Feeds

back to article New Flash vuln exploited (again). Adobe posts emergency fix (again)

Adobe has released an update to address critical flaws in its Flash Player software, one of which is being actively targeted in the wild. The company said that the Windows and Mac OS X builds of Flash Player 12.0.0.44 and earlier, and Flash Player 11.2.202.336 and earlier for Linux, must be upgraded to fix a trio of bugs. Adobe …

COMMENTS

This topic is closed for new posts.
Silver badge
Trollface

"Your technological terror is insignificant..."

Really, it's like an exhaust vent on a battle station.

3
0
Anonymous Coward

Re: "Your technological terror is insignificant..."

"Really, it's like an exhaust vent on a battle station."

Yep Just like the numerous sets of 'Highly Critical' holes in Chrome. Emmental Cheese (or Java) springs to mind....

The latest set of those are not patched yet: http://secunia.com/advisories/57028/

0
0
Bronze badge

Re: "Your technological terror is insignificant..."

And by definition it isn't terror if the USA or some other national government does it.

It is "shock and awe".

1
0
Bronze badge

Begs the question...

Will Flash ever be secure?

I guess it is trying to do many things and gets tripped up doing some of them. So, time will tell.

Also: Hey Adobe, we Linux people would like to be included in the 12.xxx series releases too. How about it?

7
0
Anonymous Coward

Re: Begs the question...

Will Flash ever be secure?

From what I've seen so far, I sincerely doubt the company is even capable of spelling the word "security". Anyway, it's a good argument to uninstall this stuff - I have it disabled anyway but for 2 sites I need, and I have just found alternatives for them :)

1
0
Anonymous Coward

Re: Begs the question...

What are you using AC?

0
0
Anonymous Coward

Re: Begs the question...

Ah, the duplicity of English, I should have been clearer: I have found replacements for the sites.

Finding a replacement for Flash is like creating a replacement OS for Windows: the job is incomplete until it is just as vulnerable..

1
0
Bronze badge
Joke

Re: Begs the question...

Adobe tried to spell "security" but it didn't look that great so they re-did it in Flash....

I can't work out how to add a "bad" to the icon....

0
0
Facepalm

Arbitrary code execution ..

'Adobe said today's update will "resolve a stack overflow vulnerability that could result in arbitrary code execution (CVE-2014-0498)", fix "a memory leak vulnerability that could be used to defeat memory address layout randomization [ASLR] (CVE-2014-0499), and squash "a double free vulnerability that could result in arbitrary code execution (CVE-2014-0502)."`

Does this mean that it's possible to deliberatly write an app that could defeat ASLR and exploit the stack to execute arbitrary code ..

1
0
Anonymous Coward

Re: Arbitrary code execution ..

"Does this mean that it's possible to deliberatly write an app that could defeat ASLR and exploit the stack to execute arbitrary code .."

Yes, that's not new. There are a number of known ways of attacking ASLR protected systems.

Microsoft have developed more advanced protection, but it's currently an optional install: http://www.microsoft.com/en-gb/download/details.aspx?id=41138

0
0

Chinese State espionage + Flash = Fail

Lets see...codes implies Chines speakers + considerable resources + foreign policy websites(not the usual money stealing banking scams). So basically Chinese state espionage. Combined with Flash equals fail.

2
0
Bronze badge

Re: Chinese State espionage + Flash = Fail

I took it to mean the NSA.

3
0
Bronze badge

Re: Chinese State espionage + Flash = Fail

I took it to mean a country with less expertise than the USA, UK and China.

0
0
Bronze badge
Facepalm

Adobe can't....do security.

I think flash vulnerabilities are now Adobe's trademark

3
0
Anonymous Coward

Users can mitigate this threat by uninstalling Flash, Shirley?

1
1

whitelist

Maybe thats what flash needs. It is possible in the registry for IE.

0
0

Re: whitelist

It wouldn't help that much. It would only serve to force attackers into targeting legit domains.

0
0
Gold badge

Paraphrasing Queen?

FLASH! Uh ooooh...

