Feeds

back to article Adobe squashes TWO critical Flash vulnerabilities with emergency patches

Adobe published a critical Flash Player update on Tuesday to fix three exploits, two of which are under active attack by hackers. Two of the three vulnerabilities are being used by nefarious folk, Adobe said, and one of these two explicitly targets the Firefox browser. Adobe introduced the Flash Player sandbox a year ago to …

COMMENTS

This topic is closed for new posts.
Silver badge

Morons

> 2013

> buffer overflow vulnerability

"Yeah, our QA hasn't gotten into this static checking thing yet, uh, uh...."

0
0
Silver badge
Stop

Remember those old "Get a Mac" commercials?

FTFA - "Adobe classified the update with a priority rating of 1 (do it now if you value your computer) for Windows and Macintosh systems, and 3 (install at your discretion) for Linux kit."

When will the press finally acknowledge that Mac is not "safe by design", and in fact is performing no better from a security perspective than Windows? In fact, Win 8 appears to be more secure than Mac.

1
4
Bronze badge

Re: Remember those old "Get a Mac" commercials?

Macs *are* safer than PCs if you don't use dodgy software like Flash. And even if you do, Apple move with lightning speed to make sure that Safari can't use an out-of-date Flash plug-in.

I got down voted last week for saying the world would be a better place without Flash. I'm happy to repeat that here, and not at all fussed that I have it blocked on my machine.

6
0
Bronze badge

Re: Remember those old "Get a Mac" commercials?

"I got down voted last week for saying the world would be a better place without Flash."

Shame then that the browser developers are bickering about what to replace it with then, at least as far as video codecs are concerned. Nice to know they have their own interests at heart, not ours...

Also,

"Macs *are* safer than PCs if you don't use dodgy software like Flash."

could easily be re-written as "PCs *are* safer than Macs if you don't..."

3
2
Childcatcher

Re: Remember those old "Get a Mac" commercials?

Fixed it for you

PCs *are* safer than Mac PCs if you don't use dodgy software like Flash, Windows, MS Office, Linux, OSX, Open office, Autocad, firefox, safari, chrome etc etc., never use email or ever comnnect to the internet.

In fact, in order to keep your 'puter totally safe, don't ever take it out of the box....

1
1
Trollface

Re: Remember those old "Get a Mac" commercials?

Perhaps you'd be better off criticizing the Mac platform when it isn't mentioned *after* Windows in a vulnerability list and for a problem that is entirely the fault of a third-party anyway.

I'm not saying the Mac is invulnerable, just that obvious troll is obvious.

0
0
Anonymous Coward

Re: Remember those old "Get a Mac" commercials?

Personally I have never bought that "Mac is safe" line. SafeR, yes, but no platform is 100% safe - it just takes a lot less effort to keep it clean (no weekly GB sized patches, for instance). Having said that, MS has finally started to clean up - Win 7 is a lot better in that respect. This is why I do have a virus checker on the Mac, I like facts.

Looking back over the last couple of months, it appears avoiding Adobe and Microsoft products is a good way to cut down on risk - by installing those you end up with Windows levels of patching, and then there is that Java issue which is a mess pretty much shared between Windows and OSX.

Adobe gets in my book quite a raft of extra minus points for supplying a download agent instead of the real program, which means that you cannot properly virus check what it installs - you can only do that after the fact - and their "we ask you to accept our license but we will make it as difficult as possible for you to actually read it" approach to license statements. As a matter of fact, it is quite possible that this would fail under UK law.

Thankfully I don't need Photoshop, but the BBC using Adobe Air for its iPlayer was NOT a welcome idea.

0
0
Anonymous Coward

Re: Remember those old "Get a Mac" commercials?

Windows has always been more secure than Macs ever since the release of OS-X if you look at the relative numbers of security vulnerabilities...

0
2
Anonymous Coward

Re: Remember those old "Get a Mac" commercials?

You mean like Mac OS-X having over 1700 known security vulnerabilities, versus only about 450 for say Windows XP?

0
3
Silver badge

Re: Remember those old "Get a Mac" commercials?

>"Apple move with lightning speed to make sure that Safari can't use an out-of-date Flash plug-in."

But, Apple moves with glacial speed to address Java vulnerabilities. Flash is a small issue compared to the half-million-Mac botnet of systems that were compromised through the Java rootkit.

1
0
Anonymous Coward

Re: Remember those old "Get a Mac" commercials?

Actually Apple doesn't and I have been using Flash 10 and Firefox on Safari until today when it was squashed. Adobe upgraded to 11 saying it would work on all Apple Intel machines! It does not !

You cannot 'avoid' flash as most media use it all the time

0
0

This post has been deleted by a moderator

Silver badge

Re: Flash?

No - saviour of the universe!

An alternate one, at least to here...

1
0
Gold badge

Re: Flash?

Flash - ahaaa .. :)

0
0
Silver badge

Re: Flash?

He'll save every one of us!

