Adobe Warns of Flash, PDF Zero-Day Attacks

InfosecWarrior writes "Adobe issued an alert late Friday night to warn about zero-day attacks against an unpatched vulnerability in its Reader and Flash Player software products. The vulnerability, described as critical, affects Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems. It also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh, and Unix operating systems."

Good thing ...

... my iPad isn't affected !

Re:Good thing ...

[hedwards]

Um, neither is my FreeBSD box, you make it sound like that's a good thing. As long as the other platforms use Flash, you're just kinda left out in the cold.

Re:Good thing ...

[ushering05401]

It is a good thing when non-technical customers start saying they are sick of the trauma of using a dominant proprietary product. Whether or not that results in a willingness to embrace an alternative is a different matter, but it is a start.

Re:Good thing ...

[AnonymousClown]

As long as the other platforms use Flash, you're just kinda left out in the cold.

Pfft. There's plenty of porn on MP3 and WMV.

Re:Good thing ...

[MrHanky]

You would have a point if the same non-technical customers weren't happily tied to use iTunes.

Re:Good thing ...

[Vekseid]

Some of my non-technical clients are getting plenty fed up with iTunes. There is plenty of room for something better to come along.

Re:Good thing ...

[Darkness404]

Not if you use an iPod or iPhone.

Re:Good thing ...

[Culture20]

And my non-techy friends are buying android phones and saying they got a phone just like my iPhone. Apple failed to remain different.

Re:Good thing ...

[Darkness404]

Oh Apple is still different just different as in "we're not going to give you what you want unless its what we want".

Re:Good thing ...

[jo_ham]

Shame they're stuck on 1.6.

*ducks*

Re:Good thing ...

[testadicazzo]

No, he has a point whether or not the same non-tech customers are still tied to iTunes.

A step in the right direction is a step in right direction. Maybe getting rid of all proprietary formats would be better, but an improvement is an improvement, whether or not there is more which could be improved.

Re:Good thing ...

[Runaway1956]

Did you just say "jailbreak"? My kid has an iPod that was jailbroken within 4 hours after he got it. (Not a new one - he bought a used one, just so he could jailbreak it. Wasn't worth the risk of bricking a NEW phone!"

Re:Good thing ...

Let them actually USE the iPhone and they'll know different. On paper and via spec sheets, everything "looks" to be the same, but, even at this point, Android just doesn't have the "fit and finish" of the iPhone OS.

Re:Good thing ...

Its close enough that honestly no-one but a picky, geeky, myopic, crazy would notice on day-day usage.

Re:Good thing ...

Pfft. There's plenty of porn on MP3 and WMV.

For the love of gawd folks, please provide citations.

Re:Good thing ...

Dude, look up humor in a dictionary. You'll find a screenshot of the Good thing... post

Re:Good thing ...

[Quixotic+Raindrop]

Wait, so ... Flash is buggy, and a security risk?!? WHO FREAKING KNEW?!? (oh, that's right. Steve Jobs did. Thank God.)

Re:Good thing ...

MP3 porn ?

Are you some kind of pervert ?

Re:Good thing ...

[DJRumpy]

Why would you think you are tied to iTunes with an iPhone. You do realize that the music in the iTunes music store are simple AAC (un-encrypted at that). The iPhone/iPod Touch/iPad hardware will play standard MP3 and AAC without issue, which pretty much covers just about any music store out there. There are also a ton of open source alternatives to iTunes. iTunes exposes a standard XML which can be used to maintain the library with any third party software.

Try harder....

"Not if you use an iPod or iPhone."

Re:Good thing ...

[MrHanky]

Not at all. Flash is available for several platforms; iTunes only for Windows and Mac. Flash is a resource hog on OS X and Linux, iTunes is a resource hog on Windows (and possibly on OS X too, but you can't properly remove it, so you would never know). Flash content can be accessed by other clients (gnash and that new plug-in), iTunes actively locks out clients not approved by Apple (like Palm Pre). iTunes is designed to make it difficult for the consumer to switch to less expensive hardware, Flash in't.

Re:Good thing ...

[paimin]

Where did all the Apple haters go? I thought Flash was "the whole internet" and "drop-dead gorgeous", and big evil Apple was ruining everything by using their mystical powers of mind control and beating up on poor little Adobe.

Oh, I see, everyone just took off their Apple hater hats and put on their Flash hater hats.

Re:Good thing ...

[HiThere]

Largely a different group of people. When you homogenize your idea of the audience, you loose crucial perspective.

FWIW, I use neither Apple nor Flash, and will happily bash either, as appropriate. I consider Flash trashy and a security risk, and Apple has an intolerable EULA, despite the nice hardware.

Re:Good thing ...

[toriver]

Because iTunes has two roles: One as a music library and player (like WMP), and the other as a sync program for Apple's devices (like HotSync for Flash back in the day).

Other devices come without sync software but just mount as a remote disk, letting the tech-savvy user navigate cryptic folder structures themselves instead.

Re:Good thing ...

[king+neckbeard]

Some people are capable of hating Adobe and Apple, even without hats. In fact, a lot of the criticisms of one apply to the other. Both companies have been proponents of open systems while not being that open themselves.

Re:Good thing ...

[zippthorne]

iTunes is mediocre, but everything else plain sucks. It's not Apple's fault everyone else is barely even trying.

Re:Good thing ...

[paimin]

If people hate Apple's tactics, fair enough. What I do think is utterly ridiculous is this recent pro-Flash line that's been going around, as if Flash and Adobe aren't at least as much of a scourge as Apple.

If you hate anything proprietary and any kind of tech lock-in, then you hate both Apple and Adobe. But the Apple-hate crowd jumping on the bandwagon and acting like Flash is getting some kind of raw deal is pure hypocrisy.

Re:Good thing ...

[Quixotic+Raindrop]

Not everyone.

<-- admits to being an Apple fanboy. I've hated Flash from the outset; nothing against Adobe /per se/, just that from "GO!" Flash was a memory hog, still leaks even today, and was a major security backdoor through which an otherwise fairly secure web browsing experience could be hijacked, and rather easily.

Apple's recent changes to drive lock-in, such as through the App Store, don't sit well with me, but I'll wait and see what the outcome is. Flash is a miserable piece of crap, and always has been. Forgive me for continually despising it, but I do loathe it so.

Re:Good thing ...

[flowwolf]

I've tried syncing to my iphone with different systems. It doesn't work. We iphone users are stuck with itunes if we want to easily sync music. The other way makes things even more difficult than itunes did in the first place. sigh. I'll compromise though because android isn't nearly as polished yet. I want to do android but I feel like it'll be an overall step backwards.

Re:Good thing ...

[cheeseboy001]

Are we thinking of the same iTunes? Any music from earlier than last year has DRM and will pretty much only work on an iPod. Heaps of other music stores sell music in WMA format with DRM, which decidedly won't work on Apple hardware. The iTunes library format and the iPod syncing protocol are anything but standard, and while there are a few alternatives to iTunes (which in my experience are not that great), they're only around because of the massive reverse-engineering effort the community's put in. I'm not sure why you got Insightful for that...

Re:Good thing ...

[DJRumpy]

http://www.simplehelp.net/2007/07/08/10-alternatives-to-itunes-for-managing-your-ipod/

They also missed a few others like EphPod:
http://www.ephpod.com/

A few minutes on google will find you a decent depth of choices on Linux, Mac, and Windows.

Re:Good thing ...

I think the point is, that you don't have to buy your music from iTunes music store, and you don't have to use iTunes. If you do choose to use iTunes, the music is unencrypted AAC, and will work on any modern player.

If you happen to have older stuff that is encrypted, you can use any number of FOSS to decrypt it, or simply burn it and re-rip it using any old RW disc which will also un-encrypt it.

It's not rocket science. Even non-technical folks know how to burn and rip music. You can do about a 1000 songs in an hour or so on any modern burner. Since the bitrate on these AAC's is pretty high to begin with, there is little loss in quality.

Re:Good thing ...

[Wovel]

Your non-techy friends are wrong :)

Re:Good thing ...

[king+neckbeard]

Those who are blessing Flash only because Apple is hating it are quite annoying. They are almost as bad as those who hated tablets for years, and now want a non-Apple tablet because Apple made people fogret how much they hate tablets. There are plenty of good reasons to hate Apple, so I don't see a point in defending Adobe. I sort of like this 'war' myself, since I want Flash gone and only Apple users and Flash devs suffer, and I'm not part of either group.

Re:Good thing ...

[Wovel]

So it is Apple fault that others stores used a proprietary DRM format? DRM was all the record labels decision anyway. Apple removed it and offers a relatively inexpensive upgrade for anything you already own.

Re:Good thing ...

[Wovel]

Real flash content can not be accessed by gnash. I suspect you already knew this, but decided trying to make a point was > than your integrity.

Re:Good thing ...

What does WMA have to do with iTunes? That's an MS thing. If you bought music in that format, you should probably surrender your geek card.

Re:Good thing ...

