Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Bug Security IT

Adobe To Patch Flash 0-Day Friday 113

Trailrunner7 writes "Adobe is planning to patch the recently disclosed Flash Player vulnerability on Friday — just four days after it was disclosed — for users on Windows, Mac OS X and Linux. The vulnerability is being used in targeted attacks right now that use malicious Word documents. Adobe said it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel, but Reader X users will have to wait till June for a fix."
This discussion has been archived. No new comments can be posted.

Adobe To Patch Flash 0-Day Friday

Comments Filter:
  • by gazbo ( 517111 ) on Thursday April 14, 2011 @10:58AM (#35818654)
    Impressive.
    • by Riceballsan ( 816702 ) on Thursday April 14, 2011 @11:09AM (#35818802)
      This may be one of the few times 0 day was actually used right. 0-day hits without warning, and it has to be patched after the fact, assuming of course there was no warnings by white hats beforehand that were ignored/covered up. That being said, as much as I hate adobe and the ridiculous amounts of security flaws that actually allow these issues to occur, Seriously who the heck would want the ability to use flash in a word document, so they can print animations? That being said, 4 days is actually decent response time. compared to say word itself that will probably have the patch for this itself in a few months.
      • No, look it up, you're wrong. Zero-day means the developer doesn't know about it. It's here. [wikipedia.org] This particular exploit has been known, by Adobe, for at least four days. Don't make the mistake of thinking because YOU don't know what the exploit is, it's still a zero day.
        • so, that'd make it a 4-day? >__>
        • No, zero-day means that the developer didn't know about it when the attack went live. They'll eventually discover the vulnerability and patch it, but that doesn't change the fact that it was a zero-day attack.

          • Zero-day attack = attack perpetrated using a zero-day vulnerability.
            Zero-day vulnerability = vulnerability the developer doesn't know about.

            Please read the summary again and realize which one we are talking about here.
            • It doesn't change the fact that it was a zero-day vulnerability, either.

              And Adobe themselves called it one:

              During our response to any zero-day vulnerability, Adobe seeks to protect as many users as quickly as possible. As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing. Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism. Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris and Android (more than 60 platforms/configurations altogether) to ensure the fix works across all supported configurations. Typically, this process takes slightly longer and, in this case, is expected to complete on April 15 for Flash Player for Windows, Macintosh, Linux and Solaris

              • Please read that and tell me, do you think it was written by a PR agent, or by a security expert?

                We know what a 0-day vulnerability is. Whether Adobe uses the term correctly or not is irrelevant to the discussion.
                • by _0xd0ad ( 1974778 ) on Thursday April 14, 2011 @12:15PM (#35819600) Journal

                  It was a zero-day vulnerability. The fact that it's no longer a zero-day vulnerability isn't nearly as important as the fact that it was one, since the very fact that we're discussing it means that it's no longer unknown.

                  If you want to be that pedantic, you might as well just throw out the term altogether, because as soon as you find out that a 0-day exists, it ceases to exist.

                  • by lennier ( 44736 )

                    as soon as you find out that a 0-day exists, it ceases to exist.

                    The 0day that can be named is not the true 0day.

                    What is the sound of one buffer overflowing?

                  • by arth1 ( 260657 )

                    No, the Heisenphrase is still quite useful, but just like "undiscovered species" it has to be qualified with a word like "previously" when talking about a specific occurrence, and not used in statistics, forecasts and speculations.

                    • Why does it need to be qualified with a word that's redundant given the context?

                    • by arth1 ( 260657 )

                      Would you call a new species that was discovered last week a "previously undiscovered species", or insist on "undiscovered species" because "previously" was redundant given the context?

                    • If you're talking about its discovery, it's redundant to say that it was previously undiscovered.

        • The attack was a zero day attack, Adobe didn't know the vulnerability existed until the attack was discovered. They are now patching said attack on day 4. Saying that Adobe is patching a zero day attack 4 days after it was discovered doesn't seem unreasonable to me.

          • Except it's no longer a 0 day once it is discovered. They are not patching a zero day vulnerability, they are patching a vulnerability that used to be a zero day and no longer is.
            • Yes, Adobe will patch a vulnerability that was used in a 0-day attack. Or "Adobe To Patch Flash 0-day" for short.

              I suppose when I ask if you know what time it is you'll say "Yes", then give me a lecture on how my question was improperly phrased if I'm not satisfied with your answer.