:)

0
0
Mushroom

BBC, sort yourself out

I only ever install Flash in order to access content on the BBC website (and block everywhere else) - if only the BBC would sort their shit out and offer me media content my browser (Firefox on Windows) natively supports I wouldn't need to install this Adobe crap at all!

The BBC offer h264 to iDevices but everyone else has to put up with Flash. It's so arse about face - they should be offering h264 by default, with Flash being the fallback only if all else fails...

8
0

Infinite loop

while(adobe)

{

findbug();

fixbug();

}

0
0

Re: Infinite loop

void fixbug()

{

fixOldBug();

createNewBug();

}

1
0
Silver badge

Nobody is taking this seriously enough.

Things like this happen for one reason alone: Nobody but Adobe has the Source Code to the Flash player, and therefore nobody but Adobe can search for and repair vulnerabilities.

Nobody but Microsoft has the Source Code to Microsoft Office, but that hasn't stopped very many pirate copies of Office from being made. And even if having the Source Code to Flash player made it easier to give away copies, Adobe probably wouldn't miss the £0 they aren't getting each time.

What I'm getting at is, this whole business of denying people access to the Source Code is actually making things a lot worse than they need to be.

How long must we wait, before some Ministry of IT in some country passes a law demanding that software vendors must make available the Source Code to any product they want to sell or give away in that country?

1
3
Anonymous Coward

Re: Nobody is taking this seriously enough.

"Nobody but Microsoft has the Source Code to Microsoft Office"

A bit misleading - companies / governments, etc. can already view Microsoft source code on request.

1
0
Bronze badge

Re: Nobody is taking this seriously enough.

"Things like this happen for one reason alone: Nobody but Adobe has the Source Code to the Flash player, and therefore nobody but Adobe can search for and repair vulnerabilities."

If what you said was true there would never be vulnerabilities in Linux or Apache.

Open source is no magic bullet.

1
0
Anonymous Coward

Re: Nobody is taking this seriously enough.

Bullcrap, there's tons of vulnerabilities in open source.

1
0
Silver badge

Re: Nobody is taking this seriously enough.

Nobody ever said Open Source software was completely free of vulnerabilities. However, there are vulnerabilities, and there are vulnerabilities.

The vulnerabilities in Open Source software almost invariably get spotted by someone with honest intentions and fixed, before they get spotted by someone with dishonest intentions and used for mischief. (Which is hardly surprising, given the ratio by which honest people outnumber dishonest people.) Open Source vulnerabilities most often are disclosed to the public just after the patch that fixes them is committed. But a vulnerability in proprietary software might still get spotted, even without access to the Source code, by someone with dishonest intentions; and it might be exploited many times over before the vendor issues an update.

I agree that if people aren't regularly installing up-to-date versions of their software, then it doesn't matter what Source Code model is being followed. What I am saying is that if you remove the single point of failure by giving more people access to the Source Code, you end up with fewer exploitable vulnerabilities in the latest version.

Concealing Source Code from users benefits nobody, it ultimately harms users, and it's time somebody stamped on the practice good and hard.

0
0
Anonymous Coward

Re: Nobody is taking this seriously enough.

"The vulnerabilities in Open Source software almost invariably get spotted by someone with honest intentions and fixed, before they get spotted by someone with dishonest intentions and used for mischief"

Oh really? Perhaps you should tell Sony! Or the zillions of other people running Open Source web servers that constantly get attacked and defaced?

"Open Source vulnerabilities most often are disclosed to the public just after the patch that fixes them is committed."

Erm, so why has Microsoft Windows Server consistently had a shorter average time at risk than SUSE or RedHat Linux every year for the last decade?

0
0
Bronze badge

Hangonamo...

The article states that users, including Linux users, need to be patched, yet the vuln is decribed as only applying if "a PC must be running Microsoft Windows XP; Windows 7 and Oracle Java 1.6; or Windows 7 and Microsoft Office 2007 or 2010."

I've long held the suspicion that some "security patches" and other alerts are used purely to push users off products that companies no longer wish to support. I'm not saying that this is one such alert, but the above does strike me as a bit odd. Or have I misread?

1
0
Anonymous Coward

Re: Hangonamo...

