Slashdot Mirror
Adobe Flash To Be Top Hacker Target In 2010
An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"
Sometimes when I go to a website, it will have Flash malware which forces me to download unwanted content and then plays it without my consent.
Damn you Youtube!!!
Let me guess, Microsoft are just ready to offer the solution in the form of Silverlight, right?
With the recent popularity of Apple products and other internet surfing enabled devices, this is all about infecting the most machines possible. Previously that was easily accomplished by targeting the most popular devices - Windows PCs. But now there are even more targets available and most of them run Adobe Reader and Flash.
What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?
This post brought to you by your friendly neighborhood MBA.
Could someone please explain to me why I have to be worried about $#! document viewer compromising my system? WTF Adobe!? Glad I don't have to use it to read PDF's anymore. Thank you OS X for builtin support.
Acrobat and Flash vulnerabilities were two of the biggest issues I saw in 2009, even more than Office vulnerabilities.
For one, Office only seems to hit the enterprise sector, and most enterprise users have at least some security. Office is more likely to be patched by users, and there were fewer vulnerabilities.
Most users don't have the latest version of Acrobat or Flash. They effect home and enterprise users.
Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an after-thought.
For Windows users, I often recommend they swap Acrobat with a free reader like Sumo or Foxit, which is smaller, faster, and has less vulnerabilities. Sadly, there aren't many GOOD Flash alternatives.
I really hope HTML 5 phases out the popularity of Flash.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Even if they updated regularly, it would still be an easy target. Something like six of the top ten browser crasher bugs are in Flash plug-ins. There are so many crasher bugs that nobody can even keep count. When you realize that every single one of those is probably an exploitable attack vector, you quickly understand why I use click2flash. Swiss cheese belongs on sandwiches, not on the public Internet....
Check out my sci-fi/humor trilogy at PatriotsBooks.
"We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"
I've abandoned my search for truth; now I'm just looking for some useful delusions.
The hacks in Flash are often social engineering tricks to get at files, camera, microphone... though I think the most growth will be enabled by the excellent support for socket communication in today's actionscript. In other words, good old-fashioned cross-site-scripting.
Developers can stop using flash and end-users should uninstall it. There is already a solution out there and it is called javascript. 90% of the things you can do in flash can easily be done using javascript, jquery, or some other javascript framework. For the remaining 10%, HTML 5 will be able to handle most of it (canvas tag, videos, better form support, etc), and the remainder of things that javascript/html can't do that flash can do (if there is anything), is not even worth implementing in a website. Since javascript and HTML is all open and much easier to work with, I foresee flash and silverlight on the decline. This especially holds true when HTML 5 is fully supported in most people's browsers.
Besides couple of security issues which are only fixed by disabling javascript in Adobe Reader EXISTS today, scheduled to be fixed in 15 days, here are 2 examples of the culture who actually develops/packages the OS X version.
First, this is what you will see in your system.log, whatever browser you use:
[0x0-0x1f01f].com.operasoftware.Opera[157]: Debugger() was called
This is the current flash, released just weeks ago. This is a packaging issue which nobody than a complete newbie would do. They forgot the damn debugger symbol in final binary they ship to millions. I also heard if you are a unlucky developer who has XCode open at the time when you go to a site featuring Flash, that "call" may actually break your own application's tests or running "from there". Amazingly stupid eh? This has been reported to Adobe by many people, users like me, Developers getting hit, Browser vendors/developers (guess who users contact&blame when they see browser name?) and they keep that debug symbol, even ignoring the latest chance to get rid of it weeks ago.
Want to see more? Here is a bug reported for ages, years, since early OS X days. Disk permissions broken while installing Flash. This is some amazing thing which even Apple is constantly bugged about and one of the perfectly valid excuses of "permission repairer" people on OS X land. Of course, as Apple really secured the permission repair process meaning hundreds of thousands of files will be validated before "repair", it also means 20 mins of a insanely system loading process even on highest end machine. I actually had access to a opto xeon (8x xeon) machine with 16 GB of RAM and just fired up "repair permissions" just to see if it is effected by CPU/RAM specs. No, still 13 mins.
No need to paste 10s of lines mentioning very stupidly wrongly set permissions. Note that it is also Apple to blame a little, perhaps Adobe could care if they had a bug report coming from @apple.com having thousands of user feedback attached. If I know Apple enough, they must have reported it to Adobe several times since their bug reporter department even finds shareware vendors from web once they spot that their application causes the issue. So, chances are high that these pathetic idiots also ignores Apple Inc. themselves reporting issues, no matter how trivial they are.
So, Adobe needs to do debugger symbol, permissions cleanups or they must get rid of the idiots who forgets a debugger symbol in a final product used by millions and can continue living their lives as nothing happened.
PS: Intego, Symantec... Do you read these stories? MCafee, do you read your own white papers? Is the code which will check the swf files on the fly up and running? Or are you still developing sigs for imaginary threats and impossible to run Word macros? Don't blame people when they call you snake oil seller if it is the case.
Unless you drug the IT departments of major media sites to go back to 1990s while H264 exists and H265 is being mentioned, HTML5 can't replace Flash.
It is the codec, the stupid fanaticism about "open codecs" to a degree of inviting Apple to jump to VP3 while they spent billions for H264 and the damn MP4 is being lite version of their OWN container, Mov.
For terabyte/petabyte sized media outlets, changing the codec means millions of real World money, not some "everything should be open" dreamer's money. In real World media, you even keep U-Matic players from 1970s maintained since in one occasion, you may need that archive tape from 1970s which haven't been digitized since it is part of your millions of hours archive which may be rarely (once a month) used.
HTML5 designers should really visit a major TV studio to see how things are really done, why you must do some insanely great progress to convince the people to switch, how TV and Video guys doesn't give a heck to "patent" problem as long as multiple vendors/documented standards/EBU etc. approvals exist.
You might update, but "people" are stupid and do not.
"People" tend to minimize or close anything that pops up in between start up and opening the app that one started the computer to use. Whether it be windows update, virus scan update, or updates of nagging software. Of those three the updates of nagging software will be the most likely to just be closed without any update taking place.
Don't know something? Look it up. Still don't know? Then ask.
their V2 dropped support for PowerPC macs which several people
So Silverlight can't possibly compete with flash because it doesn't support a hardware platform that hasn't been produced in 5 years now and already has negligible market share?
In Silverlight V3, things getting even more complex as the Win32/64 Silverlight V3 has more features than OS X 32/64 one
The only differences I'm aware of between mac and windows silverlight 3 are quite trivial
While mentioned, where is the iPhone/Symbian and even Windows Mobile support?
In the works . Admittedly, MSFT is dissapointingly behind schedule on this front.
Some of your complaints with Silverlight have merit. It isn't perfect yet, but it has made remarkable progress in the 2 years it has been out and most certailnly is a rival to flash. Flash had an 11 year head start and Silverlight already does just about everything it does and a few things better. Silverlight lags behind flash in market penetration and platform support, but at the rate it is going, it will catch up quite soon.
Hikery.net - The best hiking site ever. Made by yours truly.