Adobe Flash Remote Code Execution Flaw Exploited In the Wild
An anonymous reader writes "Adobe has released an emergency patch for a critical vulnerability affecting Flash Player for Windows, Linux, and OS X, the exploitation of which can result in an attacker gaining remote control of the victims' systems. The flaw is being actively exploited in the wild, but apart from crediting its discovery to researchers Alexander Polyakov and Anton Ivanov of Kaspersky Labs, no details about the ongoing attack have been shared."
They even updated the explicitly unsupported NPAPI GNU/Linux version.
A security flaw in Flash? Really? How surprising.
How far away are we from gaining a critical mass of websites that don't necessarily need Flash anymore, with the arrival of HTML 5? How long before the scale tips?
Adobe Flash has been a security hole for at least 10 years now.
That people still use it (or install it) boggles the mind.
I won't even install it on my machines.
Lost at C:>. Found at C.
+ standard user account and stop using XP.
Common sense folks.
Using a modern IE and Chrome is also a great defense. Firefox has no lowrights mode and is therefore not fully sandboxed even under a standard user account. As much as I prefer Firefox as of late, I can tell you from experience that those whose email accounts get hacked almost always use that browser. Hairyfeet mentioned this too in his journal with yahoomail sending out spam when browsing porn. Lowrights mode only works in Windows Vista or later so dump XP too if you need to be extra safe with extra kernel level sandboxing, ASLR, and additional DEP.
Chrome is nice in that its flash in Pepper has extra protection as well.
I recommend flashblock. I can still watch videos on youtube. I just need to click on it.
Adblock plus gets rid of questionable advertiser networks too that are known to be hacked by Russian mob folks so that ad video for toothpaste may have malware in a buffer overflow.
I personally do not use noscript as this would kill the web. Without javascript it is not useful and a big fucking pain in the ass UAC style to enable for each site. Enabling it makes you vulnerable all over again. But if you are willing to put up with it, it does a lot too.
Of course run an AV product. I know those with a smile say they are proud not to run it but I bet you $$$ 90% are infected and have banking trojans and God knows what else. Avast and Avira do not use hardly any cpu cycles or slow disk. The days of crappy Norton 360 slowing your system down to a 386 level are done mostly.
http://saveie6.com/
Looks like it's already out for Ubuntu
to check and see your version:
http://www.adobe.com/software/...
Not even sure it would help not knowing how this exploit works, but I've tended to disable all plugins from running on page load, rather on demand when I click. Similar to NoScript/FlashBlock addons. You can then whitelist the sites that you want to allow to have Flash on load. http://lifehacker.com/5685352/... Wonder what percentage of exploits center around Flash / Acrobat. Thanks Adobe! If you're not tricking me into installing unwanted toolbars you're exposing my computer to malicious twats.
It seems like just a few months ago... http://tech.slashdot.org/story...
"They even updated the explicitly unsupported NPAPI GNU/Linux version. "
Afraid of pissing off one of the GNU zealots?
Let's just stop bagging on Adobe... At the least they are taking ownership of the issues they have
Are they? Have they run the Flash codebase through any of the half-dozen excellent source code analysis tools with a security team looking for undiscovered vulnerabilities? Are they being proactive at all?
It's closed source, so we don't know, but perhaps a third-party could certify their efforts and we really could become Adobe supporters.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
No software in common use today is mathematically proven to be correct; therefore, all software is buggy.
The most likely place for bugs is in error handling code, because no matter how many tests you write it is impossible to simulate every possible error condition.
We hope that everyone walking into a store doesn't steal something. Only a tiny minority do but a much larger number could get away with it.
The same goes for software. Any halfway decent programmer can find bugs in error handlers. If he chooses to be a whore, then he uses that skill to make money for criminal gangs or in some cases for anti-malware companies. Programmers who are not whores write actual new and useful software, and usually get paid enough that they can lead fairly happy lives. But it always helps to program defensively. Make your error handling just a bit better than the next piece of software. It will never be perfect. But as a society we count on the fact that nearly all people don't try to use whatever particular knowledge they've acquired to screw you over. Programmers are especially moral. We could bring society to its knees if we wanted to, but we prefer to make the world better.
I don't blame Adobe for the bugs. Millions of people are using this software and probably a dozen or two as I put it whores are in league with criminal gangs trying to sell you boner pills and the like. This handful of people aren't the ones finding new classes of exploits. That is a good function of security researchers. These people are instead likely just exploiting old, known, and quite ordinary bugs.
Recommending any proprietary software to do any task is recommending a security hole. It's trivially easy for any proprietor to include code that spies on you, as computer programmers have long known and Edward Snowden has shown us again. No amount of experience running proprietary software will tell you what you need to know to fix its problems, share your fixes with others, hire others you have good reason to trust to fix problems on your behalf, or even allow someone you have good reason to trust to inspect the program to see if anything needs to be fixed (they're forbidden to do this work for the same reason you are). Picking one proprietary anti-virus program over another, picking one proprietary browser over another, or picking any proprietary program over another proprietary variant of the same kind of program is merely choosing your master. You cannot arrive at a trustworthy solution in this way.
