Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe To Patch Flash 0-Day Friday

Posted by CmdrTaco on from the flash-in-the-pan dept.

Trailrunner7 writes "Adobe is planning to patch the recently disclosed Flash Player vulnerability on Friday — just four days after it was disclosed — for users on Windows, Mac OS X and Linux. The vulnerability is being used in targeted attacks right now that use malicious Word documents. Adobe said it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel, but Reader X users will have to wait till June for a fix."

113 comments

  1. They're planning to patch a 0-day? by gazbo · · Score: 2

    Impressive.

    1. Re:They're planning to patch a 0-day? by Anonymous Coward · · Score: 0

      Apparently it was disclosed 2 days ago so its not a 0 day, so it isn't impressive and if they gave a shit they could patch it today.

    2. Re:They're planning to patch a 0-day? by Riceballsan · · Score: 4, Interesting

      This may be one of the few times 0 day was actually used right. 0-day hits without warning, and it has to be patched after the fact, assuming of course there was no warnings by white hats beforehand that were ignored/covered up. That being said, as much as I hate adobe and the ridiculous amounts of security flaws that actually allow these issues to occur, Seriously who the heck would want the ability to use flash in a word document, so they can print animations? That being said, 4 days is actually decent response time. compared to say word itself that will probably have the patch for this itself in a few months.

    3. Re:They're planning to patch a 0-day? by phantomfive · · Score: 0

      No, look it up, you're wrong. Zero-day means the developer doesn't know about it. It's here. This particular exploit has been known, by Adobe, for at least four days. Don't make the mistake of thinking because YOU don't know what the exploit is, it's still a zero day.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:They're planning to patch a 0-day? by Culture20 · · Score: 1

      I know parent is a troll since everyone knows this, but as long as an exploit is made available before the developer knew (or disclosed they knew) about the vulnerability, the exploit is referred to until the end of time as a zero-day exploit. It successfully attacked 0 or more days before work on a patch started. George Washington didn't stop being the first President of the United States when he stepped out of office, he stopped being the current president.

    5. Re:They're planning to patch a 0-day? by IB4Student · · Score: 1

      so, that'd make it a 4-day? >__>

    6. Re:They're planning to patch a 0-day? by _0xd0ad · · Score: 2

      No, zero-day means that the developer didn't know about it when the attack went live. They'll eventually discover the vulnerability and patch it, but that doesn't change the fact that it was a zero-day attack.

    7. Re:They're planning to patch a 0-day? by syockit · · Score: 1

      In /., you're supposed to give a car analogy, not a statesman, nor a politician.

      Let's see.. if a car can't work even while its mileage is still zero, you call it, uh... what?

      That shows how little I know of cars.

      --
      Democracy is for the people; you only vote once per season and we'll do the rest of the work for you don't have to.
    8. Re:They're planning to patch a 0-day? by MozeeToby · · Score: 1

      The attack was a zero day attack, Adobe didn't know the vulnerability existed until the attack was discovered. They are now patching said attack on day 4. Saying that Adobe is patching a zero day attack 4 days after it was discovered doesn't seem unreasonable to me.

    9. Re:They're planning to patch a 0-day? by Anonymous Coward · · Score: 0

      Yes.

    10. Re:They're planning to patch a 0-day? by quenda · · Score: 1

      So it is actually a "minus four day" attack?

    11. Re:They're planning to patch a 0-day? by phantomfive · · Score: 1

      Except it's no longer a 0 day once it is discovered. They are not patching a zero day vulnerability, they are patching a vulnerability that used to be a zero day and no longer is.

      --
      "First they came for the slanderers and i said nothing."
    12. Re:They're planning to patch a 0-day? by phantomfive · · Score: 1

      Zero-day attack = attack perpetrated using a zero-day vulnerability.
      Zero-day vulnerability = vulnerability the developer doesn't know about.

      Please read the summary again and realize which one we are talking about here.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:They're planning to patch a 0-day? by _0xd0ad · · Score: 1

      It doesn't change the fact that it was a zero-day vulnerability, either.

      And Adobe themselves called it one:

      During our response to any zero-day vulnerability, Adobe seeks to protect as many users as quickly as possible. As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing. Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism. Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris and Android (more than 60 platforms/configurations altogether) to ensure the fix works across all supported configurations. Typically, this process takes slightly longer and, in this case, is expected to complete on April 15 for Flash Player for Windows, Macintosh, Linux and Solaris

    14. Re:They're planning to patch a 0-day? by phantomfive · · Score: 1

      Please read that and tell me, do you think it was written by a PR agent, or by a security expert?

      We know what a 0-day vulnerability is. Whether Adobe uses the term correctly or not is irrelevant to the discussion.

