Slashdot Mirror
Adobe Warns of Flash, PDF Zero-Day Attacks
InfosecWarrior writes "Adobe issued an alert late Friday night to warn about zero-day attacks against an unpatched vulnerability in its Reader and Flash Player software products. The vulnerability, described as critical, affects Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems. It also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh, and Unix operating systems."
... my iPad isn't affected !
Figure it out, Steve. Every other platform is getting Flash, I want the same opportunity for malware exploits that other mobile platforms will be getting.
Blu-Ray = Flash = Bag of Hurt.
Conservative, mod down for violating
...a patch will be released sometime in the Fall quarter.
Am I the only one sick of the "zero day" buzzword?
It's a vulnerability/security hole. Stop creating new 1337 buzzwords, please. It got old years ago and if I hear "zero day" one more time I'm going to go nuts and take a sniper rifle up to the top of a bell tower and start picking off wannabe technology journalists. (no, FBI and ATF I won't be doing that but I can dream of it!)
I see the 64 bit Flash plugin for Linux has not been updated. Anyone heard of a timeline for this update?
Problems like this are common because reader and flash are ubiquitous, flash because it has no viable alternatives and reader because most users don't realise that there are far superior pdf viewers out there (i've even seen people install reader on macs where a far superior pdf viewer comes by default)...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Imagine how hard it is to write malware. Having Flash and PDF available on all platforms reduces the amount of time necessary to infect people. Good work Adobe.
The closest platforms to getting it right are Apple and Linux distros. I say that because they provide a central software base and can push out updates all coming from one place. If you use something like Windows, you have to get updates from Microsoft, your hardware manufactures and then your 3rd party software. AFAIK, Windows still does not come with a PDF viewer, and I think its time for 3rd party plugins to completely disappear from web browsers. I've held the plugin belief for over 10 years.
Even if I say that Apple and Linux are better, they too are broken. And then there are 3rd party apps that continually want you to upgrade them before you run them. Its obnoxious. I can't think of any consumer or professional piece of equipment that needs such care and feeding. If my car has issues (yeah car analogy), then there is a recall. Its a big deal. I would never drive a car that says, "Before you start your car, there is an important safety update, do you want to install that update or blow it off?"
I guess I'm saying that now that internet access is available via cell technology and wifi and wired devices, and I don't know of anybody that uses a compuer not connected to one of these things, that bandwidth needs to increase and "cloud" or computing as a service needs to become a reality. Sure, nobody trusts these big bad internet companies with their data besides the exceptions like online tax services, online banking, facebook and their ilk, ISPs with their logs and their email, ecommerce, and other random services. But maybe, just maybe in the near future there can be a stable computing platform.
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.
A initially rather secure document format (PDF) has become insecure because Adobe has added a plethora of mostly useless functions like Flash, Javascript etc to it.
No, problems like this are common because companies keep cramming more and more unnecessary crap into their software. From the article:
Why do you need "SWF content" in a PDF file? And then there was the story from a couple months ago about the ability to embed executable commands in a PDF file, and it it isn't a flaw - it's a feature built into the PDF spec. Sloppy programming combined with more and more crap that doesn't belong, guarantees that these problems will keep showing up.
troll? Somebody doesn't like the truth. There are a lot of people in India. They produce a lot of high quality, top notch, computer scientists. But they also produce average, above average, and below average programmers. So a company outsources to India because they want to save money. Well, the outsource shop wants to make money, and that means getting cheap labor. Good quality Indian talent works for less than good quality American (or European or whatever) talent in the same way that low quality Indian talent works for less than good quality Indian talent. It's a fucking race to the bottom and Indian colleges are printing cs degrees like Ben Bernanke prints dollars.
var sig = function() { sig(); }
If the fix is critical, why is the Linux 64-bit version still at the vulnerable level?
Can You Say Linux? I Knew That You Could.
Use Sumatra PDF instead of Adobe Reader.
Use Flashblock with Firefox. You can whitelist your daily sites as you use them. Furthermore you save CPU, heat, noise and money from the beginning.
Can't wait for HTML 5 and friends (JavaScript, WebM, Canvas, WebGL, ...) to kick Flash's ass.
It would be also nice people moving from PDF to ODF; I think it's technically viable (same features, zero cost, what I am missing?), besides the obvious gain in security and stability.
It's job security for us computer janitors, but still fucking annoying that their security is so bad.
Hail Eris, full of mischief...
E pluribus sanguinem
You don't need it, but some people want it, so everyone gets it.
They probably don't even need to use a PDF file at all.
No, problems like this are common because companies keep cramming more and more unnecessary crap into their software. From the article:
Why do you need "SWF content" in a PDF file? And then there was the story from a couple months ago about the ability to embed executable commands in a PDF file, and it it isn't a flaw - it's a feature built into the PDF spec. Sloppy programming combined with more and more crap that doesn't belong, guarantees that these problems will keep showing up.