0
0
FAIL

Uninstall

This was an excellent opportunity to uninstall Flash.

One can think of it as the ultimate Flash security patch.

4
0
Anonymous Coward

Crapware

Watch out for the Don't install crapware option. It's on the download page instead of in the installer.

1
0
Silver badge

Re: Crapware

That's this week. They'll move it next week.

0
0

Where the Sandbox?

Wasn't the Vista/Seven exclusive sandbox or protected mode supposed to mitigate exposures like this? The fact that they list the exploits on Mac, Linux who don't have protected mode means the sandbox should have done it job right?

1
0
Anonymous Coward

Unwanted prompts?

Are those the fixes that introduced the new prompts like "Do you want to let this content play"?

They've broken one of my semi-automated tools that checks hobby web sites for specific content changes. The VBA application uses Excel 2007 with an embedded WebBrowser object. When the flash prompt appears it usually won't respond to mouse clicks to tell it to "continue". The WebBroser object is then frozen - and Task Manager has to be used to abandon the Excel session. At that stage the page is only being loaded - not processed by the VBA.

Adobe should have included a preset option in the "Advanced" settings to always be "No" so the prompt wouldn't need to appear. Not sure if their list of permitted files has any effect on this - especially as it is difficult to determine which element on a page is causing the prompt. An alligator in the swamp that is most unwelcome.

0
1
Anonymous Coward

Re: Unwanted prompts?

I've had a word with Adobe on your behalf and they've agreed to role back immediately. They apologise profusely for the inconvenience caused to your obtuse hobby project

0
0
Anonymous Coward

Re: Unwanted prompts?

your obtuse hobby project

.. which, being based on VB and other Microsoft products, was pretty much hosed from inception..

5
0
Silver badge

Re: Unwanted prompts?

Control Panel > Flash > Advanced > Developer Tools > Change trusted locations.

0
0
Anonymous Coward

Re: Unwanted prompts?

".. which, being based on VB and other Microsoft products, was pretty much hosed from inception.."

Hmm - the Excel VBA suite of apps has been working very usefully for getting on for 15 years through several Office/OS migrations. That's pretty good for the constant flux of the IT world. My Apple II and mainframe apps have long since become incompatible museum pieces.

Any IT development is hostage to an unexpected side-effect of an apparently innocuous change elsewhere - even if you write all the code yourself.

A strategy has already been designed into the application to cope with sites whose processing fails to complete in some way. C'est la vie, c'est la guerre. Je suis content.

0
3
Silver badge

Flashblock?

Does anyone know for sure whether the Firefox Flashblock plug-in (which I use) is a generic fix for these problems in respect of any flash stuff that you don't actually choose to display? In other words does flashblock keep the flash data strictly away from the flash code until you click on the logo?

0
0
Go

Re: Flashblock?

It appears to me that this is the case. You could do some reverse engineering by looking at the process list. Or by looking at the source:

http://flashblock.mozdev.org/source.html

0
0
Bronze badge
Go

For those that would like a link to the full installer:

http://helpx.adobe.com/content/help/en/flash-player/kb/installation-problems-flash-player-windows.html#main-pars_header

That should make life slightly easier if you have many PCs to update.

0
0
FAIL

It would be nice if Adobe fixed some long-standing bugs

One that has been around since 2011 and has JUST decided to affect me is a bug where the audio of any flash video is automatically played at 100% which can be damaging to ones hearing. Pick another video and that is automatically played at 100%. There is no way to reduce the volume for subsequent videos without disabling protected mode.

Just in case anyone is wondering about Adobe and if they even intend to fix this bug:

https://bugbase.adobe.com/index.cfm?event=bug&id=3210127

The bug is listed as "Priority = 3-High", "State Closed", "Status Deferred".

Same bug in Firefox, IE, and Chrome.

0
0
Anonymous Coward

Re: It would be nice if Adobe fixed some long-standing bugs

I'm puzzled - does that mean that every app has the ability to affect the overall system sound volume? Ugh.

0
0
Gold badge

Re: It would be nice if Adobe fixed some long-standing bugs

I suspect that's "100% of the current system volume". Most players have a volume control that allows you to reduce or increase the volume of the audio within that limit as videos do not all have the same volume on them. Most also have the good grace to remember the setting last used when you fire them up.

I suspect that the sandboxing has rendered persistant setting difficult to achieve. Actually it should be impossible to achieve, as the very fact that the embedded player has stored something (its current volume setting) while in use on a page means that it has access outside the sandbox.

0
0
FAIL

Re: It would be nice if Adobe fixed some long-standing bugs

It is as if you go to Youtube (or anywhere else), load a video, and then slide the volume control on the Flash player to maximum. Every time. The most annoying part of this stupid bug is that it suddenly arrives of your PC. One minute everything plays OK then BANG (or other loud noise) every single flash video plays at maximum volume. Adobe have shelved the issue essentially saying it is not their problem and blaming the OS and browsers.

0
0
This topic is closed for new posts.