Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Pushes Emergency Flash Player Security Fix

Posted by samzenpus on from the slap-on-the-patch dept.

wiredmikey writes "As expected, Adobe today released a security update for its Flash Player. The out of cycle update addresses critical security issues in flash player as well as an important universal cross-site scripting issue. Adobe reported that one of the vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. To illustrate the importance of keeping systems up to date, including Adobe Flash products, the fact that the RSA cyber attack was executed using a spear phishing attack with an embedded flash file should serve as a friendly reminder. RSA was breached after an employee opened a spreadsheet that contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability."

36 of 56 comments (clear)

  1. This has never happened before! by savanik · · Score: 4, Funny

    The sooner we can get rid of Flash, the better. Bring on the HTML5, which will have no security vulnerabilities whatsoever!

    1. Re:This has never happened before! by Device666 · · Score: 1

      Oh really, please check your email...

    2. Re:This has never happened before! by ejtttje · · Score: 1

      Apparently people don't know a good troll when they see it :)

    3. Re:This has never happened before! by Dr+Herbert+West · · Score: 1

      Wish I had mod points left, so I could mod you "dimwit". What, exactly, does canvas "fix"?

      Go ahead and build me a game or an app that is more complicated than minesweeper or a tip calculator that can run seamlessly on multiple browsers. Or tell a client that their product slideshow will have nice transitions sometimes, in some browsers, maybe. But don't use it on IE6, or firefox. But IE9 will work, after service pack XX.

      Do some actual production work once in a while, with a client that isn't your mom, before posting your bullshit. Devs don't set standards-- the clients do. And like it or not, they've been conditioned to want the experience that Flash has made standard.

    4. Re:This has never happened before! by AftanGustur · · Score: 1

      The sooner we can get rid of Flash, the better. Bring on the HTML5, which will have no security vulnerabilities whatsoever!

      Exactly, Microsoft removing flash support in the upcoming version of IE will bring us back years in terms of security.

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    5. Re:This has never happened before! by tinkerton · · Score: 1

      people shouldn't continually lump trolling together with parody, sarcasm, irony, tongue in cheek, or just stand up comedy.

    6. Re:This has never happened before! by hesaigo999ca · · Score: 1

      That is the f*cking understatement of the century!!!
      I hate flash, yet people still want to use it, I do not understand....foxit atleast, if not other pdf viewers. Adobe just has no clue when it comes to secuirty, they are great at buying up the competition and repackaging the software for the image industry, not for security, so why allow your browser to have access to it, we really do not need to have flash websites....period!

  2. Re:Meanwhile by Kifoth · · Score: 2

    Oh. Really? ;)

  3. Re:Adobe used to mean something.... by 0123456 · · Score: 2

    Adobe used to mean something to the computing world. Now it is just the proponent of the worst jerry-rigged encapsulation methods and application platforms for malicious exploitation.

    Adobe was the company that trained me to press CTRL+S at least every two minutes so I wouldn't lose too much work the next time Premiere crashed, and to save to a new file every couple of hours so that I wouldn't lose too much when it corrupted the save.

  4. Re:Meanwhile by Synerg1y · · Score: 2

    All you have to worry about is...
    http://www.pcmag.com/article2/0,2817,2368269,00.asp

    This one took about a week...
    http://www.slashgear.com/apples-mac-os-x-security-update-2011-005-blocks-stolen-diginotar-certificates-09178410/

    Maybe u can just go to slashd0t.org instead if you set up your internal certs proper if your on a mac :) .

    Coming soon, can you set up local certs on a mac? rats... google returned a hit...
    https://discussions.apple.com/thread/2734627?start=0&tstart=0
    even better :)

  5. Paged media and vector animation by tepples · · Score: 1

    PDF should not be a distribution method for online documentation or viewing in web browsers, it should be available as a tertiary format FOR PRINTING ONLY

    Web browser developers have treated CSS paged media as a mere afterthought. What's the best practice to distribute paged media such as slide presentations for on-screen viewing?

    Flash should not be the default video player. But it is.

    I agree for pixel-based video, not so much for vector-based cartoons, at least until 2014 when Windows XP dies (taking IE <= 8 with it) and until browsers' SVG renderers become much faster.

    1. Re:Paged media and vector animation by tepples · · Score: 1

      Put everything on one page and have the user the PgDn key or the scroll wheel.

      So how does the author of such a page set the PgDn key or the scroll wheel to advance the scroll position by exactly the height of one slide?

  6. JEEEBUSS CHRIST!!!! by MightyMartian · · Score: 1

    Flash is truly become one big pile of steaming crap! I used to be against Apple, but frankly I think it should be made unlawful and Adobe fined a trillion dollars for every security incident involving that piece of garbage.

