Slashdot Mirror
Adobe Flash To Be Top Hacker Target In 2010
An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"
Sometimes when I go to a website, it will have Flash malware which forces me to download unwanted content and then plays it without my consent.
Damn you Youtube!!!
Let me guess, Microsoft are just ready to offer the solution in the form of Silverlight, right?
Enforced centralised updating for Adobe products with GP, without local admin rights is what we need (like WSUS).
With the recent popularity of Apple products and other internet surfing enabled devices, this is all about infecting the most machines possible. Previously that was easily accomplished by targeting the most popular devices - Windows PCs. But now there are even more targets available and most of them run Adobe Reader and Flash.
What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?
This post brought to you by your friendly neighborhood MBA.
People often just don't update Flash much. It's a little better for Adobe Reader from what I see; but just a little - automatic updates are treated more like a nuisance to hide, it seems.
Overall - good riddance. Simple & small PDF readers with scripting disabled are all almost anybody needs anyway. As for Flash - everybody here keeps whitelists of pages already, right? And perhaps those few whitelisted ones will feel the need to enable HTML5 video tag sooner.
One that hath name thou can not otter
i expect a fix in 5 minutes. everyone knows that anything delivered from the cloud is highly secure and easy to fix if problems arise
Could someone please explain to me why I have to be worried about $#! document viewer compromising my system? WTF Adobe!? Glad I don't have to use it to read PDF's anymore. Thank you OS X for builtin support.
Acrobat and Flash vulnerabilities were two of the biggest issues I saw in 2009, even more than Office vulnerabilities.
For one, Office only seems to hit the enterprise sector, and most enterprise users have at least some security. Office is more likely to be patched by users, and there were fewer vulnerabilities.
Most users don't have the latest version of Acrobat or Flash. They effect home and enterprise users.
Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an after-thought.
For Windows users, I often recommend they swap Acrobat with a free reader like Sumo or Foxit, which is smaller, faster, and has less vulnerabilities. Sadly, there aren't many GOOD Flash alternatives.
I really hope HTML 5 phases out the popularity of Flash.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
64-bit windows isn't a target of flash virus :)
Do the hacks exploit buffer overflow or wilder pointer issues? anyone knows?
It's time to start seriously chipping away at Adobe's stranglehold on multimedia. Or at least give it some serious competition that will inspire them to work harder.
As someone else has mentioned, this might be HTML 5's time to step up.
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
Are there Flash-based keyloggers or bots?
"I don't know, therefore Aliens" Wafflebox1
I'm not clicking on that one!
"We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"
I've abandoned my search for truth; now I'm just looking for some useful delusions.
McAfee reports that PDF attacks are going to be tops in the upcoming year by releasing reports in PDF form. Maybe they're trying to collect stats on who is vulnerable...
I wish the media would spend as much time reviewing the forecasts from the previous year as they do reporting what experts think will happen next year. I predict the big security issue for 2010 will be... annoying. And profitable for the security industry, even for the expert who said the problem will be something else.
Developers can stop using flash and end-users should uninstall it. There is already a solution out there and it is called javascript. 90% of the things you can do in flash can easily be done using javascript, jquery, or some other javascript framework. For the remaining 10%, HTML 5 will be able to handle most of it (canvas tag, videos, better form support, etc), and the remainder of things that javascript/html can't do that flash can do (if there is anything), is not even worth implementing in a website. Since javascript and HTML is all open and much easier to work with, I foresee flash and silverlight on the decline. This especially holds true when HTML 5 is fully supported in most people's browsers.
McAfee, of course, has a product to sell.
For Adobe Reader, the solution is really easy. Either install something faster and more secure as your browser's PDF plugin, or disable javascript in Adobe Reader. All the security vulnerabilities in AR have been related to javascript, which is a feature that almost nobody wants or needs in pdf files anyway.
I'm skeptical about any risk from flash. Flash apps run in a sandbox. Are they referring to things like malicious facebook apps? That seems like a relatively minor concern to me. Sure, it would be embarrassing to have all your facebook friends get spam from you, but the potential damage seems relatively minor. It can't take over your machine, can't access your banking info, etc. And of course flashblock, which I would never be without in any case, will protect you from running untrusted flash apps on random webpages that you hit.
Find free books.
So how do we keep Flash updated, assuming that Adobe tries to keep it patched? Is there a better way than going to Adobe's website and downloading a new version and installing it manually?
As long as IT salesmen sell "flashy" sites and bleat that it is professional to put a flash lock on your site, developers will have to build it.
As you already say that most things can be done in javascript, I don't see that HTML5 support would hurt the use of flash.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Oh wait... Java applets already do all this.. maybe we just need to dump flash!