      --
      "First they came for the slanderers and i said nothing."
    15. Re:They're planning to patch a 0-day? by _0xd0ad · · Score: 3, Insightful

      It was a zero-day vulnerability. The fact that it's no longer a zero-day vulnerability isn't nearly as important as the fact that it was one, since the very fact that we're discussing it means that it's no longer unknown.

      If you want to be that pedantic, you might as well just throw out the term altogether, because as soon as you find out that a 0-day exists, it ceases to exist.

    16. Re:They're planning to patch a 0-day? by bunratty · · Score: 1

      Yes, Adobe will patch a vulnerability that was used in a 0-day attack. Or "Adobe To Patch Flash 0-day" for short.

      I suppose when I ask if you know what time it is you'll say "Yes", then give me a lecture on how my question was improperly phrased if I'm not satisfied with your answer.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    17. Re:They're planning to patch a 0-day? by Anonymous Coward · · Score: 0

      Seriously who the heck would want the ability to use flash in a word document, so they can print animations?

      PDF, the Portable Document Format, allows embedding of video and audio. Flash-in-DOC is a symptom of a larger problem.

    18. Re:They're planning to patch a 0-day? by 0xdeadbeef · · Score: 1

      No, it refers to a crack released on or before the day the game it targets is released. Script kiddies only use the term because they think warez d00ds are the coolest.

    19. Re:They're planning to patch a 0-day? by Anonymous Coward · · Score: 0

      You are very persistent at making incorrect statements. I'll explain what a zero day is again, and see if you can understand it.

      A zero day exploit is one that the vendor doesn't know about. It doesn't mean it's unknown.

      Make sense? If I know about it, and I am not the vendor, then it is still a zero-day. If you know about it, and you are not the vendor, it is still a zero-day. If a hacker knows about it, and the vendor doesn't, then to him/her it is a very useful zero-day. Once the vendor knows about it, it's day one.

    20. Re:They're planning to patch a 0-day? by _0xd0ad · · Score: 1

      I understand that perfectly well. It means that it is unknown to the vendor. I was stating it from the point of view of the vendor of the product.

    21. Re:They're planning to patch a 0-day? by lennier · · Score: 1

      as soon as you find out that a 0-day exists, it ceases to exist.

      The 0day that can be named is not the true 0day.

      What is the sound of one buffer overflowing?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    22. Re:They're planning to patch a 0-day? by arth1 · · Score: 1

      This may be one of the few times 0 day was actually used right.

      Actually, no. It's a prime example of it being used wrong, as crisis maximization.

      Zero day is a vulnerability before you discover it.
      First-day is when you immediately put out a fix.
      4 days after discovery, like this is, is three days after that and has nothing whatsoever to do with zeroth-day exploits.

    23. Re:They're planning to patch a 0-day? by arth1 · · Score: 1

      No, the Heisenphrase is still quite useful, but just like "undiscovered species" it has to be qualified with a word like "previously" when talking about a specific occurrence, and not used in statistics, forecasts and speculations.

    24. Re:They're planning to patch a 0-day? by _0xd0ad · · Score: 1

      Why does it need to be qualified with a word that's redundant given the context?

    25. Re:They're planning to patch a 0-day? by arth1 · · Score: 1

      Would you call a new species that was discovered last week a "previously undiscovered species", or insist on "undiscovered species" because "previously" was redundant given the context?

    26. Re:They're planning to patch a 0-day? by _0xd0ad · · Score: 1

      If you're talking about its discovery, it's redundant to say that it was previously undiscovered.

    27. Re:They're planning to patch a 0-day? by phantomfive · · Score: 1

      Why do you think this has anything to do with what time it is? Please write clearly.

      --
      "First they came for the slanderers and i said nothing."
    28. Re:They're planning to patch a 0-day? by Phoghat · · Score: 1

      Actually I'd like to go a day WITHOUT a notice from Adobe about patching something.

      --
      Think of how stupid the average person is, and realize half of them are stupider than that.
    29. Re:They're planning to patch a 0-day? by Anonymous Coward · · Score: 0

      Please write clearly.

      Okay. "clearly".

      Oh, look at me, I'm so witty and clever that I can get a grammatically valid but obviously incorrect meaning from a perfectly clear statement! Isn't this fun?

      "Adobe to patch Flash 0-day" is a perfectly clear and succinct way of saying that "Adobe is going to patch a vulnerability exposed in a 0-day attack". You could, of course, misunderstand it if you're a pedant, but that's about as helpful to the discussion as answering "you just did" when someone says "can I ask you a question", or answering "yes" when you're asked "do you know what time it is". You're so clever. Now QUIT.

  2. Via Word ... by WrongSizeGlass · · Score: 1

    This one comes in via Word. MS released a security update this week that installs an Office add-in that scans 2003, 2007 & 2010 Office docs for malicious code. Hopefully MS's efforts will prevent the next Adobe security hole.

    1. Re:Via Word ... by ledow · · Score: 2

      HOW MANY MORE TIMES?

