Adobe Pushes Emergency Flash Player Security Fix

← Back to Stories (view on slashdot.org)

Adobe Pushes Emergency Flash Player Security Fix

Posted by samzenpus on Wednesday September 21, 2011 @09:33AM from the slap-on-the-patch dept.

wiredmikey writes "As expected, Adobe today released a security update for its Flash Player. The out of cycle update addresses critical security issues in flash player as well as an important universal cross-site scripting issue. Adobe reported that one of the vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. To illustrate the importance of keeping systems up to date, including Adobe Flash products, the fact that the RSA cyber attack was executed using a spear phishing attack with an embedded flash file should serve as a friendly reminder. RSA was breached after an employee opened a spreadsheet that contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability."

56 comments

Min score:

Reason:

Sort:

This has never happened before! by savanik · 2011-09-21 09:37 · Score: 4, Funny

The sooner we can get rid of Flash, the better. Bring on the HTML5, which will have no security vulnerabilities whatsoever!
1. Re:This has never happened before! by Device666 · 2011-09-21 09:39 · Score: 1
  
  Oh really, please check your email...
2. Re:This has never happened before! by Anonymous Coward · 2011-09-21 09:44 · Score: 0
  
  Not sure if trolling or just stupid. Probably stupid considering this is slashdot.
3. Re:This has never happened before! by ejtttje · 2011-09-21 10:19 · Score: 1
  
  Apparently people don't know a good troll when they see it :)
4. Re:This has never happened before! by Anonymous Coward · 2011-09-21 10:23 · Score: 0
  
  The sooner we can get rid of Flash, the better. Bring on the HTML5, which will have no security vulnerabilities whatsoever!
  What is the use case for Flash ?
  Ad banners ? ROTFL
  Video ? No, with HTML5 video already in place.
  Games ? Nothing Canvas can't fix.
  Websites ? People should run away like hell from websites that are flash only.
  Adobe will never ever willingly abandon Flash.
  Change has to come from users, even if it means in the short medium term not playing flash games, or seeing a lol cat video on vimeo etc...But users generally are stupid, they would sell their own mother for a video or 5 minutes at a flash game. And this is what they win. I say let them be infected every day; at a certain point they will learn the lesson. Throw Adobe Flash in the e-toilet.
5. Re:This has never happened before! by Anonymous Coward · 2011-09-21 13:23 · Score: 0
  
  Not sure if trolling or just stupid. Probably stupid considering this is slashdot.
  Not sure if trolling or just stupid. Probably trolling considering your 2nd sentence.
6. Re:This has never happened before! by Anonymous Coward · 2011-09-21 13:40 · Score: 0
  
  Porn, you moron.
7. Re:This has never happened before! by Dr+Herbert+West · 2011-09-21 13:45 · Score: 1
  
  Wish I had mod points left, so I could mod you "dimwit". What, exactly, does canvas "fix"?
  
  Go ahead and build me a game or an app that is more complicated than minesweeper or a tip calculator that can run seamlessly on multiple browsers. Or tell a client that their product slideshow will have nice transitions sometimes, in some browsers, maybe. But don't use it on IE6, or firefox. But IE9 will work, after service pack XX.
  
  Do some actual production work once in a while, with a client that isn't your mom, before posting your bullshit. Devs don't set standards-- the clients do. And like it or not, they've been conditioned to want the experience that Flash has made standard.
8. Re:This has never happened before! by hairyfeet · 2011-09-21 13:46 · Score: 0
  
