Slashdot Mirror
92% of Windows PCs Vulnerable To Zero-Day Attacks On Flash
CWmike writes "More than 9 out of every 10 Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won't patch until Thursday, Danish security company Secunia says. According to Secunia, 92% of the 900,000 users who have recently run the company's Personal Software Inspector (PSI) utility have Flash Player 10 on their PCs, while 31% have Flash Player 9. (The total exceeds 100% because some users have installed both.) The most-current versions of Flash Player — 9.0.159.0 and 10.0.22.87) — are vulnerable to hackers conducting drive-by attacks hosted on malicious and legitimate-but-compromised sites. Antivirus vendors have reported hundreds, in some cases thousands, of sites launching drive-bys against Flash."
The noscript author is an assclown who silently enables ads (And disables noscript) for his own financial advantage.
Sounds like someone doesn't keep current on events, as this problem was worked on some months ago.
"Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
The noscript author is an assclown who silently enables ads (And disables noscript) for his own financial advantage.
He admitted his error and has stopped doing this. See this link. The very first line? "I screwed up. Big time."
Any fool can make a mistake. It takes some guts to admit it, correct it, and try to move on especially in public like that. For that reason I do not count myself among the folks who still want to figuratively crucify him.
It is a miracle that curiosity survives formal education. - Einstein
Flash is now among the top attack vectors for Windows, and it isn't even covered by Windows Update.
There were 23 reported security issues in the last 2 years, including at least 4 browse-and-get-owned vulnerabilities.
In comparison, Silverlight has had no security bulletins since its 1.0 release (it's now at 3.0).
This may be just yet another reason to migrate to Silverlight, especially for intranet applications.
throw new SuccessException("Sig read successfully");
WRONG on many levels. If you're not running as admin, only your user files will get affected in all the current OSes including XP. But IE8 on Windows 7/Vista does sandboxing and hence is more secure than Firefox on Ubuntu out of the box. Don't believe me? Read is straight from the horse's mouth. http://blogs.zdnet.com/security/?p=2941
Why Safari? Why didnâ(TM)t you go after IE or Safari?
Itâ(TM)s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs donâ(TM)t do. Hacking into Macs is so much easier. You donâ(TM)t have to jump through hoops and deal with all the anti-exploit mitigations youâ(TM)d find in Windows.
Itâ(TM)s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesnâ(TM)t have anti-exploit stuff built into it.
[ SEE: 10 questions for MacBook hacker Dino Dai Zovi ]
With my Safari exploit, I put the code into a process and I know exactly where itâ(TM)s going to be. Thereâ(TM)s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I donâ(TM)t know where it is. Even if I get to the code, itâ(TM)s not executable. Those are two hurdles that Macs donâ(TM)t have.
Itâ(TM)s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But thatâ(TM)s only half the equation. The other half is exploiting it. Thereâ(TM)s almost no hurdle to jump through on Mac OS X.
This space for rent.
the exploit demo they link to does not work in 3.5, so it seems the bypass gap was closed...
Let's not let the facts get in the way of rabid fanboyism! After all, Linux is 100%, completely secure! There are magical GPL fairies in the kernel that protect it from any and all attacks, even when the app in question is from a 3rd party.
A computer worm that spreads through Flash and PDFs on PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough to still think Windows is not ridiculously and unfixably insecure by design.
1) This vulnerability exists on OSX, Windows, and Linux.
2) The annual pwn2own competition, among others, shows that Linux and Windows are similarly secure and OSX is much less secure. OSX goes down first every year, while Windows and Linux both last until later days of the competition when more direct access to the systems is granted to the contestants.
A Windows machine is more likely to be compromised, but that's because of market share. "Insecure by design" implies that you're talking about the security of the OS against someone who wants to compromise it. It's proven every year that only OSX lags in this area, and it lags quite badly (this year's winner rated the difficulty of compromising Vista and Linux as a 9-10, and the difficulty of breaking into OSX as a 3, IIRC).
3) Goto 1)
"I zero-index my hamsters" - Willtor (147206)
as this problem was worked on some months ago.
It's not a "problem" that can be "worked on". It's the character of the author. As any decent psychologist will tell you that character is inborn and cannot be changed or "worked on".
The character of the author of NoScript is that of the authors of
1) adware (redirecting to his ad-laden website with each meaningless update and preventing you from blocking these ads)
2) spyware/malware (changing configuration without the user's consent).
trifish: I'm getting quick on the Citation Neededs. I know from firsthand experience that people can and do change. So please, please rattle off some quotations or links providing evidence to support your theory that people can't change their "character."
The MAZZTer: I would just like to inform you that there are are entries in the about:config menu that allow you to turn off the first run "pop-op." I'm not sure that your "NoScript whitelisting NoScript" is a legit complaint, as you are capable of removing that, and I see nothing unethical about a software provider whitelisting their own site in their own software.
"Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
I'm on 3.0.11 and it didn't even work...