Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Adobe Flash Remote Code Execution Flaw Exploited In the Wild 187

An anonymous reader writes "Adobe has released an emergency patch for a critical vulnerability affecting Flash Player for Windows, Linux, and OS X, the exploitation of which can result in an attacker gaining remote control of the victims' systems. The flaw is being actively exploited in the wild, but apart from crediting its discovery to researchers Alexander Polyakov and Anton Ivanov of Kaspersky Labs, no details about the ongoing attack has been shared." They even updated the explicitly unsupported NPAPI GNU/Linux version.
This discussion has been archived. No new comments can be posted.

Adobe Flash Remote Code Execution Flaw Exploited In the Wild

Comments Filter:
  • Shocking (Score:5, Funny)

    by sunderland56 ( 621843 ) on Wednesday February 05, 2014 @10:12AM (#46162329)
    A security flaw in Flash? Really? How surprising.
    • by Anonymous Coward

      The Internet is a security flaw.

      Browsers are have security risks. The plugin model has security risks. Any client on an end-user's machine that runs code is a risk.

      Is Flash really any worse? Is it any worse than any other plugin? Is it any worse than javascript? Any worse than the browser itself?

      Nice to see Adobe releasing fixes and crediting the researchers at least.

      • Re:Shocking (Score:4, Informative)

        by Timothy Hartman ( 2905293 ) on Wednesday February 05, 2014 @10:41AM (#46162633)
        You really can't compare it to other plugins. It's such a far leader in being the worst that it is like comparing stepping on an ant to the holocaust.

        I don't think Adobe could really just decide not to fix this and ignore the researchers who brought it up. Hardly something to praise.
        • Re:Shocking (Score:4, Funny)

          by ColdWetDog ( 752185 ) on Wednesday February 05, 2014 @10:46AM (#46162681) Homepage

          Godwin in one, two -- three posts!

          A winner!

        • Just keep in mind Flash is a target due to its ubiquity. The same applies to (desktop) Windows, IE and Android. That's not to say these products are without flaw. After all, they're software - of course they have flaws. It's just there's far more people looking for these flaws than in, say, OSX.
          • Comment removed (Score:4, Insightful)

            by account_deleted ( 4530225 ) on Wednesday February 05, 2014 @04:04PM (#46166021)
            Comment removed based on user account deletion
            • by rsborg ( 111459 )

              Seriously try out any video in Flash+ VP6 and compare it to HTML V5 H.26x and disable hardware acceleration (which is a bandaid designed to cover up how big a pig H.26x is) and look at the numbers yourself.

              So you're essentially saying that turning off hardware acceleration is going to require Core2 specs to play video?

              Let's do this: play H.264 on an original iPhone (i.e., youtube app) and tell me why it's performant. That's a seriously slow (400mhz older ARM) processor compared to even a mid-decade Intel part.

              How is any of this a good comparison? Your rant is not meaningful whatsoever.

              • by rakslice ( 90330 )

                The iPhone 2g has hardware h.264 acceleration. So why is its general purpose CPU speed relevant?

            • BTW how many of you are planning to split when they force us onto that shitstain that is /. beta? I don't know about you but if I wanting another tweeting twits for shits I'd be on Reddit. The thing is a mess, it looks like shit, hard to follow flow, comments even more broken, obviously designed for pads (which I bet my last buck is less than 3% of the daily readership of this site) it is the windows 8 of the web!

              Consider:

              1. The majority of Slashdot's useful content comes from its users, in comments. Thus, t
      • by Anonymous Coward

        Is Flash really any worse?

        Yes.

        Is it any worse than any other plugin?

        Yes.

        Is it any worse than javascript?

        Yes.

        Any worse than the browser itself?

        Yes.

        Any more questions? Yes!!!

        • by Saei ( 3133199 )
          Oh, how quickly ActiveX has been forgotten.
        • by Sigma 7 ( 266129 )

          As you know, Flash can be disabled (or at least set to Click-to-play) on any non-braindead browser. Because of that alone, Flash cannot be worse than any browser.

          Meanwhile, Javascript allows instantly redirecting you from any page to today's "Your Flash Is Outdated" malware page - with the back button never bringing you back to the page you were reading.

          Oh, and you haven't encountered IE's ActiveX plugins, which have less sandboxing than Flash.

    • Don't forget to install McAfee bundled with your flash update! Because that will help you!
  • Not much longer? (Score:3, Insightful)

    by HetMes ( 1074585 ) on Wednesday February 05, 2014 @10:13AM (#46162339)
    How far away are we from gaining a critical mass of website who don't necessarily need flash anymore, with the arrival of HTML 5? How long before the scale tips?
    • Look at IE6 declining curve... Flash will probably be worse than that.
      • Actually IE is the reason flash won't die! That and XP users who can't upgrade to a modern browser. As long as websites cater to them the longer they wont upgrade.