Ironically, Adobe abandoned PostScript in favor of PDF because PostScript was executable and could be exploited by malicous people. That, speed (hard to understand if you compare PostScript documents with the PDFs of today), size (PDFs are usually larger than the same documents as a ps.bz2-file (or even ps.gz)) and searching in document (yeah, thats a laugh) was the reason I have heard for abandoning the beautiful, simple, very evolved and rock solid PostScript for the complicated kludge that is PDF. I think the real reason was that it is so simple to create good PostScript-tools that everybody can do it (and did), not just Adobe.
Version 10.1 is considered a fix for this. http://ve3d.ign.com/articles/news/55171/Critical-Flash-Vulnerability-Discovered-Please-Upgrade and http://labs.adobe.com/technologies/flashplayer10/
If Adobe had the brains of a hamster, it would prohibit executable content in PDF files. Anything fancier than a fill-in-the-blank form has no place in a document format. Business needs some sort of standardized format in which to exchange written documents electronically, and PDF has fulfilled this role until now (barring the dimwits who still send Word files around). Allowing PDF to include executable content is not only dumb - it will eventually destroy PDF as a trusted format.
Enjoy life! This is not a dress rehearsal.
How exactly is an Adobe exploit news? This happens all the time.
This is my signature. There are many like it, but this one is mine.
Sent from my iPhone.
Stevie
PDF has always seemed to me like a solution in search of a problem. There were plenty of better alternative formats available, both editable and non-editable. Then Adobe helped one of its former executives get elected to the Senate and the gov't suddenly decided that PDF was going to be official format of all government documents forever-and-ever-amen.
One of the first things that I do on my customers' servers (after asking permission, of course) is uninstall Acrobat. They're generally thankful that we're concerned about the security of their systems, and frequently unaware that Acrobat was even on the thing to start with.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
The saddest part of that downmod is that he's absolutely right. Just before uninstalling it and replacing it with Foxit, I checked the credits for Reader, and almost all of the names were clearly Indian.
Show us the code Adobe. We of the nerd community would have had that problem fixed for you long ago.
Bibo Ergo Sum.
When an industrial standard is dominant with implementation from different vendors (think WWW, JPEG, ODF, XMPP and even PDF), there is interoperability and better security through diversity. When a single product dominates (think Flash, Windows), we bring "write once, play everywhere" to malicious code writers.
What a confusing mixture of product names and version numbers. Do they mean to group as in (Adobe Reader and Adobe Acrobat ) 9.x or Adobe Reader x.x and Adobe Acrobat 9.x ?
I don't doubt there's sloppy programming involved, but this sounds like a flaw in the spec... who the hell reviews the PDF spec and how much does Adobe pay them to approve of things like allowing code execution when it's supposed to be a secure document spec that is a mandated standard in critical venues like government and legal filings.
Make sure everyone's vote counts: Verified Voting
Why do you need _______ on a computer? Ink and paper should be good enough for anyone.
Look, I hate the PDF mess too, but the Luddite arguments against it have to stop. The problem is lack of effective sandboxing. You may want to believe that any document should only ape dead trees, but the rest of the world can actually find utility in interactivity. And honestly, I think you can too. You're just letting frustration get the better of you.
We've got to stop the eye-rolling raging granddad comments about PDF. It's like the arguments against CRT versus paper rolls for terminals back in the day -- it has no traction. That's not your lawn, and those aren't kids.
Only Mac users with Adobe Reader set as the default PDF reader (like many Fed Macs) are affected. The fix is to revert back to factory settings with Preview as default, and only open trusted pdfs with Adobe Reader. (required for some gov't apps)
I wonder about this. I'm sure it's a rather complex issue (that will be picked apart time again for years to come), but the one idea that leapt out at me was one you pointed out:
... HTML5 core part of browsers will likely be much better maintained & secured than [Flash], will help.
HTML5 may not be a silver bullet, but my intuition tells me we'll be much better off. But not having a clear idea of exactly why this is and spouting my intuition out, while perhaps a Slashdot tradition, is not very constructive, so I offer this intuition with this disclaimer.
Note: This is prerelease code:
http://labs.adobe.com/downloads/flashplayer10.html
"Flash Player 10 Prereleases
This page contains download information of developer prerelease and beta versions of Adobe® Flash® Player 10 software for Windows, Macintosh, Linux, Solaris, and Android. It is being made available for developers to test their content to ensure new features function as expected, existing content plays back correctly, and there are no compatibility issues. Consumers can try the prerelease of Flash Player 10.1 to preview hardware acceleration of video on supported Windows PCs and x86-based netbooks. The Flash Player 10.1 prerelease is available in all supported languages; however, the prerelease installers are only in English and we can only accept feedback in English at this time."
Some days it's just not worth
chewing through my restraints.
It's pretty obvious that Adobe added SWF support because it's another Adobe product, not because it was what modern documents really need. It's also pretty obvious that this is one of the biggest things you can do to make PDFs even more insecure. I recall the first time I read about this feature, and how I immediately thought of how stupid it was and that it begged for an Xzibit style comment: "Yo dawg, I heard you hate security, so we put Flash in your PDF so you can get exploited while you get exploited"
This is my signature. There are many like it, but this one is mine.
