Slashdot Mirror


Adobe Patches Flash Zero-Day Exploited By Magnitude Exploit Kit (securityweek.com)

wiredmikey writes: Adobe released a Flash Player update on Thursday night to patch a zero-day vulnerability that has been leveraged by cybercriminals to deliver malware via the Magnitude exploit kit. The vulnerability [CVE-2016-1019], a memory corruption that can be exploited for remote code execution, was discovered after, on April 2, security researcher Kafeine of Proofpoint noticed a change in the Magnitude exploit kit. The sample was then investigated by FireEye, which determined that Magnitude EK had been exploiting a previously unknown vulnerability in Flash Player. "Despite the fact that this new exploit could potentially work on any version of Adobe Flash, including a fully patched instance of Flash, the threat actors implemented it in a manner that only targeted older versions of Flash. In other words, equipped with a weapon that could pierce even the latest armor, they only used it against old armor, and in doing so exposed to security researchers a previously unreported vulnerability," Proofpoint said in a blog post.

69 comments

  1. Armor old new armor! by Anonymous Coward · · Score: 1

    New old pierce weapon armor!! âoeOld armor only âoeâoe armor! Cyber armor WEAPON,â said Armor!

    1. Re:Armor old new armor! by Anonymous Coward · · Score: 0

      Please stop posting from your iMac; you're embarrassing yourself with Apple's astandard character encoding.

      CAP === 'aerate'

    2. Re:Armor old new armor! by halivar · · Score: 1

      The only thing "astandard" here is the site that only handles US-ASCII characters in 2016. It's not defensible.

    3. Re:Armor old new armor! by U2xhc2hkb3QgU3Vja3M · · Score: 1

      I'm on a Mac and I also see accented characters all over the place.

    4. Re: Armor old new armor! by Anonymous Coward · · Score: 0

      Talk about vendor lock in. Macs don't even support macs.

    5. Re:Armor old new armor! by KGIII · · Score: 1

      Is that true? ½ ¼ ¥ € £ © ® etc... I thought those were early Unicode. It does make sense, though.

      --
      "So long and thanks for all the fish."
    6. Re:Armor old new armor! by halivar · · Score: 1

      Nope! Those are all high ASCII.

    7. Re: Armor old new armor! by Anonymous Coward · · Score: 0

      Macs don't even support Zero-Day Exploits.
      "Magnitude", as always, is a _Windows_ exploit.

      "Wear your Mac!" (During WWII, GI slang for rubber Condoms was "Macintoshes", in reference to the Scottish rubber-protected Overcoats popular overseas.)

    8. Re:Armor old new armor! by KGIII · · Score: 1

      Thanks! I wasn't sure which ones were which. There's a slew of 'em that pass through the filters. I do believe they'll be fixing Unicode in the stories but not adding the full list to the comments. At least something along those lines. (I've been paying attention to the various comments made by our new overlords. They've specifically referenced fixing them in stories but not in any other context.)

      --
      "So long and thanks for all the fish."
  2. Site improvement idea by Anonymous Coward · · Score: 0

    Just create an "Adobe exploit" entry in the top menu and do away with the front-page articles.

    1. Re:Site improvement idea by Anonymous Coward · · Score: 0

      Make it a "No Adobe Exploit Today" entry. That would save everyone a lot of time.

    2. Re:Site improvement idea by halivar · · Score: 2

      "SAFETY IS OUR GOAL: It has been [ 2 ] days since our last Adobe Flash 0-day exploit."

    3. Re:Site improvement idea by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Much more simple to add a permanent banner that says "Security warning: uninstall Flash from your computer".

  3. so the smart guys by Anonymous Coward · · Score: 0

    Are on the right side?? Man, this is boring, almost like in all those movies.

  4. You were warned by Gravis+Zero · · Score: 1, Troll

    You have been warned repeatedly that you Flash and Java plugins/addons/extensions are insecure and that you should uninstall them. Therefore, if you still have Flash or Java installed and you get compromised because of it, you only have yourself to blame.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re: You were warned by Anonymous Coward · · Score: 0

      Well you can blame the tons of websites that refuse to use sane, modern technology too.
      Or at least I will because I recognize the fact that most people don't have any clue what you're talking about when you say flash or java or even plugins.

