92% of Windows PCs Vulnerable To Zero-Day Attacks On Flash
CWmike writes "More than 9 out of every 10 Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won't patch until Thursday, Danish security company Secunia says. According to Secunia, 92% of the 900,000 users who have recently run the company's Personal Software Inspector (PSI) utility have Flash Player 10 on their PCs, while 31% have Flash Player 9. (The total exceeds 100% because some users have installed both.) The most-current versions of Flash Player — 9.0.159.0 and 10.0.22.87 — are vulnerable to hackers conducting drive-by attacks hosted on malicious and legitimate-but-compromised sites. Antivirus vendors have reported hundreds, in some cases thousands, of sites launching drive-bys against Flash."
Browsing the web without a few browser mods is the only way to surf these days anyway.
Well at least the iPhone is safe...
Will Flash just die already! We have the video tag, IE users can suck it up as well. FlashBlock for Firefox, but what to use for Chrome?
This is the reason why we either need diversity in software or OSS. Flash is installed on practically every computer, and for good reason: many sites require Flash. However, relying on a single piece of software and a single software version is a bad idea, even more so when it is closed-source.
Everybody, Roll back to Flash player 5 for a little bit. And then have that warm gooey feeling of when you first tried animating with it... Now change your pants.
This makes FlashBlock all the more useful. No flash that I don't explicitly enable ever runs in my browser, which should stop these drive-by attacks in their tracks (unless they somehow infect flash objects I would normally allow, instead of injecting a new "hidden" object into the hacked sites).
The fix to all Flash problems lies here on Adobe's own web site: How to uninstall the Adobe Flash Player plug-in and ActiveX control.
If you're not using this, or something like it, then your Admin isn't doing their job.
It looks like none of the users are getting Flash until Thursday. Sorry guys, no Pandora for you. (Also looks like I won't be getting a cake on sysadmin day.)
is like RealNetworks was years ago.
The only difference is that when Real started raping people's computers it was replaced.
I've always said (for years) that Flash would be the killer infection vector and that its cross-platform ubiquity would be the Achilles heel for Linux and Mac.
This is but a taste of things to come. Flash is an abomination. It has too much power with too little end user control over that power. Combined with its insanely large install base and you have disaster waiting to happen.
I'm not sorry for being right all the time. So suck it!
Zero-Day attack
The coder: whack
One means to stop
The furbrained attack
Burma Shave
FlashBlock stops Flash from running after a second or two. Some of the remote code still runs. This may be enough time for an attack to get through.
A computer worm that spreads through Flash and PDFs on PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough to still think Windows is not ridiculously and unfixably insecure by design.
Despite many years' warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying "COME AND GET IT."
Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. "There's a reason the Unix system on Mac OS X is called Darwin," said appallingly smug Mac user Arty Phagge.
"It can't be stupid if everyone else runs it," said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. "Macs cost more than Windows PCs."
"Yes," said Phagge. "Yes, they do."
Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can't say we care.
You should get that lisp checked out.
9 out of every 10 Windows users are vulnerable to the XXXXXX vulnerability.
Flash is installed on almost every PC. The large majority of Windows users still use Internet Explorer, so the majority right there are vulnerable. Firefox has a respectable percentage of the user base, but very few of those people (outside of the Slashdot crowd) seem to use tools like Flashblock. The other browsers (Chrome, Safari, Opera) round out the group; their users are pretty much all vulnerable too.
It's sad, I agree - but we already knew this was the case since we've known about this unpatched flaw for a while now...
This gives a new meaning to the term Killer App
Well at least the iPhone is safe
+1 Funny!
If it were an actual mistake, then I would agree with you. It wasn't an error.
He purposefully did it and when he got caught he then apologized for it. What I'm saying is, if nobody said anything, he'd still be doing it.
"A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems" (emphasis added).
TFA only mentions Windows because they don't bother scanning Macs or Linux boxes.
You know ...
I hate Adobe software.
There, I said it.
Photoshop is buggy. Premiere is often weird and arcane. Flash and Reader have had some NASTY security holes of late. Reader is a painfully slow resource pig. Adobe is at least a year late in releasing a 64-bit version of Flash (outside of the Linux beta).
You know you're in trouble when freakin' MicroSoft is putting out better software.
Adobe's releasing one awful update after another. They seem to lack the resources and expertise to maintain a huge portfolio of overly-ambitious software on a wide variety of platforms. They just can't seem to get anything right with their free (as in beer) software from a security, and sometimes even usability, standpoint.
Dear god.
Request to Adobe: if you want to be the gateway for rich content on the 'net, please realize what's at stake if you fsck things up. By botching security, you're putting millions of people at risk for having their lives turned upside down by thieves and fraudsters. You're releasing the digital equivalent of Pintos. Please start fixing your mess.
Flash is now among the top attack vectors for Windows, and it isn't even covered by Windows Update.
There were 23 reported security issues in the last 2 years, including at least 4 browse-and-get-owned vulnerabilities.
In comparison, Silverlight has had no security bulletins since its 1.0 release (it's now at 3.0).
This may be just yet another reason to migrate to Silverlight, especially for intranet applications.
An interesting approach, using IP addresses as version numbers
So do you have to be on an administrator account for the attack to work?
IBM Corporation - 9.0.159.0
Internet Assigned Numbers Authority - 10.0.22.8
... if everyone knows about it?
Or am I missing something here?
Privilege separation is a useful tool, but minimizing the surface area for the initial attack is critical. Security is like sex, once you're penetrated, you're ****ed.
The biggest problems Windows has are related to the surface area exposed to attack:
1. The lack of the ability to bind most services to a specific IP address means that even services intended for internal use have to be blocked by a firewall rather than being bound to 127.0.0.1.
2. The lack of ability to pass parameters to a program without passing through a re-parsing step, leading to quoting attacks against helper applications.
3. ActiveX.
4. ActiveX.
5. The use of a common set of helper application bindings for the shell and browser, a vulnerability alas copied by Apple.
6. Did I mention ActiveX?
Windows has privilege separation issues, but not nearly as great as they used to, so I wouldn't put this even in the top 10 security problems.
Common runtimes, like Flash, Silverlight, and Java, are a problem because they create the possibility of a "one size fits all" attack. You shouldn't ignore the danger whether you're running Windows or UNIX.
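The re-parsing problem in point 2 of the comment above, as an added example that is not from the original thread: a small, simplified model of the Microsoft C runtime's command-line splitting rules (hypothetical helper `parse_windows_cmdline`; the newer `""` rule inside quotes is not modelled) applied to a constructed URL handed to a helper application, contrasting plain string concatenation with `subprocess.list2cmdline`, the quoting routine CPython itself uses on Windows.

```python
import subprocess

# Constructed sample: a URL an attacker-controlled page hands to a helper app.
SAMPLE_URL = 'http://example.com/x --proxy-server=evil'


def parse_windows_cmdline(cmdline):
    """Model of how the Microsoft C runtime splits one command-line string
    into argv (simplified: the newer '""' rule inside quotes is ignored).
    Whitespace outside double quotes separates arguments; quotes toggle
    quoting and vanish; backslashes are literal unless they precede a quote,
    where each pair yields one backslash and an odd leftover escapes it."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (run // 2))
                if run % 2:
                    cur.append('"')       # escaped literal quote
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append('\\' * run)    # backslashes not before a quote
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append(''.join(cur))
    return args


def naive_cmdline(helper, url):
    """Plain concatenation: after the helper re-parses the string, the
    spaces in the URL have become extra arguments (the quoting attack)."""
    return helper + ' ' + url


def safe_cmdline(helper, url):
    """list2cmdline quotes per the CRT rules, so the URL survives
    re-parsing as exactly one argv element."""
    return subprocess.list2cmdline([helper, url])
```

Calling `parse_windows_cmdline(naive_cmdline('helper.exe', SAMPLE_URL))` yields three arguments, the last an injected option; the `safe_cmdline` form yields exactly two.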
were turned off at the moment of the counting.
The other 8% were:
1 -- Downloading Flash because they felt "left out"
2 -- Powered off
3 -- Already infected
4 -- At the local Geek Squad store having their Owners' Personal Information "backed up" to the technician's USB stick (It's value-added!)
5 -- Some combination of the above choices
the best thing to ever happen to Silverlight?
Yes, who are they to support all platforms in equal manner allowing same functionality in all sites?
My suggestions are:
1) Drop PowerPC support
2) Drop Linux support
3) Find some sold-out, once-open-source heroes to implement a half-ass functional thing with a cool name.
4) Go mono! err.. profit!
I visit a site
It uses Flash 10 Player
I am truly fucked
Let's not let the facts get in the way of rabid fanboyism! After all, Linux is 100%, completely secure! There are magical GPL fairies in the kernel that protect it from any and all attacks, even when the app in question is from a 3rd party.
When there is a zero-day issue exploited in the wild and it is affecting nearly a billion computers, some questions must be asked.
1) Will the FBI and security organizations look to this matter as a threat to global security and this time, actually find the gang to question them?
2) When did we start supporting zero day exploiting black hat mafia?
3) Who is really behind this?
4) Why would it take until Tuesday to fix the issue? Can't they provide a quick hotfix until Tuesday and ship the real thing with more testing 1 week later?
5) Will Adobe do some serious internal investigation, working with the law enforcement agencies to find out the root cause of this issue, this kind of behavior among their developers, team leaders and testers?
Some company known to work in very dirty ways when it gets cornered is at version 3 of their software and nobody, including their media puppets, seems to care. Just saying...
So, are you saying Windows is not done until Adobe is broke, so that people will use M$ stuff instead? They have done that before. I don't think Adobe is at fault, since the same problem appears many times for them, but no issues on Silverlight. Interesting, Adobe works on the Mac and Linux flawlessly. So it's got to be the evil empire again. Look out for the fine they are going to get now. WOW.
Flashblock will not save you from this vulnerability. Flashblock only blocks flash objects in your internet browser (firefox/seamonkey.) This attack uses flash objects embedded in pdf documents which are handled by Adobe Reader. Now, who decided it was a good idea to allow pdf documents to have flash embedded in them?
Does this affect us who never upgraded from 7/8?
This is something that can be detected and stopped by Antivirus software, right? Since my Avast! updates every day, if it can protect me against this Flash vulnerability, then it shouldn't matter to me when Adobe issues the patch.
This may be just yet another reason to migrate to Silverlight, especially for intranet applications.
Other than the large security problem of handing Microsoft any degree of weight in the market for internet clients.
Particularly given Microsoft's history, which suggests they barely have the slightest idea of how to create anything secure, chances are that Silverlight's record has a lot to do with its small market share.
But mostly, they're simply not trustworthy. We saw what they did with IE6. Even if you ignore the rest of their history, trusting them is foolish.
Adobe should give a notification in their updater that their software is insecure, and give the option to disable it until the next patch. Quarantine is usually the immediate response to an outbreak before we have a suitable vaccine.
These bloated plugins seem to also be responsible for 80%-ish of the crashes I have in Mozilla.
They are the big weakness of the web: what if someone decides to start putting a non-standard format out there that becomes a de facto standard because it's the easiest way to do something?
Flash seems to be the easiest way to put up an animation.
PDF is the best format for distributing documents that you don't necessarily want others to edit.
No one wants to explore alternatives because the content is in these somewhat unwieldy formats.
I noticed in early July that my Kubuntu 8.10 machine started showing corruption in the EXT3 filesystems, and it seemed to happen every time I used Firefox (which had Flash installed). I finally got so sick of restoring from backups that I rebuilt a totally new Kubuntu 9.04 image, without Firefox. I now run Firefox in VirtualBox, using a sandboxed image of Kubuntu 9.04. This has stopped the filesystem corruption in the host OS, but I continue to see EXT3 corruption in the sandboxed Firefox with Flash. It's beginning to look very sensible to use 3 virtual machines for browsing the web now. Green Sandbox for just my banks. Yellow Sandbox for email and Paypal, and Red Sandbox for everything else (including Slashdot). Even with Noscript, the Red Sandbox still gets dirty, and needs rolling back to the initial snapshot. I haven't run rootkit detection or virus scanning yet, but I'm beginning to believe that integrated intrusion detection will be the next Great Thing (tm) for virtual machines. Charlie Stross thought about this years ago in Accelerando. It's worth a read.
Yes he did, but he's not some huge, evil megacorporation. He's one guy who has cooked up this software that everybody wants to use, isn't he?
His only mistake was not telling people in the first place, not the whole whitelist/redirect thing. If you want to use NoScript then obviously a condition of that use is that the NoScript site is automatically whitelisted and the page opens up every time you have an update. For all of the benefits it gives one, that is an awfully generous tradeoff.
I don't know if it does, but I would certainly like to know the secret to living with Flash 7 when everyone and their uncle check the version of Flash before allowing me in to their website. Is there a way to declare a different version instead of updating something that is (was) actually working fine?
I stopped reading there. Obviously a slow news day.
Flash is an ongoing security nightmare. Users demand the functionality but don't understand or care about the security cost.
Flash is one abomination that should be put out of its misery ASAP.
I would highly suspect by now the entire eco-system involved in an average patch in FOSS software is very much outstripping the resources of MS. At least on the eyeball side. What does MS put at any given problem a few hundred or a few thousand programmers? Yea, there might be a whole lot more people in the marketing spin department, but they don't really count as helpful.
It is not just the guys around one project, a particular writer in FOSS that vets the patch. It is the entire community of hundreds of different distros, sub-projects, individual users, and so on that vet a patch or change and decide to include it, ignore it, put it on the shelf, and push changes back up the food chain as problems are found.
I consider myself to be fairly much an end user of FOSS, but perhaps leaning more on the power user side of things. I remember a bug in an early development release of Firefox I found. From the time it was released, to the time I found it, verified it, and went to report it, was less than 30 mins. Guess what? 100 other people found it, 10 proposed patches had been submitted, and the best was already accepted and into the next version a full 15 mins earlier than me. That is just normal in FOSS.
No one can tell me a company with a massive bureaucracy of rules and procedures would be able to mobilize anything at that speed. It likely takes them a week just to get authorization to look at the source code they wrote from the legal department.
This is not so much a Windows issue as it is a browser issue. Secunia reports MSIE7, Mozilla, Chrome, and Opera ALL insecure for browsing for the same reasons: Flash, Adobe Reader, and Sun Java being the consistently prime culprits, but it also reports MSIE 7 and Mozilla as insecure all by themselves.
Secunia is an interesting program in many ways, but it reports 'vulnerabilities' as soon as anyone releases a new version of anything. Suddenly, you are 'insecure.'
Regardless, Secunia is well worth taking a look at. http://www.secunia.com/
How about a moderation of -1 pedantic.
You read the numbers in a weird way. The pages of Secunia say:
- Secunia has issued a total of 193 Secunia advisories in 2003-2009 for Microsoft Windows Server 2003 Enterprise Edition. Currently, 6% (12 out of 193) are marked as unpatched with the most severe being rated Less critical
- Secunia has issued a total of 130 Secunia advisories in 2003-2009 for Apple Macintosh OS X. Currently, 4% (5 out of 130) are marked as unpatched with the most severe being rated Moderately critical
At least on OSX, the most critical vulnerability requires you to download and mount a malcrafted disk image, which most likely can only crash your system, and perhaps expose kernel memory.
Furthermore, it is 4 against 12 unpatched (in favor of OSX), and of course the other Windows systems (XP, Vista, 7) have got a different set of vulnerabilities. And your language and mark-up suggest mild paranoia. You have not been attacked, and the Pravda doesn't deal with Windows viruses. Get treatment, or move to Montana and join the militia.
1. You are comparing the aggregate of security vulnerabilities of OSX 10.0, 10.0 Server, 10.1, 10.1 Server, 10.2, 10.2 Server, 10.3, 10.3 Server, 10.4, 10.4 Server, 10.5 and 10.5 Server to Windows Server 2003. Feel free to add the vulnerabilities of the other Windows Desktop and Server releases from 1999 and onwards.
2. Apple-shipped and Microsoft-shipped software have different disclosure policies. Microsoft never patches until they are forced to (witness the 18 month lead time on the ActiveX vulnerability just disclosed). MacOSX includes software that has "disclose everything now" policies.
3. MacOSX simply bundles more software than Windows Server. A quick look at the MacOSX advisories shows that they include vulnerabilities in Python, Perl, PHP, Ruby, Java, ClamAV, SquirrelMail, X11, Apache, BIND, OpenSSL, OpenLDAP, MySQL, Flash etc.
Secunia writes:
4. Secunia has some weird counting going on. Check out the XP Professional 2009 advisory page. I count 25 vulnerabilities in 12 advisories - yet the total statistics claim 244 advisories with 253 vulnerabilities. If the numbers are to add up, previous years would have to have more advisories than vulnerabilities.
So - you cherry-picked a release and even this one has several unpatched and known exploits in it? Congratulations!
http://blogs.zdnet.com/security/?p=1708 http://zerodayinitiative.com/advisories/upcoming/
Whether Windows can run loads of software is irrelevant. If it did not ship with it - it will not get counted as a flaw.
As for your last comment - you just don't get it do you?