Instead you should choose free (libre) software for your OS, your firmware (via Coreboot), and for all the software you run atop that system. Eschew services that require you to adopt non-free software and gain more control over your computer. The Free Software Foundation's Respects Your Freedom recently added a computer that meets these criteria. We should help them and help free software hackers write more free software to do the jobs we need to be done.
Digital Citizen
Are the browsers providing sufficient sandboxing, or is the situation the same as it's been for the last 10 years? Does this Flash vulnerability require another vulnerability in the browser ecosystem that has already been blocked in current versions?
Interesting. I just checked: the Flash bundled with my Chrome is the older version (but it's sandboxed to some extent). So then I opened up Firefox and checked the plugin version, and discovered it was already at the newest patched version. I don't recall any update, so I guess the Flash Player plugin updated itself in the background without me noticing, and actually managed to do that faster than Chrome did. Impressive!
Is Flash -designed- to be impossible to sandbox? Cannot the browser vendors force Adobe to bend and set up their plugin to be easier to sandbox? I don't understand why this is still a problem after all these years.
Complete FUD.
Yes by default it lets some non intrusive ads with a good security record. Follow the link above and it will disable all ads. I will let some in that I know that are safe to make sure websites get their bills paid. Just not ones that blast commercials and install malware.
http://saveie6.com/
> Let's just stop bagging on Adobe...
1. When I have to work around some bullshit because the image editor I paid for (b)locks me from even viewing what it thinks are high resolution scans of money ... Adobe can fuck off.
* https://www.google.com/search?...
* http://en.wikipedia.org/wiki/E...
* http://www.rulesforuse.org/pub...
2. When they start charging "rent" for software as a service ... Adobe can fuck off.
* Source: http://news.cnet.com/8301-1001...
Translation: We're going to gouge customers whether they like it or not. $ucker$!
So no, we'll stop bagging on Adobe's crap once they stop being dicks not before.
Just keep in mind Flash is a target due to its ubiquity. The same applies to (desktop) Windows, IE and Android. That's not to say these products are without flaw. After all, they're software - of course they have flaws. It's just there's far more people looking for these flaws than in, say, OSX.
No colour or religion ever stopped the bullet from a gun
There’s a word for that, and “proactive” isn’t the word. Close, but off by three letters.
I certainly can’t prove they haven’t taken these steps, but considering Microsoft made a BigThing years ago when they sent all their developers to security school and focused on Windows security (for what that was worth), you’d think Adobe might also want to highlight the fact if they had taken some significant active step to secure Flash. Given the number of “outside 3rd parties” who seem to have little trouble finding exploitable bugs in Flash without the source, you’d think the folks with the source might be able to do a bit better.
I regard Flash (and other plugins) at about the same level I do firewall vendors. The browser itself is (relatively) immune to running executable code from the outside (yes, there have been bugs, but in terms of numbers they’re comparatively few). Plugins like Flash circumvent much of the security model by allowing executable code (albeit bytecode) to be downloaded and run by untrusted third parties with little chance for the user to decide whether to run it or not.
Adobe markets Flash as a way to allow dynamic code to execute in a safe & secure manner. Publishing software whose sole intent is to allow remote code execution should hold Adobe to a much higher standard to make sure that the holes they’ve opened are done in a controlled and secure way. They don’t have a great track record living up to that responsibility.
It's pretty obvious that Flash has become one of those legacy products where there are only two guys in the entire company that know their way around the codebase. Both have developed chronic alcoholism from maintaining this disaster of a product for so long.
We need an alternative to Flash. An open source alternative which can be forked and maintained by anyone for years and years to come. Something without royalties, patents, trademarks and is free to use and modify by whoever wants to and can be implemented into the browser without fear of imprisonment, death or legal embroilment.
Join the Slashcott! Feb 10 thru Feb 17!
here.
Basically by default it filters the bad ads. However you can filter all ads if you wish and that option is there. I like this method as to reward SOME advertisement if done properly to support websites.
Also the bad guys can simply get another host so your hostfile will always be out of date.
http://saveie6.com/
All the other software companies have fixed all of their security flaws. What is wrong with Adobe? If it wasn't for Flash the internet would be 100% secure.
I assume the sarcasm tags are not needed.
No, but how many of those critical security flaws allow an attacker to remote control my machine? In this day and age, this shouldn't be happening considering what we know now, yet it does and the same problems still exist today as they did 10-15 years ago.
No, you don't have to install the bloatware - the browser includes the bloatware!
It's really a shame that Adobe didn't try to create a more open flash platform (the player and spec)... When Adobe bought Macromedia, I'd really hoped that flash would become a package bundle+manifest for SVG + JavaScript/ActionScript and a couple of other files in a zip archive. Flex was a pretty decent toolset, and Flash itself a decent content creation tool for animation, and simple interactive applications and simulations. It's still widely used for training materials, and it takes 3-5x the effort to get similar results with HTML5 still...
If Adobe had stepped up here and opened the specification itself, and continued to make the tooling, they would still make just as much money, and the browsers could have integrated far better, less buggy support.
