



Adobe Warns of Critical Flash Bug, Already Being Exploited
Trailrunner7 writes "On the same day that it plans to release a patch for a critical flaw in Shockwave, Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader. The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac, and won't be patched for nearly two weeks. The new Flash bug came to light early Thursday when a researcher posted information about the problem, as well as a Trojan that is exploiting it and dropping a pair of malicious files on vulnerable PCs. Researcher Mila Parkour tested the bug and posted a screenshot of the malicious files that a Trojan exploiting the vulnerability drops during its infection routine. Adobe has since confirmed the vulnerability and said that it is aware of the attacks against Reader."
I need this on my iPhone (Score:5, Insightful)
I hope Apple and Adobe come to an agreement because I want to live on the edge too.
Re: (Score:2)
I'd love to be on the cutting edge but I can't update Flash Player on Windows without installing some insane Adobe downloader addon for Firefox o_O
Does anyone know where I can find flashplayer.xpt and NPSWF32.dll for the latest update so I can copy the files manually into system32\macromed\flash folder? The only flash xpi I can find was last modified in like 2009.
Re: Direct download link to Flash Player (Score:5, Informative)
The full Flash installer is buried in a deep link. You can use Internet Explorer, choose the 'different operating system or browser' [adobe.com] link on the Adobe Flash download page [adobe.com], and get the Firefox version (likewise use an alternate browser to get the IE version).
Of course, if you want a direct link to download the most recent installer without the 'download manager' slimeware or 'free Google Toolbar', here it is!:
Tool to neuter Flash exploits - Blitzableiter (Score:5, Informative)
Here's an embarrassment for Adobe. An external researcher has created a tool called Blitzableiter [recurity.com], which is simply a Flash parser written in .Net. Its only job is to verify that any Flash you load is fully compliant with the Flash file format, and to hurl an exception if anything fails to parse correctly. I saw FX's presentation at DefCon and was suitably impressed.
The cool thing is that he claims it's caught every exploit, past and present, that he's been able to find to test it with.
Think about it. Someone external to Adobe is keeping Adobe's products safe simply by enforcing Adobe's own rules. Way to go, Adobe, you're completely awesome.
Configuring Blitzableiter to work in Firefox takes a little bit of work. He asked the NoScript guy to provide an external plugin mechanism, which launches Blitzableiter to check out the SWFs before they're permitted into the Shockwave player. So you have to load the NoScript extension, then configure it to run Blitzableiter. I look at it as a fairly small price to pay for safety.
I will say that it's pretty damn picky, and there's a lot of probably-safe-but-badly-written Flash out there that it won't let you load. Since there's actually very little Flash content I want to see anyway, it's not been a real problem for me. For expediency I put youtube.com in the exception list, just because I do trust the youtube player and don't feel I need to wait the extra two seconds to have it scanned every time I watch a video clip. Otherwise, it just rocks!
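The idea in the comment above (reject any SWF that does not parse cleanly) can be sketched as follows. This is an added example, not part of the original post and not Blitzableiter's code; it checks only the SWF container framing (header, declared length, tag record bounds), and the helper `make_swf` and the sample tag bytes are constructed for illustration.

```python
import struct
import zlib


class SwfFormatError(ValueError):
    """Raised when a file departs from the SWF container layout."""


def _skip_rect(body, offset):
    """Skip the bit-packed frame-size RECT (5-bit Nbits, then 4 fields of Nbits)."""
    if offset >= len(body):
        raise SwfFormatError("truncated before frame-size RECT")
    nbits = body[offset] >> 3
    size = (5 + 4 * nbits + 7) // 8          # RECT is padded to a byte boundary
    if offset + size > len(body):
        raise SwfFormatError("RECT runs past end of file")
    return offset + size


def validate_swf(data, max_inflated=16 * 1024 * 1024):
    """Return [(tag_code, length), ...] or raise SwfFormatError on any violation."""
    if len(data) < 8:
        raise SwfFormatError("shorter than the 8-byte header")
    signature = data[:3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    if signature == b"FWS":                  # uncompressed
        body = data[8:]
    elif signature == b"CWS":                # zlib-compressed after the header
        inflater = zlib.decompressobj()
        try:
            body = inflater.decompress(data[8:], max_inflated)
        except zlib.error as exc:
            raise SwfFormatError("corrupt zlib stream") from exc
        if inflater.unconsumed_tail:         # bound memory use on hostile input
            raise SwfFormatError("inflated body exceeds size limit")
    else:
        raise SwfFormatError("unknown signature %r" % signature)
    if declared_len != len(body) + 8:
        raise SwfFormatError("FileLength field does not match actual size")

    offset = _skip_rect(body, 0)
    if offset + 4 > len(body):
        raise SwfFormatError("truncated FrameRate/FrameCount")
    offset += 4                              # FrameRate (8.8 fixed) + FrameCount

    tags = []
    while True:
        if offset + 2 > len(body):
            raise SwfFormatError("tag stream ends without an End tag")
        code_and_len = struct.unpack_from("<H", body, offset)[0]
        offset += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                   # long form: 32-bit length follows
            if offset + 4 > len(body):
                raise SwfFormatError("truncated long tag header")
            length = struct.unpack_from("<I", body, offset)[0]
            offset += 4
        if offset + length > len(body):
            raise SwfFormatError("tag %d claims %d bytes past end of file"
                                 % (code, length))
        tags.append((code, length))
        offset += length
        if code == 0:                        # End tag terminates the stream
            break
    if offset != len(body):
        raise SwfFormatError("trailing bytes after End tag")
    return tags


def make_swf(tag_bytes, compressed=False):
    """Constructed sample: empty RECT, 12 fps, 1 frame, then the given tags."""
    body = b"\x00" + b"\x00\x0c" + struct.pack("<H", 1) + tag_bytes
    head = (b"CWS" if compressed else b"FWS") + b"\x0a"
    head += struct.pack("<I", 8 + len(body))
    return head + (zlib.compress(body) if compressed else body)


# Constructed tag streams: SetBackgroundColor(9), ShowFrame(1), End(0) ...
GOOD_TAGS = (struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff"
             + struct.pack("<H", 1 << 6) + struct.pack("<H", 0))
# ... and a tag whose long-form length (0x1000) overruns the file.
BAD_TAGS = (struct.pack("<H", (9 << 6) | 0x3F) + struct.pack("<I", 0x1000)
            + b"\xff\xff\xff\x00" + struct.pack("<H", 0))

if __name__ == "__main__":
    print(validate_swf(make_swf(GOOD_TAGS)))
    try:
        validate_swf(make_swf(BAD_TAGS))
    except SwfFormatError as err:
        print("rejected:", err)
```

A file that passes these checks is only well-framed; validating the contents of each tag and the ActionScript bytecode is a much larger job than this sketch covers.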
Abode Is The Weakest Link (Score:5, Interesting)
Re:Abode Is The Weakest Link (Score:5, Insightful)
Why the FUCK does a document display program have the ability to alter anything on my machine?
Re: (Score:3, Insightful)
Mostly because they have to keep the developers working and the shareholders thinking they are making progress toward more money. In reality Adobe is fast becoming a second rate company. I never thought that would happen ten years ago, but sure enough here we are.
Re: (Score:2)
Re:Abode Is The Weakest Link (Score:5, Insightful)
Re: (Score:3, Insightful)
HTML5 video [youtube.com] is here.
Adobe has no further reason to exist.
Great, video on the web. Sure if your knowledge of flash doesn't extend past its ability to be a video container then you would think it is now pointless. However flash is a lot more than that and unfortunately HTML5 content creation tools are rubbish, until such time as there is a CS-quality toolset for creating HTML5 content, SVG supporting audio, we get some method for block invasive HTML5 content, performance gets on par with flash, etc... flash will remain relevant. HTML5 should undoubtedly push flash
Re: (Score:2)
Without this competitor taking the vast majority of the market, more development effort would be put into GIMP as it would have a much larger user base.
Any product would take a larger market share if its competition is eliminated.
Re:Abode Is The Weakest Link (Score:5, Insightful)
Two words: Feature Creep
Re: (Score:2)
Re:Abode Is The Weakest Link (Score:4, Insightful)
The sad thing is that it took Reader about 3 or 4 versions not to be complete crap and the moment it actually got good they started bloating it almost as much as Emacs, except with stuff that is neither cool and powerful nor useful to the vast majority of users.
What should be a simple lightweight document viewer now requires an installer a significant fraction of the size of an entire Windows installation from just a decade or so ago.
Re: (Score:2)
Re:OS makers not helping much either (Score:4, Informative)
There are many approaches. Sandboxing is one, there's Sandboxie for Windows. On Linux you could use SELinux, or AppArmor which is much more user-friendly and is ultra-convenient on Ubuntu - profiles for Firefox (with Flash) and evince are installed by default and are updated automatically with the programs.
I don't know what the options are on OSX, since I have no possible use for the OS myself.
Re: (Score:2)
Re: (Score:2)
However, if you want to make your own policies, SELinux is a nightmare. AppArmor is _much_ easier.
Personally, I prefer TOMOYO Linux over the both of them. There's also SMACK, if you don't like any of the aforementioned three.
There are security benefits to customizing the policies to your own usage; if you're paranoid enough, I'd recommend doing so. There's certain liberties pre-made policies need t
Re: (Score:2)
I'd be happy to run with MAC ACLs (eg SELinux), if developers would stop doing things that cause trouble, like text relocations [akkadia.org].
Re:OS makers not helping much either (Score:5, Interesting)
On Windows, you can force any program to run at Low IL (Integrity Level support requires Vista or above). Low IL processes, regardless of their nominal user permissions, can only write to Low IL folders. There are only a couple of these in the base install - %USERPROFILE%\AppData\Local\Low contains things like the Temporary Internet Files folder (IE runs at low IL by default).
Low IL processes also can't start other processes at higher integrity levels. If for some reason you need a higher level (the usual reason is saving files) you can have a "broker process" that runs at the standard level (Medium IL) and exposes some interprocedural communication to the Low IL process. Strictly speaking this opens a hole in your sandbox, but it's a lot easier to lock down that broker process since it's very special-purpose and has a very small attack surface. Also, the broker process can be used to present a warning to the user when it is invoked for anything potentially dangerous (IE's "Protected Mode" warning appears when the browser asks the broker process to start an external application).
It's not as customizable as AppArmor, but it's less complicated. Unfortunately, it also takes a little tweaking to find out how to set process or folder IL.
Re: (Score:3, Insightful)
Until they go to install something that only works on an admin account. Then they quickly abandon the limited user accounts. Of course you can't blame the OS for that but the program writers that require admin to not just install but to run.
Re: (Score:2)
My Flash version is 10.2.161.22 on 64-bit Linux. I'm guessing this isn't affected according to the article?
Re: (Score:3, Interesting)
The download for the Linux Adobe Reader is 60 some-odd megabytes. The font package is another 40 some-odd.
It's only supposed to be a document display. I remember a full blown 32 bit operating system with a GUI (OS/2) that took up a stack of 16 (estimating) 3.5 inch floppies. Just what the fuck is Adobe doing?
The only thing I can think of is that the code base for Adobe Reader is spaghetti code and every time they update it, it adds more spaghetti. This probably explains the very long lag time when it co
Re: (Score:3, Interesting)
Not unlikely, given that Photoshop apparently has code inside it that dates back to m86k mac.
Re:Abode Is The Weakest Link (Score:5, Informative)
Re: (Score:2)
Troll is a noob, link leads to goatse:
http://preview.tinyurl.com/7odu [tinyurl.com]
Elite trolls only please.
Re: (Score:2)
Well since we know it is an exploit now, and you claim it is goatse, we have no way of really knowing what that is now do we?
Describe it to us, with plenty of adjectives please, and do it slowly.
Re:Abode Is The Weakest Link (Score:4, Informative)
Actually there is no malicious code in the link whatsoever. It links to TinyURL, a url shortening service. When a URL is submitted to TinyURL, the site stores the URL in a database and gives you a short lookup code that can be used with the service, allowing you to dispense shorter URLs that lead to longer ones. However this can allow URL obfuscation.
The troll has created a TinyURL link to the infamous goatse website, which displays a large photo of a naked man stretching his anus to Brobdingnagian proportions. He then placed a link in his Slashdot post, claiming that it links to exploit code or an attack site, which many Slashdotters would be interested in visiting, confident that their computers are immune. The troll hopes to get users to blindly follow the link, leading to a faceful of digital anus, producing lulz for the troll.
However experienced uber-geek users such as myself know that TinyURL offers a preview service, which can be used at any time by changing a TinyURL link from the format "tinyurl.com/whatever" to "preview.tinyurl.com/whatever," allowing a potential visitor to see where the link leads before proceeding. I did this and confirmed my suspicions that the link leads to the troll's shock site of choice, goatse.
Upon discovering the troll's weak attempt at trolling a group of technically advanced users with a technically weak trolling method, I then exposed his attempt and derided his weak trolling skills and lack of trolling experience.
I hope this answers your questions, I hate writing.
of course (Score:2)
Re: (Score:3, Funny)
It happens when you open PDF documents and Flash scripts. Duh.
Re: (Score:2)
Yeah. Can someone link me to a sample infected website plz? kthxbai
Re: (Score:2)
Re: (Score:2)
I have to say, I actually chuckled. +1 funny if I had mod points.
No, I don't care if it's redundant, because it's the first time I've seen this one, and considering the season, apropos.
--
BMO
Too bad... (Score:2)
Re: (Score:3, Informative)
How much you wanna bet we're going to have to wait for Adobe's next 90-day update cycle, since this was released right on the day of another patch?
Looks like not. From the article:
Adobe security officials said they plan to patch the Flash bug on Nov. 9 and will release a fix for Reader and Acrobat during the week of Nov. 15.
Re: (Score:3, Informative)
Adobe said that a Flash update is scheduled for (Patch) Tuesday, November 9. Updates for Acrobat and Reader are scheduled for the week of November 15.
Re: (Score:2)
I love how you have to go back to using nsplugin-wrapper for 64-bit flash... if you want any updates. Fuckers.
Re: (Score:3, Informative)
Adobe actually finally corrected this a month ago, and a 64-bit Flash plugin is now available again - for all platforms.
Adobe sucks. (Score:4, Interesting)
Isn't Flash supposedly sandboxed? And, what the hell is Flash doing in a PDF viewing utility?
I think it's about time to go from using Click2Flash to just deleting the Flash plugin completely.
Re:Adobe sucks. (Score:5, Insightful)
Yeah, I was kind of shocked by that. I disable Flash by default everywhere but so far have let PDF plugins stay because I need them for a lot of things and hey, it's a freakin document format! Now I find out that Reader is linked to both executable Javascript AND Flash. And anybody sending me a simple PDF document could be exploiting holes in any of those. What a nightmare.
Re: (Score:3, Informative)
The only reason to use Adobe to read PDFs these days is for PDF Forms...
Re: (Score:2)
Apple's Preview.app handles them nicely.
Re: (Score:2)
The problem with Flash isn't that it's "executable" - it's not where most of the exploits come from. The problem is that it's native code written in a memory-unsafe language, with, apparently, little attention to security. As such, it is susceptible to various forms of buffer overruns and other classic attacks which lead to injection of arbitrary native code into the process, and its subsequent execution.
Re: (Score:2, Informative)
Flash ActionScript isn't native code... It's VM'ed. If it was native code, it would at least run faster. Now, that doesn't stop someone from putting native code into a string, and pushing that string past an array boundary (which sounds like what this exploit is), but the AVM Bytecode itself isn't native code. The same sort of exploit was happening in Java just a few weeks ago, see CVE-2010-3552.
Re:Adobe sucks. (Score:5, Funny)
> Isn't Flash supposedly sandboxed? And, what the hell is Flash doing in a PDF viewing utility?
Sandboxed? More like litter boxed.
Re: (Score:2)
> > Isn't Flash supposedly sandboxed? And, what the hell is Flash doing in a PDF viewing utility?
> Sandboxed? More like litter boxed.
Actually it used to be a litter box, but now it's an unrecognisable ball of patches filled with poo. You might be able to find something useful in there somewhere but it's no fun digging, and you'll wanna hold your nose during and take a shower after. With the number of stories about flash and PDF exploits I'm surprised the installers haven't grown to a gig yet. There mustn't be much original code left in there.
Re: (Score:3, Informative)
Acrobat Reader is Adobe's general purpose client platform for content produced with Adobe Acrobat and related tools. That has been true, essentially, forever. Reading PDFs is, of course, an important part of that, but Acrobat hasn't been -- or been presented as -- just a "PDF viewing utility" for quite a long time, if it ever was.
Re: (Score:3, Interesting)
Actually Adobe Reader was always presented as a PDF reader. All the other shit they tacked onto it was added after several revisions.
Why two weeks to fix? (Score:2)
Can someone please explain to me why it will take Adobe two weeks to get a patch out? It seems like it should be an "all hands on deck" project to get this fixed and distributed.
Re: (Score:2, Insightful)
I'd be more worried about the fact that the majority of consumers don't update their Acrobat Reader on PCs. Clicking "Update Later" button has become something you get to click every time you reboot the computer.
Re:Why two weeks to fix? (Score:5, Insightful)
> Can someone please explain to me why it will take Adobe two weeks to get a patch out?
They need to come up with a reliable way to fix this, make absolutely sure it actually fixes the problem, and then make sure the patch doesn't cause crashes on any of the OS variants out there. Otherwise the chaos would be worse. Plus, you don't give an optimistic estimate right at the start.
(Look how Chile handled that for the mining disaster. They started with a safe estimate, and got praised for beating their own deadline. Imagine the reactions if they had been too optimistic in their original estimate.)
Re:Why two weeks to fix? (Score:5, Funny)
> They need to come up with a reliable way to fix this, make absolutely sure it actually fixes the problem, and then make sure the patch doesn't cause crashes on any of the OS variants out there. Otherwise the chaos would be worse.
Indeed: just imagine the riots in the streets if they accidentally broke Farmville. Having millions more PCs in botnets will be much less harmful.
Re: (Score:2)
> (Look how Chile handled that for the mining disaster. They started with a safe estimate, and got praised for beating their own deadline. Imagine the reactions if they had been too optimistic in their original estimate.)
Did they get the idea from Scotty?
Re: (Score:2)
Type this into a terminal:
apt-get remove flashplugin-nonfree
So...you're logged in as root? I think I'll look elsewhere for security advice...
(I know, you can have it aliased to 'sudo apt-get', but I couldn't pass up an opportunity to be snarky.)
In other news (Score:5, Insightful)
In other news, Steve Jobs now has even more arguments to push aside Flash and Shockwave.
Wait, Shockwave? That thing is still alive?
There's a safe alternative! (Score:2, Interesting)
The nice thing about html5 is that it's plaintext, and thereby can't be exploited - only the parsers can. And the nice thing of these parsers - which we also call Browsers - is that you can choose, and secure them yourself.
Bye Bye Flash
Html5, here we come!
-F
Re: (Score:2, Insightful)
JavaScript is a programming language. Just because the code is delivered in source form, it doesn't mean there cannot be security holes. And Flash exploits are actually Flash player exploits.
However, the following still remains true:
Re: (Score:2)
You're not thinking literally enough. (and just go ahead and ignore my sig for this post)
Re: (Score:2)
Re:There's a safe alternative! (Score:4, Informative)
And the same thing could be said about Flash too.
There's little-to-no practical opportunity to choose a Flash implementation, and Flash is not open-source, so we cannot secure it ourselves. Nothing you said is true.
Re: (Score:3, Insightful)
Try using it first.
I say this as someone who constantly installs it to see progress and has pretty much lost hope. The recent lightspark thing would be neat if it supported hulu.
Re:There's a safe alternative! (Score:5, Insightful)
From the source: "Gnash... supports most SWF v7 features and some SWF v8 and v9. SWF v10 is not supported by GNU Gnash." [gnu.org]
Yeah. Sounds really useful. They support MOST of a SEVEN YEAR OLD VERSION. [wikipedia.org] Woo hoo, sign me up!
And by the way, who's to say that Gnash is free of bugs and/or exploitable holes? One problem with re-implementing something is that you're likely to (and sometimes need to) reproduce the original, bug for bug and flaw for flaw. Just ask the WINE guys.
Re: (Score:2)
GNASH is a joke.
We really need to sandbox all browser sessions (Score:4, Insightful)
Attention browser developers:
Start sandboxing the browser so that by default, plug-ins are sandboxed from each other and from instances of each other in other "sessions" and they are not allowed a persistent storage.
Any user-initiated visit to a web site would be a new session.
Unless the end-user overrode the settings, only highly trusted plugins would be allowed persistent local storage and cross-session communication, and one of the criteria of being "trusted" is that the browser validated the plugin against a list of known-clean plugins in the last few hours.
Basically, if you aren't trusted, you get a very limited view of the local computer and once you quit, you get amnesia.
Re:We really need to sandbox all browser sessions (Score:4, Interesting)
> Attention browser developers:
> Start sandboxing the browser so that by default, plug-ins are sandboxed from each other and from instances of each other in other "sessions" and they are not allowed a persistent storage.
Or run Linux and use an Apparmor wrapper to prevent Flash from doing anything bad if it's compromised.
On my systems it can't read much of anything, can't write to anything other than /tmp and its own config files, and web sites can't download flash turds to track me... all enforced by the kernel.
Re: (Score:2)
How do you do that, given that it is loaded in the browser process - or did you put those restrictions on your entire browser?
Re: (Score:2)
> How do you do that, given that it is loaded in the browser process - or did you put those restrictions on your entire browser?
It runs inside nspluginwrapper, which can be restricted in arbitrary ways. I didn't realise until later that it's only doing that when running 32-bit Flash on a 64-bit Firefox, I thought it was being sandboxed in that way by default.
Code Exploit Discovery Automation (Score:2)
Re:Code Exploit Discovery Automation (Score:4, Interesting)
Similarly to how Microsoft has had to acknowledge OpenOffice, at some point hopefully GIMP and Inkscape and other creative tools will cause Adobe to address their own issues. The software industry has a serious lack of competition and without free software that closely mimics commercial products, it's hard to imagine anything improving substantially in the near future.
Relevant? Bah (Score:4, Interesting)
>"The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac"
What horrible wording. One could read that to mean Linux is not a "relevant platform" in general, or that the vulnerability can't use the exploit to do anything to a Linux system or several other things.
From the article:
"A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh."
"Square" (10.2.x) plugins vulnerable, too, or not? (Score:3, Interesting)
I'm running the 64-bit "preview" Linux plugin called "Square [adobe.com]". Adobe reports, "You have version 10,2,161,23 installed" when I check by right-clicking on a video and choosing About. Does that mean I'm not vulnerable to this flaw?
Re: (Score:2)
Good question. Mine reports 10,2,161,22 installed (can't they figure out how to use decimal points?)
Re: (Score:3, Informative)
> Good question. Mine reports 10,2,161,22 installed (can't they figure out how to use decimal points?)
Many cultures use commas instead of periods for the decimal mark. Specifically, see here [wikipedia.org].
Re: (Score:2)
>Many cultures use commas instead of periods for the decimal mark. Specifically, see here.
I know, but it still drives me crazy. It looks like a list of different things instead of a single number.
Re: (Score:3, Funny)
Many cultures ritualistically mutilate infants' genitals, as well. That doesn't make it right.
Re: (Score:3, Interesting)
> Many cultures use commas instead of periods for the decimal mark. Specifically, see here.
Yes, but it doesn't necessarily imply the same is true of version numbers. Here in Norway we swap the dots and commas in numbers (1.234,55 vs 1,234.55) but I have never seen any software package, domestic or foreign, that uses anything but dots in their numbering. I think they're more considered dividers like in chapters, that do use dots like "3.4 Crossing the beams". And ok, so (float)7.5 makes sense but what exactly would a kernel version number of 2.6.36 mean? What when you go from 2.6.9 to 2.6.10? It d
"Square" (10.2.x) is vulnerable (Score:4, Interesting)
I've tested the latest 10.2 preview of Flash and it is vulnerable. The US-CERT vulnerability note has been updated to reflect this: http://www.kb.cert.org/vuls/id/298081 [cert.org]
Quick fixes for Maemo 5's MicroB (Score:2)
Attention N900 users:
If you don't want to totally disable your flash plugin, you can either install adflashblock-css for combined ad and flash blocking, or if you don't want to block ads, use my custom flashblock:
http://talk.maemo.org/showpost.php?p=625937&postcount=3 [maemo.org]
Two weeks (Score:2)
"won't be patched for nearly two weeks"
In 25 years of computing, the only virus I've ever had was due to an Adobe Reader exploit. So, thank you Adobe for hurrying to get this patch out urgently. I'm sure there is no conceivable way you could get it out in less than 2 weeks.
In the meantime I should remove Reader from my system.
Re:Two weeks (Score:4, Interesting)
Just a guess, but removing authplay.dll might help mitigate the Reader portion of this exploit. I generally do that after every Reader upgrade because a similar vulnerability happened once before. Besides, who ever uses Flash inside a PDF document anyway?
Re: (Score:2, Insightful)
Re: (Score:2)
The only one that ever got me was an early flash drive autorun virus. I knew all about autorun, but thought double-clicking the drive in Explorer only ran it on CDs. Learned something that day.
Ironic (Score:5, Funny)
Am I the only one who finds it ironic that a web site that warns of a critical bug in the Flash player tries to install the Flash plugin?
(yes, I don't have Flash installed anywhere and so the linked web page demands to install it)
Re: (Score:2)
Understand Apple a bit better? (Score:4, Insightful)
This is why Apple no longer ships Flash pre-installed, and why they do their own PDF readers. Regardless of any tiffs (or .TIFFs, har! see what I did there?) between Adobe and Apple, I'm sure that Adobe wants its products preinstalled in OSX. Even through its contentious history with Adobe, Apple has preinstalled Flash for many software releases now because it made business sense to do so. It no longer does.
Recent trends show that Adobe is the most readily-exploited software vendor (per US-CERT). Critical flaws are being discovered faster than operating system installer "golden images" can be put through the update-certification-release cycle. Any version of Flash or Acrobat/Reader that is incorporated into an OS golden image will almost certainly be vulnerable by the time a system with that OS installed reaches a customer. You're going to have to update the moment you're out-of-box, so why pre-install something you're going to have to patch anyway (assuming you patch at all)? And Apple can't autopatch it... their Software Update only updates Apple products (i.e. products which they actually have the legal right to patch).
And, of course, the headlines would (and do) read "Macs being exploited" instead of "Adobe being exploited". Apple doesn't want that, and is in a position to do something about it.
Do we perhaps understand why Apple does some of the things it does a little better now? Do we perhaps understand why Microsoft doesn't include Flash/Reader as part of its OS? Does Adobe need to get its goddamned act together before they start throwing rocks at OS vendors?
Re:Understand Apple a bit better? (Score:4, Insightful)
And, thankfully, content providers still want their stuff to work on computing devices (like iPhones and iPads) that don't support Flash and so are providing non-Flash alternatives. That's not just good for Apple customers, but everybody in the long run.
Re:Understand Apple a bit better? (Score:4, Informative)
You do realize that Apple's PDF reader is *WAY* less secure than Adobe's, right? We're talking 15x as many exploitable vulnerabilities across the same test set of fuzzed files. Adobe and their miserable security practices are a scourge of the computing world, you hate their stuff, you remove it all from the computer.. OK, fine. You go with an alternative that has more than an order of magnitude worse security... wait, what?!?
Citation here: (Score:2)
The GP probably based his post on this presentation from Charlie Miller @ CanSecWest:
http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt [securityevaluators.com]
See slide 53 in particular.
What's important to realize, however, is that Charlie's fuzzing run was based on a set of PDF files that he chose. It's not stated whether any of the seed PDF files contained any flash objects or 3D or JavaScript or any of the other features that contribute to the size of Adobe Reader.
But that should be an eye-opener for you. Previe
Re: (Score:3, Funny)
Apple does the things it does because Jobs isn't afraid of shit. It's not like other companies don't hate Adobe as well, but only Steve-o would be willing to drop his pants and scream "Suck my diiiiiick!" at Adobe.
And good on him. I don't think the web as a whole is ready to move off Adobe products, but Apple has a history of driving those sorts of migrations (floppy whats?) and advertisers and websites can't afford to ignore millions of iPhone/iPad owners, who are, by definition, possessed of more money th
Re: (Score:2)
He's a shaaaaaark!
Or is that too Fark for this crowd?
Thanks Uncle Jobs! (Score:4, Insightful)
Also... (Score:4, Informative)
... this makes me very wary of buying a device where all apps, and the OS/UI itself are written in Adobe AIR [youtube.com] (which is pretty much Flash.) So when a vulnerability comes along you... what... quit using the whole device? I'm sure that will go over really well with the large businesses that are BlackBerry's intended customers. And for those who think I'm hyperbolizing, watch the video and listen close--the head of RIM says (at the 2:20 mark) "what we've done is... really embed AIR right into 'the metal' and the operating system." By "metal" I think he means "as low-level as we possibly could."
Wait, scratch that... large businesses have been buying Windows for two decades, so never mind me. I bet this thing will fly off the shelves. Hmm, maybe I should write an antivirus app in Flash so it can run on a PlayBook. :-)
Exhibit number 23 ... (Score:3, Insightful)
What about bastard copies? (Score:2)
Re: (Score:3, Insightful)
Use one of the pdf readers that doesn't have adobe's holes and bloat.
I think there is a windows port of evince, and I used to use sumatra when I had windows boxen. I have a friend that likes foxit, but I've never used it myself. etc.
Re:How to prevent Reader from using Flash? (Score:5, Informative)
Huh didn't know there was a Windows port of evince. I'll have to look at replacing Foxit with that:
http://live.gnome.org/Evince/Downloads [gnome.org]
And an .MSI installer too! I'll have to talk with the other IT guys at work tomorrow...
Re:How to prevent Reader from using Flash? (Score:5, Informative)
Foxit's been getting a little too adware-ish for me lately, it's coming bundled with toolbars now, and it offers a browser plugin which can only be bad news for security, browser speed and browser stability. Between the two I definitely prefer evince.
Re: (Score:2)
Foxit's security is pretty weak, but it's even less targeted than Apple's Preview (also very weak).
The KDE project has ported most of their desktop environment, including the PDF reader, to Windows. I mostly only use it for amoraK, but there's lots of good software in there.
Re: (Score:2)
Re: (Score:2)
3. Don't connect to the internet. Ever.