    2. Re:You were warned by Anonymous Coward · · Score: 0

      That would make sense if the people who need to use Flash and Java had an alternative. But generally they haven't.

    3. Re:You were warned by GrumpySteen · · Score: 5, Interesting

      You have been warned repeatedly that cars are dangerous. Therefore, if you still get in a car and you get hurt or killed by a drunk driver, you only have yourself to blame.

      Yeah, no. Blaming the victim doesn't accomplish anything other than making sure that nothing changes and nothing gets better.

      Until companies are actually held liable for the damage that their insecure software causes, they will keep creating insecure software because it's cheaper and more profitable than taking the time to make it secure.

    4. Re:You were warned by wbr1 · · Score: 1

      Look at parent's sig. He wants to hold victims accountable but not himself. Typical entitled attitude. Move along.

      --
      Silence is a state of mime.
    5. Re:You were warned by Anonymous Coward · · Score: 2, Informative

      Bingo. I installed Windows 8 shortly after it came out and I purposely avoided installing Java because I knew there were huge security issues with it. That meant giving up VisualRoute, but I lived with it. As I live in China, I sometimes rely on using a proxy server to access parts of the internet I enjoy (facebook, youtube, mamedev). Previously I was using a free service called SoftEither VPN. It worked, rarely, but it was often very slow. A worker showed me a paid service called Lightning VPN. It was awesome. Very fast and reliable. Connected every time. So, I use it now too, but it requires Java. So, I bit the bullet and installed Java. So, you want people to quit using Java and Flash? Well, some of us want to, but don't have the luxury of making those choices.

    6. Re:You were warned by Anonymous Coward · · Score: 0

      You have been warned repeatedly that you Flash and Java plugins/addons/extensions are insecure and that you should uninstall them. Therefore, if you still have Flash or Java installed and you get compromised because of it, you only have yourself to blame.

      This does not look good for Home Star Runner.

    7. Re:You were warned by ChunderDownunder · · Score: 1

      Nice in theory.

      In the real world people still avail themselves of content that they rely on served only via Flash.

      Which is why I use Firefox as my main browser and Chrome for those sites that require it.

    8. Re:You were warned by Anonymous Coward · · Score: 0

      Windows out of the box supports PPTP, L2TP/IPSec and SSTP. There are thousands of VPN providers, try one that supports one of these protocols so you don't need their proprietary installer and client. Since most of your use comprises web services, you might be able to get away with just a plain SOCKS proxy service, which every modern web browser supports. So no, you are not required to install Java if you look a bit further.

    9. Re:You were warned by Dutch+Gun · · Score: 2

      At the very least, people really need to enable click-to-play for Flash. That would tend to prevent nearly all of these sorts of exploits, but when you still find an occasional Flash video or content, you can still play it. Of course, still better if you can completely do without Flash at all, which is increasingly easy these days with HTML5 being embraced by more sites.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    10. Re:You were warned by Bengie · · Score: 1

      You have been warned repeatedly that [your] Internet connection is insecure and that you should not use it. Therefore, if you still have the Internet and you get compromised because of it, you only have yourself to blame.

      We need to get rid of dependencies before we can get rid of them. Not everyone wants to browse the Internet with Lynx.

    11. Re:You were warned by Anonymous Coward · · Score: 0

      OpenVPN is the only way to go.

    12. Re:You were warned by Anonymous Coward · · Score: 0

      Encourage people to replace Chrome with Chromium. Same shit sans-flash support. Sites still relying on flash driven content in 2016 deserve to lose all visitors.

    13. Re:You were warned by gstoddart · · Score: 3, Interesting

      Funny, I use the back button for sites requiring Flash.

      The only things I truly need Flash for are work related training, which periodically requires I re-enable it. But I won't even run my work browser with it enabled.

      No way in hell I'd ever consider running Flash by default ... the idea of letting random websites let random third parties run arbitrary code is so utterly moronic as to defy belief.

      To me Flash is primarily an ad platform. If there are useful sites requiring Flash to work, I'm afraid I've never seen them, or don't consider them useful. I don't use video on the intertubes, because I don't care.

      It seems like Flash has had at least one major security exploit every month for over 15 years, which tells me the entire platform and its security model are so defective that it has to be in the "don't trust by default" category.