    Fucking hell, all of this so we can watch some fucking videos on the Internet and be annoyed by idiotic ads. Somebody, please, wipe Adobe out. They have become, through their sheer stupidity and incompetence, a force for online evil.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:JEEEBUSS CHRIST!!!! by Eravnrekaree · · Score: 1

      I would partly blame Firefox (!) however as well. Why would I say such a thing? Firefox fails to offer some means to block the loading of the flash plugin selectively, I would like for instance to by default block it and then opt in to allow certain pages to use flash. This should be integrated into a general security zones feature where you can create a security zone with this and settings for other things like javascript, to be enabled or disabled for the sites you have added to the zone. Firefox lacks the most basic tools to even manage flash adn so helps make the problem worse. And dont say it should be an add-on, because add-ons THEMSELVES are an inventiona to trojabs!

    2. Re:JEEEBUSS CHRIST!!!! by hawkinspeter · · Score: 1

      Haven't you heard of noscript or flashblock plugins for firefox?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  7. Re:Update Flash, now with FREE trojan! by fuzzyfuzzyfungus · · Score: 1

    They change their bundleware push every few weeks to months, it seems to vary a bit. Chrome is a recent addition, some McAffee shit was before that, I think the bing toolbar may have shown up once or twice...

    It's atrociously unprofessional on Adobe's part, very 90's .bomb affiliate sleazeware; but it isn't a google-specific thing(though Google is getting themselves rather dirty by association, particularly when they have google.com from which to offer things, which is a pedestal that few can hope to aspire to...

  8. Re:Adobe used to mean something.... by Anonymous Coward · · Score: 3, Interesting

    Nation-State Attackers Are Adobe's Biggest Worry: [A]dobe has contacts in the big defense contractors, government agencies and other organizations that are most often the targets of state-sponsored attacks. So when a new attack begins, the company typically hears about it within hours as customers begin to call and report a new threat involving an Adobe product. Now, says Brad Arkin, the senior director of product security and privacy at Adobe, it's at a point where the company's main adversaries are state-sponsored actors. Arkin said that when a new attack involving a zero-day bug in one of Adobe's products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. [HSEC-1.2; Date: 20 September 2011; Source: http://threatpost.com/en_us/blogs/nation-state-attackers-are-adobes-biggest-worry-092011%5D

  9. How do I...? by mr_lizard13 · · Score: 2

    How do I get this vital security update for my iPhone?

    --
    "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
  10. Cross-site Scripting FAQ by mrkitty · · Score: 1

    Cross-site Scripting FAQ http://www.cgisecurity.com/xss-faq.html

    --
    Believe me, if I started murdering people, there would be none of you left.
  11. Re:Adobe used to mean something.... by Nerdfest · · Score: 1

    It's sad that we need something like this, but I'm glad it exists. There's an RSS feed from the Adobe Product Security Incident Response Team.

  12. I'm seriously not trolling by Ralph+Spoilsport · · Score: 1

    when I say I don't care because to me Flash is DEAD. Ever since HTML 5 started congealing, I've seen no reason to bother with Flash outside of simple animations. Which is where it started. And should have stayed, but with MM Director dying a slow and deserved death in the mid 90s, they had to find new work for the engineers....

    --
    Shoes for Industry. Shoes for the Dead.
  13. Slim version by MrL0G1C · · Score: 3, Informative

    Nice quickly installing slim version, no junk and no download manager etc required:

    IE
    http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe

    Firefox etc
    http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    1. Re:Slim version by whoami9801 · · Score: 1

      You sir are a gentleman and a scholar. You wouldn't happen to have an MSI would you?

    2. Re:Slim version by David_W · · Score: 3, Informative

      You sir are a gentleman and a scholar. You wouldn't happen to have an MSI would you?

      Funny, I just went looking for such a beast, being sick of fighting with their usual installer...

  14. 64 bit? by jbeaupre · · Score: 1

    Does this also affect the 64 bit version 11? Just curious since they haven't updated it for 2 weeks.

    --
    The world is made by those who show up for the job.
  15. just goes to show... by Gravis+Zero · · Score: 1

    the more features you add to a program the more likely it is to be exploited. it also doesn't help to be closed source.

    --
    Anons need not reply. Questions end with a question mark.
  16. So? by jensend · · Score: 1

    Is every security update now front page-worthy news? Maybe it's been a slow news day or something, but Flash security patches aren't exactly a rare occurrence. Might as well have an article "SUN COMES UP AGAIN TODAY!"

