Slashdot Mirror


Adobe Patches One Flash Zero Day, Another Still Unfixed

Trailrunner7 writes: Adobe has released an emergency update for Flash to address a zero-day vulnerability that is being actively exploited. The company also is looking into reports of exploits for a separate Flash bug not fixed in the new release, which is being used in attacks by the Angler exploit kit. The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks. The patch for Flash comes just a day after Kafeine disclosed that some instances of the Angler exploit kit contained an exploit for a previously unknown vulnerability in the software. Adobe officials said Wednesday that they were investigating the reports. Kafeine initially saw Angler attacking the latest version of Flash in IE on Windows XP, Vista, 7 and 8, but said the exploit wasn't being used against Chrome or Firefox. On Thursday he said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1.

12 of 49 comments

  1. Is there a world record for the most insecure code by Anonymous Coward · · Score: 4, Funny

    Adobe seems to be trying hard to get it.

  2. Zero day by phantomfive · · Score: 2
    Sometimes I wonder what people think a "zero day" exploit means. If there is a patch, it's not a zero-day exploit. From the (of course, always wrong) wiki:

    Zero-day attacks occur during the vulnerability window that exists in the time between when vulnerability is first exploited and when software developers start to develop and publish a counter to that threat.

    Zero-day vulnerabilities make hackers happy because the users don't know about it, and thus can't prevent exploitation. Once the vulnerability is made public, you can block access to that port, or disable the functionality, or avoid exploitation in other ways. It is no longer a zero-day vulnerability.

    If the vuln was made public 5 days ago, then it's a five-day vuln. If the vuln was made public 10 days ago, then it's a ten-day vuln. Once it's patched, it's no longer a vulnerability. That is where the name 'zero-day' comes from.

    --
    "First they came for the slanderers and i said nothing."
  3. oh goodie.. by Virtucon · · Score: 4, Interesting

    Another chance to block the installation of McAfee Security Scan Plus. Will someone please rid me of this nuisance crapware?!?

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:oh goodie.. by Anonymous Coward · · Score: 5, Informative

      Bookmark this:
      https://www.adobe.com/products/flashplayer/distribution3.html

  4. Fricking US-CERT by monkeyzoo · · Score: 2

    You know, I subscribed to US-CERT alerts to get notified about this kind of thing, but thank goodness I also browse Slashdot from time to time.
    The US-CERT alert for this critical patch probably won't arrive for another couple days or so.

  5. Re:Is there a world record for the most insecure c by phantomfive · · Score: 2

    Probably postfix sendmail. Adobe is catching up.

    --
    "First they came for the slanderers and i said nothing."
  6. ClickToFlash for me, thanks. by jeffb+(2.718) · · Score: 2

    There's some Flash content I still want to view. But I want to look at content, not fight to focus my attention away from screaming, flashing, pulsing, squirming ads on every side. If you want me to run your program, make it worth my while. Especially when the platform on which you want me to run it might let it infect my machine.

    Static ads are still fine. I don't much care if you track me and focus them. I'll even click through them occasionally. But I won't let you run down my battery and my brain with animations. I don't care if your marketing macaques say they get more clicks. I've made my choice. I'll never see them.

    1. Re:ClickToFlash for me, thanks. by Anrego · · Score: 2

      I've used the Flashblock plugin on Firefox for a long damn time, but I'm finding it has stopped working properly on a lot of websites, including just recently YouTube. I'm guessing this is due to some JavaScript shenanigans, but haven't had time to investigate.

    2. Re:ClickToFlash for me, thanks. by Anonymous Coward · · Score: 2, Informative

      It's due to a transparent overlay they added recently which prevents you from clicking the play button (https://www.mozdev.org/bugs/show_bug.cgi?id=25936).

    3. Re:ClickToFlash for me, thanks. by steveg · · Score: 2

      Thank you for this. I had disabled Flashblock, and my web experience had gotten annoying. Hoping the Greasemonkey script in that bug report will let me re-enable it.

      --
      Ignorance killed the cat. Curiosity was framed.
    4. Re:ClickToFlash for me, thanks. by TrollstonButterbeans · · Score: 2

      I switched from "FlashBlock" to "Flash Control" https://addons.mozilla.org/en-... because of the problem you indicated.

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    5. Re:ClickToFlash for me, thanks. by myowntrueself · · Score: 2

      Adblock Plus... Install it, love it... no more crazy flashing ads.

      ...Install Ghostery because privacy... Install NoScript because many reasons... Realize Adblock Plus is now useless.... Deinstall it.

      http://lifehacker.com/ad-block...

      --
      In the free world the media isn't government run; the government is media run.