Slashdot Mirror


Adobe Flash Remote Code Execution Flaw Exploited In the Wild

An anonymous reader writes "Adobe has released an emergency patch for a critical vulnerability affecting Flash Player for Windows, Linux, and OS X, the exploitation of which can result in an attacker gaining remote control of the victims' systems. The flaw is being actively exploited in the wild, but apart from crediting its discovery to researchers Alexander Polyakov and Anton Ivanov of Kaspersky Labs, no details about the ongoing attack have been shared." They even updated the explicitly unsupported NPAPI GNU/Linux version.

24 of 187 comments

  1. Shocking by sunderland56 · · Score: 5, Funny

    A security flaw in Flash? Really? How surprising.

    1. Re:Shocking by tbuddy · · Score: 4, Informative

      You really can't compare it to other plugins. It's such a far leader in being the worst that it is like comparing stepping on an ant to the holocaust.

      I don't think Adobe could really just decide not to fix this and ignore the researchers who brought it up. Hardly something to praise.

    2. Re:Shocking by ColdWetDog · · Score: 3, Funny

      Godwin in one, two -- three posts!

      A winner!

      --
      Faster! Faster! Faster would be better!
    3. Re: Shocking by nnull · · Score: 2

      Don't forget to install McAfee bundled with your flash update! Because that will help you!

  2. Not much longer? by HetMes · · Score: 3, Insightful

    How far away are we from gaining a critical mass of websites that don't necessarily need Flash anymore, with the arrival of HTML 5? How long before the scale tips?

    1. Re:Not much longer? by gtirloni · · Score: 2

      A lot of Youtube content is not available in HTML5 yet. Plus, all the famous Zynga games use Flash.

      --
      none
    2. Re:Not much longer? by gtirloni · · Score: 2

      Look at IE6 declining curve... Flash will probably be worse than that.

      --
      none
    3. Re:Not much longer? by Billly+Gates · · Score: 2

      Thank your corporate IT masters for using IE 8.

      As long as IE 8 is still supported, webmasters will refuse to let Flash die. Since they support IE 8, it gives no incentive to the corps for leaving IE 8, and it is a cycle all over again where IE 8 is the IE 6 of this freaking decade.

      Also, 5 years ago is when YouTube first supported HTML 5 H.264 videos. Still to this day 50% of the videos won't work without Flash. Sigh. Worse, if you try to go in without it, a big red banner says "FLASH NEEDED". Ignorant computer users will see this and click the link without testing videos first. They do not know what H.264 or HTML 5 is. Just that YouTube says you need Flash etc.

    4. Re:Not much longer? by Chris+Mattern · · Score: 5, Funny

      A lot of Youtube content is not available in HTML5 yet. Plus, all the famous Zynga games use Flash.

      Yet more arguments against having Flash, then.

    5. Re:Not much longer? by pixelpusher220 · · Score: 2

      Yet more arguments against having Flash, then.

      Quite a...wait for it....Zynger! :)

      --
      People in cars cause accidents....accidents in cars cause people :-D
    6. Re:Not much longer? by Chris+Mattern · · Score: 5, Funny

      Why do we necessarily need flash right now?

      Because he'll save every one of us!

    7. Re:Not much longer? by MisterSquid · · Score: 2

      A lot of Youtube content is not available in HTML5 yet. Plus, all the famous Zynga games use Flash.

      This is simply untrue. This is the experience if you have Flash unavailable on a desktop browser but plug that same URL into, for example, an iPhone and an iPad and the desired content ALWAYS loads.

      The failure to deliver HTML5-compliant content on YouTube to desktop browsers is a strategy on Google's part and has nothing to do with the availability of HTML5 content.

      --
      blog
  3. For crying out loud ... by gstoddart · · Score: 2

    Adobe Flash has been a security hole for at least 10 years now.

    That people still use it (or install it) boggles the mind.

    I won't even install it on my machines.

    --
    Lost at C:>. Found at C.
    1. Re:For crying out loud ... by Anonymous Coward · · Score: 2, Interesting

      But iDevices couldn't view "the whole web" (though Android can't either now) because Apple wouldn't let this exploit vector on iOS. Seems Steve Jobs really was pretty smart to tell Adobe to fuck off with their bloated malware.

    2. Re:For crying out loud ... by Anrego · · Score: 4, Interesting

      Agree.

      I'm a long time apple hater, but when I read that letter regarding flash, I was nodding the whole time.

      Flash is a pile of junk, and if they are going to go all walled garden, flash seems a great thing to keep out of said garden.

    3. Re:For crying out loud ... by DougOtto · · Score: 2

      That's a convenient position to take, but sometimes you don't have a choice. VMware, for example, requires Flash for their web client while at the same time removing functionality from their thick client. I can either take a philosophical stand or I can do my job.

      --
      Solving Unix problems since 1989...
    4. Re:For crying out loud ... by TheloniousToady · · Score: 2

      Seems Steve Jobs really was pretty smart to tell Adobe to [expletive] off with their bloated malware

      Or, maybe he was just smarting from Adobe's prior treatment of Apple, as Walter Isaacson and others have reported.

    5. Re:For crying out loud ... by mlts · · Score: 2

      If I -have- to use Flash, I fire up a VM that has a normal (no admin access) user account and run it under a sandboxed Web browser. That way, if/when an exploit happens, it would have to be a very good one to get out of the sandbox and a full context as a user, get Administrator rights, then bash the hypervisor to get out of that.

