New Adobe Flash Vulnerabilities Being Actively Exploited On Windows and OS X

Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."

Re:And replace it with what?

[Billly+Gates]

Yep. HTML 5 can offer hardware acceleration on pretty much any mobile device.

The reason for flash was that Java was an ugly POS and people did not want to wiat a full minute for their ugly applets to load while flash was all nice and pretty and loaded instantly.

Flash also exists because of IE. Old IE I may add as IE 9 and IE 10 got their act together and support the HTML 5 video tags. When IE 10 comes out for Windows 7 and XP goes EOL we will see a shift in websites catering to HTML 5 users making flash obsolete for all but the conservative businesses.

My report: 6 months without using Flash

[hessian]

Some time ago, after the last round of Flash exploits, I de-installed it and resolved to live without it.

There are glitches: I can't get most video content, and Flash-only sites are inaccessible. However, this ended up being not a big issue.

One reason for this is that many YouTube videos play in HTML5 on Firefox. (If you find a video you can't play, try embedding it; this sometimes produces a workable version.)

Overall, the playback on HTML5 is better than Flash. There are fewer random slowdowns and stall-outs. On the downside, not every video is in HTML5.

The most amazing this is that browser crashes have dropped to near zero, either one or zero during this time. Most of what I thought was FF and Opera being buggy was in fact Flash being buggy.

There's not yet enough content switched to HTML5 from Flash to navigate everything, but during my 6 months without Flash, I've noticed that more firms are going away from the Flash-only navigation school of design.

YMMV. For me, life without Flash has been better, although I do miss out on some things.

Re:And replace it with what?

[westlake]

For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.

You're entitled to your opinion.

But Flash remains a remarkably viable platform with mature development tools for animation, video and games. Amanita Design comes vividly to mind with games like Samorost, Machinarium, and Botanicula.

Animation in adds and badly designed websites don't go away simply because their developers have migrated to HTML5.

Windows secure, OS X not so much.

[benjymouse]

We see here how the Windows platform has been battle hardened to the point where the attackers have to resort to lower-yield secondary attacks. Head-on attacking Flash on Windows does not get the attacker very far because of the security advancements such as Mandatory Integrity Control (MIC). That's why the attackers try to exploit it in contexts where MIC does not prevent system infection, such as through older versions of Microsoft Word through emails.

OS X is still wide open to such head-on attacks when a vulnerability exists, especially Firefox because Mozilla has steadfastly refused to put in place a proper sandboxing barrier. Even Safari has some sandboxing in the latest version of OS X.

Firefox not. A vulnerability in Firefox or one of its plugins means significant risk of successful exploits.

Flash on Windows executes in a low-integrity process. Even if a Flash vulnerability is exploitable and shellcode gets to execute in the Flash host process, it still cannot write anywhere or interact with higher integrity objects because of mandatory integrity control (MIC) which was introduced with Vista.

The upshot: Attackers have to try secondary routes on Windows where the conversion rates are much, much lower. And this specific attack vector will not work on Word (or other Office applications) since Word 2010. Since the 2010 versions, internet downloaded documents are also opened in low-integrity mode, meaning that even here the shellcode would be similarly restricted.