Adobe Patches Second Flash Zero-Day In 9 Days

← Back to Stories (view on slashdot.org)

Adobe Patches Second Flash Zero-Day In 9 Days

Posted by samzenpus on Wednesday June 15, 2011 @11:58AM from the protect-ya-neck dept.

CWmike writes "For the second time in nine days, Adobe has patched a critical vulnerability in Flash Player that hackers were already exploiting, Computerworld's Gregg Keizer reports. Adobe also updated Reader to quash 13 new bugs and several older ones the company had not gotten around to fixing. The memory corruption vulnerability in Flash Player could 'potentially allow an attacker to take control of the affected system,' Adobe said in an accompanying advisory. 'There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages.' Adobe last issued an 'out-of-band' emergency update on June 5, when it fixed a critical flaw that attackers were exploiting to steal Gmail login credentials. Those attacks were different from the ones Google disclosed the week before, when it accused Chinese hackers of targeting specific individuals, including senior U.S. and South Korean government officials, anti-Chinese government activists and journalists. Google, which bundles Flash Player with Chrome, also updated its browser Tuesday to include the just-patched version of Flash."

139 of 178 comments (clear)

Min score:

Reason:

Sort:

WTF adobe by Xtravar · 2011-06-15 12:08 · Score: 1

Every time I turn on my computer, another update... just do it silently already if it's such a problem otherwise I'm going to uninstall.

--
Buckle your ROFL belt, we're in for some LOLs.
1. Re:WTF adobe by jo42 · 2011-06-15 12:15 · Score: 2
  
  The best solution to the crapware known as "Flash Player" (on Adobe's own site no less): http://kb2.adobe.com/cps/141/tn_14157.html
2. Re:WTF adobe by Anonymous Coward · 2011-06-15 12:15 · Score: 1
  
  Right, because if there is anyone you should trust to to things silently in the background it is Adobe.
3. Re:WTF adobe by brucek2 · 2011-06-15 12:20 · Score: 2
  
  And also, why is the update process tied to system startup? My main desktop rarely reboots, which means I get these updates only weeks after I needed them, or after taking special action because I saw a story like this one.
4. Re:WTF adobe by PNutts · 2011-06-15 12:24 · Score: 5, Informative
  
  http://secunia.com/vulnerability_scanning/personal "The Secunia PSI is aFREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals. The only solution to block these kind of attacks is to apply security updates, commonly referred to as patches. Patches are offered free-of-charge by most software vendors, however, finding all these patches is a tedious and time consuming task. Secunia PSI automates this and alerts you when your programs and plug-ins require updating to stay secure." Set and forget.
5. Re:WTF adobe by brucek2 · 2011-06-15 12:36 · Score: 1
  
  Thanks! Installed and scanning now.
6. Re:WTF adobe by Xtravar · 2011-06-15 12:38 · Score: 1
  
  Wow, that seems useful. I never understood why MS doesn't put 3rd party stuff into Windows Update.
  
  --
  Buckle your ROFL belt, we're in for some LOLs.
7. Re:WTF adobe by Qzukk · 2011-06-15 12:43 · Score: 2
  
  Actually, it's tied to the login process, logging out and back in triggers the updater. As for why, I'm guessing that it's because there's no central repository that can be checked periodically, and people whine and moan about having a half dozen executables sitting around and doing nothing but checking for updates. I've got computers at work that have programs in the background for Java updates, InstallShield (several programs use this), Apple's updater, Adobe's updaters and Google's updater, all on top of Windows Update whenever it runs.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
8. Re:WTF adobe by networkzombie · 2011-06-15 12:48 · Score: 1
  
  They would be assuming responsibility which is never a good thing.
9. Re:WTF adobe by Anonymous Coward · 2011-06-15 13:00 · Score: 1
  
  So it does exactly what Chromium does? Updates specific plugins, disables known vulnerable plugins, and makes plugin instances click-enabled?
  Before Google added native vulnerability checking they had an extension for that: https://chrome.google.com/webstore/detail/pgkcfihepeihdlfphbndagmompiakeci.
10. Re:WTF adobe by ColdWetDog · 2011-06-15 13:03 · Score: 1
  
  mod parent up, Adobe needs to get with the times and provide an auto-updater, even Java provides this!
  Actually Adobe does have an update demon for Creative Suite (at least on OS X). It's actually rather benign, it just sits there and gives you the number of patches it thinks you need. Doesn't beep, squeak or bounce up and down. The problem though, is as 'ol Qzukk points out a few comments above this. You end up with a half dozen little programs bothering you at random times. Do Not Want.
  
  --
  Faster! Faster! Faster would be better!
11. Re:WTF adobe by kirbysuperstar · 2011-06-15 13:05 · Score: 1
  
  Even Adobe Reader provides this.
12. Re:WTF adobe by Mashiki · 2011-06-15 13:06 · Score: 1
  
  Too bad that pushing 90% of the web these days uses it including for full site design.
  
  --
  Om, nomnomnom...
13. Re:WTF adobe by RussellSHarris · 2011-06-15 13:16 · Score: 2
  
  Yeah, because it never occurred to anybody that the Windows Task Scheduler could be used to schedule checks for updates for computers that never get rebooted...
14. Re:WTF adobe by dgatwood · 2011-06-15 13:45 · Score: 3, Insightful
  
  Really? I've been using the ClickToFlash Safari extension for a couple of years, and the Click2Flash Safari plug-in for a year or more before that, and (not counting Flash games) I can count the number of sites where I've had to load Flash content on one hand, give or take. I've only seen about two sites in three or four years that use Flash for the main navigation, and neither is a site that I visit regularly.
  YouTube content is generally usable with the HTML5 video tag, which pretty much eliminated the one site I regularly use that required Flash. I'm going to go out on a limb and say that 99% of the Flash content I encounter is advertising, and sites generally work correctly if the Flash content doesn't load, so I see no reason not to disable Flash.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
15. Re:WTF adobe by Xtravar · 2011-06-15 14:23 · Score: 1
  
  Apple does it just fine with the AppStore...
  
  --
  Buckle your ROFL belt, we're in for some LOLs.
16. Re:WTF adobe by mikestew · 2011-06-15 14:34 · Score: 2
  
  I don't even have Flash installed on the two machines I mainly use, and view a lot of pages on the Flash-incapable iPad and iPhone. The only place I notice the lack of Flash is YouTube and Hulu. YouTube is fine on iOS, and there's a Hulu app for iOS and Mac OS X. Sure, once in a while a site doesn't render. As I used to say about RealPlayer, there's nothing on the web I need to see so badly that I'm willing to install Flash.
17. Re:WTF adobe by Anonymous Coward · 2011-06-15 14:53 · Score: 1
  
  For you firefox folk out there
  http://www.mozilla.com/en-US/plugincheck/
  Works decently...
18. Re:WTF adobe by Nimey · 2011-06-15 15:05 · Score: 1
  
  Oh, wait. Google does that.
  
  --
  Hail Eris, full of mischief...
  
  E pluribus sanguinem
19. Re:WTF adobe by monkyyy · 2011-06-15 15:59 · Score: 1
  
  the same reason to use windows, games
  and the same reasons to muti-boot as well; to disable it for most the time
  
  --
  warning pointless sig
20. Re:WTF adobe by Billly+Gates · 2011-06-15 16:06 · Score: 1
  
  "YouTube content is generally usable with the HTML5 video tag, which pretty much eliminated the one site I regularly use that required Flash. I'm going to go out on a limb and say that 99% of the Flash content I encounter is advertising, and sites generally work correctly if the Flash content doesn't load, so I see no reason not to disable Flash.
  "
  The issue is IE 6/7. Since Asian and corporate users refuse to upgrade the webmasters are under pressure to make a site that looks great for IE 6 that will work 5 years from now with Chrome 25. Flash is the substitute. I really hope when XP finally dies that corporations will upgrade to Windows 8 with IE 10 so developers can finally leave flash behind. There are sites too that use more flash if it detects IE 6 or IE 7.
  