      • by quenda ( 644621 )

        So it is actually a "minus four day" attack?

      • by arth1 ( 260657 )

        This may be one of the few times 0 day was actually used right.

        Actually, no. It's a prime example of it being used wrong, as crisis maximization.

        Zero day is a vulnerability before you discover it.
        First-day is when you immediately put out a fix.
        4 days after discovery, like this is, is three days after that and has nothing whatsoever to do with zeroth-day exploits.

    • I miss reading a Slashdot article about a 0-day (within hours of the actual vulnerability), then going to patch it and discover I'd already patched via my distro's repository.

    • Actually I'd like to go a day WITHOUT a notice from Adobe about patching something.
  • This one comes in via Word. MS released a security update this week that installs an Office add-in that scans 2003, 2007 & 2010 Office docs for malicious code. Hopefully MS's efforts will prevent the next Adobe security hole.
    • by ledow ( 319597 )

      HOW MANY MORE TIMES?

      Do NOT open a document that you're not expecting, that isn't from someone you know, etc. Yeah, you could say that this can be passed legitimately from person to person but come on - this is the first rule of virus protection - don't open documents without screening them (not via some magical software that "knows" if it's bad or not, but by using your brain) first.

      The fact that you can even still GET a Word virus whether it executes in macros, integrated Flash or some other ActiveX-based

      • Why should I?

        It's a fucking document. It's a series of bits which are converted into pixel values and shown on a screen, not code.

        If you get your computer compromised by a document, then the only person who's fault it is is the one who wrote the document decoder (and/or the idiot who decided that documents should include embedded code, which is ridiculous).

        You have your computer configured right now to accept documents that you're not expecting -- jpegs, all over the web. But you do this all the time, becau

        • But you do this all the time, because you know that the folks who wrote your browser managed to not fuck up a jpeg decoder -- no matter what's in that file, the worst it can make you do is get in trouble with your boss.

          I can think of at least one way a JPEG can get you in bigger trouble than that. >_>

        • Well, I've experienced plenty of documents that pull in real-time data for a portion of the document... unfortunately Flash is commonly installed as a "safe for scripting" active-x plugin in windows... I prefer simple pdf viewers, and don't open unexpected attachments... I really would just prefer that there were two differing extensions for such "interactive" documents, opposed to read-only, no interaction...
        • Comment removed based on user account deletion
        • by lennier ( 44736 )

          A million times this.

          What bugs me is that all the programmers who wrote these format decoders riddled with buffer overruns still have jobs. How can that be possible? Either they knew at the time that they were writing unsafe virus-holes - and went ahead anyway, thus committing gross negligence - or else, even worse, they had no way of telling if the code they were writing was safe or unsafe and yet went ahead and released it on a "who knows, what's the worst that could happen?" sort of policy.

          Either way, it

      • Well as much as part of that is true, for the most part it is terrible advice. "Don't open anything given to you by people you don't know" is solid advice, but it is half the time interpreted as something is safe if it is from someone you know and trust. Virus's don't work that way, most infections I run into these days were given to the person by their grandmothers who wouldn't hurt a fly. Second part is unexpected, this is also true, getting "hahafunny.doc" out of the blue is almost a guaranteed virus, bu
      • by rssrss ( 686344 )

        "Microsoft just don't care any more."

        I did not think Microsoft ever cared about anything other than Microsoft's profits.

    • by ackthpt ( 218170 )

      This one comes in via Word. MS released a security update this week that installs an Office add-in that scans 2003, 2007 & 2010 Office docs for malicious code. Hopefully MS's efforts will prevent the next Adobe security hole.

      I've always assumed Word Processor was not the same as Compiler or Interpreter. Shows just what a marvelous world it is when your Word documents aren't even documents at all, but full environments of their own.

      Generally THIS is why I don't use Word at home - I use a Word Processor which is a Word Processor and nothing more.

      • Long live gedit. also and on the plus side, it is a simpler tool that makes you focus on the content of what you are writing.
      • Generally THIS is why I don't use Word at home - I use a Word Processor which is a Word Processor and nothing more.

        Emacs users all of the world spit in scorn at your shameful statement.

        • Unsophisticated people use hundred-megabyte software packages to prepare documents.

          Sophisticated people use vim and latex.