        IE 6 lasted for 12 years as a result of this cycle back and forth waiting for the other to upgrade. Corps liked and locked them down and website makers worked for free for +10 years supporting them so why change?

        If IE 8 gets below 5% then expect youtube and porn sites to phase out flash.Right now it is the worlds most popular browser thanks to Chi

        • by Anonymous Coward

          Right now probably isn't the best time to argue about XP users. Sure, XP is still strong at ~30% market share, but the real question is: how much of that 30% is corporate? All corporate machines will move to Windows 7 either by May 2014 or at the very latest, the end of the year. Having an unsecured environment is simply not an option for most corporations.

          I know my current company is still in the process of switching to Windows 7. We have ~2,000 people on site, and ~600 XP machines. Coincidentally, th

          • Right now probably isn't the best time to argue about XP users. Sure, XP is still strong at ~30% market share, but the real question is: how much of that 30% is corporate? All corporate machines will move to Windows 7 either by May 2014 or at the very latest, the end of the year. Having an unsecured environment is simply not an option for most corporations.

            I know my current company is still in the process of switching to Windows 7. We have ~2,000 people on site, and ~600 XP machines. Coincidentally, that's right at the 0.30 mark, but it should be noted that we don't have a 1:1 people:computer ratio. I forget how many computers we have, but it's over 4,000.

            From the website point of view, there's really no reason to hold out once Windows XP is phased out. All other systems can handle HTML 5(well, the systems with large enough market share to matter), which means all the website will have to do is put up a banner saying "You are missing the required plug-in, please click the following link to upgrade your browser." as opposed to "You are missing the required plug-in. Please click the following link to install flash."

            Either way, it's one click, one download, and one install. People who are smart enough to install flash should also be smart enough to install a browser that supports HTML 5, even if they don't know what HTML 5 is or understand why their current browser can't support it.

            Conversely, just because IE 6 or 8 has x% of market, doesn't mean all of those machines need or require flash.

            Alternatively, other platforms that people are familiar with, like smart phones, consoles, tablets, are all HTML 5 compatible. If they get used to seeing HTML 5 features, like stopping a .gif, they'll get to a point where they need/severaly want that feature. That alone will drive them to update their desktop web browser.

            Very little is corporate now. Most have already upgraded or in the final stages of phasing out the XP boxen from the internet all together.

            The majority now are grandmas and Chinese with pirated copies with Windows Update disabled and IE 6 for the latter in Asia. Home users do not know any of this and are sitting ducks with no IT department to protect them.

            I really wish MS would give a friendly polite warning to let them know support is ending soon and you have a few weeks to upgrade before security updates

    • We're, at the very least, seventy three libraries of congress away.

    • How far away are we from gaining a critical mass of website who don't necessarily need flash anymore, with the arrival of HTML 5? How long before the scale tips?

      When most of the popular casual games are non-Flash.

      Even knowing all the evils and dangers of Flash, if I for some reason were forced to stop using most websites and had to chose only a few to continue using, this [flasharcade.com] would be on that list of what to keep (I'm a tower defense game addict).

      • The most popular casual games for iOS are not Flash (unless you count AIR). Nor are the most popular casual games for Android.
    • Didn't we already pass critical mass? I uninstalled Flash from my system over a year ago and don't run into Flash very often these days. If you're using a Flash blocker, you may have an inflated sense of how many sites still rely on Flash, since many of them will detect that you have Flash installed and will attempt to serve up a Flash version of the page (which your blocker will then block). In contrast, if you outright uninstall Flash, they'll serve up a Flash-free version of the page.

      At this point, the o

    • Slashdot has taken the obvious next step and adopted Flash as the new interface for beta.slashdot.org [slashdot.org]! Adobe, the Industry leader of web technologies, hailed Dice Holdings, Inc. on their commitment to innovation and is in works with Dice to create a premium Dice Toolbar [TM] to further enhance the two companies' browsing authority.

  • by gstoddart ( 321705 ) on Wednesday February 05, 2014 @10:13AM (#46162341) Homepage

    Adobe Flash has been a security hole for at least 10 years now.

    That people still use it (or install it) boggles the mind.

    I won't even install it on my machines.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      But iDevices couldn't view "the whole web" (though Android can't either now) because Apple wouldn't let this exploit vector on iOS. Seems Steve Jobs really was pretty smart to tell Adobe to fuck off with their bloated malware

      • by Anrego ( 830717 ) * on Wednesday February 05, 2014 @10:28AM (#46162495)

        Agree.