      Do NOT open a document that you're not expecting, that isn't from someone you know, etc. Yeah, you could say that this can be passed legitimately from person to person but come on - this is the first rule of virus protection - don't open documents without screening them (not via some magical software that "knows" if it's bad or not, but by using your brain) first.

      The fact that you can even still GET a Word virus whether it executes in macros, integrated Flash or some other ActiveX-based crap, tells you that Microsoft just don't care any more.

    2. Re:Via Word ... by Anonymous Coward · · Score: 0

      Or open it using Google Docs*.

      *Replace with your favorite cloud [sigh] office suite

    3. Re:Via Word ... by ackthpt · · Score: 1

      This one comes in via Word. MS released a security update this week that installs an Office add-in that scans 2003, 2007 & 2010 Office docs for malicious code. Hopefully MS's efforts will prevent the next Adobe security hole.

      I've always assumed Word Processor was not the same as Compiler or Interpreter. Shows just what a marvelous world it is when your Word documents aren't even documents at all, but full environments of their own.

      Generally THIS is why I don't use Word at home - I use a Word Processor which is a Word Processor and nothing more.

      --

      A feeling of having made the same mistake before: Deja Foobar
    4. Re:Via Word ... by softWare3ngineer · · Score: 1

      Long live gedit. also and on the plus side, it is a simpler tool that makes you focus on the content of what you are writing.

    5. Re:Via Word ... by s122604 · · Score: 1

      Does it come in via word, or via a word document? i.e. if I opened up a malicious .doc/.docx in Open Ofice, would I be affected?

      I've been modded down to troll for asking these kinds of questions before. I'm really just curious, I ask with all humility, grace, and supplication...

    6. Re:Via Word ... by ColdWetDog · · Score: 1

      Generally THIS is why I don't use Word at home - I use a Word Processor which is a Word Processor and nothing more.

      Emacs users all of the world spit in scorn at your shameful statement.

      --
      Faster! Faster! Faster would be better!
    7. Re:Via Word ... by Entropius · · Score: 2

      Why should I?

      It's a fucking document. It's a series of bits which are converted into pixel values and shown on a screen, not code.

      If you get your computer compromised by a document, then the only person who's fault it is is the one who wrote the document decoder (and/or the idiot who decided that documents should include embedded code, which is ridiculous).

      You have your computer configured right now to accept documents that you're not expecting -- jpegs, all over the web. But you do this all the time, because you know that the folks who wrote your browser managed to not fuck up a jpeg decoder -- no matter what's in that file, the worst it can make you do is get in trouble with your boss.

      Likewise, you feel, or you should feel, perfectly safe running vim on anything that comes your way, since going "vim virus.txt" is not going to do bad things to you, no matter what's in there -- because the people who wrote vim are not morons.

      The same ought to be true for other document formats. Perhaps I am an old fuddy-duddy, but there is absolutely no reason that any responsible document format needs to contain executable code -- and if any document decoder mistakes data for code (via a buffer overrun or similar), then their ass is the one to blame.

    8. Re:Via Word ... by Entropius · · Score: 1

      Unsophisticated people use hundred-megabyte software packages to prepare documents.

      Sophisticated people use vim and latex.

    9. Re:Via Word ... by WrongSizeGlass · · Score: 1

      Does it come in via word, or via a word document? i.e. if I opened up a malicious .doc/.docx in Open Ofice, would I be affected?.

      From Adobe's security bulletin:

      There are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page or a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform.

      I don't know if OO will try to use the .swf payload inside the Word document.

    10. Re:Via Word ... by Riceballsan · · Score: 1

      Well as much as part of that is true, for the most part it is terrible advice. "Don't open anything given to you by people you don't know" is solid advice, but it is half the time interpreted as something is safe if it is from someone you know and trust. Virus's don't work that way, most infections I run into these days were given to the person by their grandmothers who wouldn't hurt a fly. Second part is unexpected, this is also true, getting "hahafunny.doc" out of the blue is almost a guaranteed virus, but opening your bosses quarterly financial is also a risk if there is even a possibility he has used it on a compromised machine and the virus rather then forcing the computer to spread it out, just implants itself into everything silently.

    11. Re:Via Word ... by Anonymous Coward · · Score: 0

      "You have your computer configured right now to accept documents that you're not expecting -- jpegs, all over the web. But you do this all the time, because you know that the folks who wrote your browser managed to not fuck up a jpeg decoder -- no matter what's in that file, the worst it can make you do is get in trouble with your boss."

      Actually, you don't really know that. Remember a few years ago the big scare when *any* file of *any* type once loaded onto a windows machine could unload a nasty attack hidden inside the file? Even a .txt file could have this issue. It wasn't an IE thing either, it was at the OS level, and for a period of about a week MS was trying to tell people for the love of all that is holy to stay off the internet until they patched the hole.

