Slashdot Mirror


Adobe Patches Second Flash Zero-Day In 9 Days

CWmike writes "For the second time in nine days, Adobe has patched a critical vulnerability in Flash Player that hackers were already exploiting, Computerworld's Gregg Keizer reports. Adobe also updated Reader to quash 13 new bugs and several older ones the company had not gotten around to fixing. The memory corruption vulnerability in Flash Player could 'potentially allow an attacker to take control of the affected system,' Adobe said in an accompanying advisory. 'There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages.' Adobe last issued an 'out-of-band' emergency update on June 5, when it fixed a critical flaw that attackers were exploiting to steal Gmail login credentials. Those attacks were different from the ones Google disclosed the week before, when it accused Chinese hackers of targeting specific individuals, including senior U.S. and South Korean government officials, anti-Chinese government activists and journalists. Google, which bundles Flash Player with Chrome, also updated its browser Tuesday to include the just-patched version of Flash."

7 of 178 comments

  1. Re:WTF adobe by PNutts · Score: 5, Informative

    http://secunia.com/vulnerability_scanning/personal "The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals. The only solution to block these kind of attacks is to apply security updates, commonly referred to as patches. Patches are offered free-of-charge by most software vendors, however, finding all these patches is a tedious and time consuming task. Secunia PSI automates this and alerts you when your programs and plug-ins require updating to stay secure." Set and forget.

  2. Affected software versions by farnsworth · Score: 4, Informative
    Since it didn't say in the summary:

    Affected software versions

    • Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
    • Adobe Flash Player 10.3.185.23 and earlier versions for Android
    --

    There ain't no pancake so thin it doesn't have two sides.

  3. And 64-bit Will Be Updated When? by hoeferbe · Score: 4, Insightful

    Great. I'm glad they're patching security vulnerabilities in their 32-bit product. But why do 64-bit users have to use a vulnerable version from 7 months ago?

    1. Re:And 64-bit Will Be Updated When? by arth1 · Score: 4, Informative

      Honest question: Why use an x64 browser?

      Speed, for one thing. For Windows, here is one benchmark that shows the rather significant difference. When on JavaScript-heavy sites, having a 64-bit browser sure helps.

      For Linux, there are other considerations, like not having to install the whole 32-bit compatibility layer and libraries at all. Fedora, for example, won't install 32-bit support unless you explicitly tell it to. Being 64-bit only saves a lot of memory compared to being dual-stack.

      For example, we still put 32-bit Office on our x64 desktops for plug-in and other compatibility.

      The speed difference for large spreadsheets can be stupendous, in favour of 64-bit. Or running a text analysis on a book-sized document. I've run 64-bit Office 2010 for quite a while, and haven't run into a single problem yet (well, 64-bit problem that is -- Office itself is another issue).

  4. ActiveX by slyborg · Score: 3, Insightful

    Adobe has managed to reincarnate ActiveX in the form of Flash. Why is this junk still being used? It's apparently got an attack surface the size of Jupiter...

  5. Re:Out of band? by LO0G · Score: 4, Informative

    Before the patch is made, many of these exploits are not widely known. Sometimes they are, but normally they aren't.

    As I understand it, the risk is that once the patch is published, the bad guys reverse engineer the patch and publish exploits for those patches (usually within 6 hours). So if you delay patching after a patch is made, you put your machines at increased risk. So scheduling an update so that IT folks have time to react is a good thing.

    The one exception is when the exploit is published *before* the patch is published. In that case, it makes sense to push an out-of-band patch and to hell with the sysadmins' schedule.

  6. Re:WTF adobe by dgatwood · Score: 3, Insightful

    Really? I've been using the ClickToFlash Safari extension for a couple of years, and the Click2Flash Safari plug-in for a year or more before that, and (not counting Flash games) I can count the number of sites where I've had to load Flash content on one hand, give or take. I've only seen about two sites in three or four years that use Flash for the main navigation, and neither is a site that I visit regularly.

    YouTube content is generally usable with the HTML5 video tag, which pretty much eliminated the one site I regularly use that required Flash. I'm going to go out on a limb and say that 99% of the Flash content I encounter is advertising, and sites generally work correctly if the Flash content doesn't load, so I see no reason not to disable Flash.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.