        I'm a long time apple hater, but when I read that letter regarding flash, I was nodding the whole time.

        Flash is a pile of junk, and if they are going to go all walled garden, flash seems a great thing to keep out of said garden.

      • Seems Steve Jobs really was pretty smart to tell Adobe to [expletive] off with their bloated malware

        Or, maybe he was just smarting from Adobe's prior treatment of Apple, as Walter Isaacson and others [businessinsider.com] have reported.

    • That's a convienent position to take but sometimes you don't have a choice. VMware, for example, requires flash for their web client while at the same time removing functionality from their thick client. I can either take a philosophical stand or I can do my job.
      • That's a convienent position to take but sometimes you don't have a choice.

        You know, I have yet to find more than a few places where I truly don't have a choice. And all of those are work-related and maybe only 2-3 times/year.

        For those, my work laptop with IE is what gets used. But there is little else that I discover which uses that. Certainly nothing I voluntarily use for my own purposes -- my current desktop is 5+ years old and has never had Flash on it.

        I've only used VMWare workstation, not the web c

        • By VMware client, I actually meant Vsphere. Part of my job is managing the several hundred virtual servers that run a state wide law enforcement agency. VMWare hasn't updated their thick client to support all of the features in ESXi 5.5. To access those features and have passthrough authentication, you have to use Flash, and a windows based browser. Perhap the position you've chosen to take works for you, but If your only experience with VMWare is workstation then you're hardly an authority.
          • Perhap the position you've chosen to take works for you, but If your only experience with VMWare is workstation then you're hardly an authority.

            LOL, oh god, I am most definitely not claiming to be an authority on VMWare (or anything else for that matter).

            I'm saying that for me, in my experience with the web, Flash is useless crap that I have no interest in. That I've successfully avoided using it for most of the last decade tells me that, for me, it's hardly indispensable.

            2-3 times a year something work re

          • by mlts ( 1038732 )

            VMWare apparently wants more people to start paying for vSphere, so the ESXi 5.5 client supports basic features, but not the new stuff. Want that, you have to do a web client install, which means having vSphere up and running (and licensed.)

            It would be nice if they dispensed with Flash as well.

          • by swb ( 14022 )

            It's kind of funny that VMware seems to be pushing for less dependence on Windows, yet I think you need flash in your browser even if you want to use the web client that's part of the linux-based appliance.

    • by robmv ( 855035 )

      Do you think your browser is secure? every Firefox and Chrome feature releases contain critical security fixes [mozilla.org] and I don't hear people giving them the same treatment Flash get. I am not a Flash fan, but It is not fair how browser vendors are not blamed too for their bugs with the same emotion people talk about other technologies. Every time a Slashdot post talk about a new browser release never mention the security bugs, only the nice things

      • Do you think your browser is secure?

        Hell no. Which is precisely why I have Noscript, disable 3rd party cookies, use a hosts file to block stuff, don't have Flash installed on my machine, use Ghostery and several other things to block as much crap as possible.

        I don't trust the interwebs at all -- which is precisely why I refuse to allow arbitrary code to be executed by any random web site I hit.

        Do I think that I'm 100% secure as a result of that? Nope. Do I think I've minimized the risk by disabling/unins

        • by mlts ( 1038732 )

          If I -have- to use Flash, I fire up a VM that has a normal (no admin access) user account and run it under a sandboxed Web browser. That way, if/when an exploit happens, it would have to be a very good one to get out of the sandbox and a full context as a user, get Administrator rights, then bash the hypervisor to get out of that.

          Not 100%, but it is easy to use, and when done, a closing of the VM rolls all changes back.

          • Totally agree.

            A have a Linux Mint VM which I use for such things, a completely unprivileged user and the user name is set to be fairly meaningless.

            I treat Flash like a pointy object which needs to be handled with care.

    • > I won't even install it on my machines.

      My sentiments exactly. One of the reasons I use Chrome: Don't have to install's Adobe's bloatware for Flash and/or PDFs. If a browser has security issues with plugins then you know there are bigger problems. :-)

    • Adobe Flash has been a security hole for at least 10 years now.

      I keep wondering how something on the limited scale of Flash could still have an ongoing stream of security issues after all these years. Is there something about its design that's just inherently unsecure?

  • by Billly Gates ( 198444 ) on Wednesday February 05, 2014 @10:20AM (#46162407) Journal

    + standard user account and stop using XP.

    Common sense folks.