Michael J. Ryan - tracker1.info
Slashdot has taken the obvious next step and adopted Flash as the new interface for beta.slashdot.org! Adobe, the Industry leader of web technologies, hailed Dice Holdings, Inc. on their commitment to innovation and is in works with Dice to create a premium Dice Toolbar [TM] to further enhance the two companies' browsing authority.
plug that same URL into, for example, an iPhone and an iPad and the desired content ALWAYS loads.
Not always. When I navigate to some YouTube videos on my first-generation Nexus 7 tablet, sometimes I get "The content owner has not made this video available on mobile. Add to playlist to watch it later on a PC." This is even more common on Vimeo.
So which is worse, the virus exploiting Flash security hole, or McAfee anti-virus which they try to trick you into installing when you update Flash?
The most popular casual games for iOS are not Flash (unless you count AIR). Nor are the most popular casual games for Android.
Man, and about those third-party gate crashers. Mind if I bring a friend? How about a friend of a friend? How about a friend of a friend of a friend of a friend? Don't worry, he won't do drugs [...] Does anyone who ever attended high school think this is a good security model?
PGP fans seem to think so, and they call it the "web of trust".
I've seen 3D engines in Flash running on machines for which get.webgl.org displays only "Hmm. While your browser seems to support WebGL, it is disabled or unavailable. If possible, please ensure that you are running the latest drivers for your video card." The latest versions of Internet Explorer and Safari don't support cameras at all without Flash, and it's prefix hell on every other browser, meaning each web application has to be written once using "-moz" prefix for Firefox and once using "-webkit" prefix for Chrome.
If you're referring to the use of "GNU/Linux" rather than just "Linux", I would guess the use of "GNU/Linux" was intended to contrast desktop Linux, for which this fix was released, with Android, for which support had been terminated even earlier.
However I don't see anyone switching to the Harvard Architecture anytime soon
Modern processors already run a "modified Harvard architecture" with separate instruction and data caches. A purist would not even allow code to be copied from storage into RAM. A strict W^X policy, such as that implemented in iOS, would ban any JIT engine. And besides, executing code from the stack or heap is old and busted; a newer practice is return-oriented programming, which uses the "return from subroutine" instruction as a threaded code interpreter. All code in a return-oriented program runs from executable memory, just in a different order.
There is formal verification, which allows assertions to be proven about a program, but it is generally deemed too expensive to use with commercial off-the-shelf software.
It’s possible that an OS level sandbox beyond the browser (like OS X AppSandbox, Linux AppArmor, SELinux, etc.) might be able to contain an exploit within Flash, limiting it to a user account or a directory; but that would take some careful crafting in terms of OS sandbox configuration.
Then I guess exploits like these are the operating system publisher's fault for not exposing an API that lets a web browser program create and configure a suitable jail for its plug-ins.
2) Start Cookie Clicker, play for a while, hire a couple grandmas, open the menu, and click "Export save". What you see is a JavaScript prompt box, which your web application can create using code like the following. Try it now by copying it into your browser's JavaScript console:
window.prompt("Copy this and paste it somewhere safe","Nobody desires pain for the sake of pain, but people endure it as part of seeking pleasure.");
One limit is that a prompt box does not support newlines; you'll need a custom lightbox for that.
3) Cookie-clicking games have already moved to HTML5.
Other uses of Flash Player include:
4) 3D graphics in web browsers that don't implement WebGL, like Safari and IE pre-11, or on machines whose video card driver is incompatible with the WebGL implementation of the installed browser, like Firefox on Linux on an Atom N450 laptop
5) Camera access in web browsers that don't implement the Stream API, like Safari and IE
[Availability of mobile games] doesn't change anything when people are on their PC
The Android SDK includes a device emulator that lets the user use a mouse to generate touch events. But more importantly, any 2D Flash game can be recreated in HTML5 unless a developer expects a lot of players stuck on IE 8 with no privileges to install Chromium or Firefox, and with Windows XP becoming officially insecure in 61 days, that's set to decline rapidly. Cookie Clicker is HTML5, as are most of the incremental games inspired by it.
or don't have a large screen tablet with keyboard and mouse accessories (many games categories are not suitable for mobile screen, or touch).
It doesn't have to be a full alphabetic keyboard accessory; it can also be a clip-on Bluetooth gamepad. Some clip to the bottom, making a phone look like a Game Boy Advance SP or an Xperia Play. Others clip to the sides, making the phone look like an original Game Boy Advance or a PlayStation Vita. The gamepad can substitute for the keyboard in genres other than interactive fiction, and the touch screen can substitute for the mouse much as it does in Metroid Prime Hunters for Nintendo DS.
Flash web games, which importantly also are mostly free while the good iOS/Android ones are mostly paid or free versions that is not the full game.
I imagine that the iOS web games tend to be paid more often because owners of iPhone and iPad devices tend to be more affluent and thus more willing to pay for entertainment. In addition, Apple always launches the iTunes Store in a country before selling iOS devices there, unlike Android which launched in several countries with only free apps available. But anyway, how do Flash and HTML5 game developers feed themselves? If ads, then there are ads in Android games too.
Is that you, Steve Gibson?