Adobe To Push Emergency Fix For Flash Bug
Trailrunner7 writes "Adobe has moved up the release date for the patch for the critical bug in Adobe Flash Player revealed last week, and now plans to have an emergency fix ready on Thursday. The company still plans to patch Reader two weeks from now. The vulnerability in Flash also exists in Reader and researchers said last week that attackers had already begun exploiting the bug in Reader by the time that Adobe acknowledged the problem and published an advisory. At the time of the initial advisory, Adobe officials said they planned to release a patch for Flash on Nov. 9 and for Reader on Nov. 15."
What is the point of waiting to deploy these fixes? Do they need to age before they are palatable to the public?
"revealed last week"
"emergency fix"
"Thursday"
You are fucking stupid to have flash installed on any machine with ANY information in it.
Yes those computers with no information stored in them would be much safer, if they could exist.
Let me guess. With this new fix, we will have the best, safest Flash ever.
I tried to look at a photo of someone who won a Governor's office today via Google Images. The site I landed on popped up the Firefox Flash update screen for a second, then asked to update Firefox from a .cc site, which I denied. Was I almost taken by this exploit, or am I being paranoid?
When are FroYo devices running 10.1 getting the update? When are HTC and Sprint, HTC and AT&T, HTC and T-Mobile and HTC and Verizon planning on doing an OTA? When's Motorola? Samsung? etc. etc. etc.
Unencumbered by the thought process.
This is another pet rock idea in the making...
"The Computer Rock! It never gets viruses, it never gets slower and when it crashes it's the one doing the damage!"
In my experience outdated third-party plugins like Flash, Reader and even Java seem to be the way a lot of the attacks are happening lately. I watched a fake antivirus load onto my PC after it somehow launched Adobe Reader about a year ago. An outbreak of fake antiviruses on machines revealed the same outdated version of Java loaded on those machines. Sadly the end users affected normally were pretty good about their surfing habits even though the job required a lot of research work. It isn't just Windows updates to worry about anymore.
I miss my tandy :(
Just moved my entire network (243 computers) off of Reader 9 to Reader 8. Testing replacements now. F*ck Adobe.
I already replaced it with gnash and I am satisfied.
In fact it would even get faster if you threw it.
*rimshot*
This is why the NSA have stopped harping on about the clipper chip and other mandatory back doors.
They don't need 'em!
Makes me laugh about eulas in general:
"I the customer promise not to reverse engineer or copy this big security hole, and to let you disperse all my private data, and in return you promise that you may or may not abuse me in the aforementioned fashion, or permit such abuse by third, fourth and fifth parties."
Where's all the class action lawsuits?
blog.sam.liddicott.com
Well if you really cared you could pass --safe-plugins to Chromium and sandbox Flash. It'll break some websites but YouTube works. Details: click. Linux details: click. On Linux the sandbox is using either chroot (SUID) or policies (AppArmor, SELinux, seccomp...).
I think the time is ripe to get on the bandwagon of safety-critical software development methodologies. It has been shown over and over that there is a bunch of code, in widespread use, whose failures cause extensive economic harm -- even if the harm to the individual is small, the collective expense is major and measured in USD billions. Flash Player and Reader fall into the category of software whose safety shortcomings cause extensive economic harm. Why those are developed using "standard" (read: cavalier) methodologies, I don't know. Flash Player and Adobe Reader should be developed at least to FAA software level C, ideally to level B. Or SIL 3 per IEC 61508. At least Adobe would directly feel how much it really costs to have feature bloat. No one adds features willy-nilly to SIL 3 code.
A successful API design takes a mixture of software design and pedagogy.
The Flash updater annoyed me the last time I ran it. The last update I applied snuck some McAfee software onto my machine.
The Flash updater now has the checkbox checked by default for McAfee Security Scan Plus, and they moved the checkbox so you don't notice it when you are glancing at the installer.
I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
I have a Tandy 1000 RLX. With its 80286 processor, VGA video, IDE support and 1.44 MB floppy drive, it's the best, smallest Tandy 1000 to have while still being able to easily find legacy parts for it (monitor, hard drive, etc).
If you only run MS-DOS, replace the hard drive with the biggest supported Compact Flash card you can find. You can store all your old games on it and still have lots of room left.
A disclaimer: I'm not in any way associated with Adobe but I do teach courses on Flash (among other subjects).
Flash is a much more complex system than many people realize. Lots of people (including lots of programmers) think of Flash as only some small browser plugin that can be used for annoying banners and such. But really, Flash is a large development environment (and a rather interesting one at that). An object-oriented programming language (ActionScript) is run in a full-scale virtual machine (complete with garbage collectors and the like) and can be used to view multimedia, manipulate files... It is in many ways a lot like Java. Of course, there are also many people who think of annoying browser applets when they hear "Java" but I doubt I even need to explain why they're silly.
There are three reasons why Flash has all the negative reputation that it has:
1) The ugly history. For example, the switch from AS2 to AS3 meant massive speed improvements (Adobe claims that Flash got ten times faster. I might not sign that number... But it got a LOT faster). However, though it happened several years ago, geeks are rather slow to change their stereotypes on these kinds of issues. There have been a lot of other improvements like that so Flash is quite different from what it was a decade (or even half a decade) ago.
2) It is used in ugly ways. We all know how annoying it is when websites have a dozen different Flash elements (especially if you have 10 tabs open)... But that is an issue with webmasters using their tools to create poor sites, not with the tools themselves. It could reasonably be argued that Adobe should give end users more control to protect them from the dickish developers (easier mute, etc.) but I don't think that even that is a given. People who program in C can create applications that are impossible to mute (except at OS level). People who program in Java can create applications that are impossible to mute (except at OS level). We don't say "C sucks" or "Java sucks" because of that, we say "The developer was an idiot. I'll just close this application, then.".
3) It is too easy to create (crappy) applications. I think that Java also suffers (or, at least used to suffer) from this. It is easy to create something that seems like it works, even though it is a horrible mess in the background. So... There are a lot of people who could never produce anything in more demanding languages (like C++) but can create something in Flash. Because of that, many people who create flash applications don't have any background in software engineering, computer science, etc. and that is reflected in the end result.
I consider Flash to be where Java was some years ago. A decent concept and a decent virtual machine, though the API is still somewhat messy and too many people still associate it with slow and annoying browser applications. It might well be that Flash will die soon but I also wouldn't be shocked if Adobe managed to conquer new areas and we saw a second era of Flash.
Where do I click to get 'infected'? Besides, there is no authplay.dll on my computer.
"A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX" link
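The advisory text quoted above defines the affected set by version ranges, and the version strings people actually see (browser plugin lists such as "Shockwave Flash 10.1 r85", Reader's Help/About dialog) are not in the advisory's dotted format. Below is an added example, not Adobe's or the advisory's code, of a triage script that normalises those strings and tells you whether a machine is inside the ranges quoted above. The sample plugin strings are constructed; the cut-off versions are taken from the quoted advisory. Where a plugin string omits the build number (e.g. "10.1 r85"), the missing component is treated as 0, so such a string is conservatively reported as affected.

```python
"""Triage installed Flash Player / Reader versions against the APSB10-26
ranges quoted in the comment above.  Added example, not Adobe's code.

Affected per the quoted advisory:
  - Flash Player 10.1.85.3 and earlier (Windows, Mac, Linux, Solaris)
  - Flash Player 10.1.95.2 and earlier (Android)
  - authplay.dll in Reader 9.4 and earlier 9.x versions
"""
import re
from typing import Dict, Tuple

# Upper bound (inclusive) of the affected range, per platform.
FLASH_AFFECTED_MAX = {
    "desktop": "10.1.85.3",   # Windows, Macintosh, Linux, Solaris
    "android": "10.1.95.2",
}
READER_AFFECTED_MAX = "9.4"   # only the 9.x branch is named in the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the numeric components out of any version-ish string.

    'Shockwave Flash 10.1 r85' -> (10, 1, 85)
    '10.1.85.3'               -> (10, 1, 85, 3)
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def version_le(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """a <= b with missing trailing components treated as 0.

    Plain string comparison gets this wrong ('10.1.9' > '10.1.85'), and
    plain tuple comparison treats (10, 1, 85) as less than (10, 1, 85, 0),
    so both sides are zero-padded to the same length first.
    """
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def is_flash_affected(version: str, platform: str = "desktop") -> bool:
    """True if this Flash Player build falls inside the quoted range."""
    bound = parse_version(FLASH_AFFECTED_MAX[platform])
    return version_le(parse_version(version), bound)


def is_reader_affected(version: str) -> bool:
    """True for Reader 9.x up to and including 9.4.

    Other major versions are not named in the quoted advisory text, so
    they are reported as not affected by *this* bulletin, which says
    nothing about whether they are safe in general.
    """
    v = parse_version(version)
    return v[0] == 9 and version_le(v, parse_version(READER_AFFECTED_MAX))


def triage(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, bool]:
    """inventory maps host -> (product, version string) and returns
    host -> affected?  product is 'flash', 'flash-android' or 'reader'."""
    result = {}
    for host, (product, version) in inventory.items():
        if product == "flash":
            result[host] = is_flash_affected(version, "desktop")
        elif product == "flash-android":
            result[host] = is_flash_affected(version, "android")
        elif product == "reader":
            result[host] = is_reader_affected(version)
        else:
            raise ValueError(f"unknown product {product!r} on {host}")
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "ubuntu-desktop": ("flash", "Shockwave Flash 10.1 r85"),
        "win7-kiosk":     ("flash", "10.1.85.3"),
        "mac-dev":        ("flash", "10.2.0.0"),
        "froyo-phone":    ("flash-android", "10.1.95.2"),
        "accounting-pc":  ("reader", "9.3.4"),
        "legacy-box":     ("reader", "8.2.5"),
    }
    for host, affected in triage(sample).items():
        print(f"{host:16s} {'AFFECTED' if affected else 'ok'}")
```

Run it against an inventory exported from whatever asset tool you have; the only thing that matters is that the version string contains the numeric components in order. Note the padding rule: a bare "10.1 r85" cannot be distinguished from 10.1.85.3, so it is flagged, which is the right default for a patch-or-not decision.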
Shockwave Flash 10.1 on Ubuntu 10.10
Flash has always been an appalling security nightmare. We have been seeing exploits for it for years now. Adobe simply can't be trusted to write 'hello, world!' without adding a pile of remotely exploitable holes.
At this point we should be seriously considering using Silverlight and Moonlight instead, that's how bad this Adobe situation has become.
Hi, I'm a Mac!
To continue using Adobe's software?
"Speaking about Mr. Jobs's assertion that Adobe is the No. 1 cause of Mac crashes, Mr. Narayen says if Adobe crashes Apple, that actually has something 'to do with the Apple operating system.'" (WSJ: http://blogs.wsj.com/digits/2010/04/29/live-blogging-the-journals-interview-with-adobe-ceo/?mod=e2tw)
by that logic, it means
IF Flash and Reader have major vulnerabilities across ALL OSes: Windows, Mac, Linux, Android, Symbian...
Oh, well it must have something to do with the operating system
Most of us who are knowledgeable about programmatic structure, syntax, idiosyncrasies, faults, and exploits advised Adobe, either formally and directly through communiqué or informally and indirectly through public message boards, to patch their vulnerabilities about fifteen years ago.
One ring to rule them all? Patch one bug and patch them all? For #$*@'s sakes... you people have more code-holes than Ivory running 300 BAUD and a caller drop carrier with an immediate callback.
The only sane approach is to just assume (sane > CV_assume) that everything you do on modern day networks is compromised, intercepted, audited, and screened by someone with more money than you will ever even count.
KILL IT WITH FIRE.
Hail Eris, full of mischief...
Out of many, blood.
Doesn't this story get posted every week? Why not just make it a permanent item on the /. home page?
Or you could just...this is a thought, just throwing it out there...use Foxit with Sandboxie and call it a day. Or if you would prefer even more protection run Comodo AV or Internet Security and have EVERYTHING sandboxed. And that is of course if you are running on an older Windows, as Vista and 7 already do file and registry virtualization.
It really isn't hard to isolate programs anymore, or set up a machine so all but the most determined idiots can't hose it. I have my customers as well as my family on a combo of Comodo+Firefox with ABP+Foxit and frankly I can't remember the last time I had to clean a bug from one of those machines. Short of them ignoring the AV and saying "Yes, I'd like a bug, please install it!" they really have nothing to worry about. Just have everything set to autoupdate, along with an easy to setup program like Winutilities Free to automate registry and broken shortcut cleaning and defragging and the machine is as close to an appliance as one can get. It takes me less than a half hour and then I don't have to mess with it ever again.
So banning flash really is a case of chopping off your head to get rid of a headache. The users will scream bloody murder when their Farmville and videos don't work, and frankly it is unnecessary. You can even set up Filehippo update checker so all their third party programs are updated regularly as well. It really ain't hard AC.
ACs don't waste your time replying, your posts are never seen by me.
When did Adobe start to suck so badly? There was a time when I welcomed their products.
Speaking as a semi-casual user with several PCs, 75% of the snafu-fixing time I've put in over the last year has been linked to Adobe: virus attacks, zombie versions of Acrobat that won't uninstall, browser weirdnesses... Hours and hours. I am not happy.
I also find I can get along pretty well without Flash.
Could the next patched version of Flash 10.x have a 64 bit Debug Version also? Thanks in advance.
This is another pet rock idea in the making..
The Commodore PET made a pretty good rock. If you could lift it.
LOAD "SPACE INVADERS",1
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
Why should i sandbox flash... When flash should BE a sandbox?
STOP trying to trick me into downloading some crappy antivirus software (Sorry for yelling)
Also, I think I've found a bug in Slashcode:
1. As anonymous coward from work using Firefox 3.6, write a longish comment in ALL CAPS.
2. Slashdot will complain about this.
3. Then fix that comment.
4. You will not be able to type in the captcha.
5. When you submit/preview Slashdot will complain.
6. You will not be able to post unless you refresh the page.
7. ???
8. Profit.
Well technically it uses the same OS measures Adobe would be using. But you're right. The only reason to crudely sandbox Flash is if you need Flash, because Adobe can't be arsed to properly secure it themselves.
How is this even legal, given they are security updates? Plus, we now have to seek out the more obscure 'clean' update to prevent the Adobe Download Manager (DLM) from infecting our browsers. Adobe is really starting to feel like a virus.
http://www.adobe.com/support/security/bulletins/apsb10-26.html
The fact that anyone was caught by this is demonstrable proof that too many idiot managers and execs are making decisions about IT in corporate u.s. who should be nowhere near anything IT - no matter how many demos, articles, or courses they fumble through!!!!!!!!!!!!!!!!
ALL Adobe products create a glut of directories on installation, maintaining old copies of files that are never completely removed or over written. The chances for intentionally accessing any of these alternative files (vulnerable authplay for example) is elementary. Additionally, any examination into the continuous and pervasive vulnerabilities of Adobe products is a study reaching back into ancient history and clear testimony that adobe will not, can not, and does not want to fix the problems, that are at the heart of many of the adobe components.
- June 2010 - same Adobe components - critical vulnerabilities with methods for exploiting them publicly published.
- June 2009 - exact same components - exact same situation.
What does it take to get people to realize these are pain in the az products that will see Adobe fold before they even consider fixing them? Considering the price of Adobe products and the number of unnecessary copies of the same components and various versions installed, you idiots should be demanding a heck of a lot more!!! (oops sorry, if you had even the slightest clue.)
Given recent articles about the growing potential for hardware viruses, possibly lying in wait for years to be activated on some trigger, one might easily extrapolate that the inside track is that Adobe is setting up, or being set up, to bring some parts of the world to its knees. It is nigh time for a responsible government to investigate the practices and path down which corporate America is irresponsibly, and perhaps intentionally, dragging the world.
Fools