    12. Re:Via Word ... by rssrss · · Score: 1

      "Microsoft just don't care any more."

      I did not think Microsoft ever cared about anything other than Microsoft's profits.

      --
      In the land of the blind, the one-eyed man is king.
    13. Re:Via Word ... by Anonymous Coward · · Score: 0

      Or even leather, nylon and spikes.

    14. Re:Via Word ... by gstoddart · · Score: 1

      I continue to be stunned by the fact that Word will attempt to launch an embedded Flash object ... I'm completely baffled by the fact that you can put a .swf file at all. Why the hell would you need that?

      It's no wonder we get so many *(&$^& viruses when word-processors attempt to launch embedded executable files without asking or anything.

      To me that sounds like the security equivalent of picking up used syringes off the ground and sticking them into your arm to see what's in them.

      I mean, WTF? Does Microsoft just sit around and try to identify new sources of arbitrary code they can execute?

      This is one of the reasons I don't install Flash on my machines.

      --
      Lost at C:>. Found at C.
    15. Re:Via Word ... by mlingojones · · Score: 1

      But you do this all the time, because you know that the folks who wrote your browser managed to not fuck up a jpeg decoder -- no matter what's in that file, the worst it can make you do is get in trouble with your boss.

      I can think of at least one way a JPEG can get you in bigger trouble than that. >_>

    16. Re:Via Word ... by GameboyRMH · · Score: 1

      What happens when you receive a document meant to produce a browser exploit when rendered by a web-based office application?

      Hey, it could happen.

      Reminds me of a virus from the novel Jennifer Government. A popular antivirus suite would gather info on any files it picked up with a heuristic scan and send that info to the server, which would then distribute virus definition updates to all the clients. The virus was meant only to be picked up by the heuristic scan, but it was made so that the resulting virus info would exploit the antivirus' virus definition handling. It would then wipe the disk of the host PC - which would be the server and all the clients.

      It was also cross-platform (ran on Windows and *nix-based OSes)...I'm pretty sure that part's impossible IRL.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    17. Re:Via Word ... by aztracker1 · · Score: 1

      Well, I've experienced plenty of documents that pull in real-time data for a portion of the document... unfortunately Flash is commonly installed as a "safe for scripting" active-x plugin in windows... I prefer simple pdf viewers, and don't open unexpected attachments... I really would just prefer that there were two differing extensions for such "interactive" documents, opposed to read-only, no interaction...

      --
      Michael J. Ryan - tracker1.info
    18. Re:Via Word ... by hairyfeet · · Score: 1

      You want to know why MS Office gets bit (and also why OO.o isn't gaining any traction)? simple: Business are hooked on Macros like crack, that's why. You'd be amazed at how many "mission critical apps" I've seen that were some horrible kludge of VB and Office Macros.

      Hell why do you think VB6 was so damned hard for MSFT to kill? Because businesses had WAY too much shit running on it. Same thing with MS Office, as VBA is all over the damned place and anything they patch has to make sure it don't shit all over all those macros.

      So I'd say the whole thing is a "be careful what you wish for" as businesses wanted something that even non coders could whip up basic office programs with and MSFT gave it to them. Well letting anybody and his dog run any code embedded in something else is a BAD IDEA, and then add to the fact that Adobe has added the kitchen sink into what was supposed to be a "Portable Document Format" and we have a serious SNAFU.

      As much as I thiunk sandboxes are band aids on bullet wounds maybe that's what we are gonna end up needing here: an automatic "drop your broke ass code here" sandbox that lets businesses keep their big kludge VBA nightmares and horribly written PDF bloatware while letting the rest of us just look at a PDF or open a word doc without the BS.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    19. Re:Via Word ... by lennier · · Score: 1

      A million times this.

      What bugs me is that all the programmers who wrote these format decoders riddled with buffer overruns still have jobs. How can that be possible? Either they knew at the time that they were writing unsafe virus-holes - and went ahead anyway, thus committing gross negligence - or else, even worse, they had no way of telling if the code they were writing was safe or unsafe and yet went ahead and released it on a "who knows, what's the worst that could happen?" sort of policy.

      Either way, it's bad.

      If a civilisation which routinely tolerated the insane lack of safety that we tolerate in programming built, say, nuclear reactors, we'd expect to have them melt down the first time we got a magnitude 9 earthq -

      oops.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    20. Re:Via Word ... by lennier · · Score: 1

      I continue to be stunned by the fact that Word will attempt to launch an embedded Flash object ... I'm completely baffled by the fact that you can put a .swf file at all. Why the hell would you need that?

      And what happens if you print that?

      Do you get a Youtube movie at 60 pages per second coming out of your laser printer?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    21. Re:Via Word ... by Billly+Gates · · Score: 1

      I am not a hacker in this area but the word .doc format is specifically designed as an executable. The reason why is to make it harder for people to leave the MS ecosystem and switch to competing products. Also it is there to give Visual Basic an edge.

