Adobe warns of attacks exploiting critical Flash flaw Adobe has promised to update its Flash media player to patch a critical vulnerability that is being exploited in targeted attacks to install malware on end user machines. The attacks are being launched using emails that attach a Microsoft Word document that contains a booby-trapped Flash file, according to a blog post published …
This post has been deleted by its author
"it's time for Microsoft to quickly figure out how to let users disable SWF content from all Office documents"
Actually, it is time to ask ourselves why we are using productivity software that has the *ability* to embed things like Flash inside text documents in the first place.
What is the use case for Word+Flash exactly?
Smartphones won't be affected (obviously, they don't run Office) - however, there is no mention if Office on the Mac is vulnerable.
Flash. Is it really worth it any more ? HTML5 - will it be any safer ?
I watched one of the Feynman lectures via Silverlight last night (Project Tuva) - whatever happened to Silverlight ?
"In both cases, the attackers embedded the malicious SWF file in a Microsoft Office document, presumably because a security sandbox recently added to Windows versions of the document viewer prevents the attackers from executing code on would-be victim's computers".
I read this and I thought that someone should get a grip. The vast majority of Windows users are quite happily running Flash several versions (or years) behind the latest one.
This post has been deleted by its author
I don't remember seeing any headlines or articles recently that don't mention "critical vulnerability" shortly after "Adobe".
Oh and Adobe, I do so love having to regularly download a 100Mb files to open a glorified text message. You make Microsoft code seem svelte and minimalistic. Foxit for me.
Why are people automatically granting unknown attachments execute rights?
Oh, wait. This is Windows. Having everything ready to run and wide open to be exploited is normal.
This may explain why the *nix are not affected.
Even on Windows one can drop the permits to just "Read". Why is this not the default state for all attachments (no macros, no Flash etc permitted to run). If the user wants something to run, they can explicitly grant execute rights in the very few cases where it should be required.
And 2 months to fix something that is actively being exploited? That, frankly, is pathetic and that is why people should not be using Flash or Adobe need to release the code to the community. You can bet that the legion of geeks with too much time on their hands would have a patch ready in a few days (or sooner).
Oh, and they might be able to get Flash to be slightly less shit.
Umm, it doesn't affect *nix because the shell code is designed for a Win environ ^^
As to rights - the exact same issue exists in *nix. The Word doc does not have execute rights - it's data! However the shell executes winword.exe when you open the Word doc. The problem is that data can end up being treated as code (in the Flash player though, not in Word).
It's not even that simple to fix thanks to the abomination that is C++. You can mark pages as code or data and intentionally break 1000s of apps to make people fix the problem, however as pointers are stored in data, there is still the possibility of munging a pointer after some jiggery-pokery (a la ASLR by-passing) and still ending up with arbitary code execution.
It'd be *much* more difficult, but to say it would be impossible is foolish.
The patch time is pretty poor, but this isn't the usual case of "Bob quietly lets Adobe know of a 0-day in Feb. In May Adobe release a patch and tell everyone about it, crediting Bob with the discovery". Adobe have no head start, so their 2-3 month patch process unfortunately starts after the exploit is being actively used in the wild, which makes it all the more noticable.
There's clearly a reason it takes 2-3 months. It could be that they are sitting on their ****es, or, they might have a few million lines of code to check to make sure they don't introduce any additional "features" in the new patch (they save that for the "bells and whistles" team).
I'm no Adobe apologist (their stuff is awful both in terms of usability and security) but to be surprised that :
#1 there are lots of exploits in an extremely large and complex code base that is not publicly scrutinised; and
#2 it should take so long to create and test a patch for that code base
is crazy.
If I'm dealing with a vendor I'm not likely to have their name in my address book, and I'm likely to want whatever document is attached. The problem is hooking the applications directly to the kernel of the OS, which is a MS SOP from their start. It should have been done away with when they released 95. They claimed they were killing it when the released NT. Then they claimed it again when they released Vista. Somehow I doubt they have.
MS are so keen on this cliche - along with "Tight integration" but somehow can't see that it's at the root of most PC security problems. They're not called Trojan Horses for 'nowt, and every time MS invents another risky file-embedding technology, they create another opportunity for something nasty to get onto your computer by a totally-unexpected route.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