  Oh please! like we haven't had like a bazillion browser bugs these past couple of years? And WHICH HTML V5, the H.264 HTML V5 or the Theora one or the WebM one?
  And it amazes me how geeks here will sacrifice pretty much anything on the alter of cross compatibility with Linux. Have you TRIED HTML V5? try it on an older office machine or a new single core netbook, its a slideshow! And even on machines that it actually runs it sucks major resources. great way to kill batteries dead but most mobile users wouldn't be happy about that. compare to flash where even the 1.8GHz Sempron I use as a nettop and test bed for software for low power machines runs SD flash just beautifully. Hell I could add a $40 GPU and even go High Def.
  So while I'm all for cross compatibility I don't want it if its gonna suck, which from what I've seen so far HTML V5 is gonna suck the big wet titty. there is just too much politics and too many with an agenda messing with it. Maybe in a decade they'll have the kinks worked out and the politics behind them it'll be good, but by then H.26x will be patent free so who will care.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
9. Re:This has never happened before! by AftanGustur · 2011-09-21 17:26 · Score: 1
  
  The sooner we can get rid of Flash, the better. Bring on the HTML5, which will have no security vulnerabilities whatsoever!
  Exactly, Microsoft removing flash support in the upcoming version of IE will bring us back years in terms of security.
  
  --
  echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
10. Re:This has never happened before! by tinkerton · 2011-09-21 23:50 · Score: 1
  
  people shouldn't continually lump trolling together with parody, sarcasm, irony, tongue in cheek, or just stand up comedy.
11. Re:This has never happened before! by hesaigo999ca · 2011-09-22 01:56 · Score: 1
  
  That is the f*cking understatement of the century!!!
  I hate flash, yet people still want to use it, I do not understand....foxit atleast, if not other pdf viewers. Adobe just has no clue when it comes to secuirty, they are great at buying up the competition and repackaging the software for the image industry, not for security, so why allow your browser to have access to it, we really do not need to have flash websites....period!
Adobe used to mean something.... by Anonymous Coward · 2011-09-21 09:39 · Score: 0

Adobe used to mean something to the computing world. Now it is just the proponent of the worst jerry-rigged encapsulation methods and application platforms for malicious exploitation.
PDF should not be a distribution method for online documentation or viewing in web browsers, it should be available as a tertiary format FOR PRINTING ONLY, after html and plain text. But it is.
Flash should not be the default video player. But it is.
Haet :(.
1. Re:Adobe used to mean something.... by 0123456 · 2011-09-21 09:44 · Score: 2
  
  Adobe used to mean something to the computing world. Now it is just the proponent of the worst jerry-rigged encapsulation methods and application platforms for malicious exploitation.
  Adobe was the company that trained me to press CTRL+S at least every two minutes so I wouldn't lose too much work the next time Premiere crashed, and to save to a new file every couple of hours so that I wouldn't lose too much when it corrupted the save.
2. Re:Adobe used to mean something.... by Anonymous Coward · 2011-09-21 09:54 · Score: 3, Interesting
  
  Nation-State Attackers Are Adobe's Biggest Worry: [A]dobe has contacts in the big defense contractors, government agencies and other organizations that are most often the targets of state-sponsored attacks. So when a new attack begins, the company typically hears about it within hours as customers begin to call and report a new threat involving an Adobe product. Now, says Brad Arkin, the senior director of product security and privacy at Adobe, it's at a point where the company's main adversaries are state-sponsored actors. Arkin said that when a new attack involving a zero-day bug in one of Adobe's products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. [HSEC-1.2; Date: 20 September 2011; Source: http://threatpost.com/en_us/blogs/nation-state-attackers-are-adobes-biggest-worry-092011%5D
3. Re:Adobe used to mean something.... by Nerdfest · 2011-09-21 10:53 · Score: 1
  
  It's sad that we need something like this, but I'm glad it exists. There's an RSS feed from the Adobe Product Security Incident Response Team.
4. Re:Adobe used to mean something.... by Kjella · 2011-09-21 13:58 · Score: 1
  
  Adobe was the company that trained me to press CTRL+S at least every two minutes so I wouldn't lose too much work the next time Premiere crashed, and to save to a new file every couple of hours so that I wouldn't lose too much when it corrupted the save.
  Heh, I learned that already in childhood playing Sierra games. Save early, save often and keep your old savegames. Of course that was by design, maybe they were just trying to prepare people for work life? It has certainly saved my ass a few times...
  