:)
I'll wait while the Java bashing commences.
Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an after-thought.
In what way is security an "afterthought" on these systems? Both have stronger measures to keep exploits from infecting the core system than Windows7. Both have excellent patching mechanisms that consumers use regularly.
Furthermore, let's say you are a virus writer, and you take advantage of a Flash exploit. OK, now you have native code running - just which system calls are you going to start making? Linux? Mac? Hardly.
Just like in the past, Flash exploits will be something Windows users have to worry about while Linux and Mac users just sit back and shake heads that so many people put up with the problems of an overly large monoculture.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Besides couple of security issues which are only fixed by disabling javascript in Adobe Reader EXISTS today, scheduled to be fixed in 15 days, here are 2 examples of the culture who actually develops/packages the OS X version.
First, this is what you will see in your system.log, whatever browser you use:
[0x0-0x1f01f].com.operasoftware.Opera[157]: Debugger() was called
This is the current flash, released just weeks ago. This is a packaging issue which nobody than a complete newbie would do. They forgot the damn debugger symbol in final binary they ship to millions. I also heard if you are a unlucky developer who has XCode open at the time when you go to a site featuring Flash, that "call" may actually break your own application's tests or running "from there". Amazingly stupid eh? This has been reported to Adobe by many people, users like me, Developers getting hit, Browser vendors/developers (guess who users contact&blame when they see browser name?) and they keep that debug symbol, even ignoring the latest chance to get rid of it weeks ago.
Want to see more? Here is a bug reported for ages, years, since early OS X days. Disk permissions broken while installing Flash. This is some amazing thing which even Apple is constantly bugged about and one of the perfectly valid excuses of "permission repairer" people on OS X land. Of course, as Apple really secured the permission repair process meaning hundreds of thousands of files will be validated before "repair", it also means 20 mins of a insanely system loading process even on highest end machine. I actually had access to a opto xeon (8x xeon) machine with 16 GB of RAM and just fired up "repair permissions" just to see if it is effected by CPU/RAM specs. No, still 13 mins.
No need to paste 10s of lines mentioning very stupidly wrongly set permissions. Note that it is also Apple to blame a little, perhaps Adobe could care if they had a bug report coming from @apple.com having thousands of user feedback attached. If I know Apple enough, they must have reported it to Adobe several times since their bug reporter department even finds shareware vendors from web once they spot that their application causes the issue. So, chances are high that these pathetic idiots also ignores Apple Inc. themselves reporting issues, no matter how trivial they are.
So, Adobe needs to do debugger symbol, permissions cleanups or they must get rid of the idiots who forgets a debugger symbol in a final product used by millions and can continue living their lives as nothing happened.
PS: Intego, Symantec... Do you read these stories? MCafee, do you read your own white papers? Is the code which will check the swf files on the fly up and running? Or are you still developing sigs for imaginary threats and impossible to run Word macros? Don't blame people when they call you snake oil seller if it is the case.
Why don't they design the underlying Operating System to be immune to bugs in the applications. Or at least mitigate the effects and fail safely. Why about applications deliberately designed to exploit some defect in the Operating System to give crooks access to your online banking information. Who is legally responsible if my online bank account gets hacked ?
"'Cybercriminals have long picked on Microsoft products due to their popularity"
Really, I thought it was to do with the defective nature of the underlying Operating System, the one that was never designed with Internet security in mind.
...that the report identifying Flash and Reader as the top vectors for 2010 is released in PDF format? At the risk of shouting "get off my lawn", what happened to good old plain text? The margins and logos did not add to the content. If you need all that then you probably should't have opened the PDF.
As Silverlight's vendor was busy with feeding that once famous, now puppet idiot and his gang, their V2 dropped support for PowerPC macs which several people, including their market uses. No, PowerPC Macs didn't explode and reject to turn on when Apple announced Intel transition. They are in use by schools, people who keeps hardware which works, musicians (as 12" PB is still waiting for replacement), company terminals which does nothing than mailing and browsing.
In Silverlight V3, things getting even more complex as the Win32/64 Silverlight V3 has more features than OS X 32/64 one. Besides lack of real development tools on most popular Web designer tool (Mac, even in darkest days), now people will also need to be careful about the functions they use since some won't simply exist on Mac and possibly iPhone in future.
While mentioned, where is the iPhone/Symbian and even Windows Mobile support? None. In couple of months, Adobe&Nokia/Symbian Foundation starts rolling full Flash on portable devices. Windows Mobile "full flash" is already up and running on select handsets. Where is Silverlight for Win MO?
So, we will rely on MS, that same company and their sold out puppet's wannabe, lacking clones and replace Flash with it? The reason? Flash being more popular and coming to a point that everything having CPU will show our content?