      Virus makers love this as their code can hide in a perfect container. OpenXML which is now used is far superior because nothing is hidden but it also supports legacy binary blobs of executable code.

      --
      http://saveie6.com/
  3. Keep polishing that turd Adobe by Anonymous Coward · · Score: 3, Funny

    At least my iPad is still safe.

    1. Re:Keep polishing that turd Adobe by Anonymous Coward · · Score: 0

      You mean like a golden cage is still "safe" from some food that happens to be a turd? :P â¦but also from all other food.

    2. Re:Keep polishing that turd Adobe by Anonymous Coward · · Score: 0

      You mean like a golden cage is still "safe" from some food that happens to be a turd? :P â¦but also from all other food.

      And yet its residents are fat and happy. Whoda thunk?

    3. Re:Keep polishing that turd Adobe by Tackhead · · Score: 2, Informative

      At least my iPad is still safe.

      Not necessarily. Even without Flash support, those things are huge vectors for earworms.

      7 am, waking up in the morning
      Zero-day fresh, gotta get my warez,
      Gotta sign my key, gotta have serials
      Crackin' everything, the time is goin'
      Tickin' on and on, everybody's codin'
      Gotta log on to the Slash - dot
      Gotta slash my dot, I click Refresh...

      PDF for printouts,
      Flash is for online,
      Gotta make my mind up,
      Which code did they break?

      It's Friday, Friday
      Zero-day on Friday,
      Sysadmin's lookin' forward to the weekend, weekend,
      Friday, Friday,
      Patch it up by Friday,
      Sysadmin's lookin' forward to the week-end.

      Updatin', updatin' (Huh?)
      Integration testin' (Damn!)
      Fuck, fuck, fuck, fuck,
      Adobe's blown another weekend...

      (We-we-we so excited...)

    4. Re:Keep polishing that turd Adobe by ph0rk · · Score: 1

      The important thing about the gilded cage is, in some cases, the gilt. Not the bars.

      --
      semantics are everything!
    5. Re:Keep polishing that turd Adobe by Anonymous Coward · · Score: 0

      Sure but at this point an iPad is still just a great SECONDARY computing device. Gloat all you want but there's still a lot of Flash-based content online out there that you miss out on unless you also have something like just a basic computer. Flash was great for what it was originally developed for, then it was dragged into becoming a multimedia tool beyond its means. It's very, very hard to defend Adobe but Flash works in a relative sense -- playing online Flash games on the Internet as it was ten years ago was fun, but things just aren't the same and Flash has been pushed beyond it means. Until HTML5 catches on more Flash is more or less the standard we're stuck with. Anyone who is seriously into computing and can say they can live with just an iPad is lying, or in the case of some people like at TWIT, they have a shitload of staffers with real computers backing them.

    6. Re:Keep polishing that turd Adobe by GameboyRMH · · Score: 1

      Just as a Power Wheels truck is safe from a high-speed crash.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    7. Re:Keep polishing that turd Adobe by PNutts · · Score: 1

      You mean like a golden cage is still "safe" from some food that happens to be a turd? :P æbut also from all other food.

      I'm not sure what you meant by that but thanks for reminding me to check my iPhone for an Angry Birds update.

    8. Re:Keep polishing that turd Adobe by Anonymous Coward · · Score: 0

      7:45, I should be on the highway
      Cruisin' so fast, but I just want to cry,
      Holes, holes, think about holes,
      You know what it is;
      I got this, you got this,
      They didn't get this right, and
      I got this, you got this,
      We must patch it;

      Kickin' in the PC,
      Throwin' it in the street,
      This has fucked my mind up,
      How much more can I take?

    9. Re:Keep polishing that turd Adobe by heff_sf · · Score: 1

      One keeps hearing the Flash fanbois harping about the great lot of "Flash-based content online out there that you miss out on", always, always failing to articulate exactly what all this great content is. Crappy Flash-based ads that suck up 95% of the CPU, drain battery life and crash the browser, and this is somehow hindering one's computing experience? Or are they referring to crappy Flash-based games? If Flash games are indeed what they mean then the rejoinder "anyone who is seriously into computing" does not apply. Hell, just four posts up today Slashdot is running an article about Flash on Android being deadly, successfully loading up the device with a bunch of Flash ads that weren't visible without Flash, competing with the browser and bringing performance to its knees. And yet Flash advocates mock the iPad for failing to bring this wondrous universe of crap to the tablet experience, seemingly with a straight face. Boggles the mind.

  4. Linux? by Lunaritian · · Score: 1

    If the malware is distributed with Word docs, then how can it infect Linux? Does it work with Open/LibreOffice too?

    1. Re:Linux? by machxor · · Score: 3, Informative

      The vulnerability exists in Flash Player not Microsoft Word. A Word document is simply the package being used to distribute the payload.

