Slashdot Mirror
92% of Windows PCs Vulnerable To Zero-Day Attacks On Flash
CWmike writes "More than 9 out of every 10 Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won't patch until Thursday, Danish security company Secunia says. According to Secunia, 92% of the 900,000 users who have recently run the company's Personal Software Inspector (PSI) utility have Flash Player 10 on their PCs, while 31% have Flash Player 9. (The total exceeds 100% because some users have installed both.) The most-current versions of Flash Player — 9.0.159.0 and 10.0.22.87) — are vulnerable to hackers conducting drive-by attacks hosted on malicious and legitimate-but-compromised sites. Antivirus vendors have reported hundreds, in some cases thousands, of sites launching drive-bys against Flash."
Well at least the iPhone is safe...
Will Flash just die already! We have the video tag, IE users can suck it up as well. FlashBlock for Firefox, but what to use for Chrome?
This makes FlashBlock all the more useful. No flash that I don't explicitly enable ever runs in my browser, which should stop these drive-by attacks in their tracks (unless they somehow infect flash objects I would normally allow, instead of injecting a new "hidden" object into the hacked sites).
is like RealNetworks was years ago.
The only difference is that when Real started raping people's computers it was replaced.
Zero-Day attack
The coder: whack
One means to stop
The furbrained attack
Burma Shave
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Capable? I'm sure they could, I just get the distinct feeling that they don't feel like doing it. Which would be fairly typical, MS for instance likes to get angry when people mention the fact that they've been taking months to patch a serious vulnerability. Admittedly you don't want a patch to cause another vulnerability, but how long does it really take to get a proper fix?
Capable? I'm sure they could, I just get the distinct feeling that they don't feel like doing it. Which would be fairly typical, MS for instance likes to get angry when people mention the fact that they've been taking months to patch a serious vulnerability. Admittedly you don't want a patch to cause another vulnerability, but how long does it really take to get a proper fix?
If the FOSS community is any indication, it takes anywhere from a few hours to a couple of days after the vulnerability is disclosed.
I am surprised how Microsoft often gets a pass on these issues, considering the vast resources at their command and the fact that Windows is a monoculture so their mistakes simultaneously affect millions of people. Most FOSS software is written by a "rag-tag band" by comparison, so why isn't Microsoft held to a higher standard of responsibility?
It is a miracle that curiosity survives formal education. - Einstein
If it were an actual mistake, then I would agree with you. It wasn't an error.
He purposefully did it and when he got caught he then apologized for it. What I'm saying is, if nobody said anything, he'd still be doing it.
Um, if your operating system is fucking brittle that a Flash update brings it down, then you've got really huge problems.
The world's burning. Moped Jesus spotted on I50. Details at 11.
"A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems" (emphasis added.)
TFA only mentions Windows because they don't bother scanning Macs or Linux boxes.
You know ...
I hate Adobe software.
There, I said it.
Photoshop is buggy. Premiere is often weird and arcane. Flash and Reader have had some NASTY security holes of late. Reader is a painfully source resource pig. Adobe is at least a year late in releasing a 64 bit version of Flash (outside of the Linux beta).
You know you're in trouble when freakin' MicroSoft is putting out better software.
Adobe's releasing one awful update after another. They seem to lack the resources and expertise to maintain a huge portfolio of overly-ambitious software on a wide variety of platforms. They just can't seem to get anything right with their free (as in beer) software from a security, and sometimes even usability, standpoint.
Dear god.
Request to Adobe: if you want to be the gateway for rich content on the 'net, please realize what's at stake if you fsck things up. By botching security, you're putting millions of people at risk for having their lives turned upside down by thieves and fraudsters. You're releasing the digital equivalent of Pintos. Please start fixing your mess.
People get pissed when Open Source patches break things too.
The difference is that in the Open Source world things tend to be more modular so making a change isn't as likely to cause unintended side affects.
as this problem was worked on some months ago.
It's not a "problem" that can be "worked on". It's the character of the author. As any decent psychologist will tell you that character is inborn and cannot be changed or "worked on".
