Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Zero-Day Flash Bug Affects Windows, OS X, and Linux Computers

Posted by Soulskill on from the you-can-count-on-flash dept.

An anonymous reader writes "Researchers at the Kaspersky Lab have uncovered a zero-day Adobe Flash vulnerability that affects Windows, OS X, and Linux. 'While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well.' Adobe has reportedly patched the bug for all platforms. Researchers first detected the bug from attacks performed on seven Syrian computers. The attacks seem to have been hosted on the Syrian Ministry of Justice website, which has led to speculation that these are state-sponsored vulnerability exploits. This speculation is further supported by evidence that one of the exploits was 'designed to target computers that have the Cisco Systems MeetingPlace Express Add-In version 5x0 installed. The app is used to view documents and images during Web conferences.'"

21 of 178 comments (clear)

  1. Long story short by Anonymous Coward · · Score: 5, Insightful

    flash is equally bad on all platforms web guys please stop using it.

    1. Re:Long story short by powerlord · · Score: 5, Funny

      flash is equally bad on all platforms web guys please stop using it.

      Hey ... look at the upside, feature parity across Windows, OSX and Linux ... even for bugs and exploits.

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    2. Re:Long story short by popo · · Score: 2, Insightful

      Yawn... "another HTML5 is almost there" post. Technology is either here or it's vapor. .. And it's not here.

      --
      ------ The best brain training is now totally free : )
    3. Re:Long story short by gstoddart · · Score: 2

      So, it's the least terrible solution (which is debatable) so therefore it's good?

      Sorry, but Flash has been a giant security hole for about as long as it has existed.

      You want to play casual games in Flash, that's your choice.

      But I've been happily avoiding Flash for a decade or so, and have yet to find a single website I cared enough about to install Flash. Occasionally I need to use it for work, which means a very specific machine, running IE -- which is only used for these kinds of garbage that HR thinks I'm required to use.

      If I hit a page which gives me nothing but "You need Flash to run this site", all it's ever going to see from me is the back button.

      --
      Lost at C:>. Found at C.
    4. Re:Long story short by fuzzyfuzzyfungus · · Score: 4, Funny

      flash is equally bad on all platforms web guys please stop using it.

      Will nothing please you whiners? The Adobe Exploit Runtime offers simultaneous support across Windows, OSX, and Linux for a cutting edge vulnerability, and do we hear even a whisper of credit?

    5. Re:Long story short by perpenso · · Score: 3, Interesting

      Right. And the only reason that the "desktop class" A7 isn't running Flash is because it's a threat to Apple's business model.

      Actually it was considered a massive security hole. This article seems to validate that opinion. Yeah, I know, there was ample evidence for that opinion back in the day too.

    6. Re:Long story short by Dixie_Flatline · · Score: 4, Insightful

      One of the best things Steve Jobs ever did for the security of computing around the world is slowly crush Flash under his heel.

      It's bad.
      It's always been bad. Apparently, it will always be bad.

      Just let it die. It's a CPU and memory hog (another good reason not to use it on mobile; the CPUs these days can handle it, but it's bad for battery life) and it's a massive security hole. Why in the world should it get a pass? Someone at Adobe should've nuked it from orbit years ago.

  2. I have it disabled. by Antony+T+Curtis · · Score: 4, Interesting

    I deliberately do not install Flash on my computers _and_ I deliberately choose to not install any of the third-party work-alikes.

    If the content owner only publishes content in a SWF, it is not worth my bother to look at it. Okay, I can't view video clips in Facebook, but if it is an embedded youtube video, usually I can view it just fine by going to youtube's website.

    --
    No sig. Move along - nothing to see here.
  3. Seriously: why doesn't Flash just die? by dsinc · · Score: 4, Insightful

    I'm not a Flash developer, so I'm asking very seriously: is there a compelling reason to keep using Flash in 2014? For the past several years, the only notable things associated with this technology have been major security holes.

    1. Re:Seriously: why doesn't Flash just die? by Kardos · · Score: 2

      It is dying. Things don't die instantly in the software world, they just decline.

  4. Ahem. by peatbakke · · Score: 5, Funny

    http://i.imgur.com/TNz9k9G.jpg

    1. Re:Ahem. by tgetzoya · · Score: 2

      I want to give you all the points.

  5. Uninstall Flash! by chihowa · · Score: 4, Interesting

    I just reinstalled my OS a few weeks ago and never reinstalled flash. Despite a profuse amount of websurfing and watching videos here and there, I haven't needed flash yet.