    2. Re:Linux? by Abstrackt · · Score: 1

      Neither TFA nor TFS say it infects Linux, though it sure reads like that at first, it actually says a patch will be available for Windows, MacOS X and Linux. It's probably minimal effort to plug the hole in all of them at once.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    3. Re:Linux? by Anonymous Coward · · Score: 0

      I do not think anyone really cares if Linux is safe or not. It is obvious that your a Linux fan boy and just trying to start stuff so I will just leave it at that. Linux is good for some tasks like servers but not for ease of use in other areas.

    4. Re:Linux? by Anonymous Coward · · Score: 0

      "I do not think anyone really cares if Linux is safe or not."

      Just cause you don't care doesn't mean there's not others that do.

      If we are to believe 1% - 2% of desktops are using Linux then that's still an awful lot of people out there using it, whether you like it or not.

    5. Re:Linux? by Anonymous Coward · · Score: 0

      Support for putting Flash into or referring to Flash from within a Word document would seem to be the fundamental problem: regardless of the details of this flaw, why in HELL enable that? It shouldn't even be possible. Disable it. Permanently.

  5. Linux 64 bit by Anonymous Coward · · Score: 0

    Of cource there is not going to be a patch for 64 bit Linux. How silly to run a 64 bit Operating System in 2011. Proprietary software at it's best. Fuck you adobe.

    1. Re:Linux 64 bit by ObsessiveMathsFreak · · Score: 1

      Personally, I've had such ongoing, persistent library and software problems since I switched to 64-bit in 2006, that at this point I just want to go back to 32 bit. Just last week I had to spend 4 hours fixing a 32-bit library bug. Flash has of course been the single biggest and most obnoxious problem with my still ongoing 64-bit upgrade process.

      --
      May the Maths Be with you!
    2. Re:Linux 64 bit by 0123456 · · Score: 1

      Personally, I've had such ongoing, persistent library and software problems since I switched to 64-bit in 2006, that at this point I just want to go back to 32 bit.

      Meanwhile every computer I own that has a 64-bit CPU runs 64-bit Linux and I've never seen any issue with the 64-bitness other than Adobe's inability to ship a working 64-bit Flash plugin.

    3. Re:Linux 64 bit by Anonymous Coward · · Score: 0

      Just run the 32-bit version of Firefox. That's what I do.

      This has two benefits: The latest flashplayer will work and all the shit preinstalled plugins from your distro won't work.

    4. Re:Linux 64 bit by GameboyRMH · · Score: 1

      I don't even have problems with Adobe's 64-bit Flash plugin. What can I say, it just works.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  6. Article is Dup by Anonymous Coward · · Score: 5, Funny

    Doesn't Slashdot post this same article every week?

    1. Re:Article is Dup by indeterminator · · Score: 1

      The previous one was about Flash embedded in an Excel file. I'll predict next week a Powerpoint file is involved.

  7. 40..50 years of computing by countertrolling · · Score: 2

    And the whole damn country can be taken down by a media player. Truly fascinating.

    --
    For justice, we must go to Don Corleone
    1. Re:40..50 years of computing by geek · · Score: 1, Funny

      Unless you're on an iPad

    2. Re:40..50 years of computing by countertrolling · · Score: 1

      Keyloggers

      --
      For justice, we must go to Don Corleone
    3. Re:40..50 years of computing by ColdWetDog · · Score: 1

      Keyloggers

      No keyboard! (Well, none to speak of, anyway).

      --
      Faster! Faster! Faster would be better!
    4. Re:40..50 years of computing by smelch · · Score: 1

      Yes, because key loggers go in the hardware. No physical keyboard, where will you put the keylogger? Genius.

      --
      If I can just reach out with my words and touch a butthole, just one, it will all be worth it.
    5. Re:40..50 years of computing by GameboyRMH · · Score: 1

      Yeah for those we use other browser exploits, like the old jailbreakme.com, or the HTML-based forced-dialing vulnerability.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    6. Re:40..50 years of computing by lennier · · Score: 1

      I used to think that William Gibson's Neuromancer was wildly unrealistic for portraying a future Net so riddled with vulnerabilities that any cowboy kid with a cyberspace console could hack their way into a bank and escape barely milliseconds ahead of the Intrusion Countermeasure Electronics.

      Now I know that the unrealistic part is that there's any countermeasures at all.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  8. US grammar? by Anonymous Coward · · Score: 1

    They are planning to patch Friday?
    Why does Friday need patching?

    1. Re:US grammar? by OffaMyLawn · · Score: 2

      If it's that horrible song, maybe they could patch some talent into it.

    2. Re:US grammar? by rfuilrez · · Score: 1

      Because of this http://www.youtube.com/watch?v=CD2LRROpph0

  9. chosen ones life0cidal holycost ends on fatal fri. by Anonymous Coward · · Score: 0

    nobody's betting much on that, likely not knowing that the 'longshots' win over 1/2 of the races, with better returns guaranteed. all races are 'fixed' in some way. remember to wager early & often on the true winners.