Silverlight couldn't be rival to Flash. The issue is deep inside Microsoft, they are like 1980s IBM, they didn't convert themselves like Big Blue. They are all fine with 1990s "run windows or be second class citizen". Issue is, it doesn't work anymore. MSNBC shows only Silverlight? I go to CNN and use GPU/SMP accelerated Flash video. It would be MSNBC's loss, not mine.
Unless you drug the IT departments of major media sites to go back to 1990s while H264 exists and H265 is being mentioned, HTML5 can't replace Flash.
It is the codec, the stupid fanaticism about "open codecs" to a degree of inviting Apple to jump to VP3 while they spent billions for H264 and the damn MP4 is being lite version of their OWN container, Mov.
For terabyte/petabyte sized media outlets, changing the codec means millions of real World money, not some "everything should be open" dreamer's money. In real World media, you even keep U-Matic players from 1970s maintained since in one occasion, you may need that archive tape from 1970s which haven't been digitized since it is part of your millions of hours archive which may be rarely (once a month) used.
HTML5 designers should really visit a major TV studio to see how things are really done, why you must do some insanely great progress to convince the people to switch, how TV and Video guys doesn't give a heck to "patent" problem as long as multiple vendors/documented standards/EBU etc. approvals exist.
Color me skeptical but based on your reply I seriously doubt you would visit MSNBC's site because of the "puppet idiot and his gang" have a stake in it.
Nice rant all the same...
... 2010 is predicted to be the year of the Linux desktop.
Why, no, I haven't meta-moderated lately. Thanks for asking!
flash expl0its just don't work with the free software Gnash flash player. I even submitted a bug report regarding one of them (yes, actually, it's listed at savannah). If you know C/C++ then please help hacking gnash so we free software users don't miss out on getting robbed by the apparently evil "criminal hackers".
9/11: Never forget it was a false-flag operation
It's to help prove their point.
What is even MORE ironic is the whitepapers page http://mcafee.com/us/threat_center/white_paper.html that links to the article saying that adobe reader is going to be a upcoming threat in 2010, ALSO links to adobe reader!
Let's say you have two computers. One is meant for everything but web surfing (except e-mail, bank sites, anything "sensitive"), and the other is meant solely for web surfing.
The first one can have flash "un"installed. The second one would have flash installed, and would be a "play" computer, where you surf, do web research, etc., without worrying about trashing your machine because a simple reinstall will cure everything without data loss on said machine. It could even be frozen, if that is your thing.
Tell me, what would be wrong with this idea?
It's not about the size, it's about what you can do with it.
But I don't think you would understand.
their V2 dropped support for PowerPC macs which several people
So Silverlight can't possibly compete with flash because it doesn't support a hardware platform that hasn't been produced in 5 years now and already has negligible market share?
In Silverlight V3, things getting even more complex as the Win32/64 Silverlight V3 has more features than OS X 32/64 one
The only differences I'm aware of between mac and windows silverlight 3 are quite trivial
While mentioned, where is the iPhone/Symbian and even Windows Mobile support?
In the works . Admittedly, MSFT is dissapointingly behind schedule on this front.
Some of your complaints with Silverlight have merit. It isn't perfect yet, but it has made remarkable progress in the 2 years it has been out and most certailnly is a rival to flash. Flash had an 11 year head start and Silverlight already does just about everything it does and a few things better. Silverlight lags behind flash in market penetration and platform support, but at the rate it is going, it will catch up quite soon.
Hikery.net - The best hiking site ever. Made by yours truly.
"Flash to be top hacker target" has a far different connotation than "we anticipate...".
Every now and then, some writer tosses up some words like "Cybercriminals have long targeted xyz products due to their popularity". They don't. Criminals are lazy. They attack weak and easy spots first. It has nothing to do with "popularity". If it were, apache http servers would be the most attacked server application of them all - and they aren't.
--------
* Sigh *
Oooh you mean cracker! Phew, for a second there, I thought you thought they'll develop apps for it.
I have only been a victim of malware in windows twice. Both times it was through exploits on adobe reader.
I was happily navigating the internets and reading some datasheets when suddenly my google chrome tab with adobe reader went unresponsive. I was quick to kill it but not fast enough nonetheless. Seconds later I had swarms of randomly named processes hogging my CPU cycles and network bandwidth.
Turned out to be a rootkit.
Let me say, as a TV professional, I know another TV who spent millions in infrasacture and software/servers to offer Windows Media DRM based paytv/prime content even while the entire scene, including their rivals called the idea "stupid" and they better stick with standards.
