Slashdot Mirror


Adobe To Push Emergency Fix For Flash Bug

Trailrunner7 writes "Adobe has moved up the release date for the patch for the critical bug in Adobe Flash Player revealed last week, and now plans to have an emergency fix ready on Thursday. The company still plans to patch Reader two weeks from now. The vulnerability in Flash also exists in Reader and researchers said last week that attackers had already begun exploiting the bug in Reader by the time that Adobe acknowledged the problem and published an advisory. At the time of the initial advisory, Adobe officials said they planned to release a patch for Flash on Nov. 9 and for Reader on Nov. 15."

23 of 78 comments

  1. Re:I have a question by Codename Dutchess · · Score: 2, Informative

    I would imagine that there is a certain amount of testing with any software patch that's released.

  2. Re:I have a question by WrongSizeGlass · · Score: 2, Funny

    I would imagine that there is a certain amount of testing with any software patch that's released.

    Exactly. They'd hate to introduce more bugs, security vulnerabilities, etc into their otherwise stable and secure product.

  3. Contradiction of terms by Andy Smith · · Score: 5, Funny

    "revealed last week"
    "emergency fix"
    "Thursday"

    1. Re:Contradiction of terms by boarder8925 · · Score: 3, Funny

      Adobe never could get the hang of Thursdays.

    2. Re:Contradiction of terms by MrEricSir · · Score: 4, Funny

      "Hello, 911, what's your emergency?"
      "I'm having a heart attack! Aaah, hurry!"
      "Okay, we can have someone over there by Thursday."
      "UUUGGGGYHH *thud*"

      --
      There's no -1 for "I don't get it."

  4. Re:I have a question by Yvan256 · · Score: 3, Funny

    Indeed. If patches carried the risk of having the programmers executed if it didn't go well, there would be no software bugs at all.

  5. Re:I have a question by llung · · Score: 3, Insightful

    And that testing is only as good as what it does test for. Really good QA is tough stuff and unfortunately, that level of expertise is often undervalued. Adobe has been pushing out lots of updates as of late. Good that they're doing it; bad that it's so often.

  6. Re:Don't care... by FranTaylor · · Score: 4, Insightful

    You are fucking stupid to have flash installed on any machine with ANY information in it.

    Yes those computers with no information stored in them would be much safer, if they could exist.

  7. Re:I have a question by MichaelKristopeit132 · · Score: 2, Insightful

    there would be no software at all....

  8. Re:I have a question by mcgrew · · Score: 3, Interesting

    Because letting your users risk getting rooted is worse than letting them take a risk on a beta release.

    No, your security doesn't matter to them a bit. But a risky beta release can give them bad publicity.

    Nobody gives a damn about your security but you. Especially not the proprietary software houses. FOSS, at least, uses their own systems, so they have a reason to worry about security.

    Anyway, this doesn't affect me (yet) because I'm using a different PDF reader (came with the distro) and haven't been able to get Flash working at all.

  9. Re:I have a question by FranTaylor · · Score: 2, Informative

    It's good that they are doing it so often.

    It must cost them a small fortune every time.

    Hopefully someone there who signs checks is getting tired of it all and is pushing for changes.

  10. Third party plugins & apps by savvysteve · · Score: 3, Insightful

    In my experience outdated third party plugins like flash, reader and even java seem to be the way a lot of the attacks are happening lately. I watched a fake antivirus load to my PC after it somehow launched adobe reader about a year ago. An outbreak of fake antiviruses on machines revealed the same outdated version of java loaded on those machines. Sadly the end users affected normally were pretty good about their surfing habits even though the job required a lot of research work. It isn't just windows updates to worry about anymore.

  11. Re:I have a question by afidel · · Score: 3, Interesting

    They are, there's a new from the ground up design for reader/acrobat pro coming sometime Q4. It's been in the works for a while but obviously being a new codebase it's going to require a ton of testing, and it hooks into products they've never hooked to before (Office 2010 for one) and all of that functionality needs to be tested as well.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.

  12. Flash forces McAfee on you by bubblegoose · · Score: 4, Informative

    The Flash updater annoyed me the last time I ran it. The last update I applied snuck some McAfee software on to my machine.

    The flash updater now has the checkbox checked by default for McAfee Security Scan Plus, and they moved the checkbox so you don't notice it when you are glancing at the installer.

    --
    I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey

    1. Re:Flash forces McAfee on you by Anonymous Coward · · Score: 2, Informative

      Click to download, DON'T accept their stupid "Download Assistant" and start clicking through the support pages...eventually you'll find the executables in the clear...

      http://kb2.adobe.com/cps/855/cpsid_85599.html

    2. Re:Flash forces McAfee on you by Tynin · · Score: 3, Informative

      The Flash updater annoyed me the last time I ran it. The last update I applied snuck some McAfee software on to my machine.

      Thank you greatly for posting this. On my workstation I had an Adobe Flash Updater pop up on me in the last week or 2, I let it run and do its thing. So, the next day at work I noticed McAfee Security Scan (or some such) on my computer, I thought it was strange and even double checked that the corporate mandated Symantec was still installed and running. I just chalked it up to some manager deciding to inflict the masses with another ill-conceived GPO push. I meant to question our helpdesk about it, but I glossed over it by the next day.