  10. Summary not quite accurate... by fahrbot-bot · · Score: 3, Informative
    The Flash Player for Windows will get patched on April 25, but the Flash Player bug in Reader X for Windows will get fixed in June because the Reader X sandbox prevents exploitation. From TFA:

    Adobe said on Wednesday night that it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel. A separate patch for Adobe Acrobat X for Windows and Mac, Reader X for Mac and Reader 9.x for Windows and Mac on April 25.

    The company is planning to wait until June to release a patch for the Flash Player bug in Reader X for Windows because the sandbox in that application prevents exploitation of the vulnerability. The patch for Chrome will be available earlier than the others thanks to Adobe's relationship with Google.

    --
    It must have been something you assimilated. . . .
    1. Re:Summary not quite accurate... by trparky · · Score: 1

      Even if they don't release the patch for Google Chrome, Google Chrome users are still fully protected.

      All of these exploits in Adobe products is why everyone is coming out with their own PDF viewers or sandboxing the hell out of Adobe Flash.

      Google Chrome has it right, wrap Adobe Flash in the same nearly impenetrable sandbox that the browser itself is wrapped in. The Google Chrome sandbox has proven time and time again that no matter what exploit is found in the browser, the sandbox has rendered them completely useless to do anything really bad to the surrounding operating system. Three years running as the reigning champion at Pwn2Own!

    2. Re:Summary not quite accurate... by Anonymous Coward · · Score: 0

      And what is strange to me is where I work the machines with issues all have Google Chrome installed. It appears that Chrome allows the locked down user to install plugins that can touch the OS in ways that said user would not normally be able to do. When we fix the machine and remove Chrome the only complaint we get is where is Google Chrome. The machine otherwise works fine.

      Granted it is the same 4 people that hate not having admin rights to every machine they may touch who are doing this. The fact that they can use Chrome to screw with the host OS is an issue.

    3. Re:Summary not quite accurate... by Entropius · · Score: 1

      Smells astroturfy, because you're making sure to call it "Google Chrome" every time instead of just "Chrome" like a normal slashdotter would.

  11. And in "just" four days? by SanityInAnarchy · · Score: 1

    I miss reading a Slashdot article about a 0-day (within hours of the actual vulnerability), then going to patch it and discover I'd already patched via my distro's repository.

    --
    Don't thank God, thank a doctor!
    1. Re:And in "just" four days? by Anonymous Coward · · Score: 0

      You are not alone.

    2. Re:And in "just" four days? by froggymana · · Score: 1

      My distro already has this one patched. It simply doesn't install it

      --
      "To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
    3. Re:And in "just" four days? by Anonymous Coward · · Score: 0

      apt-get remove adobe-flashplugin should pretty much get you back to those days.

  12. 2006 called by Anonymous Coward · · Score: 0

    Sounds like you must be stuck in a time warp, circa 2006. Everyone who isn't an idiot has been running 64-bit Linux happily for years.

    32-bit is for unevolved cavemen and dumbfucks.

  13. For those that actually deploy this by adeft · · Score: 1

    A bit hard to find, but this specific vulnerability is in "10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems."

  14. 0 day ... what it means. by BitZtream · · Score: 1

    Its funny to see everyone arguing over what zero day means ...

    Back in my day, and yes, I'm an old geezer apparently, zero day meant ... the first day it was discovered.

    zero day warez releases were released the same day as the software hit the shelves or went on sale somewhere.

    The next day, it was no longer zero day, it would be 1 day.

    You also had pre-release warez of course, for things that were available on ftp sites or IRC before the public release, also commonly called zero day warez as well.

    You wouldn't go to a 'zero day' warez site and expect to find something released 2 days ago, it would have been cycled out and off the site before then. Group distro sites and such being an entirely different beast as some hard larger archives and such.

    Its amusing to me to see all the young'ens talk about zero day like they invented it and know exactly what it means, but I'm sorry to inform you that the way zero day is used this decade is much different than they way it was used a decade ago, mostly because of silly bloggers who don't know what it actually meant constantly referring to something new as zero day regardless of how long it had been known or public.

    And for anyone who posts a link to wikipedia for a definition of zero day ... keep in mind, I STOPPED using the term before wikipedia even EXISTED, and its hardly an authoritative source (neither am I for that matter of course) for anything. Just because its on wikipedia doesn't mean its true or that the page on wikipedia is accurate. Have we learned nothing about crowd sourced websites in the last 10 years?

