Adobe To Push Emergency Fix For Flash Bug
Trailrunner7 writes "Adobe has moved up the release date for the patch for the critical bug in Adobe Flash Player revealed last week, and now plans to have an emergency fix ready on Thursday. The company still plans to patch Reader two weeks from now. The vulnerability in Flash also exists in Reader and researchers said last week that attackers had already begun exploiting the bug in Reader by the time that Adobe acknowledged the problem and published an advisory. At the time of the initial advisory, Adobe officials said they planned to release a patch for Flash on Nov. 9 and for Reader on Nov. 15."
I would imagine that there is a certain amount of testing with any software patch that's released.
No doubt they have a "process" that includes running regression tests on release builds.
Also no doubt this process is completely inadequate for most needs and products, and exists only to serve a pro-forma certification process, meaning in this case they should have tested the feature they changed and released it, planning to update it on the original schedule if testing showed a regression problem. Because letting your users risk getting rooted is worse than letting them take a risk on a beta release.
But then you get IT droids whining that they have to push it to their herds twice.
I would imagine that there is a certain amount of testing with any software patch that's released.
Exactly. They'd hate to introduce more bugs, security vulnerabilities, etc into their otherwise stable and secure product.
"revealed last week"
"emergency fix"
"Thursday"
Indeed. If patches carried the risk of having the programmers executed if it didn't go well, there would be no software bugs at all.
And that testing is only as good as what it does test for. Really good QA is tough stuff and unfortunately, that level of expertise is often undervalued. Adobe has been pushing out lots of updates as of late. Good that they're doing it; bad that it's so often.
You are fucking stupid to have flash installed on any machine with ANY information in it.
Yes those computers with no information stored in them would be much safer, if they could exist.
there would be no software at all....
Let me guess. With this new fix, we will have the best, safest Flash ever.
I tried to look at a photo of someone who won a Governors office today via Google images. The site I landed on popped up the Firefox Flash update screen for a second, then asked to update Firefox from a .cc site, which I denied. Was I almost taken by this exploit, or am I being paranoid?
Because letting your users risk getting rooted is worse than letting them take a risk on a beta release.
No, your security doesn't matter to them a bit. But a risky beta release can give them bad publicity.
Nobody gives a damn about your security but you. Especially not the proprietary software houses. FOSS, at least, uses their own systems, so they have a reason to worry about security.
Anyway, this doesn't affect me (yet) because I'm using a different PDF reader (came with the distro) and haven't been able to get Flash working at all.
Free Martian Whores!
When are FroYo devices running 10.1 getting the update? When's HTC and Sprint, HTC and AT&T, HTC and TMobile and HTC and Verizon planning on doing an OTA? When's Motorola? Samsung? etc. etc. etc.
Non impediti ratione cogitationus.
It's good that they are doing it so often.
It must cost them a small fortune every time.
Hopefully someone there who signs checks is getting tired of it all and is pushing for changes.
This is another pet rock idea in the making...
"The Computer Rock! It never gets viruses, it never gets slower and when it crashes it's the one doing the damage!"
In my experience outdated third party plugins like flash, reader and even java seem to be the way a lot of the attacks are happening lately. I watched a fake antivirus load to my PC after it somehow launched adobe reader about a year ago. An outbreak of fake antiviruses on machines revealed the same outdated version of java loaded on those machines. Sadly the end users affected normally were pretty good about their surfing habits even though the job required a lot of research work. It isn't just windows updates to worry about anymore.
just moved my entire network (243 computers) off of reader 9 to reader 8. Testing replacements now. F*ck Adobe.
I already replaced it with gnash and I am satisfied.
In fact it would even get faster if you threw it.
*rimshot*
This is why the NSA have stopped harping on about the clipper chip and other mandatory back doors.
They don't need 'em!
Makes me laugh about eulas in general:
"I the customer promise not to reverse engineer or copy this big security hole, and to let you disperse all my private data, and in return you promise that you may or may not abuse me in the aforementioned fashion, or permit such abuse by third, fourth and fifth parties."
Where's all the class action lawsuits?
blog.sam.liddicott.com
Well if you really cared you could pass --safe-plugins to Chromium and sandbox Flash. It'll break some websites but YouTube works. Details: click. Linux details: click. On Linux the sandbox is using either chroot (SUID) or policies (AppArmor, SELinux, seccomp...).
They are, there's a new from the ground up design for reader/acrobat pro coming sometime Q4. It's been in the works for a while but obviously being a new codebase it's going to require a ton of testing, and it hooks into products they've never hooked to before (Office 2010 for one) and all of that functionality needs to be tested as well.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I think the time is ripe to get on the bandwagon of safety-critical software development methodologies. It has been shown over and over that there is a bunch of code, in widespread use, whose failures cause extensive economical harm -- even if the harm to the individual is small, the collective expense is major and measured in USD billions. Flash Player and Reader fall into the category of software whose safety shortcomings cause extensive economical harm. Why are those developed using "standard" (read: cavalier) methodologies, I don't know. Flash Player and Adobe Reader should be developed at least to FAA software level C, ideally to level B. Or SIL3 per IEC61508. At least Adobe would directly feel how much it really costs to have feature bloat. No one adds features willy-nilly to SIL3 code.
A successful API design takes a mixture of software design and pedagogy.
The Flash updater annoyed me the last time I ran it. The last update I applied snuck some Mcafee software on to my machine.
The flash updater now has the checkbox checked by default for mcafee security scan plus, and they moved the checkbox so you don't notice it when you are glancing at the installer.
I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
It's well known that North Korea publishes the most secure Hello World program in the world.
A disclaimer: I'm not in any way associated with Adobe but I do teach courses on Flash (among other subjects).
Flash is a much more complex system than many people realize. Lots of people (including lots of programmers) think of flash as only some small browser plugin that can be used for annoying banners and such. But really, flash is a large development environment (and rather interesting one at that). Object oriented programming language (ActionScript) is run in a full scale virtual machine (complete with garbage collectors and the like) and can be used to view multimedia, manipulate files... It is in many ways a lot like Java. Of course, there are also many people who think of annoying browser applets when they hear "Java" but I doubt I even need to explain why they're silly.
There are three reasons why Flash has all the negative reputation that it has:
1) The ugly history. For example, switch from AS2 to AS3 meant massive speed improvements (Adobe claims that Flash got ten times faster. I might not sign that number... But it got a LOT faster). However, though it happened several years ago, geeks are rather slow to change their stereotypes on this kind of issues. There have been a lot of other improvements like that so Flash is quite different from what it was a decade (or even half a decade) ago.
2) It is used in ugly ways. We all know how annoying it is when websites have a dozen different flash elements (especially if you have 10 tabs open)... But that is an issue with webmasters using their tools to create poor sites, not with the tools themselves. It could reasonably be argued that Adobe should give end user more control to protect them from the dickish developers (easier mute, etc.) but I don't think that even that is a given. People who program in C can create applications that are impossible to mute (except at OS level). People who program in Java can create applications that are impossible to mute (except at OS level). We don't say "C sucks" or "Java sucks" because of that, we say "The developer was an idiot. I'll just close this application, then.".
3) It is too easy to create (crappy) applications. I think that Java also suffers (or, at least used to suffer) from this. It is easy to create something that seems like it works, even though it is a horrible mess in the background. So... There are a lot of people who could never produce anything in more demanding languages (like C++) but can create something in Flash. Because of that, many people who create flash applications don't have any background in software engineering, computer science, etc. and that is reflected in the end result.
I consider flash to be where Java was some years ago. A decent concept and a decent virtual machine, though the API is still somewhat messy and too many people still associate it with slow and annoying browser applications. It might well be that Flash will die soon but I also wouldn't be shocked if Adobe would manage to conquer new areas and we would see a second era of Flash.
Where do I click to get 'infected', besides there is no authplay.dll on my computer.
"A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX" link
Shockwave Flash 10.1 on Ubuntu 10.10
These are not the droids you're looking for.
On a serious note, why badmouth IT people just because adobe's products are broken?
Personally I'd be simply dumping flash and pdfs, at the proxy/email servers, til adobe fixes their software. Send out note to entire company: Due to extreme security risk in adobe's products we must block flash and pdf content in web pages and email until further notice.
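The poster above suggests holding back Flash and PDF content at the proxy and mail gateway until the vendor fix lands. The following is an added example, not code from the thread or from Adobe: a small Python quarantine check of the kind such a gateway could run. It identifies the two formats by their leading bytes rather than by the declared Content-Type or file extension, so a renamed .swf or a mislabelled PDF is still held, and it also looks for the PDF header anywhere in the first 1 KiB, since PDF readers accept a header that does not start at offset 0. The function names, the 1 KiB window and all sample payloads are assumptions constructed for the example.

```python
"""Added example (not from the thread): gateway-side hold check for Flash
and PDF payloads. Decides from the bytes themselves, not from the label
the sender chose. All payloads in main() are constructed test data."""

from dataclasses import dataclass
from typing import Optional

PDF_MAGIC = b"%PDF-"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib, LZMA SWF
PDF_TYPE = "application/pdf"
SWF_TYPE = "application/x-shockwave-flash"
HELD_TYPES = frozenset({PDF_TYPE, SWF_TYPE})
HELD_EXTENSIONS = frozenset({"pdf", "swf"})
# PDF readers tolerate junk before the header, so scan a window
# instead of checking offset 0 only (window size is an assumption).
PDF_HEADER_WINDOW = 1024


@dataclass(frozen=True)
class Verdict:
    block: bool
    sniffed_type: Optional[str]
    reason: str


def sniff_type(payload: bytes) -> Optional[str]:
    """Return the held-back MIME type the bytes actually are, or None."""
    if payload[:3] in SWF_MAGICS:
        return SWF_TYPE
    if PDF_MAGIC in payload[:PDF_HEADER_WINDOW + len(PDF_MAGIC)]:
        return PDF_TYPE
    return None


def check_payload(payload: bytes, declared_type: str = "", filename: str = "") -> Verdict:
    """Hold anything whose bytes are Flash or PDF, whatever it was labelled,
    and also hold anything labelled as such whose bytes do not match
    (a mismatch is worth a human look rather than a pass)."""
    sniffed = sniff_type(payload)
    declared = declared_type.split(";", 1)[0].strip().lower()
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if sniffed is not None:
        if declared and declared != sniffed:
            return Verdict(True, sniffed, f"payload is {sniffed} but was declared as {declared}")
        return Verdict(True, sniffed, f"payload is {sniffed}")

    if declared in HELD_TYPES or ext in HELD_EXTENSIONS:
        return Verdict(True, None, f"declared as {declared or ext} but bytes do not match; hold for review")

    return Verdict(False, None, "not a held-back format")


def main() -> None:
    # Constructed samples: a plain PDF, a SWF disguised as a GIF, a real GIF,
    # a PDF with junk before its header, and a text file named like a PDF.
    samples = [
        (b"%PDF-1.4\n1 0 obj\n", "application/pdf", "q3-report.pdf"),
        (b"CWS\x0a\x00\x00\x00\x00", "image/gif", "cute.gif"),
        (b"GIF89a\x01\x00\x01\x00", "image/gif", "cute.gif"),
        (b"\r\n\r\n%PDF-1.5\n", "application/octet-stream", "blob.bin"),
        (b"hello world", "", "notes.pdf"),
    ]
    for payload, ctype, name in samples:
        v = check_payload(payload, ctype, name)
        print(f"{name:14} {'HOLD' if v.block else 'pass'}  {v.reason}")


if __name__ == "__main__":
    main()
```

The point of sniffing first is that the block decision does not depend on anything the sender controls by renaming; the label is only consulted to decide whether a non-matching file deserves a second look.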
It's against policy (written or unwritten) in a lot of shops to deploy beta software to users so intermediate patching wouldn't be kosher in a lot of places. It'd likely get you fired in a significant number of shops, especially in government, financial and medical industries where compliance with federal information security regulations is important.
It's usually not a preference for the IT "droid". At the beginning of my career (I'm a software engineer now), we just did what we were told to do by the boss after we informed him of a problem. I'm pretty sure it still works the same way, at least if you want to stay employed. I was actually in the software patching automation group. We deployed what we were told to. We could care less what it was we were shipping out as long as the package worked.
If we were handed an adobe update on tuesday, then another one on thursday, no one would have cared one iota that it was for the same product. We'd just push it out.
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
Most of us who are knowledgeable about programmatic structure, syntax, idiosyncrasies, faults, and exploits advised Adobe, either formally and directly through communique or informally and indirectly through public message boards, to patch their vulnerabilities about fifteen years ago.
One ring to rule them all? Patch one bug and patch them all? For #$*@'s sakes... you people have more code-holes than Ivory running 300 BAUD and a caller drop carrier with an immediate callback.
The only sane approach is to just assume (sane > CV_assume) that everything you do on modern day networks is compromised, intercepted, audited, and screened by someone with more money than you will ever even count.
KILL IT WITH FIRE.
Hail Eris, full of mischief...
E pluribus sanguinem
Doesn't this story get posted every week? Why not just make it a permanent item on the /. home page?
I presume that this vulnerability does not affect Preview on the Mac? Is that a correct assumption?
--- What?
Yep, i agree, there is no real liability or accountability in this field right now, except for the airlines, they also use in house development though....but all in all if we even came close to what the car or plane industry goes through to make sure no problems arise BEFORE selling the product, we also would have maybe 1/100th of the apps out there available to us....of which windows would not be part of, neither adobe products
When I said "bad that it's so often" it's because it's a reflection of how many holes their software is riddled with. Yes, getting fixes out is a good thing. Not having any holes is even better. With Adobe, these days, it seems every thing needs to be patched often.
Or you could just...this is a thought, just throwing it out there...use Foxit with SandboxIE and call it a day. Or if you would prefer even more protection run Comodo AV or Internet Security and have EVERYTHING sandboxed. And that is of course if you are running on an older Windows, as Vista and 7 already do file and registry virtualization.
It really isn't hard to isolate programs anymore, or set up a machine so all but the most determined idiots can't hose it. I have my customers as well as my family on a combo of Comodo+Firefox with ABP+Foxit and frankly I can't remember the last time I had to clean a bug from one of those machines. Short of them ignoring the AV and saying "Yes, I'd like a bug, please install it!" they really have nothing to worry about. Just have everything set to autoupdate, along with an easy to setup program like Winutilities Free to automate registry and broken shortcut cleaning and defragging and the machine is as close to an appliance as one can get. It takes me less than a half hour and then I don't have to mess with it ever again.
So banning flash really is a case of chopping off your head to get rid of a headache. The users will scream bloody murder when their Farmville and videos don't work, and frankly it is unnecessary. You can even set up Filehippo update checker so all their third party programs are updated regularly as well. It really ain't hard AC.
ACs don't waste your time replying, your posts are never seen by me.
You have just illustrated why people badmouth IT.
Do you realise that a lot of information that people need to do their jobs comes as PDFs? Broker's research (especially when emailed to clients), regulations for particular industries, all kinds of other stuff.
Flash is not often critical, but I am sure there are examples out there.
You are doing what is easy rather than doing it right. Have you considered installing a different PDF reader? Even different Flash players (if what your users need will work with them)? What about providing a few kiosk machines that are regularly wiped (if nothing else works)? If it's going to take time to roll out solutions, have you thought about how to give priority to the people who needed it most?
Could the next patched version of Flash 10.x have a 64 bit Debug Version also? Thanks in advance.
This is another pet rock idea in the making..
The Commodore PET made a pretty good rock. If you could lift it.
LOAD "SPACE INVADERS",1
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
If the beta is properly disclosed as such, and is given the standard pack of disclaimers and warnings against premature use, then what business does it have getting bad publicity?
YHBT etc, but that is an interesting point. Your two examples are unrelated, but in a way Mr Narayen is right about crashes. If any application is able to 'crash' a whole computer, then the operating system has a problem. The OS should remain stable, regardless of what programs are executed. (Of course, the fact that an application is buggy means that it too is broken.)
If it's in you sig, it's in your post.
How is this even legal, given they are security updates? Plus, we now have to seek out the more obscure 'clean' update to prevent the Adobe Download Manager (DLM) from infecting our browsers. Adobe is really starting to feel like a virus.
A beta can give an indication of what the final product will look like.
http://www.adobe.com/support/security/bulletins/apsb10-26.html