  --
  Live today, because you never know what tomorrow brings
Re:Meanwhile by Kifoth · 2011-09-21 09:42 · Score: 2

Oh. Really? ;)
Re:Meanwhile by Synerg1y · 2011-09-21 09:44 · Score: 2

All you have to worry about is...
http://www.pcmag.com/article2/0,2817,2368269,00.asp
This one took about a week...
http://www.slashgear.com/apples-mac-os-x-security-update-2011-005-blocks-stolen-diginotar-certificates-09178410/
Maybe u can just go to slashd0t.org instead if you set up your internal certs proper if your on a mac :) .
Coming soon, can you set up local certs on a mac? rats... google returned a hit...
https://discussions.apple.com/thread/2734627?start=0&tstart=0
even better :)
Update Flash, now with FREE trojan! by Anonymous Coward · 2011-09-21 09:46 · Score: 0, Insightful

What worries me more is that the download page of Flash has the "Yes, install Google Chrome - optional" already selected for you. Users searching for the big large download button will not even see it. Chrome (or at least how Google pushes it) behaves more and more like a trojan!
1. Re:Update Flash, now with FREE trojan! by fuzzyfuzzyfungus · 2011-09-21 09:53 · Score: 1
  
  They change their bundleware push every few weeks to months, it seems to vary a bit. Chrome is a recent addition, some McAffee shit was before that, I think the bing toolbar may have shown up once or twice...
  
  It's atrociously unprofessional on Adobe's part, very 90's .bomb affiliate sleazeware; but it isn't a google-specific thing(though Google is getting themselves rather dirty by association, particularly when they have google.com from which to offer things, which is a pedestal that few can hope to aspire to...
Paged media and vector animation by tepples · 2011-09-21 09:48 · Score: 1

PDF should not be a distribution method for online documentation or viewing in web browsers, it should be available as a tertiary format FOR PRINTING ONLY
Web browser developers have treated CSS paged media as a mere afterthought. What's the best practice to distribute paged media such as slide presentations for on-screen viewing?

Flash should not be the default video player. But it is.
I agree for pixel-based video, not so much for vector-based cartoons, at least until 2014 when Windows XP dies (taking IE <= 8 with it) and until browsers' SVG renderers become much faster.
1. Re:Paged media and vector animation by Anonymous Coward · 2011-09-21 10:22 · Score: 0
  
  What's the best practice to distribute paged media such as slide presentations for on-screen viewing?
  #include <rant.h>
  Put everything on one page and have the user the PgDn key or the scroll wheel. The web is not print. Fuck slideshows, fuck "after the jump", fuck "page 2" consisting of nothing more than one sentence of text and the author's byline, and fuck webmasters whoring for ad banner impressions.
2. Re:Paged media and vector animation by Anonymous Coward · 2011-09-21 10:35 · Score: 0
  
  No, I think he meant literal slide presentations (e.g. at conferences), which are then made available on the web. Typical PDF viewers permit _both_ viewing a stream of pages, and a single page at a time, making it suitable for both delivering and browsing presentations; it's currently the best format I know for these, and there's really not much improvement needed. It's just the overuse of it for web-native content that _wants_ to be scrolled through on a long page, but is imprisoned in pages for no good reason.
  The "slideshows" on various news sites and blogs, which are created specifically for the web, but use (in this case artificial) division into "pages" to satisfy an ad whore or a weak-minded scroll-averse "designer" -- those I totally agree with you on... but they're generally not PDFs anyway.
3. Re:Paged media and vector animation by tepples · 2011-09-21 10:41 · Score: 1
  
  Put everything on one page and have the user the PgDn key or the scroll wheel.
  So how does the author of such a page set the PgDn key or the scroll wheel to advance the scroll position by exactly the height of one slide?
4. Re:Paged media and vector animation by Anonymous Coward · 2011-09-21 11:33 · Score: 0
  
  Whoops...
  s/$just the overuse.*$\./\1 that I hate./
5. Re:Paged media and vector animation by Anonymous Coward · 2011-09-21 15:12 · Score: 0
  