  --
  http://saveie6.com/
21. Re:WTF adobe by Billly+Gates · 2011-06-15 16:10 · Score: 1
  
  "Apple does it just fine with the AppStore..."
  Apple does not have corporate users who hate to upgrade unless things are tested first ... whichever year they decide to do it. It is a liability because it is called Windows Update and therefore is part of Windows according to the lawyers. Not to mention Sarbines Oxley requires documentation for unathorized software upgrades or installs and useless annoying crap.
  With the Apple Store the user assumes responsibility. No such arrangement on Windows as Offices would refuse to use it otherwise.
  
  --
  http://saveie6.com/
22. Re:WTF adobe by Danieljury3 · 2011-06-15 16:11 · Score: 1
  
  Someone should make a virus that uses vulnerability's in IE 6/7 to gain access to a machine to uninstall IE 6/7. Might be the only way to make some of them upgrade.
23. Re:WTF adobe by dgatwood · 2011-06-15 16:32 · Score: 1
  
  Since Asian and corporate users refuse to upgrade the webmasters are under pressure to make a site that looks great for IE 6 that will work 5 years from now with Chrome 25. Flash is the substitute.
  And then their sites won't work on iPhone, iPod Touch, or iPad. In general, pandering to people running outdated browsers on an outdated OS on outdated hardware while ignoring people with the disposable income to buy modern gadgets is generally bad for sales. Just saying. :-)
  
  There are sites too that use more flash if it detects IE 6 or IE 7.
  See, since I don't run IE6 or IE7, I don't really care about those. They don't affect me, and if they affect you, this might be a good time for you to click on over to your choice of Google, Apple, or FireFox and download a better browser. :-D
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
24. Re:WTF adobe by tlhIngan · 2011-06-15 17:11 · Score: 2
  
  Apple does not have corporate users who hate to upgrade unless things are tested first ... whichever year they decide to do it. It is a liability because it is called Windows Update and therefore is part of Windows according to the lawyers. Not to mention Sarbines Oxley requires documentation for unathorized software upgrades or installs and useless annoying crap.
  With the Apple Store the user assumes responsibility. No such arrangement on Windows as Offices would refuse to use it otherwise.
  Actually, it's because the iOS App Store (and likely the Mac App Store) requires apps to be self-contained. The only dependencies on apps allowed are what comes with a completely clean install of the OS. So as a first-pass test, all you need to do is run your app, because unless you jailbreak, you're reasonably assured that it's just your app running.
  If you update your PDF viewer on iOS, iOS will launch the PDF viewer itself and it's running in its own little sandbox when a webbrowser requests it.
  Microsoft Office, etc. install stuff all over the place and many hidden dependencies can result - apps using fonts, DLLs, APIs and other things without realizing they're not provided with Windows, just that so many people use those programs that it's assumed it's there and very strange things happen when they aren't.
  So in general, updating an iOS app will update the files associated with just that app, and since the app is self-contained, there is no way there can be hidden library dependencies or API dependencies. But Windows and Office have so many components added to them that strange dependencies develop. Heck, I had one program require OpenSSL under Windows, and it worked, despite my never installing the OpenSSL DLLs. Instead, it seemed Windows pulled the OpenSSL DLLs from the WiFi driver's installation directory and used those. Tell me if that isn't a disaster waiting to happen.
25. Re:WTF adobe by smash · 2011-06-15 17:51 · Score: 1
  
  If you're running IE6, you're insecure anyway. If you're running IE7, you should upgrade to IE8 (or even better, IE9), as basically anything that works in 7 works in 8/9.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
26. Re:WTF adobe by hedwards · 2011-06-15 18:02 · Score: 1
  
  It's a force of habit from when Windows used to come with that auto Reboot feature. You know the one that was that pretty blue color.
27. Re:WTF adobe by Serious+Callers+Only · 2011-06-15 18:39 · Score: 1
  
  Every time I turn on my computer, another update... just do it silently already if it's such a problem otherwise I'm going to uninstall.
  I already have. You won't miss much, and I doubt it'll stay the standard container format for web video much longer.
28. Re:WTF adobe by networkzombie · 2011-06-15 18:42 · Score: 1
  
  Also, read the restrictions for the appstore. My eleven year old niece is not allowed to use the appstore, but she can use Windows update.
29. Re:WTF adobe by Alex+Belits · 2011-06-15 19:03 · Score: 1
  
  No, that's supposed to be a nag screen.
  
  --
  Contrary to the popular belief, there indeed is no God.
30. Re:WTF adobe by ArsenneLupin · 2011-06-15 19:20 · Score: 1
  
  Too bad that pushing 90% of the web these days uses it including for full site design.
  But honestly, who needs those 90% of crap sites? And if some needed site slips in along with all the trash, there's e-mail, there's phone, and there's competitors.
  If more people did the civic thing, and actually call the relevant companies when there is a problem, it wouldn't be such a huge issue.
31. Re:WTF adobe by ArsenneLupin · 2011-06-15 19:22 · Score: 1
  
  And, what's more, there's the Flashblock Add-on, which lets you re-enable flash on a case-by-case basis for the rare occasion where you need it, and where the culprit won't listen to its customers.
32. Re:WTF adobe by datapharmer · 2011-06-15 20:44 · Score: 1
  
  they do offer this if you run windows server update services (wsus). It is called system center updates publisher (scup). Saves a lot of time and hassle for windows domain admins. adobe, hp, dell, and many other big vendors are compatible. It doesn't cover every piece of software under the sun, but it covers most of the ones likely to cause havoc due to 0 day exploits.
  
  --
  Get a web developer
33. Re:WTF adobe by datapharmer · 2011-06-15 20:47 · Score: 1
  
  which means that all your apps don't get patched until windows says it is ok. That's a great idea.
  
  --
  Get a web developer
34. Re:WTF adobe by Neil+Boekend · 2011-06-15 21:12 · Score: 1
  
  You should also push firefox to these machines. Replace ie with the FF installer. Let FF take the IE settings by default. Otherwise you have a machine without the possibility to download a browser.
  
  --
  Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
35. Re:WTF adobe by Lennie · 2011-06-15 21:48 · Score: 1
  
  That is why you upload your content on the site several times or use a service which does the conversion for you (like the Internet Archive or vid.ly: http://hacks.mozilla.org/2011/01/simple-html5-video-encoding-with-vid-ly-interview-first-impressions-and-invite-code/ ).
  So ones for HTML5-video and one fallback for Flash.
  That way, when HTML5-video does not work a fallback is available.
  This is just like everything else in webdevelopment, if a older browser doesn't support a new feature. You add a fallback or leave it out (like some many animation which isn't really needed).
  
  --
  New things are always on the horizon
36. Re:WTF adobe by Lennie · 2011-06-15 21:57 · Score: 1
  
  He was talking about Asia and Windows XP, you can't upgrade to IE9. There is no IE9 for Windows XP.
  You can however 'upgrade' to Firefox, Chrome, Opera.
  (No I specifically do not mention Safari in that list because Safari uses the Windows libraries and thus does not support SNI)
  
  --
  New things are always on the horizon
37. Re:WTF adobe by icebraining · 2011-06-15 22:17 · Score: 1
  
  No, you have a single installer that connects to multiple repositories, one for each company if necessary. Just like with apt(itude).
  
  --
  Dilbert RSS feed
38. Re:WTF adobe by ais523 · 2011-06-15 23:48 · Score: 1
  
  You can just download a browser via FTP (the ftp command-line tool comes with Windows). That's often how I get Firefox on new Windows installations.
  