      I have no interest in letting advertisers, or anybody else, have access to anything which runs arbitrary code on my machine just because I visited a web page.

      --
      Lost at C:>. Found at C.
    14. Re:You were warned by ChunderDownunder · · Score: 1

      Well in my case it's my university lessons.

      That and the local tv stations that repeat programs online, where I'll load one of their movies when there's nothing on.

      But for general usage, no. Which is why I don't have the Flash for Firefox but Chrome ships with its own internal copy when I do need it.

    15. Re:You were warned by Solandri · · Score: 3, Interesting

      Macromedia never asked for Flash to become the de facto web standard for multimedia on web pages. All they wanted to do was make a tool which allowed artists to stream animated video using less bandwidth than real video - very important in the early days of the Internet when people were connecting over dialup on 56 kbps modems. So rather than transmit every frame, it'll let you transmit the sprites of the animated characters and a background image, and scroll the background image as the sprites move around. Being an artist's tool, they added lots of features to help with the creation of animation. The features have gotten good enough that Flash is still being used for this purpose by animators making TV shows.

      Flash became widely adopted on the web because the W3C dragged their feet for 15 years. Users wanted multimedia in web pages. Web designers wanted multimedia in web pages. A bunch of W3C people with sticks up their asses decided there shouldn't be multimedia in web pages (probably traumatized by the way the blink tag was abused), and refused to update the HTML standard to allow it (until HTML 5 was standardized a couple years ago). So web designers looked around for the next best thing, and hey! There's this thing called Flash. It's originally meant for creating animated videos, but it's flexible enough for us to add scripted multimedia to our web pages. Let's use that instead!

      The situation is analogous to users wanting hammers, and stores wanting to sell hammers, but the government refusing to pass safety standards which would allow the sale of hammers. Then people realize they can buy rocks from a decorative landscaping store and use them as hammers. Soon everyone is using rocks as hammers, except that being rocks they frequently break and injure the user. Do you really think the rock-selling company should be liable for damage caused by people using their product in a manner in which it wasn't intended?

    16. Re:You were warned by Anonymous Coward · · Score: 0

      You have been warned repeatedly that cars are dangerous. Therefore, if you still get in a car and you get hurt or killed by a drunk driver, you only have yourself to blame.

      You don't happen to work for the City of New York, do you?

    17. Re:You were warned by Archangel+Michael · · Score: 1

      You do realize that the very first slave owner in America was ... black, right?

      There is nobody here that owned slaves, knows anyone that was or owned slaves, probably several more generations more. We are 150 years from slavery in the US, but people like you keep acting like it was last week.

      At some point, you're going to have to realize that the problem isn't slavery, it is attitude. But I guess it is always easier to blame others for your own shortcomings.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    18. Re:You were warned by Anonymous Coward · · Score: 0

      Why is parent post listed as "Troll"? Nothing said in that post is incorrect and it is on topic. It isn't inflammatory or extraneous. It fits no definition of "Troll".

    19. Re:You were warned by Anonymous Coward · · Score: 0

      If you park your sports car in a high crime area and it gets stolen then the thief is a criminal. You should prosecute him to the fullest extent of the law. You can rest easy at night knowing that you are a law abiding citizen who did nothing wrong.

      You are also retarded but hey - you are still right so you have that going for you.

    20. Re:You were warned by cheesybagel · · Score: 1

      Flash was abused all the time. People used it to design websites that took forever to load with animations and other useless crap, claiming it was leading edge tech, even if the only thing you wanted to get out of the site was a text list. There were perfectly valid uses for it, but it took a long time to standardize the technology in a way that would fit with prior W3C standards. Initially the main concern was with the scalable vector graphics and animation. It was initially planned to do it with SVG and Javascript. The specs came out fine. But since Adobe bought Macromedia (Adobe being one of the main proponents behind SVG) they lost interest in SVG on the Web. So the artist tools never materialized on time. As for video, I think browsers have had a video tag or an object tag since like forever. But the problem was always that the W3C did not want patent royalties in any part of the spec including video and audio codecs. So you had a video tag but you didn't know which video formats the browser supported. Macromedia paid MPEG-4 royalties for every Flash plugin that was installed.