  The same way that author guarantees that my 1024x600 netbook and my 1280x1024 desktop both show exactly one slide per screen -- quit being such a fucking control freak and let me read the document in the way that I'm most comfortable.
  It's a lot less time-consuming (and less aggravating!) to adjust my scrolling to fit different heights than it is to enable Flash and click "page forward", then wait 30 seconds for the next section to render.
6. Re:Paged media and vector animation by Anonymous Coward · 2011-09-21 16:44 · Score: 0
  
  So... are you a troll, or an idiot?
  Tepples listed one good use for PDFs (natively paginated documents, such as IRL slideshows/presentations), and one begrudging use for Flash (Homestar Runner); some AC (I assume you) replied to the PDF use suggesting we pretend pages don't exist for those, instead of (the status quo) loading them in a PDF viewer that almost invariably supports both continuous scrolling and single-page viewing.
  Unless someone is using a PDF viewer implemented in Flash *shudder*, Flash has nothing to do with it, and if they are, that's a fault specific to them -- I don't approve, you don't approve, and nothing tepples has said indicates he approves, so it's either a total red herring (troll) or a facepalmingly stupid misunderstanding (idiot).
JEEEBUSS CHRIST!!!! by MightyMartian · 2011-09-21 09:50 · Score: 1

Flash is truly become one big pile of steaming crap! I used to be against Apple, but frankly I think it should be made unlawful and Adobe fined a trillion dollars for every security incident involving that piece of garbage.
Fucking hell, all of this so we can watch some fucking videos on the Internet and be annoyed by idiotic ads. Somebody, please, wipe Adobe out. They have become, through their sheer stupidity and incompetence, a force for online evil.

--
The world's burning. Moped Jesus spotted on I50. Details at 11.
1. Re:JEEEBUSS CHRIST!!!! by Eravnrekaree · 2011-09-21 15:35 · Score: 1
  
  I would partly blame Firefox (!) however as well. Why would I say such a thing? Firefox fails to offer some means to block the loading of the flash plugin selectively, I would like for instance to by default block it and then opt in to allow certain pages to use flash. This should be integrated into a general security zones feature where you can create a security zone with this and settings for other things like javascript, to be enabled or disabled for the sites you have added to the zone. Firefox lacks the most basic tools to even manage flash adn so helps make the problem worse. And dont say it should be an add-on, because add-ons THEMSELVES are an inventiona to trojabs!
2. Re:JEEEBUSS CHRIST!!!! by Anonymous Coward · 2011-09-21 16:39 · Score: 0
  
  Are you just trolling? Firefox has the best of all of those things by far, bar none. Oh but it takes an add-on? What's the point of that claim? Flash is an add-on functionally.
3. Re:JEEEBUSS CHRIST!!!! by hawkinspeter · 2011-09-21 20:58 · Score: 1
  
  Haven't you heard of noscript or flashblock plugins for firefox?
  
  --
  You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
How do I...? by mr_lizard13 · 2011-09-21 10:08 · Score: 2

How do I get this vital security update for my iPhone?

--
"We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
1. Re:How do I...? by Anonymous Coward · 2011-09-21 11:06 · Score: 0
  
  How do I get this vital security update for my iPhone?
  From the same place that I can get this vital security update for my Nokia 3310.
  
  Ha ha! Only jesting.... one great joke deserves another- yes, I spotted your little point, and we can both be smug that neither of our phones needs this security update because they don't run Flash. I have a small flat lump of concrete in my garden that doesn't suffer from that vulnerability for the same reason.
  
  In fact, my lump of concrete is *entirely* secure from hacker attacks, so it *must* be better than an Android phone that runs that nasty Flash stuff!
2. Re:How do I...? by Anonymous Coward · 2011-09-21 11:48 · Score: 0
  
  I'm just going to keep the joke going because my Windows, Linux, and Android operating systems all shipped with Flash and I'm not sure how they got there or how to update.
  Stupidity is a choice.
Cross-site Scripting FAQ by mrkitty · 2011-09-21 10:30 · Score: 1

Cross-site Scripting FAQ http://www.cgisecurity.com/xss-faq.html

--
Believe me, if I started murdering people, there would be none of you left.
Figures by Nimey · 2011-09-21 10:41 · Score: 0

I just got done making a new install image for work today.