  --
  (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
39. Re:WTF adobe by Lennie · 2011-06-16 00:06 · Score: 1
  
  No I mean if they need flash to support old browsers than use a new browser. :-)
  
  --
  New things are always on the horizon
40. Re:WTF adobe by Neil+Boekend · 2011-06-16 00:39 · Score: 1
  
  But you can't expect some redneck (who isn't smart enough to have upgraded by now) to do that from memory.
  
  --
  Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
41. Re:WTF adobe by jc42 · 2011-06-16 07:30 · Score: 1
  
  ... no one wants html5 apart from a small bunch of talentless creeps that want us all to return to the bad old days of "this website is best viewed with [insert browser here]" ...
  Not sure what you're getting at here. I've "converted" most of my web pages to HTML5, by replacing that old, crufty first line with "<!doctype html>", tested them against lots of browsers, and I've never found a problem.
  Lest you think I'm just joking, well I am, obviously, but there's also a serious side to this. As far as I can tell, most of the supposed conversions to HTML5 consist of little more than rewriting the doctype line. Or adding it, in many cases. Then trusting the browsers to figure out how to handle each tag in the file.
  And actually, I have found that my few pages that use <canvas> don't work too well in IE6. So far nobody has complained about that, perhaps because IE6 users don't look at those pages or can't figure out that something's missing. OTOH, I've found that my canvas tags seem to work ok in a number of browser versionss that supposedly don't support HTML5, which makes the situation even more murky. Maybe the browser makers really have all been upgrading to HTML5 all along, but don't want to admit it in public until it has become socially acceptable in the reactionary crowd. Or they are sneaking it in past their bosses' determination that HTML5 isn't needed.
  Anyway, I've found that looking things up in the HMTL5 docs and using that sort of HTML seems to be a pretty good strategy. I've found that the results work, in some sense of "work", in all the browsers that I have available, including (to my surprise) the browsers on a number of smartphones.
  Maybe this is the 90s speaking, though. The impetus to HTML5 did start way back then, and a lot of implementers took the approach of trying to accept any markup that was documented anywhere and do something sensible with it. So maybe it's not surprising that it seems to work better than one might expect.
  I think HTML5 is sneaking in through the back door. Eventually people will discover that their sites have converted to HTML5 without anyone making an official decision to do so.
  
  --
  Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Out of band? by Anonymous Coward · 2011-06-15 12:12 · Score: 1

Adobe last issued an 'out-of-band' emergency update...
What is with all these software companies trying to schedule their patches? I don't buy the whole "it helps IT people roll out updates" argument. If a patch interferes with some sysadmin's precious schedule, he can just roll it out later (after half his machines are infected).
1. Re:Out of band? by LO0G · 2011-06-15 13:05 · Score: 4, Informative
  
  Before the patch is made, many of these exploits are not widely known. Sometimes they are, but normally they aren't.
  As I understand it, the risk is that once the patch is published, the bad guys reverse engineer the patch and publish exploits for those patches (usually within 6 hours). So if you delay patching after a patch is made, you put your machines at increased risk. So scheduling an update so that IT folks have time to react is a good thing.
  The one exception is when the exploit is published *before* the patch is published. In that case, it makes sense to push an out-of-band patch and to hell with the sysadmins schedule.
2. Re:Out of band? by Anonymous Coward · 2011-06-15 13:24 · Score: 1
  
  Before the patch is made, many of these exploits are not widely known. Sometimes they are, but normally they aren't.
  As I understand it, the risk is that once the patch is published, the bad guys reverse engineer the patch and publish exploits for those patches (usually within 6 hours). So if you delay patching after a patch is made, you put your machines at increased risk. So scheduling an update so that IT folks have time to react is a good thing.
  Sorry, but this reeks of Security Through Obscurity. Every minute that a company has a patch and refuses to release it, they're making things worse for everyone.
3. Re:Out of band? by shutdown+-p+now · 2011-06-15 13:58 · Score: 1
  
  "Security through obscurity" is not a universally bad thing. Only on Slashdot it's considered some kind of final, unrefutable argument in any security-related discussions.
4. Re:Out of band? by jd2112 · 2011-06-15 13:59 · Score: 1
  
  Spoken like someone who has never been responsible for keeping thousands of computers running mission critical applications. When money is involved (lost business, idle workers, etc.) the risk of deploying patches without going through proper testing cycles can be much greater than the risk posed by malware. If you have ever had a thousand workers idle because a patch caused a mission critical app to fail you would understand.
  
  --
  Any insufficiently advanced magic is indistinguishable from technology.
5. Re:Out of band? by HTH+NE1 · 2011-06-15 15:35 · Score: 1
  
  "Out-of-band" isn't even the correct term. If it was out-of-band, it would be pushed through an alternate channel or medium parallel to the usual release, like mailing the keys you need to decrypt the downloaded patches through postal mail, or like how CSS can be served independently from the HTML document as opposed to inline presentation HTML tags.
  What it is is "out-of-schedule" or simply "unscheduled". Some PHB heard of the existing term "out-of-band" and decided that that's what this would be called without understanding, knowing, or even caring about the established meaning.
  
  --
  Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
6. Re:Out of band? by 10101001+10101001 · 2011-06-15 15:48 · Score: 1
  
  As I understand it, the risk is that once the patch is published, the bad guys reverse engineer the patch and publish exploits for those patches (usually within 6 hours). So if you delay patching after a patch is made, you put your machines at increased risk. So scheduling an update so that IT folks have time to react is a good thing.
  That doesn't really make sense, though. If what you say is true and it's the patch itself that is used to make the exploit, it doesn't matter if you release the patch on day 1 or day 10. It'll still be patch day + 6 hours before an exploit is in the wild. The real issue, actually, is not telling IT folks about the exploit (not necessarily details but enough to know to not use the product or to use a work around to limit/block the exploit) before the patch is released. Presuming that it takes days between announcing there's an exploit and releasing the patch, that should give IT folks the time to mitigate the risk and then deal with the patch when it comes. All a vendor having a time table does is allow them to group many exploits together to allow them to pretend the amount of exploits that exist are smaller than there are. IT folk, having to deal with multiple vendors with multiple patch day schedules, have to develop their own schedule for accepting patches, testing them, and applying them, anyways, so I don't really see how it helps them.
  
  The one exception is when the exploit is published *before* the patch is published. In that case, it makes sense to push an out-of-band patch and to hell with the sysadmins schedule.
  Which still means telling IT folk about the exploit and not waiting for the patch to actually be made. As much as the exploit might be the wild, that doesn't mean every black hat has enough information about the exploit to use it. Hence, releasing the patch to everyone still has a lot of the above mentioned +6 hour risk.
  
  --
  Eurohacker European paranoia, gun rights, and h
7. Re:Out of band? by LO0G · 2011-06-15 16:03 · Score: 2
  
  shutdown-p basically nailed it but I want to dig a bit deeper.
  There is no such thing as absolute security. There is no software available to end-users that is 100% secure (there may be very special case scenarios but they're not mainstream). Because of this, security is primarily a risk management problem.
  So when you decide to take a patch, you have to weigh the risks of taking the patch (it might break some LOB app) against the risk of *not* taking the patch (you might get hacked).
  We make these choices every single day when we get patches from vendors. Sysadmins (who have to keep entire corporations alive) are very risk averse (deploying a patch which shuts down the accounting department is likely to be a career-limiting-move) and that means that they want to make sure that every patch is tested before they deploy it.
  So when they see a patch, they need to weight the risks. There is *no* debate that the bad guys reverse engineer patches. They do. That means that once a patch is deployed, the risks of *not* taking it skyrocket.
  If you release patches once every few days, that means that sysadmins are constantly putting their line of business apps at risk.
  Somewhat off-topic: Every once in a while, someone at work asks about the benefits of moving some internal server from its traditional port to a new port (for instance moving the SMTP server from port 25 to port 9998). The purists always respond with "that's just security by obscurity", to which the pragmatists respond "yeah, but it works to remove certain classes of threats. It won't stop a dedicated attacker who's actively probing your ports, but for most automated attacks, it can be highly effective".
  So yeah, a little "security by obscurity" helps.
8. Re:Out of band? by dgatwood · 2011-06-15 16:09 · Score: 1
  