[AHuxley]

Some recall the font wars, we know the lock in of Apple and its itoy range.
I like the webcam broadcast interactivity of Flash.
Then you have the flash cookies and ongoing security issues.
So people enter the debate from different areas and perspectives.

Re:Good thing ...

[malkir]

Oh Apple is still different just different as in "we're not going to give you what you want unless its what we want".

Why is this modded troll? I use apple products, and this seems to be right on point.

Re:Good thing ...

[MrHanky]

Potentially, it can, depending on man hours (Flash is no less open that Apple's HTML5). Although non-Apple approved hardware "can" access iTunes, Apple actively makes sure it can't. I suspect you already knew this, too. So fuck integrity, eh?

Re:Good thing ...

[ball-lightning]

I really have to disagree. I don't own an iPhone nor do I ever plan to, but the touch recognition (I have an iTouch) is much better. I continually fat finger EVERYTHING on the Incredible.

Re:Good thing ...

You forgot to say that it is very slow. Maybe some of it is caused by bugs but I'm much more annoyed at how slow it is then how buggy it is.

Re:Good thing ...

Negative. The iTunes software is required to activate an iPhone. It is also largely necessary to transfer music to and from an iPhone. Until VERY recently, the major linux distros didn't even HAVE a solution for dealing with music on a non-jailbroken iPhone.

Re:Good thing ...

How do you buy music from the iTunes store without using iTunes ? To a lot of people iTunes is more than just the software that plays music.

Re:Good thing ...

You don't have to buy any music from iTunes. You can buy it anywhere. They are also working on a purely web based interface for iTunes if I recall, meaning you wouldn't have to install iTunes at all if you're only interested in purchasing music.

Re:Good thing ...

You do realize it has nothing to do with playing music or the iTunes library at all. iTunes is the only software that can sync the iPhone unless it's jailbroken. Even e-mail sync runs through iTunes. I know it sounds like iTunes should be a music player but Apple has expanded it into their mobile sync application. Apple doesn't allow you to use any alternatives. Period.

Re:Good thing ...

I think you missed the point entirely. No one gives a shit about ripping music. iTunes is the only app that can properly do mobile sync with Apple's devices.

Re:Good thing ...

[jamiegau]

If you have an iPhone or iPad, you HAVE TO USE itunes No choice. Thats what he is saying... Apple CONTROLS you, not the other way around, and thats why it gets so much push back by the smarter people on here. What are you?

Re:Good thing ...

[AmiMoJo]

You still need iTunes to get the music on to the iPod. Apple encrypted the database to lock out 3rd party apps.

Re:Good thing ...

[DJRumpy]

The backups from an iPhone or iPod can be encrypted. The iTunes db is not encrypted. Managing the database is as simple as copying some files to the proper locations, and modifying an XML.

[Basic info on the XML interface and hte db locations]
http://support.apple.com/kb/ht1660

Here are some free alternatives to iTunes. A few minutes of Googling should net you a larger list:

http://www.copytrans.net/copytransmanager.php

http://techcrunch.com/2010/03/10/doubletwist-podcasts-android/ (also works with a variety of devices including Android)

http://ipod.about.com/od/introductiontoitunes/tp/itunes_alterns.htm

Re:Good thing ...

[DJRumpy]

Here is the more Geek-centric info on the XML itself (schema info, key info, etc).

http://www.xml.com/pub/a/2004/11/03/itunes.html

VERY useful site if you're interested in tweaking the XML directly.

Re:Good thing ...

[testadicazzo]

The degree to which you are missing the point is disturbing. It almost makes me wonder if you are being deliberately obtuse, but I assume not.

People using flash and people using itunes are orthogonal, independent. Whether using flash or using itunes is more negative is irrelevant to either my point or to the OP.

Look at it this way: Mr. X kicks puppies and kittens every day. One day someone teaches him that puppies have feelings, and mr X stops kicking them. He continues to kick kittens however.

Is mr X's cessation of his puppy kicking not a good thing? Of course it's a good thing. It would be better if he would additionally stop kicking kitties, but the net harm being done is reduced, so it's a good thing. A step in the right direction is a step in the right direction, even if you haven't reached your goal yet.

Whether or not it's worse to kick kitties or to kick puppies is completely irrelevant. If you're doing both, and you stop doing one, it's an improvement. Additionally, if mr X. learns that kicking puppies is wrong, we have raised mr. X's awareness, and it may make it easier to teach mr X that it's wrong to kick kitties, by analogy. Oh Look! The same argument applies to using proprietary tools for music and video. Wow!

Re:Good thing ...

[MrHanky]

Your analogy is stupid and wrong.

Flash for the iPhone WHEN???

[swb]

Figure it out, Steve. Every other platform is getting Flash, I want the same opportunity for malware exploits that other mobile platforms will be getting.

Re:Flash for the iPhone WHEN???

[dazjorz]

I've heard some rumors that Steve himself is responsible for the exploit ;-)

Re:Flash for the iPhone WHEN???

[cpghost]

At least, we FreeBSD-ers aren't getting Flash... I guess we were lucky this time.

Re:Flash for the iPhone WHEN???

[Conley+Index]

Why do you think, "we FreeBSD-ers aren't getting Flash"?

I do have (the Linux version of) Flash 10 installed on my FreeBSD 8 amd64 systems and running it in a native FreeBSD amd64 Firefox. (Of course, it is usually blocked by noscript and flashblock.) A few years ago that might have been difficult to get running, but now it is just ports.

If we really want Flash is another story...

Re:Flash for the iPhone WHEN???

[WrongSizeGlass]

Of course, it is usually blocked by noscript and flashblock.

This appears to be a SWF file being run by Adobe Reader or Acrobat. Browser based plugins aren't going to help when it's opened by a desktop application.

Re:Flash for the iPhone WHEN???

[davester666]

Steve Nash? I suppose, since the Suns are out of the playoffs and he's got a bit of free time...

Re:Flash for the iPhone WHEN???

[king+neckbeard]

I doubt anyone using flashblock will use an Adobe PDF reader, and I don't think any other readers have implemented SWF playback

Re:Flash for the iPhone WHEN???

[hedwards]

Nah, it's Steve Wonder, he's kind of pissed about being left out of this whole Flash thing.

Re:Flash for the iPhone WHEN???

[hedwards]

I'm finding that gnash seems to fill my needs for things like Youtube, which lets face it is the only real reason why anybody wants flash apart from web games. And with Youtube's owners being interested in ditching flash, I'm not sure how much longer it will even be needed for that.

Re:Flash for the iPhone WHEN???

While 'Youtube's owners' may not want to be shackled to flash, I dont see any indicators pointing to them "being interested in ditching flash". It's just another medium for them, I'm sure. The more "devices" they reach, the better for them. Flash gets them a huge audience, easily.

Re:Flash for the iPhone WHEN???

[toriver]

Since the "open" Flash is only "open" if you want to make dev tools and Adobe maintains a monopoly on making runtimes (Gnash does little more than open FLV container movies), "every other platform" excludes anything Adobe do not see a reason to spend resources on. No Flash on Nintendo DS, Sony PSP, the PS3 browser - the list goes on. Just because the few-ish platforms Flash runs on are dominant does not mean every other platform than the Apple devices has Flash.

Re:Flash for the iPhone WHEN???

[evilviper]

I do have (the Linux version of) Flash 10 installed on my FreeBSD 8 amd64 systems and running it in a native FreeBSD amd64 Firefox.

Unfortunately, those of us on FreeBSD 7.x, 6.x or perhaps even below, are limited to Flash 7. And frankly, I haven't even been able to get that port to work. And that's even after I reluctantly accepted the need to have hundreds of MBs of Linux binaries installed for a single application...

Re:Flash for the iPhone WHEN???

[Lennie]

1. Youtube's owners, would be Google
2. lookup the WebM annoucement from Google at Google I/O hint it's about On2/VP8 and Ogg and even Youtube

Re:Flash for the iPhone WHEN???

[Russellkhan]

This appears to be a SWF file being run by Adobe Reader or Acrobat. Browser based plugins aren't going to help when it's opened by a desktop application.

Which bring us to the question I've been unable to find the answer to: Are you still vulnerable if you don't use Reader or Acrobat? Very few Mac or Linux users use either of those.

Also, what is the OS X/Linux equivalent of authplay.dll? I couldn't find anything called authplay on my Linux box.

Re:Flash for the iPhone WHEN???

[Russellkhan]

(Of course, it is usually blocked by noscript and flashblock.) A few years ago that might have been difficult to get running, but now it is just ports

I've never understood why anyone would use both Noscript and Flashblock. I stopped using Flashblock years ago when Noscript added support for blacking Flash content. Is there some advantage to running them together, or is it just a belt & suspenders thing?

Re:Flash for the iPhone WHEN???

[drinkypoo]

Unfortunately, those of us on FreeBSD 7.x, 6.x or perhaps even below, are limited to Flash 7.

Your OS is old. Upgrade. If people running Windows XP don't get any slack for new stuff not working, neither do you.

Look at the credits for Adobe Reader.