    • Does it come in via word, or via a word document? i.e. if I opened up a malicious .doc/.docx in Open Ofice, would I be affected?

      I've been modded down to troll for asking these kinds of questions before. I'm really just curious, I ask with all humility, grace, and supplication...
      • Does it come in via word, or via a word document? i.e. if I opened up a malicious .doc/.docx in Open Ofice, would I be affected?.

        From Adobe's security bulletin: [adobe.com]

        There are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page or a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform.

        I don't know if OO will try to use the .swf payload inside the Word document.

        • I continue to be stunned by the fact that Word will attempt to launch an embedded Flash object ... I'm completely baffled by the fact that you can put a .swf file at all. Why the hell would you need that?

          It's no wonder we get so many *(&$^& viruses when word-processors attempt to launch embedded executable files without asking or anything.

          To me that sounds like the security equivalent of picking up used syringes off the ground and sticking them into your arm to see what's in them.

          I mean, WTF? Does

          • by lennier ( 44736 )

            I continue to be stunned by the fact that Word will attempt to launch an embedded Flash object ... I'm completely baffled by the fact that you can put a .swf file at all. Why the hell would you need that?

            And what happens if you print that?

            Do you get a Youtube movie at 60 pages per second coming out of your laser printer?

          • I am not a hacker in this area but the word .doc format is specifically designed as an executable. The reason why is to make it harder for people to leave the MS ecosystem and switch to competing products. Also it is there to give Visual Basic an edge.

            Virus makers love this as their code can hide in a perfect container. OpenXML which is now used is far superior because nothing is hidden but it also supports legacy binary blobs of executable code.

  • by Anonymous Coward on Thursday April 14, 2011 @11:07AM (#35818770)

    At least my iPad is still safe.

    • Re: (Score:3, Informative)

      by Tackhead ( 54550 )

      At least my iPad is still safe.

      Not necessarily. Even without Flash support, those things are huge vectors for earworms.

      7 am, waking up in the morning
      Zero-day fresh, gotta get my warez,
      Gotta sign my key, gotta have serials
      Crackin' everything, the time is goin'
      Tickin' on and on, everybody's codin'
      Gotta log on to the Slash - dot
      Gotta slash my dot, I click Refresh...

      PDF for printouts,
      Flash is for online,
      Gotta make my mind up,
      Which code did they break?

      It's Friday, Friday
      Zero-day on Friday,
      Sysad

    • Just as a Power Wheels truck is safe from a high-speed crash.

  • If the malware is distributed with Word docs, then how can it infect Linux? Does it work with Open/LibreOffice too?
    • Re:Linux? (Score:4, Informative)

      by machxor ( 1226486 ) on Thursday April 14, 2011 @11:15AM (#35818868)
      The vulnerability exists in Flash Player not Microsoft Word. A Word document is simply the package being used to distribute the payload.
    • Neither TFA nor TFS say it infects Linux, though it sure reads like that at first, it actually says a patch will be available for Windows, MacOS X and Linux. It's probably minimal effort to plug the hole in all of them at once.
  • by Anonymous Coward on Thursday April 14, 2011 @11:15AM (#35818870)

    Doesn't Slashdot post this same article every week?

  • And the whole damn country can be taken down by a media player. Truly fascinating.

    • Re: (Score:2, Funny)

      by geek ( 5680 )

      Unless you're on an iPad

    • by lennier ( 44736 )

      I used to think that William Gibson's Neuromancer was wildly unrealistic for portraying a future Net so riddled with vulnerabilities that any cowboy kid with a cyberspace console could hack their way into a bank and escape barely milliseconds ahead of the Intrusion Countermeasure Electronics.

      Now I know that the unrealistic part is that there's any countermeasures at all.

  • by Anonymous Coward

    They are planning to patch Friday?
    Why does Friday need patching?

  • by fahrbot-bot ( 874524 ) on Thursday April 14, 2011 @11:23AM (#35818978)
    The Flash Player for Windows will get patched on April 25, but the Flash Player bug in Reader X for Windows will get fixed in June because the Reader X sandbox prevents exploitation. From TFA:

    Adobe said on Wednesday night that it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel. A separate patch for Adobe Acrobat X for Windows and Mac, Reader X for Mac and Reader 9.x for Windows and Mac on April 25.

