New Adobe Flash Vulnerabilities Being Actively Exploited On Windows and OS X

Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."

Are there non-malicious uses?

[fuzzyfuzzyfungus]

I realize that implementing embedded flash objects in Office documents was probably something that mostly happened because Microsoft wanted OLE to make embedding arbitrary stuff in arbitrary stuff happen(unlike Adobe's sick fetish for inserting horrible things into PDFs, which is their own damn fault); but do Flash embeds in Office documents actually occur, in the wild, as something people would actually do and distribute, for anything other than malicious purposes? I honestly can't remember ever having seen a single one, ever.

And replace it with what?

[popo]

And replace it with what? The atrocity also known as HTML5 which is not write once run anywhere, is an absolute bear to code and despite the hype is nowhere near suitable for gaming yet?

There's a reason Flash is the world's most popular online multimedia platform. It's not without issues, but it is lacking a worthy contender.

Re:And replace it with what?

[Billly+Gates]

Yep. HTML 5 can offer hardware acceleration on pretty much any mobile device.

The reason for flash was that Java was an ugly POS and people did not want to wiat a full minute for their ugly applets to load while flash was all nice and pretty and loaded instantly.

Flash also exists because of IE. Old IE I may add as IE 9 and IE 10 got their act together and support the HTML 5 video tags. When IE 10 comes out for Windows 7 and XP goes EOL we will see a shift in websites catering to HTML 5 users making flash obsolete for all but the conservative businesses.

Re:And replace it with what?

[amicusNYCL]

Can you tell us what that is?

Like he said, it doesn't have a viable feature-comparable alternative.

For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.

Cool story. Meanwhile, even here in 2013, our company started in 1996 is still selling new Flash-based learning courses to companies and government agencies worldwide, and they're still ordering new ones. It's easy for the artists to work in, the code to run the courses hasn't need to be patched or updated in several years, and the major time expense is still having people write the actual instructional content.

Re:And replace it with what?

[gstoddart]

I block Flash ads as well, but it's completely myopic to suggest that they don't provide "value" for website owners.

Yeah, but is it of value to users? It isn't for me, and I'm not here to provide value for website owners. As a user, requirement for flash means the back button.

Flash is used for adverts because it works. Deal with it.

Flash gets blocked/not even installed by me an other users because it's crap. Deal with it.

I'm not going to allow Flash ads for any reason -- and if the only thing of value is for ads, that pretty much is what I already thought.

For video, I've yet to see a HTML5 player that works as well as Flash

Maybe it's my age showing, but the number of times I feel like I want to watch a video on the internet is vanishingly small. As in, I have no idea the last time I cared enough to watch a video on the internet. Same for games.

I don't give a rats ass if other people want to run Flash -- run wild, it's your computer. But I'd be hard pressed to name a single thing that has ever made me think "gee, I've been missing out by not having Flash".

Re:And replace it with what?

[westlake]

For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.

You're entitled to your opinion.

But Flash remains a remarkably viable platform with mature development tools for animation, video and games. Amanita Design comes vividly to mind with games like Samorost, Machinarium, and Botanicula.

Animation in adds and badly designed websites don't go away simply because their developers have migrated to HTML5.

My report: 6 months without using Flash

[hessian]

Some time ago, after the last round of Flash exploits, I de-installed it and resolved to live without it.

There are glitches: I can't get most video content, and Flash-only sites are inaccessible. However, this ended up being not a big issue.

One reason for this is that many YouTube videos play in HTML5 on Firefox. (If you find a video you can't play, try embedding it; this sometimes produces a workable version.)

Overall, the playback on HTML5 is better than Flash. There are fewer random slowdowns and stall-outs. On the downside, not every video is in HTML5.

The most amazing this is that browser crashes have dropped to near zero, either one or zero during this time. Most of what I thought was FF and Opera being buggy was in fact Flash being buggy.

There's not yet enough content switched to HTML5 from Flash to navigate everything, but during my 6 months without Flash, I've noticed that more firms are going away from the Flash-only navigation school of design.

YMMV. For me, life without Flash has been better, although I do miss out on some things.

Re:Huh?

[_xeno_]

As far as I can tell, the Flash updater only bothers to check for an update when the computer first boots.

Because everyone here constantly reboots their computer, right? I mean, it's not like most computers have sleep modes, and that most people just leave the OS running so they don't have to wait for it to boot. Clearly everyone constantly reboots their computer, once per day, to allow the Adobe Flash Updater to check for updates.

Windows secure, OS X not so much.

[benjymouse]

We see here how the Windows platform has been battle hardened to the point where the attackers have to resort to lower-yield secondary attacks. Head-on attacking Flash on Windows does not get the attacker very far because of the security advancements such as Mandatory Integrity Control (MIC). That's why the attackers try to exploit it in contexts where MIC does not prevent system infection, such as through older versions of Microsoft Word through emails.

OS X is still wide open to such head-on attacks when a vulnerability exists, especially Firefox because Mozilla has steadfastly refused to put in place a proper sandboxing barrier. Even Safari has some sandboxing in the latest version of OS X.

Firefox not. A vulnerability in Firefox or one of its plugins means significant risk of successful exploits.

Flash on Windows executes in a low-integrity process. Even if a Flash vulnerability is exploitable and shellcode gets to execute in the Flash host process, it still cannot write anywhere or interact with higher integrity objects because of mandatory integrity control (MIC) which was introduced with Vista.

The upshot: Attackers have to try secondary routes on Windows where the conversion rates are much, much lower. And this specific attack vector will not work on Word (or other Office applications) since Word 2010. Since the 2010 versions, internet downloaded documents are also opened in low-integrity mode, meaning that even here the shellcode would be similarly restricted.