badly coded software.

        • by mlts ( 1038732 ) *

          Try to get a standard on an alternative technology that has been around a while? If Oracle could update Java so it had better video processing, it could possibly go head to head with Flash for movies. Unlike Flash, Java has a decent security model so sandboxed stuff won't be jumping out to execute crap as a user, or perhaps as a superuser.

          Also, unlike Flash, Java runs almost anywhere. Yes, there are JVM issues, but a Java applet can be coded to run on any platform. The only platform it doesn't work on t

    • What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

      Yes.

      The moment you believe securing your system is not an issue, that's exactly when it becomes an issue.

      As Windows and Mac user, I don't trust either of my systems to be any more secure out-of-the-box than I can throw them. You don't get to ignore any responsibility for your system's security and have the privilege of being a link-clicking blind-downloader simply because you picked the "more secure" computer.

    • What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

      I would imagine that if Flash etc. became poor enough in terms of security we'd see more attention on projects like Gnash [gnashdev.org].

      • by causality ( 777677 ) on Tuesday December 29, 2009 @01:20PM (#30584366)

        What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

        I would imagine that if Flash etc. became poor enough in terms of security we'd see more attention on projects like Gnash [gnashdev.org].

        No joke. Even if they are absolutely equally secure, Gnash provides source code. You can build that source with SSP (or equivalent) [wikipedia.org]. You can also build it as PIC [wikipedia.org] and apply many other restrictions with a PaX [wikipedia.org] and/or Grsecurity kernel [wikipedia.org]. All of these will reduce the chances that a known vulnerability will lead to a successful exploit. Specifically, a known vulnerability that would normally allow an attacker to run arbitrary code stands a good chance of merely crashing the application.

        You just don't have options like this with binary blobs. I really would like to see more development of Gnash, as it seems that Adobe Flash is on a downhill course in terms of security and will continue to be a problem. Source code is about freedom and control. With such control, you can take steps to manage a risk even if you cannot perfectly mitigate it.

    • Re: (Score:3, Insightful)

      What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

      I can't speak for Macs or smartphones (who gloats over the security of smartphones? Things like the amount of iphone jailbreaking going on or the Tmobile sidekick crash make it pretty clear smartphones have issues...), but Linux is still more secure the Windows in this respect. There's numerous ways to isolate the damage that could be done from a hole in flash. MAC like SELinux or AppArmor are perfect for this, and Windows still doesn't have a competent MAC implementation (MIC is insufficient). There's

      • Re: (Score:3, Insightful)

        by CodeBuster ( 516420 )
        There are other issues which make security more than simply a technical problem in commercial closed source products like Flash. Sometimes a bug is not fixed because management feels that "nobody cares" or "users won't notice" and so they order the devs to ignore it to "cut costs" and "save money". At other times, security is thought (by managers) to make the product "user unfriendly" or "too hard" to use. I have heard of projects where the devs were deliberately ordered to remove security features because
    • Well, I don’t see that malware running on my custom-compiled system with unsupported 64-bit alpha of Flash anytime soon. ^^

    • They keep saying it, but it hasn't happened. How popular does my Mac OS have to get before I see real threat? How popular do smart phones have to become before a real threat? Or, perhaps the best way to infect the most machines is to attack the easiest to exploit, not the most prevalent.

    • "What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?"

      Not until our kernel gets its own web browser too ;-)

    • Unless crime gangs all went to some course learning to code massively multi platform, the "issue" will basically put some .exe file to users computer and run it. It won't be some amazingly universal binary which runs on ARM/x86/PPC/MIPS and dozen of different operating systems.

      I understand your sarcasm and it is really alerting that there are like 10% of market who believes their platform is something like NSA Terminals we see at movies but Flash exploit isn't the one which the real doomsday for OS X will c

  • People often just don't update Flash much. It's a little better for Adobe Reader from what I see; but just a little - automatic updates are treated more like a nuisance to hide, it seems.

    Overall - good riddance. Simple & small PDF readers with scripting disabled are all almost anybody needs anyway. As for Flash - everybody here keeps whitelists of pages already, right? And perhaps those few whitelisted ones will feel the need to enable HTML5 video tag sooner.

    • by dgatwood ( 11270 ) on Tuesday December 29, 2009 @12:45PM (#30583940) Homepage Journal

      Even if they updated regularly, it would still be an easy target. Something like six of the top ten browser crasher bugs are in Flash plug-ins. There are so many crasher bugs that nobody can even keep count. When you realize that every single one of those is probably an exploitable attack vector, you quickly understand why I use click2flash. Swiss cheese belongs on sandwiches, not on the public Internet....

