Adobe Patches One Flash Zero Day, Another Still Unfixed

← Back to Stories (view on slashdot.org)

Adobe Patches One Flash Zero Day, Another Still Unfixed

Posted by timothy on Thursday January 22, 2015 @06:03AM from the cross-platform dept.

Trailrunner7 writes Adobe has released an emergency update for Flash to address a zero-day vulnerability that is being actively exploited. The company also is looking into reports of exploits for a separate Flash bug not fixed in the new release, which is being used in attacks by the Angler exploit kit. The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks. The patch for Flash comes just a day after Kafeine disclosed that some instances of the Angler exploit kit contained an exploit for a previously unknown vulnerability in the software. Adobe officials said Wednesday that they were investigating the reports. Kafeine initially saw Angler attacking the latest version of Flash in IE on Windows XP, Vista, 7 and 8, but said the exploit wasn't being used against Chrome or Firefox. On Thursday he said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1.

49 comments

Min score:

Reason:

Sort:

I am good to go by Anonymous Coward · 2015-01-22 06:13 · Score: 0

Adobe 9 and CS4 have no patches. Safe! Phew!
Is there a world record for the most insecure code by Anonymous Coward · 2015-01-22 06:13 · Score: 4, Funny

Adobe seems to be trying hard to get it.
Why use Flash? by Anonymous Coward · 2015-01-22 06:13 · Score: 1

Seriously, it's not needed anymore. No one should use it or have it installed.
1. Re:Why use Flash? by Anonymous Coward · 2015-01-22 08:09 · Score: 0
  
  YouTube works without Flash, therefore Flash is not needed at all.
  Anything else that uses Flash is better served with an app.
2. Re:Why use Flash? by mythosaz · 2015-01-22 08:43 · Score: 1
  
  Anything else that uses Flash is better served with an app.
  While that might be true, everything that uses flash hasn't been converted to an app just quite yet.
3. Re:Why use Flash? by Anonymous Coward · 2015-01-22 09:09 · Score: 0
  
  Flash only works fine on Windows. Meanwhile, HTML5 is hardware-accelerated on my computer but Flash is not.
4. Re:Why use Flash? by jeffmflanagan · 2015-01-22 09:27 · Score: 1
  
  So install Windows
  /ducks.
5. Re:Why use Flash? by narcc · 2015-01-22 12:27 · Score: 1
  
  That would be ... a massive step backward. Computing like it's 1994.
  
  --
  Required reading for internet skeptics
6. Re:Why use Flash? by macs4all · 2015-01-23 09:15 · Score: 1
  
  That would be ... a massive step backward. Computing like it's 1994.
  My 2013 MBP came without Flash Installed; and to be perfectly honest, while I have, on about one or two occasions, been tempted to install it, ultimately, there has been nothing so far that I MUST have to the point that I have pulled that trigger.
  
  Unless you have a work-requirement to run some sort of Flash app; it just isn't worth the security risk anymore.
  
  One thing that DOES frost me, though, is browsing to a site that works FINE without Flash on iOS (and I presume Android); but which simply REFUSES to open in OS X, unless it sees that Flash is available (no "Open Non-Flash Site", or anything. Just GTFO). That's just lazy and rude. If you, as the site Developer, have worked out a way to avoid Flash on your site, why, oh, why would you REQUIRE it on ANY Platform?
7. Re:Why use Flash? by narcc · 2015-01-23 09:45 · Score: 1
  
  Unless you have a work-requirement
  Or children. Everything from games to stuff for school seems to require flash.
  
  it just isn't worth the security risk anymore.
  It's still better, security wise, than installing an app for every little thing. That was really my whole point.
  I'll agree with the AC here, we finally have an opportunity with HTML5 to abandon Flash. It'll take a while, but we can get there eventually. It's cool (on slashdot) to put-down HTML5, but it's the best opportunity to ditch Flash that we've ever had.
  
  --
  Required reading for internet skeptics
Zero day by phantomfive · 2015-01-22 06:15 · Score: 2

Sometimes I wonder what people think a "zero day" exploit means. If there is a patch, it's not a zero-day exploit. From the (of course, always wrong) wiki:

Zero-day attacks occur during the vulnerability window that exists in the time between when vulnerability is first exploited and when software developers start to develop and publish a counter to that threat.
Zero-day vulnerabilities make hackers happy because the users don't know about it, and thus can't prevent exploitation. Once the vulnerability is made public, you can block access to that port, or disable the functionality, or avoid exploitation in other ways. It is no longer a zero-day vulnerability.

IF the vuln was made public 5 days ago, then it's a five-day vuln. If the vuln was made public 10 days ago, then it's a ten-day vuln. Once it's patched, it's no longer a vulnerability. That is where the name 'zero-day' comes from.

