Adobe Warns of Critical Flash Bug, Already Being Exploited
Trailrunner7 writes "On the same day that it plans to release a patch for a critical flaw in Shockwave, Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader. The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac, and won't be patched for nearly two weeks. The new Flash bug came to light early Thursday when a researcher posted information about the problem, as well as a Trojan that is exploiting it and dropping a pair of malicious files on vulnerable PCs. Researcher Mila Parkour tested the bug and posted a screenshot of the malicious files that a Trojan exploiting the vulnerability drops during its infection routine. Adobe has since confirmed the vulnerability and said that it is aware of the attacks against Reader."
I hope Apple and Adobe come to an agreement because I want to live on the edge too.
Adobe's Acrobat, Reader & Flash are the weakest security links on any PC. This isn't really news any more ... it's expected.
And, of course, nowhere in the article or linked articles does it mention how you get it. Infected website? Particular websites (warez, etc.)? What? Anyways. NoScript wins again, regardless.
How much you wanna bet we're going to have to wait for Adobe's next 90-day update cycle, since this was released right on the day of another patch?
Isn't Flash supposedly sandboxed? And, what the hell is Flash doing in a PDF viewing utility?
I think it's about time to go from using Click2Flash to just deleting the Flash plugin completely.
Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader.
How do I keep Adobe Reader from being able to use Flash?
Seems like this could prevent the exploit and greatly reduce the attack surface in general.
Can someone please explain to me why it will take Adobe two weeks to get a patch out? It seems like it should be an "all hands on deck" project to get this fixed and distributed.
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
In other news, Steve Jobs now has even more arguments to push aside Flash and Shockwave.
Wait, Shockwave? That thing is still alive?
The nice thing about html5 is that it's plaintext, and thereby can't be exploited - only the parsers can. And the nice thing of these parsers - which we also call Browsers - is that you can choose, and secure them yourself.
Bye Bye Flash
Html5, here we come!
-F
...but just hold on for two weeks and we'll make it alllll better
Attention browser developers:
Start sandboxing the browser so that by default, plug-ins are sandboxed from each other and from instances of each other in other "sessions" and they are not allowed a persistent storage.
Any user-initiated visit to a web site would be a new session.
Unless the end-user overrode the settings, only highly trusted plugins would be allowed persistent local storage and cross-session communication, and one of the criteria of being "trusted" is that the browser validated the plugin against a list of known-clean plugins in the last few hours.
Basically, if you aren't trusted, you get a very limited view of the local computer and once you quit, you get amnesia.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
After a decade of huge hacker security breakthroughs of systems, I wonder how long we have to go before automated code structure and testing gets good enough to be able to routinely find all the typical things that might represent a problem. Acrobat has been around so long it ought to be basically bullet-proof, but isn't. What gives here? I use a lot of Adobe applications and I personally want to see them get out of this problem.
is now clear.
>"The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac"
What horrible wording. One could read that to mean Linux is not a "relevant platform" in general, or that the vulnerability can't use the exploit to do anything to a Linux system or several other things.
From the article:
"A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh."
Why the FUCK does a document display program have the ability to alter anything on my machine?
Not to let Adobe off the hook, but OS makers should make it easier for users to limit the abilities of vulnerable or dangerous programs.
Quick, how would you start Adobe Reader on Linux, OS X, and Windows such that it isn't allowed to write to files? How would you do the same for however your browser starts Flash? Could you easily step several users through this process?
"won't be patched for nearly two weeks"
In 25 years of computing, the only virus I've ever had was due to an Adobe Reader exploit. So, thank you Adobe for hurrying to get this patch out urgently. I'm sure there is no conceivable way you could get it out in less than 2 weeks.
In the meantime I should remove Reader from my system.
I'm running the 64-bit "preview" Linux plugin called "Square". Adobe reports, "You have version 10,2,161,23 installed" when I check by right-clicking on a video and choosing About. Does that mean I'm not vulnerable to this flaw?
this one
Am I the only one who finds it ironic that a web site that warns of a critical bug in the Flash player tries to install the Flash plugin?
(yes, I don't have Flash installed anywhere and so the linked web page demands to install it)
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
This is why Apple no longer ships Flash pre-installed, and why they do their own PDF readers. Regardless of any tiffs (or .TIFFs, har! see what I did there?) between Adobe and Apple, I'm sure that Adobe wants its products preinstalled in OSX. Even through its contentious history with Adobe, Apple has preinstalled Flash for many software releases now because it made business sense to do so. It no longer does.
Recent trends show that Adobe is the most readily-exploited software vendor (per US-CERT). Critical flaws are being discovered faster than operating system installer "golden images" can be put through the update-certification-release cycle. Any version of Flash or Acrobat/Reader that is incorporated into an OS golden image will almost certainly be vulnerable by the time a system with that OS installed reaches a customer. You're going to have to update the moment you're out-of-box, so why pre-install something you're going to have to patch anyway (assuming you patch at all)? And Apple can't autopatch it... their Software Update only updates Apple products (i.e. products which they actually have the legal right to patch).
And, of course, the headlines would (and do) read "Macs being exploited" instead of "Adobe being exploited". Apple doesn't want that, and is in a position to do something about it.
Do we perhaps understand why Apple does some of the things it does a little better now? Do we perhaps understand why Microsoft doesn't include Flash/Reader as part of its OS? Does Adobe need to get its goddamned act together before they start throwing rocks at OS vendors?
Everybody gets what the majority deserves.
OMG, I just reinstalled flashplugin-prerelease for 64bit, and I have to uninstall again. Bring on HTML5!!
Good question. Mine reports 10,2,161,22 installed (can't they figure out how to use decimal points?)
Attention N900 users:
If you don't want to totally disable your flash plugin, you can either install adflashblock-css for combined ad and flash blocking, or if you don't want to block ads, use my custom flashblock:
http://talk.maemo.org/showpost.php?p=625937&postcount=3
"When information is power, privacy is freedom" - Jah-Wren Ryel
Does the "Flashblock" plugin for Firefox help block this exploit? The only sites in my whitelist are YouTube, Amazon.com, and NewEgg.
Every time I see a story like this (which is often) I thank Steve Jobs for no Flash on my iPhone along with all the wonderful people who develop the various Flash blockers for web browsers.
Two words: foxit reader.
Problem solved. People seriously still use Adobe products? Goddamn
And FYI, I doubt Apple is SOOOO altruistic to the point where they don't include flash pre-installed anymore. Give me a break.
Get to work today. Refresh security site firefox tabs. Coffee in hand, ready to see what internet evils I have to fight today.
Zero day.. Ok
Adobe.. No.. Please no..
Reader.. GOD FUCK DAMN IT
I really, really, really have a fine hatred for Adobe today. They make their products indispensable and then don't bother to secure them worth a damn. What I hate most about Adobe security vuln notices is the time it takes for an actual fix.
"Yeah. We know there is an active exploit being spammed to your users as we speak.. We'll have a fix in a month. Yeah."
On top of that, their installers and auto update systems are complete and utter garbage. You don't even have a way of knowing what version of software you're downloading off their site. You just have to assume it's the latest.
They also seem to think that you've got time to run around to all 200 PCs in your organization and either install it yourself, or use admin privileges to let the installer run.
You can, though, get .msi versions of the installers to push via Active Directory or other system management systems. Even this is a crapshoot. The installers are buggy and Flash will often silently fail with no explanation. An Adobe update might be a msp patch file. Might be a whole new release that installed. Sometimes getting a pushable version of the current version is an undocumented pile of msp patches you need to find yourself. On top of all that, hand editing the msi installer instructions in ORCA or similar is often needed to strip out the bloat you don't want. Adobe Air? Acrobat.com? Advertising links on the desktop? WTF Adobe
On behalf of computer users everywhere.
Adobe, clean up your fucking act.
I've tested the latest 10.2 preview of Flash and it is vulnerable. The US-CERT vulnerability note has been updated to reflect this: http://www.kb.cert.org/vuls/id/298081
1. to not use any computers
2. to use unique operating system and programs unless you are directly targeted (which is not 100% but very close)
please point me towards a better solution as those are not practical...
... this makes me very wary of buying a device where all apps, and the OS/UI itself are written in Adobe AIR (which is pretty much Flash.) So when a vulnerability comes along you... what... quit using the whole device? I'm sure that will go over really well with the large businesses that are BlackBerry's intended customers. And for those who think I'm hyperbolizing, watch the video and listen close--the head of RIM says (at the 2:20 mark) "what we've done is... really embed AIR right into 'the metal' and the operating system." By "metal" I think he means "as low-level as we possibly could."
Wait, scratch that... large businesses have been buying Windows for two decades, so never mind me. I bet this thing will fly off the shelves. Hmm, maybe I should write an antivirus app in Flash so it can run on a PlayBook. :-)
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
The GP probably based his post on this presentation from Charlie Miller @ CanSecWest:
http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt
See slide 53 in particular.
What's important to realize, however, is that Charlie's fuzzing run was based on a set of PDF files that he chose. It's not stated whether any of the seed PDF files contained any flash objects or 3D or JavaScript or any of the other features that contribute to the size of Adobe Reader.
But that should be an eye-opener for you. Preview doesn't come with support for Flash. Or probably a whole slew of other features that Reader supports. In addition to code quality, the attack surface (or lack thereof) and popularity are also major factors of the risk of using a particular product.
I don't think anybody believes that e.g. SumatraPDF is written in some special, uncrashable way. That would just be naive. But the much smaller attack surface combined with greater obscurity could be the motivating factor for some people.
... of why Apple is correct in keeping this steaming pile of insecurity off of their devices.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
Ironically, illegitimate copies of Acrobat Pro are probably not affected.
!#@%*)anks for hanging up the phone, dear.
The full Flash installer is buried in a deep link. You can use Internet Explorer, choose the 'different operating system or browser' link on the Adobe Flash download page, and get the Firefox version (likewise use an alternate browser to get the IE version).
Of course, if you want a direct link to download the most recent installer without the 'download manager' slimeware or 'free Google Toolbar', here it is!:
Good question. Mine reports 10,2,161,22 installed (can't they figure out how to use decimal points?)
Many cultures use commas instead of periods for the decimal mark. Specifically, see here.
"A witty saying proves nothing." - Voltaire
>Many cultures use commas instead of periods for the decimal mark. Specifically, see here.
I know, but it still drives me crazy. It looks like a list of different things instead of a single number.
A shot for every time an Adobe product is exploited. Of course, the morning after I tried this, I woke up left for dead in Guatemala...
"People don't want to learn linux" hasn't been a valid excuse since '03.
Here's an embarrassment for Adobe. An external researcher has created a tool called Blitzableiter, which is simply a Flash parser written in .Net. Its only job is to verify that any Flash you load is fully compliant with the Flash file format, and to hurl an exception if anything fails to parse correctly. I saw FX's presentation at DefCon and was suitably impressed.
The cool thing is that he claims it's caught every exploit, past and present, that he's been able to find to test it with.
Think about it. Someone external to Adobe is keeping Adobe's products safe simply by enforcing Adobe's own rules. Way to go, Adobe, you're completely awesome.
Configuring Blitzableiter to work in Firefox takes a little bit of work. He asked the NoScript guy to provide an external plugin mechanism, which launches Blitzableiter to check out the SWFs before they're permitted into the Shockwave player. So you have to load the NoScript extension, then configure it to run Blitzableiter. I look at it as a fairly small price to pay for safety.
I will say that it's pretty damn picky, and there's a lot of probably-safe-but-badly-written Flash out there that it won't let you load. Since there's actually very little Flash content I want to see anyway, it's not been a real problem for me. For expediency I put youtube.com in the exception list, just because I do trust the youtube player and don't feel I need to wait the extra two seconds to have it scanned every time I watch a video clip. Otherwise, it just rocks!
John
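An added example (not part of the comment above, and not Blitzableiter's own code) of the validate-before-load idea it describes: a Python check that rejects an SWF whose header length or tag records are inconsistent. The names `validate_swf`, `SwfFormatError`, `MAX_BODY` and `build_sample` are assumptions of this example, and it checks only the container structure, not the contents of individual tags.

```python
import struct
import zlib

MAX_BODY = 16 * 1024 * 1024  # assumed policy cap on the declared (uncompressed) size


class SwfFormatError(ValueError):
    """Raised when a file breaks one of the structural rules checked below."""


def validate_swf(data: bytes) -> list:
    """Return the tag codes in file order if the SWF is well formed, else raise."""
    if len(data) < 8:
        raise SwfFormatError("truncated header")
    sig = data[:3]
    declared = struct.unpack_from("<I", data, 4)[0]  # FileLength, uncompressed total
    if not 8 <= declared <= MAX_BODY:
        raise SwfFormatError("implausible declared length")
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":  # everything after the 8-byte header is a zlib stream
        try:
            # Bound the output so a decompression bomb cannot exhaust memory.
            body = zlib.decompressobj().decompress(data[8:], declared - 8 + 1)
        except zlib.error as exc:
            raise SwfFormatError("bad zlib stream") from exc
    else:
        raise SwfFormatError("unknown signature")
    if len(body) + 8 != declared:
        raise SwfFormatError("declared length does not match actual length")
    if not body:
        raise SwfFormatError("missing frame RECT")
    nbits = body[0] >> 3                      # RECT: 5-bit field width, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4        # RECT bytes + frame rate + frame count
    if pos > len(body):
        raise SwfFormatError("truncated movie header")
    codes = []
    while True:
        if pos + 2 > len(body):
            raise SwfFormatError("tag stream ends without an End tag")
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_len >> 6, code_len & 0x3F
        pos += 2
        if length == 0x3F:                    # long form: 32-bit length follows
            if pos + 4 > len(body):
                raise SwfFormatError("truncated long tag header")
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if length > len(body) - pos:
            raise SwfFormatError(f"tag {code} overruns the file")
        pos += length
        codes.append(code)
        if code == 0:                         # End tag
            break
    if pos != len(body):                      # strictness choice made by this example
        raise SwfFormatError("trailing data after End tag")
    return codes


def build_sample(compressed: bool = False) -> bytes:
    """Constructed sample: empty RECT, 12 fps, 1 frame, ShowFrame (1), End (0)."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + struct.pack("<HH", 1 << 6, 0)
    head = (b"CWS" if compressed else b"FWS") + b"\x0a" + struct.pack("<I", len(body) + 8)
    return head + (zlib.compress(body) if compressed else body)
```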
More to the point, why the fuck would you want to embed flash within a PDF? Can anyone explain a reasonable scenario where this is a useful feature?
What happens when in 6 or 12 months, manufacturers like Samsung stop updating their current release Android phones? (Talk to a Behold 2 owner about Samsung not updating phones right after release). How are we going to be protected from the army of infected phones? Who's going to be responsible for updating a Flash vulnerability in Android if the manufacturer doesn't release updates? Will Flash updates be pushed from Adobe?
...Microsoft really would buy Adobe, they could show them how to really make something exploitable!
I wonder how this is going to affect the development of the Playbook.
It is a well known fact that Apple devices are rendered immune to viruses by the power of Smug. Have you ever seen an Apple with a virus? Apple fanboys sure haven't, and they know it! After all, who needs Norton Antivirus when Smug comes free with every Apple device?
Many cultures ritualistically mutilate infants' genitals, as well. That doesn't make it right.
The plug in lets you import PDFs, which you can of course read. So you could read flash-free PDFs that way. What is very nice about this plug in is that you can also modify the PDFs and re-export them as PDF or ODF. And of course you can save in native OO Draw format.
The PDF modification process is a tad kludgey, but you can do quite a lot once you get the hang of it. Sure it is not Acrobat Pro, but it is free and in a pinch can let you make a final crucial edit to a PDF. I like to take the color images out of my AAA directions. The TripTik engine creates a PDF, which always has an ink wasting graphic easily deleted in OO Draw with this plug in.
http://extensions.services.openoffice.org/project/pdfimport
"No fear. No envy. No meanness." Liam Clancy
Does anyone have any information on the technical side of the bug? Is it a buffer overflow, wild pointer, stack smashing etc? I've searched online but I couldn't find any technical information about it.
No surprise no one is really upset over the fact Apple limits people's freedoms and won't allow Flash or Java on the iPhone.
Many cultures use commas instead of periods for the decimal mark. Specifically, see here.
Yes, but it doesn't necessarily imply the same is true of version numbers. Here in Norway we swap the dots and commas in numbers (1.234,55 vs 1,234.55) but I have never seen any software package, domestic or foreign, that uses anything but dots in their numbering. I think they're more considered dividers like in chapters, that do use dots like "3.4 Crossing the beams". And ok, so (float)7.5 makes sense but what exactly would a kernel version number of 2.6.36 mean? What when you go from 2.6.9 to 2.6.10? It does not make any sense, but if you consider them equal to chapters it makes perfect sense.
Live today, because you never know what tomorrow brings
Much more interesting are the following links:
http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_10_active_x.msi
http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_10_plugin.msi
which will give you msi installers which can be easily distributed with AD.
Very very useful if you need to upgrade a whole domain.
Every time I see a story like this (which is often) I thank Steve Jobs for no Flash on my iPhone along with all the wonderful people who develop the various Flash blockers for web browsers.
I don't have an iPhone, but I thank him for forcing web developers to find alternatives to Flash.
http://blog.kowalczyk.info/software/sumatrapdf/free-pdf-reader.html
http://live.gnome.org/Evince/Downloads
http://www.foxitsoftware.com/downloads/index.php
sumatra, evince, foxit....pick one. personally, i use sumatra
I don't know what the options are on OSX, since I have no possible use for the OS myself.
...Just like 99% of other users have no possible use for Linux, themselves.
Number of security vulnerabilities related to Adobe products by years:
2006: 31, 2007: 35, 2008: 64, 2009: 95, 2010: 175
152 of 175 vulnerabilities published in 2010 have CVSS scores higher than 9.
See http://www.cvedetails.com/vendor/53/Adobe.html for more details
>Adobe Warns of Critical Flash Bug, Already Being Exploited ...no?
Redundant, just a wee bit
If you have an exploit, it will be used, until it is patched. end of story,
so patch the f*cker already and stop issuing (and wasting time and money) comments
telling us you have exploits you will have to fix, and just fix them already.
No man is so evil that he cannot turn around and receive God's embrace.
In light of rampant Catholic pedophilia, that statement creates a really creepy image.
Because it contains security issues, just like every other piece of software out there? At least Adobe is aware and fixing. Jobs just got biased because Flash is in the news all the time when yet another bug is found.
I am not devoid of humor.