    21. Re:You were warned by arth1 · · Score: 1

      Indeed. Even my ZyXEL "Unified Security Gateway" uses both Flash and Java.

    22. Re:You were warned by Anonymous Coward · · Score: 0

      Actually, asshole, I've looked quite a bit farther than you ever have, given that I've been behind the GFW for over six years. Most services, including TOR and OpenVPN, don't work.

    23. Re:You were warned by Anonymous Coward · · Score: 0

      Flash is used in a lot more AJAX related cases than actual animation. I'm fairly surprised this keeps getting brought up every time flash exploits are found. It's not possible to go completely without flash. Some of the largest media sites on the Internet right now _require_ it for chat and their video - I'm not talking about Youtube. Chaturbate, MFC, etc and until very recently even Twitch.

    24. Re:You were warned by Anonymous Coward · · Score: 0

      citation please .

    25. Re:You were warned by Anonymous Coward · · Score: 0

      is it Whitey or whitey ?

    26. Re:You were warned by Anonymous Coward · · Score: 0

      But I guess it is always easier to blame others for your own shortcomings.

      Such introspection is uncommon.

    27. Re:You were warned by Anonymous Coward · · Score: 0

      You do realize that the very first slave owner in America was ... black, right?

      This is demonstrably incorrect.
      I realize that no one comes to /. to learn about American History.
      However, assuming that by "America", you mean the British colonies
      of North America, and not the Spanish or Portuguese colonies of the New World,
      history records that John Punch, on
      July 9, 1640 in the Virginia colony, became the first person documented to have been
      sentenced to "slavery for life". His owner was Virginia planter Hugh Gwyn,
      "a wealthy landowner, a justice, and a member of the House of Burgesses",
      and was not black.
      Another good reference for this information is "Africans in America", by
      Charles Johnson, Patricia Smith et al., 1998

      There is nobody here that owned slaves, knows anyone that was or owned slaves, probably several more generations more.

      This statement may be true if by "here", you mean people who
      frequent /. Otherwise it is not true. Even if it is true for you, you
      certainly should have an awareness of the idea that the last Civil War widow
      who received a pension died not too long ago, whether that was in 2004
      or in 2008. If those couples or similar couples had children, and if
      the Civil War Veteran had owned slaves, then you should at least be able to deduce
      that it is possible for someone to be alive today that knew someone that had been a slave or had owned slaves.
      I have relatives alive today who are in their 80s and 90s, whose grandfather or grandmother
      was born a slave in the United States. Of course, these relatives were young children when
      they met their grandparents. Yet, I would contend that they are alive and knew someone that
      had been a slave in the US. Granted, they do not frequent /., and so may not technically meet your
      definition of "here".

      We are 150 years from slavery in the US, but people like you keep acting like it was last week.

      You are free to make that argument. However, by preceding your argument with statements
      that are false, you make it less compelling.

    29. Re:You were warned by Archangel+Michael · · Score: 1
      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    30. Re:You were warned by Archangel+Michael · · Score: 1

      http://www.thegatewaypundit.co...

      There is nobody here that owned slaves, knows anyone that was or owned slaves, probably several more generations more.

      I have relatives alive today who are in their 80s and 90s, whose grandfather or grandmother
      was born a slave in the United States.

      If you're going to be pedantic, at least do it according to the criteria I set up. "Here" being Slashdot, and "several more generations" would definitely qualify as making your cases, if your case was against my initial statement, rather than the "probably", which would acknowledge the possibility of edge case scenario you described. My dad's father may have known owners or former slaves. I don't know, because I don't remember him. My dad was born at a time when there were former slaves and slave owners, but I am pretty sure he didn't know any. And I am kind of young for my "generation", my dad being in his 40's when I was born.

      Suffice it to say, my statements aren't false, they were emphasizing a real point. You being pedantic doesn't negate accuracy. Most people here are several generations removed from slavery. Again, quit pretending it was yesterday. With each subsequent generation that follows, the further we are removed.

      At some point, you're going to have to realize that the problem isn't slavery, it is attitude. And from yours, I can tell you're not yet there. Nobody you know was a slave, or owned a slave. Your kids are likely to have the exact same experience. Are you passing your excuses on to them?

