Adobe Patches One Flash Zero Day, Another Still Unfixed
Trailrunner7 writes: Adobe has released an emergency update for Flash to address a zero-day vulnerability that is being actively exploited. The company also is looking into reports of exploits for a separate Flash bug not fixed in the new release, which is being used in attacks by the Angler exploit kit. The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks. The patch for Flash comes just a day after Kafeine disclosed that some instances of the Angler exploit kit contained an exploit for a previously unknown vulnerability in the software. Adobe officials said Wednesday that they were investigating the reports. Kafeine initially saw Angler attacking the latest version of Flash in IE on Windows XP, Vista, 7 and 8, but said the exploit wasn't being used against Chrome or Firefox. On Thursday he said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1.
Is there a world record for the most insecure code (Score:4, Funny)
Adobe seems to be trying hard to get it.
Re: (Score:2)
Postfix? I thought postfix was pretty solid.
Re: Is there a world record for the most insecure (Score:2)
Java by far.
Oracle waited for a year to put in a patch for +100 exploits!! Yes you should be arrested for running that in your browser.
Why use Flash? (Score:1)
Seriously, it's not needed anymore. No one should use it or have it installed.
Re: (Score:2)
Anything else that uses Flash is better served with an app.
While that might be true, everything that uses flash hasn't been converted to an app just quite yet.
Re: (Score:2)
That would be ... a massive step backward. Computing like it's 1994.
Re: (Score:1)
That would be ... a massive step backward. Computing like it's 1994.
My 2013 MBP came without Flash Installed; and to be perfectly honest, while I have, on about one or two occasions, been tempted to install it, ultimately, there has been nothing so far that I MUST have to the point that I have pulled that trigger.
Unless you have a work-requirement to run some sort of Flash app; it just isn't worth the security risk anymore.
One thing that DOES frost me, though, is browsing to a site that works FINE without Flash on iOS (and I presume Android); but which simply REFUSES to
Re: (Score:2)
Unless you have a work-requirement
Or children. Everything from games to stuff for school seems to require flash.
it just isn't worth the security risk anymore.
It's still better, security wise, than installing an app for every little thing. That was really my whole point.
I'll agree with the AC here, we finally have an opportunity with HTML5 to abandon Flash. It'll take a while, but we can get there eventually. It's cool (on slashdot) to put down HTML5, but it's the best opportunity to ditch Flash that we've ever had.
Zero day (Score:3)
Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited and when software developers start to develop and publish a counter to that threat.
Zero-day vulnerabilities make hackers happy because the users don't know about it, and thus can't prevent exploitation. Once the vulnerability is made public, you can block access to that port, or disable the functionality, or avoid exploitation in other ways. It is no longer a zero-day vulnerability.
If the vuln was made public 5 days ago, then it's a five-day vuln. If the vuln was made public 10 days ago, then it's a ten-day vuln. Once it's patched, it's no longer a vulnerability. That is where the name 'zero-day' comes from.
Re: (Score:2)
Back in my day, "zero day" meant that an exploit was known at the time the exploitable version was released, and we liked it!
oh goodie.. (Score:5, Interesting)
Another chance to block the installation of McAfee Security Scan Plus. Will someone please rid me of this nuisance crapware?!?
Re:oh goodie.. (Score:5, Informative)
Bookmark this:
https://www.adobe.com/products/flashplayer/distribution3.html
Re: (Score:2)
http://www.adobe.com/products/... [adobe.com]
Fricking US-CERT (Score:2)
You know, I subscribed to US-CERT alerts to get notified about this kind of thing, but thank goodness I also browse Slashdot from time to time.
The US-CERT alert for this critical patch probably won't arrive for another couple days or so.
How about the flash integrated into chrome? (Score:2)
Can anyone tell us if that's vulnerable (& on what platforms)?
I don't have flash installed but I do have chrome (with its integrated flash) for those sites that just cannot keep up with the times. Yes, I use flashcontrol to autoexecute only whitelisted sites, but you never know...
Re: (Score:2)
Thanks but if I use a locked down browser for the few sites left, it's because I cannot avoid flash for some sites. Turning off flash isn't an option.
Re: (Score:2)
I use firefox for general browsing and paste the URL into Chrome for the remainder of sites that need flash (or choke Firefox's HTML5 video implementation)
Bottom line, Flash is still an attack vector but at least I know I'm consciously invoking it each time rather than relying on the vagaries of a blocker or click-to-play.
Re: (Score:2)
Yeah, but you're no safer than I am. I only surf with chrome to sites that I've white listed.
It'd be nice to know whether or not chrome's flash is vulnerable or not.
ClickToFlash for me, thanks. (Score:3)
There's some Flash content I still want to view. But I want to look at content, not fight to focus my attention away from screaming, flashing, pulsing, squirming ads on every side. If you want me to run your program, make it worth my while. Especially when the platform on which you want me to run it might let it infect my machine.
Static ads are still fine. I don't much care if you track me and focus them. I'll even click through them occasionally. But I won't let you run down my battery and my brain with animations. I don't care if your marketing macaques say they get more clicks. I've made my choice. I'll never see them.
Re: (Score:3)
I've used the flashblock plugin on firefox for a long damn time, but I'm finding it has stopped working properly on a lot of websites, including just recently youtube. I'm guessing this is due to some javascript shenanigans, but haven't had time to investigate.
Re: (Score:2, Informative)
It's due to a transparent overlay they added recently which prevents you from clicking the play button (https://www.mozdev.org/bugs/show_bug.cgi?id=25936).
Re: (Score:3)
Thank you for this. I had disabled Flashblock, and my web experience had gotten annoying. Hoping the Greasemonkey script in that bug report will let me re-enable it.
Re: (Score:2)
Adblock Plus... Install it, love it... no more crazy flashing ads.
...Install Ghostery because privacy... Install NoScript because many reasons... Realize Adblock Plus is now useless.... Deinstall it.
Re: (Score:3)
Adblock Plus... Install it, love it... no more crazy flashing ads.
...Install Ghostery because privacy... Install NoScript because many reasons... Realize Adblock Plus is now useless.... Deinstall it.
http://lifehacker.com/ad-block... [lifehacker.com]
Re: (Score:2)
What you say about NoScript isn't quite true. Yes, every other site needs to explicitly have their scripts allowed, or whitelisted, but that does not mean having to allow 3rd party scripts.
For instance, on this page on
Only the first two are required to make the site usable.
Re: (Score:2)
I'm beginning to think that all links to goat.cx are actually encrypted messages.
Have they fixed the memory leak yet? (Score:1)
Releases starting somewhere in the 11.3's and onwards are still consuming all available memory. Without THAT fix I'll stick with 11.2 and flashblock the items I don't want.