Look at the credits for Adobe Reader. Notice that the names are almost all Indian.

If you've ever worked with software developed in India, you'll immediately understand why problems like this are so common with products like Reader and Flash.

Re:Look at the credits for Adobe Reader.

[Bert64]

Problems like this are common because reader and flash are ubiquitous, flash because it has no viable alternatives and reader because most users don't realise that there are far superior pdf viewers out there (i've even seen people install reader on macs where a far superior pdf viewer comes by default)...

Re:Look at the credits for Adobe Reader.

Completely agree. Over the years I have developed a complete disdain for Indian developers. The majority of these guys have no idea what they are doing and have next to zero experience. I have learned to expect to be let down when working with a team of Indian developers as every project I've ever been on where work was out-sourced to India, the Indian team has failed to deliver an acceptable product, leaving us to pick up the pieces. I would rather work with college interns any day of the week - they at least care about doing their job well. Unfortunately, the management types can't see beyond the cost savings and don't understand the concept of 'you get what you pay for'.

Granted, there are certainly quality developers in India, but the majority of these guys are farmed by the dozen to be nothing more than coding monkeys and have next to zero talent.

Of course this is a troll comment because it's not PC, but its an unfortunate truth in the IT world today. It just really pisses me off, so I had to rant...

Re:Look at the credits for Adobe Reader.

[rudy_wayne]

Problems like this are common because reader and flash are ubiquitous,

No, problems like this are common because companies keep cramming more and more unnecessary crap into their software. From the article:

In the absence of a patch, Adobe recommends deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x. This will mitigate the threat but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

Why do you need "SWF content" in a PDF file? And then there was the story from a couple months ago about the ability to embed executable commands in a PDF file, and it it isn't a flaw - it's a feature built into the PDF spec. Sloppy programming combined with more and more crap that doesn't belong, guarantees that these problems will keep showing up.

Re:Look at the credits for Adobe Reader.

troll? Somebody doesn't like the truth. There are a lot of people in India. They produce a lot of high quality, top notch, computer scientists. But they also produce average, above average, and below average programmers. So a company outsources to India because they want to save money. Well, the outsource shop wants to make money, and that means getting cheap labor. Good quality Indian talent works for less than good quality American (or European or whatever) talent in the same way that low quality Indian talent works for less than good quality Indian talent. It's a fucking race to the bottom and Indian colleges are printing cs degrees like Ben Bernanke prints dollars.

Re:Look at the credits for Adobe Reader.

You don't need it, but some people want it, so everyone gets it.

They probably don't even need to use a PDF file at all.

Re:Look at the credits for Adobe Reader.

Problems like this are common because reader and flash are ubiquitous,

No, problems like this are common because companies keep cramming more and more unnecessary crap into their software. From the article:

In the absence of a patch, Adobe recommends deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x. This will mitigate the threat but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

Why do you need "SWF content" in a PDF file? And then there was the story from a couple months ago about the ability to embed executable commands in a PDF file, and it it isn't a flaw - it's a feature built into the PDF spec. Sloppy programming combined with more and more crap that doesn't belong, guarantees that these problems will keep showing up.

Ironically, Adobe abandoned PostScript in favor of PDF because PostScript was executable and could be exploited by malicous people. That, speed (hard to understand if you compare PostScript documents with the PDFs of today), size (PDFs are usually larger than the same documents as a ps.bz2-file (or even ps.gz)) and searching in document (yeah, thats a laugh) was the reason I have heard for abandoning the beautiful, simple, very evolved and rock solid PostScript for the complicated kludge that is PDF. I think the real reason was that it is so simple to create good PostScript-tools that everybody can do it (and did), not just Adobe.

Re:Look at the credits for Adobe Reader.

[cusco]

PDF has always seemed to me like a solution in search of a problem. There were plenty of better alternative formats available, both editable and non-editable. Then Adobe helped one of its former executives get elected to the Senate and the gov't suddenly decided that PDF was going to be official format of all government documents forever-and-ever-amen.

One of the first things that I do on my customers' servers (after asking permission, of course) is uninstall Acrobat. They're generally thankful that we're concerned about the security of their systems, and frequently unaware that Acrobat was even on the thing to start with.

Re:Look at the credits for Adobe Reader.

The saddest part of that downmod is that he's absolutely right. Just before uninstalling it and replacing it with Foxit, I checked the credits for Reader, and almost all of the names were clearly Indian.

Re:Look at the credits for Adobe Reader.

Why do you need "SWF content" in a PDF file?

Why do you need _______ on a computer? Ink and paper should be good enough for anyone.

Look, I hate the PDF mess too, but the Luddite arguments against it have to stop. The problem is lack of effective sandboxing. You may want to believe that any document should only ape dead trees, but the rest of the world can actually find utility in interactivity. And honestly, I think you can too. You're just letting frustration get the better of you.

We've got to stop the eye-rolling raging granddad comments about PDF. It's like the arguments against CRT versus paper rolls for terminals back in the day -- it has no traction. That's not your lawn, and those aren't kids.

Re:Look at the credits for Adobe Reader.

[king+neckbeard]

It's pretty obvious that Adobe added SWF support because it's another Adobe product, not because it was what modern documents really need. It's also pretty obvious that this is one of the biggest things you can do to make PDFs even more insecure. I recall the first time I read about this feature, and how I immediately thought of how stupid it was and that it begged for an Xzibit style comment: "Yo dawg, I heard you hate security, so we put Flash in your PDF so you can get exploited while you get exploited"

Re:Look at the credits for Adobe Reader.

[mr_matticus]

There were plenty of better alternative formats available, both editable and non-editable.

Such as?

The point of PDF wasn't about editable or not editable, which is probably why you think it was a solution in search of a problem.

The PDF format started out as a way to ensure complete display fidelity across display media and platforms. Unlike a word processor file, you did not have to worry about rendering differences, formatting inconsistencies, whether the destination system had the proper fonts or supported a given typographical control. These were the days before you could embed fonts in your .doc file and before hardware was powerful enough to piece together a Photoshop or Illustrator file on the fly.

It was a lightweight format for documents consisting of type and media files. Then Adobe started cramming everything under the sun into it, piling on code year after year in its ever-bloated Acrobat (a development model shared with almost all Adobe software). The fact that it was a finished display format meant that end-user editing was generally not possible with the viewer software. That wasn't the point of the design, it was just a consequence of the focus on display rather than creation--one that some people liked and one that others despised. Hence editable forms and the whole array of "interactive PDF" tools that got crammed into Acrobat.

PDF itself is still pretty lightweight and powerful, and it's extremely useful for compositing (OS X uses a very similar framework in its desktop compositor, hence the seamless PDF integration with Macs--and PDF rendering speed blowing the doors off anything Adobe has shipped in 15 years).

PDF is an ideal document format for ensuring everyone gets the same file in that you can make it once and show it everywhere. LaTeX is a tool for professionals, geeks, and typesetters. PDF is the only successful format for everyone.

Steve Jobs wins.

Steve wins, again.

The new Jobs equation

[m0s3m8n]

Blu-Ray = Flash = Bag of Hurt.

Re:The new Jobs equation

[toriver]

Blu-Ray uses Java. Where do you see Flash in Blu-Ray?

In other news...

[Bieeanda]

...a patch will be released sometime in the Fall quarter.

Give us Flash on iStuff now!

Woo! One more argument for having Flash on the iPad and iPhone.

Zero-day?

Am I the only one sick of the "zero day" buzzword?

It's a vulnerability/security hole. Stop creating new 1337 buzzwords, please. It got old years ago and if I hear "zero day" one more time I'm going to go nuts and take a sniper rifle up to the top of a bell tower and start picking off wannabe technology journalists. (no, FBI and ATF I won't be doing that but I can dream of it!)

Re:Zero-day?

Fine.

Adobe Warns of Flash, PDF Negative-One-Day Pwnage

Re:Zero-day?

Am I the only one sick of the "zero day" buzzword?

Not nearly as sick of hearing about "software ecosystems." That one moved to the top of the jargon file of every Microsoft executive after BillG said it once.

Re:Zero-day?

[Culture20]

Am I the only one sick of the "zero day" buzzword?

No, but I'm only annoyed when people misuse it. Zero-day has a specific meaning that is an important distinction when talking about vulnerabilities and exploits. When I hear "Zero-day", my immediate response is: "Oh ^&@#$, who put in strange trouble tickets the last few days?" and "Yay, Overtime for out of cycle Microsoft/Adobe patching."

Re:Zero-day?

[Alwin+Henseler]

Buzzword or not, "zero day" means a vulnerability that is already being exploited by the time it's published. If vulnerability is published but no exploit exists -> no zero day.

Regardless of what you think of reasons for using that "zero day" label, this is very relevant to end-users: zero day -> you're at risk, NOW. No zero day -> you're probably safe (for the time being, that is).

Re:Zero-day?

[BitZtream]

Wrong

Zero Day means freshly discovered exploit. Period.

It means brand new, not yesterday, just found today.

It started with zero day warez, which meant you could get them from IRC or the FTP site the day they were released, not later.