  In this case, maybe; in general, no.
  The reason you might be right in this case is that Flash is just so d**n buggy. I don't know how bad it is on Windows, but on Mac OS X, back before I added Click2Flash (and later, ClickToFlash), it used to be the #1 most common cause of Safari crashes on my machine by fully an order of magnitude over all other causes combined. When you realize that the odds are good that every single one of those crashes is an exploitable security hole, it's a wonder they don't have a zero-day a day.
  Because it is so buggy, everybody assumes it is an easy target, and they go looking for exploitable holes. This greatly increases the odds of zero-day exploits. Were Flash not a train wreck, most theoretically exploitable holes would not be known until patch time, and it would be very beneficial to schedule patch releases. As it stands, scheduling patches is of only moderate utility because patching the holes in Flash is like to trying to plug the holes in a colander, one at a time.
  In general, however, when you have to upgrade tens of thousands of machines at a company, you need to be able to count on scheduling that work ahead of time. It's a major undertaking, and if you can schedule it ahead of time, you minimize the chances that someone will disassemble the patch, come up with a working exploit, deploy that exploit with a bunch of prewritten attack code in a Flash advertisement on some major ad network, and infect half of your machines before you are able to get them patched.
  And this is why my machine has been running a Flash blocker for several years even though nobody has targeted Mac OS X through Flash yet. Just think of Flash blockers as a condom for your network browsing experience, and always practice safe web.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
9. Re:Out of band? by LO0G · 2011-06-15 16:11 · Score: 1
  
  There are two possible reactions to telling the IT guys about the exploit: (1) you give them enough information to harden their systems proactively (adobe flash scripting has a problem when dealing with flibberjabber elements) or (2) you give them vague information (there's a bug in flash somewhere).
  The first is probably enough to give the bad guys enough of a clue for them to figure out the vulnerability and you've just created a 0day. The second isn't enough information for the IT guy to figure out how to protect their systems.
  If there was a way for a vendor to tell only their customers about an upcoming issue, without letting the bad guys know, that's another thing. It's exactly why Microsoft created the MAPP which lets antimalware firms know about upcoming patches before they're released.
10. Re:Out of band? by dgatwood · 2011-06-15 16:26 · Score: 1
  The real issue, actually, is not telling IT folks about the exploit (not necessarily details but enough to know to not use the product or to use a work around to limit/block the exploit) before the patch is released.
  You're kidding, right? Are there really any IT admins who still don't know that from a security perspective, Flash is a giant sieve? :-)
  Seriously, any IT admin that doesn't (at minimum) install a Flash blocker on every machine is missing a security hole so big you could drive an Abrams through it.
  
  All a vendor having a time table does is allow them to group many exploits together to allow them to pretend the amount of exploits that exist are smaller than there are.
  Very, very wrong. It has lots of benefits:
  
  Fewer patches mean each patch likely to be more thoroughly tested because it wasn't rushed out the door.
  Fewer patches mean IT admins have time to test them all before rolling them out.
  Even with all the testing in the world, patches are going to break at least a few machines. Therefore, fewer patches = fewer hosed machines.
  As someone else noted, the release + 6 hours problem occurring once per week instead of once per day means that crackers creating exploits have only one seventh the number of opportunities to break into your machines.
  In short, the only reason you should ever release an unscheduled security patch is if you know that the vulnerability is already being exploited in the wild. Mind you, I'm not saying that you should sit on security fixes for two or three months, but releasing non-zero-day security fixes in an unscheduled fashion would be just as reckless and irresponsible as not immediately releasing a patch for a zero-day.
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
11. Re:Out of band? by hedwards · 2011-06-15 18:04 · Score: 1
  
  This is the type of security by obscurity that's bad. Security by obscurity as part of a balanced approach isn't problematic, but failing to release patches because of this sort of silliness is just irresponsible. You hold off on releasing a patch because people might reverse engineer it rather than having to use the already known exploit. The companies releasing these patches are rarely the first party to discover them, typically the find out about them after somebody exploits them.
12. Re:Out of band? by hedwards · 2011-06-15 18:05 · Score: 1
  
  I'm going to have to call BS. QA doesn't always take a predictable amount of time to complete. Sometimes it takes longer and sometimes it takes less time. Delaying security patches to home users because corporate users ask for it is completely unacceptable.
13. Re:Out of band? by Alex+Belits · 2011-06-15 19:11 · Score: 1
  
  Yessss! Because impact of a gaping security hole is less than of a non-working punch the monkey banner!
  
  --
  Contrary to the popular belief, there indeed is no God.
14. Re:Out of band? by 10101001+10101001 · 2011-06-16 04:25 · Score: 1
  
  To make a probably bad analogy, software patches/exploits is like avoiding pregnancy. To adequately protect yourself, your best bets are to not use exploitable software at all or to take proper countermeasures before an exploit is likely to be deployed against you. Waiting on patches, scheduled or unscheduled, as some sort of salvation is attempting to race the clock to abort any possible ongoing attack.
  To that end, the best protection if you want to actually use software is to actually known about the existence of exploits in software and deploy countermeasures then, not to have a patch dropped on your doorstep be it on day 1 or day 10 and only then work to deal with it as quickly as possible. That was my main point. It wasn't about the manageability of 1 vs 10 patches. Because at that level, there should already be a process in place that makes the above more a point of the degree of tedium in testing and deploying patches, not one of security. As a question of tedium, I think IT folks would best prefer software that just wasn't exploitable in the first place, although I can see month patch release as a compromise.
  
  --
  Eurohacker European paranoia, gun rights, and h
15. Re:Out of band? by 10101001+10101001 · 2011-06-16 04:30 · Score: 1
  
  There are two possible reactions to telling the IT guys about the exploit: (1) you give them enough information to harden their systems proactively (adobe flash scripting has a problem when dealing with flibberjabber elements) or (2) you give them vague information (there's a bug in flash somewhere).
  The first is probably enough to give the bad guys enough of a clue for them to figure out the vulnerability and you've just created a 0day. The second isn't enough information for the IT guy to figure out how to protect their systems.
  
  I don't know. The second one seems to be enough information for most IT guys. It means either blocking external flash (except possibly through trusted partners) through all avenues including web and email or blocking flash outright. Yes, for some companies that doesn't provide enough granularity, but for the vast majority it's enough.
  
  --
  Eurohacker European paranoia, gun rights, and h
16. Re:Out of band? by jd2112 · 2011-06-16 15:53 · Score: 1
  
  The job of IT is to keep the environment running. Unless there is a major virus update the risk of a patch causing an outage is usually greater than the (short term) risk of malware. I've experienced both mad scrambles to get a patch deployed and also mad scrambles to roll back a patch that caused a production outage. Trust me, a production outage ALWAYS a bigger deal than a virus outbreak.
  
  --
  Any insufficiently advanced magic is indistinguishable from technology.
17. Re:Out of band? by Alex+Belits · 2011-06-16 19:53 · Score: 1
  
  Production outage caused by Flash version change? Your production software relies on Flash, and breaks over upgrades?
  
  --
  Contrary to the popular belief, there indeed is no God.
18. Re:Out of band? by jd2112 · 2011-06-17 11:33 · Score: 1
  
  I've seen it happen. Fortunately it wasn't too important of a web site. When we found out what had happened my reaction was "I know better than to do that and I've never coded a line of Flash in my life!" A dirty little secret of Enterprise application development (both internally and externally) is a lot of it is done by novice developers. It seems that they hand them a copy of "language For Dummies" and let them loose on the code base. Because of this you never know what kind of bizarre shortcut some developer might have used could cause who knows what kind of issues when the slightest thing changes...
  