    Using a modern IE and Chrome is also a great defense. Firefox has no lowrights mode and is therefore not fully sandboxed even under a standard user account. As much as I prefer firefox as of late I can tell you from experience that those whose email accounts get hacked almost always use that browser. Hairyfeet mentioned this too in his journal with yahoomail sending out spam when browsing porn. Lowrights mode only works in Windows Vista or later so dump XP too if you need to be extra safe with extra kernel level sandboxing, ASLR, and additional DEP.

    Chrome is nice in that its flash in Pepper has extra protection as well.
    I recommend flashblock. I can still watch videos on youtube. I just need to click on it.

    Adblock plus gets rid of questionable advertiser networks too that are known to be hacked by Russian mob folks so that ad video for toothpaste may have malware in a buffer overflow.

    I personally do not use noscript as this would kill the web. Without javascript it is not useful and a big fucking pain the in ass UAC style to enable for each site. Enabling it makes you vulnerable all over gain. But if you are willing to put up with it it does a lot too.

    Of course run an AV product. I know those with a smile say they are proud not to run it but I bet you $$$ 90% are infected and have banking trojans and God knows what else. Avast and Avira do not use hardly any cpu cycles or slow disk. The days of crappy Norton 360 slowing your system down to a 386 level are done mostly.

    • The method to block Flash in IE is a bit hidden so I'll explain it here. Open the Gear Menu, go to Safety submenu and tick ActiveX Filtering. To whitelist certain sites, use the blue icon in the address bar.
    • I personally do not use noscript as this would kill the web. Without javascript it is not useful and a big fucking pain the in ass UAC style to enable for each site.

      I take the opposite approach. Most websites do not need Java for what I am using them for. But I have no interest in multimedia, mostly just the text parts.

      For a very specific site for a specific task I'm willing to manually (temporarily) allow Javascript -- but my default position is not to allow it.

      For me, I find there's very few contexts w

      • And style and preference too.

        I find adblock and flashblock work extremely well. Modern browsers with lowrights mode sandbox the javascript fairly well and even IE 8 now supports XSS protection thankfully.

        I also use Norton DNS which filters out known bad domains. While my system is not 100% perfect it is pretty darn secure with Avast running as well.

    • Recommending any proprietary software to do any task is recommending a security hole. It's trivially easy for any proprietor to include code that spies on you, as computer programmers have long known and Edward Snowden has shown us again. No amount of experience running proprietary software will tell you what you need to know to fix its problems, share your fixes with others, hire others you have good reason to trust to fix problems on your behalf, or even allow someone you have good reason to trust to insp

    • by epine ( 68316 )

      I personally do not use noscript as this would kill the web. Without javascript it is not useful and a big fucking pain the in ass UAC style to enable for each site. Enabling it makes you vulnerable all over gain.

      No, it doesn't. It's the difference between a toddler who puts everything into his mouth, and an adult who only puts food from the A-list into her mouth.

      Granted, one can die from taking contaminated pill from a legitimate bottle of Tylenol. But generally one doesn't die from visiting name brand w

      • Man, and about those third-party gate crashers. Mind if I bring a friend? How about a friend of a friend? How about a friend of a friend of a friend of a friend? Don't worry, he won't do drugs [...] Does anyone who ever attended high school think this is a good security model?

        PGP fans seem to think so, and they call it the "web of trust".

    • standard user account

      User account control is pretty much useless in a single-user machine. It's a holdover from multi-user UNIX mainframes, where it perhaps worked, but we desperately need a good, convenient way to isolate individual programs and program instants run by the same user from each other. Maybe make every process run as a root of its own VM and only merge changes upstream when an upstream process requests it?

      • I know it is not cool to praise a Windows tidbit, but one interesting security benefit of Windows Vista and higher is it does tokens. Also lowrights mode as well with ACL. So in essence with UAC you send a token to wininet to run it on another account. With a standard account this is removed and you manually have to enter a password. This is useful for alot of XP and IE 6 related trojans that target users with a local admin account.

        Just switching to a standard account even in XP hugely cuts down malware if

  • Looks like it's already out for Ubuntu

    to check and see your version:

    http://www.adobe.com/software/... [adobe.com]

  • Not even sure it would help not knowing how this exploit works, but I've tended to disable all plugins from running on page load, rather on demand when I click. Similar to NoScript/FlashBlock addons. You can then whitelist the sites that you want to allow have flash on load. http://lifehacker.com/5685352/... [lifehacker.com] Wonder what percentage of exploits center around Flash / Acrobat. Thanks Adobe! If your not tricking me into installing unwanted toolbars your exposing my computer to malicious twats.
  • It seems like just a few months ago... http://tech.slashdot.org/story... [slashdot.org]
  • "They even updated the explicitly unsupported NPAPI GNU/Linux version. "

    Afraid of pissing off one of the GNU zealots?