End users don't know shit about zero-day, it means nothing to them, as stated above its nothing more than a scary buzzword that they don't understand.

Newbies like yourself need to not tell people where these words came from when you weren't around when they were created.

Re:Zero-day?

[guruevi]

No zero day -> You're probably safe for the next 24 hours, less if you're on Windows.

Re:Zero-day?

[selven]

Zero day -> you're at risk, now.

No zero day -> well, we published the vulnerability, so it'll take 12-48 hours for someone to write and start using an exploit.

Re:Zero-day?

[Leebert]

Not entirely correct, historically it meant an exploit that was discovered by the vendor by the fact that it was being exploited. Meaning, they had zero days to develop a patch.

So if, for example, someone reported this to Adobe previously, and Adobe hadn't fixed it yet, then it isn't a zero day exploit. If Adobe only found out about the vulnerability because people were exploiting it, it was a zero day vulnerability.

Which might be what you were saying, but it didn't come out unambiguously that way. :)

Re:Zero-day?

Wrong.

Zero day means means the exploit was fully disclosed to the public without giving the vendor a grace period to release a fix.

Warez kiddies like yourself need to stop acting like you know everything just because you can use FTP.

Re:Zero-day?

[Alwin+Henseler]

It means brand new, not yesterday, just found today.

I think you may be confusing 'found' with 'published'. Until a vulnerability (or an exploit using that vulnerability) is published, there's no way to know for sure it isn't being exploited. The only way to be sure, is if you are doing the exploiting, or you see yourself being exploited. Lacking that, you won't know if a vulnerability exists, and maybe it's being exploited somewhere below the radar. "Zero day" just means that 'being exploited' and 'published' have an overlap in the same 24-hour timeframe.

Re:Zero-day?

Zero Day means freshly discovered exploit. Period.

No, it means exploit freshly discovered by someone other than the software maker, and other than someone who only tells the software maker.

No need to a asshole about correcting someone, especially when you're wrong to begin with.

Re:Zero-day?

[cpghost]

It got old years ago and if I hear "zero day" one more time I'm going to go nuts and take a sniper rifle up to the top of a bell tower and start picking off wannabe technology journalists.

Wouldn't that qualify as a "zero day" sniping attack?

Re:Zero-day?

you know you're getting old when w4ReZ puppies are old schoolers...and correct.

Re:Zero-day?

You do understand there were 0 day warez releases before MS dos even existed right?

Re:Zero-day?

[the_humeister]

What I want to know (but neither the summary nor Adobe's announcement say) is how the exploit actually works. No details are given other than that the reader and flash are vulnerable.

Re:Zero-day?

[dave562]

I present the motion that from this moment, we substitute "fresh no day" for the term "zero day". It was good enough for warez kids so it will be good enough for security researchers.

Re:Zero-day?

Wrong

Zero Day means freshly discovered exploit. Period.

It means brand new, not yesterday, just found today.

It started with zero day warez, which meant you could get them from IRC or the FTP site the day they were released, not later.

End users don't know shit about zero-day, it means nothing to them, as stated above its nothing more than a scary buzzword that they don't understand.

Newbies like yourself need to not tell people where these words came from when you weren't around when they were created.

There's a reason the post you responded to is rated 5 Informative and yours isn't. Your comments are especially interesting because the author of that post has a lower ID than you do so I'm not sure I'd be so quick to make claims on "newbies" status.

With that said, there is a source that disagrees with you: http://en.wikipedia.org/wiki/Zero-day_exploit

And get off my lawn.

Re:Zero-day?

[TheLink]

Not sure if it's related to the announcement, but today when I opened a whole bunch of Yahoo Finance pages at a go, I got an "open/download p.pdf" prompt. By reflex I cancelled that (and I don't use Adobe for PDF stuff anyway), but it may mean that someone has managed to use popular servers to infect machines.

Perhaps I should have downloaded and tried analyzing it. Not sure where it actually comes from- yahoo may use 3rd party servers for caching, and nowadays stuff like facebook also gets involved etc.

Re:Zero-day?

[Lars+T.]

It got old years ago and if I hear "zero day" one more time I'm going to go nuts and take a sniper rifle up to the top of a bell tower and start picking off wannabe technology journalists.

Wouldn't that qualify as a "zero day" sniping attack?

No, the bulletin is already out before the attack. Well, if he's already climbing the stairs, we can talk about it...

Re:Zero-day?

[frizzantik]

Get out of here with your IRC and FTP, noob.. "Zero Day" has been used since the time of BBSes

Re:Zero-day?

Urgh. I've only known the scene since mid 90's, and I still think you're wrong.

the warez part is right based on prior experience--

But, let's try to be correct. There's two "consumers" of 0-days. Programmers/sysops and crackers.
    0-day does not mean a "fresh exploit". If I buy or find something, it's not a 0-day until it makes its way to the vendor. It's just an exploit. It could exist for MONTHS and still be a 0-day.

What it *really* (effectively) means, is the exploit is not published or documented. It may pass hand-to-hand, it might even exist on a heavily protected forum or lurk around in a dropbox--but it's not KNOWN or available to the world at large.

If you want to get really technical, and claim all exploits that are freshly discovered are 0-days, because only crackers write exploits, you're full of something. There's year old zero-days out there. Probably decades old (Kaminsky DNS bug...).

Re:Zero-day?

You are all wrong. Zero day as a term comes from warez scene and as a term is old enough to buy booze legally in every western country. The freshness of the warez was determined by a day count from release. You see back then warez was commonly snail mailed or transferred with modems (process that could again take days). The best warez groups had a competition to reduce time spent until the mass delivery phase and occasionally some managed to get some warez to masses on the same day they were released by publishers. Hence the term zero day.

It actually used to be uber cool and rare to manage that. I recall vividly waiting for the snail mail to deliver the warez... Took a damned week at worst.

Re:Zero-day?

[v1]

Not entirely correct, historically it meant an exploit that was discovered by the vendor by the fact that it was being exploited. Meaning, they had zero days to develop a patch.

I would slightly adjust (loosen) that definition and say that it's an exploit for which there is not currently a patch available (number of days the patch has been available: zero) whether or not the vendor is aware of it. (and that has just suddenly started being exploited on a broad scale in the wild)

Reason is, we've many times seen things widely described as 'zero day', that when the dust settled, it turned out to be an issue the vendor had known about for anywhere from weeks to even years and had simply not seen it being exploited. (often with references to the 9 months ago when it was submitted and registered in their bugbase) So they believed it would be "extremely difficult to exploit AND extremely difficult to patch" and thus landed at the bottom of the fixit queue.

And if it then starts getting exploited heavily in the wild suddenly, they scramble to make a fix for it and we see "OMG ZERO DAY!" all over the news.

Re:Zero-day?

[dotgain]

I suppose you think they should have posted Proof of Concept Code as well? Believe me, no matter how you and I think the disclosure process should go - it'd be a cold day in Hell if Adobe did this.

Re:Zero-day?

[Leebert]

That's the way it's used now, but that's not what it used to mean. No big deal, though, it's like the word "hackers", it evolved, and we just have to deal with it. :)

Re:Zero-day?

[AHuxley]

When developers are allowed to write quality code, test it and use modern operating systems security functionality "zero day" buzzword ...
Long term learn to enjoy "zero day"

Re:Zero-day?

[Lennie]

Most likely it was download through an ad-network.

Re:Zero-day?

[v1]

agreed. the meaning of a word is not defined by webster, but by the interpretation of the current generation.

Re:Zero-day?

A lot of script kiddies really want to know how it work too.

64 bit Linux

I see the 64 bit Flash plugin for Linux has not been updated. Anyone heard of a timeline for this update?

Re:64 bit Linux

[Sir_Lewk]

I see the 64 bit Flash plugin for Linux has not been updated.

Does that really suprize you?

Re:64 bit Linux

To tell you the truth, yes. Why not update it?

Re:64 bit Linux

[king+neckbeard]

Perhaps because it appears to be a half-assed gesture to make GNU/Linux users shut up about lack of 64-bit support.

Re:64 bit Linux

Given the processors being sold nowadays I'm really surprised that there are still people installing 32 OS on their 64 bit boxes.

Re:64 bit Linux

[0123456]

Perhaps because it appears to be a half-assed gesture to make GNU/Linux users shut up about lack of 64-bit support.

Unlike Windows where there is _no_ 64-bit support.

In any case, I just checked adobe.com and no version seems to have been updated yet.

Re:64 bit Linux

[king+neckbeard]

Windows users don't expect 64-bit versions, and I don't think you can get Windows without the 32-bit libraries. GNU/Linux users may find the only thing holding them back from a completely 64-bit system is flash. Thus, they were the loudest voices complaining about the lack of 64-bit support. It seems odd, though, as I seem to recall parts of CS5 being 64-bit only.

Re:64 bit Linux

[0123456]

Windows users don't expect 64-bit versions, and I don't think you can get Windows without the 32-bit libraries.