--
"First they came for the slanderers and i said nothing."
1. Re:Zero day by radarskiy · 2015-01-22 09:22 · Score: 1
  
  Back in my day, "zero day" meant that an exploit was known at the time the exploitable version was released, and we liked it!
oh goodie.. by Virtucon · 2015-01-22 06:18 · Score: 4, Interesting

Another chance to block the installation of McAfee Security Scan Plus. Will someone please rid me of this nuisance crapware?!?

--
Harrison's Postulate - "For every action there is an equal and opposite criticism"
1. Re:oh goodie.. by Anonymous Coward · 2015-01-22 08:47 · Score: 5, Informative
  
  Bookmark this:
  https://www.adobe.com/products/flashplayer/distribution3.html
2. Re:oh goodie.. by Anonymous Coward · 2015-01-22 09:40 · Score: 0
  
  Sure! How about the Ask Toolbar instead - is that better?
3. Re:oh goodie.. by antdude · 2015-01-22 13:01 · Score: 1
  
  http://www.adobe.com/products/...
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Fricking US-CERT by monkeyzoo · 2015-01-22 06:21 · Score: 2

You know, I subscribed to US-CERT alerts to get notified about this kind of thing, but thank goodness I also browse Slashdot from time to time.
The US-CERT alert for this critical patch probably won't arrive for another couple days or so.
1. Re:Fricking US-CERT by Enfixed · 2015-01-22 07:31 · Score: 1
  
  News from US-CERT comes after SlashDot.... that is broken. :)
  
  --
  Sigs are bad for you...
Re:Is there a world record for the most insecure c by phantomfive · 2015-01-22 06:23 · Score: 2

Probably postfix sendmail. Adobe is catching up.

--
"First they came for the slanderers and i said nothing."
Re: Is there a world record for the most insecure by Billly+Gates · 2015-01-22 06:29 · Score: 1

Java by far.
Oracle waited for a year to pit in a patch for +100 exploits!! Yes you should be arrested for running that in your browser.

--
http://saveie6.com/
How about the flash integrated into chrome? by phayes · 2015-01-22 06:30 · Score: 1

Can anyone tell us if that's vulnerable (& on what platforms)?
I don't have flash installed but I do have chrome (with it's integrated flash) for those sites that just cannot keep up with the times. Yes, I use flashcontrol to autoexecute only whitelisted sites, but you never know...

--
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
1. Re: How about the flash integrated into chrome? by Anonymous Coward · 2015-01-22 07:39 · Score: 0
  
  Chrome runs flash in a sandbox, but it's still adobe flash. They'll need an undisclosed chrome sandbox bypass, so you're safer, but such things have been found before.
2. Re:How about the flash integrated into chrome? by hermitdev · 2015-01-22 08:47 · Score: 1
  
  You can browse to "chrome://plugins" and explicitly disable the built-in flash.
3. Re:How about the flash integrated into chrome? by phayes · 2015-01-22 10:49 · Score: 1
  
  Thanks but if I use a locked down browser for the few sites left, it's because I cannot avoid flash for some sites. Turning off flash isn't an option.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
4. Re:How about the flash integrated into chrome? by ChunderDownunder · 2015-01-22 13:49 · Score: 1
  
  I use firefox for general browsing and paste the URL into Chrome for the remainder of sites that need flash (or choke Firefox's HTML5 video implementation)
  Bottom line, Flash is still an attack vector but at least I know I'm conciously invoking it each time rather than relying on the vagaries of a blocker or click-to-play.
5. Re:How about the flash integrated into chrome? by phayes · 2015-01-22 19:11 · Score: 1
  
  Yeah, but you're no safer than I am. I only surf with chrome to sites that I've white listed.
  It'd be nice to know whether or not chrome's flash is vulnerable or not.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
ClickToFlash for me, thanks. by jeffb+(2.718) · 2015-01-22 06:35 · Score: 2

There's some Flash content I still want to view. But I want to look at content, not fight to focus my attention away from screaming, flashing, pulsing, squirming ads on every side. If you want me to run your program, make it worth my while. Especially when the platform on which you want me to run it might let it infect my machine.
Static ads are still fine. I don't much care if you track me and focus them. I'll even click through them occasionally. But I won't let you run down my battery and my brain with animations. I don't care if your marketing macaques say they get more clicks. I've made my choice. I'll never see them.
1. Re:ClickToFlash for me, thanks. by Anrego · 2015-01-22 06:52 · Score: 2
  
  I've used the flashblock plugin on firefox for a long damn time, but I'm finding it has stopped working properly on a lot of websites, including just recently youtube. I'm guessing this is due to some javascript shenanigans, but haven't had time to investigate.
2. Re:ClickToFlash for me, thanks. by Anonymous Coward · 2015-01-22 06:58 · Score: 2, Informative
  
  It's due to a transparent overlay they added recently which prevents you from clicking the play button (https://www.mozdev.org/bugs/show_bug.cgi?id=25936).
3. Re:ClickToFlash for me, thanks. by steveg · 2015-01-22 07:15 · Score: 2
  
  Thank you for this. I had disabled Flashblock, and my web experience had gotten annoying. Hoping the Greasemonkey script in that bug report will let me re-enable it.
  
