New Adobe Flash Vulnerabilities Being Actively Exploited On Windows and OS X
Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."
People use Word documents to send freaking pictures around, because they don't know they can paste into Paint. They don't know how to send weblinks either, so they paste it into Word and send it on.
A successful API design takes a mixture of software design and pedagogy.
Windows users are targeted with Microsoft Word documents delivered as email attachments which contain malicious Flash content
Why?
Probably because of Windows sandboxing Flash through low-integrity mode. Even if you get to exploit a Flash vulnerability and execute your shell code on Windows, the code is still severely restricted in what it can do. Code executing inside of a low-integrity process can still not infect a system as write-ups (writing or interacting with a higher integrity object/process) are denied.
They could as easily infect you with a macro. Who in their right mind opens a Word doc from an unknown source, especially when Windows warns you when you start to open a Word doc in Outlook (we use Outlook at work)?
No, infecting with a macro is more difficult since the last several versions of Word. Word will not automatically run macros and also has an internet-origin policy whereby documents received through Outlook or other email clients or downloaded using a browser are tainted with the "internet zone". You have to dismiss several warnings to run macros from such a document. But if Word will run Flash content (show the animation) and a vulnerability can be exploited, shell code can run as a user.
That is, until Word 2010 which *also* runs in low-integrity when viewing content tainted with the internet zone. Since Word 2010 the shell code will still be confined to the low-integrity sandbox.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
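The "internet zone" taint described in the comment above is stored by Windows as a Zone.Identifier alternate data stream on the saved file. The following is an added example, not part of the original thread: it parses that stream and sorts an attachment into a triage bucket. The sample stream contents, the bucket names and the example host are constructed for illustration.

```python
import configparser

# Zone numbers Windows writes into the Zone.Identifier stream.
ZONES = {0: "local machine", 1: "local intranet", 2: "trusted sites",
         3: "internet", 4: "restricted sites"}

def read_zone_stream(path):
    """Return the raw Zone.Identifier stream of a file, or None if it has none.
    Works on NTFS under Windows; elsewhere the open fails and None is returned."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def parse_zone_identifier(text):
    """Return the integer ZoneId from stream text, or None if it is malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))   # tolerate a leading BOM
        zone = parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None
    return zone if zone in ZONES else None

def classify(stream_text):
    """Map stream text (None = no stream) to a constructed triage label."""
    if stream_text is None:
        return "no-mark"            # absence of a mark is not proof of a safe origin
    zone = parse_zone_identifier(stream_text)
    if zone is None:
        return "malformed-mark"     # treat like untrusted until inspected
    return "untrusted-origin" if zone >= 3 else "trusted-zone"

# Constructed sample stream contents (not taken from any real file).
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "HostUrl=https://mail.example.invalid/get?id=100%25\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\nZoneId=1\n"
SAMPLE_BROKEN = "ZoneId=3\n"        # section header missing

if __name__ == "__main__":
    for name, text in [("internet", SAMPLE_INTERNET), ("intranet", SAMPLE_INTRANET),
                       ("broken", SAMPLE_BROKEN), ("unmarked", None)]:
        print(f"{name:10s} -> {classify(text)}")
```

On a Windows host, `classify(read_zone_stream(path))` applies the same check to a real file.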
Actually no. Although the term shares its origin with the ethnonym "Deutsch", in the local dialect of English spoken there, it's "Pennsylvania Dutch". Not idiots. Just not speaking your idiolect.
Installation was fantastic. When Flash was new under Macromedia, I remember it being only 300K, and it installed immediately without a reboot or restarting the browser. Java at the time weighed in at (I believe) over 12MB and required a reboot. So did most other media players.
Games. Casual gaming on the PC owes itself almost entirely to Flash. Java sucked, and the alternative was to download and install an EXE, which could do just about anything to your PC. Flash made it possible to run games instantly, directly, without an install, on both PC and Mac. It was the Steam of the day, and worked when everything else failed miserably.
Cartoons. Doing stuff in vectors reduced bandwidth a thousandfold. Say what you want about HTML5 and movie codecs, but if you want to do vector animation, Flash is still your only option.
Educational apps. Ever been to a tech site where they have some kind of visual interactive application to show how the technology works? Java should have dominated in this area, but installing Java was painful, the download was huge, and at one time, Java applets couldn't play audio, because that was considered a security violation. Yes, in an attempt to crack down on the annoying audio and MIDI craze, Java banned all audio in applets for a while. No wonder tech sites dumped Java and went to Flash for their presentations.
Say what you will of closed-source, proprietary media players, but all things that tried to compete with Flash have royally sucked. Flash is most definitely useful, and will continue to exist until HTML stops being garbage (which may take another 10 years or so -- if ever).