New Adobe Flash 0-Day
Trailrunner7 writes "Adobe is warning its users about a critical vulnerability in Flash that affects Adobe Reader and Acrobat, as well, and is being used in some highly targeted attacks right now. The vulnerability in Flash Player affects Reader and Acrobat, both of which include Flash functionality, but it does not affect Reader X. Adobe officials said that Reader X's Protected Mode sandbox would prevent successful exploits. The company plans to have a patch for the affected products ready by next week for all platforms, including Windows, Mac, Linux, Android and Solaris."
Good luck leaving userland from a Flash plug-in, unless you are dumb and run everything from root.
What the hell for? Fucking Adobe.
For those of you who want to check which version you have and which is the latest:
http://www.adobe.com/software/flash/about/
The world is made by those who show up for the job.
The attack vector is an Excel spreadsheet delivered via an attachment that contains a SWF file that has this vulnerability. Looks like it is not a drive-by download. Not sure if the streamed Flash videos have the vulnerability. It does not affect Win7. Affects XP. If it is leveraging some specific bug in Excel and then a bug in Flash, it is very specific to that combination. XP+Excel+Adobe. The rest of us can rest easy and enjoy a little bit of schadenfreude.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Seriously, get Foxit PDF reader. It's free, and approximately 5 million times faster than Adobe Reader.
Secure OS's are only as good as the software running on it without administrator privileges.
There, fixed it for ya.
The payload might only be leveraging a specific bug in XP, but what's to say that a different payload couldn't be delivered through the same attack vector? One that targets other versions of Windows, even other operating systems altogether?
I am totally sick and tired of the constant wave of security bugs in these products. How hard can it really be after all these years to render compressed postscript without all of the underlying nonsense?
The rest of us can rest easy and enjoy a little bit of schadenfreude.
I'm sorry, I can't even pronounce that. I'd like a Kahlúa please.
Faster! Faster! Faster would be better!
How can it be a 0 day attack when Acrobat takes 2 days to start?
There's no -1 for "I don't get it."
Secure OS's are only as good as the software running on it without administrator privileges.
There, fixed it for ya.
So if I understand correctly...
Protect the operating system at all costs... but pay no attention to what really matters ... YOUR DATA.
Most exploits are written as an attempt to get root/admin or affect system settings. In my testing of Adobe exploits (not this one, but previous ones) I noticed that if I ran as a limited user the exploits don't usually work. If I run as admin with UAC running, the UAC never comes up and the exploit works. UAC + admin is not the same as running as a limited user.
Yes, you're right about malware running in userspace and that's a real problem with this approach, but running as limited gives some benefits that are not obvious. Arguably, AV and smart computer usage make up for the rest. This Excel file seems to already be in all the major virus definitions.
Someone said no exploits for Mac and Linux, huh?
Speaking of which, this pretty much means that every PowerPC Mac ever made has to be thrown in the scrap heap, doesn't it? Because Adobe has stopped updating Flash for PowerPC, which means it will be vulnerable forever. So unless you want to give up Hulu, YouTube and half the internet, they're pretty much doorstops now. Or pretty Linux home servers.
I wonder if anybody wants to buy a G4 PowerBook? It's faster than a lot of the Atom netbooks they're still selling.
Agreed. Local privilege escalation exploits are a dime a dozen on desktop Linux distributions (especially those that install the full GNOME suite). Surprisingly enough, Ubuntu is one of the better distributions in this regard because it ships with reasonably decent AppArmor profiles.
Someone said no exploits for Mac and Linux, huh?
I've also heard rumors that zero Windows ME users are getting infected. Just sayin...
Exactly, and I would argue the next big malware attacks most likely will simply ignore trying to get root, as new features like ASLR and DEP make it harder to use the old tricks like buffer overflows.
And the simple fact is that to do most of the stuff your average malware writers want to do (send spam, steal data, etc.), it isn't even needed. See this example of how to write a Linux virus in 5 easy steps with no need for root, just good old social engineering like we see every day, and it will autorun, send spam, do anything the malware writer wants to do.
So I would argue the reason we saw so many viruses running as root before was because it was easy to obtain root, and now that that is not the case, malware in the future simply won't bother and will instead do its damage from userland.
ACs don't waste your time replying, your posts are never seen by me.
In related news, SumatraPDF, the primary open-source PDF viewer for Windows, just had its 1.4 release a couple of days ago. In the course of the past ~6 months they've added GDI support so documents can print quickly (rather than sending huge bitmaps to printers), improved performance in all sorts of ways (notably including much-faster zooming and searching), and quashed lots of bugs. They've also added a browser plugin and a Windows Search filter (both optional). So even if you've tried it in the past and it didn't meet your needs, it's likely worth trying again.
Outside of multimedia (e.g. Flash) and JS (both of which I've never seen used in a PDF for anything other than an exploit), the only thing Sumatra lacks at this point, AFAIK, is the ability to work well with forms.
I've also heard rumors that zero Windows ME users are getting infected.
Apparently, having to run System Restore every hour also wipes out viruses.
Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
Because .PDF is the new ASCII, and DjVu isn't.
I'm willing to gamble that when I want to open a .PDF document 30 years from now, it's not going to be a problem on whatever platform I'm using at the time. But if my data was saved in some nonstandard but "optimized" format like DjVu, it will effectively be gone forever.
Replacing one file format with another is not the solution, because the file format itself is not the problem. Piss-poor engineering practices at Adobe are the problem.