    • People often just don't update Flash much.

      Except that Flash can be made to auto-update since around version 8.

      So no, people don't update Flash. It updates itself!

      • Re: (Score:3, Informative)

        by Jeng ( 926980 )

        You might update, but "people" are stupid and do not.
        "People" tend to minimize or close anything that pops up in between start up and opening the app that one started the computer to use. Whether it be windows update, virus scan update, or updates of nagging software. Of those three the updates of nagging software will be the most likely to just be closed without any update taking place.

  • i expect a fix in 5 minutes. everyone knows that anything delivered from the cloud is highly secure and easy to fix if problems arise

  • WTF (Score:3, Informative)

    by tylersoze ( 789256 ) on Tuesday December 29, 2009 @12:31PM (#30583768)

    Could someone please explain to me why I have to be worried about $#! document viewer compromising my system? WTF Adobe!? Glad I don't have to use it to read PDF's anymore. Thank you OS X for builtin support.

    • Re: (Score:3, Informative)

      by Abcd1234 ( 188840 )

      Don't be silly, buffer overflows can happen anywhere. Hell, IE has been compromised thanks to a b0rked JPEG decoder in GDI+, ffs.

      That said, Adobe has certainly made their job harder by including a full-blown ECMAScript engine in acroread. But even without that, the ubiquity of Flash and Reader makes them ideal targets for hackers, thus further illustrating why software monoculture is a bad thing.

      • Well I certainly understand that, but why aren't hackers targeting Notepad then? That's definitely a software monoculture. ;) How much more complex is it parsing ASCII than a PDF format? Is there anything inherent in the PDF format that makes software implementations inherently more buggy, other than just the simple fact it's a more complex format? Or does Adobe just suck? I can understand something like JPG where you have compression vs a simple uncompressed image format which should be trivial to guard ag

        • PDF includes compression. PDF includes script. PDF includes a command language (not just mark-up). Hell, PDF includes JPG.
        • How much more complex is it parsing ASCII than a PDF format?

          *Vastly*. At it's core, PDF is compressed PostScript, and PostScript is a turing complete functional programming language. On top of that, you have complex font handling and embedding, the rendering core itself, image handling, etc, etc. That, in and of itself, makes for a pretty large surface area that could be exploited. 'course, for good or ill, Adobe then threw ECMAScript, PDF Forms, annotations, and a whole raft of other functionality on t

          • Looking at the wiki page describing PDF it may not be Turing complete as it only includes a subset of Postscript which excludes if and loop statements.

    • I'm much more of a hardware (chip) guy than I'll ever be a software guy. I'd like to ask (honestly), how can Flash remain such a security nightmare? After all this time, all of the preceding versions of flash, how can vulnerabilities continue to be found in light of more scrutiny by the developers (code audits, bounds checkers, etc.)? I realize no complex piece of software is bug-free, but Flash (and of course, Acrobat Reader) have continuous vulnerability discoveries... must it be so forevermore?

      • Your argument would make sense if Flash was a product in maintenance mode, where no new substantial development was being done, and only bug fixes and security enhancements were being applied. But, of course, that's not at all the case. New features, performance enhancements, and god knows what else, show up in every rev of Flash, and that means new potential security vulnerabilities.

        Hell, by your argument, Firefox should be virtually bug free by now...

        • by mlts ( 1038732 ) *

          If I could ask for one thing with Flash, I wish it had a security model where on operating systems that supported it, it could run the foreign .swf containers either jailed or with highly restricted permissions. For example, a YouTube vid might need access to a shared object to set video preferences, but it needs no access other than that, or perhaps a way to connect back to YouTube to rate stuff or get the next video in a series.

          This isn't hard in Windows. IIRC, one can create a restricted hToken, then u

      • First of all, "nightmare" is hyperbole. Maybe it isn't as bad as Chicken Little says.

    • by Yvan256 ( 722131 )
      I'm with you on built-in Mac OS X support. It can "print" PDF files and read them as easily as PNG or JPEG files. I hope Apple never adds support for scripting in their PDF decoder.
  • Acrobat and Flash (Score:5, Informative)

    by Enderandrew ( 866215 ) <enderandrew@gmSTRAWail.com minus berry> on Tuesday December 29, 2009 @12:31PM (#30583778) Homepage Journal

    Acrobat and Flash vulnerabilities were two of the biggest issues I saw in 2009, even more than Office vulnerabilities.

    For one, Office only seems to hit the enterprise sector, and most enterprise users have at least some security. Office is more likely to be patched by users, and there were fewer vulnerabilities.