      Not 100%, but it is easy to use, and when done, a closing of the VM rolls all changes back.

  4. flashblock, ghostry, adblock, noscript, etc by Billly+Gates · · Score: 2

    + standard user account and stop using XP.

    Common sense folks.

    Using a modern IE and Chrome is also a great defense. Firefox has no low-rights mode and is therefore not fully sandboxed even under a standard user account. As much as I prefer Firefox as of late, I can tell you from experience that those whose email accounts get hacked almost always use that browser. Hairyfeet mentioned this too in his journal, with Yahoo Mail sending out spam when browsing porn. Low-rights mode only works in Windows Vista or later, so dump XP too if you need to be extra safe with extra kernel-level sandboxing, ASLR, and additional DEP.

    Chrome is nice in that its Flash in Pepper has extra protection as well.

    I recommend Flashblock. I can still watch videos on YouTube. I just need to click on it.

    Adblock Plus gets rid of questionable advertiser networks too that are known to be hacked by Russian mob folks, so that ad video for toothpaste may have malware in a buffer overflow.

    I personally do not use NoScript as this would kill the web. Without JavaScript it is not useful, and it is a big fucking pain in the ass, UAC style, to enable for each site. Enabling it makes you vulnerable all over again. But if you are willing to put up with it, it does a lot too.

    Of course, run an AV product. I know those with a smile say they are proud not to run it, but I bet you $$$ 90% are infected and have banking trojans and God knows what else. Avast and Avira hardly use any CPU cycles or slow the disk. The days of crappy Norton 360 slowing your system down to a 386 level are mostly done.

  5. Re:Ghostery & Adblock = Inferior + 'souled-out by Billly+Gates · · Score: 2

    Complete FUD.

    Yes, by default it lets in some non-intrusive ads with a good security record. Follow the link above and it will disable all ads. I will let some in that I know are safe to make sure websites get their bills paid. Just not ones that blast commercials and install malware.

  6. Re:Adblock doing FAR LESS & worse by Billly+Gates · · Score: 2

    here.

    Basically, by default it filters the bad ads. However, you can filter all ads if you wish, and that option is there. I like this method as it rewards SOME advertisement, if done properly, to support websites.

    Also, the bad guys can simply get another host, so your hosts file will always be out of date.

  7. Re:PC editors by linuxrocks123 · · Score: 2

    It's simply a wrong comment. The NPAPI version of Flash is _NOT_ unsupported. 11.2 is the last version that will be made available as an NPAPI Linux plugin, but Adobe plans to keep fixing security issues in the 11.2 version plugin indefinitely.

    ---linuxrocks123

    --
    vi ~/.emacs # I'm probably going to Hell for this.
  8. Adobe Flash now rendering beta.slashdot.org! by tokiko · · Score: 2

    Slashdot has taken the obvious next step and adopted Flash as the new interface for beta.slashdot.org! Adobe, the industry leader of web technologies, hailed Dice Holdings, Inc. on their commitment to innovation and is in the works with Dice to create a premium Dice Toolbar [TM] to further enhance the two companies' browsing authority.

  9. Re:Devil's avocado by hairyfeet · · Score: 3, Insightful

    The real bitch and a half is because everybody in the press (including many here sadly) were busy kissing Steve Jobs' ass we have NO alternative, none at all.

    HTML V5 is as proprietary as hell, a clusterfuck, which of course was the point, as Jobs didn't want anything like Flash games competing with his crappstore (and he was damned smart for doing that, as games make more money than anything else by something like 8 to 1), with H.26x being a boat anchor performance-wise compared to Flash. Seriously, try out any video in Flash + VP6 and compare it to HTML V5 H.26x, disable hardware acceleration (which is a bandaid designed to cover up how big a pig H.26x is), and look at the numbers yourself. I can tell you that I can run SD DVD-quality video all day long on a 2003 Sempron or a 2011 middle-of-the-road smartphone in Flash, but H.26x? Anything less than a Pentium D or a dual-core smartphone, it's a slideshow. And this isn't even getting into the fact that the shit Jobs feared, like games and animation, is beyond pathetic in H.26x precisely because Jobs didn't want anything that could compete. Why isn't anybody bitching about this?

    Is Flash buggy? Sure is. Do we have an alternative, something capable of giving us everything Flash did while having better security and performance? NO WE DO NOT, and the simple fact that several years after Jobs first pulled that shit we STILL don't have an actual functional replacement should PISS PEOPLE OFF, and rightly so! At least with Flash it ran nearly everywhere on everything, that is until St Steve killed the thing by saying "Thou shalt not be on iPad", and what did it get us? A fucking mess, with some sites working on some phones but not others, too God damned many proprietary "apps" to bring you content simply because without Flash there isn't any other way to do the things Flash did. It's a giant fucking mess... but Apple is making bank, which was the whole damned point. Sigh, can we start over and this time NOT let a corp with a giant conflict of interest call the shots, please?

    BTW, how many of you are planning to split when they force us onto that shitstain that is /. beta? I don't know about you, but if I wanted another tweeting twits for shits I'd be on Reddit. The thing is a mess, it looks like shit, hard to follow flow, comments even more broken, obviously designed for pads (which I bet my last buck is less than 3% of the daily readership of this site). It is the Windows 8 of the web!

    --
    ACs don't waste your time replying, your posts are never seen by me.