    The company is planning to wait until June to release a patch for the Flash Player bug in Reader X for Windows because the sandbox in that application prevents exploitation of the vulnerability. The patch for Chrome will be available earlier than the others thanks to Adobe's relationship with Google.

    • by trparky ( 846769 )
      Even if they don't release the patch for Google Chrome, Google Chrome users are still fully protected.

      All of these exploits in Adobe products is why everyone is coming out with their own PDF viewers or sandboxing the hell out of Adobe Flash.

      Google Chrome has it right, wrap Adobe Flash in the same nearly impenetrable sandbox that the browser itself is wrapped in. The Google Chrome sandbox has proven time and time again that no matter what exploit is found in the browser, the sandbox has rendered them co
      • Smells astroturfy, because you're making sure to call it "Google Chrome" every time instead of just "Chrome" like a normal slashdotter would.

  • A bit hard to find, but this specific vulnerability is in "10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems."
  • Its funny to see everyone arguing over what zero day means ...

    Back in my day, and yes, I'm an old geezer apparently, zero day meant ... the first day it was discovered.

    zero day warez releases were released the same day as the software hit the shelves or went on sale somewhere.

    The next day, it was no longer zero day, it would be 1 day.

    You also had pre-release warez of course, for things that were available on ftp sites or IRC before the public release, also commonly called zero day warez as well.

    You wouldn't

    • by Imagix ( 695350 )
      I'm with you on this one. 0-day as a descriptor is nearly meaningless noise as it is currently used. "A vulnerability that the vendor doesn't know about yet.". Big deal. "A new vulnerability" says pretty much the same thing. If it takes the crackers four years to find the vulnerability, it still counts as a 0-day. Part of the cachet around "0-day" originally was a giant raspberry to the software vendor that their copy protection for their software was so weak that it was broken the same day that it w
      • A new vulnerability can be found by white hats and reported to the company, which is not a 0-day. A new vulnerability can be found by black hats and exploited before the company knows about it. That's a 0-day, and it's problematic because they company wasn't able to attempt to mitigate or fix the problem before it was exploited. Not all new vulnerabilities are 0-days; probably most are not. It's not important whether a vulnerability was found the first day the software was released or not. The important thi
  • Wasn't he a quarterback for the Irish?

  • I guess, does it push the update out to users?
  • by xororand ( 860319 ) on Thursday April 14, 2011 @01:12PM (#35820216)

    Try to uninstall Adobe Flash for a week. I did and I can't say that I miss anything.

    YouTube:
    - The HTML5 beta [youtube.com] works rather well with modern browsers like Firefox 4.0 and nearly every video is available. You don't need a Google account. The setting is stored in a cookie.
    - If you're on Linux, try Minitube [gawker.com]. It's a standalone player for YouTube that uses hardware acceleration.

    Thanks to the iPad, more and more web sites offer alternatives to Flash. My preferred news TV station is now streaming both with Ogg/Theora and H.264.

    Yes, I can't view the occasional funny cat video because it's only available in Flash format but guess what: I'm still alive.

    • Really? Which news site streams OT?

      • It's a German news program: tagesschau.de
        Screenshot [imgur.com].
        They got an award for it too:

        "The Free Software Foundation Europe (FSFE) and the Foundation for a Free Information Infrastructure (FFII) have used the occasion of Document Freedom Day 2011 to give an award to German broadcaster ARD's internet platform tagesschau.de for offering broadcast shows in the free Ogg Theora video format. According to the FSFE announcement, the technical manager and vice editorial director will be presented with cakes at separate e

        • According to the FSFE announcement, the technical manager and vice editorial director will be presented with cakes at separate events in Hamburg and Berlin."

          It's a trap! The cake is a lie!

  • Stable Channel release 10.0.648.205 is out. Thanks Google for the incredibly swift response.
  • It seems they are following in suit behind Microsoft with the "we will patch it when we feel like it" attitude. Disappointing.
  • Here's the summary of the conversation:
    Him: dude, it's happened again.
    Me: too much porn man.
    Him: I didn't do anything, even used Chrome and Firefox
    Me: which site did you go to?
    Him: it's my office computer, I can't look at porn here.
    Me: OK, maybe there's not enough porn on your computer.

  • So still waiting on that patch. When was that going to be released again?

Solutions are obvious if one only has the optical power to observe them over the horizon. -- K.A. Arsdall

Working...