  --
  Any insufficiently advanced magic is indistinguishable from technology.
19. Re:Out of band? by Alex+Belits · 2011-06-19 03:17 · Score: 1
  
  I am sure, the problems prevented by noticing that application is not just a piece of shit but an extreme piece of shit, are far greater than effect of it breaking it for the time it takes to roll back Flash installation.
  
  --
  Contrary to the popular belief, there indeed is no God.
queue the comments... by Anonymous Coward · 2011-06-15 12:14 · Score: 1

about how it's not a zero-day if they knew about it
(and about how I don't know the difference between cue and queue)
1. Re:queue the comments... by Alex+Belits · 2011-06-15 19:18 · Score: 1
  
  Zero-day exploit is an exploit used or released before the vulnerability is published (or if not published, a fixed version or patch is released).
  First-day exploit is an exploit used or released within a day after vulnerability is published, etc.
  
  --
  Contrary to the popular belief, there indeed is no God.
Should be Free and Clear Soon? by selex · 2011-06-15 12:14 · Score: 1

At the rate they are finding bugs and patching them, Adobe Flash should be the most well written and perfect piece of software soon right? Selex
1. Re:Should be Free and Clear Soon? by Shikaku · 2011-06-15 12:19 · Score: 2
  
  http://www.youtube.com/watch?v=H47ow4_Cmk0
2. Re:Should be Free and Clear Soon? by thsths · 2011-06-15 19:45 · Score: 1
  
  It seems to me that the rate at which they fix bugs is ever increasing, maybe even exponentially.
  That means that either
  a) they introduce new bugs faster than the fix old ones (also exponentially growing),
  b) there is an infinite number of bugs in Flash,
  c) most of the fix do not actually fix the bug in question, or
  d) they will run out of bugs to fix soon!
  Now you can venture a guess as to what is actually happening.
3. Re:Should be Free and Clear Soon? by Lennie · 2011-06-15 22:04 · Score: 1
  
  e) it is crap old spagetti code which depends on third-party libraries which was created at a time when security wasn't all that high on the list of priorities.
  Just like Adobe PDF (Reader):
  http://www.youtube.com/watch?v=54XYqsf4JEY
  
  --
  New things are always on the horizon
Affected software versions by farnsworth · 2011-06-15 12:31 · Score: 4, Informative
Since it didn't say in the summary:

Affected software versions
- Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.3.185.23 and earlier versions for Android
--
There aint no pancake so thin it doesn't have two sides.
1. Re:Affected software versions by Anonymous Coward · 2011-06-15 13:29 · Score: 1
  
  There aint no pancake so thin it doesn't have two sides.
  A Moebius pancake?
2. Re:Affected software versions by Billly+Gates · 2011-06-15 16:13 · Score: 1
  
  Great maybe my Andriod phone will get an update oh after it has been rooted by 2012. AT&T is refusing to update it, probably because they want me to buy a new phone.
  
  --
  http://saveie6.com/
3. Re:Affected software versions by Alex+Belits · 2011-06-15 19:21 · Score: 1
  
  That kind of pancake would have to be made on a Moebius pan.
  
  --
  Contrary to the popular belief, there indeed is no God.
4. Re:Affected software versions by Zebedeu · 2011-06-15 23:46 · Score: 1
  
  The flash player is a separate download on the Android Market.
  I updated it this morning.
  Or is it different where you live?
5. Re:Affected software versions by psyclone · 2011-06-16 06:13 · Score: 1
  
  Thanks for the info. I have the same issue as the GP (but on Verizon). Viewing "My Apps" under the Market did not reveal an update. However, manually searching for flash player, then doing the update worked for me. (2.2 - froyo)
Perhaps one of the reasons by bryan1945 · 2011-06-15 12:33 · Score: 1

it's not in iOS? Besides the whole Apple-Adobe fighting & Apple pushing other standards.
Enjoy.

--
Vote monkeys into Congress. They are cheaper and more trustworthy.
1. Re:Perhaps one of the reasons by CharlyFoxtrot · 2011-06-15 13:39 · Score: 1
  
  Flash is the new RealPlayer. The sooner everyone uninstalls it the sooner it sinks into obscurity where it belongs.
  
  --
  If all else fails, immortality can always be assured by spectacular error.
2. Re:Perhaps one of the reasons by dudpixel · 2011-06-15 15:18 · Score: 1
  
  For argument's sake - its not in android either.
  Users must explicitly download and install it (unless the manufacturer bundles it - which they shouldn't).
  Maybe adobe should be the one responsible for their software, so that Apple doesn't feel like they have to be. Its about time they (adobe) cleaned this crap up.
  
  --
  This seemed like a reasonable sig at the time.
Stating the obvious by 93+Escort+Wagon · 2011-06-15 12:34 · Score: 1

Gotta love FlashBlock.

--
#DeleteChrome
And 64-bit Will Be Updated When? by hoeferbe · 2011-06-15 12:38 · Score: 4, Insightful

Great. I'm glad they're patching security vulnerabilities in their 32-bit product. But why do 64-bit users have to use a vulnerable version from 7 months ago?
1. Re:And 64-bit Will Be Updated When? by arth1 · 2011-06-15 13:10 · Score: 2
  
  Indeed.
  My Add-ons manager says I have:
  Adobe Acrobat 9.4.3.231
  Shockwave Flash 10.2.152.32
  When checking for updates, there are none.
  It's mid-2011, why should the focus be on 32-bit?
  Then again, a 64-bit version of Firefox would be nice too. Or perhaps not, given how much memory it eats. With it being a 32-bit app, at least it can't gobble up more than 2 GB per process...
2. Re:And 64-bit Will Be Updated When? by yoghurt · 2011-06-15 13:19 · Score: 1
  
  Why use an x64 browser?
  Because *everything* on my linux system is 64 bit. Why should I install *any* 32 bit?
  
  --
  Yoghurt
3. Re:And 64-bit Will Be Updated When? by larry+bagina · 2011-06-15 13:20 · Score: 1
  
  all those fancy new javascript engines that compile down to native code work much faster on x64 than on x86. Also, with firefox's memory leaks, 4 gigs isn't enough.
  
  --
  Do you even lift?
  These aren't the 'roids you're looking for.
4. Re:And 64-bit Will Be Updated When? by arth1 · 2011-06-15 13:35 · Score: 4, Informative
  
  Honest question: Why use an x64 browser?
  Speed, for one thing. For Windows, here is one benchmark that shows the rather significant difference. When on javascript heavy sites, having a 64-bit browser sure helps.
  For Linux, there are other considerations, like not having to install the whole 32-bit compatibility layer and libraries at all. Fedora, for example, won't install 32-bit support unless you explicitly tell it to. Being 64-bit only saves a lot of memory compared to being dual-stack.
  
  For example, we still put 32-bit Office on our x64 desktops for plug-in and other compatibility.
  The speed difference for large spreadsheets can be stupendous, in favour of 64-bit. Or running a text analysis on a book-sized document. I've ran 64-bit Office 2010 for quite a while, and haven't run into a single problem yet (well, 64-bit problem that is -- Office itself is another issue).
5. Re:And 64-bit Will Be Updated When? by pjbgravely · 2011-06-15 13:47 · Score: 1
  
  Yes the 64 bit version of Firefox seems to eat more memory. But on the other hand I haven't run 32 bit Firefox since version 1.5 so it may just be feature creep.
  
  --
  Star Trek, there maybe hope.
6. Re:And 64-bit Will Be Updated When? by Nimey · 2011-06-15 15:07 · Score: 1
  
  64-bit browsers tend not to be faster for some things, especially Javascript.
  Would that it were different, though.
  
  --
  Hail Eris, full of mischief...
  
  E pluribus sanguinem
7. Re:And 64-bit Will Be Updated When? by Billly+Gates · 2011-06-15 16:17 · Score: 1
  
  Same here. All the benchmarks show Chrome using many times more memory than Firefox. It is time this rumor died.
  
  --
  http://saveie6.com/
8. Re:And 64-bit Will Be Updated When? by hedwards · 2011-06-15 18:08 · Score: 1
  
  The 64bit versions always use more memory, which is why you're often better off not using a 64bit version unless you've got a reason to do so.
9. Re:And 64-bit Will Be Updated When? by Alex+Belits · 2011-06-15 19:24 · Score: 1
  
  It's mid-2011, why should the focus be on 32-bit?
  It's Adobe.
  
  --
  Contrary to the popular belief, there indeed is no God.
10. Re:And 64-bit Will Be Updated When? by ace123 · 2011-06-15 20:21 · Score: 1
  
  Why use flash in an x64 browser?
  FTFY
  I don't have flash in my 64-bit chrome. I rarely even notice that I'm not using flash. When I really want to see something in flash, I pop open the 32-bit firefox installation I have, and paste the url in there. More often than not, Vimeo and YouTube's HTML5 players work fine. The only trouble comes with any videos that embed ads, or DRM-heavy video sites like Hulu. (Exchange Chrome with Firefox if you want)
  I've been using this solution for a while, and it's much better than having an old/vulnerable Flash version or being subjected to the horrors of the 32-bit world for my everyday browsing.
11. Re:And 64-bit Will Be Updated When? by Lennie · 2011-06-15 22:16 · Score: 1
  
  This says 64-bit is faster JavaScript than 32-bit:
  http://arewefastyet.com/
  
  --
  New things are always on the horizon
12. Re:And 64-bit Will Be Updated When? by Lennie · 2011-06-15 22:21 · Score: 1
  
  euh... unless you have enough memory available is also a good answer. :-)
  
  --
  New things are always on the horizon
13. Re:And 64-bit Will Be Updated When? by AmiMoJo · 2011-06-15 23:44 · Score: 1
  
  Even us 32 bit users can't always upgrade. I don't have admin rights on my work laptop and it runs an ancient version of Reader 8. IT very slowly roll out updates now and then, but for now I am vulnerable.
  I can do Flash Player updates but they only happen when the machine is rebooted. I usually hibernate to preserve my environment from day to day so it might be a week or two until it happens, during which time I am vulnerable.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
14. Re:And 64-bit Will Be Updated When? by arth1 · 2011-06-16 02:48 · Score: 1
  
  That's because Chrome runs a different process per tab, which FF won't do until the next version.
  If looking at memory for a single tab and the browser itself, Firefox is far more greedy.
  But really, both of them are hogs. You should be able to run a web browser in 12 MB of memory, not up to 2 GB.
15. Re:And 64-bit Will Be Updated When? by PlusFiveTroll · 2011-06-16 04:45 · Score: 1
  
  Just write an pdf exploit that grabs admin and install err, foxit or something patched a little less often then once a week.
16. Re:And 64-bit Will Be Updated When? by Nimey · 2011-06-16 10:51 · Score: 1
  
  Chrome's new V8 (or Crankshaft, one of the two) isn't ported to 64-bit yet, and 64-bit IE9 also has slower javascript.
  I saw nothing on that site about bitness at all.
  
  --
  Hail Eris, full of mischief...
  
  E pluribus sanguinem
17. Re:And 64-bit Will Be Updated When? by Lennie · 2011-06-16 20:37 · Score: 1
  
  I'm fairly certain V8 is 64-bit support. Maybe Firefox and Chrome have no 64-bit build on Windows, but on Linux I've been using it for years.
  On the left is a menu which says 'machines'.
  
  --
  New things are always on the horizon
ActiveX by slyborg · 2011-06-15 12:43 · Score: 3, Insightful

Adobe has managed to reincarnate ActiveX in the form of Flash. Why is is this junk still being used? It's apparently got an attack surface the size of Jupiter...
1. Re:ActiveX by Anonymous Coward · 2011-06-15 13:19 · Score: 1
  
  Because many web-apps need ties directly to local resources; either for performance reasons or extended functionality. Flash and ActiveX provide developers what HTML and javascript cannot.
  As to why these aren't stand alone installed applications for security reasons? Because people would rather have portability and ease of access from any place in the world. You got a browser with Flash? Well, you task just got more convenient .
2. Re:ActiveX by wishfulThinking · 2011-06-15 16:26 · Score: 1, Interesting
  
  Good God, why all the hate on Flash? It's not a piece of crap at all... It does stuff that html/js/css hasn't been able to do, and still can't. So what if a company doesn't make all their products open source; some people gotta make a buck (protect what is rightfully theirs), and Adobe is not doing it in an evil way. Have all you flash haters not seen any javascript html exploits? XSS, dirty-cookie? Are there not a pissload of Sencha/JQuery Bugs? I've developed both Flash and html/js stuff they're both great. so why all the hate? 2011 html/css/javascript capabilities = 2003 Flash Capabilities
3. Re:ActiveX by Anonymous Coward · 2011-06-15 17:12 · Score: 1
  
  Flash sucks your entire CPU, gets exploited regularly, and sucks ass in general. That's why there's all the hate on flash. Your nick fits you.
4. Re:ActiveX by hedwards · 2011-06-15 18:11 · Score: 1
  
  Well, Flash isn't accessible and can't be made accessible. Anything that you convey using Flash also has to be conveyed in another fashion. Flash isn't available on all platforms that one might want to use, meaning that you're leaving some folks out. The performance is horrendous and the plug ins are frequently out of date and buggy. It's also a regular security nightmare and probably always will be as Adobe doesn't seem to be doing any better than Macromedia was previously.
  Time for it to die and be replaced by something that isn't complete crap.
5. Re:ActiveX by ArsenneLupin · 2011-06-15 19:26 · Score: 1
  
  Have all you flash haters not seen any javascript html exploits?
  I've got news for you: many have disabled javascript as well, just for that reason. And thanks to the Flashblock and NoScript extension, you can easily re-enable the offending elements on a case-by-case basis for the rare sites which can't be convinced to be respectful of their customers privacy and security.
6. Re:ActiveX by Anonymous Coward · 2011-06-15 20:12 · Score: 1
  
  Because the chances of successful exploitation are much higher with Flash. Because Flash kills performance. Because Flash hurts usability. Because they still don't have a proper x86_64 version. Because advertisers are abusing it. Because it's not a W3C recommendation. Because it has DRM. Because deleting cookies doesn't delete flash cookies. Because it hurt standards like SVG and SMIL. Because it doesn't work well (or at all) on mobile devices. Because there's no graceful degradation. Because the authoring tools cost big $$$. Because the authoring tools are Mac/Windows-only. Because swf files are near impossible to decompile, let alone modify. Because they can't be crawled.
  I can think of more, but I uninstalled it over 4 years ago.
7. Re:ActiveX by Dr.Syshalt · 2011-06-15 21:50 · Score: 1
  
  Because the chances of successful exploitation are much higher with Flash.
  Not unless you allow Flash in Flashblock. Everyone has a kind of Flashblock today - even Chrome.
  
  Because Flash kills performance.
  Nonsense. Flash performance is much better than performance of JS, doing the same task.
  
  Because Flash hurts usability.
  Oh, really? I thought it was bad designers/programmers who hurt usability. A well-designed RIA in Flex is much better than JS/CSS/HTML mess when it comes to usability. I don't even mention support.
  
  Because they still don't have a proper x86_64 version.
  Most PC games do not have 64bit versions. Should we hate them too?
  
  Because advertisers are abusing it.
  Again, how it it the problem of Flash? And again - flashblock is an easy answer. Just like NoScript is the answer to many JS abuses.
  
  Because it's not a W3C recommendation. Because it has DRM. Because deleting cookies doesn't delete flash cookies. Because it hurt standards like SVG and SMIL.
  OSMF does support SMIL - to a much better degree than any browser out there. You do know, what OSMF is, don't you?
  
  Because it doesn't work well (or at all) on mobile devices.
  Oh... right! Here is the reason - it's not Apple. Should I start hating Java/Scala/Python too since Jobs didn't bless them either?
  
  Because there's no graceful degradation. Because the authoring tools cost big $$$. Because the authoring tools are Mac/Windows-only.
  Again - a lie. There is Flex SDK for Linux. It's free (open source). You can use it with VIM - or with Intellij IDEA, if you prefer.
  
  Because swf files are near impossible to decompile, let alone modify.
  Ever tried decompiling minified/obfuscated JS? Or looking into the "source" of GMail, which is JS/HTMLCSS? If someone wants you to have sources - he will give you the _sources_. BTW, there are many SWF decompilers out there, if you really need one.
  
  Because they can't be crawled.
  So what? It's a problem of a webmaster - not yours, as a user. BTW, GWT and many other HTML/JS/CSS monsters are not exactly SEO-friendly by default either. Any AJAX/RIA application contradicts with SEO friendliness - you've got to find a way around, and they do exist. And again - GP question was not "what problems we have with Flash?". It was "why all the hate on Flash?". Everything has problems - just as CSS/JS/WebGL do. The more features it has, the more potential problems it can bring.
8. Re:ActiveX by Dr.Syshalt · 2011-06-15 22:04 · Score: 1
  
  Good God, why all the hate on Flash?
  
  Because Adobe is losing the PR battle to Apple.
9. Re:ActiveX by Lennie · 2011-06-15 22:18 · Score: 1
  
  Not anymore.
  Maybe on IE6 or IE7, but no-one should be using those anyway.
  
  --
  New things are always on the horizon
10. Re:ActiveX by Attack+DAWWG · 2011-06-16 00:44 · Score: 1
  
  Because Adobe is losing the PR battle to Apple.
  Can we submit entries for the fucking stupidest Slashdot post of the month?
  I'd like to submit the post I'm replying to.
11. Re:ActiveX by Just+Some+Guy · 2011-06-16 02:59 · Score: 1
  
  Good God, why all the hate on Flash?
  Because of the seemingly endless stream of stories exactly like the one you're reading right now. Flash doesn't remove any of the vulnerabilities you describe; it adds to them. What's less secure: Firefox with "javascript html exploits? XSS, dirty-cookie? [...] Sencha/JQuery Bugs", or Firefox with all that plus Flash's exploit du jour?
  I'm glad you've found a way to make a living off it. Good for you! But I honestly couldn't care less if that ended tomorrow. My system's integrity is much more interesting to me than any Flash-heavy website I've ever seen, and I won't miss it for a moment when it finally goes away.
  
  --
  Dewey, what part of this looks like authorities should be involved?
Adobe... Java.... Internet Explorer... by PenquinCoder · 2011-06-15 12:46 · Score: 1

What do all of these have in common??? They're the most used in-roads to exploits on a system.

Unfortunately, while we have educated users and created worthy (and better) compiteroes to Internet Explorer, the same has not been done for Adobe's Flash/PDF, or Java.

Seriously, how many more exploits and system owning do we need to do before we can be free of Adobe's so called 'Portable Document', and its CPU hogging, desktop crashing, bug ridden, crackers best wet dream, craptastic software???
1. Re:Adobe... Java.... Internet Explorer... by varargs · 2011-06-15 13:17 · Score: 1
  
  Yep. I just installed Chrome on a new Linux system. Immediately got the message "Flash out of date." So I went to Adobe web site, and they said Chrome users needn't worry, Flash is automatically updated. Right. I don't know this for a fact, but it seems to me that Flash is a good example of what you get when you farm out your software development to 3rd worlders. They apparently still haven't gotten 64 bit support right.
Tenable's Security Center requires Flash by Anonymous Coward · 2011-06-15 12:52 · Score: 1

Why don't I feel secure?
64-bit required for a browser by poppopret · 2011-06-15 13:15 · Score: 1

If you open enough browser windows and enough tabs in each window, you'll exceed what a 32-bit program can handle. Depending on the OS, 32-bit programs get 2 or 3 GB of address space. I've seen my browser using more than 4 GB.
Too many updates! by antdude · 2011-06-15 13:18 · Score: 1

MS had so many updates yesterday. On my 64-bit Acer OEM VIsta HPE SP2 (IE7) test PC had to get over 200 MB of updates from MS. Then, Adobe updates. Augh!!

--
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
1. Re:Too many updates! by TheRealQuestor · 2011-06-15 13:38 · Score: 1
  
  so you would rather them not fix it at all? I don't care about a 200 meg download [and oddly mine was less then 65M last night] but I do care if I am running an unpatched system.
  Wait I also installed Ubuntu 11.04 last night and on bootup it had at least 100 megs of updates. and 11.04 only like what 28 days old or something. THAT's some patchin right there!
  So please mr. joe compnay, please keep fixing your horrible [or not so horrible] code.
  Now if the folks who do Java could figure out how to actually fix it so I don't get 5 calls a week about some malware that says their system is infected or their hard drive is failing, I'd be a happy camper. Poorer, but happier. Out of the last 20 or so incident calls I have had to go fix that involved malware, they have ALL been introduced to a fully patched and locked down system using some java crap. I would remove Java like the plague, which it is, if it weren't for them needing it for the damn medical and or finacial softwares they run.
  Freaking java should just die.
2. Re:Too many updates! by antdude · 2011-06-15 13:42 · Score: 1
  
  1. Don't release all the patches in the same day! I have to patch a bunch of computers manually: Linux/Debian, Windows, and Mac OS X.
  2. Companies should do a better job with their codes to avoid these security problems.
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
3. Re:Too many updates! by 0123456 · 2011-06-15 15:46 · Score: 1
  
  Wait I also installed Ubuntu 11.04 last night and on bootup it had at least 100 megs of updates. and 11.04 only like what 28 days old or something. THAT's some patchin right there!
  Windows Update generally only updates the operating system and a few Microsoft apps. Ubuntu updates the operating system and thousands of applications (or whichever of those thousands you have installed).
  And the big problem with Windows Update is not the amount it downloads, but the fact that it constantly wants to reboot after installing an update and thrashes the disk like a two dollar whore while it's installing so I usually can't do anything else.
4. Re:Too many updates! by Billly+Gates · 2011-06-15 16:22 · Score: 1
  
  Are the latest Java JRE really that insecure? Java has prided itself as having the ultimate sandbox and I know finally someone compromised it last year.
  Reason I am asking is because I use Eclipse and do Android development. Is it save to use the latest releases of Java 6 64 bit?
  
  --
  http://saveie6.com/
5. Re:Too many updates! by TheRealQuestor · 2011-06-15 16:30 · Score: 1
  
  they are that bad.
6. Re:Too many updates! by Lennie · 2011-06-15 22:25 · Score: 1
  
  I think the trashing is:
  "creating system restore point" or whatever it is called.
  
  --
  New things are always on the horizon
7. Re:Too many updates! by Lennie · 2011-06-15 22:27 · Score: 1
  
  Easiest way ? Use Firefox and disable the Java-plugins.
  Hell, disable all plugins. Maybe enable flash with flashblock or other similair extension.
  
  --
  New things are always on the horizon
And still no new 64-bit releases by The+One+KEA · 2011-06-15 13:48 · Score: 1

I wonder if Adobe has just given up on its pure 64-bit users (on both Windows and Linux) and decided that they can rot. I haven't seen a new Flash Player Square release mentioned anywhere since the last release came out. What on earth is preventing these people from supporting their 64-bit plugin with security updates?