My Windows 7 install has 64-bit IE, which is pretty much pointless for the average user without 64-bit Flash. 64-bit Linux can install 32-bit Firefox though I guess you do need to install some 32-bit libraries if the distro didn't do that by default.

Re:64 bit Linux

[0123456]

Given the processors being sold nowadays I'm really surprised that there are still people installing 32 OS on their 64 bit boxes.

One issue is that 64-bit Windows 7 won't run 16-bit apps; there aren't many that are any use these days, but I'm sure there are still businesses reliant on them and it means you can't run old DOS games without an emulator and Carmageddon, for example, won't run acceptably in any emulator I've tried... either the graphics are corrupt, it's too slow to play on a CPU that's 20x faster than recommended at release, or the game timer counts down at 10x normal speed so you can't finish the race before it runs out. Best results were in Win98 running in VirtualBox, and that's still about half speed on a 2.26GHz i5.

Re:64 bit Linux

Maybe your mum's knickers are a half-arsed gesture to make sure I stick my dick in her mouth so it will have at least some lubrication before I wholesale assault her not so virgin bunghole.

Re:64 bit Linux

[king+neckbeard]

Yes, there is 64-bit software for Windows, but it is still in the minority. You may find a 64-bit version of software, but you'll find plenty of software without a 64-bit port and it's not feasible for many Windows users to go all 64-bit. Most GNU/Linux distros often only have a handful of software without a native 64-bit port. I think it's basically Flash, WINE (although I know a 64-bit version is in development), and a SNES emulator that's written in assembly. Almost all of this software also has ARM and MIPS ports as well, but I've got a limited amount of hope for Adobe bothering with those.

Re:64 bit Linux

The 64 bit build of IE has its uses, especially dealing with websites which have to have IE, and refuse to support any other browser. No flash? Fine with me. One less exploit vector.

Trust me, as a college grad who graduated into a market where HR people tell you that you wasted your time getting a B. S., you end up having to deal with a lot of government sites who consider IE the only Web browser on the planet, to the point of actually doing JavaScript tricks to check for different Referer headers.

Maybe the high school counselor was right, where she said that anyone who had any sense should go to law school, as there is no such thing as an unemployed lawyer unless they get disbarred.

Re:64 bit Linux

Well yes, but there are also hardly any users of 64-bit Windows. Linux on amd64, on the other hand, has quite a lot of users and they are left out in the cold by the lack of updates.

Re:64 bit Linux

[HiThere]

There actually are plenty of lawyers that have trouble making the rent. They just aren't the ones you hear about.

your Fail It

GNNA on slashdot, cons1stent with the brain. It is the Performing.' Even to the crowd in Case you want to

This is why a universal platform is important

Imagine how hard it is to write malware. Having Flash and PDF available on all platforms reduces the amount of time necessary to infect people. Good work Adobe.

Current software is fundamentally broken

[hackstraw]

The closest platforms to getting it right are Apple and Linux distros. I say that because they provide a central software base and can push out updates all coming from one place. If you use something like Windows, you have to get updates from Microsoft, your hardware manufactures and then your 3rd party software. AFAIK, Windows still does not come with a PDF viewer, and I think its time for 3rd party plugins to completely disappear from web browsers. I've held the plugin belief for over 10 years.

Even if I say that Apple and Linux are better, they too are broken. And then there are 3rd party apps that continually want you to upgrade them before you run them. Its obnoxious. I can't think of any consumer or professional piece of equipment that needs such care and feeding. If my car has issues (yeah car analogy), then there is a recall. Its a big deal. I would never drive a car that says, "Before you start your car, there is an important safety update, do you want to install that update or blow it off?"

I guess I'm saying that now that internet access is available via cell technology and wifi and wired devices, and I don't know of anybody that uses a compuer not connected to one of these things, that bandwidth needs to increase and "cloud" or computing as a service needs to become a reality. Sure, nobody trusts these big bad internet companies with their data besides the exceptions like online tax services, online banking, facebook and their ilk, ISPs with their logs and their email, ecommerce, and other random services. But maybe, just maybe in the near future there can be a stable computing platform.

Re:Current software is fundamentally broken

[CosaNostra+Pizza+Inc]

Maybe HTML5 is a step in the right direction. It would be nice to get rid of Adobe Flash, Silverlite, etc plugins that have security holes and make our browsers slow and bloated memory hogs.

Re:Current software is fundamentally broken

[filesiteguy]

Well, IMO, that's not a valid assumption. Adobe pushes out updates all the time on my Wintendo machines. I've been online since last night with two Ubuntu machines and haven't gotten an update yet.

As for third party plugins going away, not bloody likely.

In fact, I'm writing this using Google Chrome browser, which is *supposed* to be a next-gen browser and will handle more plugins than even the ActiveX-ridden Internet Explorer.

Also, the web has moved so far away from HTML/JavaScript only that you are pretty much unable to browse most sites without flash, or some video player or various other plugins.

(By the way, I load PDF files in a separate viewer - Foxy Reader in Wintendo and Evince (which came with the distro) in Ubuntu.

Re:Current software is fundamentally broken

[larry+bagina]

Don't worry, Michael Crawford (aka Super Debugger aka Jonathan Swift aka Jesus h-Bar Christ aka hotcoder@gmail.com) will solve the software problem. Solve it? Yes. He's one of the best (if not the greatest) debuggers ever. He can find most bugs by merely reading the source code.

Software failure is not a technical problem but a human problem. Michael Crawford realized this and has developed the Crawfordian Psychoanalysis Manifesto which will end the software problem once and for all. He will fix not just bugs in code but bugs in the mind

I am absolutely serious.

Re:Current software is fundamentally broken

AFAIK, Windows still does not come with a PDF viewer, and I think its time for 3rd party plugins to completely disappear from web browsers. I've held the plugin belief for over 10 years.

I would settle for an easy way to remove these plugins. You might think it should be easy in Firefox, but noooo.

If a third-party application installs a firefox plugin, I should be able to go Tools - Add-ons - Plugins and REMOVE the plugins.

But I can't do that, I can only mark them as "disabled", and they are easily re-enabled by other software. I WANT THESE PLUGINS GONE without having to hunt through directories to find & remove the files.

Re:Current software is fundamentally broken

[icebraining]

I would never drive a car that says, "Before you start your car, there is an important safety update, do you want to install that update or blow it off?"

Bullshit. It's called maintenance, and yes, cars do require it. In fact, it's much more onerous than clicking a few times and call it done - not to mention it's much cheaper.

I guess I'm saying that now that internet access is available via cell technology and wifi and wired devices, and I don't know of anybody that uses a compuer not connected to one of these things, that bandwidth needs to increase and "cloud" or computing as a service needs to become a reality. Sure, nobody trusts these big bad internet companies with their data besides the exceptions like online tax services, online banking, facebook and their ilk, ISPs with their logs and their email, ecommerce, and other random services. But maybe, just maybe in the near future there can be a stable computing platform.

First, I trust third parties with *some* of my data, carefully selected. The "cloud" solution requires you to trust all your data.
Second, trusting everything in the cloud is nice because it never fails.

Re:Current software is fundamentally broken

[Alwin+Henseler]

Using HTML5 to replace plugins like Flash will in itself do nothing to improve security: right now, those plugins are optional, and if you don't have them installed you have a 'simpler', mature, HTML4-capable browser left. When HTML5 becomes mainstream, that core part of browsers will be even more complex (HTML5 >> HTML4), with fewer optional parts. Or do you think browsers will have a 'disable HTML5 support' somewhere buried in their preferences? (for the sake of simplicity, I'm ignoring whatever HTML5 support may have been built into browsers already).

Which means (other variables unchanged) that the common, core part of popular browsers will be an even larger attack surface. How this would improve security, is beyond me. Of course the fact that 99% have plugins like Flash installed, and that HTML5 core part of browsers will likely be much better maintained & secured than some of those plugins, will help. But again: in itself it means nothing. And don't forget that adding HTML5 support to browsers, means a lot of new code in the first place. Which all needs to be debugged, tested & fixed over time.

So the only thing that really helps, is improving the quality of code that goes out the door in the 1st place. And reduce the amount of code that's needed for an average set of functionality. If HTML5 support in browsers helps us do that, I'm all for it. But don't mistake HTML5 for some kind of silver bullet.

Re:Current software is fundamentally broken

[Like2Byte]

Software failure is not a technical problem but a human problem. Michael Crawford realized this and has developed the Crawfordian Psychoanalysis Manifesto which will end the software problem once and for all. He will fix not just bugs in code but bugs in the mind

Look, until this manifesto is released in a PDF I'm not reading it.

Re:Current software is fundamentally broken

[0123456]

Also, the web has moved so far away from HTML/JavaScript only that you are pretty much unable to browse most sites without flash, or some video player or various other plugins.

Strange: Flash is the only plugin I have installed and I have Flash and Javascript disabled on most sites... doesn't seem to be a problem.

Re:Current software is fundamentally broken

[filesiteguy]

If you're on some very basic sites, that can be done. My home page does not require flash but does have some javascript elements.