  --
  Ignorance killed the cat. Curiosity was framed.
4. Re:ClickToFlash for me, thanks. by Enfixed · 2015-01-22 07:33 · Score: 1
  
  Adblock Plus... Install it, love it... no more crazy flashing ads.
  
  --
  Sigs are bad for you...
5. Re:ClickToFlash for me, thanks. by fisted · 2015-01-22 07:52 · Score: 1
  
  Adblock Plus... Install it, love it... no more crazy flashing ads.
  ...Install Ghostery because privacy... Install NoScript because many reasons... Realize Adblock Plus is now useless.... Deinstall it.
  
  --
  CLI paste? paste.pr0.tips!
6. Re:ClickToFlash for me, thanks. by Anonymous Coward · 2015-01-22 08:05 · Score: 0
  
  You can enable click-to-play in firefox and chrome.
7. Re:ClickToFlash for me, thanks. by TrollstonButterbeans · 2015-01-22 08:21 · Score: 2
  
  I switched from "FlashBlock" to "Flash Control" https://addons.mozilla.org/en-... Because of the problem you indicated.
  
  --
  Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
8. Re:ClickToFlash for me, thanks. by myowntrueself · 2015-01-22 08:33 · Score: 2
  
  Adblock Plus... Install it, love it... no more crazy flashing ads.
  ...Install Ghostery because privacy... Install NoScript because many reasons... Realize Adblock Plus is now useless.... Deinstall it.
  http://lifehacker.com/ad-block...
  
  --
  In the free world the media isn't government run; the government is media run.
9. Re:ClickToFlash for me, thanks. by Anonymous Coward · 2015-01-22 09:30 · Score: 0
  
  I disable all ads, since they're a common vector for malware, and subscribe to sites I find worthwhile so they can still pay the bills.
  
  Anyone who allows flash ads to run on their PC is asking for malware. Unfortunately most people are not aware of this.
10. Re:ClickToFlash for me, thanks. by Anonymous Coward · 2015-01-22 16:30 · Score: 0
  
  "It's due to a transparent overlay they added recently which prevents you from clicking the play button"
  You can use adblock plus and the element hiding helper to get rid of that overlay and allow flashblock to work
11. Re:ClickToFlash for me, thanks. by Enfixed · 2015-01-31 04:15 · Score: 1
  
  ....unplug internet because afraid... Adblock does its job and does it well, I don't see ads. Do I care if they sell some info about my browsing, no. We've left the age where NoScript is relevant, I don't want to have to allow every other website I visit just because I'm paranoid.
  
  --
  Sigs are bad for you...
12. Re:ClickToFlash for me, thanks. by fisted · 2015-02-01 04:43 · Score: 1
  
  ...re-plug internet because porn.
  What you say about NoScript isn't quite true. Yes, every other site needs to explicitly have their scripts allowed, or whitelisted, but that does not mean having to allow 3rd party scripts.
  
  For instance, on this page on /., there are scripts from slashdot.org, fsdn.com, googletagservices.com, googleadservices.com, google-analytics.com, ooyala.com and rpxnow.com.
  Only the first two are required to make the site usable.
  
  --
  CLI paste? paste.pr0.tips!
Re: Is there a world record for the most insecure by Anonymous Coward · 2015-01-22 06:40 · Score: 0

Sendmail I can understand, but postfix?
Re:Is there a world record for the most insecure c by Anrego · 2015-01-22 06:49 · Score: 1

Postfix? I thought postfix was pretty solid.
Re:Is there a world record for the most insecure c by phantomfive · 2015-01-22 07:11 · Score: 1

Yeah you're right, I was braindead this morning when I posted that.

--
"First they came for the slanderers and i said nothing."
Have they fixed the memory leak yet? by packrat0x · 2015-01-22 07:38 · Score: 1

Releases starting somewhere in the 11.3's and onwards are still consuming all available memory. Without THAT fix I'll stick with 11.2 and flashblock the items I don't want.

--
227-3517
Re:Systemd needs one too. by Anonymous Coward · 2015-01-22 07:47 · Score: 0

Just to clarify: I've modded you down not because I think you're wrong, but simply because a systemd flamewar in here would be off topic.
Re:sh1t by ArcadeMan · 2015-01-22 09:12 · Score: 1

I'm beginning to think that all links to goat.cx are actually encrypted messages.

--
Get free satoshi (Bitcoin) and Dogecoins
Re: by kurkosdr · 2015-01-23 11:06 · Score: 1

What it means "investigating"? An exploit kit exist, they can download it and see how it works and have people working on it round the clock. The fact there is no commitment on when the bug is going to be fixed is absurd.