Adobe has issued an out-of-band fix to address what the company warns is an actively-targeted vulnerability in its Flash media plug-in. The company said that the Flash 18.104.22.168 update would address a remote code execution vulnerability present in the Windows, OS X, and Linux versions of Flash Player. Users running Chrome and …
I am in western Canada. I saw notes of this out-of-band update a couple of hours ago on another site. On a Windows box, I just updated Firefox, Thunderbird and plugins (maybe 20 minutes ago). The Firefox check for updates did not say there was an update for Flash available.
I also run Debian machines, and it will be a while before those filter through. But, I just did an apt-get update and checked the list of things that are updateable, and nothing flash is there yet.
Just checked on my Linux box and found an update for flash.
Thanks to Steve Jobs, I have always been afraid of anything Adobe.
I wonder how many machines being used to watch the Super Bowl got bit by the NSA (or better).
If you watch Super Bowl you deserve what you get!
>Thanks to Steve Jobs, I have always been afraid of anything Adobe.
Indeed, everybody was pissed they couldn't watch Flash video on their iDevices at the time but the guy really did the world a service.
I have been aggressively hating Flash ever since realizing back in ~2003 (?) that the most trivial Flash ad on a web page would usually suck up 2/3 of my laptop's battery power (and make it loud and hot to boot), not to mention the incessant security blunders and horrible update process. I still don't understand how my laptop can happily play a Blu-ray rip and be at around 20% CPU utilization but as soon as I play a crappy-quality Flash streaming video it maxes out an entire core...
>Thanks to Steve Jobs, I have always been afraid of anything Adobe. I wonder how many machines being used to watch the Super Bowl got bit by the NSA (or better).
Thanks to Steve Jobs, I have always¹ been afraid to watch the Super Bowl.
¹ Where "always" means "since 1984".
Had this update in our repository within five minutes of receiving this particular advisory.
Have to say though... considering that Patch Tuesday is a week away this must've been pretty damned urgent for Adobe to release an out-of-cycle patch. Most of the time we'd be waiting another week. Or two. Or three.
Re: Aaand... updated.
Microsoft have updated it out of cycle too. Very unusual for them.
Adobe in wet weather = latticework of sticks.
"Users running Chrome and Internet Explorer will automatically download the update through their browsers, while other users can obtain the fix through Adobe's Download Center."
Does their auto updater (accessed through the control panel) not work then?
Re: auto update?
"Does their auto updater (accessed through the control panel) not work then?"
Depends on your definition of 'work'. If you mean automatically launches itself at startup telling you there's a new version of Flash despite setting update checks to 'never', then no it does not work. I live in hope that some day Adobe will release an updater that simply does what you tell it to do.
The question is, do they class the Linux update as less critical because it's less vulnerable in this case or just because they couldn't care less about supporting Linux?
Re: Linux Support
"do they class the Linux update as less critical because it's less vulnerable in this case"
No - it's just as simple to exploit Flash under Linux. That there are hardly any desktop Linux users and currently no specific targeted exploit is the reason the risk is lower.
Re: Linux Support
No - it's just as simple to exploit Flash under Linux.
Is it easy to say, or easy to do?
Have you written it for this one already so we, Linux desktop users, aka ghosts, could all try? E.g., on this system LMDE, with the kernel being 3.12.9-custom+, x86_64 GNU/Linux.
Thanks in advance.
Re: Linux Support
To exploit the latest and greatest underlying OS as well as Flash, you would need an appropriate 0day - which would be available for the appropriate fee in the right places. There are holes like this in Linux all the time: for instance, this one last week: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0038.html
@ac: ignorance is a good weapon
grep -i CONFIG_X86_X32 /boot/config-$(uname -r)
# CONFIG_X86_X32 is not set
I specifically gave you the name of my distro, which ships Debian kernels, as most of the other ones happen to be immune to this. And, btw, Canonical shipped the fix the same day it was announced. So, dear AC, you have to admit that it's not as straightforward as you suggested, given the heterogeneity of the Linux population (which is almost non-existent according to you, or whichever AC was there above).
However, it was said by the original AC to be a piece of cake to get an exploit utilizing some Linux kernel vulnerability through this flashplayer one. In this regard, a working exploit (at least for some distros) should be provided/linked to, or a few similar ones that existed in the past.
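The grep in the comment above is a one-off check on one box. As an added example (not posted by anyone in this thread), here is the same check wrapped so it can be run over any kernel config file, including the compressed /proc/config.gz that distributions without /boot/config-* expose; the sample config files it is tested against are constructed, and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a kernel config enables
# the X32 ABI (CONFIG_X86_X32), the build option the thread's CVE-2014-0038
# link concerns. Distros that leave it unset are not affected by that bug.

# x32_status CONFIG_FILE
# Prints "enabled", "disabled" or "unknown" (file missing/unreadable, or the
# option not mentioned at all). Always returns 0 so it is safe under set -e.
x32_status() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo unknown
        return 0
    fi
    # A set option appears as CONFIG_X86_X32=y ...
    if grep -q '^CONFIG_X86_X32=y' "$cfg"; then
        echo enabled
        return 0
    fi
    # ... an unset one as "# CONFIG_X86_X32 is not set".
    if grep -q '^# CONFIG_X86_X32 is not set' "$cfg"; then
        echo disabled
        return 0
    fi
    echo unknown
    return 0
}

# running_kernel_config
# Prints the path of a readable config for the running kernel: the usual
# /boot/config-$(uname -r), or a decompressed copy of /proc/config.gz.
# Returns 1 when neither is available (e.g. in a minimal container).
running_kernel_config() {
    f="/boot/config-$(uname -r)"
    if [ -r "$f" ]; then
        echo "$f"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp) || return 1
        zcat /proc/config.gz > "$tmp" || return 1
        echo "$tmp"
    else
        return 1
    fi
}

# Stand-alone use: check the running kernel, if its config can be found.
if cfg=$(running_kernel_config); then
    echo "CONFIG_X86_X32 on $(uname -r): $(x32_status "$cfg")"
else
    echo "no readable kernel config found for $(uname -r)"
fi
```

The distinction between "disabled" and "unknown" matters when sweeping a fleet: an "unknown" means the script could not prove anything about that host (a custom kernel with no config shipped, or a non-x86 box), so it should be reviewed rather than counted as safe.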
Re: @ac: ignorance is a good weapon
That vulnerability was just an example that they arrive all the time. The Linux kernel alone has about 700+ previous known security holes and new ones are always being found. As above for the right fee, I am sure a new one would be found that would work on your specific version...
Out-of-band Flash update?
Flash updates seem to come about twice a week, about as frequently as Adobe Reader updates.
How easy it is to hate Adobe...
Adobe on Linux
The version of Adobe my Saucy Salamander is reporting it has is 22.214.171.1245. The one on Adobe's site says it is 126.96.36.1996.
So I guess they weren't kidding when they said they would still provide security backports for Flash on Linux...
Non issue at Debian
This morning, there were updates for Windows, and if one runs the update-flashplugin-nonfree program on Debian, it does download and install something. But there are no notes in the security, users or flash mailing lists, and nothing in the bug reports.
At least they can autodetect and provide the 64-bit version for Linux when you go to download it.
That's better than Mozilla where you have to scrabble around their FTP site to find the 64-bit versions of Firefox and Thunderbird.
just make flash-plugin obsolete
A resource hog and vulnerability magnet should be avoided at any cost. For YouTube pretty much any decent video player can be used (10 times more efficiently), sometimes with the help of youtube-dl, e.g.:
1) mplayer $(youtube-dl -g link-to-youtube-video)
2) vlc link-to-youtube-video
3) totem link-to-youtube-video
and so forth...
On some other sites it might be possible to find the video source by examining the HTML source. Then use flvstreamer or a player of your choice. In more intricate situations, resort to tcpdump (you still have to run flashplayer for a few seconds to "sniff" the source of the video).
What about my trusty Playbook, TouchPad and Xoom?
Or any other of the other billion Android devices still in circulation which were shipped with Flash which is no longer updated?
Will also have to check if my Surface (WinRT) prompts for the autoupdate. My Chromebook did indeed. Did BB10 owners get the update too? Is this stuff sandboxed so we need not worry?
PS: The Playbook is still being sold as 'new' in quite a few places. They might have to eventually go on to negative price to get rid of them all. How many of them did the poor sods at BB make?
- The owner of the 1001 (mostly dead) platforms