Slashdot Mirror


Adobe Warns of Critical Flash Bug, Already Being Exploited

Trailrunner7 writes "On the same day that it plans to release a patch for a critical flaw in Shockwave, Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader. The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac, and won't be patched for nearly two weeks. The new Flash bug came to light early Thursday when a researcher posted information about the problem, as well as a Trojan that is exploiting it and dropping a pair of malicious files on vulnerable PCs. Researcher Mila Parkour tested the bug and posted a screenshot of the malicious files that a Trojan exploiting the vulnerability drops during its infection routine. Adobe has since confirmed the vulnerability and said that it is aware of the attacks against Reader."

5 of 244 comments

  1. Re:How to prevent Reader from using Flash? by GameboyRMH · Score: 4, Informative

    Huh, didn't know there was a Windows port of evince. I'll have to look at replacing Foxit with that:

    http://live.gnome.org/Evince/Downloads

    And an .MSI installer too! I'll have to talk with the other IT guys at work tomorrow...

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  2. Re: Direct download link to Flash Player by qubezz · Score: 4, Informative

    The full Flash installer is buried in a deep link. You can use Internet Explorer, choose the 'different operating system or browser' link on the Adobe Flash download page, and get the Firefox version (likewise use an alternate browser to get the IE version).

    Of course, if you want a direct link to download the most recent installer without the 'download manager' slimeware or 'free Google Toolbar', here it is!:

  3. Tool to neuter Flash exploits - Blitzableiter by plover · Score: 5, Informative

    Here's an embarrassment for Adobe. An external researcher has created a tool called Blitzableiter, which is simply a Flash parser written in .Net. Its only job is to verify that any Flash you load is fully compliant with the Flash file format, and to hurl an exception if anything fails to parse correctly. I saw FX's presentation at DefCon and was suitably impressed.

    The cool thing is that he claims it's caught every exploit, past and present, that he's been able to find to test it with.

    Think about it. Someone external to Adobe is keeping Adobe's products safe simply by enforcing Adobe's own rules. Way to go, Adobe, you're completely awesome.

    Configuring Blitzableiter to work in Firefox takes a little bit of work. He asked the NoScript guy to provide an external plugin mechanism, which launches Blitzableiter to check out the SWFs before they're permitted into the Shockwave player. So you have to load the NoScript extension, then configure it to run Blitzableiter. I look at it as a fairly small price to pay for safety.

    I will say that it's pretty damn picky, and there's a lot of probably-safe-but-badly-written Flash out there that it won't let you load. Since there's actually very little Flash content I want to see anyway, it's not been a real problem for me. For expediency I put youtube.com in the exception list, just because I do trust the youtube player and don't feel I need to wait the extra two seconds to have it scanned every time I watch a video clip. Otherwise, it just rocks!

    --
    John
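    The idea plover describes, a strict parser sitting in front of the player that accepts a file only if it parses cleanly against the published format, in miniature. This is an added example and not the Blitzableiter tool itself (the post says that one is a .Net parser); it is written in Python against the header and tag-stream layout of the SWF file format (signature, version, declared uncompressed length, frame-size RECT, frame rate and frame count, then tags each carrying their own length, terminated by an End tag). The sample files are constructed inline, the RECT sign handling and the per-tag body grammars are left out, and the 550x400 stage, 24 fps and version 10 values are arbitrary choices for the samples, so this is far shallower than the real tool, but the enforcement rule is the same: any byte the grammar cannot account for means the file is refused.

```python
import struct
import zlib

class SwfFormatError(ValueError):
    """Any deviation from the SWF file format; the caller should refuse the file."""

def _need(body, pos, n, what):   # bounds check before every fixed-size read
    if pos + n > len(body):
        raise SwfFormatError(f"truncated {what}")

def _read_rect(body):
    """Frame-size RECT: 5-bit Nbits, then four Nbits-wide fields, MSB first (sign handling omitted)."""
    _need(body, 0, 1, "frame-size RECT")
    bits = "".join(f"{b:08b}" for b in body[:17])   # a RECT is at most 5 + 4*31 = 129 bits (17 bytes)
    nbits = int(bits[:5], 2)
    needed = 5 + 4 * nbits
    if len(bits) < needed:
        raise SwfFormatError("truncated frame-size RECT")
    fields = [int(bits[5 + i * nbits:5 + (i + 1) * nbits] or "0", 2) for i in range(4)]
    return fields, (needed + 7) // 8   # the fields, then the offset of the next byte-aligned field

def validate_swf(blob):
    """Parse header and tag stream; raise SwfFormatError on the first inconsistency, else return a summary."""
    _need(blob, 0, 8, "8-byte SWF header")
    sig, version = blob[:3], blob[3]
    declared_len = struct.unpack_from("<I", blob, 4)[0]   # uncompressed length, header included
    if sig not in (b"FWS", b"CWS"):
        raise SwfFormatError(f"unknown signature {sig!r}")
    try:
        body = zlib.decompress(blob[8:]) if sig == b"CWS" else blob[8:]
    except zlib.error as exc:
        raise SwfFormatError(f"zlib body does not decompress: {exc}") from None
    if declared_len != 8 + len(body):
        raise SwfFormatError(f"header claims {declared_len} bytes, file has {8 + len(body)}")
    (xmin, xmax, ymin, ymax), pos = _read_rect(body)
    _need(body, pos, 4, "frame rate / frame count")
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256   # 8.8 fixed point
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4
    # Tag stream: UI16 header = 10-bit tag code + 6-bit length; length 0x3F means a UI32 length follows.
    tags = []
    while True:
        _need(body, pos, 2, "tag header (stream ended without an End tag)")
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = code_and_len >> 6, code_and_len & 0x3F, pos + 2
        if length == 0x3F:
            _need(body, pos, 4, "long tag length")
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        if pos + length > len(body):
            raise SwfFormatError(f"tag {code} claims {length} bytes but only {len(body) - pos} remain")
        tags.append(code)
        pos += length
        if code == 0:   # End tag
            break
    if pos != len(body):
        raise SwfFormatError(f"{len(body) - pos} trailing bytes after the End tag")
    return {"version": version, "compressed": sig == b"CWS", "stage_twips": (xmax - xmin, ymax - ymin),
            "frame_rate": frame_rate, "frame_count": frame_count, "tags": tags}

def _pack_bits(fields):
    """Pack (value, width) pairs MSB-first, zero-padded to a byte boundary (sample construction only)."""
    bits = "".join(format(value, f"0{width}b") for value, width in fields)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")

def build_sample_swf(compressed=False, tag_bytes=None, trailing=b""):
    """Constructed one-frame SWF: 550x400 px stage (11000x8000 twips), 24 fps. Not a real-world file."""
    rect = _pack_bits([(15, 5), (0, 15), (11000, 15), (0, 15), (8000, 15)])
    if tag_bytes is None:
        tag_bytes = struct.pack("<HH", 1 << 6, 0)   # ShowFrame (code 1, len 0), then End (code 0)
    body = rect + struct.pack("<HH", 24 << 8, 1) + tag_bytes + trailing
    header = (b"CWS" if compressed else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)

def verdict(blob):
    """Accept/reject decision, the way a pre-filter in front of the player would report it."""
    try:
        return f"accepted: tags {validate_swf(blob)['tags']}"
    except SwfFormatError as exc:
        return f"rejected: {exc}"

def demo():
    """Run the validator over constructed well-formed and malformed files."""
    cases = {
        "clean, uncompressed": build_sample_swf(),
        "clean, zlib-compressed": build_sample_swf(compressed=True),
        "trailing bytes after End": build_sample_swf(trailing=b"\x00"),
        # ShowFrame header claiming a 64-byte payload that is not there: refused outright.
        "tag length overruns file": build_sample_swf(tag_bytes=struct.pack("<HI", (1 << 6) | 0x3F, 64)),
        "length field lies": b"FWS\x0a" + struct.pack("<I", 25) + b"\x00" * 5,
    }
    return {name: verdict(blob) for name, blob in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} {result}")
```

    The point of the design is the last two checks in `validate_swf`: a tag whose declared length runs past the end of the file, or bytes left over after the End tag, are both refused even though a lenient player might happily keep going. That is also why such a filter is "pretty damn picky" in practice: sloppy but harmless files fail the same checks as malicious ones, and the only way to let them through is a per-site exception like the one plover describes.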
  4. Re:Abode Is The Weakest Link by mkro · Score: 4, Informative

    The problem is that it is not "only supposed to be a document display". Someone gave a pretty good summary on Reddit about a month ago. The conclusion is that Adobe Reader is most likely overkill for 90% of the users, and you should stick to something like SumatraPDF or Foxit.

    --
    I shall go and tell the indestructible man that someone plans to murder him.
  5. Re:How to prevent Reader from using Flash? by GameboyRMH · Score: 4, Informative

    Foxit's been getting a little too adware-ish for me lately; it's coming bundled with toolbars now, and it offers a browser plugin which can only be bad news for security, browser speed and browser stability. Between the two I definitely prefer evince.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel