Slashdot Mirror


Adobe Patches Second Flash Zero-Day In 9 Days

CWmike writes "For the second time in nine days, Adobe has patched a critical vulnerability in Flash Player that hackers were already exploiting, Computerworld's Gregg Keizer reports. Adobe also updated Reader to quash 13 new bugs and several older ones the company had not gotten around to fixing. The memory corruption vulnerability in Flash Player could 'potentially allow an attacker to take control of the affected system,' Adobe said in an accompanying advisory. 'There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages.' Adobe last issued an 'out-of-band' emergency update on June 5, when it fixed a critical flaw that attackers were exploiting to steal Gmail login credentials. Those attacks were different from the ones Google disclosed the week before, when it accused Chinese hackers of targeting specific individuals, including senior U.S. and South Korean government officials, anti-Chinese government activists and journalists. Google, which bundles Flash Player with Chrome, also updated its browser Tuesday to include the just-patched version of Flash."


  1. Re:WTF adobe by jo42 · · Score: 2

    The best solution to the crapware known as "Flash Player" (on Adobe's own site no less): http://kb2.adobe.com/cps/141/tn_14157.html

  2. Re:Should be Free and Clear Soon? by Shikaku · · Score: 2
  3. Re:WTF adobe by brucek2 · · Score: 2

    And also, why is the update process tied to system startup? My main desktop rarely reboots, which means I get these updates only weeks after I needed them, or after taking special action because I saw a story like this one.

  4. Re:WTF adobe by PNutts · · Score: 5, Informative

    http://secunia.com/vulnerability_scanning/personal "The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals. The only solution to block these kind of attacks is to apply security updates, commonly referred to as patches. Patches are offered free-of-charge by most software vendors, however, finding all these patches is a tedious and time consuming task. Secunia PSI automates this and alerts you when your programs and plug-ins require updating to stay secure." Set and forget.

  5. Affected software versions by farnsworth · · Score: 4, Informative
    Since it didn't say in the summary:

    Affected software versions

    • Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
    • Adobe Flash Player 10.3.185.23 and earlier versions for Android
    --

    There ain't no pancake so thin it doesn't have two sides.
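A checker for those ranges, added here as an example (it is not from the advisory or from anyone in the thread): it pulls the dotted version out of an add-ons manager line like the ones quoted later in the thread and compares it, component by component, against the ceiling for the platform. The platform keys and the sample entries are constructed for the example. The page does not state the fixed version, so the check only reports whether a version falls inside the quoted affected range, not whether a given newer build is the patched one.

```python
"""Check an installed Flash Player version against the affected-version
ranges quoted in comment 5 (added example, not Adobe's or Slashdot's code)."""
import re
from typing import Optional, Tuple

# Ceilings quoted in the advisory excerpt. Anything at or below the ceiling
# for its platform is inside the affected range.
AFFECTED_UP_TO = {
    "windows": "10.3.181.23",
    "macintosh": "10.3.181.23",
    "linux": "10.3.181.23",
    "solaris": "10.3.181.23",
    "android": "10.3.185.23",
}

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def extract_version(text: str) -> Optional[str]:
    """Pull the first dotted version out of free text such as an add-ons
    manager entry ("Shockwave Flash 10.2.152.32")."""
    match = _VERSION_RE.search(text)
    return match.group(1) if match else None


def parse_version(version: str) -> Tuple[int, ...]:
    """Split "10.3.181.23" into (10, 3, 181, 23); reject anything else."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Shorter versions are zero-padded so that
    10.3 == 10.3.0.0; a plain tuple comparison would call 10.3 smaller."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(version: str, platform: str) -> bool:
    """True when `version` is at or below the advisory's ceiling for `platform`."""
    key = platform.strip().lower()
    if key not in AFFECTED_UP_TO:
        raise ValueError(f"platform not covered by the advisory excerpt: {platform!r}")
    return compare_versions(version, AFFECTED_UP_TO[key]) <= 0


if __name__ == "__main__":
    # Constructed sample entries in the shape of the add-ons manager lines
    # quoted elsewhere in this thread (platform pairing is assumed).
    samples = [
        ("Linux", "Shockwave Flash 10.2.152.32"),
        ("Windows", "Shockwave Flash 10.3.181.23"),
        ("Android", "Adobe Flash Player 10.3.185.23"),
    ]
    for platform, entry in samples:
        found = extract_version(entry)
        verdict = "AFFECTED" if found and is_affected(found, platform) else "not in affected range"
        print(f"{platform:8} {found:14} {verdict}")
```

The zero-padding in compare_versions matters in practice: "10.3" reported by a coarse inventory tool is the same release as "10.3.0.0", and a naive tuple comparison would misrank it.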

  6. And 64-bit Will Be Updated When? by hoeferbe · · Score: 4, Insightful

    Great. I'm glad they're patching security vulnerabilities in their 32-bit product. But why do 64-bit users have to use a vulnerable version from 7 months ago?

    1. Re:And 64-bit Will Be Updated When? by arth1 · · Score: 2

      Indeed.
      My Add-ons manager says I have:
      Adobe Acrobat 9.4.3.231
      Shockwave Flash 10.2.152.32

      When checking for updates, there are none.
      It's mid-2011, why should the focus be on 32-bit?

      Then again, a 64-bit version of Firefox would be nice too. Or perhaps not, given how much memory it eats. With it being a 32-bit app, at least it can't gobble up more than 2 GB per process...

    2. Re:And 64-bit Will Be Updated When? by arth1 · · Score: 4, Informative

      Honest question: Why use an x64 browser?

      Speed, for one thing. For Windows, here is one benchmark that shows the rather significant difference. When on javascript heavy sites, having a 64-bit browser sure helps.

      For Linux, there are other considerations, like not having to install the whole 32-bit compatibility layer and libraries at all. Fedora, for example, won't install 32-bit support unless you explicitly tell it to. Being 64-bit only saves a lot of memory compared to being dual-stack.

      For example, we still put 32-bit Office on our x64 desktops for plug-in and other compatibility.

      The speed difference for large spreadsheets can be stupendous, in favour of 64-bit. Or running a text analysis on a book-sized document. I've run 64-bit Office 2010 for quite a while, and haven't run into a single problem yet (well, 64-bit problem that is -- Office itself is another issue).

  7. Re:WTF adobe by Qzukk · · Score: 2

    Actually, it's tied to the login process, logging out and back in triggers the updater. As for why, I'm guessing that it's because there's no central repository that can be checked periodically, and people whine and moan about having a half dozen executables sitting around and doing nothing but checking for updates. I've got computers at work that have programs in the background for Java updates, InstallShield (several programs use this), Apple's updater, Adobe's updaters and Google's updater, all on top of Windows Update whenever it runs.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  8. ActiveX by slyborg · · Score: 3, Insightful

    Adobe has managed to reincarnate ActiveX in the form of Flash. Why is this junk still being used? It's apparently got an attack surface the size of Jupiter...

  9. Re:Out of band? by LO0G · · Score: 4, Informative

    Before the patch is made, many of these exploits are not widely known. Sometimes they are, but normally they aren't.

    As I understand it, the risk is that once the patch is published, the bad guys reverse engineer the patch and publish exploits for those patches (usually within 6 hours). So if you delay patching after a patch is made, you put your machines at increased risk. So scheduling an update so that IT folks have time to react is a good thing.

    The one exception is when the exploit is published *before* the patch is published. In that case, it makes sense to push an out-of-band patch and to hell with the sysadmins' schedule.

  10. Re:WTF adobe by RussellSHarris · · Score: 2

    Yeah, because it never occurred to anybody that the Windows Task Scheduler could be used to schedule checks for updates for computers that never get rebooted...

  11. Re:WTF adobe by dgatwood · · Score: 3, Insightful

    Really? I've been using the ClickToFlash Safari extension for a couple of years, and the Click2Flash Safari plug-in for a year or more before that, and (not counting Flash games) I can count the number of sites where I've had to load Flash content on one hand, give or take. I've only seen about two sites in three or four years that use Flash for the main navigation, and neither is a site that I visit regularly.

    YouTube content is generally usable with the HTML5 video tag, which pretty much eliminated the one site I regularly use that required Flash. I'm going to go out on a limb and say that 99% of the Flash content I encounter is advertising, and sites generally work correctly if the Flash content doesn't load, so I see no reason not to disable Flash.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  12. Re:WTF adobe by mikestew · · Score: 2

    I don't even have Flash installed on the two machines I mainly use, and view a lot of pages on the Flash-incapable iPad and iPhone. The only place I notice the lack of Flash is YouTube and Hulu. YouTube is fine on iOS, and there's a Hulu app for iOS and Mac OS X. Sure, once in a while a site doesn't render. As I used to say about RealPlayer, there's nothing on the web I need to see so badly that I'm willing to install Flash.

  13. That little checkbox by mph_sd · · Score: 2

    Strangely I decided not to read the EULA before applying the second patch in 2 days. OK, I didn't read it for the first patch in 2 days either. I hope this doesn't make me liable for...anything.

  14. Re:Out of band? by LO0G · · Score: 2

    shutdown-p basically nailed it but I want to dig a bit deeper.

    There is no such thing as absolute security. There is no software available to end-users that is 100% secure (there may be very special case scenarios but they're not mainstream). Because of this, security is primarily a risk management problem.

    So when you decide to take a patch, you have to weigh the risks of taking the patch (it might break some LOB app) against the risk of *not* taking the patch (you might get hacked).

    We make these choices every single day when we get patches from vendors. Sysadmins (who have to keep entire corporations alive) are very risk averse (deploying a patch which shuts down the accounting department is likely to be a career-limiting-move) and that means that they want to make sure that every patch is tested before they deploy it.

    So when they see a patch, they need to weigh the risks. There is *no* debate that the bad guys reverse engineer patches. They do. That means that once a patch is deployed, the risks of *not* taking it skyrocket.

    If you release patches once every few days, that means that sysadmins are constantly putting their line of business apps at risk.

    Somewhat off-topic: Every once in a while, someone at work asks about the benefits of moving some internal server from its traditional port to a new port (for instance moving the SMTP server from port 25 to port 9998). The purists always respond with "that's just security by obscurity", to which the pragmatists respond "yeah, but it works to remove certain classes of threats. It won't stop a dedicated attacker who's actively probing your ports, but for most automated attacks, it can be highly effective".

    So yeah, a little "security by obscurity" helps.

  15. Adobe deserves to be raked... by mevets · · Score: 2

    But the inference you are making is not well supported. Google's response to getting hacked was to institute a ban on MS machines. Apparently, Google lacks the resources to manage MS machines properly, which isn't exactly surprising.

    Dust off the Senate.gov and others, and you may find the same root cause. Not unsolvable; just the solutions are unworkable. Ditch them and demand something better. It's not like there is a shortage of choice.

  16. Re:WTF adobe by tlhIngan · · Score: 2

    Apple does not have corporate users who hate to upgrade unless things are tested first ... whichever year they decide to do it. It is a liability because it is called Windows Update and therefore is part of Windows according to the lawyers. Not to mention Sarbanes-Oxley requires documentation for unauthorized software upgrades or installs and useless annoying crap.

    With the Apple Store the user assumes responsibility. No such arrangement on Windows as Offices would refuse to use it otherwise.

    Actually, it's because the iOS App Store (and likely the Mac App Store) requires apps to be self-contained. The only dependencies on apps allowed are what comes with a completely clean install of the OS. So as a first-pass test, all you need to do is run your app, because unless you jailbreak, you're reasonably assured that it's just your app running.

    If you update your PDF viewer on iOS, iOS will launch the PDF viewer itself and it's running in its own little sandbox when a web browser requests it.

    Microsoft Office, etc. install stuff all over the place and many hidden dependencies can result - apps using fonts, DLLs, APIs and other things without realizing they're not provided with Windows, just that so many people use those programs that it's assumed it's there and very strange things happen when they aren't.

    So in general, updating an iOS app will update the files associated with just that app, and since the app is self-contained, there is no way there can be hidden library dependencies or API dependencies. But Windows and Office have so many components added to them that strange dependencies develop. Heck, I had one program require OpenSSL under Windows, and it worked, despite my never installing the OpenSSL DLLs. Instead, it seemed Windows pulled the OpenSSL DLLs from the WiFi driver's installation directory and used those. Tell me if that isn't a disaster waiting to happen.
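The OpenSSL-from-the-driver-directory story above is the standard Windows DLL search order at work: a bare DLL name is resolved by walking a fixed list of directories that ends with every entry on PATH, so whichever unrelated package happened to drop a copy of that DLL on PATH becomes the application's dependency. The following Python script is an added example, not code from the thread; it simulates the order LoadLibrary uses with SafeDllSearchMode enabled (the Windows default) and recreates the scenario in a temporary directory tree. The directory names, the PATH contents and the file name libeay32.dll (the OpenSSL 1.0-era Windows library name) are assumptions for the illustration, and the script never loads anything; it only shows which copy would be picked and how shipping the dependency alongside the application makes the resolution deterministic.

```python
"""Simulate the default Windows DLL search order to show how a DLL that was
never installed for an application can still be found and loaded.
Added example; directory names and PATH contents are invented."""
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# OpenSSL 1.0-era builds shipped this library under this name on Windows;
# using it here is an assumption, the thread only says "OpenSSL DLLs".
DLL_NAME = "libeay32.dll"


def windows_dll_search_order(app_dir: Path, system_dir: Path, windows_dir: Path,
                             cwd: Path, path_entries: Iterable[Path]) -> List[Path]:
    """Directories LoadLibrary tries, in order, for a bare DLL name when
    SafeDllSearchMode is enabled: the application's own directory, the system
    directory, the 16-bit system directory, the Windows directory, the current
    directory, and finally each PATH entry in PATH order."""
    return [app_dir, system_dir, windows_dir / "System", windows_dir, cwd,
            *path_entries]


def resolve_dll(name: str, search_order: Iterable[Path]) -> Optional[Path]:
    """First directory in the search order holding a file of that name, or None."""
    for directory in search_order:
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    """Recreate the comment's situation: an application that needs OpenSSL but
    does not ship it, and an unrelated driver package whose directory is on PATH
    and happens to contain the DLL. Returns the resolved paths relative to the
    simulated drive root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app_dir = root / "Program Files" / "MyApp"          # invented
        windows_dir = root / "Windows"
        system_dir = windows_dir / "System32"
        driver_dir = root / "Program Files" / "WiFiDriver"  # invented
        for d in (app_dir, system_dir, windows_dir / "System", driver_dir):
            d.mkdir(parents=True, exist_ok=True)
        # Stand-in file for the driver package's private copy of the DLL.
        (driver_dir / DLL_NAME).write_bytes(b"MZ")

        order = windows_dll_search_order(app_dir, system_dir, windows_dir,
                                         cwd=root, path_entries=[system_dir, driver_dir])
        before = resolve_dll(DLL_NAME, order)

        # Remedy: the application ships the DLL it depends on, so its own
        # directory, first in the search order, wins regardless of PATH.
        (app_dir / DLL_NAME).write_bytes(b"MZ")
        after = resolve_dll(DLL_NAME, order)

        def rel(p: Optional[Path]) -> Optional[str]:
            return p.relative_to(root).as_posix() if p is not None else None

        return {
            "before_bundling": rel(before),
            "after_bundling": rel(after),
            "unrelated_dll": rel(resolve_dll("nosuch.dll", order)),
        }


if __name__ == "__main__":
    for label, path in demo().items():
        print(f"{label:16} -> {path}")
```

The simulation makes the hidden dependency visible: before bundling, the application works only as long as the driver package stays installed, stays on PATH and keeps its copy at a compatible version, and any earlier PATH entry that becomes writable can substitute a different file of the same name.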