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  5. Virtual Machine = Flash Condom by Anonymous Coward · · Score: 0

    Uninstall Flash on your PC and install it in a VM with a snapshot that has a browser already open. If you encounter a website that requires flash, just open your virtual machine and paste the address. When you're done, reset the VM's snapshot to before you visited the website.

    p.s. Make sure you disable bi-directional clipboard and drag-drop operations, and ffs don't mount any local folders in the VM.

    1. Re:Virtual Machine = Flash Condom by Anonymous Coward · · Score: 0

      and while drinking my morning cup of coffee while visiting several websites requiring flash with your time and labor intensive approach it's bedtime.

    2. Re:Virtual Machine = Flash Condom by Anonymous Coward · · Score: 0

      Or you could just disable every plugin, set flash as click-to-play, use an adblocker and enable http://www.youtube.com/html5

  6. âoe by Anonymous Coward · · Score: 0

    âoe... and sometimes Ý.

  7. Heart broken ... by gstoddart · · Score: 1

    Not a zero day exploit in Flash. Why, I'm utterly traumatized by this, my faith in humanity has been utterly ruined, why I ... oh, fuck it ...

    Yawn, yet another zero day exploit in a steaming turd of a technology which has been an endless series of security holes for almost 20 years now.

    And, having been largely Flash free for at least 15 of those years, all I can say is "enjoy your quality software, suckers".

    Honestly, the only thing which has cumulatively had more security holes than Flash is Windows. I honestly don't know why people keep trusting it, because it really has been a terrible security risk forever, and disabling it is usually the first thing I do in a browser.

    --
    Lost at C:>. Found at C.
    1. Re:Heart broken ... by Catiline · · Score: 1

      Honestly, the only thing which has cumulatively had more security holes than Flash is Windows. I honestly don't know why people keep trusting it, because it really has been a terrible security risk forever, and disabling it is usually the first thing I do in a browser.

      I expect a large portion of the Slashdot commentariat also have "disable Windows" as the first thing on their to-do list.

    2. Re:Heart broken ... by Marginal+Coward · · Score: 1

      Yawn, yet another zero day exploit in a steaming turd of a technology which has been an endless series of security holes for almost 20 years now.

      Just curious: why is that? Is there something inherently insecure about the design of Flash? Or, is Adobe simply negligent? Or, is this a ploy to coax users into accidentally installing adware each time they update?

      (Please don't just answer "all of the above" - I'm looking for details here, especially if there is something inherently insecure about the design of Flash.)

    3. Re:Heart broken ... by Marginal+Coward · · Score: 1

      I like your term "commentariat" - very clever. To that, we might add "curserati" and maybe even "conspirocracy."

    4. Re:Heart broken ... by ole_timer · · Score: 1

      Flash (and PDF) have the .data segment that executes. That's all you need to know. Bad. For the real geeky look at how the flate directive works.

      --
      nothing to see here - move along
    5. Re:Heart broken ... by ole_timer · · Score: 1

      for the truly geeky look at jit spraying, it has its own Wikipedia page.

      --
      nothing to see here - move along
  8. eBay by ArchieBunker · · Score: 1

    This might explain why I was getting all kinds of malware warnings while browsing eBay last night. Flash is so bad that Chrome started not playing it by default.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:eBay by Anonymous Coward · · Score: 0

      Uninstall Flash. It's primarily used for ad banners these days; often hosted on hacked ad servers throwing up malvertisements like the kind you got. Your CPU load will be substantially reduced, and pages will load a lot faster! Seriously, rip that shit out!

  9. Unicode support is not needed here. by Anonymous Coward · · Score: 0, Troll

    There's no reason to support Unicode on a site like this. It primarily targets an English audience. Anything worth expressing here can be expressed using ASCII.

    The last thing Slashdot needs is spam in Russian and Chinese, or stupid Japanese-style kaomoji emoticons, or idiotic emoji characters all over, or people drawing stupid shit with other Unicode characters.

    Yeah, maybe Unicode is useful if your audience is primarily Chinese-speaking, but that's not the case here. Unicode would be far more harmful than helpful.

