Adobe To Push Emergency Fix For Flash Bug
Trailrunner7 writes "Adobe has moved up the release date for the patch for the critical bug in Adobe Flash Player revealed last week, and now plans to have an emergency fix ready on Thursday. The company still plans to patch Reader two weeks from now. The vulnerability in Flash also exists in Reader and researchers said last week that attackers had already begun exploiting the bug in Reader by the time that Adobe acknowledged the problem and published an advisory. At the time of the initial advisory, Adobe officials said they planned to release a patch for Flash on Nov. 9 and for Reader on Nov. 15."
Re: (Score:2, Informative)
I would imagine that there is a certain amount of testing with any software patch that's released.
Re: (Score:2)
No doubt they have a "process" that includes running regression tests on release builds.
Also no doubt this process is completely inadequate for most needs and products, and exists only to serve a pro-forma certification process, meaning in this case they should have tested the feature they changed and released it, planning to update it on the original schedule if testing showed a regression problem. Because letting your users risk getting rooted is worse than letting them take a risk on a beta release.
But
Re:I have a question (Score:4, Interesting)
Because letting your users risk getting rooted is worse than letting them take a risk on a beta release.
No, your security doesn't matter to them a bit. But a risky beta release can give them bad publicity.
Nobody gives a damn about your security but you. Especially not the proprietary software houses. FOSS, at least, uses their own systems, so they have a reason to worry about security.
Anyway, this doesn't affect me (yet) because I'm using a different PDF reader (came with the distro) and haven't been able to get Flash working at all.
Re: (Score:2)
If the beta is properly disclosed as such, and is given the standard pack of disclaimers and warnings against premature use, then what business does it have getting bad publicity?
Re: (Score:2)
A beta can give an indication of what the final product will look like.
Re:I have a question (Score:5, Insightful)
On a serious note, why badmouth IT people just because adobe's products are broken?
Personally I'd be simply dumping flash and pdfs, at the proxy/email servers, til adobe fixes their software. Send out note to entire company: Due to extreme security risk in adobe's products we must block flash and pdf content in web pages and email until further notice.
It's against policy (written or unwritten) in a lot of shops to deploy beta software to users so intermediate patching wouldn't be kosher in a lot of places. It'd likely get you fired in a significant number of shops, especially in government, financial and medical industries where compliance with federal information security regulations is important.
It's usually not a preference for the IT "droid". At the beginning of my career (I'm a software engineer now), we just did what we were told to do by the boss after we informed him of a problem. I'm pretty sure it still works the same way, at least if you want to stay employed. I was actually in the software patching automation group. We deployed what we were told to. We could care less what it was we were shipping out as long as the package worked.
If we were handed an adobe update on tuesday, then another one on thursday, no one would have cared one iota that it was for the same product. We'd just push it out.
Re: (Score:2)
I presume that this vulnerability does not affect Preview on the Mac? Is that a correct assumption?
Re: (Score:2)
You have just illustrated why people badmouth IT.
Do you realise that a lot of information that people need to do their jobs comes as PDFs? Broker's research (especially when emailed to clients), regulations for particular industries, all kinds of other stuff.
Flash is not often critical, but I am sure there are examples out there.
You are doing what is easy rather than doing it right. Have you considered installing a different PDF reader? Even different Flash players (if what your users need will work with th
Re:I have a question (Score:4, Funny)
Indeed. If patches carried the risk of having the programmers executed if it didn't go well, there would be no software bugs at all.
Re: (Score:1, Redundant)
There wouldn't be much software, either.
Re:I have a question (Score:5, Funny)
It's well known that North Korea publishes the most secure Hello World program in the world.
Re: (Score:1)
Yep, I agree, there is no real liability or accountability in this field right now, except for the airlines; they also use in-house development though....but all in all, if we even came close to what the car or plane industry goes through to make sure no problems arise BEFORE selling the product, we also would have maybe 1/100th of the apps out there available to us....of which Windows would not be part, nor Adobe products.
Re: (Score:3, Funny)
I would imagine that there is a certain amount of testing with any software patch thats released.
Exactly. They'd hate to introduce more bugs, security vulnerabilities, etc into their otherwise stable and secure product.
Re: (Score:3, Informative)
It's good that they are doing it so often.
It must cost them a small fortune every time.
Hopefully someone there who signs checks is getting tired of it all and is pushing for changes.
Contradiction of terms (Score:5, Funny)
"revealed last week"
"emergency fix"
"Thursday"
Re: (Score:2)
So, they're late because time is an illusion? I'd hate to see how long their lunches last...
Re:Contradiction of terms (Score:5, Funny)
"Hello, 911, what's your emergency?"
"I'm having a heart attack! Aaah, hurry!"
"Okay, we can have someone over there by Thursday."
"UUUGGGGYHH *thud*"
Re:Don't care... (Score:5, Insightful)
You are fucking stupid to have flash installed on any machine with ANY information in it.
Yes those computers with no information stored in them would be much safer, if they could exist.
Re: (Score:2)
This is another pet rock idea in the making...
"The Computer Rock! It never gets viruses, it never gets slower and when it crashes it's the one doing the damage!"
Re: (Score:1, Offtopic)
I have a Tandy 1000 RLX. With its 80286 processor, VGA video, IDE support and 1.44 MB floppy drive, it's the best, smallest Tandy 1000 to have while still being able to easily find legacy parts for it (monitor, hard drive, etc).
If you only run MS-DOS, replace the hard drive with the biggest supported Compact Flash card you can find. You can store all your old games on it and still have lots of room left.
Re: (Score:2)
*rimshot*
Re: (Score:2)
This is another pet rock idea in the making..
The Commodore PET made a pretty good rock. If you could lift it.
LOAD "SPACE INVADERS",1
Re: (Score:1, Informative)
Well if you really cared you could pass --safe-plugins to Chromium and sandbox Flash. It'll break some websites but YouTube works. Details: click [chromium.org]. Linux details: click [google.com]. On Linux the sandbox is using either chroot (SUID) or policies (AppArmor, SELinux, seccomp...).
It is a complex system (Score:3, Interesting)
A disclaimer: I'm not in any way associated with Adobe but I do teach courses on Flash (among other subjects).
Flash is a much more complex system than many people realize. Lots of people (including lots of programmers) think of Flash as only some small browser plugin that can be used for annoying banners and such. But really, Flash is a large development environment (and a rather interesting one at that). An object-oriented programming language (ActionScript) is run in a full-scale virtual machine (complete with
Re: (Score:1)
And when exactly did Java become associated with fast and cool browser applications?
Finally Safe (Score:1, Funny)
Is this what the exploit looks like? (Score:1)
I tried to look at a photo of someone who won a Governors office today via Google images. The site I landed on popped up the Firefox Flash update screen for a second, then asked to update Firefox from a .cc site, which I denied. Was I almost taken by this exploit, or am I being paranoid?
Case against flash on mobile devices. (Score:2)
When are FroYo devices running 10.1 getting the update? When's HTC and Sprint, HTC and AT&T, HTC and TMobile and HTC and Verizon planning on doing an OTA? When's Motorola? Samsung? etc. etc. etc.
Re: (Score:2)
No need for OTA for Carriers, it is in the market.
Third party plugins & apps (Score:3, Insightful)
flash update (Score:1)
Just moved my entire network (243 computers) off of Reader 9 to Reader 8. Testing replacements now. F*ck Adobe.
Re: (Score:2)
Did you know that all you had to do was remove one DLL? I just rolled a logon script out to rename authplay.dll (the flash component of Reader) on every machine, problem mitigated. Unfortunately, most people here need the real Adobe reader, as we do a lot of graphics and print, so 3rd party replacements aren't an option yet.
Too late (Score:1, Informative)
I already replaced it with gnash and I am satisfied.
clipper chip (Score:2)
This is why the NSA have stopped harping on about the clipper chip and other mandatory back doors.
They don't need 'em!
Makes me laugh about eulas in general:
"I the customer promise not to reverse engineer or copy this big security hole, and to let you disperse all my private data, and in return you promise that you may or may not abuse me in the aforementioned fashion, or permit such abuse by third, fourth and fifth parties."
Where's all the class action lawsuits?
Re: (Score:2)
From "Good Omens" by Terry Pratchett and Neil Gaiman:
Learn from other industries, Adobe (Score:2)
I think the time is ripe to get on the bandwagon of safety-critical software development methodologies. It has been shown over and over that there is a bunch of code, in widespread use, whose failures cause extensive economic harm -- even if the harm to the individual is small, the collective expense is major and measured in USD billions. Flash Player and Reader fall into the category of software whose safety shortcomings cause extensive economic harm. Why are those developed using "standard" (read: cav
Flash forces McAfee on you (Score:5, Informative)
The Flash updater annoyed me the last time I ran it. The last update I applied snuck some McAfee software onto my machine.
The Flash updater now has the checkbox checked by default for McAfee Security Scan Plus, and they moved the checkbox so you don't notice it when you are glancing at the installer.
Re: (Score:2, Informative)
Click to download, DON'T accept their stupid "Download Assistant" and start clicking through the support pages...eventually you'll find the executables in the clear...
http://kb2.adobe.com/cps/855/cpsid_85599.html
Re:Flash forces McAfee on you (Score:4, Informative)
The Flash updater annoyed me the last time I ran it. The last update I applied snuck some McAfee software onto my machine.
Thank you greatly for posting this. On my workstation I had an Adobe Flash Updater pop up on me in the last week or two; I let it run and do its thing. So, the next day at work I noticed McAfee Security Scan (or some such) on my computer. I thought it was strange and even double-checked that the corporate-mandated Symantec was still installed and running. I just chalked it up to some manager deciding to inflict the masses with another ill-conceived GPO push. I meant to question our helpdesk about it, but I glossed over it by the next day.
They must have really snuck that checkbox in very well; I'm pretty diligent with my usual "is this software trying to push additional crapware on me" scan for checkboxes and didn't see it. I often expect them in pretty much everything these days (I'm looking at you, Java), but I hadn't noticed the Flash Updater sneaking them in before.
Amen (Score:3, Insightful)
Where do I click .. (Score:3, Informative)
"A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX" link [threatpost.com]
Shockwave Flash 10.1 on Ubuntu 10.10
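As an added example (not code from the thread or from Adobe), a small check that classifies inventory version strings against the ranges quoted in that advisory text; the product keys, the `host,product,version` inventory format and the host names are assumptions:

```python
# Added example (not from the thread or from Adobe): check inventory version
# strings against the affected ranges quoted in the advisory text above.
# Upper bound of each affected range, exactly as the advisory quotes it.
AFFECTED = {
    "flash_player": (10, 1, 85, 3),          # 10.1.85.3 and earlier (desktop)
    "flash_player_android": (10, 1, 95, 2),  # 10.1.95.2 and earlier (Android)
    "reader": (9, 4),                        # Reader 9.4 and earlier 9.x
}

def parse_version(text):
    """Turn '10.1.85.3' into (10, 1, 85, 3); reject non-numeric input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(product, version_text):
    """True if the version lies inside the advisory's quoted range.
    A short string like '10.1' is zero-padded, so it compares as the lowest
    build of its branch and is flagged conservatively."""
    version = parse_version(version_text)
    bound = AFFECTED[product]
    if product == "reader" and version[0] != 9:
        return False  # only 9.x is named; 8.x and 10.x are outside the range
    width = max(len(version), len(bound))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(bound)

def scan_inventory(lines):
    """Return (host, product, version) for each affected 'host,product,version'
    line; lines with a bad field count, version or product are skipped."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            host, product, version = (f.strip() for f in line.split(","))
            if is_affected(product, version):
                hits.append((host, product, version))
        except (ValueError, KeyError):
            continue
    return hits

# Constructed sample inventory; the host names are not real.
SAMPLE_INVENTORY = """\
host-a,flash_player,10.1.85.3
host-b,reader,9.3.4
host-c,reader,8.2.5
host-d,flash_player_android,10.1.95.3
"""
```

A bare "10.1" like the one reported above is flagged, since the string does not say which build of the 10.1 branch is installed.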
Re: (Score:1)
Your quote said that authplay.dll is in Acrobat Reader 9.4 for Windows. You may be vulnerable only to the Flash part of this security report.
You don't have Shockwave Flash on your machine. You have only Flash. Adobe does not provide Shockwave packages for Linux. Current Shockwave version is 11.5 something.
Re: (Score:2)
YHBT etc, but that is an interesting point. Your two examples are unrelated, but in a way Mr Narayen is right about crashes. If any application is able to 'crash' a whole computer, then the operating system has a problem. The OS should remain stable, regardless of what programs are executed. (Of course, the fact that an application is buggy means that it too is broken.)
Belated (Score:2, Interesting)
Most of us who are knowledgeable about programmatic structure, syntax, idiosyncrasies, faults, and exploits advised Adobe, either formally and directly through communique or informally and indirectly through public message boards, to patch their vulnerabilities about fifteen years ago.
One ring to rule them all? Patch one bug and patch them all? For #$*@'s sakes... you people have more code-holes than Ivory [wikipedia.org] running 300 BAUD and a caller drop carrier with an immediate callback.
The only sane approach is to j
Oh, for fuck's sake. Again? (Score:2)
KILL IT WITH FIRE.
Sticky? (Score:2)
Doesn't this story get posted every week? Why not just make it a permanent item on the /. home page?
A Humble Request (Score:2)
Update is now available (Score:2)
http://www.adobe.com/support/security/bulletins/apsb10-26.html [adobe.com]