    Most users don't have the latest version of Acrobat or Flash. They effect home and enterprise users.

    Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an after-thought.

    For Windows users, I often recommend they swap Acrobat with a free reader like Sumo or Foxit, which is smaller, faster, and has less vulnerabilities. Sadly, there aren't many GOOD Flash alternatives.

    I really hope HTML 5 phases out the popularity of Flash.

    • "Sadly, there aren't many GOOD Flash alternatives"

      How about Silverlight or Moonlight?
      • by Nadaka ( 224565 )

        he said GOOD alternatives. Silverlight and Moonlight are not.

        Whatever happened to applets and javascript?

        • Wait, because, unlike Silverlight and Flash, Applets and Javascript are somehow magically free of vulnerabilities?

          Careful, your prejudices are showing...

          • by Nadaka ( 224565 )

            What the hell are you talking about? I said NOTHING about vulnerabilities. Perhaps it is your prejudices that are showing.

            Silverlight fails at cross platform use, and can break previously working and unrelated software when installed. Moonlight is a half implementation of Silverlight that cant even get its errors right. Applets and javascript play nicely in comparison, though javascript is a pain in the ass with its browser incompatibility issues.

            • What the hell are you talking about? I said NOTHING about vulnerabilities. Perhaps it is your prejudices that are showing.

              Well, given the article is about *security vulnerabilities*, it stands to reason that when one is discussing viable replacements for Flash, one might be specifically referring to, you know, security vulnerabilities.

    • Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an after-thought.

      In what way is security an "afterthought" on these systems? Both have stronger measures to keep exploits from infecting the core system than Windows7. Both have excellent patching mechanisms that consumers use regularly.

      Furthermore, let's say you are a virus writer, and you take advantage of a Flash exploit. OK, now you have native code running - just which system

      • The users aren't as focused on security because the OS is seen as traditionally secure. I love Linux. I advocate Linux as a safer way to browse the web.

        Flash exploits on a web site are going to target Windows, as opposed to the small Linux market.

        However, Flash exploits do exist.

        My original point is that this is an odd prediction saying that Flash will become an issue in 2010, when I already think it was the biggest issue in 2009.

      • In what way is security an "afterthought" on these systems? Both have stronger measures to keep exploits from infecting the core system than Windows7.

        Is that really true? Both have inferior ASLR to Windows 7, for example.

        Both have excellent patching mechanisms that consumers use regularly.

        I don't see any way in which Apple's patching mechanism is superior to Windows'. Also, the way Apple uses it is inadequate; for example, they are very bad about updating OSS components of the OS, and you will find tragically old versions of perl libraries &c.

        Furthermore, let's say you are a virus writer, and you take advantage of a Flash exploit. OK, now you have native code running - just which system calls are you going to start making? Linux? Mac? Hardly.

        AFAICT this is the only meat in your comment sandwich.

    • by Ilgaz ( 86384 ) on Tuesday December 29, 2009 @01:39PM (#30584630) Homepage

      Unless you drug the IT departments of major media sites to go back to 1990s while H264 exists and H265 is being mentioned, HTML5 can't replace Flash.

      It is the codec, the stupid fanaticism about "open codecs" to a degree of inviting Apple to jump to VP3 while they spent billions for H264 and the damn MP4 is being lite version of their OWN container, Mov.

      For terabyte/petabyte sized media outlets, changing the codec means millions of real World money, not some "everything should be open" dreamer's money. In real World media, you even keep U-Matic players from 1970s maintained since in one occasion, you may need that archive tape from 1970s which haven't been digitized since it is part of your millions of hours archive which may be rarely (once a month) used.

      HTML5 designers should really visit a major TV studio to see how things are really done, why you must do some insanely great progress to convince the people to switch, how TV and Video guys doesn't give a heck to "patent" problem as long as multiple vendors/documented standards/EBU etc. approvals exist.

      • by EzInKy ( 115248 )

        Perhaps if the holders of H264 patents granted royalty free rights for foss implementations of their codecs everyone could have their cake and eat it too.

      • Actually, nobody cares if H.264 is “protected by anything”. We all have pulled stuff off of bittorrent, loaded some cracks, or had someone do that for us. I don’t remember seeing any computer without “illegal” software in the last 10 years. Even in companies!

        Like with GIF.

        The joke is, that YouTube already uses H.264. Someone at Google should offer a Firefox extension that simply implements H.264 for the video tag. :)

        • Well, what I say is, VP3 is a freaking outdated piece of junk abandoned and got donated to open source community.