--
Hail Eris, full of mischief...

E pluribus sanguinem
I'm seriously not trolling by Ralph+Spoilsport · 2011-09-21 11:19 · Score: 1

when I say I don't care because to me Flash is DEAD. Ever since HTML 5 started congealing, I've seen no reason to bother with Flash outside of simple animations. Which is where it started. And should have stayed, but with MM Director dying a slow and deserved death in the mid 90s, they had to find new work for the engineers....

--
Shoes for Industry. Shoes for the Dead.
1. Re:I'm seriously not trolling by Anonymous Coward · 2011-09-21 12:21 · Score: 0
  
  Apple had a huge hand in this change as well. By completely shutting out Flash on their mobile platform, they've forced developers to use alternate techniques if they want their sites to work on all devices. Supporting HTML5 and Flash video on your site brings you one step closer to getting rid of Flash completely. We just have to wait for IE8 to die now... see you guys in 10 years.
Slim version by MrL0G1C · 2011-09-21 11:50 · Score: 3, Informative

Nice quickly installing slim version, no junk and no download manager etc required:
IE
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
Firefox etc
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

--
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
1. Re:Slim version by whoami9801 · 2011-09-21 14:43 · Score: 1
  
  You sir are a gentleman and a scholar. You wouldn't happen to have an MSI would you?
2. Re:Slim version by David_W · 2011-09-21 14:59 · Score: 3, Informative
  You sir are a gentleman and a scholar. You wouldn't happen to have an MSI would you?
  Funny, I just went looking for such a beast, being sick of fighting with their usual installer...
  
  Page o' links
  Direct to MSI: Plugin style, ActiveX style
64 bit? by jbeaupre · 2011-09-21 12:35 · Score: 1

Does this also affect the 64 bit version 11? Just curious since they haven't updated it for 2 weeks.

--
The world is made by those who show up for the job.
just goes to show... by Gravis+Zero · 2011-09-21 13:38 · Score: 1

the more features you add to a program the more likely it is to be exploited. it also doesn't help to be closed source.

--
Anons need not reply. Questions end with a question mark.
So? by jensend · 2011-09-21 13:51 · Score: 1

Is every security update now front page-worthy news? Maybe it's been a slow news day or something, but Flash security patches aren't exactly a rare occurrence. Might as well have an article "SUN COMES UP AGAIN TODAY!"
I was wondering that myself by Anonymous Coward · 2011-09-21 13:51 · Score: 0

I use the 64-bit FLASH 11 betas for FireFox & IE9 here. Good question, hope we get answers!
APK
Getting the New Version by DERoss · 2011-09-21 14:37 · Score: 2

For those few (like me) who use SeaMonkey with "Advertise Firefox compatibility" disabled, the download site for Flash is broken. You wind up in a loop without ever getting the download. Either enable "Advertise Firefox compatibility" or spoof Firefox in some other way. Then, before trying the download site, remove all Adobe cookies. Yes, it's another case of invalid UA sniffing.
When you finally download, you get a stub installer, not a complete installer. This is true for everyone, including users of IE and Firefox. To download the complete installer, see http://forums.adobe.com/thread/889580?tstart=0.
I'm not sure why I pursued this so vigorously. Normally, I browse the Web with Flash disabled.
Re:Now With self-deleting installer! by qubezz · 2011-09-21 14:48 · Score: 1

These people at Adobe are getting unbelievable. Now, the way that you could previously have gotten an offline installer (choose different OS/different browser), foists you a web downloader instead of a full installer, and guess what? You run it, and it deletes itself! Besides foisting Google Toolbar on you (or McAfee Antivirus crapware if you are downloading Firefox flash), this is about as slimeball as it gets.
Does this effect Flash 11 beta? by Bandwidth_ · 2011-09-21 14:52 · Score: 1

