Slashdot Mirror
Adobe Warns of Critical Flash Bug, Already Being Exploited
Trailrunner7 writes "On the same day that it plans to release a patch for a critical flaw in Shockwave, Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader. The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac, and won't be patched for nearly two weeks. The new Flash bug came to light early Thursday when a researcher posted information about the problem, as well as a Trojan that is exploiting it and dropping a pair of malicious files on vulnerable PCs. Researcher Mila Parkour tested the bug and posted a screenshot of the malicious files that a Trojan exploiting the vulnerability drops during its infection routine. Adobe has since confirmed the vulnerability and said that it is aware of the attacks against Reader."
I hope Apple and Adobe come to an agreement because I want to live on the edge too.
Adobe's Acrobat, Reader & Flash are the weakest security links on any PC. This isn't really news any more ... it's expected.
Isn't Flash supposedly sandboxed? And, what the hell is Flash doing in a PDF viewing utility?
I think it's about time to go from using Click2Flash to just deleting the Flash plugin completely.
It happens when you open PDF documents and Flash scripts. Duh.
In other news, Steve Jobs now has even more arguments to push aside Flash and Shockwave.
Wait, Shockwave? That thing is still alive?
The nice thing about html5 is that it's plaintext, and thereby can't be exploited - only the parsers can. And the nice thing of these parsers - which we also call Browsers - is that you can choose, and secure them yourself.
Bye Bye Flash
Html5, here we come!
-F
Attention browser developers:
Start sandboxing the browser so that by default, plug-ins are sandboxed from each other and from instances of each other in other "sessions" and they are not allowed a persistent storage.
Any user-initiated visit to a web site would be a new session.
Unless the end-user overrode the settings, only highly trusted plugins would be allowed persistent local storage and cross-session communication, and one of the criteria of being "trusted" is that the browser validated the plugin against a list of known-clean plugins in the last few hours.
Basically, if you aren't trusted, you get a very limited view of the local computer and once you quit, you get amnesia.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
How much you wanna bet we're going to have to wait for Adobe's next 90-day update cycle, since this was released right on the day of another patch?
Looks like not. From the article:
Adobe security officials said they plan to patch the Flash bug on Nov. 9 and will release a fix for Reader and Acrobat during the week of Nov. 15.
Adobe said that a Flash update is scheduled for (Patch) Tuesday, November 9. Updates for Acrobat and Reader are scheduled for the week of November 15.
>"The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac"
What horrible wording. One could read that to mean Linux is not a "relevant platform" in general, or that the vulnerability can't use the exploit to do anything to a Linux system or several other things.
From the article:
"A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh."
I'd be more worried about the fact that majority of consumers don't update their Acrobat Reader on PCs. Clicking "Update Later" button has become something you get to click every time you reboot the computer.
Can someone please explain to me why it will take Adobe two weeks to get a patch out?
They need to come up with a reliable way to fix this, make absolutely sure it actually fixes the problem, and then make sure the patch doesn't cause crashes on any of the OS variants out there. Otherwise the chaos would be worse. Plus, you don't give a optimistic estimate right at the start.
(Look how Chile handled that for the mining disaster. They started with a safe estimate, and got praised for beating their own deadline. Imagine the reactions if they had been too optimistic in their original estimate.)
Use one of the pdf readers that doesn't have adobe's holes and bloat.
I think there is a windows port of evince, and I used to use sumatra when I had windows boxen. I have a friend that likes foxit, but I've never used it myself. etc.
Sent from my PDP-11
I'm running the 64-bit "preview" Linux plugin called "Square". Adobe reports,"You have version 10,2,161,23 installed" when I check by right-clicking on a video and choosing About. Does that mean I'm not vulnerable to this flaw?
Just a guess, but removing authplay.dll might help mitigate the Reader portion of this exploit. I generally do that after every Reader upgrade because a similar vulnerability happened once before. Besides, who ever uses Flash inside a PDF document anyway?
Am I the only one who finds it ironic that a web site that warns of a critical bug in the Flash player tries to install the Flash plugin?
(yes, I don't have Flash installed anywhere and so the linked web page demands to install it)
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
There are many approaches. Sandboxing is one, there's Sandboxie for Windows. On Linux you could use SELinux, or AppArmor which is much more user-friendly and is ultra-convenient on Ubuntu - profiles for Firefox (with Flash) and evince are installed by default and are updated automatically with the programs.
I don't know what the options are on OSX, since I have no possible use for the OS myself.
