92% of Windows PCs Vulnerable To Zero-Day Attacks On Flash
CWmike writes "More than 9 out of every 10 Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won't patch until Thursday, Danish security company Secunia says. According to Secunia, 92% of the 900,000 users who have recently run the company's Personal Software Inspector (PSI) utility have Flash Player 10 on their PCs, while 31% have Flash Player 9. (The total exceeds 100% because some users have installed both.) The most-current versions of Flash Player — 9.0.159.0 and 10.0.22.87 — are vulnerable to hackers conducting drive-by attacks hosted on malicious and legitimate-but-compromised sites. Antivirus vendors have reported hundreds, in some cases thousands, of sites launching drive-bys against Flash."
This makes FlashBlock all the more useful. No flash that I don't explicitly enable ever runs in my browser, which should stop these drive-by attacks in their tracks (unless they somehow infect flash objects I would normally allow, instead of injecting a new "hidden" object into the hacked sites).
Capable? I'm sure they could, I just get the distinct feeling that they don't feel like doing it. Which would be fairly typical, MS for instance likes to get angry when people mention the fact that they've been taking months to patch a serious vulnerability. Admittedly you don't want a patch to cause another vulnerability, but how long does it really take to get a proper fix?
If the FOSS community is any indication, it takes anywhere from a few hours to a couple of days after the vulnerability is disclosed.
I am surprised how Microsoft often gets a pass on these issues, considering the vast resources at their command and the fact that Windows is a monoculture so their mistakes simultaneously affect millions of people. Most FOSS software is written by a "rag-tag band" by comparison, so why isn't Microsoft held to a higher standard of responsibility?
It is a miracle that curiosity survives formal education. - Einstein
If it were an actual mistake, then I would agree with you. It wasn't an error.
He purposefully did it and when he got caught he then apologized for it. What I'm saying is, if nobody said anything, he'd still be doing it.
"A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems" (emphasis added.)
TFA only mentions Windows because they don't bother scanning Macs or Linux boxes.
You know ...
I hate Adobe software.
There, I said it.
Photoshop is buggy. Premiere is often weird and arcane. Flash and Reader have had some NASTY security holes of late. Reader is a painfully source resource pig. Adobe is at least a year late in releasing a 64 bit version of Flash (outside of the Linux beta).
You know you're in trouble when freakin' MicroSoft is putting out better software.
Adobe's releasing one awful update after another. They seem to lack the resources and expertise to maintain a huge portfolio of overly-ambitious software on a wide variety of platforms. They just can't seem to get anything right with their free (as in beer) software from a security, and sometimes even usability, standpoint.
Dear god.
Request to Adobe: if you want to be the gateway for rich content on the 'net, please realize what's at stake if you fsck things up. By botching security, you're putting millions of people at risk for having their lives turned upside down by thieves and fraudsters. You're releasing the digital equivalent of Pintos. Please start fixing your mess.
People get pissed when Open Source patches break things too.
The difference is that in the Open Source world things tend to be more modular so making a change isn't as likely to cause unintended side effects.
as this problem was worked on some months ago.
It's not a "problem" that can be "worked on". It's the character of the author. As any decent psychologist will tell you, character is inborn and cannot be changed or "worked on".
The character of the author of NoScript is that of the authors of
1) adware (redirecting to his ad-laden website with each meaningless update and preventing you from blocking these ads)
2) spyware/malware (changing configuration without the user's consent).
Um, if your operating system is so fucking brittle that a Flash update brings it down, then you've got really huge problems.
Huh. The post you're replying to is talking about Windows updates, not Flash, because the discussion got sidetracked at some point. I haven't heard of a Flash update bringing down Windows, except maybe if it messes with boot.ini or MBR or system files. I would imagine the same thing would happen in Linux or OS X.
Now if you're talking about Flash vulnerabilities in Windows, remember that OS X/Linux is similarly exploitable through Flash.
From http://www.theregister.co.uk/2009/07/22/adobe_flash_attacks_go_wild/
In an advisory that was updated after this article was published, Adobe says the "vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems."
The company expects to release an update fixing Flash in Windows, OS X and Unix on July 30 and fixing Acrobat and Reader on those same three platforms on July 31.
This space for rent.
It's not a "problem" that can be "worked on". It's the character of the author. As any decent psychologist will tell you, character is inborn and cannot be changed or "worked on".
That's a pretty dismal view of human nature. I, on the other hand, believe people can change.
--Bruce
There are 10 kinds of people in the world: those who understand binary, and those who don't.
As any decent psychologist will tell you, character is inborn and cannot be changed or "worked on".
If by "decent", you simply mean, "holds your archaic worldview", I suppose...
The notion that people's character is set in stone at birth is laughably absurd.
The character of the author of NoScript is that of the authors of
1) adware (redirecting to his ad-laden website with each meaningless update and preventing you from blocking these ads)
2) spyware/malware (changing configuration without the user's consent).
How about:
3) people who make mistakes.
The real "test of character" isn't whether he made a mistake, but what he does about it afterwards. So far, he seems to have responded appropriately, which shows good character, actually.
No decent psychologist I know of would ascribe personality (of which character is a part) to inborn traits, disregarding experience and environment. Character as an inborn trait is an asinine idea: neither the behaviorist nor the biopsychologist would take that statement seriously.