This site is heavy with javascript.

Re:Current software is fundamentally broken

[Captain+Spam]

[...] and I think its time for 3rd party plugins to completely disappear from web browsers. I've held the plugin belief for over 10 years.

I certainly don't hold that belief. If not for third party plugins, we'd have to trust that all the major browsers would support any new, as-yet-unknown technologies as they come out, all on a timeframe that allows for people to test it and get used to it, else web browsers would stagnate pretty quickly, or we'd wind up with a walled garden of web technology, wherein only what the major browsers say goes into their browsers, first-party, goes in.

For example, PNG support was once just a third-party plugin. If nobody was able to use it, nobody would've even known it existed. It never would have taken off and become integrated into any modern browser nowadays, and we'd still be stuck with GIFs. SVG support, too. That was once just a third-party plugin (by Adobe, even). Would anyone have bothered to put that into web browsers if Flash could've done everything they needed back then? Who would've heard of it, or even cared about it?

Given the flexible nature of the web, we need some way to quickly extend the functionality of web browsers to keep up with it, else both get held back.

Re:Current software is fundamentally broken

AFAIK, Windows still does not come with a PDF viewer, and I think its time for 3rd party plugins to completely disappear from web browsers. I've held the plugin belief for over 10 years.

Uh, yeah. Why don't you make a list of all the software that Microsoft should bundle with Windows and while you're at it forward that list to a lawyer to file anti-trust lawsuits on the behalf of their competitors.

While you're all busy doing that, I'll go make popcorn ! :D

Re:Current software is fundamentally broken

[Chryana]

Your car analogy is terrible (and irrelevant). Nobody is trying to remotely control your car, which is not the case with your computer. The software used in a car is of a very limited scope, so it is much easier to make sure it is running properly. Meanwhile, an operating system is vastly more complicated, with code produced by a number of developers which is probably several orders of magnitude greater and done on a much smaller budget for the code size. Furthermore, if you think that software which doesn't get any updates is stable, you're deluding yourself. Your car firmware probably contains its share of bugs, but they're not considered worthy of making a costly recall.

Re:Current software is fundamentally broken

Amazingly your post contains no less than 247 words and literally zero content. Just thought you'd like to know. Have a nice day.

Re:Current software is fundamentally broken

Nor are they likely to kill someone if they fail.

Re:Current software is fundamentally broken

[mlts]

Why should I trust unknown servers with critical data? If I were forced to use cloud-based services for banking and file storage, I have no clue who has access to the data. Even with the best security, there are some individuals who will happily loan a blackhat their badge, PIN, and offline authentication device in return for a princely sum of cash, and barring that, there are always other exploits.

Cloud services have some uses, but not for everything. Cloud storage is a decent method of keeping files in a secure location, provided you have some sort of encryption layer, and that you have another method of storage. For example, an external hard disk with a backup program (Retrospect, Time Machine) coupled with a cloud backup service like Mozy, Carbonite, or BackBlaze should go a long way in protecting a home/SOHO user. The external hard disk protects against "oh shit" happenings that trash the machine, while the cloud backup allows files to be obtained even if the machine (and the backup drive) were destroyed.

Cloud based VMs also have their uses, but in reality these uses are limited because one would not want to store confidential data on them. One use could be a point where external network traffic from a business gets redirected to, or perhaps a mirror of publically available downloads. Anything past that is playing with fire when it comes to security.

Re:Current software is fundamentally broken

[king+neckbeard]

Yes, transitions to HTML5 will not be inherently safer, but just about everyone moves faster than Adobe in security fixes, and the browser market is more diverse than the Flash player market. Both of these things suggest that it would almost certainly be a net improvement to security even if HTML5 has all of the same design flaws as flash

Re:Current software is fundamentally broken

[lgw]

Obviously, you shouldn't store non-public data in public. If you're using "the cloud" to help with bandwidth as you broadcast data you want everyone to see, that's not a problem. Otherwise, it's all about the cryptography, which is all about the key management.

As far as the reliability - again, if you're using "the cloud" in some short-term fashion to process requests, reliability is great. But if you're storing somehting in the cloud long term - who can you trust? In the corporate world, trust is about the SLA, and the company's history during actual disasters, and the more consumer-ish cloud storage providers (such as Amazon and microsoft) don't rate very highly yet: they do good things like store data in triplicate, but actual promises and track record are a bit lacking.

However, if you already trust an archiving or records management company to store your data, a cloud-like approach to communicating that data seems like a good next step.

Re:Current software is fundamentally broken

[toriver]

Are you seriously so brainwashed by Flash DUH-signers that you have failed to see how far HTML+Javascript has come? Browsers were able to play video using OBJECT/EMBED ten years ago.

Flash is an abomination on the web, but has its use for simple games and the like. "Most sites" do not rely on Flash for anything more than ads - to blindly rely on Adobe and Flash to remain significant is akin to relying on Ashton-Tate and dBase III/IV to remain the dominant solution for desktop apps. There is no benefit to other companies to keep giving Adobe business.

Re:Current software is fundamentally broken

[Draek]

The problem of central update mechanisms is when they fail. More specifically, when the one maintaining it decides that fixing bugs is too boring a job and goes off to work elsewhere.

For an example of that, see Java on OSX and its terrible, terrible security record with respect to Linux and Windows all because the latter ports were maintained by Sun themselves rather than our favorite fruit-flavored company.

Re:Current software is fundamentally broken

I trust online banking because my bank has an incentive to not sell my data to third parties (they are liable for identity theft). I don't trust google et all because their business depends on selling information about me.

Official Workaround

[Mojo66]

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

A initially rather secure document format (PDF) has become insecure because Adobe has added a plethora of mostly useless functions like Flash, Javascript etc to it.

Re:Official Workaround

[HazE_nMe]

You can update to the RC of Flash and just don't open PDF files from untrusted sources (as usual).

Re:Official Workaround

[joe_frisch]

It seems unfortunate that to have secure code you need to use a pre-release version. There is a need for a secure, but not feature-rich document format - I don't need dancing bears.

Only reading documents from "trusted" sources doesn't work - those sources may have been compromised.

Re:Official Workaround

[Draek]

It's not the format that's insecure, only Adobe's particularly shitty implementation of it. Now, if you *want* Javascript and Flash on your document format you're screwed, but I'd say in that case you are really Doing It Wrong(tm).

Re:Official Workaround

[nadaou]

There is a need for a secure, but not feature-rich document format

You are in luck: http://djvu.org/

All the best (non-Adobe) PDF viewers already support it. It's what the Internet Archive uses for archival. http://en.wikipedia.org/wiki/DjVu

Re:Official Workaround

[Mojo66]

Encoder seems to be available only for Windows.

Re:Official Workaround

[CondeZer0]

> A initially rather secure document format (PDF) has become insecure because Adobe has added a plethora of mostly useless functions like Flash, Javascript etc to it.

Sadly this days that seems to be the trajectory followed by most software projects.

More and more bloat, more and more useless crap that nobody really needs or wants but that adds more and more complexity and makes systems more and more fragile.

Re:Official Workaround

[nadaou]

GPL'd version: djvulibre

$ apt-cache show djvulibre-bin
...
Description: Utilities for the DjVu image format
  Executables including utilities for conversion between DjVu and other
  formats.

$ file /usr/bin/djvumake
/usr/bin/djvumake: ELF 32-bit LSB executable

http://djvu.sourceforge.net/

Source TAR.GZ djvulibre-3.5.22.tar.gz
Binary Packages
Fedora/Redhat Available from Fedora.
Mandriva Available from Mandrake Club.
Suse Available from OpenSuse.
Debian Available from Debian (apt-get!)
Ubuntu Available from Ubuntu (apt-get!)
SGI Irix 6.5 (mips) djvulibre-3.5.5-irix6.5-mips.tar.gz
Solaris 6 (sparc) djvulibre-3.5.5-solaris6-sparc.tar.gz
Cygwin (x86) djvulibre-3.5.17-1.tar.bz2
OS/2 (x86) Available on Hobbes
Windows (x86) Available on Sourceforge
MacOS (x86,ppc) Available on Sourceforge

etc.

Call me dumb, but...

[Rui+Lopes]

It also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems.

... how can the DLL affect osx & other unix OSes? And why does it ship on these OSes?

Re:Call me dumb, but...

In the end, a DLL is just x86 code that the application can load and execute. I can't imagine it being very hard to load the code on OSX/Linux which both run x86.
Wine does this already, and I wouldn't be surprised that there are uglier things at work in acrobat...

Re:Call me dumb, but...

[marcosdumay]

The DLL is part of Acrobat Reader. I've never saw a Linux that ships with Acrobat, but it is available for most of them (on some it is just a click away). Anyway, very few people do use Acrobat on Linux, unless you are one of those few that got out of your way to install it, it is not an issue.

Re:Call me dumb, but...

$ locate authplay
/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so.0.0.0
/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so

So it's not called "authplay.dll", but it's pretty much the same thing, only encoded as a shared ELF binary instead of as a PE file.

Re:Call me dumb, but...