"The article states that users, including Linux users, need to be patched"

The active exploits target a subset of Windows users with older software installed. As Linux has a ~ 1% market share on the desktop you are 'probably' safe, but that doesn't mean that you shouldn't patch. Linux distributions do after all mostly have much higher vulnerability counts than current Windows versions. If someone wanted to find a way to hit you on Linux, they probably could...

1
1
Bronze badge

Re: Hangonamo...

Undoubtedly. Which is why big banks and governments mostly run Windows. Windows has been far more thoroughly tested for vulnerabilities than competing PC operating systems including full function open source operating systems for generalized computing.

You don't think a big bank could afford Apple? Of course they could. But banks and governments face the threat of custom written malware targeted just at them. It doesn't matter what malware is out there so much as how difficult it would be to write a new piece of malware.

2
0
Anonymous Coward

Re: Hangonamo...

"You don't think a big bank could afford Apple"

Apple OS-X now has over 2,000 known vulnerabilities, so perhaps that might not help anyway!

0
0
Anonymous Coward

Re: Hangonamo...

That'll be because OSX runs much the same sort of shell and daemons as Linux.

1
1
Anonymous Coward

Re: Hangonamo...

Actually OS-X is largely based on Open BSD, which is generally considered somewhat secure - unlike Linux.

You can therefore solely blame Apple for screwing it up so badly and managing to make quite so many holes in OS-X!

0
0
Anonymous Coward

Another emergency update we cannot install

This bug https://bugbase.adobe.com/index.cfm?event=selectBug&CFGRIDKEY=3161034 prevents all Linux/AMD (or more precisely, non SSE2 capable CPU) owners from installing these emergency updates, with all know consequences. Two years open, with numerous reports in other trackers (see Adobe bugbase comments), highest voted Linux related issue, but this is (still) their reaction:

---------8<----------

If bug is set as ToTrack or Closed as Defer, it means we have reproduced the problem, but unfortunately, it does not get high enough priority to address in our current release. ......

---------8<----------

0
0
Anonymous Coward

Re: Another emergency update we cannot install

"Linux related issue"

That's your problem right there. If it was more than 1% of Adobe's user base they might care...

1
0
Anonymous Coward

Re: Another emergency update we cannot install

I wouldn't worry too much about it. Flash is not just sick, it's dying. Just uninstall the crap.

0
0
Bronze badge

From Fire Eye "this actor has the tradecraft abilities and resources"

Exploits are going to be happening more and more frequently as foreign spy agencies worldwide are forced to emulate what the NSA is doing (spying on friendly nations, their citizens and their companies) in order to maintain their own national security and national interests.

From the Fire Eye blog:

"This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues. The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.

This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems. Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term."

1
0
Anonymous Coward

The sooner PDF and flash sod off the better.

0
0
Anonymous Coward

Just can't win

I recently installed Flash on my HTPC because Silverlight was a skipping, stuttering mess when playing Amazon's HD video streams. Too bad nobody can get their s*** together and make a product that fills this niche that isn't terrible.

0
0
Bronze badge

Adobe should be required to...

additionally name their updates so it's apparent just looking at the filename at what time of day (hh:mm:ss), in which time-zone, and on which date the update was released.

One downside to the ubiquity of Flash, for example, is that everyone is pretty much forced to update (either the software or their hardware) when large players (e.g. BBC) start delivering only what's been produced with the latest versions of the kit available. While this does contribute to people patching their systems, it also much more rapidly orphans what would otherwise by useful kit. IOW, it becomes an unintended impetus to turn-over cycles, particularly in the home.

Anyway, there's something disturbing about having to ensure that you've got the latest version of x other things in order to mitigate the threat. I do appreciate the need to update and patch and so on, and recommend doing so. When an ever-narrower collection of tools in your kit means a given threat is potentiated by the shallow gene pool there, it's time for drastic changes.

0
0

Flash as easy to crack open as a fortune cooke

Year of the horsie brings good luck to Chinese Checkers. When these websites run flash, they are asking for trouble. Don't use flash or java if you want security! This type of site can be better without it, anyway. The Chinee know that Adobe is worse than the northbound end of the southbound horse.

0
0
This topic is closed for new posts.