    Besides, there are a lot of other more important things to deal with first. Like fixing the goddamn moderation and metamoderation systems. I have to constantly browse at -1 because the best content here ends up incorrectly modded down. The broken metamoderation system obviously isn't helping fix this problem, either. Shit, at this point I'd rather see the Slashdot devs spend their time and effort removing the moderation and metamoderation systems completely, rather than dicking around with Unicode support.

  10. or perhaps by Anonymous Coward · · Score: 0

    They got what they wanted, didn't get greedy and walked away?

  11. Interesting evolution of malware by 140Mandak262Jamuna · · Score: 4, Interesting
    When malware were named viruses and borrowed terminology from biology and germ theory of diseases, initially (I mean back in early 1990s) it was kind of funny almost snark. But the behavior of the malware evolved very similar to the way biological viruses evolve, and the comparison and terminology became increasingly relevant. Bio viruses reduce their own lethality [*1] to improve their own chances of survival and propagation. Even the original C-brain floppy disk virus of 1988 waited for 50 copies being made before it would take adverse action. Keeping a few weapons in the reserve, not attacking all possible hosts etc are all things bio viruses do too.

    So where would it go? Some viruses reduced their lethality a lot and helped their hosts survive better so that these viruses could also survive better. At some point the benefit they added was so much, they were more symbiotes rather than a pathogen. Some eventually gave up all attempts to find a new host or propagation and became totally dependent on their hosts. The mitochondria in each of our cells that is actually the powerhouse that generates energy for the organisms, was once a free living bacteria [*2]. The gut bacteria of so many animals are totally dependent on their host. Some of the viruses got spliced into our DNA itself! There are genes from viruses in our DNA happily churning out proteins for us!

    Malware authors can not claim copyright, nor can they enforce any intellectual property rights on their creation. There is nothing to stop OS developers from picking up useful bits of algorithms and code from these viruses and using it in legitimate code. Very interesting to think about what could happen. Of course, the biota is still full of harmful viruses and bacteria. So not all viruses will be tamed. But there is some potential to harvest these viruses for any good code/algorithm/logic they might have in them.

    [*1] no no no, I am not saying these viruses are sentient and they deliberately did X to achieve Y. Some viruses did X, that was beneficial due to Y, and they survived better than the ones that did not do X, thus eventually only the viruses that did X are the only ones still alive. Anthropomorphizing and attributing purpose to an evolutionary process is simply a shorthand used by biologists. Read Daniel Dennett, he explains it far better than I do.

    [*2] Endosymbiosis.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  12. Time to pirate exploit kits by Anonymous Coward · · Score: 0

    It's time for people to start "pirating" exploit kits and spreading em far and wide as 0-day releases.

    Wide availability of the exploit code will force vendors to fix their shit promptly and also piss off the exploit kit developers.

  13. Is Adobe paid to include vulnerabilities? by Futurepower(R) · · Score: 1

    How can there be so many defects in Flash? Is Adobe paid to include vulnerabilities? If so, who pays? Secret government agencies? One of the many stories: The NSA hacks other countries by buying millions of dollars worth of computer vulnerabilities.

    Is Adobe badly managed?

    "Honestly, the only thing which has cumulatively had more security holes than Flash is Windows."

    Is Microsoft paid to include vulnerabilities? Or is it bad management? "Monkey Boy" can't run a technology company?

  14. Can viruses be cited as prior art? by 140Mandak262Jamuna · · Score: 1
    Wondering the intellectual property ramifications of the virus code. USPTO says once something is published, we need to file within one year for patent. After one year published work can not be patented. Our lawyers force us to use complex #IF_PATENT_PENDING / #ENDIF constructs to keep patentable code away from daily builds and release builds. Even if there is no pathway for the code to be executed, the lawyers claim it does not matter. Inactive, unusable algorithms that were built and shipped would count. So they say.

    So if there is an interesting, innovative, novel device in some virus, will it be counted as prior art? The security researchers who see this code first hand might try to patent it, of course. Now USPTO has moved from first-to-invent to first-to-file. So they might even get the patent, but only if they do it within one year since it was released. Has anyone cited some work in a virus to argue challenge a patent claim as not-novel, covered by prior art?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  15. So, just a vulnerability, then? by Chalnoth · · Score: 1

    Every vulnerability is zero-day until a patch comes out addressing it.