"Go screw yourself" as you said to Apple.
I cannot imagine who on earth would want Flash content in PDFs. I imagine it is still some brainless marketing fuck at Adobe who thinks PDfs will trump Powerpoint for presentation and so they have to cram in just as much useless shit as can be crammed into a pptx/pps file.
What truly fucking bothers me is that the "fix" they offer is not a fix at all. Installing a release candidate Flash player across a company will not be easy in many cases and who the fuck is going to go searching for craptasticadobeshit.dll on all their machines. Sadly, this is such a problem that you have no choice, unless you want to block all Flash content and in many industries, such as media or design, that's simply impossible.
Adobe is so fucking lost it's not funny. Their Flash player is a buggy, unsecure piece of shit. Their Acrobat PDF Reader is even worse, slow to start up, full of utterly useless shit that easily 99% of people who need to view a pdf don't need, and regularly an opportunity for malware authors to get at your machine. On top of this, Adobe is so choking on their shit that they coded almost all the dialogs in the new CS5 suite in fucking Flash, leaving previously satisified customers seething with anger because dialogs that were already pretty unstandard in the last two version of the CS ballsup are now more often than not, simply not working anymore.
For the love of God, please someone, anyone, make a decent alternative to the CS suite so we don't have to put up with Adobe's increasingly bizarre attempt to remain relevant by shovelling ever more shit into what were previously perfectly good apps!
I mean, really yet AGAIN? That is it: rm /usr/lib/flashplugin-nonfree/libflashplayer.so
Thanks Adobe, you help keep the Internet a fun and exciting place for everyone!
There were plenty of better alternative formats available, both editable and non-editable.
Such as?
The point of PDF wasn't about editable or not editable, which is probably why you think it was a solution in search of a problem.
The PDF format started out as a way to ensure complete display fidelity across display media and platforms. Unlike a word processor file, you did not have to worry about rendering differences, formatting inconsistencies, whether the destination system had the proper fonts or supported a given typographical control. These were the days before you could embed fonts in your .doc file and before hardware was powerful enough to piece together a Photoshop or Illustrator file on the fly.
It was a lightweight format for documents consisting of type and media files. Then Adobe started cramming everything under the sun into it, piling on code year after year in its ever-bloated Acrobat (a development model shared with almost all Adobe software). The fact that it was a finished display format meant that end-user editing was generally not possible with the viewer software. That wasn't the point of the design, it was just a consequence of the focus on display rather than creation--one that some people liked and one that others despised. Hence editable forms and the whole array of "interactive PDF" tools that got crammed into Acrobat.
PDF itself is still pretty lightweight and powerful, and it's extremely useful for compositing (OS X uses a very similar framework in its desktop compositor, hence the seamless PDF integration with Macs--and PDF rendering speed blowing the doors off anything Adobe has shipped in 15 years).
PDF is an ideal document format for ensuring everyone gets the same file in that you can make it once and show it everywhere. LaTeX is a tool for professionals, geeks, and typesetters. PDF is the only successful format for everyone.
If I want to uninstall Adobe reader and install a lite viewer that lets me read PDFs without support for all the SWF/Javascript/Kitchen Sink extensions, what is the best viewer package (for Windows)?
Funny thing is, they are at RC7 level and I have been testing RC series on Mac PPC since the first RC, they aren't that crashy or buggy.
They could simply hurry with the couple of major issues (if there is) and rush out Flash 10.1. It would be way better than infecting people's machines because they use your plugin.
Same for Adobe reader... Wonder if they are coding this Sunday or having some "rich corporate coder" life as usual. Just imagine the speed of fix if this was some no-name 3 developer open source project at sourceforge. As far as I followed open/free software, they would make couple of coffees and launch their IDE right away.
OK I think the Adobe Reader is GREAT product. But it pisses me off about the amount of cunts who develop the exploits - to deliberately target and rip off people, through using this product. Fuck them.
.
Voting up, Voting down - If I really gave a fuck about your approval or not, I'd come and ask you.
You can download a flash player uninstaller from Adobe.
gee im glad now too
"Vincenzo Iozzo and Ralf Philipp Weinmann succeeded in exploiting the iPhone in the first time slot. They exploited a Safari vulnerability with a payload which retrieved the text messages from the device. Charlie Miller (Twitter: 0xcharlie) competed successfully for the third year in a row, taking home the MacBook Pro via a Safari exploit which delivered a full command shell payload." In case you missed it " for the third year in a row"!!! Before blaming all the evils on the internets on Flash some companies got some hole plugin' to do :P
http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010
Really...again yet another zero day attack....i wish we could see 100 days of zero attacks....that would be nice.!
Yawn... every 2 week the same ol same ol.... Adobe releases security bulletins describing critical security holes. Nothing new here!! I'm surprised that the updates actually affect the Linux versions. Usually, the security holes are only affected for Windows, not Linux.
What alternatives exist that are secure?
For PDFs - I know of a few other applications that can open them. For Flash? Is there anything?