          If Google has balls to donate the real deal (VP7,8) or even IF it is possible, things may change. Why IBM , big blue with army of lawyers couldn't open OS/2? Why some abandonware can't open their source but gives away free license instead? Why some can't? Because it is how such huge things work. All parties, including the companies, TV stations, TV industry organisations must agree that they will

  • Do the hacks exploit buffer overflow or wilder pointer issues? anyone knows?

  • It's time to start seriously chipping away at Adobe's stranglehold on multimedia. Or at least give it some serious competition that will inspire them to work harder.

    As someone else has mentioned, this might be HTML 5's time to step up.

  • Are there Flash-based keyloggers or bots?

    • I actually did a little research on this, and assuming Flash and Adobe Reader vulnerabilities allow code to be executed like in Windows, there is a possibility of setting up a keylogger or bot. Of course, as long as the exploited app isn't running with root permissions (which would only happen if you were logged in as root), it could only infect one user profile and it would be trivial to remove (it would only be able to run on login or X session start by say, putting itself in ~/.profile, ~/.kde/autostart
      • by Nutria ( 679911 )

        assuming Flash and Adobe Reader vulnerabilities allow code to be executed like in Windows

        Native code (which is what your comment implies, and means you'd have to "know your target", have 3 different payloads -- one each for Windows, OSX and Linux -- and a very intelligent installer), or interpreted code running in the Flash engine which would go away as soon as you close your browser (which I rarely do)?

        • The viruses targeted at Windows PCs are able to run native code, so I'm assuming that if the Linux versions of Flash and AR have similar vulnerabilities, they'd be able to execute native code as well.
  • by Locke2005 ( 849178 ) on Tuesday December 29, 2009 @12:46PM (#30583948)
    "We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"
    • "We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"

      It seems to be a standard PDF file that opens just fine in other PDF readers. What did you try opening it with? Or do you mean because you don't know there are other PDF readers you, personally, have to use Acrobat Reader?

    • "We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"

      Fortunately this vendor (who conveniently sells security products) allowed us to view their press release on Slashdot using HTML.

  • Developers can stop using flash and end-users should uninstall it. There is already a solution out there and it is called javascript. 90% of the things you can do in flash can easily be done using javascript, jquery, or some other javascript framework. For the remaining 10%, HTML 5 will be able to handle most of it (canvas tag, videos, better form support, etc), and the remainder of things that javascript/html can't do that flash can do (if there is anything), is not even worth implementing in a website. S
    • As long as IT salesmen sell "flashy" sites and bleat that it is professional to put a flash lock on your site, developers will have to build it.

      As you already say that most things can be done in javascript, I don't see that HTML5 support would hurt the use of flash.

    • by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday December 29, 2009 @01:11PM (#30584256)

      There is already a solution out there and it is called javascript. 90% of the things you can do in flash can easily be done using javascript, jquery, or some other javascript framework.

      The problem with your statement is you assume the Flash content creators are programmers with enough free time. In reality, many of them have degrees in communications or visual arts or are just programmers who want a quick and easy tool for throwing together some quick video/UI content for the Web. From what I've seen, the decently made tools to create such content are mostly created by Adobe and focused on Flash. Unless a company steps up and creates equivalent tools for HTML5 and javascript and those tools gain a significant market share and momentum and ecosystem, I see Flash remaining dominant, with MS gobbling up a smaller share.

      • Yeah, I hear JavaScript has great video codec support. And webcam/mic support. And audio playback support. And all that is pretty much uniform across major browsers.

  • McAfee, of course, has a product to sell.

    For Adobe Reader, the solution is really easy. Either install something faster and more secure as your browser's PDF plugin, or disable javascript in Adobe Reader. All the security vulnerabilities in AR have been related to javascript, which is a feature that almost nobody wants or needs in pdf files anyway.

    I'm skeptical about any risk from flash. Flash apps run in a sandbox. Are they referring to things like malicious facebook apps? That seems like a relatively

    • by thsths ( 31372 )

      > I'm skeptical about any risk from flash. Flash apps run in a sandbox.

      Flash apps should run in a sandbox - but the recent vulnerabilities are ways to break out of the sandbox.

      Of course any plugin should run in a sandbox, but I think only Google Chrome actually does that. It may be a consequence of the Radioactive X disaster - just download and execute anything - which Microsoft introduced in the late 90s.

  • So how do we keep Flash updated, assuming that Adobe tries to keep it patched? Is there a better way than going to Adobe's website and downloading a new version and installing it manually?
  • by Ilgaz ( 86384 ) on Tuesday December 29, 2009 @01:14PM (#30584282) Homepage

    Besides couple of security issues which are only fixed by disabling javascript in Adobe Reader EXISTS today, scheduled to be fixed in 15 days, here are 2 examples of the culture who actually develops/packages the OS X version.

