Slashdot Mirror


Adobe Pushes Emergency Flash Player Security Fix

wiredmikey writes "As expected, Adobe today released a security update for its Flash Player. The out-of-cycle update addresses critical security issues in Flash Player as well as an important universal cross-site scripting issue. Adobe reported that one of the vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. To illustrate the importance of keeping systems up to date, including Adobe Flash products, the fact that the RSA cyber attack was executed using a spear phishing attack with an embedded Flash file should serve as a friendly reminder. RSA was breached after an employee opened a spreadsheet that contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability."

10 of 56 comments

  1. This has never happened before! by savanik · · Score: 4, Funny

    The sooner we can get rid of Flash, the better. Bring on the HTML5, which will have no security vulnerabilities whatsoever!

  2. Re:Meanwhile by Kifoth · · Score: 2
  3. Re:Adobe used to mean something.... by 0123456 · · Score: 2

    Adobe used to mean something to the computing world. Now it is just the proponent of the worst jerry-rigged encapsulation methods and application platforms for malicious exploitation.

    Adobe was the company that trained me to press CTRL+S at least every two minutes so I wouldn't lose too much work the next time Premiere crashed, and to save to a new file every couple of hours so that I wouldn't lose too much when it corrupted the save.

  4. Re:Meanwhile by Synerg1y · · Score: 2

    All you have to worry about is...
    http://www.pcmag.com/article2/0,2817,2368269,00.asp

    This one took about a week...
    http://www.slashgear.com/apples-mac-os-x-security-update-2011-005-blocks-stolen-diginotar-certificates-09178410/

    Maybe you can just go to slashd0t.org instead if you set up your internal certs properly if you're on a Mac :) .

    Coming soon, can you set up local certs on a Mac? Rats... Google returned a hit...
    https://discussions.apple.com/thread/2734627?start=0&tstart=0
    even better :)

  5. Re:Adobe used to mean something.... by Anonymous Coward · · Score: 3, Interesting

    Nation-State Attackers Are Adobe's Biggest Worry: [A]dobe has contacts in the big defense contractors, government agencies and other organizations that are most often the targets of state-sponsored attacks. So when a new attack begins, the company typically hears about it within hours as customers begin to call and report a new threat involving an Adobe product. Now, says Brad Arkin, the senior director of product security and privacy at Adobe, it's at a point where the company's main adversaries are state-sponsored actors. Arkin said that when a new attack involving a zero-day bug in one of Adobe's products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. [HSEC-1.2; Date: 20 September 2011; Source: http://threatpost.com/en_us/blogs/nation-state-attackers-are-adobes-biggest-worry-092011]

  6. How do I...? by mr_lizard13 · · Score: 2

    How do I get this vital security update for my iPhone?

    --
    "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
  7. Slim version by MrL0G1C · · Score: 3, Informative
    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    1. Re:Slim version by David_W · · Score: 3, Informative

      You sir are a gentleman and a scholar. You wouldn't happen to have an MSI would you?

      Funny, I just went looking for such a beast, being sick of fighting with their usual installer...

  8. Getting the New Version by DERoss · · Score: 2

    For those few (like me) who use SeaMonkey with "Advertise Firefox compatibility" disabled, the download site for Flash is broken. You wind up in a loop without ever getting the download. Either enable "Advertise Firefox compatibility" or spoof Firefox in some other way. Then, before trying the download site, remove all Adobe cookies. Yes, it's another case of invalid UA sniffing.

    When you finally download, you get a stub installer, not a complete installer. This is true for everyone, including users of IE and Firefox. To download the complete installer, see http://forums.adobe.com/thread/889580?tstart=0.

    I'm not sure why I pursued this so vigorously. Normally, I browse the Web with Flash disabled.

  9. Re:Does this affect Flash 11 beta? by operator_error · · Score: 2

    Oh man, I hate replying to my own ./ post, but *that* ./ article headline and summary are completely false. If you read all the waaaay down to the bottom of TFA, on the linked-to Slashdot piece, it says "Flash Player 11 and AIR 3 would be publicly available in early October, Adobe said in a statement." So no v11 release happened at all.

    Adobe specifically states "Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android." Hope this info helps.

    https://www.adobe.com/support/security/bulletins/apsb11-26.html