--
SCREW THE ADS! http://adblock.mozdev.org/ Proud user of teh Fox of Fire - Registered Linux User #289618
1. Re:And still no new 64-bit releases by dgatwood · 2011-06-15 17:07 · Score: 1
  
  The x86_64 architecture has the ability to mark memory pages non-executable (NX) and so some forms of overrun exploits simply do not succeed.
  Sure, that prevents certain types of exploits against certain vulnerabilities, but it doesn't generally nullify a vulnerability entirely.
  A vulnerability is like having a glass window next to the door on your house. The NX bit is like bars on that window. It prevents you from trivially breaking the glass and reaching through to turn the lock, but it does not prevent you from breaking the glass, pointing a gun at someone on the other side, and ordering him or her to unlatch the bars so that you can reach in and unlock the door.
  In much the same way, an NX bit prevents you from injecting arbitrary code in some places, but doesn't necessarily prevent you from calling mprotect or whatever to make the writable page executable or to make some other executable page writable or whatever. This just means that you now have to exploit the vulnerability in a more complex fashion or exploit it more than once (e.g. once to return into the first line of mprotect after overwriting the parameters appropriately so that it makes the stack writable, and once to overwrite the stack with your code and jump into it). The exploit just becomes a somewhat more complicated trampoline design instead of a simpler chunk of code.
  All those techniques (NX, ASLR, etc.) make it harder to attack 64-bit processes, but even when combined, they are not a cure-all, and I'd be wary of any claim that they can completely nullify any particular security hole. It might be true in a few cases, but that's like buying expensive HDMI cables for your living room under the assumption that it will make the picture look better.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
How about an auto-updater that doesn't suck? by Nimey · 2011-06-15 15:04 · Score: 1

Something like the one Adobe Reader X uses, in point of fact, one that can be configured to automatically install updates in the background without administrator privileges.
If you're going to be so fucking useless as to need such frequent security updates, have mercy on us IT types and unfuck your auto-updater.

--
Hail Eris, full of mischief...

E pluribus sanguinem
1. Re:How about an auto-updater that doesn't suck? by Alex+Belits · 2011-06-15 19:33 · Score: 1
  
  You underestimate Adobe developers' ability to fuck up.
  Then they'll have security holes in the updater, and it will be holes in privileged application. Where is your permissions model now?
  
  --
  Contrary to the popular belief, there indeed is no God.
2nd in nine days by dave562 · 2011-06-15 15:39 · Score: 1

There must be some serious pressure on them if they are patching that frequently. It's not like Senate.gov or Google are getting hacked or anything. People are not really using the internet, and malicious files to go after anything pertinent, at places like Lockheed, or other RSA customers. None of those places would use Adobe Reader to open those RFPs or other thousands of forms sent to them by Uncle Sam, right?
Barn door, meet the horse's ass that has already run away from you.
I don't think that anyone has digitized my 1st grade crayon drawings yet. I think those are still safe.
That little checkbox by mph_sd · 2011-06-15 15:42 · Score: 2

Strangely I decided not to read the EULA before applying the second patch in 2 days. Ok, i didn't read it for the first patch in 2 days either. I hope this doesn't make me liable for...anything.
warm fuzzy, but no by mevets · 2011-06-15 16:14 · Score: 1

Adobe's holes are far beyond an easy fix. Funny how they have become the new Windows. It is, of course, because so many people use it, not because it is a pile of crap.
1. Re:warm fuzzy, but no by dgatwood · 2011-06-15 17:23 · Score: 1
  
  I'm assuming you're being sarcastic. If not, though, by that standard, we should have serious security holes on a near-daily basis in Notepad, Facebook, Google....
  This, of course, brings us to the obvious question: how many security holes does a single plug-in have to patch before we can take for granted that the code is one giant, steaming pile of dingo turds? Just curious. Maybe that should be a Slashdot poll....
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
Adobe deserves to be raked... by mevets · 2011-06-15 16:20 · Score: 2

But the inference you are making is not well supported. Google's response to getting hacked was to institute a ban on MS machines. Apparently, Google lacks the resources to manage MS machines properly, which isn't exactly surprising.
Dust off the Senate.gov and others, and you may find the same root cause. Not unsolvable; just the solutions are unworkable. Ditch them and demand something better. Its not like there is a shortage of choice.
1. Re:Adobe deserves to be raked... by dave562 · 2011-06-16 05:47 · Score: 1
  
  I was thinking about alternative choices as I was writing the original post. What can people realistically do? There are at least two or three other free PDF viewing utilities out there that I am aware of. What is to say that any of those are significantly more secure than Acrobat? For all their faults, at least Adobe has the resources to throw at a problem when something goes wrong. Can the same be said about PrimoPDF devs?
  I get the sense that Adobe has finally reached the tipping point. Their software has been exploited too many times, and in too many high profile incidents. They have to fix it now. The horse has left the barn, but at least going forward, they might end up with a secure product. A more or less bulletproof Acrobat is probably a good two to three years away. Adobe is still playing whack a mole and not fully investing in re-architecting the application to make it secure. They might not ever get there.
Mushroom mushroom by simplypeachy · 2011-06-15 18:13 · Score: 1

I wish they'd take that frigging great badger off that page, it's the most cringeworthy thing I suffer while updating client computers. Gives Mozilla a real professional and safety-concious persona.
Re:Again? Really? by Alex+Belits · 2011-06-15 19:19 · Score: 1

But how?

--
Contrary to the popular belief, there indeed is no God.
Re:Again? Really? by Lennie · 2011-06-15 22:10 · Score: 1

It is a free product and they don't really want to spend a lot of money on it ?

--
New things are always on the horizon
Re:Cant keep up by Lennie · 2011-06-15 22:29 · Score: 1

Use something like Flashblock and only allow the plugin for certain sites.
Done ?

--
New things are always on the horizon
agin, and again, and againa, and yet again by hesaigo999ca · 2011-06-16 01:03 · Score: 1

Ok, so who is going to come out with the joke of the day this time.....
It is almost like 1000 monkeys were in a room for a few years hitting the keyboard in order to produce these adobe products,
and now we are all finding out about it......
In all seriousness, the only thing i could see attributing to the fact that these programmers just don't check their code
is that they are all students, and maybe 1 or 2 senior programmers, and of which keeps changing regularly, so much so that the standards of coding
are barely followed, and no peer review on the code, and maybe not even a proper QC form being used to go through all the possible flaw situations.
Microsoft atleast has a gazillion products to review, and their teams are immense.....the office team barely speaks to the visual studio team, who barely speak to the sharepoint team, etc....so when bugs happen, it is almost understood based on the sheer volume of code and apps available from them...
but adobe has no such repertoire, especially being we are only talking about 2 major ones with all the flaws...flash and reader
Cool, when can I get Flash on my iPhone? by alcmaeon · 2011-06-16 02:47 · Score: 1

I really need a crippled and vulnerable mobile phone. Oh, Damn you Apple! Damn you Steve Jobs! You are so petty and narrow minded.
I wish they would just stop by kimvette · 2011-06-16 03:16 · Score: 1

I wish they would just stop it with this "zero day" buzzword already. Just say "vulnerability" or even "security hole." That way, articles will be less amateurish-sounding, as if they hired a script kiddie to write the copy.

--
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Adobe brand by ficuscr · 2011-06-16 04:01 · Score: 1

This reminds me why I've not installed flash on my Android phone. Between Flash and Acrobat, Adobe is squandering any remaining love I have for their brand.
Re:Again? Really? by thsths · 2011-06-16 20:14 · Score: 1

> It is a free product and they don't really want to spend a lot of money on it ?
That would be a good reason. Unfortunately Acrobat (the $$$ product) has even more security issues.