    • If you're referring to the use of "GNU/Linux" rather than just "Linux", I would guess the use of "GNU/Linux" was intended to contrast desktop Linux [pineight.com], for which this fix was released, with Android, for which support had been terminated even earlier.
  • No software in common use today is mathematically proven to be correct; therefore, all software is buggy.

    The most likely place for bugs is in error handling code, because no matter how many tests you write it is impossible to simulate every possible error condition.

    We hope that everyone walking into a store doesn't steal something. Only a tiny minority do but a much larger number could get away with it.

    The same goes for software. Any halfway decent programmer can find bugs in error handlers. If he chooses t

    • Error Handling is one of the most annoying things to do in programming. Some people hate the whole exception handling mechanisms some languages have (be it for code elegance or performance), but I dread to think how to architecture system without those. Even with them it is still very annoying. I hope the next revolution in software engineering will probably be some more automatic way to handle errors, just like garbage collection was to memory handling.

      • Funny error handling and throwing an exception is the number 1 area used to 0wn Windows machines. The debugger will run the overflow at ring 0 everytime. It has been fixed for Windows 7 but IE 8 and XP you just need to crash IE to 0wn the system.

      • > I hope the next revolution in software engineering will probably be some more automatic way to handle errors, just like garbage collection was to memory handling.

        That would be extremely nice; In the past I would of argued TINSTAAFL but now that 4-core 2.x GHz is starting to get common switching away from the fundamental root problem of "von Neumann architecture" might be an option. However I don't see anyone switching to the Harvard Architecture anytime soon which means yet another 40+ years of buff

        • However I don't see anyone switching to the Harvard Architecture anytime soon

          Modern processors already run a "modified Harvard architecture" with separate instruction and data caches. A purist would not even allow code to be copied from storage into RAM. A strict W^X policy, such as that implemented in iOS, would ban any JIT engine. And besides, executing code from the stack or heap is old and busted; a newer practice is return-oriented programming [wikipedia.org], which uses the "return from subroutine" instruction as a threaded code interpreter. All code in a return-oriented program runs from exe

    • by Aaden42 ( 198257 )

      No software in common use today is mathematically proven to be correct; therefore, all software is buggy.

      Absence of proof is not proof of absence. Yes, very little code can be mathematically proven to be correct, but there’s still some room for either getting lucky, or having enough skill to recognize the portions of the code which are exposed to outside control and exercising extreme care & diligence in crafting that code to ensure that it can safely respond to every possible input.

      The entirety

  • Are the browsers providing sufficient sandboxing, or is the situation the same as its been for the last 10 years? Does this flash vulnerability require another vulnerability in the browser ecosystem that has already been blocked in current versions?

    • Is Flash -designed- to be impossible to sandbox? Cannot the browser vendors force adobe to bend and setup their plugin to be easier to sandbox? I don't understand why this is still a problem after all these years.

    • by Aaden42 ( 198257 )

      Flash is native executable code. It’s not encumbered by any sandboxing function in the browser. That’s by design.

      Browser plugins are intended to be allowed unfettered access to the system so that they can accomplish tasks not normally possible within a browser. The only sandbox provided by most browsers relates specifically to JavaScript, and as far as I can tell, this is unrelated to JavaScript at all.

      It’s possible that an OS level sandbox beyond the browser (like OS X AppSandbox, Linu

      • It’s possible that an OS level sandbox beyond the browser (like OS X AppSandbox, Linux AppArmor, SELinux, etc.) might be able to contain an exploit within Flash, limiting it to a user account or a directory; but that would take some careful crafting in terms of OS sandbox configuration.

        Then I guess exploits like these are the operating system publisher's fault for not exposing an API that lets a web browser program create and configure a suitable jail for its plug-ins.

  • Interesting. I just checked: the Flash bundled with my Chrome is the older version (but it's sandboxed to some extent). So then I opened up Firefox and checked the plugin version, and discovered it was already at the newest patched version. I don't recall any update, so I guess the Flash Player plugin updated itself in the background without me noticing, and actually managed to do that faster than Chrome did. Impressive!

  • It's pretty obvious that Flash has become one of those legacy products where there are only two guys in the entire company that know their way around the codebase. Both have developed chronic alcoholism from maintaining this disaster of a product for so long.

    We need an alternative to Flash. An open source alternative which can be forked and maintained by anyone for years and years to come. Something without royalties, patents trademarks and is free to use and modify by whoever wants to and can be implemente

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...