"When information is power, privacy is freedom" - Jah-Wren Ryel
This is why Apple no longer ships Flash pre-installed, and why they do their own PDF readers. Regardless of any tiffs (or .TIFFs, har! see what I did there?) between Adobe and Apple, I'm sure that Adobe wants its products preinstalled in OSX. Even through its contentious history with Adobe, Apple has preinstalled Flash for many software releases now because it made business sense to do so. It no longer does.
Recent trends show that Adobe is the most readily-exploited software vendor (per US-CERT). Critical flaws are being discovered faster than operating system installer "golden images" can be put through the update-certification-release cycle. Any version of Flash or Acrobat/Reader that is incorporated into an OS golden image will almost certainly be vulnerable by the time a system with that OS installed reaches a customer. You're going to have to update the moment you're out-of-box, so why pre-install something you're going to have to patch anyway (assuming you patch at all)? And Apple can't autopatch it... their Software Update only updates Apple products (i.e. products which they actually have the legal right to patch).
And, of course, the headlines would (and do) read "Macs being exploited" instead of "Adobe being exploited". Apple doesn't want that, and is in a position to do something about it.
Do we perhaps understand why Apple does some of the things it does a little better now? Do we perhaps understand why Microsoft doesn't include Flash/Reader as part of its OS? Does Adobe need to get its goddamned act together before they start throwing rocks at OS vendors?
Everybody gets what the majority deserves.
There's no correlation between age of a product and security. If anything the older the project and more nebulous the code base, the less likely anyone inside Adobe even understands it all. I use sumatrapdf and evince so I'm not affected personally but I think the only hope is either replacement or freeing the source code for the product. From a business perspective, Adobe will only go and fix bugs that become a big enough PR disaster that they can't ignore them. There would also need to be a viable alternative to their products.
Similarly to how Microsoft has had to acknowledge OpenOffice, at some point hopefully GIMP and Inkscape and other creative tools will cause Adobe to address their own issues. The software industry has a serious lack of competition and without free software that closely mimics commercial products, it's hard to imagine anything improving substantially in the near future.
Huh didn't know there was a Windows port of evince. I'll have to look at replacing Foxit with that:
http://live.gnome.org/Evince/Downloads
And an .MSI installer too! I'll have to talk with the other IT guys at work tomorrow...
"When information is power, privacy is freedom" - Jah-Wren Ryel
They need to come up with a reliable way to fix this, make absolutely sure it actually fixes the problem, and then make sure the patch doesn't cause crashes on any of the OS variants out there. Otherwise the chaos would be worse.
Indeed: just imagine the riots in the streets if they accidentally broke Farmville. Having millions more PCs in botnets will be much less harmful.
Every time I see a story like this (which is often) I thank Steve Jobs for no Flash on my iPhone along with all the wonderful people who develop the various Flash blockers for web browsers.
On Windows, you can force any program to run at Low IL (Integrity Level support requires Vista or above). Low IL processes, regardless of their nominal user permissions, can only write to Low IL folders. There are only a couple of these in the base install - %USERPROFILE%\AppData\Local\Low contains things like the Temporary Internet Files folder (IE runs at low IL by default).
Low IL processes also can't start other processes at higher integrity levels. If for some reason you need a higher level (the usual reason is saving files) you can have a "broker process" that runs at the standard level (Medium IL) and exposes some interprocedural communication to the Low IL process. Strictly speaking this opens a hole in your sandbox, but it's a lot easier to lock down that broker process since it's very special-purpose and has a very small attack surface. Also, the broker process can be used to present a warning to the user when it is invoked for anything potentially dangerous (IE's "Protected Mode" warning appears when the browser asks the broker process to start an external application).
It's not as customizable as AppArmor, but it's less complicated. Unfortunately, it also takes a little tweaking to find out how to set process or folder IL.
There's no place I could be, since I've found Serenity...
I've tested the latest 10.2 preview of Flash and it is vulnerable. The US-CERT vulnerability note has been updated to reflect this: http://www.kb.cert.org/vuls/id/298081
... this makes me very wary of buying a device where all apps, and the OS/UI itself are written in Adobe AIR (which is pretty much Flash.) So when a vulnerability comes along you... what... quit using the whole device? I'm sure that will go over really well with the large businesses that are BlackBerry's intended customers. And for those who think I'm hyperbolizing, watch the video and listen close--the head of RIM says (at the 2:20 mark) "what we've done is... really embed AIR right into 'the metal' and the operating system." By "metal" I think he means "as low-level as we possibly could."