The character of the author of NoScript is that of the authors of
1) adware (redirecting to his ad-laden website with each meaningless update and preventing you from blocking these ads)
2) spyware/malware (changing configuration without the user's consent).
He admitted his error
You're kidding us right? Look up the definition of the word "error" and compare it with the definitions of the words "willful", "deliberate" and "intent".
Um, if your operating system is fucking brittle that a Flash update brings it down, then you've got really huge problems.
Huh. The post you're replying to is talking about Windows updates, not Flash, because the discussion got sidetracked at some point. I haven't heard of a Flash update bringing down Windows, except maybe if it messes with boot.ini or MBR or system files. I would imagine the same thing would happen in Linux or OS X.
Now if you're talking about Flash vulnerabilities in Windows, remember that OS X/Linux is similarly exploitable through Flash.
From http://www.theregister.co.uk/2009/07/22/adobe_flash_attacks_go_wild/
In an advisory that was updated after this article was published, Adobe says the "vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems."
The company expects to release an update fixing Flash in Windows, OS X and Unix on July 30 and fixing Acrobat and Reader on those same three platforms on July 31.
This space for rent.
Wait a minute, you mean errors can't be willful ? So if someone does something willfully, deliberately and with an intent, he can't later realise his mistake and make amends ? I think you need to review your position on this.
"Not to mention all the idiots who use words like boxen."
Anonymous Coward on Monday August 04, @06:49PM
It's not a "problem" that can be "worked on". It's the character of the author. As any decent psychologist will tell you that character is inborn and cannot be changed or "worked on".
That's a pretty dismal view of human nature. I, on the other hand, believe people can change.
--Bruce
There are 10 kinds of people in the world: those who understand binary, and those who don't.
As any decent psychologist will tell you that character is inborn and cannot be changed or "worked on".
If by "decent", you simply mean, "holds your archaic worldview", I suppose...
The notion that people's character is set in stone at birth is laughably absurd.
The character of the author of NoScript is that of the authors of
1) adware (redirecting to his ad-laden website with each meaningless update and preventing you from blocking these ads)
2) spyware/malware (changing configuration without the user's consent).
How about:
3) people who make mistakes.
The real "test of character" isn't whether he made a mistake, but what he does about it afterwards. So far, he seems to have responded appropriately, which shows good character, actually.
No decent psychologist I know of would ascribe personality (of which character is a part of) to inborn traits, disregarding experience and environment. Character as an inborn trait is an asinine idea: neither the behaviorist nor the biopsychologist would take that statement seriously.
Flashblock will not save you from this vulnerability. Flashblock only blocks flash objects in your internet browser (firefox/seamonkey.) This attack uses flash objects embedded in pdf documents which are handled by Adobe Reader. Now, who decided it was a good idea to allow pdf documents to have flash embedded in them?
Because a "rag-tag band" doesn't have to QA their source change against an entire operating system? Remember how people tend to get pissed when MS releases patches that break functionality?
So if I understand you correctly, you are saying this is an unfair comparison, like comparing an apple and an orange.
I disagree because the concern you have raised applies to every general-purpose operating system on the planet. Certainly the software license (MS EULA or GPL) does not change this situation. If a bug is found in the Linux kernel or an important piece of userspace software, the people who patch it also have the same concerns about whether their fix is going to break anything else. So, I am satisfied that we are comparing an orange to an orange. We are still without a good explanation as to why the entity with superior resources and superior manpower is not doing the better job.
It is a miracle that curiosity survives formal education. - Einstein
I wonder how true that really is.
Microsoft take so long to produce patches because they have to do a huge amount of testing. The figure they gave was something like 250 versions of Internet Explorer, when you take in to account every OS, every architecture, every language, every service pack level and so on that it runs on. I don't know if they test them all, but the implication was that extensive testing to avoid breaking the Elbonian language version running on Windows XP N SP2 took far longer than developing the patch itself.
Don't get me wrong, I'm not advocating delaying security patches to check for compatibility. It makes more sense to fix the vulnerability immediately and stop people getting infected, even if you break certain configurations in the short term. What I question is the proposition that OS software, perhaps by virtue of being more compartmentalised, is somehow less prone to this sort of thing, as opposed to simply doing the right thing even if it breaks stuff.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Umm, I never said there won't be any issues with Silverlight. In fact I bet there would be. My point is that MS seems to have finally woken up to security threats and is trying to clean up by having proper security audits to avoid many(NOT ALL) security holes. For example: http://cplus.about.com/b/2009/05/15/microsoft-security-and-cc-programming.htm http://tech.slashdot.org/article.pl?sid=09/05/15/152213 This seems to be paying dividends with Vista, most of the security holes discussed over the past few weeks either flat out don't work on Vista or trigger a UAC prompt. Adobe has yet to do something like this. That's my whole point. Now if you argue that I am a (paid) shill, I have nothing to say but point you to this http://linux.slashdot.org/story/09/07/25/1757253/Linus-Calls-Microsoft-Hatred-a-Disease
This space for rent.
Silverlight doesn't have any reported issues since not enough people use it for the bad guys to bother investing resources in finding its vulnerabilities. It's related to the same "macs don't get viruses" argument that was floated around right up until the point that macs became popular enough for virus writers to bother with them.
2) The annual pwn2own competition, among others, shows that Linux and Windows are similarly secure and OSX is much less secure. OSX goes down first every year, while Windows and Linux both last until later days of the competition when more direct access to the systems is granted to the contestants.
First, I don't understand why this myth keeps appearing. Ubuntu is the only one that came out without being cracked.
Second, pwn2own shows what can happen if someone specifically targets your machine. No system is unbreakable to a truly determined and resourceful attacker, and nobody claims Linux is magically untouchable to such a concerted effort.
But that kind of targetted attack is not really what people care about when talking about general desktop security, is it? Nobody is targetting your mother's Windows machine, specifically. Her machine gets infected because trojans, viruses, and other malware is absurdly easy to pick up on the Windows platform just by going about her day to day work.
The thousands of exploits and vectors documented in Windows are of far more consequence to the average user than a focussed attack by a dedicated hacker deliberately trying to get into that specific machine. pwn2own demonstrates the latter threat, which is of no real concern to most users. It says nothing about the former threat, by far the more dangerous.
A Windows machine is more likely to be compromised, but that's because of market share.
This is such a tired argument. There are millions of LAMP stacks out there sitting on fat pipes. You think hackers and spammers wouldn't love to get their hands on those? The ones under my control get hammered all day, every day.
"Market Share" has nothing to do with the primary vector I notice plagues users either: Getting new apps. In any modern "desktop" disto, you get software out of a respository, which has been examined, vetted, and verified. If something's wrong with the package it won't get into the repo, and if it does, someone's going to notice quickly. It's not 100% foolproof but it's pretty damned great.
But Windows users don't have that option. Instead they scour the web looking for software which might do what they want, sift through the crippled versions, the trial versions, etc, and download a compeltely unknown binary from an unknown source, and run it. BIG SURPRISE, many of these come bundled with little extras -- trojans, adware, toolbars, and other party favors. Next thing you know the hapless Windows user is calling you to complain about how slow their computer is...
This is not a marketshare issue, it is one of many fundamental differences in the approach and structure of Windows versus Linux. If some genie made it such that Ubuntu had 90% marketshare tomorrow, that 90% of users would still be using Synaptic, and the 10% Windows users would still be downloading random executables from the web.
1) This vulnerability exists on OSX, Windows, and Linux.
As far as I can tell it exists on any platform where Flash is installed. It's not really an OS problem (though this is debatable, I guess), but an application problem. Though, the Zealot in me just has to point out that this is what happens when you deal with closed software. Now we're all waiting around twiddling our thumbs hoping Adobe will get off their butts and do something about this, because nobody else can.
mirrorshades radio -- darkwave, industrial, futurepop, ebm.