      They must have really snuck that checkbox in very well, I'm pretty diligent with my usual "is this software trying to push additional crapware on me" scan for checkboxes and didn't see it. I often expect them in pretty much everything these days (I'm looking at you Java), but I hadn't noticed the Flash Updater sneaking them in before.

  13. Re:I have a question by Swanktastic · · Score: 4, Funny

    It's well known that North Korea publishes the most secure Hello World program in the world.

  14. It is a complex system by Anonymous Coward · · Score: 3, Interesting

    A disclaimer: I'm not in any way associated with Adobe but I do teach courses on Flash (among other subjects).

    Flash is a much more complex system than many people realize. Lots of people (including lots of programmers) think of flash as only some small browser plugin that can be used for annoying banners and such. But really, flash is a large development environment (and rather interesting one at that). Object oriented programming language (ActionScript) is run in a full scale virtual machine (complete with garbage collectors and the like) and can be used to view multimedia, manipulate files... It is in many ways a lot like Java. Of course, there are also many people who think of annoying browser applets when they hear "Java" but I doubt I even need to explain why they're silly.

    There are three reasons why Flash has all the negative reputation that it has:

    1) The ugly history. For example, switch from AS2 to AS3 meant massive speed improvements (Adobe claims that Flash got ten times faster. I might not sign that number... But it got a LOT faster). However, though it happened several years ago, geeks are rather slow to change their stereotypes on this kind of issues. There have been a lot of other improvements like that so Flash is quite different from what it was a decade (or even half a decade) ago.

    2) It is used in ugly ways. We all know how annoying it is when websites have a dozen different flash elements (especially if you have 10 tabs open)... But that is an issue with webmasters using their tools to create poor sites, not with the tools themselves. It could reasonably be argued that Adobe should give end user more control to protect them from the dickish developers (easier mute, etc.) but I don't think that even that is a given. People who program in C can create applications that are impossible to mute (except at OS level). People who program in Java can create applications that are impossible to mute (except at OS level). We don't say "C sucks" or "Java sucks" because of that, we say "The developer was an idiot. I'll just close this application, then.".

    3) It is too easy to create (crappy) applications. I think that Java also suffers (or, at least used to suffer) from this. It is easy to create something that seems like it works, even though it is a horrible mess in the background. So... There are a lot of people who could never produce anything in more demanding languages (like C++) but can create something in Flash. Because of that, many people who create flash applications don't have any background in software engineering, computer science, etc. and that is reflected in the end result.

    I consider flash to be where Java was some years ago. A decent concept and a decent virtual machine, though the API is still somewhat messy and too many people still associate it with slow and annoying browser applications. It might well be that Flash will die soon but I also wouldn't be shocked if Adobe would manage to conquer new areas and we would see a second era of Flash.

  15. Where do I click .. by viralMeme · · Score: 2, Informative

    Where do I click to get 'infected', besides there is no authplay.dll on my computer.

    "A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX"

    Shockwave Flash 10.1 on Ubuntu 10.10 ..

  16. Re:I have a question by rgviza · · Score: 4, Insightful

    These are not the droids you're looking for.

    On a serious note, why badmouth IT people just because adobe's products are broken?

    Personally I'd be simply dumping flash and pdfs, at the proxy/email servers, til adobe fixes their software. Send out note to entire company: Due to extreme security risk in adobe's products we must block flash and pdf content in web pages and email until further notice.

    It's against policy (written or unwritten) in a lot of shops to deploy beta software to users so intermediate patching wouldn't be kosher in a lot of places. It'd likely get you fired in a significant number of shops, especially in government, financial and medical industries where compliance with federal information security regulations is important.

    It's usually not a preference for the IT "droid". At the beginning of my career (I'm a software engineer now), we just did what we were told to do by the boss after we informed him of a problem. I'm pretty sure it still works the same way, at least if you want to stay employed. I was actually in the software patching automation group. We deployed what we were told to. We could care less what it was we were shipping out as long as the package worked.

    If we were handed an adobe update on tuesday, then another one on thursday, no one would have cared one iota that it was for the same product. We'd just push it out.

    --
    Don't kid yourself. It's the size of the regexp AND how you use it that counts.

  17. Re:flash update by zonky · · Score: 2, Insightful

    What makes you think reader 8 is any better, security-wise? It's just unsupported.

  18. Belated by HomelessInLaJolla · · Score: 2, Interesting

    Most of us who are knowledgeable about programmatic structure, syntax, idiosyncrasies, faults, and exploits advised Adobe, either formally and directly through communique or informally and indirectly through public message boards, to patch their vulnerabilities about fifteen years ago.

    One ring to rule them all? Patch one bug and patch them all? For #$*@'s sakes... you people have more code-holes than Ivory running 300 BAUD and a caller drop carrier with an immediate callback.

    The only sane approach is to just assume (sane > CV_assume) that everything you do on modern day networks is compromised, intercepted, audited, and screened by someone with more money than you will ever even count.

    --
    the NPG electrode was replaced with carbon blac

  19. Amen by ThatsNotPudding · · Score: 2, Insightful

    How is this even legal, given they are security updates? Plus, we now have to seek out the more obscure 'clean' update to prevent the Adobe Download Manager (DLM) from infecting our browsers. Adobe is really starting to feel like a virus.