Does this effect the Flash 11 beta?
1. Re:Does this effect Flash 11 beta? by operator_error · 2011-09-21 18:47 · Score: 1
  
  Adobe released Flash 11 yesterday, so no need to use the beta anymore; and I'm assuming the security issue was addressed or the release wouldn't be happening.
  http://apple.slashdot.org/story/11/09/21/1559246/Adobe-Releases-Flash-11-and-AIR-3
  TFA specifically calls out Flash 10.3 though, not v11. Also the Flash 11 beta on Linux doesn't mention the new release at all. I am using Ubuntu and using the Flash Preferences (in System > Preferences), I am not informed of any actual new release. Maybe because I am in Europe and Adobe's CDN hasn't woken up yet? (ha ha). I clicked the Advanced tab, and then Updates > Check Now. My browser opens a page at adobe.com which tells me:
  
  You have version 11,0,1,98 installed
  Actually, I have Beta 2 installed from at least a week ago, not the Sept. 21 release.
  Go Adobe! Go!
2. Re:Does this effect Flash 11 beta? by operator_error · 2011-09-21 19:03 · Score: 2
  
  Oh man, I hate replying to my own ./ post, but *that* ./ article headline and summary are completely false. If your read all the waaaay down to the bottom of TFA, on the linked-to slashdot piece, it says "Flash Player 11 and AIR 3 would be publicly available in early October, Adobe said in a statement." So no v11 Release happened at all.
  Adobe specifically states "Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android.". Hope this info helps.
  https://www.adobe.com/support/security/bulletins/apsb11-26.html
Re:Meanwhile by atisss · 2011-09-21 21:43 · Score: 1

My browsers aren't either.
Only couple of cases when I do click on flashblock is - in youtube or vimeo when they don't have html5 support
Useless security fix without an effective updater by Quick+Reply · 2011-09-21 22:09 · Score: 1

It doesn't matter how quickly Adobe push out security updates, their updater is ineffective because it has too many manual steps, when it should be able to be completely automated like Windows Update is.
Most users that I have seen simply click "Cancel" every time they start up their computer and the updater comes up, because they don't know what it is, and have been tought not to install software that they don't know.
PowerPointitis, margins, and FlashPaper by tepples · 2011-09-21 23:41 · Score: 1

Thank you for recognizing my point.

Tepples listed one good use for PDFs (natively paginated documents, such as IRL slideshows/presentations)
The impression I got from the top-level post was that documents SHOULD NOT* be natively paginated and SHOULD be authored for scrollable media. Slideshows/presentations allegedly lead to PowerPoint syndrome.

a PDF viewer that almost invariably supports both continuous scrolling and single-page viewing.
In theory, yes. But in practice, people still distribute PDFs with two-column layouts intended for printing. And even with one-column layouts, continuous scrolling still leaves a two inch gap between the text at the bottom of one page and the text at the top of the next.

Unless someone is using a PDF viewer implemented in Flash *shudder*
That was FlashPaper, Macromedia's competitor to Acrobat before Adobe bought Macromedia. Nowadays, even though PDF technology has nothing to do with Flash technology, they're associated in people's minds under the banner of "Adobe products".
* In the sense of RFC 2119.
64-bit Flash Updated to 2 ver.# 11.0.1.152 by Anonymous Coward · 2011-10-05 06:16 · Score: 0

FINAL BUILD - Check your version here, first -> http://www.adobe.com/software/flash/about/
AND, then download the latest/greatest for whatever OS, browser, & "bitness" (lol, 32 or 64) you need, here:
http://get.adobe.com/flashplayer/otherversions/
* That's in regards to my other reply to you here, I was curious myself, since we both use the 64-bit build of FLASH PLAYER (& I kept you in mind is all)...
APK
P.S.=> Enjoy! So - Yes, the 64-bit one HAS BEEN UPDATED, & to the version # in my subject-line above also...
... apk