Wait, scratch that... large businesses have been buying Windows for two decades, so never mind me. I be this thing will fly off the shelves. Hmm, maybe I should write an antivirus app in Flash so it can run on a PlayBook. :-)
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
This is probably going to be more and more of a problem in the near future. I just got back from an Adobe seminar yesterday, and all of the tools in the CS5 Design series are focused on making Flash movies and Flash-based (interactive) PDFs much easier. I can't even imagine the security holes in an interactive PDF that's been generated using In Design or Illustrator.
... of why Apple is correct in keeping this steaming pile of insecurity off of their devices.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
The full Flash installer is buried in a deep link. You can use Internet Explorer, choose the 'different operating system or browser' link on the Adobe Flash download page, and get the Firefox version (likewise use an alternate browser to get the IE version).
Of course, if you want a direct link to download the most recent installer without the 'download manager' slimeware or 'free Google Toolbar', here it is!:
Good question. Mine reports 10,2,161,22 installed (can't they figure out how to use decimal points?)
Many cultures use commas instaed of periods for the decimal mark. Specifically, see here.
"A witty saying proves nothing." - Voltaire
Here's an embarrassment for Adobe. An external researcher has created a tool called Blitzableiter, which is simply a Flash parser written in .Net. Its only job is to verify that any Flash you load is fully compliant with the Flash file format, and to hurl an exception if anything fails to parse correctly. I saw FX's presentation at DefCon and was suitably impressed.
The cool thing is that he claims it's caught every exploit, past and present, that he's been able to find to test it with.
Think about it. Someone external to Adobe is keeping Adobe's products safe simply by enforcing Adobe's own rules. Way to go, Adobe, you're completely awesome.
Configuring Blitzableiter to work in Firefox takes a little bit of work. He asked the NoScript guy to provide an external plugin mechanism, which launches Blitzableiter to check out the SWFs before they're permitted into the Shockwave player. So you have to load the NoScript extension, then configure it to run Blitzableiter. I look at it as a fairly small price to pay for safety.
I will say that it's pretty damn picky, and there's a lot of probably-safe-but-badly-written Flash out there that it won't let you load. Since there's actually very little Flash content I want to see anyway, it's not been a real problem for me. For expediency I put youtube.com in the exception list, just because I do trust the youtube player and don't feel I need to wait the extra two seconds to have it scanned every time I watch a video clip. Otherwise, it just rocks!
John
what happens when in 6 or 12 months, manufacturers like Samsung stop updating their current release Android phones? (Talk to a Behold 2 owner about Samsung not updating phones right after release). How are we going to be protected from the army of infected phones? Who's going to be responsible for updating a Flash vulnerability in Android if the manufacturer doesn't release updates? Will Flash updates by pushed from Adobe?
Many cultures ritualistically mutilate infants' genitals, as well. That doesn't make it right.
The problem with web browsers executing arbitrary code is really only "solved" with sand-boxing when you assume that your private personal data is stored on your hard disk. Unfortunately, since most personal data is now stored and accessed through a web browser, you have essentially allowed arbitrary code to operate on your personal data.
Emacs was compromised by a similar line of thinking, that:
Because the ability to execute code is sometimes useful when editing documents, everything should be implemented in Emacs.
Likewise, Javascript is sometimes useful for displaying information on webpages. However, this does not imply that web browsers should be an application platform.
Carrying these assumptions forward blindly gives rise to many of the current challenges of today.
Adobe actually finally corrected this a month ago, and a 64-bit Flash plugin is now available again - for all platforms.
Many cultures use commas instaed of periods for the decimal mark. Specifically, see here.
Yes, but it doesn't necessarily imply the same is true of version numbers. Here in Norway we swap the dots and commas in numbers (1.234,55 vs 1,234.55) but I have never seen any software package, domestic or foreign, that uses anything but dots in their numbering. I think they're more considered dividers like in chapters, that do use dots like "3.4 Crossing the beams". And ok, so (float)7.5 makes sense but what exactly would a kernel version number of 2.6.36 mean? What when you go from 2.6.9 to 2.6.10? It does not make any sense, but if you consider them equal to chapters it makes perfect sense.
Live today, because you never know what tomorrow brings
Foxit's been getting a little too adware-ish for me lately, it's coming bundled with toolbars now, and it offers a browser plugin which can only be bad news for security, browser speed and browser stability. Between the two I definitely prefer evince.
"When information is power, privacy is freedom" - Jah-Wren Ryel