New Adobe Flash 0-Day
Trailrunner7 writes "Adobe is warning its users about a critical vulnerability in Flash that affects Adobe Reader and Acrobat, as well, and is being used in some highly targeted attacks right now. The vulnerability in Flash Player affects Reader and Acrobat, both of which include Flash functionality, but it does not affect Reader X. Adobe officials said that Reader X's Protected Mode sandbox would prevent successful exploits. The company plans to have a patch for the affected products ready by next week for all platforms, including Windows, Mac, Linux, Android and Solaris."
Someone said no exploits for Mac and Linux, huh?
I re-installed Windows and cleared up the infestation last year. Not a particularly happy episode.
A feeling of having made the same mistake before: Deja Foobar
What the hell for? Fucking Adobe.
There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.
During testing, the particular exploit was not able to run successfully on Windows 7. It did work on Windows XP.
For those of you who want to check which version you have and which is the latest:
http://www.adobe.com/software/flash/about/
The world is made by those who show up for the job.
The attack vector is an Excel spreadsheet delivered via an attachment that contains a swf file that has this vulnerability. Looks like it is not a drive by download. Not sure if the streamed flash videos have the vulnerability. It does not affect Win7. Affects XP. If it is leveraging some specific bug in Excel and then a bug in Flash, it is very specific to that combination. XP+Excel+Adobe. The rest of us can rest easy and enjoy a little bit of schadenfreude.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Adobe is copying Apple from ten years ago by naming the product that comes after 9, 'X'. One key difference: Acrobat X does not run on Apple computers.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
First, it only infected Windows running exploited Flash. Now it's going after Acrobat and other platforms. Soon, it will reboot your PC and install an entire Flash based virus as its own OS from an infected MBR. Together, they will all form a botnet, a dark cloud if you will. It shall be named, SKYNET!
Seriously, get FoxIt PDF reader. It's free, and approximately 5 million times faster than Adobe Reader.
then there's still time. we could spend it a little better, in case it speeds up, or goes away, before we're done.
intentionally, there's time, and a time-out 'room' for out-of-control grownups to think/feel something/anything, thanks;
1. DEWEAPONIZATION (not a real word, but they like it) almost nothing else good happens until some progress here, 'they' say.
2. ALL BABIES CREATED/TO BE TREATED, EQUALLY. (a rough interpretation (probably cost us. seems like a no-brainer but they expressed that we fail on that one too(:)->) 'we do not need any $300 'strollers', or even to ride in your smelly cars/planes etc..., until such time as ALL of the creators' innocents have at least food, shelter, & some loving folks nearby.' again, this is a deal breaker, so pay attention.
3. THOU SHALT NOT VACCINATE IRRESPONSIBLY. this appears to be a stop-gap intention.
the genuine feelings expressed included; in addition to the lack of acknowledgment of the advances/evolution of our tiny bodies/dna (including consciousness & intellect), almost nobody knows anymore what's in those things (vaccines) (or they'd tell us), & there's rumor much of it is less than good (possibly fatal) for ANY of us. if it were good for us we'd be gravitating towards it, instead of it being shoved in our little veins, wrecking them, & adversely affecting our improving immune systems/dna/development? at Rite-Aid, they give the mommies $100 if they let them stick their babies with whoknowswhat? i can see why they're (the little ones) extremely suspicious? many, oddly? have fading inclinations to want to be reporters of nefarious life threatening processes, ie. 'conspiracies', as they sincerely believe that's 'stuff that REALLY matters', but they KNOW that things are going to be out in the open soon, so they intend to put their ever increasing consciousness, intellect, acute/astute senses & information gathering abilities, to the care & feeding of their fellow humans. no secrets to cover up with that goal.
4. AN END TO MANUFACTURED 'WEATHER'.
sort of like a no-(aerosol tankers)-fly zone being imposed over the whole planet. the thinking is, the planet will continue to repair itself, even if we stop pretending that it's ok/nothing's happening. after the weather manipulation is stopped (& it will be) it could get extremely warm/cold/blustery some days. many of us will be moving inland..., but we'll (most of us anyway) be ok, so long as we keep our heads up. conversely, the manufactured 'weather' puts us in a state of 'theater' that allows US to think that we needn't modify our megaslothian heritage of excessiveness/disregard for ourselves, others, what's left of our environment etc...? all research indicates that spraying chemicals in the sky is 100% detrimental to our/planet's well being (or they'd talk to US about it?). as for weather 'extremes', we certainly appear to be in a bleeding rash of same, as well as all that bogus seismic activity, which throws our advanced tiny baby magnets & chromosomes into crisis/escape mode, so that's working? we're a group whose senses are more available to us (like monkeys?) partly because we're not yet totally distracted by the foibles of man'kind' (including; eugenics, weapons peddlers, fake 'weather', media hoopla etc..). the other 'part' is truly amazing. we saw nuclear war being touted on PBS as an environmental repair tool (?depopulation? (makes the babies' 'accountants' see dark red:-(-? yikes. so what gives? thanks for your patience & understanding while we learn to express our intentions. everybody has some. let us know. come to some of our million baby play-dates. no big hurry? catch your breath. we'll wait a bit more. thanks.
do the math. check out YOUR dna/intention potential. thanks again.
Reader 8 and 9 were tolerable, but Reader X seems like less of a reader app and more of a bloated advertisement for Adobe's other products. I suppose my machines will remain vulnerable but usable.
Sent from my iPhone
The payload might only be leveraging a specific bug in XP, but what's to say that a different payload couldn't be delivered through the same attack vector? One that targets other versions of Windows, even other operating systems altogether?
I am totally sick and tired of the constant wave of security bugs in these products. How hard can it really be after all these years to render compressed postscript without all of the underlying nonsense?
The rest of us can rest easy and enjoy a little bit of schadenfreude.
I'm sorry, I can't even pronounce that. I'd like a Kahlúa please.
Faster! Faster! Faster would be better!
Foxit is much slower than Acrobat at loading -> displaying a PDF. Foxit is slow, period exclamation mark
I still use it anyway now since I don't get to PDFs all the time like I used to. Acrobat shows immediately what takes Foxit several seconds, even small, simple PDFs.
How can it be a 0 day attack when Acrobat takes 2 days to start?
There's no -1 for "I don't get it."
This story was on Engadget this morning. Slashdot was at one point the place you went for nerd news. Now they are regularly posting stories that are days old as top news.
I had no end of problems using "other PDF" readers when I print postage from USPS.COM (yeah, I sells stuff on and off on fleaBay) This is not to say that I am a fan of Adobe, but with some things, there's just no substitute.
ELOI, ELOI, LAMA SABACHTHANI!?
http://djvu.sourceforge.net/
http://djvu.org/
It even looks better on screen compared to PDF and it's open source.
TFA says DEP is the reason it doesn't work on Win7, so doesn't that mean 32-bit Win7 is still affected?
Wow, I guess it's no longer safe to open up Excel file email attachments from strangers.
but it's a great word.
I say it sha-den-froid-ah (but am likely wrong).
Someone said no exploits for Mac and Linux, huh?
Thus, the iPad is the only truly secure platform. Yet another example of the superiority of the walled garden!
So, you have to open up a pdf with one hand, unplug your power cord with the other, curl your left big toe, dial 911 with your right pinkie toe, open up excel, type "meow" into row 3, column 204, then hit ctl+space+enter? damn!
- Fun & Work : http://thegearjunkie.com
If you are considering "upgrading" to Reader X for safety, be aware that the installer does not contain an IFilter for extracting text from PDF files, so desktop search products relying on the IFilter will no longer be able to search your PDF files. Actually, it's worse than that. Not only does it lack an IFilter, it will remove the IFilter installed by older versions. More details here.
This is why I hate so many websites that use Flash. Why put all your eggs in one basket, so that when yet another Flash 0-day comes out, you're like... wtf... do we really need to be stuck to proprietary software that is useless when it comes to security... all in the hopes of achieving greater visual effects for your site... at least offer a flashless option to view the site... so many suffer from the fact that if you have no Flash installed, you cannot continue, but this means it hurts them more in the end than the end user who will go to a competitor website without Flash to do the same thing.
Gosh, I am so glad that shit won't run on my phone or tablet. Flash is an exploit all on its own.
first of all, it's not a real word, like depopulation IS? next, if it were such a good idea, our uncle sam.gov would promote it for us? finally, (& it sort of looks that way from the babies et al, grounded viewpoint ) it's only rumors that the babies et al rule now, & that stopping running weapons 24/7 would add to our life cycles? the 'math' used has been challenged by the invisible authors of the georgia stone, so that's it? ALL MOMMIES, GET YOUR BUTTS TO THE MIDDLE EAST, JAPAN, DC, LA, GA, NY, FL ETC.... WE'VE HAD IT. WE'RE DYING HERE. they hesitated to use theatrical terms due to the stuff that matters topic of the next story, but they are feeling extremely overextended (even for the advanced lifeforms they are), &/or almost dead. most of us would be a little cranky/colicky in their situation? help's on the way?
good thing they're still little/waiting to applaud us?
Article reports: "There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment"
*BOGGLE* If that sort of functionality is even possible, then it was just an accident waiting to happen.
"If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
Kraft durch Schadenfreude.
Hail Eris, full of mischief...
E pluribus sanguinem
And who are they after?
the description made me twitch a bit too.
next step i guess is to e-mail xp vmware images running internet explorer iframing excel using flash embedding a pdf
shaw den froy duh (lightly roll the "r" in froy for some extra authenticity)
German for "bad pleasure", means taking pleasure at the misfortune of others.
In related news, SumatraPDF, the primary open-source PDF viewer for Windows, just had its 1.4 release a couple of days ago. In the course of the past ~6 months they've added GDI support so documents can print quickly (rather than sending huge bitmaps to printers), improved performance in all sorts of ways (notably including much-faster zooming and searching), and quashed lots of bugs. They've also added a browser plugin and a Windows Search filter (both optional). So even if you've tried it in the past and it didn't meet your needs, it's likely worth trying again.
Outside of multimedia (e.g. Flash) and JS- both of which I've never seen used in a PDF for anything other than an exploit- the only thing Sumatra lacks at this point, AFAIK, is the ability to work well with forms.
WinXP + MS Excel + Acrobat is probably the single most common configuration on the planet, no?
Flash is archaic and should be on its way out. Advertisers are wasting a lot of money on Flash as they're missing a huge market share (iOS devices). HTML5 does anything Flash can do... but better, and is openly supported cross platform. Even Google got the smack down when they tried to nix HTML5 out of Chrome as it got patched by Microsoft to support it.
Seriously, this is front page news? How many bugs do windows, linux and osx have? How many bugs do IE, Firefox, Chrome, Safari have? Who really gets this up in arms about a pdf bug.... apple fanboys, that's who. http://www.computerworld.com/s/article/9197184/Apple_patches_critical_drive_by_Safari_bugs
Considering their track record, Adobe would have to release something that DIDN'T have gaping security holes for it to actually count as "news".
"Adobe software exploit-ridden" is about as novel as "New Pope is Catholic".
Seems to me, if any other type of business that produces goods had as many bugs and other crap as Adobe Reader has had, wouldn't they be given large fines and other crap and not be allowed to put products out until they fix it?
While I surf safe (even with the large amount of pirated/cracked/copyrighted stuff I download), I don't get hit with viruses/trojans/worms/whatever. Yet, my family and friends don't have the talent, or brains, to be online like I do. Update their Flash player? doubt it. Update Acrobat? probably not. Do they use the Firefox & Foxit that I put on their computers? nope.
Seems to me a class action lawsuit against software companies that have a track record of buggy/exploitable software is what is needed.
Oh wait, 'cept the fucking lawyers will win. damn.
Be seeing you...
No wonder I never get any + Funny mods anymore. People think I'm serious.
Sigh.
Excel supports OLE, and has since the 90s. Note that it's not actually putting the reader or any other directly executable code in the spreadsheet, but it can contain a reference saying "I have a SWF object that I'd like to render here" and the OS will load whatever it has that renders those.
There's no place I could be, since I've found Serenity...
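A defender-side check that follows from the OLE point above: because the SWF rides inside the workbook as an embedded object rather than as executable code, a mail gateway or triage script can flag .xls attachments that carry SWF headers at all. This added Python example is not from the thread or from Adobe; it scans a byte blob for the FWS/CWS/ZWS signatures, validates the header's length field (inflating CWS bodies) to weed out text that merely contains those letters, and runs on a constructed sample rather than a real workbook.

```python
import struct
import zlib

# SWF header magics: uncompressed, zlib-compressed, LZMA-compressed (standard SWF spec values)
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MAX_SANE_SWF_VERSION = 50  # constructed heuristic; real SWF versions were well below this


def find_embedded_swf(data):
    """Scan a byte blob (e.g. an .xls read from disk) for SWF headers and
    report each candidate with a plausibility verdict based on the header."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            hdr = data[pos:pos + 8]
            if len(hdr) == 8:
                version = hdr[3]
                declared_len = struct.unpack("<I", hdr[4:8])[0]
                hit = {"offset": pos, "kind": magic.decode(), "version": version,
                       "declared_len": declared_len, "plausible": False}
                if 1 <= version <= MAX_SANE_SWF_VERSION and declared_len >= 8:
                    if magic == b"FWS":
                        # Uncompressed: the declared total length must fit in the remaining bytes.
                        hit["plausible"] = declared_len <= len(data) - pos
                    elif magic == b"CWS":
                        # zlib body follows the 8-byte header; inflate it and compare sizes.
                        d = zlib.decompressobj()
                        try:
                            body = d.decompress(data[pos + 8:])
                            hit["plausible"] = d.eof and len(body) + 8 == declared_len
                        except zlib.error:
                            pass  # not a real zlib stream: text that happened to contain "CWS"
                    else:
                        hit["plausible"] = True  # ZWS: LZMA check omitted, header sanity only
                hits.append(hit)
            pos = data.find(magic, pos + 1)
    return hits


def build_sample():
    """Constructed input standing in for an .xls with OLE-embedded objects:
    CFB magic and padding, one FWS, a stream name, one CWS, and a text false positive."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x40\x00"  # fake SWF fields
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    filler = b"\xd0\xcf\x11\xe0" + b"\x00" * 64
    return filler + fws + b"Workbook\x00" + cws + b"\x00" * 16 + b"FWS on sale" + b"\x00" * 8
```

Run against a real attachment with `find_embedded_swf(open(path, "rb").read())`; a plausible hit in a spreadsheet from an unknown sender is a quarantine signal, not proof of exploitation.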
Nobody mentioned evince? It makes a good, open-source alternative to Adobe PDF reader on Windows
Adobe tells me that I'm running version 10.3.180.42. Or rather, mostly *blocking* version 10.3.180.42 with ClickToFlash in 64 bit Safari.
Adobe is copying Apple from ten years ago by naming the product that comes after 9, 'X'. One key difference: Acrobat X does not run on Apple computers.
Where do you get your misinformation? Reader X runs just fine on my MacBook Pro with Snow Leopard.
How about a 0-flash day? That should be much better for the community
The usual "Ragging on Flash" roundup rolling in.
Let's look at the facts:
1) Flash is by far the most ubiquitous end-user platform in existence.
2) For a little more than a decade competitors have tried to dethrone Flash. And even the most promising of those failed miserably due to pure and utter incompetence in delivering what people want and rich client developers need. (Java Media Framework and JavaFX anyone?)
3) Compared to its penetration and availability, Flash actually is one of the safest platforms out there. Which is why it's so popular. Duh. Or are you telling me that Firefox would have fewer security problems if it had a 97.5% worldwide install base? ... Didn't think so. And that 97.5% is a conservative estimate for Flash, btw.
So all of you know-all Flash bashers STFU and come up with a viable FOSS alternative. And no, this isn't an alternative. It's a joke, emphasising that the GNU frontline fighters for freedom are good at building compilers, maintaining ancient editors and doing evangelism, but totally suck at delivering anything usable that tends toward computing with a mouse and a GUI.
Bottom line:
How about you guys stop living in your dreamworld and start thinking about what makes Flash so popular and what it would actually take to build a competitor that doesn't fall flat on its face. Then you'd probably notice that there actually still is quite a bit of work to be done in the field before FOSS can catch up.
We suffer more in our imagination than in reality. - Seneca