    Fewer annoying, moving, sound-producing site navigation controls, better battery life on my laptop when watching videos, and fewer horrible security vulnerabilities to worry about! Dumping Flash is something I should have done long ago!

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    1. Re:Uninstall Flash! by Arkh89 · · Score: 2

      If your bank is pushing the use of Flash, you *SERIOUSLY* need to consider changing from establishment.

    2. Re:Uninstall Flash! by Kjella · · Score: 2

      Or just set it to "click to run", that way a redirect to a malicious website will do nothing, a compromised banner ad will do nothing so they'd have to compromise actual flash content on a site you use. For bonus points you don't see flash ads. And if it gets too annoying to do a single click extra, you can always set up an exception for that site.

      Personally what I miss the most these days is a setting to really block everything from opening up a new tab/window, no matter what link I clicked. Despite having popup-protection the scummy sites always find a way to open a new tab/window when you click a link, I'd like to just disable it. Either right-click, open in new tab/window or create a new tab (Ctrl-T/Ctrl-N) should be the absolutely only way. The rest you can block like a popup.

      --
      Live today, because you never know what tomorrow brings
  6. Parent SHOULD NOT be modded flamebait by NotDrWho · · Score: 3, Informative

    As unpopular as it is to say here on HTML-5-worshiping Slashdot, it's true. Flash can still do a lot of things that are either impossible on other platforms, or which suck on other platforms. Try implementing the average Flash game in HTML 5 (can't do it at all) or Java (can do it, but it will bring your system to a crawl) sometime.

    Don't shoot the messenger just because you wish the message weren't true.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Parent SHOULD NOT be modded flamebait by paskie · · Score: 2

      I just, like many others, wish someone would actually fucking *elaborate* on *concrete* *technical* hurdles of HTML5. We are not denying there are none, but just saying "you are clueless if you need to ask" is not going to help your position. We don't want to argue with you but we want you to actually explain yourselves. Gee, this thread is so frustrating.

      --
      It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
  7. Cookie Clicker by tepples · · Score: 2

    Cookie Clicker is perfectly playable with Flash Player turned off.

    1. Re:Cookie Clicker by mythosaz · · Score: 3, Interesting

      What sort of monster links people to Cookie Clicker without so much as a warning!

      [I have 2M HC's.]

  8. SWF: 20 fps; SVG: 5 fps by tepples · · Score: 3, Informative

    I just, like many others, wish someone would actually fucking *elaborate* on *concrete* *technical* hurdles of HTML5.

    HTML5 has no guaranteed audio or video codec. Some browsers support only free codecs from Xiph and On2, others only patented codecs from Dolby and MPEG-LA. HTML5 implementations in use provide no consistent way for the application to request access to the camera and microphone. Neither IE nor Safari implements the Stream API at all, and Firefox and Chrome implement prefixed (that is, proprietary) versions of it. And on my laptop in Firefox 28, this particle system runs at 20 fps in Flash, 9 fps in HTML5 Canvas, and 5 fps in SVG. Unlike HTML5 JavaScript, ActionScript has static typing and class-style inheritance, and some developers prefer those. Finally, copies of old versions of Flash for making vector animations are sold on the secondary market; Edge Animate is available only on a rental basis through Creative Cloud. I'd be interested to see what workarounds you recommend for these.

  9. Because nothing does a good job replacing it yet by Sycraft-fu · · Score: 2

    There is a non-trivial demand for highly interactive stuff on the web. You may not be interested in that, but many people are and thus many developers are. Well, only Flash really does anything approaching a competent job of that. If you want to make something like a game, that runs on all the major browsers and all the major platforms, Flash can do that. Anything else, it is a crap shoot.

    For example I remember when the HTML5 Angry Birds came out. Ok, interesting, I'd like to see that. In Chrome, it works more or less flawlessly, since that's what it was made for. It did seem to randomly 'asplode a couple times though. Firefox was nice and stable and everything seemed to work, but slow. The framerate was noticeably jerky. IE worked solid and was smooth as could be... but had no sound.

    This is all on Windows, never mind how things would be on OS-X. Not precisely something that gives a lot of confidence in HTML5.

    Also there is the simple matter of time. You might be able to make an HTML5 game work as well as a Flash one, if you spent enough time making a port for each browser on each platform. Thing is, that takes a lot of developer time and thus money. You target Flash just once, and it works.

    Also the tools for Flash can make development, particularly the graphics and animation part, quite easy.

    So if something comes along that does a good job replacing it, something that is well supported by browsers and you really can do easy development in, then sure I expect people will start using it.