  17. Re:Adobe used to mean something.... by Kjella · · Score: 1

    Adobe was the company that trained me to press CTRL+S at least every two minutes so I wouldn't lose too much work the next time Premiere crashed, and to save to a new file every couple of hours so that I wouldn't lose too much when it corrupted the save.

    Heh, I learned that already in childhood playing Sierra games. Save early, save often and keep your old savegames. Of course that was by design, maybe they were just trying to prepare people for work life? It has certainly saved my ass a few times...

    --
    Live today, because you never know what tomorrow brings
  18. Getting the New Version by DERoss · · Score: 2

    For those few (like me) who use SeaMonkey with "Advertise Firefox compatibility" disabled, the download site for Flash is broken. You wind up in a loop without ever getting the download. Either enable "Advertise Firefox compatibility" or spoof Firefox in some other way. Then, before trying the download site, remove all Adobe cookies. Yes, it's another case of invalid UA sniffing.

    When you finally download, you get a stub installer, not a complete installer. This is true for everyone, including users of IE and Firefox. To download the complete installer, see http://forums.adobe.com/thread/889580?tstart=0.

    I'm not sure why I pursued this so vigorously. Normally, I browse the Web with Flash disabled.

  19. Re:Now With self-deleting installer! by qubezz · · Score: 1

    These people at Adobe are getting unbelievable. Now, the way that you could previously have gotten an offline installer (choose different OS/different browser), foists you a web downloader instead of a full installer, and guess what? You run it, and it deletes itself! Besides foisting Google Toolbar on you (or McAfee Antivirus crapware if you are downloading Firefox flash), this is about as slimeball as it gets.

  20. Does this effect Flash 11 beta? by Bandwidth_ · · Score: 1

    Does this effect the Flash 11 beta?

    1. Re:Does this effect Flash 11 beta? by operator_error · · Score: 1

      Adobe released Flash 11 yesterday, so no need to use the beta anymore; and I'm assuming the security issue was addressed or the release wouldn't be happening.

      http://apple.slashdot.org/story/11/09/21/1559246/Adobe-Releases-Flash-11-and-AIR-3

      TFA specifically calls out Flash 10.3 though, not v11. Also the Flash 11 beta on Linux doesn't mention the new release at all. I am using Ubuntu and using the Flash Preferences (in System > Preferences), I am not informed of any actual new release. Maybe because I am in Europe and Adobe's CDN hasn't woken up yet? (ha ha). I clicked the Advanced tab, and then Updates > Check Now. My browser opens a page at adobe.com which tells me:

      You have version 11,0,1,98 installed

      Actually, I have Beta 2 installed from at least a week ago, not the Sept. 21 release.

      Go Adobe! Go!

    2. Re:Does this effect Flash 11 beta? by operator_error · · Score: 2

      Oh man, I hate replying to my own ./ post, but *that* ./ article headline and summary are completely false. If your read all the waaaay down to the bottom of TFA, on the linked-to slashdot piece, it says "Flash Player 11 and AIR 3 would be publicly available in early October, Adobe said in a statement." So no v11 Release happened at all.

      Adobe specifically states "Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android.". Hope this info helps.

      https://www.adobe.com/support/security/bulletins/apsb11-26.html

  21. Re:Meanwhile by atisss · · Score: 1

    My browsers aren't either.
    Only couple of cases when I do click on flashblock is - in youtube or vimeo when they don't have html5 support

  22. Useless security fix without an effective updater by Quick+Reply · · Score: 1

    It doesn't matter how quickly Adobe push out security updates, their updater is ineffective because it has too many manual steps, when it should be able to be completely automated like Windows Update is.

    Most users that I have seen simply click "Cancel" every time they start up their computer and the updater comes up, because they don't know what it is, and have been tought not to install software that they don't know.

  23. PowerPointitis, margins, and FlashPaper by tepples · · Score: 1
    Thank you for recognizing my point.

    Tepples listed one good use for PDFs (natively paginated documents, such as IRL slideshows/presentations)

    The impression I got from the top-level post was that documents SHOULD NOT* be natively paginated and SHOULD be authored for scrollable media. Slideshows/presentations allegedly lead to PowerPoint syndrome.

    a PDF viewer that almost invariably supports both continuous scrolling and single-page viewing.

    In theory, yes. But in practice, people still distribute PDFs with two-column layouts intended for printing. And even with one-column layouts, continuous scrolling still leaves a two inch gap between the text at the bottom of one page and the text at the top of the next.

    Unless someone is using a PDF viewer implemented in Flash *shudder*

    That was FlashPaper, Macromedia's competitor to Acrobat before Adobe bought Macromedia. Nowadays, even though PDF technology has nothing to do with Flash technology, they're associated in people's minds under the banner of "Adobe products".

    * In the sense of RFC 2119.