New Adobe Flash 0-Day
Trailrunner7 writes "Adobe is warning its users about a critical vulnerability in Flash that affects Adobe Reader and Acrobat, as well, and is being used in some highly targeted attacks right now. The vulnerability in Flash Player affects Reader and Acrobat, both of which include Flash functionality, but it does not affect Reader X. Adobe officials said that Reader X's Protected Mode sandbox would prevent successful exploits. The company plans to have a patch for the affected products ready by next week for all platforms, including Windows, Mac, Linux, Android and Solaris."
Secure OS's are only as good as the software running on it.
Good luck leaving userland from a flash plug-in, unless you are dumb and run everything from root.
I re-installed Windows and cleared up the infestation last year. Not a particularly happy episode.
A feeling of having made the same mistake before: Deja Foobar
What the hell for? Fucking Adobe.
There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.
During testing, the particular exploit was not able to run successfully on Windows 7. It did work on Windows XP.
Careful. This guy probably has no idea what "root" is.
for those of you who want to check which version you have and which is the latest:
http://www.adobe.com/software/flash/about/
The world is made by those who show up for the job.
Only the strawman that whispers in your ear.
The attack vector is an Excel spreadsheet delivered via an attachment that contains a swf file that has this vulnerability. Looks like it is not a drive by download. Not sure if the streamed flash videos have the vulnerability. It does not affect Win7. Affects XP. If it is leveraging some specific bug in Excel and then a bug in flash, it is very specific to that combination. XP+Excel+Adobe. The rest of us can rest easy and enjoy a little bit of schadenfreude.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Yeah, because local privilege escalation exploits in Linux are just so rare...
Hey, don't you know? Real men run as root.
I'll be honest, we're throwing science against the wall to see what sticks. -Cave Johnson
Adobe is copying Apple from ten years ago by naming the product that comes after 9, 'X'. One key difference: Acrobat X does not run on Apple computers.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
First, it only infected Windows running exploited Flash. Now it's going after Acrobat and other platforms. Soon, it will reboot your PC and install an entire Flash based virus as its own OS from an infected MBR. Together, they will all form a botnet, a dark cloud if you will. It shall be named, SKYNET!
On a full desktop distro that's probably the easiest part.
Seriously, get FoxIt PDF reader. It's free, and approximately 5 million times faster than Adobe Reader.
Secure OS's are only as good as the software running on it without administrator privileges.
There, fixed it for ya.
Reader 8 and 9 were tolerable, but Reader X seems like less of a reader app and more of a bloated advertisement for Adobe's other products. I suppose my machines will remain vulnerable but usable.
Sent from my iPhone
The payload might only be leveraging a specific bug in XP, but what's to say that a different payload couldn't be delivered through the same attack vector? One that targets other versions of Windows, even other operating systems altogether?
I am totally sick and tired of the constant wave of security bugs in these products. How hard can it really be after all these years to render compressed postscript without all of the underlying nonsense?
The rest of us can rest easy and enjoy a little bit of schadenfreude.
I'm sorry, I can't even pronounce that. I'd like a Kahlúa please.
Faster! Faster! Faster would be better!
Foxit is much slower than Acrobat at loading -> displaying a PDF. Foxit is slow, period exclamation mark
I still use it anyway now since I don't get to PDFs all the time like I used to. Acrobat shows immediately what takes Foxit several seconds, even small, simple PDFs.
What does that have to do with anything? Do you think that malware can't do bad things unless it gets root?
How can it be a 0 day attack when Acrobat takes 2 days to start?
There's no -1 for "I don't get it."
This story was on Engadget this morning. Slashdot was at one point the place you went for nerd news. Now they are regularly posting stories that are days old as top news.
I had no end of problems using "other PDF" readers when I print postage from USPS.COM (yeah, I sells stuff on and off on fleaBay) This is not to say that I am a fan of Adobe, but with some things, there's just no substitute.
ELOI, ELOI, LAMA SABACHTHANI!?
Secure OS's are only as good as the software running on it without administrator privileges.
There, fixed it for ya.
So if I understand correctly...
Protect the operating system at all costs... but pay no attention to what really matters ... YOUR DATA.
TFA says DEP is the reason it doesn't work on Win7, so doesn't that mean 32-bit Win7 is still affected?
The same could be said about Windows now. Since Vista, it's been highly discouraged to run as root. Also you can do quite a bit of damage from userland.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Hey, don't you know? Real men run as root.
I just laughed for the first time today.
Most exploits are written as an attempt to get root/admin or affect system settings. In my testing of adobe exploits (not this one, but previous ones) I noticed that if I ran as a limited user the exploits don't usually work. If I run as admin with UAC running, the UAC never comes up and the exploit works. UAC + admin is not the same as running as a limited user.
Yes, you're right about malware running in userspace and that's a real problem with this approach, but running as limited gives some benefits that are not obvious. Arguably, AV and smart computer usage makes up for the rest. This Excel file seems to already be in all the major virus definitions.
Someone said no exploits for Mac and Linux, huh?
Speaking of which, this pretty much means that every PowerPC Mac ever made has to be thrown in the scrap heap, doesn't it? Because Adobe has stopped updating Flash for PowerPC, which means it will be vulnerable forever. So unless you want to give up Hulu, YouTube and half the internet, they're pretty much doorstops now. Or pretty Linux home servers.
I wonder if anybody wants to buy a G4 PowerBook? It's faster than a lot of the Atom netbooks they're still selling.
Wow, I guess it's no longer safe to open up Excel file email attachments from strangers.
Agreed. Local privilege escalation exploits are a dime a dozen on desktop Linux distributions (especially those that install the full Gnome suite). Surprisingly enough, Ubuntu is one of the better distributions in this regard because it ships with reasonably decent AppArmor profiles.
I wanted to read up on djvu but I went to the site and they didn't have the info posted in a PDF file, so I skipped it. ;)
Seriously though, why isn't it more popular? Easy. It's for the same reasons opendoc isn't popular yet:
* like MS Office, Adobe Reader is already entrenched
* Commerce has largely standardised on PDF
* PDF is basically encapsulated postscript, which makes it ideal for proofing work that is going to press
Also, PDF is an open standard, and you can choose from a number of readers and print filters to generate the files in the first place. Why abandon one open press and printer-compatible format for a new open format that enjoys very little support, where you have to explain to everyone where to download the software to open it, and the current reader offerings are free to begin with (both free as in beer and free as in speech options are available)?
So, you're moving from an established corporate-originated (Adobe) "free/open" to corporate-originated (AT&T) "free/open" format, except the new format has less support and the file sizes are much larger. Where is the benefit again?
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
but it's a great word.
I say it sha-den-froid-ah (but am likely wrong).
Someone said no exploits for Mac and Linux, huh?
I've also heard rumors that zero Windows ME users are getting infected. Just sayin...
Someone said no exploits for Mac and Linux, huh?
Thus, the iPad is the only truly secure platform. Yet another example of the superiority of the walled garden!
So, you have to open up a pdf with one hand, unplug your power cord with the other, curl your left big toe, dial 911 with your right pinkie toe, open up excel, type "meow" into row 3, column 204, then hit ctl+space+enter? damn!
- Fun & Work : http://thegearjunkie.com
Most malware doesn't give a fuck about your data, it simply wants to send spam and connect you into a botnet.
If you are considering "upgrading" to Reader X for safety, be aware that the installer does not contain an IFilter for extracting text from PDF files, so desktop search products relying on the IFilter will no longer be able to search your PDF files. Actually, it's worse than that. Not only does it lack an IFilter, it will remove the IFilter installed by older versions. More details here.
Good luck leaving userland from a flash plug-in, unless you are dumb and run everything from root.
'Cause none of your important files are in userland?
This is why I hate so many websites that use Flash. Why put all your eggs in one basket, so that when again another Flash 0-day comes out, you're like... wtf... do we really need to be stuck with proprietary software that is useless when it comes to security... all in the hopes of achieving greater visual effects for your site... at least offer a flashless option to view the site... so many suffer from the fact that if you have no Flash installed, you cannot continue, but this means it hurts them more in the end than the end user, who will go to a competitor website without Flash to do the same thing.
Gosh, I am so glad that shit won't run on my phone or tablet. Flash is an exploit all on its own.
Article reports: "There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment"
*BOGGLE* If that sort of functionality is even possible, then it was just an accident waiting to happen.
"If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
Is that so bad? Perhaps what we need is an OS (maybe a meta-OS) which can ensure that exploits only use a limited percentage of your resources. Then everybody will be happy.
All of which can be done from a user account, even if it is only limited to when the user is logged in.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Kraft durch Schadenfreude.
Hail Eris, full of mischief...
E pluribus sanguinem
Exactly and I would argue the next big malware attacks most likely will simply ignore trying to get root as new features like ASLR and DEP make it harder to use the old tricks like buffer overflows.
And the simple fact is to do most of the stuff your average malware writers want to do (send spam, steal data, etc) it isn't even needed. See this example of how to write a Linux virus in 5 easy steps with no need for root, just good old social engineering like we see every day, and it will autorun, send spam, do anything the malware writer wants to do.
So I would argue the reason we saw so many viruses running as root before was because it was easy to obtain root and now that that is not the case malware in the future simply won't bother and will instead do its damage from userland.
ACs don't waste your time replying, your posts are never seen by me.
And who are they after?
the description made me twitch a bit too.
next step i guess is to e-mail xp vmware images running internet explorer iframing excel using flash embedding a pdf
Absolutely.
The main benefit to running as root/system/administrator is that it makes it easier to hide. It's much harder for a process to hide from antimalware tools (which are running as root/system/administrator) if that process is running with lower privileges. For Macs and Linux, it's almost completely irrelevant--so few people run antimalware tools on those platforms that the difference between malware with and without root is inconsequential.
I also found the PDF readers were better than the djvu readers I found. Probably has to do with like you said, PDF being around longer.
-]Phreak Out[-
shaw den froy duh (lightly roll the "r" in froy for some extra authenticity)
German for "bad pleasure", means taking pleasure at the misfortune of others.
In related news, SumatraPDF, the primary open-source PDF viewer for Windows, just had its 1.4 release a couple of days ago. In the course of the past ~6 months they've added GDI support so documents can print quickly (rather than sending huge bitmaps to printers), improved performance in all sorts of ways (notably including much-faster zooming and searching), and quashed lots of bugs. They've also added a browser plugin and a Windows Search filter (both optional). So even if you've tried it in the past and it didn't meet your needs, it's likely worth trying again.
Outside of multimedia (e.g. Flash) and JS- both of which I've never seen used in a PDF for anything other than an exploit- the only thing Sumatra lacks at this point, AFAIK, is the ability to work well with forms.
I don't need to leave userland, I'm more than happy messing around in your documents. Sincerely, Flash 0-day.
I'm Rocco. I'm the +5 Funny man.
WinXP + MS Excel + Acrobat is probably the single most common configuration on the planet, no?
LOL, yeah there are, provided that you use binary stuff like Adobe Flash Player, etc.
Then you also have open source substitutions...
Remember, it's not that those platforms are invulnerable, but at least with Linux 95% of users won't go down with one type of attack as with one of those OS's that you troll for.
Linux fan club will pretty much confirm my statement above, after all there were no precedents of that. And btw, a lot of stuff that is vulnerable in the same cross-platform plugin cannot simply be exploited on Mac and Linux platforms!
Flash is archaic and should be on its way out. Advertisers are wasting a lot of money on Flash as they're missing a huge market share (iOS devices). HTML5 does anything Flash can do... but better and is openly supported cross platform. Even Google got the smack down when they tried to nix HTML5 out of Chrome as it got patched by Microsoft to support it.
Just upgrade to a decent browser, YouTube supports HTML5 video.
As a workaround, Flashblock could help, but it's now possible to survive without Flash completely.
I've also heard rumors that zero Windows ME users are getting infected.
Apparently, having to run System Restore every hour also wipes out viruses.
Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
Seriously, this is front page news? How many bugs do Windows, Linux and OS X have? How many bugs do IE, Firefox, Chrome, Safari have? Who really gets this up in arms about a PDF bug... Apple fanboys, that's who. http://www.computerworld.com/s/article/9197184/Apple_patches_critical_drive_by_Safari_bugs
Considering their track record, Adobe would have to release something that DIDN'T have gaping security holes for it to actually count as "news".
"Adobe software exploit-ridden" is about as novel as "New Pope is Catholic".
Unless it's a multiuser system. In that case YOUR DATA may be toast but everybody else's will be fine.
No sig
Who said that?
Genuinely, who said that?
[citation needed]
There are plenty of documented exploits that have been fixed on both platforms. The only people who claim that Platform A's fans claim that there are "no exploits" are people who hate Platform A and believe everyone should use Platform B.
Everyone else is aware that no OS is safe. Well, except the users of BeOS. Both of them said they were pretty safe.
Doesn't an exploit still need to be coded for each platform specifically? If so, then it's unlikely that anyone that's writing a flash exploit would bother trying to write one for the lesser-used platforms.
Because .PDF is the new ASCII, and DjVu isn't.
I'm willing to gamble that when I want to open a .PDF document 30 years from now, it's not going to be a problem on whatever platform I'm using at the time. But if my data was saved in some nonstandard but "optimized" format like DjVu, it will effectively be gone forever.
Replacing one file format with another is not the solution, because the file format itself is not the problem. Piss-poor engineering practices at Adobe are the problem.
That is genuinely untrue. Just last month, I was talking to a friend who was shifting his home studio from Windows to OSX (not as expensive as some might claim - he had made sure all of his software was dual-licensed before he bought anything, and all of his studio hardware still worked with the Mac.) He was upgrading anyway, because his PC was old enough not to be able to handle some of the work he was doing. I asked why he was switching to Mac, and the reason he gave was that "On the mac, I don't ever have to worry about security." That was the main "selling point" that was making him switch. No longer caring about security. He's not the only person I've talked to that either considered going Mac for that reason, or did. This is not to say that there aren't security-conscious Mac users, or Windows users who don't care about security at all - just anecdotal evidence that - especially among creative professionals, rather than IT professionals, or even perhaps general users, there is a perceived benefit to "not having to care about security, not running a firewall, not having to run antivirus" in terms of performance (which isn't entirely untrue - having very limited security can be helpful for performance) - combined with the notion that MacOS is invulnerable, because there are "no exploits for OSX."
Apple stopped supporting PowerPC Macs years ago, and has patched *more* security holes in the OS since then than have been reported in Flash.
Seems to me, if any other type of business that produces goods, had as many bugs and other crap as the adobe reader has had, wouldn't they be given large fines and other crap and not allowed to put products out until they fix it?
While I surf safe (even with the large amount of pirated/cracked/copyrighted stuff I download), I don't get hit with virus/trojans/worms/whatever. Yet, my family, friends don't have the talent, or brains to be online like I do. Update their Flash player? Doubt it. Update Acrobat? Probably not. Do they use the Firefox & Foxit that I put on their computers? Nope.
Seems to me a class action lawsuit against software companies that have a track record of buggy/exploitable software is what is needed.
Oh wait, 'cept the fucking lawyers will win. damn.
Be seeing you...
Apple stopped supporting PowerPC Macs years ago, and has patched *more* security holes in the OS since then than have been reported in Flash.
Leopard was the last version of OS X to run on PowerPC. This is a security update for Leopard published last week.
That's the most idiotic statement I've read in a while. By that logic OS security only matters if you intend on not running any software.
No wonder I never get any + Funny mods anymore. People think I'm serious.
Sigh.
Faster! Faster! Faster would be better!
Excel supports OLE, and has since the 90s. Note that it's not actually putting the reader or any other directly executable code in the spreadsheet, but it can contain a reference saying "I have a SWF object that I'd like to render here" and the OS will load whatever it has that renders those.
There's no place I could be, since I've found Serenity...
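The embedding described in the comment above (an .xls OLE container that references a SWF object) is something a mail gateway or analyst can look for. This is an added example, not part of the original thread: a heuristic Python scanner that checks the OLE compound-file magic and searches for plausible SWF headers. The function names, the version bound and the sample bytes are assumptions constructed for illustration.

```python
import struct
import zlib
from collections import namedtuple

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary header (.xls, .doc, ...)
SWF_SIGS = (b"FWS", b"CWS")                    # uncompressed / zlib-compressed SWF
MAX_SWF_VERSION = 60                           # assumption: generous upper bound

SwfHit = namedtuple("SwfHit", "offset signature version declared_length")


def is_ole_container(data):
    """True if the buffer starts with the OLE compound-file magic."""
    return data[:8] == OLE_MAGIC


def _plausible_swf(data, off):
    """Validate a candidate SWF header at `off`; return SwfHit or None."""
    if off + 8 > len(data):
        return None
    sig = data[off:off + 3]
    version = data[off + 3]
    declared = struct.unpack_from("<I", data, off + 4)[0]  # uncompressed length
    if not 1 <= version <= MAX_SWF_VERSION or declared <= 8:
        return None
    if sig == b"FWS":
        # An uncompressed movie cannot be longer than the file carrying it.
        if declared > len(data):
            return None
    else:
        # CWS: bytes after the 8-byte header must be a valid zlib stream.
        try:
            out = zlib.decompressobj().decompress(data[off + 8:off + 8 + 4096], 64)
        except zlib.error:
            return None
        if not out:
            return None
    return SwfHit(off, sig.decode("ascii"), version, declared)


def find_embedded_swf(data):
    """Raw byte scan for SWF headers. Heuristic: a movie split across
    non-contiguous OLE sectors is still found by its header, but the
    payload cannot be carved without parsing the sector chain."""
    hits = []
    for sig in SWF_SIGS:
        start = 0
        while (off := data.find(sig, start)) != -1:
            hit = _plausible_swf(data, off)
            if hit:
                hits.append(hit)
            start = off + 1
    return sorted(hits)


def build_sample():
    """Constructed test buffer: OLE magic, two decoy strings, one CWS movie."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00" + b"\x00\x0c\x01\x00\x00\x00"
    swf = b"CWS\x0a" + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    decoy = b"FWS\x00" + b"\x00" * 4 + b"CWS\x0a" + struct.pack("<I", 64) + b"\x00" * 8
    return OLE_MAGIC + b"\x00" * 504 + decoy + b"\x00" * 16 + swf + b"\x00" * 32


if __name__ == "__main__":
    sample = build_sample()
    print("OLE container:", is_ole_container(sample))
    for hit in find_embedded_swf(sample):
        print(hit)
```

A hit inside an Office attachment is a reason to quarantine and inspect it, not proof of an exploit; legitimate documents can embed Flash content too.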
Nobody mentioned Evince? It makes a good, open-source alternative to Adobe PDF reader on Windows.
Adobe tells me that I'm running version 10.3.180.42. Or rather, mostly *blocking* version 10.3.180.42 with ClickTo Flash in 64 bit Safari.
Adobe is copying Apple from ten years ago by naming the product that comes after 9, 'X'. One key difference: Acrobat X does not run on Apple computers.
Where do you get your misinformation? Reader X runs just fine on my MacBook Pro with Snow Leopard.
How about a 0-flash day? That should be much better for the community.
It makes you wonder if my netbook (XP, limited user) is more secure than my notebook (Vista, UAC). Both have Microsoft Security Essentials and Secunia PSI.
Sadly PSI doesn't complain about Flash being insecure even though I only have 10.2.152.26, even though that's what it is installed for.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
The usual "Ragging on Flash" roundup rolling in.
Let's look at the facts:
1) Flash is by far the most ubiquitous end-user platform in existence.
2) For a little more than a decade competitors have tried to dethrone Flash. And even the most promising of those failed miserably due to pure and utter incompetence in delivering what people want and rich client developers need. (Java Media Framework and JavaFX anyone?)
3) Compared to its penetration and availability, Flash actually is one of the safest platforms out there. Which is why it's so popular. Duh. Or are you telling me that Firefox would have less security problems if it had a 97.5% worldwide install base? ... Didn't think so. And that 97.5% is a conservative estimate for Flash, btw.
So all of you know-all Flash bashers STFU and come up with a viable FOSS alternative. And no, this isn't an alternative. It's a joke, emphasising that the GNU frontline fighters for freedom are good at building compilers, maintaining ancient editors and doing evangelism, but totally suck at delivering anything usable that tend to computing with a mouse and a GUI.
Bottom line:
How about you guys stop living in your dreamworld and start thinking about what makes Flash so popular and what it would actually take to build a competitor that doesn't fall flat on its face. Then you'd probably notice that there actually still is quite a bit of work to be done in the field before FOSS can catch up.
We suffer more in our imagination than in reality. - Seneca
cool, this is now moderated as flamebait :p