Today, their webmaster stares to 40% of hits coming from Apple OS X and iPhone OS X based clients while they have nothing to serve to them. The reason? MS took their toys and went home, they stopped maintaining Windows Media Player for OS X right after Intel switch which should make things a LOT easier (use same SSE optimisations, no endian issue etc).
If they sticked with MPEG standards, even under Windows, the possibilities were endless. iPhone client, OMA DRM MP4 (just like BBC), Flash (just pack the container).
Does MS talk about the amazing instability, performance and security issues if one Mac Intel user using a modern OS X installs their outdated Windows Media Player to their system? No? They even enjoy it is being one of the top 100 OS X downloads. Each unstable mac/os x is a "good thing" for some sick minds out there.
I would go with Applet based stuff rather than switching to a plugin from that company. The reason behind their backwardness on Symbian is very interesting since they promised Nokia a WORKING silverlight and Nokia agreed to them. It would be really funny if Nokia sued them for not delivering their promises right?
PS: Adobe didn't only continue to maintain their Flash plugin, they also accelerated it by enabling SMP/multi processing as low as dual G4 macs. That is how a professional company who is interested just in reach of marketshare and respect operates. For lots of people out there, MS is some pathetic company who can't even compile things for PowerPC, a 32/64bit CPU. While PowerPC is dead at Apple factories, it also means their code is tied to X86 and X86 only enhancements which is very alerting as embedded market recently exploded. Try to find X86 and SSE instructions on iPhone ARM :)
Well, what I say is, VP3 is a freaking outdated piece of junk abandoned and got donated to open source community.
If Google has balls to donate the real deal (VP7,8) or even IF it is possible, things may change. Why IBM , big blue with army of lawyers couldn't open OS/2? Why some abandonware can't open their source but gives away free license instead? Why some can't? Because it is how such huge things work. All parties, including the companies, TV stations, TV industry organisations must agree that they will throw away billions of dollars worth know-how and formulas, methods just to make 1% or less happy.
Industry spent billions for H264 and they want their money back somehow. That is the idea. Do you really think some people, especially at .CN will really care about the intentions of opening the codec? They use open source freely and fail to credit/ship modifications even while that is the only thing open source folks want.
Even if Adobe rolls over and dies tomorrow, the Flash is so needed that some major .edus may give huge help to Gnash project to make it actually replace Flash, at least to the point until V10. It would be some service to the web and even World economy.
I can't imagine the price required to replace Flash on entire web including old sites and multi billion dollar occasional games industry which is dominated by Flash thanks to stupid Sun.
Besides people dreaming H264/AAC getting open, is the Flash open enough for an army of developers to replace it with Gnash? That is the real question. Not the "codecs" part, the actual protocol/file specs, everything minus the codecs.
How long will it take for them to move to Real Networks model? See, Helix is open, minus the codecs. Anyone can contribute and it works, millions of desktops, mobile handsets.
Unless crime gangs all went to some course learning to code massively multi platform, the "issue" will basically put some .exe file to users computer and run it. It won't be some amazingly universal binary which runs on ARM/x86/PPC/MIPS and dozen of different operating systems.
I understand your sarcasm and it is really alerting that there are like 10% of market who believes their platform is something like NSA Terminals we see at movies but Flash exploit isn't the one which the real doomsday for OS X will come. It will be a real, working, specific designed worm/virus/whatever which will actually send itself to others. The next day, newspaper you read won't be on your doorstep as the multi xeon/quark/indesign workstation wasn't running a security solution or firewall since "it is OS X".
Of course, what does Mac AV companies code, what the hell they really check, what about unknown threats is another issue.
Not on my platform. On yours, perhaps.
Over-the-top Response Guy! Giving "Over-the-Top Responses" since 1970.
They could start by releasing a *&^#@ MSI file for Windows and a deb/tar/rpm for Linux.
;) But I'm sure they're even more against that then releasing an MSI.
Currently I have to wade through a bunch of retarded forms and sign a corporate distribution agreement and wait a few hours so they will send me a link to an MSI so I can update flash.
Put an MSI on your home page that I can download in a few clicks and push out via Group Policy.
With a deb, I can update all the linux systems I manage using cssh, wget to grab the deb, and 'dpkg -i' to install.
If they're not willing to do that, they aren't being helpful.
Although they could always release the source and let us take care of the updates for them...
There's no place like
It doesn't work fine in the browser I normally use.
Over-the-top Response Guy! Giving "Over-the-Top Responses" since 1970.
both of the security holes in flash and acrobat aren't holes in the adobe products themselves, they are both fairly secure, the problem is that both allow you to run code through them, with flash you can socket just about anything into it and the big hole in acrobat is running javascript through it- really adobe ought to do what macromedia did when they had flash and only allow code to run that modifies local files through a standalone projector file and not through a .swf file