[dotgain]

You're a "C Drive" person, aren't you?

Re:Call me dumb, but...

[Russellkhan]

I've searched for anything called authplay on my linux box and found nothing. I do have Flash installed, but not Acrobat or Reader. Keeping Flash use to a minimum via Noscript anyway until further notice.

64-bit Linux

[macemoneta]

If the fix is critical, why is the Linux 64-bit version still at the vulnerable level?

Re:64-bit Linux

[WrongSizeGlass]

If the fix is critical, why is the Linux 64-bit version still at the vulnerable level?

No versions have been fixed yet so all versions are still vulnerable ... this includes Linux 64-bit.

Re:64-bit Linux

[macemoneta]

The Flash Player 10.1 Release Candidate "does not appear to be vulnerable," the company said.

The Linux 64-bit version is still at the vulnerable level, and has not been brought up to the non-vulnerable level.

Re:64-bit Linux

We heard you the first time. Maybe you should *listen* when you read: It's not fixed yet. The 10.1 RC has not been released yet (that's the whole "release candidate" part of it). There is no patch for 10.0.x.x or 9.0.x.x yet so <insert platform & architecture here> is still vulnerable. Mmm-kay?

Re:64-bit Linux

[king+neckbeard]

There is at least a workaround for other platforms. I suppose I could try nspluginwrapper, but I really don't want to have to use that again.

Re:64-bit Linux

[macemoneta]

We heard you the first time. Maybe you should *listen* when you read: It's not fixed yet. The 10.1 RC has not been released yet (that's the whole "release candidate" part of it). There is no patch for 10.0.x.x or 9.0.x.x yet so is still vulnerable. Mmm-kay?

I shouldn't respond to anonymous trolls, but the 10.1 RC is available at the Adobe beta site, just not for Linux 64-bit. That was the point of the post. If you're not familiar with Adobe's release process, maybe you should try a google before blowing smoke out of your ass.

Sumatra PDF + Flashblock

Use Sumatra PDF instead of Adobe Reader.

Use Flashblock with Firefox. You can whitelist your daily sites as you use them. Furthermore you save CPU, heat, noise and money from the beginning.

Can't wait for HTML 5 and friends (JavaScript, WebM, Canvas, WebGL, ...) to kick Flash's ass.

It would be also nice people moving from PDF to ODF; I think it's technically viable (same features, zero cost, what I am missing?), besides the obvious gain in security and stability.

Oh christ, not again

[Nimey]

It's job security for us computer janitors, but still fucking annoying that their security is so bad.

Adobe 10.1 pre-release fix

[GUNDARI]

Version 10.1 is considered a fix for this. http://ve3d.ign.com/articles/news/55171/Critical-Flash-Vulnerability-Discovered-Please-Upgrade and http://labs.adobe.com/technologies/flashplayer10/

PDF files should not "execute"

[bradley13]

If Adobe had the brains of a hamster, it would prohibit executable content in PDF files. Anything fancier than a fill-in-the-blank form has no place in a document format. Business needs some sort of standardized format in which to exchange written documents electronically, and PDF has fulfilled this role until now (barring the dimwits who still send Word files around). Allowing PDF to include executable content is not only dumb - it will eventually destroy PDF as a trusted format.

Re:PDF files should not "execute"

[lostsoulz]

I agree.

Sadly, the same idiots that send Word documents and use pdf's fancier facilities are the same idiots that are engineering bizarre business processes. For example, I had to complete an online assessment recently. There was nothing special about this assessment - marks out of five for a few key points. For some reason, the assessment was deployed using a downloaded pdf with drop-down menus. The document had to be modified, saved and then spewed back into SAP. I despair...

Re:PDF files should not "execute"

[Jahava]

Anything fancier than a fill-in-the-blank form has no place in a document format.

That's a slippery slope you're walking there. The second that you open the document up to interaction and editing, you open the platform up to issues like editing capabilities, content type, content validation, and each of those opens up their own can-of-worms.

In my opinion, PDF should do exactly what most people use it for: it should render content in a consistent, platform-independent, and read-only manner. If you need to provide a form to fill out, there are many technologies to solve that problem, but across all of them, Web/HTML stands out as the most appropriate. Web/HTML has numerous different approaches for allowing a user to fill out a form, each richer and more flexible than Adobe's PDF will (er, should) ever be. If you want the fields that are filled out to appear in a read-only document, have the web service generate a PDF document containing your answers when you complete the HTML form.

A perfect example of this is how Google's Spreadsheets can present a form view, which is capable of reproducing a significant amount of the capabilities that Adobe's executable content is used for with a concise user interface, and producing a PDF at the end of it.

Re:PDF files should not "execute"

I agree, they should have done something like MS's Office XML document formats. The standard .docx is document only. You have to goto a .docm to get the macroenabled documents that were generally the problem with the "old" office document formats. Adobe should have restricted .pdf to the PDF/A standard, and specified an extended PDF with video/audio/javascript/etc as something like .pdfx.

Re:PDF files should not "execute"

[wiredlogic]

barring the dimwits who still send Word files around

I wouldn't completely knock Word. The Word document format maintains its contents as structured data as opposed to lines of text or individually placed glyphs that is all PDF can muster. That's great for consistent page rendering but not so hot for machine processing. Extracting text from PDF is considerably more complicated because paragraphs and blocks of text have to be guessed at by analyzing the page layout. Throw in right to left and vertical scripts and it gets even more complicated. Word may have a lot of stupid cruft in its documents but the data is decidedly easier to extract.

Re:PDF files should not "execute"

I would also argue that Adobe could learn something from the way that Office 2010 opens documents in a sandboxed environment by default as well.

Re:PDF files should not "execute"

[faber0]

Leaving out the "executable content" from PDFs does not shield you from exploits at all. Hostile input can still trigger all sorts of bad reactions including complete takeover. A bug can turn any simple viewer into executing the document.

Re:PDF files should not "execute"

[drinkypoo]

The answer seems to me to be to have two grades of Reader. The basic one will only let you fill out forms. The complex one will let you use all the dynamic crap. Personally I just don't view PDF in-browser on Windows; I use SumatraPDF and it's small and simple and thus doesn't produce these kind of failures. In Linux I use evince via mozplugger.

Film at eleven

[king+neckbeard]

How exactly is an Adobe exploit news? This happens all the time.

Re:Film at eleven

[dotgain]

And how exactly is this a comment? Slashdot posters waffle on about their indifference all the time.

Saint Steve was right!

[lostsoulz]

Sent from my iPhone.

it's that you ?

Stevie

Show us the code Adobe

[Alcoholist]

Show us the code Adobe. We of the nerd community would have had that problem fixed for you long ago.

Re:Show us the code Adobe

Show us the code Adobe. We of the nerd community would have had that problem fixed for you long ago.

Here, here.... Open source software is the way to go. The mistaken business plan of using proprietary software is leading us into security hell. The oss community is proven to be faster at fixing bugs; we just need the average Joe to be educated in this and reject inferior products that are so full of holes. Our governments should be giving us unbiased info on security and educating pupils in schools and collages of alternative operating systems and software. My children's IT teacher, for instance, has never heard of Linux..........

Whatever

Who gives a fuck and why did this make slashdot.

dominant standards vs dominant products

[moria]

When an industrial standard is dominant with implementation from different vendors (think WWW, JPEG, ODF, XMPP and even PDF), there is interoperability and better security through diversity. When a single product dominates (think Flash, Windows), we bring "write once, play everywhere" to malicious code writers.

confused by versions

What a confusing mixture of product names and version numbers. Do they mean to group as in (Adobe Reader and Adobe Acrobat ) 9.x or Adobe Reader x.x and Adobe Acrobat 9.x ?

Flaw in the spec

[rsborg]

Why do you need "SWF content" in a PDF file? And then there was the story from a couple months ago about the ability to embed executable commands in a PDF file, and it it isn't a flaw - it's a feature built into the PDF spec. Sloppy programming combined with more and more crap that doesn't belong, guarantees that these problems will keep showing up.

I don't doubt there's sloppy programming involved, but this sounds like a flaw in the spec... who the hell reviews the PDF spec and how much does Adobe pay them to approve of things like allowing code execution when it's supposed to be a secure document spec that is a mandated standard in critical venues like government and legal filings.

Adobe Failed to Mention Mac Users Affected only if

Only Mac users with Adobe Reader set as the default PDF reader (like many Fed Macs) are affected. The fix is to revert back to factory settings with Preview as default, and only open trusted pdfs with Adobe Reader. (required for some gov't apps)

HTML5 v. Flash security

[Onymous+Coward]

I wonder about this. I'm sure it's a rather complex issue (that will be picked apart time again for years to come), but the one idea that leapt out at me was one you pointed out:

... HTML5 core part of browsers will likely be much better maintained & secured than [Flash], will help.

HTML5 may not be a silver bullet, but my intuition tells me we'll be much better off. But not having a clear idea of exactly why this is and spouting my intuition out, while perhaps a Slashdot tradition, is not very constructive, so I offer this intuition with this disclaimer.