    Anyone, you guys go on and argue over your silliness about zero day, us old geezers will sit back and laugh about how you guys missed out on the good old days, and both groups will imagine how we're better than the other group ... because.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:0 day ... what it means. by Imagix · · Score: 1

      I'm with you on this one. 0-day as a descriptor is nearly meaningless noise as it is currently used. "A vulnerability that the vendor doesn't know about yet.". Big deal. "A new vulnerability" says pretty much the same thing. If it takes the crackers four years to find the vulnerability, it still counts as a 0-day. Part of the cachet around "0-day" originally was a giant raspberry to the software vendor that their copy protection for their software was so weak that it was broken the same day that it was released. So if the cracker can find a vulnerability in someone's software the same day that it is released, then fine. _That's_ a 0-day vulnerability. That says that the vendor is so bad that one can find problems the same day that it was released. If it takes 4 years... that's pretty strong.

    2. Re:0 day ... what it means. by bunratty · · Score: 2

      A new vulnerability can be found by white hats and reported to the company, which is not a 0-day. A new vulnerability can be found by black hats and exploited before the company knows about it. That's a 0-day, and it's problematic because they company wasn't able to attempt to mitigate or fix the problem before it was exploited. Not all new vulnerabilities are 0-days; probably most are not. It's not important whether a vulnerability was found the first day the software was released or not. The important thing is how long it takes the company to respond. If they had no knowledge of the vulnerability, it's a worst case scenario.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
  15. And, yet iPad still is... by Anonymous Coward · · Score: 0

    Not a real computer, or anything remotely close to it, just a toy.
    It's funny to see all the iSlaves coming out woodwork and claiming they are safe.

  16. using anything Adobe is a security risk by Anonymous Coward · · Score: 0

    Adobe has to have one of the crappiest security records of anything.

  17. Flash O'Day by OglinTatas · · Score: 1

    Wasn't he a quarterback for the Irish?

    --
    More music, fewer hits
  18. 4 days sounds fairly quick by Corse32 · · Score: 1

    I guess, does it push the update out to users?

  19. Leave Flash behind by xororand · · Score: 2

    Try to uninstall Adobe Flash for a week. I did and I can't say that I miss anything.

    YouTube:
    - The HTML5 beta works rather well with modern browsers like Firefox 4.0 and nearly every video is available. You don't need a Google account. The setting is stored in a cookie.
    - If you're on Linux, try Minitube. It's a standalone player for YouTube that uses hardware acceleration.

    Thanks to the iPad, more and more web sites offer alternatives to Flash. My preferred news TV station is now streaming both with Ogg/Theora and H.264.

    Yes, I can't view the occasional funny cat video because it's only available in Flash format but guess what: I'm still alive.

    1. Re:Leave Flash behind by RocketRabbit · · Score: 1

      Really? Which news site streams OT?

    2. Re:Leave Flash behind by xororand · · Score: 1

      It's a German news program: tagesschau.de
      Screenshot.
      They got an award for it too:

      "The Free Software Foundation Europe (FSFE) and the Foundation for a Free Information Infrastructure (FFII) have used the occasion of Document Freedom Day 2011 to give an award to German broadcaster ARD's internet platform tagesschau.de for offering broadcast shows in the free Ogg Theora video format. According to the FSFE announcement, the technical manager and vice editorial director will be presented with cakes at separate events in Hamburg and Berlin."

    3. Re:Leave Flash behind by The+Wild+Norseman · · Score: 1

      According to the FSFE announcement, the technical manager and vice editorial director will be presented with cakes at separate events in Hamburg and Berlin."

      It's a trap! The cake is a lie!

      --
      "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
    4. Re:Leave Flash behind by Anonymous Coward · · Score: 0

      I met a high school friend who is in web design now. He told me that his small 1/2 man company had landed (sorry) what would be considered a big contract - a short hop airline called . During our conversation it came up that I block flash, him having raved about how the WHOLE site is flash. I was then told: "Oh... you are one of those. So ye, while I agree with what you say about leave flash behind (and I do/have more or less) there are still some people out there who are your (and my) polar opposite and somehow are still allowed to create substantial websites. I'm happy not to give any of my very little short hop airline business to 1time but if I travelled more often or my company needed competitive quotes then its not worth taking the stand against the site.

  20. OK Chrome has the fix already! by fugas · · Score: 1

    Stable Channel release 10.0.648.205 is out. Thanks Google for the incredibly swift response.

  21. Just as bad as Microsoft by applematt84 · · Score: 1

    It seems they are following in suit behind Microsoft with the "we will patch it when we feel like it" attitude. Disappointing.

  22. That explains the my friend's recent infection. by BLToday · · Score: 1

    Here's the summary of the conversation:
    Him: dude, it's happened again.
    Me: too much porn man.
    Him: I didn't do anything, even used Chrome and Firefox
    Me: which site did you go to?
    Him: it's my office computer, I can't look at porn here.
    Me: OK, maybe there's not enough porn on your computer.

  23. no patch yet... by datapharmer · · Score: 1

    So still waiting on that patch. When was that going to be released again?

    --
    Get a web developer