    First, this is what you will see in your system.log, whatever browser you use:
    [0x0-0x1f01f].com.operasoftware.Opera[157]: Debugger() was called

    This is the current flash, released just weeks ago. This is a packaging issue which nobody than a complete newbie would do. They forgot the damn debugger symbol in final binary they ship to millions. I also heard if you are a unlucky developer who has XCode open at the time when you go to a site featuring Flash, that "call" may actually break your own application's tests or running "from there". Amazingly stupid eh? This has been reported to Adobe by many people, users like me, Developers getting hit, Browser vendors/developers (guess who users contact&blame when they see browser name?) and they keep that debug symbol, even ignoring the latest chance to get rid of it weeks ago.

    Want to see more? Here is a bug reported for ages, years, since early OS X days. Disk permissions broken while installing Flash. This is some amazing thing which even Apple is constantly bugged about and one of the perfectly valid excuses of "permission repairer" people on OS X land. Of course, as Apple really secured the permission repair process meaning hundreds of thousands of files will be validated before "repair", it also means 20 mins of a insanely system loading process even on highest end machine. I actually had access to a opto xeon (8x xeon) machine with 16 GB of RAM and just fired up "repair permissions" just to see if it is effected by CPU/RAM specs. No, still 13 mins.

    No need to paste 10s of lines mentioning very stupidly wrongly set permissions. Note that it is also Apple to blame a little, perhaps Adobe could care if they had a bug report coming from @apple.com having thousands of user feedback attached. If I know Apple enough, they must have reported it to Adobe several times since their bug reporter department even finds shareware vendors from web once they spot that their application causes the issue. So, chances are high that these pathetic idiots also ignores Apple Inc. themselves reporting issues, no matter how trivial they are.

    So, Adobe needs to do debugger symbol, permissions cleanups or they must get rid of the idiots who forgets a debugger symbol in a final product used by millions and can continue living their lives as nothing happened.

    PS: Intego, Symantec... Do you read these stories? MCafee, do you read your own white papers? Is the code which will check the swf files on the fly up and running? Or are you still developing sigs for imaginary threats and impossible to run Word macros? Don't blame people when they call you snake oil seller if it is the case.

  • flash expl0its just don't work with the free software Gnash flash player. I even submitted a bug report regarding one of them (yes, actually, it's listed at savannah). If you know C/C++ then please help hacking gnash so we free software users don't miss out on getting robbed by the apparently evil "criminal hackers".
  • "Flash to be top hacker target" has a far different connotation than "we anticipate...".

  • Every now and then, some writer tosses up some words like "Cybercriminals have long targeted xyz products due to their popularity". They don't. Criminals are lazy. They attack weak and easy spots first. It has nothing to do with "popularity". If it were, apache http servers would be the most attacked server application of them all - and they aren't.

  • They could start by releasing a *&^#@ MSI file for Windows and a deb/tar/rpm for Linux.

    Currently I have to wade through a bunch of retarded forms and sign a corporate distribution agreement and wait a few hours so they will send me a link to an MSI so I can update flash.

    Put an MSI on your home page that I can download in a few clicks and push out via Group Policy.

    With a deb, I can update all the linux systems I manage using cssh, wget to grab the deb, and 'dpkg -i' to install.

    If they're not will
    • They could start by releasing a *&^#@ MSI file for Windows and a deb/tar/rpm for Linux.

      They have packages. Check www.adobe.com and look under Linux.

      • They could start by releasing a *&^#@ MSI file for Windows and a deb/tar/rpm for Linux.

        They have packages. Check www.adobe.com and look under Linux.

        Are they finally up to date? I remember a year or so back that they were slightly outdated.

        But the one that really hurts is no Windows MSI. I can easily install a deb to 500 linux machines using cssh. I can't easily install some stupid EXE with lots of clicky installer bullshit to 500 machines without going insane. When managing a large Windows network, I've found you *must* have MSIs to mass-install software. That's the whole reason we aren't using Firefox anywhere. Can't easily deploy it.

        • by mlts ( 1038732 ) *

          FrontMotion (http://www.frontmotion.com/Firefox/) keeps (fairly) updated copies of Firefox on their website ready to push in .MSI format. They are also signed.

          This may not be something usable in a lot of places (Frontmotion isn't a company that everyone knows, so people would be leery of trusting their signatures), but it can be useful in some cases.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...