Slashdot Mirror


Adobe Flash Zero-Day Attack Underway

Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"
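The summary describes a mass SQL-injection campaign that appends a redirecting tag to stored page content on thousands of third-party sites. Below is an added example (not code from the story, the linked article, or Slashdot) of one way a site operator would look for that: scan the HTML fragments held in a content database for `<script>` or `<iframe>` tags whose `src` points at a host the site does not own. The sample rows, the hostnames and the allow-list of legitimate hosts are all constructed for illustration.

```javascript
// Added example: find stored HTML fragments carrying injected <script>/<iframe>
// tags that load content from hosts the site does not own. Mass SQL-injection
// campaigns typically append such a tag to text columns, so scanning those
// columns finds the affected rows. Rows, hosts and allow-list are constructed.
'use strict';

// Hosts this site legitimately loads scripts and frames from (assumption).
const ALLOWED_HOSTS = new Set(['www.example-shop.test', 'cdn.example-shop.test']);

// Match the src attribute of <script> and <iframe> tags, quoted or unquoted.
const TAG_SRC = /<(script|iframe)\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Resolve a src value against the site's own origin and return its hostname,
// or null if it is not a parseable URL.
function hostOf(src) {
  try {
    return new URL(src, 'https://www.example-shop.test/').hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Return one {tag, src, host} entry for every script/iframe whose host is not
// on the allow-list. Relative URLs resolve to the site itself and pass.
function findInjectedReferences(html) {
  const hits = [];
  for (const m of html.matchAll(TAG_SRC)) {
    const tag = m[1].toLowerCase();
    const src = m[2] ?? m[3] ?? m[4];
    const host = hostOf(src);
    if (host === null || !ALLOWED_HOSTS.has(host)) {
      hits.push({ tag, src, host });
    }
  }
  return hits;
}

// Scan a set of rows (e.g. dumped from a CMS text column) and keep only the
// rows that carry off-site references.
function scanRows(rows) {
  return rows
    .map((row) => ({ id: row.id, hits: findInjectedReferences(row.body) }))
    .filter((r) => r.hits.length > 0);
}

// Constructed sample rows: two clean, two with an appended injected tag.
const SAMPLE_ROWS = [
  { id: 1, body: '<p>Welcome</p><script src="/js/app.js"></script>' },
  { id: 2, body: '<p>Specials</p><script src="https://cdn.example-shop.test/ui.js"></script>' },
  { id: 3, body: '<p>Contact us</p><script src=http://bad.example/x.js></script>' },
  { id: 4, body: "<p>FAQ</p><iframe src='https://bad.example/frame.html' width=0 height=0></iframe>" },
];

const REPORT = scanRows(SAMPLE_ROWS);
for (const r of REPORT) {
  console.log(`row ${r.id}:`, r.hits);
}
```

Two things to keep in mind when using a scan like this: the regex only sees tags that are literally present in the stored text, so a payload that is built at runtime (for example by a script already on the page) will not be caught by it, and an allow-list that is too broad (a whole CDN provider rather than the site's own account hostname) will let an attacker who rents space on the same CDN through.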

246 comments

  1. And people by Anonymous Coward · · Score: 5, Insightful

    And people wonder why I use noscript and flashblock. When untrusted ads in flash are being served on big "trusted" websites people are eventually going to get bit.

    1. Re:And people by mrbluze · · Score: 5, Insightful

      > And people wonder why I use noscript and flashblock

      I imagine those using the malware are not hoping that sensible people such as yourself get infected at all, but the PC's belonging to the members of the unwashed e-masses who wouldn't have the foggiest what anyone's talking about. Their computers are much better because the life of your exploit is likely to be long and chances of anyone chasing and finding you are slim.
      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    2. Re:And people by Anonymous Coward · · Score: 5, Insightful

      Protip: Noscript will not save you.

      I am not saying it wouldn't HELP both in usability of websites and security. I use it myself, too.

      I am, however, saying that it keeps you a lot less secure than many (not specifically the person I'm responding to) seem to think.

      I have used NoScript for half a year or so (Well, a bit longer I think but half a year on this OS install, this whitelist, etc.)

      What does this mean? I have several hundreds of, possibly thousands of, whitelisted websites. I play a lot of small flash games to kill time so I have addictinggames, miniclips, arcade and a dozen other flash game sites whitelisted.

      "I know the webmaster of arcade.fi personally, a good guy, I can keep his website whitelisted, right?" Well... I also know he buys most of the games from freelance coders in india. Quite cheaply. How can I be certain that one day in one of these programs won't be a zero day exploit? I can't. So a trusted website that has always been trusted might still not be trustworthy.

      Same with many other sites. I (and I know many others of you) have also many pornsites whitelisted, how do I know one of those trusted websites with a lot of traffic won't one day have been hacked to have some exploitation code? I don't.

      NoScript won't protect me against any sites that I visit often, really.

    3. Re:And people by Anonymous Coward · · Score: 1, Informative

      NoScript is like a condom. It will only protect you if you use it properly. If you know one of your lovers is sleeping around with hundreds of others, perhaps it is time to see someone else. Otherwise you're going to get the HIV^Wmalware.

    4. Re:And people by stzein · · Score: 1

      NoScript blocks Flash too, no need for flashblock. I do recommend NoScript to everyone I know, but most people just don't care.

    5. Re:And people by zwei2stein · · Score: 2, Interesting

      Well, using ad-blockers like this is considered to be taboo behavior in most of forum communities.

      I have seen it quite few times, someone had problem with noisy ads, someone else suggests adblock, site admin appears, has long sad speech how adblockers are worst thing ever and bans person suggesting use of adblock and tells person which has problem with ads to deal with it or move on.

      There is some pressure NOT to use such tools. And nice people do listen.

      --
      Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
    6. Re:And people by Daengbo · · Score: 5, Informative

      That's why you should be using Gnash. Monoculture (all Flash being played by Adobe Flash player) is a bad thing when an infection occurs.

    7. Re:And people by mrbluze · · Score: 1

      > That's why you should be using Gnash

      I tried it once and didn't like it at the time, but I might try again. I remember someone referring to it as "all it really does is let me watch banner ads". Does it work properly yet?

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    8. Re:And people by Opportunist · · Score: 5, Insightful

      That's pretty much it.

      It's nice for you that you don't get infected. But you don't count (not trying to be belittling you, nobody counts). What counts is numbers. And for one person who knows what he's doing when clicking a link, there's thousands who don't know the difference between browser, flash and the OS.

      And these people are a problem. They become spam relays, increasing traffic (and making spamfilters a necessity). They get ripped off by password stealing trojans, making the services they use more expensive for everyone in turn (because neither banks, nor amazon, nor ebay simply swallow the loss, they just have everyone pay a few cents more).

      And no, I have no solution for the problem. Unfortunately I'm not in the position to dictate who may use the net and who may not. Actually, the ones that do have the legal muscle to dictate it want those "unwashed masses" rather than people who know how to use their computers. The former group tends to buy. The latter tends to know how to do it themselves.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:And people by Anonymous Coward · · Score: 2, Informative

      That's what temporary permissions are for. I have a very small, very select list of whitelisted sites, and everything else is temporary as needed. Plus, I have all flash objects blocked until I allow them. Period. Even trusted sites get this restriction -- I don't like my browser autostarting some annoying flash clip just because the site author thought it would be cute to include their "pet spider" on their website.

    10. Re:And people by Opportunist · · Score: 3, Insightful

      Well, ads are a necessity for many pages. Someone has to pay for it. So of course they don't enjoy adblockers.

      On the other hand, invasive and outright obnoxious ads tend to kill the experience, so people start looking for ways to get rid of them.

      As usual, the best way is something both sides can "live" with. Take /. Yes, the page has ads. Yes, I see them (sometimes I even click on some). They don't bother me. They are topical. Often even interesting. So I don't block them. And I'm fairly sure nobody here took /. as the reason to start hunting for an adblocker.

      It's pages that run full page in-your-face ads that make their users turn to adblockers. And those ads will be blocked. Some pages turned to tools that ensured that, if you block their ads, you don't get to see their content. Which in turn often backfired and kept people who didn't block the ads but just happened to have some sort of freaky setup to be locked out as well.

      Hmm... honestly, I didn't want to turn this into a tirade about DRM.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:And people by Anonymous Coward · · Score: 2, Insightful

      > and tells person which has problem with ads to deal with it or move on.

      To which the correct response is "screw you, your crappy ad-riddled forum and the horse you rode in on".

      These asshats just don't get it. If I have configured MY browser not to obey every link on your shitty page, that is none of your business.
    12. Re:And people by Anonymous Coward · · Score: 1, Insightful

      Yes, but if you use both you can run JavaScript on a site and still not get the Flash crap from the same site. It's a little easier for me than to run noscript alone.

      Adding adblock into the mix is good too.

    13. Re:And people by NoobixCube · · Score: 1, Insightful

      Last time I used it, about two months ago, it didn't show a Youtube video properly. Since that's pretty important to a lot of Flash users, I wouldn't say it's ready yet.

      --
      Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    14. Re:And people by NoobixCube · · Score: 4, Funny

      An example of the knowledge of the masses: When I commented to my mother that I spent the day watching flash cartoons, she thought I meant animated porn.

      --
      Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    15. Re:And people by Anonymous Coward · · Score: 5, Informative

      It plays them now

    16. Re:And people by Spad · · Score: 5, Funny

      Lucky guess?

    17. Re:And people by Opportunist · · Score: 2, Funny

      Umm... there are other cartoons on the net?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    18. Re:And people by obi · · Score: 4, Insightful

      It's not as if there never have been any exploits for the JPG or PNG decoders in common browsers. Will you now browse the web with images blocked too?

    19. Re:And people by Anonymous Coward · · Score: 3, Informative

      i find swfdec to be better with youtube atm

    20. Re:And people by Anonymous Coward · · Score: 3, Insightful

      > And these people are a problem.

      Only in the sense that people who get the flu are a problem. The real troublemaker here is a tiny program called Flash which needs updates every few weeks to fix yet another vulnerability. The quality of that program is atrocious, especially considering its market penetration and the size of the company which spawned it. Pointing fingers at people who do not make system maintenance their mission does exactly nothing to solve the problem. The only people who can solve it are the people who write bad software, and with very few exceptions that's all software today.
    21. Re:And people by pizzach · · Score: 4, Interesting

      Even if the current version in your distribution's repositories is not able to play YouTube videos, the cvs version at least can. I remember reading somewhere that getting and keeping YouTube movies playable was a top priority.

      --
      Once you start despising the jerks, you become one.
    22. Re:And people by Anonymous Coward · · Score: 0

      If it worked at all.
      I use swfdec to open youtube videos and download them before it crashes itself and firefox. It doesn't even play anything until you ask it to, so it is more secure than Adobe plug-ins even if less stable.
      Gnash is yet to display anything right. And what's wrong with you GNU zealots that force us to have no flash in the Windowses we are forced to use. Not that it is a big loss. I wish all those "creative" web designers went to hell and we went back to plain HTML. Something you could(and still can) display with 1k now takes up half a Meg.
      Shame on you Web 2.0!

    23. Re:And people by Anonymous Coward · · Score: 0

      Or you can just not install flash.
      Slightly more obvious solution.

    24. Re:And people by NoobixCube · · Score: 5, Funny

      That's completely beside the point :P

      --
      Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    25. Re:And people by NoobixCube · · Score: 0, Redundant

      I didn't know the CVS version worked properly. I might have to look into that.

      --
      Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    26. Re:And people by lgw · · Score: 1

      The sure way to block flash: just uninstall it! http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14157

      Do I need flash for anything but watching Youtube these days? C'mon Google, you guys are supposed to be the masters of all web technology, won't you please change Youtube to use some more secure technology so I can abandon Flash entirely?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    27. Re:And people by David+Gerard · · Score: 1

      It doesn't play Weebl and Bob videos properly yet, so I can't put it into place until it does or my kid's too old for Weebl and Bob (probably around sixty).

      --
      http://rocknerd.co.uk
    28. Re:And people by Anonymous Coward · · Score: 0

      I'm running a 64-bit fork of Ubuntu Hardy called Ultimate Linux.

      http://ultimateedition.info/Ultimate_Edition_1.8/

      Adobe's flash player doesn't work 64-bit, and as far as I know it doesn't even work 32-bit with pulse audio ... which Hardy uses.

      So I'm running firefox 3.0 beta 5 and gnash 0.8.2.

      http://www.gnu.org/software/gnash/

      As it says on the gnash website:
      "Streaming Video
              Gnash supports the viewing of streaming video from popular video sharing sites like Lulu.tv or YouTube.com."

      Perfectly correct. On Ultimate Edition 1.8 Linux, gnash supports Youtube videos. Even with Firefox, even with Pulse Audio, and even with a 64-bit OS. ... Probably about the only thing it doesn't support is this 0-day vulnerability ...

    29. Re:And people by Anonymous Coward · · Score: 0

      Protip: don't play flashgames on the internet.

      It's basically the dancing pigs problem.
      Using NoScript, but disabling it to use those funny sites is the same as having a dual-boot machine and using Linux for work, but when you play games or browse the internet using Windows which shares the same drives.
      You can still get infected by a windows virus, run the risk of having critical data stolen or having files corrupted.

      Just don't play those webgames, or run them in a sandbox (a VM that you scrub every time).

    30. Re:And people by Anonymous Coward · · Score: 1, Insightful

      >life of your exploit is likely to be long...

      Made all the more so due to a lack of an automated update mechanism for adobe flash

    31. Re:And people by grm_wnr · · Score: 2, Interesting

      There is no alternative to Flash. Flash would likely be marginalized by now if FLV hadn't come along; it saved Flash's ass and, to Adobe's credit, made ubiquitous video on the web a reality. Seriously, remember the olden days? Quicktime and WMV, of which the former works fine on Mac OS but is an abomination of a plugin on Windows (easily worse than Flash), and the latter being what you went with if you wanted shit to work for at least the majority of people, even though it was horrible and, philosophically speaking, just plain WRONG? Or use Java, with its massive startup time and memory footprint, to play the pretty laughable (right now) Theora codec? Flash is (relatively) fast, crossplatform, and EVERYWHERE, so it's the smallest of a whole lot of evils. Unless you want Google to include a video layer in their toolbar, and therefore be forced to install it, your best bet is to bother Adobe to make Flash more secure.

    32. Re:And people by SanityInAnarchy · · Score: 1

      Offtopic, but it looks like Savannah gives them a choice of CVS or Git. And they chose CVS??

      --
      Don't thank God, thank a doctor!
    33. Re:And people by edmicman · · Score: 1

      Like Quicktime! Or Windows Media!

    34. Re:And people by Anonymous Coward · · Score: 0

      Yeah, Gnash 0.8.2 comes with Hardy Heron as well, and seems to handle Youtube just fine.

    35. Re:And people by SanityInAnarchy · · Score: 1

      And that is what text ads are for.

      If a site is going to insist on me watching Flash ads, I'm not going to use that site. End of story.

      --
      Don't thank God, thank a doctor!
    36. Re:And people by Rojo^ · · Score: 3, Funny

      Now that you mention it, Strongbad is topless far too often....

      --
      <:
    37. Re:And people by gmdiesel · · Score: 1

      > Monoculture ... is a bad thing when an infection occurs.

      Do we think people will wake up to a vulnerability in using ubiquitous Flash (which many probably haven't heard of or couldn't tell you what it does), while little or no concerns exist about Microsoft Windows, Microsoft Internet Exploder, Microsoft Outlook, Microsoft Office....?
      --
      A cynic is a man who, when he smells flowers, looks around for a coffin. -H. L. Mencken
    38. Re:And people by Monx · · Score: 1

      NoScript lets you do that. Just tell it to block embeds from all sites (including trusted ones). Then you can enable JavaScript and Flash individually as needed. There's no need for flashblock if you have NoScript properly configured.

    39. Re:And people by CaptnMArk · · Score: 4, Insightful

      My guess, CVS was available sooner.

      Also, for a developer who only does update/work/diff/commit, CVS (and SVN) is easier
      to use than git.

    40. Re:And people by Anonymous Coward · · Score: 0

      Which perfectly demonstrates the parent's point. I had no idea what Gnash is and I consider myself pretty heavy in the IT world.

      So... let me fix your comment...

      That's why you (read I) should be PREACHING using Gnash.

    41. Re:And people by SanityInAnarchy · · Score: 1

      SVN might be easier. I'm not sure CVS is, especially the second you have to do anything more than those four operations.

      --
      Don't thank God, thank a doctor!
    42. Re:And people by Anonymous Coward · · Score: 0

      It seems you're way too trusting. I have less than 20 sites I "trust". You're trusting way too many sites. Thus you're not using it properly. It's not NoScript's fault if you decided to trust everyone's site! Just like it's not their fault if you choose to send money to some friendly Nigerians. ;)

    43. Re:And people by Anonymous Coward · · Score: 0

      > the PC's belonging to the members of the unwashed e-masses

      I find it interesting that you refer to the non-computer geeks as the unwashed members of society =)
    44. Re:And people by Culture20 · · Score: 1

      It doesn't even do that. With gnash, I can't visit slashdot without routinely typing "killall gtk-gnash" into a root terminal. gnash isn't ready for any level of usage.

    45. Re:And people by aliquis · · Score: 4, Interesting

      If only that video-in-webpages standard was implemented (it is in Safari now) and used, it would be so sweet to just remove that flashcrap altogether. Too bad for webpages made only in flash but well, those suck anyway =P

    46. Re:And people by Anonymous Coward · · Score: 2, Funny

      $git init
      $git commit -a -m "That was easy."

    47. Re:And people by pizzach · · Score: 2, Informative

      I just installed the newest CVS 20 minutes ago. YouTube definitely still plays. Be warned though that it currently uses a crapload of CPU, and there can be a video lag while gnash loads things. Afterwards it's fine though.

      --
      Once you start despising the jerks, you become one.
    48. Re:And people by aliquis · · Score: 1

      Your analogy fails. With or without condom I'm still well protected, and I don't have to use it.

      If your analogy was correct NoScript would be something I have/use even though I'd never stumble upon any scripts.

    49. Re:And people by Anonymous Coward · · Score: 0, Insightful

      The real troublemakers are the scumbags that exploit security flaws in software.

    50. Re:And people by Opportunist · · Score: 3, Insightful

      That's because software, like all products, follows the unholy trinity of speed, quality and price. You can get two optimized, but never all three.

      If it's good and cheap, it takes forever to do it.
      If it's good and quickly done, it won't be cheap.
      If it's cheap and quickly patched together, it will be anything but good.

      Now, look at the market of today and tell me which strategy allows you to sell your product.

      It's not just software, this system works in every area. And the only thing that keeps it in check, unfortunately, is safety regulations and liability. Else we'd have gas lines that blow up every now and then and cars that make it a matter of luck whether they break when you hit the metal.

      The current hype is price. How many products do you know that sell through quality? The selling point is how CHEAP it is and how much you SAVE when you buy it.

      The same works for software. Yes, you could create a rock solid, absolutely stable system. Software follows the same rules as above. It can be cheap and solid, but it will take ... 17 years I think so far to make it. For reference, see Linux.

      But I can't find an example for solid and quick. I guess the company that tried it went bankrupt before they were done...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    51. Re:And people by Junior+J.+Junior+III · · Score: 1

      This is why I've long thought that the NoScript plug-in's method of whitelisting is fundamentally broken. Rather than whitelisting by domain, giving blanket trust to an entire domain, what should be done is give trust on a per-script basis, with a hash of the scripts that you've whitelisted stored as part of your mozilla user profile, and only those scripts which match the hashes of scripts that you've permanently whitelisted allowed to run without your explicit approval.

      This should be a lot safer than applying trust to an entire domain. If the domain is compromised or co-opted or turns to the dark side tomorrow, you're still only running the code that you've authorized, not granted permission to a site to run whatever code it wants.

      The last big missing feature in NoScript is a feature that gives you an abstract of what each script you are considering to allow to run in your web browser actually *does*, along with what level of access it is requesting to be granted. If I could hover over a NoScript-blocked object in a web page, and it said:

      Title: xxxx;
      Descr: This script plays a short movie in the web browser window, along with an advertisement. If you are logged in to this site, your user name goes on a list which we use for our advertisers demographics statistics. No personally identifying information will be gathered or used.
      Local resources requested: read/write access to your browser's cache directory.

      I'd feel a lot better informed about allowing or blocking scripts in my web browser.
      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    52. Re:And people by Daengbo · · Score: 1

      I agree with the "too bad" part, but the fact is that Flash isn't used only to deliver the video. That same frame shows related videos and even sponsored content on some sites. Right now, that's a big part of the business. I don't see Flash players going away anytime soon.

    53. Re:And people by Yvan256 · · Score: 1

      And this is why I disable Java and plug-ins. If a website can't be used without Flash* and Java, it means it's coded like crap. And if the code is crap, the content is probably crap too.

      * except video-based websites like YouTube, though I'm hoping they'll offer an "HTML5 Media"-based version soon enough for non-defective browsers.

    54. Re:And people by Anonymous Coward · · Score: 0

      > If a site is going to insist on me watching Flash ads, I'm not going to use that site. End of story.

      ... says the guy posting on a site with flash ads on practically every single page.

      Just sayin'

    55. Re:And people by TheGratefulNet · · Score: 4, Insightful

      > Well, using ad-blockers like this is considered to be taboo behavior in most of forum communities.

      I'm quite active in a lot of forums and while some webmeisters might bitch about it, they have every right to write piss poor web code (including intrusive banners) and I have every right NOT to see such crap when I browse.

      do you believe it when TV shows make you feel like you are 'stealing' if you don't watch the ads between the show segments?

      how is blocking ads any diff?

      why would you just 'give in' to some stupid webmaster? he has his views but its not the full story. and if he goes away due to 'lack of profit motive' another (maybe better) will come along. dime a dozen.

      I don't 'protect' webmasters. they are not any better than users and don't deserve any more consideration than they give users (which tends to be on the low end of the respect stick).

      --
      "It is now safe to switch off your computer."
    56. Re:And people by fishdan · · Score: 2, Interesting

      The difference of course is that the image file itself is benign -- the decoders were flawed. Whereas the Flash decoder is adware BY DESIGN.

      The creators of Flash, Adobe/Macromedia, deliberately resist allowing user control of Flash. Why must I go to a 3rd party to selectively block Flash? Why can't I control Flash in my browser to a very simple extent such as "Flash cannot play sound without asking permission." Why does Adobe make Flash an "all or nothing" experience? The answer was given to me straight up by Flash evangelist: "If you could control your experience, it would not be a good advertising platform." As floored as I was by that statement, I realized that is Flash's great selling point for many people -- here is an ad that is unavoidable and will generate a lot of attention.

      I block flash with noscript, and I refuse to buy from a site that requires Flash. I certainly enjoy Flash games at home, but at work I've blocked flash at the firewall level for YEARS now. And I've never had one legitimate complaint of "I need flash to do this" that was work related.

      --
      Nothing great was ever achieved without enthusiasm
    57. Re:And people by Anonymous Coward · · Score: 0

      The *day*, dude?

    58. Re:And people by strabes · · Score: 1

      On ubuntu hardy I've had nothing but problems with flashplugin-nonfree (unstable with pulseaudio, no sound with alsa, etc). I removed that package and installed mozilla-plugin-gnash and have zero problems now.

      --
      Its = possessive. It's = "it is"
    59. Re:And people by Ruben+Gonzales · · Score: 1

      Educated guess?

    60. Re:And people by Anonymous Coward · · Score: 0

      So don't whitelist any sites. Grant temporary permissions only. This lets you make an individual choice, each and every time.

      Is it a hassle? Sure. But it's LESS of a hassle than getting hacked.

      Just a tip.

    61. Re:And people by SanityInAnarchy · · Score: 1

      It doesn't insist, though. No one will ban me for blocking them, either technologically or via threatening posts.

      --
      Don't thank God, thank a doctor!
    62. Re:And people by Anonymous Coward · · Score: 0

      > how is blocking ads any diff?

      Mentally blocking them isn't.

      Blocking them and reducing their ad view count is.
    63. Re:And people by obi · · Score: 2, Insightful

      Well, what are we talking about here - about security issues, or about its use for advertisement?

      If you're talking about 0-day exploits, my point still stands: any decoder can potentially have exploits, and the only solution is to either keep your software (whether it's an image library or a flash plugin) up to date, or to simply stop using it (browse with no images, no flash).

      If your problem with Flash is that it's a pain for users, you can argue the same way about a lot of other things. For instance, I haven't seen functionality by default to "selectively" stop animated gifs, even though their only use these days is ads.

      Personally, from a technical standpoint I find flash pretty nice. While there's a lot of people using Flash to make another silly "skip intro"-site, I've seen others making good use of Flash's capabilities to actually make a better user interface. You can try to do similar things with html, css and "ajax", but the results I've seen out there are often very messy (but again, sometimes it really works well).

      In both cases, the technologies are just tools. Blame the people who bombard people with advertisement, or make crappy websites. Not the tools that are (ab)used.

      My only qualm with Flash was that until recently it wasn't open at all, and I don't trust Adobe. With the specs now being fully open, and two independent open-source Flash runtime implementations, that issue has been solved too.

    64. Re:And people by Anonymous Coward · · Score: 0

      Protip: If you have several hundred sites in your NoScript whitelist, you're not using it correctly.

      Visiting zillions of dumb sites (especially Flash-intensive sites) and indiscriminately whitelisting them all defeats the entire purpose of NoScript. That would be like running a firewall that asked "Someone you don't know is trying to connect on port 3l337; allow?" and answering "yes" every time. Just turn the damn thing off if that's how you're going to use it. You've just explained the reason why (e.g. arcade.fi), yet you still do it? That's your choice then.

      I visit porn sites but I never, ever, whitelist them. There are *plenty* of sites that work correctly without needing to be whitelisted. Almost any site that refuses to serve content or be navigable without running code on my computer I automatically presume to be malicious, and doubly so if it's a porn, Flash, or other site of dubious character.

      Protip #2: Saying "protip" makes you sound very arrogant, smug, and condescending.

    65. Re:And people by STrinity · · Score: 1

      NoScript and FlashBlock aren't adblockers. Running them is no different from browsing the web with JavaScript disabled and Flash not installed, except you can selectively enable them. What's the admin going to do, declare that blind users browsing in Lynx aren't allowed to use his site?

      --
      Les Miserables Volume 1 now up with my reading of
    66. Re:And people by Anonymous Coward · · Score: 0

      I turn off third-party images. It doesn't seriously impair most sites; it turns off almost all images I don't want while leaving on almost all that I do want, and makes for a much more serene browsing experience. From a security standpoint it's not bulletproof, but it's a big help, and it prevents cross-site request forgeries too.

      In Firefox, set permissions.default.image to 3 (in about:config).

      Some legitimate sites (e.g. NetFlix, Ebay, and Yahoo) serve useful images from special image servers, presumably as a load-management technique. You can whitelist these as you discover them.

    67. Re:And people by Anonymous Coward · · Score: 0

      > Take /. Yes, the page has ads.

      It does?

    68. Re:And people by Anonymous Coward · · Score: 0

      Plays them yes, but poorly, resolution-wise. Youtube videos are of poor enough quality as it is...

      And both gnash and swfdec have way too many problems in general for them to be used by anyone who doesn't do it because of their beliefs.

      Don't get me wrong, it's awesome that you do, and the only way to get to the real free player which I want, but it is just not there and when you lie about it, you are hindering adoption!

      Tell it like it is, honestly, and let people make an informed decision instead of being disappointed and never trying it again.

    69. Re:And people by Hoi+Polloi · · Score: 1

      Bingo. You are not alone in this world and you can do everything right with your pc and still suffer from the problems caused by others who are less knowledgeable and not careful. Their machines will pump out the spam and their web servers will be compromised. It is just like being an extra careful and considerate driver keeping an eye on your own driving. It still won't protect you 100% from the distracted, reckless and careless drivers in this world.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    70. Re:And people by Actually,+I+do+RTFA · · Score: 1

      how is blocking ads any diff?

      TV makes money by broadcasting the ads, websites when you download the image (or clickthru, I forgot which). But basically, it hurts the website when you block their ads. This state is also becoming true for TV. The advent of TiVo has led to people skipping commercials, and I don't doubt that in the not-too-distant future (some claim, in the not-too-distant past) programs that appeal to an intelligent audience will be able to charge less for their ads than with the same-sized, dumber, audience. This will result in the cancellation of good shows in favor of crap.

      --
      Your ad here. Ask me how!
    71. Re:And people by icydog · · Score: 1

      For instance, I haven't seen functionality by default to "selectively" stop animated gifs, even though their only use these days is ads.

      Not true.
    72. Re:And people by DrYak · · Score: 1

      With gnash, I can't visit slashdot without routinely typing "killall gtk-gnash" into a root terminal. That's due to the crazy amount of ads, especially since /. started inserting ad banners whenever you expand a thread in their Web 2.0 interface. With the official flash plugin you would be complaining of memory leaks (the 200 instances of flash ads are all run inside Firefox's process) or about firefox crawling to death.

      You can either:
      - "set startstopped on" in ~/.gnashrc so it doesn't start playing all the ads automatically
      - Install AdBlock+ (removes the ads, Slashdot suddenly has a normal amount of flash)
      - Install NoScript (you must click to enable flash)
      --
      "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    73. Re:And people by homer_ca · · Score: 1

      There's an alternative but less convenient than streaming. There's plenty of free Youtube downloader utilities. Download the FLV file and play it in Media Player Classic or VLC. Of course, if there's a vulnerability in MPC's or VLC's FLV decoder...

    74. Re:And people by Anonymous Coward · · Score: 0

      There are flash ads on /.?

    75. Re:And people by grm_wnr · · Score: 1

      You think that's an alternative? That's like saying bash is an alternative to KDE. It's just that this "download video to look at it" was getting pretty annoying ten years ago; I guess some people consider inline images decadent as well. I personally consider that attitude the geek equivalent of "640k should be enough for anybody".

    76. Re:And people by Anonymous Coward · · Score: 0

      Better switch to a text-only browser from now on.

    77. Re:And people by crimsun · · Score: 1

      To be precise, the "Flash doesn't work with PulseAudio in hardy" symptom is due to three components (already addressed in intrepid):

      1) broken Flash plugin retrieved by flashplugin-nonfree;
      2) missing libflashsupport dependency (to fix symptom: FF instability, bug 192888) in flashplugin-nonfree;
      3) outdated libasound2 and libasound2-plugins.

      Intrepid addressed all three by:

      1) pulling in the Flash 10 beta via flashplugin-nonfree;
      2) (re)adding flashplugin-nonfree's versioned dependency on libflashsupport|libasound2-plugins;
      3) updating to alsa-lib and alsa-plugins 1.0.16.

      Thus, it's not so much that Flash doesn't work on 32-bit with PulseAudio in hardy. It's that the "less-PA-broken" Flash 10 beta wasn't released until 15 May, long after hardy was made available.

      (Yes, I'm partially responsible for the horrible Flash/PulseAudio interaction in hardy. We've resolved the symptoms in intrepid by going with an asoundrc configured to use PulseAudio, though the user currently needs to issue one command from the terminal. Hopefully we can obsolete libflashsupport entirely and just use patched alsa-plugins. We'll get these pieces into hardy-updates and hardy-backports after sufficient testing.)

    78. Re:And people by TheGratefulNet · · Score: 1

      the essence, as I see it, is economic self-convergence. (I just made that term up, btw).

      things settle. eventually. free-market economics is another term for it, I think.

      it's the excuse WE get (as engineers and 'paid thinkers') for why we are losing our jobs to outsourcing. free market. let the market decide.

      so why am I 'compelled' to click thru or even allow ads on my system? am I to surrender and let ALL content thru? at what point do I have any choice in what hits my eyeballs?

      the compulsory 'you must watch' feature on dvds - you like that, too, I suppose? I couldn't believe it when I bought my first dvd player and this 'NO!' screen came up when I tried to FF past the 'fbi warning'. the nerve of The Industry(tm) to force manufacturers (mafia tactics, essentially) to comply with the PUO (the real name for this, 'prohibited user operations') rules.

      are you proposing consumers just sit back and act like alex in clockwork orange; with our eyes pinned open for whatever some sponsor (or later, The State) wants to force on us?

      freedom means I can say 'NO!' too. I say NO all the time to ads and flash and javascript. I find NOTHING morally wrong with this.

      much of life is an arms race, of sorts. you learn that the longer you live. advertisers raise the bar and we raise it back. much of life is like this, in fact.

      --
      "It is now safe to switch off your computer."
    79. Re:And people by homer_ca · · Score: 1

      Hey, I said it was less convenient. Still, sometimes you want to save the file for later or to put on your smartphone/PDA.

    80. Re:And people by Anonymous Coward · · Score: 0

      I'm happy to accept advertisements that are simple and don't bog down the download or browser-rendering process.

      Flash is hardly a necessity. And if advertisers are smart they will make sure there is a way to gracefully degrade the type of advertisement delivery depending upon the browser capabilities. This broadens their audience whether the reason for the lesser browser capability is due to ancient technology or due to disabling features. No javascript, no flash? Is it really THAT difficult to deliver an ordinary image of the ad instead?

    81. Re:And people by radish · · Score: 1

      No, you shouldn't be forced to do anything, of course. The free market will decide. However, part of the free market process isn't just punishing things you don't like by not buying them, it's also rewarding things you do like by supporting them. Hence, whilst I do run adblock, I disable it for sites I particularly like and wish to support. Why? Because I want that site to stay around, simple really. A value judgement - am I willing to put up with some ads in exchange for this content.

      --
      ---- One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"

    82. Re:And people by aliquis · · Score: 1

      I was thinking about youtube exclusively, true that things like gaming review sites and such add flashads before the actual videos. Though nothing stops them from doing that in a regular video file either.

    83. Re:And people by lgw · · Score: 1

      Why would I need to see any kind of animation in my browser in the first place? If I want to watch a movie, show me an mp4 or some such (there has to be some worthwhile movie format that's open and not patent encumbered). Flash seems to serve no useful purpose.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    84. Re:And people by zzottt · · Score: 1

      Thanks for this news, I have switched over and it's working great!

    85. Re:And people by Anonymous Coward · · Score: 0

      I'm not quite sure that flashblock would protect you - I have seen many times during opening pages that the flash banners start showing animations before they get "flashblocked". It's a very short time (half a second), but enough to run an swf exploit.

    86. Re:And people by sponga · · Score: 1

      ughhh comparison?

      Well if the T.V. ads were posted between two characters in a show talking to each other 'while the show was live', then you have a valid point.
      In fact I seem to remember during the show '24' on Fox they would briefly flash ads at the bottom of the screen.

      I dunno, bust out the post it notes and start putting them over the T.V. screen on the ads while the show is going.
      Most annoying flash ever is the one where you highlight over some text and it brings up a box that does not go away for a little while, annoying.
      I guess it comes down to priorities in life and avoiding ads is not one of my priorities that causes me mental stress issues, I just turn it off and go on with my life. Solution....

    87. Re:And people by Actually,+I+do+RTFA · · Score: 1

      freedom means I can say 'NO!' too. I say NO all the time to ads and flash and javascript. I find NOTHING morally wrong with this.

      Well, it fails the categorical imperative, as you benefit from the advertising revenue. So Kantians would say that it was morally wrong. Rawls would probably claim that subjecting you to ads helped the less fortunate, so he would also say it was morally wrong. Utilitarians would claim it was wrong because obviously the ads cost less than the TV is worth, yet it collapses without them.

      Why would you not see anything wrong with it? It's not as though you are boycotting the channel/site. You're just depriving them of revenue. Just because they didn't expressly make you sign a contract? And you complain when they try to force you to watch (extrapolated from the "arms race" ending).

      the nerve of The Industry(tm) to force manufacturers (mafia tactics, essentially) to comply with the PUO (the real name for this, 'prohibited user operations') rules.

      It's part of the spec. Love it or hate it, either it is okay to go off the spec (apologize for 1/3 of MS bashing now) or it is not (apologize to the industry now). Anything else is hypocritical.

      --
      Your ad here. Ask me how!
    88. Re:And people by ksd1337 · · Score: 1

      Doesn't SourceForge have Flash ads?

    89. Re:And people by SanityInAnarchy · · Score: 1

      SourceForge doesn't threaten/ban me for adblocking them.

      --
      Don't thank God, thank a doctor!
    90. Re:And people by toddestan · · Score: 1

      Be warned though that it currently uses a crapload of CPU, and there can be a video lag while gnash loads things.

      So in other words, it's just like Flash now?

    91. Re:And people by Omnifarious · · Score: 1

      Even for simple diff/commit purposes I find Mercurial much easier to use than either CVS or SVN. And I find CVS easier to use for such purposes than SVN. The biggest reason for this is that Mercurial is blindingly fast in comparison to SVN or CVS.

      IMHO, SVN is a very poor tool whose only real advantage over CVS is that it happens to work whereas CVS fails to in several important cases.

    92. Re:And people by Anonymous Coward · · Score: 0

      I have an example of solid, quick, and cheap: Computers (that is unless you absolutely need a gamer pc).

    93. Re:And people by zobier · · Score: 1

      Ah, The Project Triangle. My main objection to The Project Triangle is the combination:
      • Design something with high quality and cheaply, but it will take a long time.
      How can something take a long time and be cheap?
      --
      Me lost me cookie at the disco.
    94. Re:And people by MaryBethP · · Score: 1

      you can get the latest snapshots at getgnash.org

    95. Re:And people by Anonymous Coward · · Score: 0

      Because properly-done ads should not slow down your browsing experience. Content should load, then ads.

      Also: On my favorite forums, I leave ads unblocked. Why? Because I like the forum, I consume hundreds of megabytes of his bandwidth (as opposed to broadcast TV where 1 more or less user has NO effect on distribution, or cable/satellite where it's paid for) a day (image-heavy) and I feel like helping him pay for the cost.

    96. Re:And people by Anonymous Coward · · Score: 0

      do you believe it when TV shows make you feel like you are 'stealing' if you don't watch the ads between the show segments? how is blocking ads any diff? "Not watching" is different than "blocking". Blocking ads is the same as removing (auto-skipping) commercials: even the option to pay attention is gone. The people paying for ads have no right to force me to pay attention, but I can see why they'd be annoyed if I never even know the ads are there.

      Not watching is a choice. Blocking is an abuse.

    97. Re:And people by Opportunist · · Score: 1

      Easy. Actually I can think of two possible scenarios.

      First, the one that built Linux. A lot of people contributing spare time when they feel like it. You won't get any cheaper than that, and the quality is high due to people enjoying what they're doing (not to mention constant peer review).

      But let's look at a "commercial" example. I can see your problem: How could something be cheap when you have a huge amount of manhours tacked to it? The answer is rather simple. In every job, in every company, you run into downtime sooner or later. Time when you're waiting for another project to build, when you wait for results from other teams, or when there is simply no project about to meet a deadline. This time is pretty much "wasted" unless you can put it to some good use. That's where those "slow and sure" projects fit in. It's nothing that has to be done over night, it's something that is 'done when it's done', and you can take your time doing it right. Since the time you invest here can already be written off as waste (or, in case you're in a huge corp, can already be tacked to the cost center of the team you are waiting for), it is fairly cheap.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. SNAFU by Anonymous Coward · · Score: 4, Funny

    Situation Normal, All Flashed Up

    1. Re:SNAFU by bill_kress · · Score: 3, Interesting

      I would have said: Situation Normal, Adobe's Fucked Up

      Adobe has to be the worst company ever to supply popular software for the web, and it has always been a horrid company--at least since "ATM" started destroying my PCs back in the ole Windows 3.0 days.

      At one point, they had some competition from some other terribly flashy web software, but they quickly rectified that by buying the company so they could retain their title of Extreme Web Fuckups and earn the SNAFU title.

      (Second use of the F was quite gratuitous, but in for a penny, in for a pound)

    2. Re:SNAFU by Anonymous Coward · · Score: 1, Funny

      Their TrueType patenting and PDF hogging weren't too cool either, but wanted to note that Flash is too often abused to flash your computer, in the trench coat variation. Once exposed, it's in the memory. Am sure other Adobe products could be similarly listed as well. Executives get sucked into telling tech to add Flash to their web pages, because like far too many gamers they like the "oohh, PRETTY" over real substance and worth.

    3. Re:SNAFU by jimmypw · · Score: 3, Insightful

      How exactly is it the worst company ever to supply software for the web? I fail to see where you're coming from. Don't forget that until a while ago they didn't own macromedia and their niche was high quality still and moving images which back in the day of windows 3.0 wasn't anywhere near web software.

      Your argument is essentially flawed as this exploit has probably been in flash player since macromedia owned it and yet your blame gets directed at adobe.

    4. Re:SNAFU by Anonymous Coward · · Score: 0

      You do, of course, realise that Flash was not created by Adobe but rather by Macromedia, and that they only bought Macromedia relatively recently?

      If you had said "Situation Normal, Flash Fucked Up", I would've agreed (although that wouldn't have worked for the acronym), but you rather make it sound like Adobe magically corrupts all software they come in touch with, and that Flash was all pure and golden before that.

      Neither's true.

    5. Re:SNAFU by 1u3hr · · Score: 1

      Adobe has to be the worst company ever to supply popular software for the web, and it has always been a horrid company--at least since "ATM" started destroying my PCs back in the ole Windows 3.0 days.

      Sorry, I find this absurd. I've been using ATM ever since Win 3.0 too. Never had any issues with it. T1 fonts are essential (to DTP anyway). I use Acrobat every day (though I stick with Acrobat 4 mostly, it has all I need). There are many, many more obnoxious web software products -- who can forget RealPlayer? And many weird and wonderful "enhancements" whose main and often only function was to deliver ads and spy on you while using your bandwidth and hogging your cycles. I'm sure a quick tour of some porn sites would find many more hostile/useless/spammy programs.

    6. Re:SNAFU by 0xygen · · Score: 2, Insightful

      Must say though, if I were Adobe, staking my reputation on the reliability of some of the highest exposure software on the web, one of the first tasks after the acquisition would have been a thorough review of the Flash client codebase.

      Not that this vulnerability would necessarily have been picked up...

    7. Re:SNAFU by Divebus · · Score: 5, Insightful

      How exactly is it the worst company ever to supply software for the web. Here's my short list:

      1) Adobe Reader takes too long to launch compared to other software. People moan when they encounter a PDF on the web.
      2) Flash (yes, they own it now) is a resource hog when visiting web sites with only a few ads. Enough already.
      3) If you have the Adobe CS3 suites, you'll come to HATE the update agent... slow, intrusive, frequent.
      4) I'm always removing the Adobe reader Plugin from my browser after a CS3 upgrade. I don't want the damned thing in there.
      5) Right click a banner ad and look at Settings. I don't like my camera and microphone being a choice there.

      I wouldn't call it the WORST company... Adobe didn't make IE. That said, I get a lot of good use out of Adobe products, but sheesh... it can be the most sluggish stuff you'll ever use.

      --

      Most of the stuff on /. won't survive first contact with facts.
    8. Re:SNAFU by gaspyy · · Score: 4, Interesting

      Intentionally or not - you're trolling.

      1. Adobe Reader 8 launches almost instantly for me after the first run, when it optimizes its launch (and I always disable the startup option). Version 6 was awful but things have changed. I do agree that it's bloated (over 200Mb) but I had problems displaying complex/cmyk docs in Foxit. YMMV.

      2. Flash - use AdBlock. The technology is not at fault as flash is pretty lightweight itself. It's the advertisers who think I'll click their stupid ads if they add annoying sounds and the webmasters who think that by cramming more ads there's a better chance of me clicking on one.

      3. The update agent is slow 'cause it downloads only when the connection is idle. I do agree that it's annoying for it to ask to close almost all programs when updating.

      5. You do realize that camera and mic are turned off by default, don't you? You need to expressly enable them on a site-by-site basis.

      So there you have it.

      That's not to say that I don't hate Adobe myself for other things:
      - activation is a pain in the ass, especially if you don't get the chance to deactivate the software first from the old computer and activate on the new one (happened to me after a hdd crash).
      - the software is artificially segmented in some cases, e.g. Premiere and After Effects should be one software, or Illustrator and Indesign (CorelDraw acts as a combination between the two).

    9. Re:SNAFU by halcyon1234 · · Score: 1

      Right click a banner ad and look at Settings. I don't like my camera and microphone being a choice there.

      Neither do I, but I have to wonder. Has anyone ever tried leaving these settings ON by default, just to see if anyone, anywhere even attempts to exploit them?

      I know the dataset is kinda skewed-- no one tries because everyone already has blocked them-- but I'd be curious how many Flash games / ads / crap / etc has code to try to use the mic & cam JUST IN CASE

    10. Re:SNAFU by Divebus · · Score: 1

      Intentionally or not - you're trolling.

      How did you get a Flamebait sticker? That was a reasonable set of responses. Anyway:
      1) Yeah but usually the Reader plugin comes up at 400% with just the top of the document showing and you have to size it to read it - silly thing.
      2) I know, but it's too bad you have to use AdBlock. Imagine if there were six RealPlayer movies playing on every web page - you'd have to use RealBlock and everyone would complain about RealPlayer (more than they do).
      3) The download is fine, even if it is a few '00 MB - the updater takes its time loading things I have little interest in like Adobe AIR, putting the Reader plugin back in. You can hear it digging through your hard drive. Ick.
      4) The camera and mic are turned off... or are they? Some malware infested ad might be able to turn them on.
      --

      Most of the stuff on /. won't survive first contact with facts.
    11. Re:SNAFU by Anonymous Coward · · Score: 0

      How exactly is it the worst company ever to supply software for the web.

      I don't know about the worst, but they are damn annoying.

      A normal company would make it easy to deploy their windows software using .msi deployment tools. Not Adobe.

      Acrobat is one of the worst applications for a scripted installation. For some versions I actually had to write a vbscript file to run the regular installer and click on the buttons.

      Even for the free flash player you need to create an account and sign a license agreement before getting the .msi installers.

    12. Re:SNAFU by bill_kress · · Score: 0

      My argument is that Adobe Type Manager broke PCs constantly and was pointless.
      Adobe Acrobat is the only app that pretty regularly crashed my browser.

      They still tend to lock up browsers when downloading a long document, and if your connection is slow, it probably still crashes them--luckily few have to deal with that any more.

      They try to force their crappy software onto every machine I use. Often preloaded. Honestly, since the windows 3.1 days I have been crashed more often by Adobe than probably every other cause combined.

      I have to admit less often lately, but then I try to keep their garbage off my machines, but maybe it's gotten better and people who have only used them for the past couple years (esp. with fast internet connections) don't have a problem with them.

      Lucky they bought Flash--the OTHER great bane of the web.

    13. Re:SNAFU by STrinity · · Score: 2, Interesting

      Don't forget that certain Adobe programs, including Photoshop and Premiere, place DRM in the master boot record, which makes it impossible to run TrueCrypt boot-time encryption and have the Adobe programs work.

      --
      Les Miserables Volume 1 now up with my reading of
    14. Re:SNAFU by Anonymous Coward · · Score: 0

      it's even worse!

      camera and microphone being a choice but not SOUND CARD?! I cannot watch any flash videos in Ubuntu. They play fine but flash uses the WRONG SOUND CARD! There is no way to change this, I've tried every configuration for sound in the OS. All other apps listen to my sound settings.

    15. Re:SNAFU by bill_kress · · Score: 1

      Real Player never crashed my machine (That I remember, at least I can say it never became enough of a pattern for me to recognize it as one). Adobe Reader used to almost every time I hit a PDF file--if it was a large file over dialup--guaranteed.

      Not only that, but typically it would hang your entire browser--not just that one window--while it loaded a PDF; I'm not sure how they pulled that off.

      I began to dread encountering pdf files.

      Type manager was deeply wired into windows. A single bug (and it had many) would screw up your entire system. It never worked and played well with other apps, and lots of crap would make you install it for no reason. Nobody but marketing dweebs care that a font is rendered exactly as their font was, and beyond the flakiness, I was somewhat annoyed at them allowing that kind of "Push" onto my machine--I want "Read as TEXT" so I could wrap to my screen size, adjust the font, and simply read--Adobe insisted on huge downloads for ugly, unmanageable text with awkward zooming/scrolling instead. The whole concept is anti-web... (ATM and Reader both)

      If it hadn't been for Adobe, we would have had nice, simple, readable HTML-based documents instead. Sure I could blame incompetent companies for using Adobe in the first place, but can you blame a baby if you give it a lollipop-shaped gun and it shoots itself in the head?

      Flash also bothers me conceptually, it's overused but has some very valid uses and I believe it's pretty stable these days--most of my bitching about flash is legacy.

      Windows 3.1 used to crash all the time, when I removed ATM, it crashed significantly less. Well, not remove so much as re-install windows without it.

    16. Re:SNAFU by jimmypw · · Score: 0

      Hear, hear.

      well elaborated.

    17. Re:SNAFU by Anonymous Coward · · Score: 0

      you forgot the biggest one: The broker process that runs under Vista to allow Flash plugin to do privilege escalation from the web.

    18. Re:SNAFU by 1u3hr · · Score: 2

      Real Player never crashed my machine (That I remember, at least I can say it never became enough of a pattern for me to recognize it as one). Adobe Reader used to almost every time I hit a PDF file--if it was a large file over dialup--guaranteed

      Real didn't crash, but it was unpleasant in many other ways. As for reading PDFs online; if it's a short document I might view it in the browser, but I almost always r-click to download and view it once it's all there, rather than try to view inline. You have to specifically optimise a PDF for viewing inline so it's not really Adobe's fault if it doesn't work. Print PDF files are different.

      Not only that, but typically it would hang your entire browser--not just that one window--while it loaded a PDF; I'm not sure how they pulled that off.

      So why use the browser plugin if it was so much hassle?

      If it hadn't been for Adobe, we would have had nice, simple, readable HTML-based documents instead.

      Sometimes PDFs are gratuitous, but often the alternative would be nothing at all, or a horrible bitmap page scan, or worst of all, Word DOC files, complete with macro viruses. Print-to-PDF allowed many documents originally designed for print to be easily repurposed as downloads. I have a collection of PDF manuals for all kinds of hardware that I really doubt I would have if the manufacturers had had to translate to HTML.

      Windows 3.1 used to crash all the time, when I removed ATM, it crashed significantly less. Well, not remove so much as re-install windows without it.

      Maybe you had too many fonts, or corrupt ones. In any case, I used 3.1 for years, with ATM and using CorelDraw. It crashed occasionally, almost always when editing large bitmaps, so I doubt it was related to ATM.

      If you do any DTP, Adobe products are essential.

    19. Re:SNAFU by bill_kress · · Score: 1

      Real didn't crash, but it was unpleasant in many other ways. As for reading PDFs online; if it's a short document I might view it in the browser, but I almost always r-click to download and view it once it's all there, rather than try to view inline.

      Correct, you just forgot to add "I got into this habit because the Adobe reader plugin is a piece of crap and my pain/response mechanism took over".

      So why use the browser plugin if it was so much hassle?

      I generally uninstall it (as I have said) but since most browsers seem to come pre-corrupted, you will eventually accidentally click on a link.

      Print-to-PDF allowed many documents originally designed for print to be easily repurposed as downloads.... Sometimes PDFs are gratuitous, but often the alternative would be nothing at all

      Yes, and Print-to-Text actually does the same thing but in a more world-friendly format. Are you saying it couldn't have been used anywhere print-to-PDF could?

      If you do any DTP, Adobe products are essential.

      Absolutely. I never said adobe products weren't absolutely necessary for self publishing, they are pretty much the only answer--and they do a good job at it from what I've seen.

      I was very careful when I decided to mention the technology was problematic when "Used on the web" not in general. In a mostly vertical niche such as DTP, you expect poor, glitchy software that doesn't have competition. You become willing to ignore flaws--heck you often don't even see them.

      I vaguely remember another vertical DTP app that was really bad--way back in the early 90's. There used to be this absolutely terrifying GUI word processor for Unix called "Frame" or something like that. It had the silliest menu system you ever saw. I finally figured it out, they came up with this "Trick" of tear-off menus that you could set beside the window--this meant, however, that all the useful functions were buried at the bottom leaves of the menu. I don't know exactly how to describe it but it was virtually impossible to find typically used functionality. If this piece of garbage had survived, it might have given Adobe a run for their money--both in the decent DTP and the crappiest app ever departments.

      I believe it handled large collections of "Chapters" in a huge document MUCH MUCH better than word did though, and did have some kind of real send-to-the-printer rendering IIRC...

      ----
      My wife and I were talking the other day while she was looking something up on the web, suddenly she said "Oh Crap", I said what, she said "This document is PDF." I know she's heard me bitch about Adobe, but I also know she, like everyone who uses computers (and apparently you mr. parent) dread bringing up that plugin.

      Isn't that dread alone enough to give it at least the "Most hated web-rendering technology" award? When even the plugin's defenders say "Don't use it".

    20. Re:SNAFU by Anonymous Coward · · Score: 0

      I would gladly post this under my username, however, something is SNAFU right now and I cannot log on despite my trying for the last 10 minutes.

      1.) Adobe Reader and "instant" do not belong in the same sentence. It's only "fast" to start if you've launched it repeatedly. If you compare it to any third party reader, it's painfully slow even on the most blazing machines. (BTW, the modifier "almost" doesn't save your statement.)

      2.) Flash is NOT lightweight. It IS a resource hog and is bog slow. Blocking ads is not the debate here, the debate is Flash is SLOOOOOOW and I challenge you to prove it's not.

      3.) Update agent is disabled and I manually update CS3 because Divebus nailed it... It's annoying, it's slow, it's ALWAYS in your face and for a background app it certainly needs a lot of coddling.

      No, Adobe is ass-tastic, they rival Microsoft with their slow, bloated crapware such as Reader and Flash.

      That said, I've been using many/most of Adobe's products for the last 7 years and I'm not sure what I'd do without them.
       
      I generally have few complaints about their "core" pro applications, I just wish they'd make their supporting apps leaner, i.e. Flash Player, Update Agent, Adobe Reader etc...

    21. Re:SNAFU by 1u3hr · · Score: 1
      I vaguely remember another vertical DTP app that was really bad--way back in the early 90's. There used to be this absolutely terrifying GUI word processor for Unix called "Frame"

      If that's "FrameMaker", it was bought by Adobe. Still around, in Windows versions now, and I'm trying to learn it; it's very powerful (footnotes, references, etc) but not user friendly. Still a standard in academic and technical publishing. (InDesign will eventually replace it, it's clear that's Adobe's plan, but not yet.)

      I was weaned on Xerox Ventura, but that changed hands many times, is now owned by Corel, but hasn't been updated for years and is pretty flaky now, sadly. I still use the old DOS GUI version 3 for simple projects (novels, poetry, etc).

    22. Re:SNAFU by bill_kress · · Score: 1

      Yeah, that was it. Amazing, it's like every piece of software that I really dislike ends up in their hands.

      Although I'm sure FrameMaker has improved a lot since then--I remember it being quite powerful, but that was lost to me since I never needed anything more powerful than word.

      (Well, actually the large document handling was nice, word would just roll over and die if you fed it a large enough document)

      But the usability--ugh.

  3. Flash perpetual vulnerability by amrik98 · · Score: 5, Insightful

    This isn't the first or the last time Flash will have vulnerabilities discovered, and I understand this can happen with any software. It is just the frequency and consistency of these vulnerabilities that concerns me. When I install a binary blob from Adobe it's always in the back of my mind that I could be opening up my system to attack.

    1. Re:Flash perpetual vulnerability by Anonymous Coward · · Score: 1, Interesting

      I wonder if you could mitigate this threat reasonably painlessly by running a flash enabled browser in an isolated virtualized application environment, using something like Thinstall http://www.thinstall.com/ or Codeweavers crossover http://www.codeweavers.com/products/ ?

    2. Re:Flash perpetual vulnerability by Anonymous Coward · · Score: 0

      Solution: don't install flash. (There are gnash and swfdec if you're sadly addicted to the content.)

      I personally require none of that dada.

    3. Re:Flash perpetual vulnerability by BollocksToThis · · Score: 3, Funny

      I personally require none of that dada.

      Slow down on the keyboard there, Oedipus.

      --
      This sig is part of your complete breakfast.
    4. Re:Flash perpetual vulnerability by hairyfeet · · Score: 1
      Actually I would suggest SandboxIE which, despite the name, will let you sandbox any app without having the overhead of most other VMs. It is free (Windows 2K-Vista only, I'm afraid) and if you are like me and have to run Windows on an Internet enabled machine I can vouch for the fact it does run very nice, even on this old 1.1GHz with 512Mb of RAM.


      And to the earlier poster who said limit whitelists in Noscript: Why use whitelists at all? I mean, it only takes a couple of seconds to click allow and since on flash objects doing so allows you to see the URL, isn't it safer to just take the extra few seconds? I know there have been a few times in the past where I have gone to watch a flash on a site I trusted only to see the URL redirecting all over the web and passed. Sure enough in a day or two I would read about some massive hack hitting thousands of sites. I personally would rather take the time than be boned. But that is my 02c, YMMV.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  4. Malware-laden by MPAB · · Score: 1

    Look out! Ben's brother has servers, and he plans to exploit them!

    1. Re:Malware-laden by Opportunist · · Score: 2, Funny

      Won't anyone here PLEASE think of the servers?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Another reason I despise swf on webpages by rts008 · · Score: 1

    I always use noscript and flashblock extensions in firefox on Linux, so I'm not too concerned about this.

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
    1. Re:Another reason I despise swf on webpages by Vectronic · · Score: 0

      Every site? every time?

      I'm not concerned either, and I don't use any blocking stuff (other than Opera and a few blacklisted sites)

      See, I'm being stupid, and just going by odds... if something crazy happens that a virus scanner doesn't detect (when I decide to run it) and I can't fix it, reformat! w00t...

    2. Re:Another reason I despise swf on webpages by Anonymous Coward · · Score: 0

      That's fine as long as you don't care who controls your computer. Malware tries to stay undetected while doing who knows what in the background.

      You may not notice anything for years, while your computer participates in ddos attacks, serves as a warehouse for who knows what illegal files, gathers information about you and sends it to some nice people who then sell it in the black market to identity thieves, scammers, spammers, any folk wanting to know what things you like, read, buy, watch, listen to...

      Damn we should all be as irresponsible, I mean there's infinite bandwidth out there who cares if botnets roam it, it's not like they can clog it or anything...

      I can even give you a car analogy:

      Why bother locking the car? I mean so what if it gets stolen and used in a bank robbery, you can just buy a new one or your insurance does it for you.

    3. Re:Another reason I despise swf on webpages by Vectronic · · Score: 1

      Buying a new car involves money though...reformatting on the off chance something does happen (or about every 6 months regardless), doesn't.

      And I never said I was completely careless, everything is pretty much locked down, and I monitor my traffic from time to time just to see if anything odd is going on... plus other than telling people I meet online my real first name, I don't do any online banking, buying, or other transactions that could be "dangerous". And scan everything I download that isn't from a reliable (HTTP/FTP) source. And if this PC gets hit with something, one of my other PC's will tell me eventually...

      I just see it as more of a problem to be paranoid, than not be, my computers are for the most part work horses, everything I don't need is disabled or removed, and virus scanners and firewalls are included in those things most of the time, I have a single port blocked in my router (Helkern spam)... so be it.

    4. Re:Another reason I despise swf on webpages by Vectronic · · Score: 1

      Oh, and to continue babbling...

      I also always at least dual boot, all my machines, with XP or Vista, and then either Slackware or (pick random Linux)

      The one I'm typing from at the moment has all four... XP/Vista/Slackware and Mandriva currently... so the odds of it hitting all 4 are slim, and the odds of none of the 4 seeing something odd are just as slim.

  6. Welcome to the proprietary internet. by NotZed · · Score: 5, Insightful

    A taste of what it could've been and what it might yet become?

    --
    _ // `Thinking is an exercise to which all too few brains
    \\/ are accustomed' - First Lensman
    1. Re:Welcome to the proprietary internet. by Anonymous Coward · · Score: 0

      I am glad that MSN ... that is the MS _Network_ (as opposed to the MS non-standard closed messaging client) didn't take off. Imagine if 'internets' were still like AOL, MSN, Prodigy et al with no interoperability etc.

    2. Re:Welcome to the proprietary internet. by Anonymous Coward · · Score: 0

      I've never been so happy that Flash doesn't support my platform!

      Er, except for all those annoying banner ads and games and the music players and stuff. I guess I'm pretty happy when I don't see those either.

      But my point remains!

  7. Oh... dear... God by religious+freak · · Score: 5, Funny

    What kind of horrible, horrible update scheme will Adobe come up with to try to combat this?! The thoughts are too terrible to imagine...

    --
    If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    1. Re:Oh... dear... God by naz404 · · Score: 1

      Flash has had auto-update since version 8 and up.

      Once Adobe's fixed up the patch, they just have to command all players to update themselves to the latest fixed version.

    2. Re:Oh... dear... God by Anonymous Coward · · Score: 0

      so you're saying... Adobe is in command of their Flash botnet?

    3. Re:Oh... dear... God by WK2 · · Score: 1

      That wouldn't even work. Flash runs as a regular user, but needs administrator access to update its own code.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    4. Re:Oh... dear... God by HyperQuantum · · Score: 1

      Just hope that they do not silently include a webbrowser with their updates.

      --
      I am not really here right now.
    5. Re:Oh... dear... God by SanityInAnarchy · · Score: 1

      Actually, they already include a Webkit engine in Air, which is their Flash-based desktop app platform. It's not hard to imagine them porting that to Flash.

      As distasteful as that seems, it would have one nice side effect -- there are a few places where Flash is pretty much the only option. MySpace, for example, allows Flash widgets, but not iframe widgets, because Flash widgets are more secure. With Webkit inside Flash, we'd be able to build a normal AJAX/iframe widget, and just wrap it in Flash for retarded sites like MySpace.

      --
      Don't thank God, thank a doctor!
    6. Re:Oh... dear... God by rrohbeck · · Score: 1

      What kind of horrible, horrible update scheme will Adobe come up with to try to combat this?! The thoughts are too terrible to imagine...

      Can't be worse than Apple's Quicktime updater.

  8. Hmm Windows only... and SQL injection? by foniksonik · · Score: 0

    Once again Windows is open to attack from some 3rd party app... and what's this, SQL injection is being used... is that another MS product being abused or is it a free for all on open source DB driven websites?

    Seems like there is plenty of blame to go around... Adobe included but certainly not alone. If Windows wasn't so easily subverted by a 3rd party app with a bug this wouldn't be an issue (as it's not for Mac and Linux users)... but of course were it not for lax security in countless websites, there would be no vector... so shame on web developers...

    enjoy.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
    1. Re:Hmm Windows only... and SQL injection? by Anonymous Coward · · Score: 0

      SQL injection is being used... is that another MS product being abused or is it a free for all on open source DB driven websites?

      As far as I understand it SQL injection attacks exploit sloppy handling of user input in the web app code, not the database management systems. This makes every DBMS "vulnerable" to SQL injection, since there's little you can do to protect against it on the DBMS level.
    2. Re:Hmm Windows only... and SQL injection? by Anonymous Coward · · Score: 1, Informative

      And who says it's not an issue on the MAC and Linux besides you? Nowhere in any of the linked articles (Yes, I actually RTFA) does it mention that it is a Windows only bug...

    3. Re:Hmm Windows only... and SQL injection? by Hal_Porter · · Score: 4, Funny

      It's Windows only because Microsoft wrote it to promote their Silverlight initiative. Silverlight doesn't work on Macs or Linux, so there's no point porting the exploit there.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    4. Re:Hmm Windows only... and SQL injection? by Anonymous Coward · · Score: 2, Informative

      Silverlight does run on Mac OS X.

    5. Re:Hmm Windows only... and SQL injection? by Anonymous Coward · · Score: 0

      It can also Moonlight on Linux.

    6. Re:Hmm Windows only... and SQL injection? by Anonymous Coward · · Score: 0

      FYI, "MAC" in uppercase is usually an abbreviation for Media Access Control. You probably meant "Mac" which is short for Macintosh, a line of computers made by Apple, Inc.

      As for the topic at hand, I'd like to see more exploit details that more directly confirm the problem is limited to Windows. TFA simply states it does affect Windows, but I didn't see any statement that the bug categorically does not compromise systems running OS X or Linux. Without more details I have to operate under the assumption the same flaw may exist, and may be exploitable, under those systems.

    7. Re:Hmm Windows only... and SQL injection? by linal · · Score: 2, Informative

      SQL injects aren't a MS specific problem, they are from poor programming and design. The same SQL injection attack could happen on any OS and DB.

    8. Re:Hmm Windows only... and SQL injection? by setrops · · Score: 1

      It's not an SQL vulnerability, they are infecting badly coded web sites.
      Basically they use SQL injections to upload snippets of code to redirect or upload SWF and in some cases .jpg (which are really SWF files).

      The vulnerability is on the Flash application. So people are visiting known sites that they trust and being infected.

    9. Re:Hmm Windows only... and SQL injection? by Anonymous Coward · · Score: 0

      Silverlight doesn't work on Macs

      except... it does work on Mac... I'm using Safari right now with Silverlight installed.

      Fail.
    10. Re:Hmm Windows only... and SQL injection? by zobier · · Score: 1

      except... it does work on Mac... I'm using Safari right now with Silverlight installed.

      Why would you want to go and do a thing like that?
      --
      Me lost me cookie at the disco.
    11. Re:Hmm Windows only... and SQL injection? by foniksonik · · Score: 1

      I said that there is enough blame to go around... the vulnerability isn't only in Flash, it's also in whatever is allowing websites to become pawns of hackers... and in Windows which allows Flash to do anything other than execute swf files within the browser.

      All the players above are at fault...

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
  9. Flash in the pan by Anonymous Coward · · Score: 0

    Plain text is the only way to go! There's nothing more secure than plain text, except Silverlight!
    Windows Live Mail: Want to get paid to post on forums? Visit www.microsoft.com today!

  10. Why is SQL injection even still a problem? by MichaelCrawford · · Score: 4, Insightful
    And I'm not saying the web application developers need to prevent it: it needs to be fixed in the database and its communication protocols. I think it's quite an outrageously bad architecture that has payload and control data together on the same channel.

    After all, it's my God-Given Right to name my son Robert'; DROP TABLE STUDENTS. I shouldn't be getting nasty phone calls from every school he's ever attended!

    --
    Request your free CD of my piano music.
    1. Re:Why is SQL injection even still a problem? by SanityInAnarchy · · Score: 1

      I think it's quite an outrageously bad architecture that has payload and control data together on the same channel.

      I think it's actually nicely flexible, sometimes. I like that I can type SQL commands at a MySQL console.

      I agree in principle, but this is a solved problem. Most database APIs allow prepared statements. Platforms like Rails abstract away most of the need to write any SQL yourself -- AND it fakes prepared statements.

      The only reason we still have SQL injection is, we still have armies of morons writing crappy PHP and VB pages. Not that it's impossible to write good PHP, but it sure as hell doesn't encourage it -- do I use mysql_escape_quotes, or mysql_real_escape_quotes, or what?
      --
      Don't thank God, thank a doctor!
    2. Re:Why is SQL injection even still a problem? by Tim+C · · Score: 1

      And I'm not saying the web application developers need to prevent it

      Well, I am. There is simply no excuse for anyone to be writing web apps that are vulnerable to SQL injection attacks. The attack vector should be known to anyone with even a passing interest in programming for the web, and there are standard library calls for all the languages I've used that take care of it for you.

      Besides which, this is really just a special case of the old maxim: never trust your input data. Anyone writing code that is vulnerable to SQL injection attacks is almost certainly writing vulnerabilities into their code in other ways too.

      Yes, the design of SQL communication protocols makes it easy to do stupid things and open your code up to attack. That's no excuse for actually doing so however.

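    An added example (not code from any poster in this thread) of the point SanityInAnarchy and Tim C make above: the same lookup written by pasting the name into the SQL string and written as a parameterised statement, both fed MichaelCrawford's "Robert'; DROP TABLE STUDENTS" value. The table, the rows and the Python/sqlite3 code are constructed for the demonstration; a trailing SQL comment marker is appended to the name so the template's leftover quote does not simply produce a syntax error.

```python
import sqlite3

# Constructed sample table contents; nothing here comes from the thread.
SAMPLE_ROWS = [("Robert", 2007), ("Alice", 2008)]

# The "son's name" from Crawford's post, with "--" appended so the quote
# left over from the query template becomes a comment instead of an error.
BOBBY = "Robert'; DROP TABLE students; --"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a small students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, year INTEGER)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def students_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master "
        "WHERE type = 'table' AND name = 'students'"
    ).fetchone()
    return row[0] == 1


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> None:
    # Control (the SQL text) and data (the name) share one string, so a
    # quote inside the data closes the literal and the rest is parsed as SQL.
    sql = "SELECT year FROM students WHERE name = '%s'" % name
    # executescript() accepts stacked statements, which models the many
    # database connectors that do so by default; execute() alone would
    # refuse the second statement but still lets the WHERE clause be rewritten.
    conn.executescript(sql)


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Prepared/parameterised statement: the SQL text is fixed and the name is
    # bound as a value, so nothing in it can ever be parsed as SQL.
    rows = conn.execute(
        "SELECT year FROM students WHERE name = ?", (name,)
    ).fetchall()
    return [r[0] for r in rows]


def demo() -> dict:
    """Run both variants against separate databases and report the outcome."""
    vuln_db = make_db()
    lookup_vulnerable(vuln_db, BOBBY)        # second statement drops the table
    safe_db = make_db()
    bobby_rows = lookup_safe(safe_db, BOBBY)  # just a name nobody has
    return {
        "table_after_vulnerable": students_table_exists(vuln_db),  # False
        "table_after_safe": students_table_exists(safe_db),        # True
        "rows_for_bobby_safe": bobby_rows,                         # []
        "rows_for_robert_safe": lookup_safe(safe_db, "Robert"),    # [2007]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```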
    3. Re:Why is SQL injection even still a problem? by zobier · · Score: 1

      You have an error in your SQL syntax near ', 'Crawford'

      --
      Me lost me cookie at the disco.
  11. Proverb by Rastignac · · Score: 3, Funny

    In France, a popular IT proverb says "Adobe, c'est de la daube". True one more time today...
    (won't translate; lost in translation).

    --
    -- Rastignac was here.
    1. Re:Proverb by Zironic · · Score: 1

      Adobe, it's a mess?

    2. Re:Proverb by lgw · · Score: 1

      You can't translate the pun (thankfully), but the closest idiomatic thing might be "Adobe, its name is mud".

      --
      Socialism: a lie told by totalitarians and believed by fools.
    3. Re:Proverb by iminplaya · · Score: 1

      A slightly less popular proverb says "Adobe, c'est de la merde". This might translate a bit easier? I wouldn't know. No hablo frances.

      Does displaying accented characters have to be so difficult?

      --
      What?
    4. Re:Proverb by OneSmartFellow · · Score: 1

      Adobe, it's shit

    5. Re:Proverb by sayfawa · · Score: 1

      I'm guessing the pun is from the fact that the word 'adobe' means some kind of mud-based brick or structure? If so, then the translated pun is just as good (or bad), as adobe means the same thing in english.

      --
      Free the Quark 3 from asymptotic confinement! Bring your charm! Don't get down! All colours and flavours welcome!
    6. Re:Proverb by Gandalf · · Score: 2, Funny

      And here in Holland the proverb goes "Rather than Adobe, a doobie". (True every day...)

    7. Re:Proverb by Jesus_666 · · Score: 1

      Compare "Adobe" and "la daube". Very similar.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  12. Hey Adobe: Try Using Stack Canaries! by MichaelCrawford · · Score: 5, Informative
    No doubt someone from Adobe will be reading this Slashdot story.

    A Stack Canary is a value placed at the end of a function's stack frame. Just before function return, the canary's value is checked, and if it has changed, the user is notified.

    So what you do is build a test version of Flash with canaries enabled in the compiler, then try feeding it all kinds of potentially buffer-overrunning input.

    To enable canaries:

    The Xcode-Users post I linked to says that stack canaries were discussed in session 109 at Apple's developer conference, in 2007 I think. You should be able to view it on the Apple Developer Connection website.

    I'll send you my bill in the mail.

    --
    Request your free CD of my piano music.
    1. Re:Hey Adobe: Try Using Stack Canaries! by LaskoVortex · · Score: 1

      No doubt someone from Adobe will be reading this Slashdot story.

      If the guys who wrote the software that shows up on stories like this actually read slashdot, we probably would stop getting stories like this. I mean, when was the last time Ad0b3Hax0r /. id #113434124 said "Sorry guys, that bug was me. I'll try to do better next time. Thanks for the heads-up."

      --
      Just callin' it like I see it.
    2. Re:Hey Adobe: Try Using Stack Canaries! by Anonymous Coward · · Score: 0

      You should read up on the vulnerability before posting. It was quite famous because the exploit was one of the rare cases where a heap attack worked.

  13. real reason? french simply are not funny - EVER ! by Anonymous Coward · · Score: 0

    The french can't be funny.

    It just doesn't happen.

    Jerry Lewis is NOT funny !!

    repeat: Jerry Lewis is NOT funny !!

  14. Make a goodie virus by Crookdotter · · Score: 1, Interesting

    I think the time has come to make a virus that counters spambots, trojans, viruses and everything else. Limited lifespan, get them into the wild, let them run through networks doing a good deed then martyr themselves. I know people would be worried about any possible damage done by these things, but if your system is open, then it's a risk vs potential damage assessment. If you have the right security in place, then neither goodie or baddie viruses will get near you.

    1. Re:Make a goodie virus by Anonymous Coward · · Score: 0

      Primum non nocere

    2. Re:Make a goodie virus by Crookdotter · · Score: 1

      ...and of course a good virus does no harm.

  15. Re:This is NOT a 'zero day flaw'..... by shird · · Score: 4, Insightful

    That is not the definition of zero day. If you are going to condemn people for using it incorrectly, at least use it correctly yourself. The 'zero day' status merely refers to how long the exploit has been known - the 'zeroth' day being the day it is publicly disclosed. This day is important due to the fact it is basically impossible for people to be patched against the vulnerability on this day. In other words, tomorrow this will no longer be a 'zero day exploit'. (no doubt it was disclosed several days ago and isn't a zero day exploit today either).

    --
    I.O.U One Sig.
  16. That's sort of what the Welchia worm does by MichaelCrawford · · Score: 2, Interesting
    When I was staying in a hotel in between moving out of one house and into another, I hooked my Win2k box directly to the Internet via dialup. At my old place I used Linux as an IP masquerading gateway, and never had any trouble.

    Well it didn't take long for me to notice that my modem often showed activity even when I wasn't doing anything online. At the advice of a friend I bought the ZoneAlarm firewall.

    It informed me that I was infected with the Welchia worm. What it does is apply security fixes to your Windows installation, and then it propagates itself on to other Windows hosts over the Internet!

    This drove home to me the importance, when using Windows, of having a firewall that prevents connections coming from my own computer. ZoneAlarm does this.

    Most firewalls just prevent attacks from outside. But if you're already infected, you want to know about network traffic originating from your own computer.

    --
    Request your free CD of my piano music.
  17. Adobe is an advertising company by Anonymous Coward · · Score: 0

    Right click on your next youtube video. See the privacy manager? Click through all the options and see that it's recorded EVERYTHING you've ever done and seen, including flash ads. And better than Google cookies.

    The Adobe ad network is even more lucrative than Adsense.

    1. Re:Adobe is an advertising company by Daengbo · · Score: 1

      This must be on Windows ....

  18. Flash dependent sites by Mathinker · · Score: 5, Interesting

    > That's what temporary permissions are for.

    Yes, I use them all the time, but what does that really mean? After I temporarily enable Flash/JS malware for a badly designed site which is just not viewable without them, I'm not going to get temporarily "pwned". It's already "game over".

    Except for times like this, if the choice is enabling JS/Flash, or not getting information I was interested in, my thirst for information wins, all other things being equal (i.e., the URL looks like a legitimate one, etc.)

    I never enable JS or Flash in order to see sites which I get to through advertisements, however.

    1. Re:Flash dependent sites by MagikSlinger · · Score: 1

      Check your NoScript options. You can tell it to block Flash from even trusted sites.

      --
      The bitter lessons of a veteran coder: http://bitterprogrammer.blogspot.com
  19. MOD PARENT INSIGHTFUL!!11 by Anonymous Coward · · Score: 1, Informative

    He's absolutely right about the idea of separating the control from the data. No other well-designed architecture does things this way. Take TCP, for example, which requires you to open two TCP ports for every connection, one for control and one for data. Or Ethernet where you have to have two pairs of wires, one for control data and one for real data. Other examples where this is employed are RPC, UDP, and even the telephone system.

    At first glance, it might seem like you'd need to introduce control characters into the data to differentiate the various parts of the data, in case you ever needed to put multiple fields with a single control statement (I know, it's rare, but some people _do_ need this). However, the TCP people invented an ingenious way of dealing with this by designating a special character for separating fields. All you need to do is escape it every time it occurs naturally in the stream. Then, all your problems are solved.

    Well, you've still got the problem of associating the control data with the payload. They are, after all, on two different channels and could arrive at different times. That's a trivial problem, though, because you just send the control data first and wait a short time before sending the real data. Electronic signals always travel at the same speed.

    Oh, we're not quite done yet. What happens if you want to embed user-entered data in the control? Well, that's easily handled, too, by moving everything except the framing sequences in the control channel into the data channel, so everything is data. I think that should work perfectly.

    1. Re:MOD PARENT INSIGHTFUL!!11 by SanityInAnarchy · · Score: 1

      Take TCP, for example, which requires you to open two TCP ports for every connection, one for control and one for data.

      ...what?

      Sorry, I haven't looked at the structure of an actual TCP packet in a long time, but I have no idea what you're talking about.

      What happens if you want to embed user-entered data in the control? Well, that's easily handled, too, by moving everything except the framing sequences in the control channel into the data channel, so everything is data.

      Great, so now we can have exploits based on manipulating the data instead.

      There are incredibly simple solutions here, already implemented. There's prepared statements, which I think may work at the SQL level, not sure. Then there are higher-level APIs, like ORMs -- the better ones make it easier to be secure.

      Making yourself vulnerable to a SQL injection is every bit as stupid as running 'eval' on that user-entered data. And I really do like that my language of choice has eval. Just because idiots use it to make themselves insecure is no reason to throw the technology away.
      --
      Don't thank God, thank a doctor!
    2. Re:MOD PARENT INSIGHTFUL!!11 by Tim+C · · Score: 1

      Sorry, I haven't looked at the structure of an actual TCP packet in a long time, but I have no idea what you're talking about.

      He's being sarcastic.

    3. Re:MOD PARENT INSIGHTFUL!!11 by Anonymous Coward · · Score: 0

      I have no idea what you're talking about.

      He's being sarcastic.

      TCP and SQL require vastly different amounts of parsing, so the sarcasm doesn't work very well. It's also funny he should mention the telephone system, because that is an example of a system which greatly benefited from correcting the mistake. The phreaking phenomenon was made possible by inband signaling, i.e. mixing data and control, and the resurgence of DTMF signaling for controlling complex PBX functions is a step back.
    4. Re:MOD PARENT INSIGHTFUL!!11 by myowntrueself · · Score: 1

      Take TCP, for example, which requires you to open two TCP ports for every connection, one for control and one for data.

      I think that the first instance of TCP there should read FTP

      Then the rest of it makes some sense.

      --
      In the free world the media isn't government run; the government is media run.
    5. Re:MOD PARENT INSIGHTFUL!!11 by SanityInAnarchy · · Score: 1

      Oh good!

      With two other posts saying that it was sarcastic, I was beginning to suspect I was slipping. If it was sarcastic, it wasn't a particularly good joke.

      --
      Don't thank God, thank a doctor!
    6. Re:MOD PARENT INSIGHTFUL!!11 by Anonymous Coward · · Score: 0

      You had to do it, didn't you? You just had to?

      The 1s in the subject...

      Every "fact" in the entire message was wrong...

      My solution included every problem that exists in the original design and more besides...

      I did everything but throw in a Jonathan Swift reference.

      Congratulations, sir, you have made me lose my last shred of faith in humanity. At this point, I really don't care if you really thought I was serious, or you were just pretending to think I was serious to troll me back.

      And it wasn't a joke. I was ridiculing him. The two-channel idea is asinine. If you go back and read my post again, maybe you'll figure out why. Hint: nobody else does it (except FTP, which sucks), it creates synchronization problems between the channels, you still have to escape the data on the channel, and you still probably want to dynamically build the control statements. All these things are clear if you would but think for even one instant upon what you've read. Why do you do this to me? Please, god, kill me now.

  20. Dual of xkcd's "virus zoo"! by Mathinker · · Score: 1

    > XP/Vista/Slackware and Mandriva .... and the odds of none
    > of the 4 seeing something odd are just as slim.

    You're telling me that from each of those 4 OS's you run virus/malware scans on the other 3? I'm impressed at that setup. It's the dual situation to the following widely-posted-on-Slashdot xkcd comic.

    When do you have time to do real work / play with them?

    BTW, I wouldn't be so sure that your scanners are going to pick up everything. Anything which is specially targeted has a fairly good chance of slipping under the wire, the scanners mainly pick up "mass infection" tools and attacks. Of course, unless there is something special about your computers (like being in an especially interesting IP address block) you probably won't get specially targeted.

    1. Re:Dual of xkcd's "virus zoo"! by Vectronic · · Score: 1

      "When do you have time to do real work / play with them?"

      Well, that's fairly easy, I boot into whichever OS is appropriate for the job, I split my windows installations, one for programming related things, one for graphical related things, and likewise for linux...

      If it was my only machine, it would be over-kill and almost a job unto itself, but thanx to automation, and networking, I can leave one PC to do something it needs to do, and switch over to another PC that's free.

      "...scanners are going to pick up everything..."

      Well no, but the probability is higher, even if the dual(+) boot was the same OS for all installations. Which, I've actually had the pleasure (haha) of doing, and then being hit with an infection (about 7 years ago when XP first came out) boot into an OS, try and fix some stuff, crashes, boot into the other OS, try and fix stuff... granted I did end up losing about 1/3 of my stuff (installed software, plus backup installers) but I did manage to tame the worm, and was left with at least one OS that still booted... it was not a good afternoon...

  21. Re:This is NOT a 'zero day flaw'..... by OneSmartFellow · · Score: 1

    The 'zero day' status merely refers to how long the exploit has been known - the 'zeroth' day being the day it is publicly disclosed

    If that's your definition, ('zero day' == <time of publication>) then it still hasn't been used correctly, since the linked article is already a day old.

    Given that the phrase 'zero day' is made of two single syllable words, I can understand the propensity for its use. However, it conveys no information, except to indicate that the author is a buzz-word junkie. Why not call it a 'Same Day exploit' or 'This Day exploit', or even a 'Today exploit'?? Because then people would realize that it's a vacuous phrase. Oddly, when there's a number involved, it sounds technical, and confusing, and causes alarm! Do you think that's a coincidence?

    Furthermore, it is practically inconceivable that a vulnerability could have been discovered, incorporated into a 'Chinese version of the MPack exploit kit', whatever that is - as a side note: do you suppose they do a pre-release test on the new version of MPack kit? - , and reported by Ryan Naraine, 'security evangelist' - another meaningless phrase - at Kaspersky Lab - can you say conflict of interest - at "11:19 am" on ZDNet all within the space of 24 hours.

    Of particular interest is a phrase in a linked article (published some time on May 27) that states "At the moment these domains [Chinese hosted MPack sites] do not appear to be resolving"

    I find it very suspicious that a 'dangerous' exploit was discovered on a 'Chinese' website, analysed, and made public all within the space of a day, and in the same day (presumably within a very few hours) the 'Chinese' had already taken the site offline. It's also suspicious that there are so few real details about when and how it was discovered.

  22. Oblig by Anonymous Coward · · Score: 0

    Not new, but still funny:
    http://www.xkcd.com/350/

  23. Kids these days... by Digestromath · · Score: 2, Funny

    Back in my day the only way to animate porn was flip the pages real fast. When technology does all the hard work for you, you lose any sense of personal accomplishment.

    1. Re:Kids these days... by Alpha830RulZ · · Score: 1

      But you have to admit, using flash frees up a hand. The loss of, as you put it, a sense of accomplishment is perhaps made up for by the increased possibilities.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
  24. Fucking useless by Anonymous Coward · · Score: 1, Interesting

    But what operating systems are affected and/or browsers? All of them? Some of them? Windows?
    This advisory is fucking useless.

    "This advisory is to alert you that if you are using Adobe Flash you're pretty much fucked, oh, there is no fix currently. Have a good day"

  25. Re:This is NOT a 'zero day flaw'..... by Gewalt · · Score: 2, Informative

    No, zero day exploit refers to the fact that the exploit is publicly disclosed (and in use) before there is a patch to fix it. So yes, tomorrow, this will STILL be a zero day exploit.

    --
    Modding Trolls +1 inciteful since 1999
  26. NoScript WILL Save You (most of the time) by Giorgio+Maone · · Score: 4, Informative

    SWF and other payload files cannot be uploaded and hosted on the compromised web server as easily as SQL-injecting a script fragment which downloads them from a 3rd party site in full control of the attacker. In this and all the recent mass-infection cases, the 3rd party hosts have been improbable Chinese domains, likely registered ad hoc (such as wuqing17173.cn, woai117.cn or dota11.cn), and very unlikely to be in your NoScript whitelist, no matter how savage your browsing habits could be.

    So in all "real world" scenarios seen so far, this one included, you are protected by NoScript in its default configuration, which blocks 3rd party embeddings even if you're visiting a trusted page.

    Then if you want extra protection for the use cases you've listed (i.e. frequent usage of Flash-intensive community driven web sites), you can also configure NoScript to block ALL the embedded objects, with no regard for their origin: you will still be able to temporarily allow them selectively, by clicking on a visual placeholder.

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
  27. Windows ecosystem ? by rs232 · · Score: 1

    "This threat should be considered very serious because of the widespread distribution that Adobe Flash enjoys on the Windows ecosystem"

    Shouldn't that be monoculture .. :)

    --
    davecb5620@gmail.com
  28. Re:This is NOT a 'zero day flaw'..... by Anonymous Coward · · Score: 0

    Wow, nice job. You got it wrong too, in a post devoted to defining it.

    It's the number of days after a security patch that an exploit is released that exploits the patched hole.

    If a hole is exploited before the hole it takes advantage of is patched, or even known about, then it is a zero-day exploit.

  29. Re:This is NOT a 'zero day flaw'..... by OneSmartFellow · · Score: 0

    tomorrow, this will STILL be a zero day exploit.

    Which further supports my claim that the phrase is meaningless. It's an exploit with no 'patch' as of yet. Aren't all (working) exploits unpatched? When the patch (which probably isn't a 'patch' at all, but a new version of an application - binary patches are pretty rare) arrives but is not deployed on a particular site, is that site a 'zero day' site still? Does it become a "-X day" site? On the day the patch is released is the exploit named a X-Day exploit (X being elapsed days between discovery and patch)? What happens the next day, does the name change again?

    Face it, the phrase is empty. For the love of Dog, please stop using it, it's driving me insane !!!!

    Besides, isn't this just an SQL injection exploit? They've been around for years.

  30. Re:This is NOT a 'zero day flaw'..... by Daengbo · · Score: 3, Funny

    If that's your definition, ('zero day' == <time of publication>) then it still hasn't been used correctly, since the linked article is already a day old.
    and
    Given that the phrase 'zero day' is made of two single syllable words ...

    OneSmartFellow isn't today.

  31. no point porting the exploit ? by rs232 · · Score: 1

    "Silverlight doesn't work on Macs or Linux, so there's no point porting the exploit there"

    I thought it was a Flash vuln and don't you mean it doesn't work on Linux. As the exploit does use generic browser redirection scripts and SQL-injection.

    "Malware hunters have spotted a previously unknown - and unpatched - Adobe Flash vulnerability"

    --
    davecb5620@gmail.com
  32. Re:This is NOT a 'zero day flaw'..... by Gewalt · · Score: 2, Informative

    ya, now you're just mumbling incoherent gibberish. So sad. Either accept that your perceived definition was wrong, or stop talking about how you don't like what it doesn't mean.

    The phrase is not meaningless, there is no reason to stop using it.

    --
    Modding Trolls +1 inciteful since 1999
  33. tell that to Youtube .. by rs232 · · Score: 1

    "Adobe has to be the worst company ever to supply popular software for the web"

    I do believe it's the flakey OS that is at fault here ..

    --
    davecb5620@gmail.com
  34. NoScript can block Flash even if JS is enabled by Giorgio+Maone · · Score: 2, Informative

    Just check NoScript Options|Plugins|Apply these restrictions to trusted sites too. In this configuration, NoScript effectively replaces FlashBlock, and it works on plugins different from Flash as well.

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
  35. Re:This is NOT a 'zero day flaw'..... by OneSmartFellow · · Score: 1

    Given that the phrase 'zero day' is made of two single syllable words ...

    Good catch - very funny !
    OK, zero is indeed two syllables.
    Odd, makes me wonder what else does zero have in common with the letter 'W' and the number '7'?

  36. what about the designers of the OS ? by rs232 · · Score: 1

    "This isn't the first or the last time Flash will have vulnerabilities discovered"

    Do the designers of the OS bear any responsibility? What kind of a design allows remote code execution on a malformed media file? And this one happened by accident, does that mean that there are dozens of exploits out there waiting to be utilized by the criminal fraternity?

    --
    davecb5620@gmail.com
  37. x86 processor + Windows + Internet Explorer = .. by rs232 · · Score: 1

    "Hey Adobe: Try Using Stack Canaries! (Score:5, Informative)"

    How about building a stack that isn't vulnerable to stack exploits. And no - don't say it isn't possible. It just means the current batch of 'innovators' aren't able to manage it. So to summarise: x86 processor + Windows + Internet Explorer = the current fucked up security situation ..

    --
    davecb5620@gmail.com
  38. Re:This is NOT a 'zero day flaw'..... by daveyboy79 · · Score: 1

    Oh dear, looks like another one that can't read TFA..

    The original poster is correct, as Zero day (as you explain) refers to the amount of time after a patch or update, that the vulnerability is exploited.
    However multiple versions of adobe flash are affected by this meaning that it's at least a 162 day exploit...
    (V9.0.115.0 release date is December 18, 2007)

  39. That's why the dutch live below sea level...dopers by Anonymous Coward · · Score: 0


    Dopers are stupid. Only stupid people live below sea level. The Dutch live below sea level. Ergo, the Dutch a) live below sea level, b) are stupid, c) are dopers.

    No, I am not French. I know the Dutch are lazy dopers.

  40. Bree Olsen Makes Me Cum, so does Big Brother by Anonymous Coward · · Score: 0

    I'm certain there are plenty of backdoors in Flash, what better way for a shadow org in government to backdoor your Linux/Windows/Mac/Etc box? After all, most people use Flash, even if it's just for YouTube or Tube8.

    "but I use Linux! ha haa!" laughs the elite geek

    "and Flash!" cries the wolf

    "doh!" the geek whimpers, returning to jack it to bree

  41. No worries by __aavonx8281 · · Score: 2, Informative

    I'll just install the open source alternative to Flash on my Windows desktop...

    Guess this is the moment for Gnash (http://www.gnu.org/software/gnash/) to shine!

  42. Re:This is NOT a 'zero day flaw'..... by Anonymous Coward · · Score: 0

    Wow.. You sure spend a lot of energy talking crap.
    Zero Day is just what the previous poster said. The exploit came out today, before being given to the company to get an update prior to it being released to public. Get with the program and let it be. Author was simply using the term that is widely used.
    As far as the other crap in your post.. I'll simply let people read it and have a laugh at you.

  43. I.... by Max+Night · · Score: 1

    I miss Macromedia. Sigh.

  44. Re:x86 processor + Windows + Internet Explorer = . by Anonymous Coward · · Score: 0

    'x86 processor + Windows + Internet Explorer =' yet another linux snob who thinks they are better than everyone else because they use linux.

    DROP the attitude. The type of attack the dude was talking about is in just about every framework/system out there (including macs and linux and bsd). Java does it FOR you, .Net does it for you. VS c++ makes it optional. Why would they do that? I have a 1 off application that is going to run for 20 days then be chucked. Do I need that check? Not really. It is a side effect of the call/return arch we use for just about every single computer made since the 70s.

    Not all applications are going out to the 'unwashed masses'.

    Where would YOU propose we put local function variables? In some 'other memory area'? OH WAIT thats a stack. Even if you make it PER function you still have a stack. A small one but still a stack. You also need a bit of memory to tell you how to get back to where you were. And a bit of memory to put the registers back into a state that can be used by the caller function.

    To 'fix' this 'type' of attack you would have 1 function copy per call. So that way you can just do a goto back to the correct spot of code. However that bloats code and blows processor cache to hell. So you might as well inline the WHOLE program. Come find me when your code runs 200x as slow as someone else's who doesn't do that.

    Fuzzing and canaries are an EXCELLENT way to find this sort of bug. Plus things like BoundsChecker and Purify. It CAN be done. It takes work. You know, using that thing holding your ears apart. But you like to make grand statements of 'oh just do it MY way and it will be fixed'. Yet you do not say HOW to fix it.

  45. Flash by roman_mir · · Score: 3, Insightful

    Last Friday at work I was approached by a PM who was panicking: we lost the people who were working on Flash components for the corporate website. Someone was supposed to be flown from India to work on the component, but they couldn't make it for personal reasons. So the question was: can this be done in dynamic html? Well, of course it can be done in dhtml, I said. It can look exactly like flash and do exactly what flash is doing. Some of the devs who were also working on Flash components, but who couldn't handle the Flash problem in this case, were insisting that it is in fact 'impossible' to do this, to make a dhtml component that would look and do exactly the same thing as Flash, and dhtml will not work in all browsers etc. 3 days later they were proven wrong.

    In any case, my point is that Flash is an overkill for most GUIs on the web, it's good for video streaming, but even for that it is not absolutely necessary. However for whatever reason various dynamic functionality is often required by the business to be done within the browser. Something that cannot be done without some sort of scripting - sliding tabs, smooth transformations between images/text whatever. Such functionality is what browser side scripting is for. In order to be able to use this functionality at least javascript will have to be allowed. Whether anyone really wants to go to the website is a different question, but some websites provide useful functionality that is welcomed by the customers.

  46. Updated info re this sploit... by Fallen+Andy · · Score: 3, Informative
    ShadowServer has updated information on this here.

    See also Symantec Threatcon here

    So it looks like if you have the latest Flash plugin (9.0.124) you may be OK.

    Andy

  47. Re:x86 processor + Windows + Internet Explorer = . by rs232 · · Score: 0, Flamebait

    "How about building a stack that isn't vulnerable to stack exploits", rs232

    "Where would YOU propose we put local function variables?"

    In other words, you for one don't know how to do it. The rest of your comments are so much attitudinal waffle.

    --
    davecb5620@gmail.com
  48. re: Score 1, Flamebait .. by rs232 · · Score: 1

    Just how many accounts do you have .. :)

    --
    davecb5620@gmail.com
  49. Finally... by AmonEzhno · · Score: 1

    Quick! Everybody stop using flash!

  50. Plugin problematic by DrYak · · Score: 1

    The main problem that I find with SWFDEC is that their plugin functions the exact same way as the official Flash:
    it's a huge library containing a full fledged flash player that runs inside the same process as Firefox. Should Swfdec happen to crash (or every time the official flash crashes) it takes the whole browser with it.

    Gnash on the other hand functions differently: it's a small library whose main function is to call the standalone player and embed it inside the webpage. When Gnash crashes, only that instance crashes. The browser (or any other instance of Gnash, for that matter) remains unaffected.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  51. Firefox 3 allows live plugins switching by DrYak · · Score: 1

    Starting from version 3, you can turn plugins on and off from the Addon menu without needing to restart the browser.
    You can therefore use gnash for most of the usual browsing (Flash used for embedding fonts for titles, Flash used for menus) and turn on the official flash whenever you want something more heavy (Games or Flash animation that don't work with Gnash)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  52. Re:This is NOT a 'zero day flaw'..... by 99BottlesOfBeerInMyF · · Score: 1

    Which further supports my claim that the phrase is meaningless. It's an exploit with no 'patch' as of yet. Aren't all (working) exploits unpatched ?

    It refers to exploits where no patch is yet available. Your attempt to redefine it, again, to make it meaningless is not helpful. Most incidents where an exploit is successful are affecting machines that simply have not applied an available patch. These mostly hit home users using software that does not auto-update.

    The term "zero day" is useful because it differentiates exploits where there is no available patch, which are of particular concern to security minded people, especially administrators. Zero day exploits are the ones where they have to do something other than test and install an update, or make sure it is already up to date. In the case of a zero day, they have to look for work-arounds, potentially disabling a service, or sending out a memo to users to tell them not to do something they might normally do. Because of this, the term "zero day" is a very, very useful term for security people and seeing it normally means it is a potentially serious issue they must address.

    The problem is that the media saw the term, noticed people were attentive to it, and started using it as a synonym for "bad." Likewise, the unwashed masses have started to use it the same way, having seen the term in the media.

    Face it, the phrase is empty. For the love of Dog, please stop using it, it's driving me insane !!!!

    The phrase is very useful for discussion among people who know what they're talking about. So for the love of Buddha, please stop misusing it, stop misinforming people about it, and why don't you stop misusing it yourself. Not all of us want our vocabularies dumbed down to the subset understandable by the least common denominator of society, nor do we want to have to use less precise language just because laypeople misuse a term.

  53. As if Flash was needed. by DrYak · · Score: 1

    That same frame shows related videos and even sponsored content on some sites. As if context-based advertising was never seen before Flash.

    People have been doing such kinds of things using Javascript for ages. There's no reason that, once a video-embedding standard becomes mainstream, Javascript ads will suddenly become not possible.

    In fact people can even today put an "embed" video and use "Adsense" on the page (as long as either the page is not empty and there are at least a couple of keywords, or there are enough cure from pages pointing to the video page). (See example of Javascript ads - even with a flash animation from Weeble's Stuff - here).
    Facebook is another example of site which relies on Flash mostly for the player and uses its Ajax infrastructure for nearly anything else.
    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  54. Re:This is NOT a 'zero day flaw'..... by Anonymous Coward · · Score: 0

    It once did, now it's used more generally, to mean an exploit that's in the wild and for which there is no patch currently available (the general meaning being you are vulnerable and cannot immediately fix it).

    If you want explain why your more narrow definition is preferable to the current more general definition please feel free.

  55. Not necessarily stack overflow by deathjestr · · Score: 1

    All I got from the article is that there is an "unspecified remote code-execution vulnerability". This doesn't necessarily mean a stack overflow. And while a 'stack canary' is a good security measure, it still doesn't protect against a stack overflow that overwrites local variables without touching the return address.

    The reason I say this is that they may already be using these security measures. I know any version of Visual Studio that isn't prehistoric turns this feature (/GS) on by default.
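
An added example for the stack-canary exchange in comments 44 and 55 above, not code from the page or from Adobe: the guard word is checked only in the function epilogue, so an overflow that stops inside the locals passes the check, while one that reaches the guard aborts. The `struct frame` layout below is an assumption standing in for a real compiler's frame; GCC's -fstack-protector and MSVC's /GS reorder locals so that character arrays sit directly below the guard and above scalar locals, precisely to narrow the window this model shows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Modelled stack frame (an assumption, not a real compiler frame): the
 * attacker-written buffer sits lowest, another local above it, then the
 * guard word, then the saved return address. An overflow of buf reaches
 * these fields in that order.
 */
struct frame {
    char     buf[16];   /* target of an unbounded copy */
    uint32_t is_admin;  /* some other local variable */
    uint32_t canary;    /* guard word checked in the epilogue */
    uint64_t ret;       /* saved return address */
};

#define CANARY_VALUE 0x9D3F1A2Cu

enum outcome {
    SAFE,               /* nothing outside buf was touched */
    LOCAL_CLOBBERED,    /* is_admin overwritten, canary intact: no abort */
    CANARY_TRIPPED      /* canary (and maybe ret) overwritten: abort before return */
};

/* Copy n attacker bytes into buf with no bounds check, then run the
 * epilogue's guard check. The copy is capped at the frame size so the
 * demo itself never writes outside the struct. */
enum outcome simulate_overflow(const unsigned char *payload, size_t n)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    f.ret = 0x401000;                        /* assumed legitimate return address */

    if (n > sizeof f) n = sizeof f;
    memcpy((unsigned char *)&f, payload, n); /* the overflow: starts at buf, keeps going */

    if (f.canary != CANARY_VALUE)
        return CANARY_TRIPPED;               /* __stack_chk_fail() / __report_gsfailure() */
    if (f.is_admin != 0)
        return LOCAL_CLOBBERED;              /* check passes; is_admin is attacker-chosen */
    return SAFE;
}

/* Convenience: a payload of n 'A' bytes. */
enum outcome overflow_with_As(size_t n)
{
    unsigned char payload[64];
    memset(payload, 'A', sizeof payload);
    return simulate_overflow(payload, n);
}

int main(void)
{
    static const char *const names[] = { "SAFE", "LOCAL_CLOBBERED", "CANARY_TRIPPED" };
    size_t sizes[] = { 16, 20, 24, 32 };
    for (size_t i = 0; i < sizeof sizes / sizeof *sizes; i++)
        printf("%2zu bytes -> %s\n", sizes[i], names[overflow_with_As(sizes[i])]);
    return 0;
}
```

Sixteen bytes fill buf exactly; twenty bytes overwrite is_admin with 0x41414141 while the guard is intact, so the function returns normally with an attacker-chosen local; only at twenty-four bytes does the epilogue fail the check and abort. That gap is what comment 55 describes, and it is why a canary is a mitigation for return-address overwrites rather than for memory corruption in general.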

  56. Why people use flash... by argent · · Score: 2, Interesting

    Flash is an overkill for most GUIs on the web

    Underline that, set it in boldface, carve it in granite, mod parent up, the works...

    I really think the main reason people use flash is because it moderately increases the difficulty of reverse-engineering an interface. Chopping up a .swf package can be done, even without a few hundred bucks worth of Adobe software, but it's more work than running "curl -o filename url" a few times. It's obfuscation, pure and simple.

    1. Re:Why people use flash... by nidarus · · Score: 1

      I really think the main reason people use flash is because it moderately increases the difficulty of reverse-engineering an interface. Chopping up a .swf package can be done, even without a few hundred bucks worth of Adobe software, but it's more work than running "curl -o filename url" a few times. It's obfuscation, pure and simple.

      I doubt it. It's possible to obfuscate HTML/Javascript to some extent, and yet, no one bothers to. The closest thing to obfuscation you get on the web is Javascript minimization, and that's for bandwidth reasons, not obfuscation. In fact, most modern web pages try to be clean and readable. Some commercial web sites I've looked at, even had comments.

      If average Flash sites looked just like average HTML sites, I would've thought you had a point. But they don't. They're image based, have complex layouts, and annoying animation/video everywhere. It's simply much easier to make these sites in Flash. It can literally take 2-3 lines of code (and even no code).

      Of course, I agree with the GP that all of these "features" are annoying and that Flash-based sites suck. But I really don't think the reason is obfuscation.

    2. Re:Why people use flash... by argent · · Score: 1

      It's possible to obfuscate HTML/Javascript to some extent, and yet, no one bothers to.

      People do it all the time. Just about every site that streams music or video has some kind of scheme to obscure the actual URL from casual readers. Over time most of them have switched from HTML and Javascript to Flash, even though they don't actually do much more in the flash interface than the controls you get by default when you embed Quicktime or Windows Media players in the page.

      Other common places you see this is in ads and other places that have a reason to force people to follow a link to find out what they are, or to hide viewer-tracking code in web bugs.

      Or worse: the only place I've seen more deliberate obfuscation of code than pre-flash streaming sites is in phishing sites... and the kind of obfuscation in both places is similar... decoding it generally involves running through a couple of layers of "take a hex-coded string, insert '%' between every third character in this string, use the URL decoder function, look up part of the name in a table of hex coded strings and do the same thing to them, and paste them all together with a partial URI...".

      If average Flash sites looked just like average HTML sites, I would've thought you had a point.

      Most flash isn't in flash-based sites, it's little panels in regular sites. Little panels that often have simple graphics and not even any animations, doing things that are trivial in CSS, but that require you to actually interact with them to find out what they're all about.

      For all these things obfuscation is far more important than ease of generating fancy transitions.

    3. Re:Why people use flash... by nidarus · · Score: 1

      Most flash isn't in flash-based sites, it's little panels in regular sites. Little panels that often have simple graphics and not even any animations, doing things that are trivial in CSS, but that require you to actually interact with them to find out what they're all about. For all these things obfuscation is far more important than ease of generating fancy transitions.

      I don't know... do you have any common examples? I can only think of a few ways Flash is being used on the web:

      • Ads. Those usually have some annoying animation (even text popping out from somewhere). Much easier to do in Flash than in CSS/DHTML. In fact, the actual animation requires only a couple of minutes to do, and no programming whatsoever.
      • Annoying mouseover transitions and other stupid animations. As above, animation is really much easier to do in Flash, especially for non-programmers.
      • Embedded video. Impossible to do without some kind of plugin, and Flash behaves much better than Quicktime or embedded Windows Media Player. Btw, both Quicktime and Windows Media try to make downloading streaming media hard, so I don't think that moving to Flash-based players is because of obfuscation.
      • Pure flash sites. More common than you might think. Especially image (as in corporate image) sites for movies, bands, and the like. Also, in my experience, ~50% of graphic design/illustration/architecture portfolios and corporate sites are pure flash.

      All of those are because Flash is great for simple animations, and because the Flash plugin is fast and well behaved (unlike Quicktime or Windows Media Player). The only example I can think of that actually uses Flash for obfuscation is how flickr uses it to prevent downloading images, but that's about it.

    4. Re:Why people use flash... by argent · · Score: 1

      I don't know... do you have any common examples?

      YouTube?

      One of the things that pissed me off about Google buying YouTube is Google Video didn't used to use any obfuscation. And they ended up re-encoding a bunch of videos that were already working just fine.

      Flickr is your example.

      Then there's places like Ocean Footage who seem to still be using redirection tricks for obfuscation.

      Flash behaves much better than Quicktime or embedded Windows Media Player.

      Where "behaves much better" means "hangs more often"?

      Btw, both Quicktime and Windows Media try to make downloading streaming media hard

      View Source, search for ".mov" or ".wmv" is "hard"?

    5. Re:Why people use flash... by nidarus · · Score: 1

      One of the things that pissed me off about Google buying YouTube is Google Video didn't used to use any obfuscation. And they ended up re-encoding a bunch of videos that were already working just fine.

      Didn't they always use Flash? The "old" Google Video player certainly uses it now, and I don't remember it changing a lot since its launch. If they didn't, what did they use? WMP? Quicktime? Some kind of a Java Player? And if they did use Flash, doesn't it undermine your argument?

      Where "behaves much better" means "hangs more often"?

      In my experience, across several different computers and browsers, the exact opposite is true. Quicktime would constantly hang ("Why isn't my browser responding? Oh, it was a Quicktime video...") and crash, and was generally annoying and slow. Windows Media Player wouldn't even work on Firefox most of the time (all of the time?), and when/where it did, it was just as bad as Quicktime. In fact, just about every plugin aside from Flash - PDF, Java applets, whatever, suck. I really think that the speed (esp. loading speed) and (relative) stability of the Flash plugin is the one of its main selling points.

      View Source, search for ".mov" or ".wmv" is "hard"?

      With WMP, the source usually leads to an asx/asf file streamed over MMS. It's possible to capture, but not any easier than capturing flash videos (which aren't that hard to capture either, judging by the sheer volume of FLV capture tools). I don't know what streaming/obfuscation capabilities Quicktime offers, mostly because I've rarely encountered it in commercial sites.

      Anyway, I agree that obfuscation is an important feature of the Flash video player, but since it already existed in WMP, it couldn't have been the main reason to use Flash.

    6. Re:Why people use flash... by argent · · Score: 1

      Didn't they always use Flash? The "old" Google Video player certainly uses it now

      I used to be able to download quicktime videos from them directly, and they sure didn't look like flash... I use flashblock, so Flash just shows up as a (>) play icon until I click on it.

      Which, by the by, may be why I notice people using Flash for obfuscation. Flash web bugs and the like show up as (>) play icons for me, but they look just like regular images for most people.

    7. Re:Why people use flash... by nidarus · · Score: 1

      I used to be able to download quicktime videos from them directly, and they sure didn't look like flash

      What do you mean by "directly"? They didn't have an embedded player at all? Maybe it was a Flash player streaming QT files? In any case, I've been using Google Video before they bought Youtube, and the interface has been Flash-based for some time now.

      In any case, you can still download videos directly. They're just in a different format (SWF) now.

  57. My Stewped Bank' "Website" by BattyMan · · Score: 2, Insightful

    Insists on having access to a Flash player, or it won't let me in.
    "For 'Security' Reasons".
    Now I have even more ammunition with which to criticize their "security". (this began when they recommended Internet Exploiter(tm)(r)(c) and the prevailing commercial "Operating System"s, and locked out me, with my Debian and IceWeasel: "IceWeasel? That's _not_ an approved browser!")

    Hey, I know. I need a new bank. Does anybody know of one that's clueful enough to _not_ recommend IE?

    --
    Exceeding the recommended torque is not recommended.
    1. Re:My Stewped Bank' "Website" by Anomalyst · · Score: 1

      I use FF and block flash with National City.
      I think it does need JS enabled, though ...BRB... yup password page needs it, sigh.

      Add "https://onlinebanking.nationalcity.com/OLB/offers/*"
      to adblock.

      From their FAQ, not really a recommendation, more of a suggestion with alternatives, although I, too, would prefer an explicit and preceding mention of FF.

      Q. What are the system requirements for Online Banking via the Internet?

      A. To bank online with National City via the Internet, you must have Internet access, and a browser that supports 128-bit encryption such as Microsoft Internet Explorer 6.0 or higher, Netscape Navigator 7.0 or higher or Safari 1.0 or higher.

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
  58. Useful animated gifs by SpaceLifeForm · · Score: 1
    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  59. HTML proxy by JackRazz · · Score: 1

    An HTML proxy can protect you by directing all HTML to the proxy software first, which then filters it with regular expressions and forwards the filtered HTML page to the browser. I use an old program called Proxomitron with sidki's rule set (config file) and it stops Flash and then allows you to start each one with a hyperlink-style click. http://en.wikipedia.org/wiki/Proxomitron Of course it's a Windows-only util, but Linux doesn't need it.
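
An added example serving comment 26 (NoScript's default rule: embeds from any host other than the page's own are blocked unless that host is whitelisted) and comment 59 (a filtering proxy that stops script and Flash loads before the browser sees them). It is not NoScript's or Proxomitron's code; the tag scan, the policy function and the sample page are constructed for illustration, and the sample reuses the throwaway domains that comment 26 names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive "s starts with prefix" (ISO C only, no strncasecmp). */
static int ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Lowercased host of an absolute URL ("http://host/..." or "//host/...").
 * Returns 1 on success, 0 for a relative URL, -1 for a malformed one. */
static int url_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "//");
    if (!p) return 0;
    p += 2;
    size_t n = strcspn(p, "/:?#");
    if (n == 0 || n >= outlen) return -1;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return 1;
}

enum verdict { FIRST_PARTY, WHITELISTED, BLOCKED };

/* NoScript-style default policy for one embedded resource on page_host: a relative
 * URL or the page's own host is first-party, a listed host is whitelisted, anything
 * else (or a URL we cannot parse) is blocked. */
enum verdict judge(const char *src, const char *page_host,
                   const char *const *allow, size_t nallow)
{
    char host[256];
    int r = url_host(src, host, sizeof host);
    if (r == 0 || (r > 0 && strcmp(host, page_host) == 0)) return FIRST_PARTY;
    if (r < 0) return BLOCKED;                        /* fail closed */
    for (size_t i = 0; i < nallow; i++)
        if (strcmp(host, allow[i]) == 0) return WHITELISTED;
    return BLOCKED;
}

/* Walk html, find script/embed/iframe/object tags, pull out their src= or data=
 * value, and return how many the policy would block. Quoted and unquoted values
 * are both handled, since injected fragments often omit the quotes. */
size_t count_blocked(const char *html, const char *page_host,
                     const char *const *allow, size_t nallow)
{
    static const char *const tags[] = { "<script", "<embed", "<iframe", "<object" };
    const size_t ntags = sizeof tags / sizeof *tags;
    size_t blocked = 0;
    for (const char *p = html; (p = strchr(p, '<')) != NULL; p++) {
        size_t t = 0;
        while (t < ntags && !(ci_prefix(p, tags[t]) && !isalnum((unsigned char)p[strlen(tags[t])])))
            t++;
        if (t == ntags) continue;                     /* not a tag we care about */
        const char *end = strchr(p, '>');
        if (!end) break;
        const char *val = NULL;                       /* start of the attribute value */
        for (const char *q = p + 1; q < end; q++) {
            if (isalnum((unsigned char)q[-1])) continue;   /* skip e.g. "datasrc=" */
            if (ci_prefix(q, "src="))  { val = q + 4; break; }
            if (ci_prefix(q, "data=")) { val = q + 5; break; }
        }
        if (!val) { p = end; continue; }
        char quote = (*val == '"' || *val == '\'') ? *val++ : '\0';
        const char *e = quote ? strchr(val, quote) : val + strcspn(val, " \t\r\n>");
        size_t n = e ? (size_t)(e - val) : strlen(val);
        char src[512];
        if (n >= sizeof src) n = sizeof src - 1;
        memcpy(src, val, n);
        src[n] = '\0';
        if (judge(src, page_host, allow, nallow) == BLOCKED) {
            blocked++;
            printf("would block: %s\n", src);
        }
        p = end;
    }
    return blocked;
}

/* Constructed sample page: a first-party script, a whitelisted CDN script, the
 * site's own Flash banner, and two injected loads from the domains in comment 26. */
const char SAMPLE_HTML[] =
    "<html><head><title>Trusted site</title>\n"
    "<script src=\"/js/site.js\"></script>\n"
    "<script src=\"http://ajax.example-cdn.net/lib.js\"></script>\n"
    "</head><body>\n"
    "<object data=\"http://www.trusted.example/media/banner.swf\"></object>\n"
    "<script src=http://woai117.cn/1.js></script>\n"
    "<iframe src='http://wuqing17173.cn/i.htm' width=0 height=0></iframe>\n"
    "</body></html>";
const char *const SAMPLE_ALLOW[] = { "ajax.example-cdn.net" };
const size_t SAMPLE_NALLOW = sizeof SAMPLE_ALLOW / sizeof *SAMPLE_ALLOW;

int main(void)
{
    size_t n = count_blocked(SAMPLE_HTML, "www.trusted.example", SAMPLE_ALLOW, SAMPLE_NALLOW);
    printf("%zu third-party embeds blocked\n", n);
    return 0;
}
```

Run against the sample it reports the two injected loads (woai117.cn and wuqing17173.cn) and lets the relative script, the site's own .swf and the whitelisted CDN through, which is the outcome comment 26 describes for a SQL-injected script fragment on an otherwise trusted page. The scan only sees literal src/data values in the markup; a document.write() that assembles the remote address at run time is invisible to a pattern-matching proxy and is only caught at the point where the browser issues the request, which is where a content-policy hook such as NoScript's sits.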

  60. Not 'unknown' by supermansuper · · Score: 1

    This was a known vulnerability that was fixed in 9.0.124.0 http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue_u_1.html Just make sure you upgrade.

  61. NOT zero day, more zero years. by Anonymous Coward · · Score: 0


    http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue_u_1.html

    this has been fixed months ago. It is just an implementation of the vulnerability discovered by Mark Dowd.

  62. Windows-only, according to Symantec. by pyrr · · Score: 1

    Affected platforms: Windows 95-Vista, and everything in between.

    http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-052714-3021-99

    Even though the exploit does compromise Flash running on Linux or Mac, and even if the Windows trojan horse executable somehow worked on platforms other than Windows, there's still a matter of permissions keeping the malware from getting system-level access.

    As far as Vista goes, the main thing I wonder about is if the exploit requires that the user give it permission to run through UAC. Even though UAC seems to be pretty useless in terms of only teaching users to click "allow" repeatedly to get anything done, it doesn't help at all if the compromised processes happen to be running under system level permissions anyway. I'd hope at the very least users would have to click 'allow' mindlessly to be infected by the trojan.