Re:HTML5 v. Flash security

[Vellmont]

But not having a clear idea of exactly why this is and spouting my intuition out, while perhaps a Slashdot tradition, is not very constructive, so I offer this intuition with this disclaimer.

I'll tell you why. HTML 5 browsers won't be produced by Adobe, that's why.

Software security isn't just about the technology or specifications, or whatever. It's really mostly (no not entirely) about the people who write the stuff. Sendmail (the ever popular SMTP agent) was the giant poster child of how NOT to write software. For a while there was a root exploit every month in the damn thing. Postfix (another SMTP agent) on the other hand was designed with security from the ground up, and has had few, if any security problems.

Adobe has a TERRIBLE reputation when it comes to security. How many exploits have I seen over the past couple years for PDF reader? How many have I seen for Flash? I don't know exactly, but it's at least several for each. After Microsoft, Adobe is by far the biggest threat to the security of your computer. Flash is so prevalent and so useful you really can't live without it being installed. I know there's a free alternative (from gnu I think) but as I recall it's a giant steaming pile of crap.

Re:HTML5 v. Flash security

[99BottlesOfBeerInMyF]

...my intuition tells me we'll be much better off. But not having a clear idea of exactly why this is...

The difference is Flash is created pretty much just by one company who has complete control. They don't really worry about competition so they have little motivation to fix security problems, or do so in a timely manner. HTML5, on the other hand, is created and implemented by a wide variety of companies and organizations all competing and interested in security and for that matter, other improvements. COMPETITION drives innovation and improvement, which is why Flash and other software where there is no competition in a niche, ewell sucks in comparison to competitive fields.

Re:HTML5 v. Flash security

[hyc]

I dunno, preserving your company's reputation and credibility ought to be big enough motivators already. The fact that Adobe code quality is still so shoddy indicates that regardless of motivation, they lack the *ability* to improve things.

Btw, for video streaming, you can just use things like get-flash-videos and rtmpdump, and never be exposed to any of that crappy Adobe code. Whether or not the base technology has any intrinsic merit, it's obvious that even today, before HTML5 is widely deployed, it's possible to implement this stuff without any of Adobe's implementation flaws.

Re:HTML5 v. Flash security

[99BottlesOfBeerInMyF]

I dunno, preserving your company's reputation and credibility ought to be big enough motivators already.

But really, they aren't. Microsoft has a terrible reputation for security and have for a long time, but until it starts affecting the bottom line, it's cheaper to pay for marketing than engineering. The same goes for Adobe. It's cheaper to hire a PR firm to talk about how Apple is hurting the industry, than it is to make a good product for the mobile market and sell it until it wins the market.

Btw, for video streaming, you can just use things like get-flash-videos and rtmpdump, and never be exposed to any of that crappy Adobe code. Whether or not the base technology has any intrinsic merit, it's obvious that even today, before HTML5 is widely deployed, it's possible to implement this stuff without any of Adobe's implementation flaws.

I don't think the discussion can be limited to just Flash used for delivering video, nor do I think reverse engineering Flash well enough to get some functionality out of it really compares favorably to an open standard specification and one can and all are encouraged to implement.

Adobe link to Flash Player deemed "safe"

[oDDmON+oUT]

Note: This is prerelease code:

http://labs.adobe.com/downloads/flashplayer10.html

"Flash Player 10 Prereleases

This page contains download information of developer prerelease and beta versions of Adobe® Flash® Player 10 software for Windows, Macintosh, Linux, Solaris, and Android. It is being made available for developers to test their content to ensure new features function as expected, existing content plays back correctly, and there are no compatibility issues. Consumers can try the prerelease of Flash Player 10.1 to preview hardware acceleration of video on supported Windows PCs and x86-based netbooks. The Flash Player 10.1 prerelease is available in all supported languages; however, the prerelease installers are only in English and we can only accept feedback in English at this time."

Re:Adobe link to Flash Player deemed "safe"

[oDDmON+oUT]

Damn, clicked Submit instead of Preview. Meant to add this from the advisory:

"Note:
The Flash Player 10.1 Release Candidate available at http://labs.adobe.com/technologies/flashplayer10/ does not appear to be vulnerable.

Adobe Reader and Acrobat 8.x are confirmed not vulnerable."

Re:Adobe link to Flash Player deemed "safe"

[Stan+Vassilev]

Adobe Reader and Acrobat 8.x are confirmed not vulnerable.

The ver.8 series are not vulnerable to this exploit. They're vulnerable to a two dozen other ones that ver.9 fixes, so by all means, install Reader 8 and browse away.

And just for you, Adobe

[theolein]

"Go screw yourself" as you said to Apple.

So true

[theolein]

I cannot imagine who on earth would want Flash content in PDFs. I imagine it is still some brainless marketing fuck at Adobe who thinks PDfs will trump Powerpoint for presentation and so they have to cram in just as much useless shit as can be crammed into a pptx/pps file.

What truly fucking bothers me is that the "fix" they offer is not a fix at all. Installing a release candidate Flash player across a company will not be easy in many cases and who the fuck is going to go searching for craptasticadobeshit.dll on all their machines. Sadly, this is such a problem that you have no choice, unless you want to block all Flash content and in many industries, such as media or design, that's simply impossible.

Adobe is so fucking lost it's not funny. Their Flash player is a buggy, unsecure piece of shit. Their Acrobat PDF Reader is even worse, slow to start up, full of utterly useless shit that easily 99% of people who need to view a pdf don't need, and regularly an opportunity for malware authors to get at your machine. On top of this, Adobe is so choking on their shit that they coded almost all the dialogs in the new CS5 suite in fucking Flash, leaving previously satisified customers seething with anger because dialogs that were already pretty unstandard in the last two version of the CS ballsup are now more often than not, simply not working anymore.

For the love of God, please someone, anyone, make a decent alternative to the CS suite so we don't have to put up with Adobe's increasingly bizarre attempt to remain relevant by shovelling ever more shit into what were previously perfectly good apps!

AGAIN??????

[GPLHost-Thomas]

I mean, really yet AGAIN? That is it: rm /usr/lib/flashplugin-nonfree/libflashplayer.so

Hey!

[Wovel]

Thanks Adobe, you help keep the Internet a fun and exciting place for everyone!

Best alternative for simple PDF viewing?

[Lenbok]

If I want to uninstall Adobe reader and install a lite viewer that lets me read PDFs without support for all the SWF/Javascript/Kitchen Sink extensions, what is the best viewer package (for Windows)?

Re:Best alternative for simple PDF viewing?

[haruchai]

I haven't used Adobe Reader on my machines in a couple years due to all the security issues. Sumatra is probably closest to what you are looking for
but I've used both Foxit and PDF X-change ( for full PDF support ) for quite some time without any problems, although PDF X-change sometimes ramps up the memory usage inexplicably ( not a concern on when you have 8GB RAM ).

The nice thing about Foxit and X-change is that they support tabs, can automatically re-open all the PDFs you were reading and take you right back to the page(s) you were on.

It shouldn't be zero day

[Ilgaz]

Funny thing is, they are at RC7 level and I have been testing RC series on Mac PPC since the first RC, they aren't that crashy or buggy.

They could simply hurry with the couple of major issues (if there is) and rush out Flash 10.1. It would be way better than infecting people's machines because they use your plugin.

Same for Adobe reader... Wonder if they are coding this Sunday or having some "rich corporate coder" life as usual. Just imagine the speed of fix if this was some no-name 3 developer open source project at sourceforge. As far as I followed open/free software, they would make couple of coffees and launch their IDE right away.

A-Doobie?

[dogzdik]

OK I think the Adobe Reader is GREAT product. But it pisses me off about the amount of cunts who develop the exploits - to deliberately target and rip off people, through using this product. Fuck them.

Adobe provide a flash player uninstaller

[mister_dave]

You can download a flash player uninstaller from Adobe.

neither is foxit

[chronoss2010]

gee im glad now too

Talking of secure...

[elguapoloco]

"Vincenzo Iozzo and Ralf Philipp Weinmann succeeded in exploiting the iPhone in the first time slot. They exploited a Safari vulnerability with a payload which retrieved the text messages from the device. Charlie Miller (Twitter: 0xcharlie) competed successfully for the third year in a row, taking home the MacBook Pro via a Safari exploit which delivered a full command shell payload." In case you missed it " for the third year in a row"!!! Before blaming all the evils on the internets on Flash some companies got some hole plugin' to do :P http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010

what surprise

[hesaigo999ca]

Really...again yet another zero day attack....i wish we could see 100 days of zero attacks....that would be nice.!

The bi-weekly security holes... nothing new

[apexwm]

Yawn... every 2 week the same ol same ol.... Adobe releases security bulletins describing critical security holes. Nothing new here!! I'm surprised that the updates actually affect the Linux versions. Usually, the security holes are only affected for Windows, not Linux.

Educate Me, Please...

[RobDude]

What alternatives exist that are secure?

For PDFs - I know of a few other applications that can open them. For Flash? Is there anything?