Adobe rushes out patch for all-platform Flash vuln

Adobe has fixed a potentially serious cross-platform security bug in its Flash Player software with an out-of-sequence security update. A series of patches for different platforms, published on Sunday, tackles a cross-site scripting vulnerability in Flash. Adobe Flash Player version 10.3.181.16 – and earlier across a range of …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Flame

    Fecking flash

    How many fecking "updates" do I need in a month? I've lost count of the number of times I have logged into a PC to be greeted with that fecking message about an update being ready.

    Even the not-at-all-PC-aware Mrs has noticed that "This Flash thing always needs updating".

    1. BristolBachelor Gold badge
      Flame

      Fecking fecking flash

      And just to make it even better, you seem to need administrator rights to update it (at least on IE); Yeah!!!

      Also fecking, why isn't it fecking dead yet? It's lasting longer than fecking SCO group :(

    2. The BigYin
      Linux

      I see no issue

      Regular updates mean a secure system. The more the better.

      Just let your package manager handle the updates for your OS and installed apps, authenticate once, all done. You don't even need to reboot unless the kernel changes.

      1. peter 45
        Facepalm

        Eh?

        "Regular updates mean a secure system. The more the better."

        Let me just correct that for you.

        "Regular updates mean an insecure system. The more updates, the more insecure it is".

        1. The BigYin
          FAIL

          @peter 45

          No system is 100% secure. None. So a system will always start out with, say, W problems. Over time X more are found for any given time period t. So the total number of faults is W + Xt. This number grows with t.

          Fixes, Y, for those problems are released. So the total number of faults is now W + t(X - Y).

          Ah, but wait, those fixes may introduce some other issues, Z, so the total number of faults is W + t(X - Y + Z) where Z is some fraction of Y...say f, so Y is fY

          W + t(X - Y + fY) which is W + t(X - Y(1-f))

          So long as Y(1-f) > Z then a patched system actually gets more secure as time goes on rather than an un-patched one, because more holes are getting plugged than are being discovered/created.

          Just because Windows makes keeping a system up to date a raging pile of ball-ache does not make a highly patched system a bad thing. So long as those patches fix more problems than they cause.

          1. peter 45
            Angel

            Load of round dangles

            Cannot fault maths. Assumptions and logic on which maths is based is utter tosh.

            To test the logic, test an extreme example. Plug in numbers for code that contains some vulns, and plug in the numbers for code containing nil vulns. According to your logic, because the perfect code is never patched (which of course it would never need to be), it is the more vulnerable system.

          2. peter 45

            PS Logic break here

            In case you did not spot it.

            "a patched system actually gets more secure as time goes on rather than an un-patched one"

            In itself a true statement, but based on the assumption that you are comparing code with the same (approx) number of vulns at the outset.

      2. Anonymous Coward
        Thumb Down

        Windows :(

        Most people are still using Windows, remember. That means ten or so resource hogging bespoke-written app updaters all starting up and lurking in the system tray, popping up heavily skinned windows at random intervals demanding an update, then proceeding to install Yahoo! toolbar because you missed a checkbox somewhere along the multi-screen update-confirmation-and-license-agreement process. After a couple of reboots (Stage 1/3... stage 2/3... stage 3/3). Or just failing because they can't write to Program Files like they expect.

    3. xenny
      Happy

      eltiT

      Use Chrome, and uninstall all the standalone flash players. The Chrome automatic updater is discreet, and you need never worry about flash patching again.

  2. Oninoshiko

    Damnit

    I just got done writing up the package for OpenIndiana, now I have to redo it -_-.

  3. Tim Hale 1
    FAIL

    Already?!

    I built a new PC yesterday, installed Flash and it's already out of date? I appreciate a rapid response to vulnerabilities but can't they just write a decent version? Again, I know things move on and new attacks are coming all the time but seriously, Flash is the swiss cheese of software. They need to get their act together. Of course, as long as people 'rely' on it and it's seen as being vital, they've got little incentive to improve things. Now, if enough people started saying they weren't going to install Flash because of its shortcomings they might do something.

  4. Anonymous Coward

    Sources of exploits

    I always thought Flash was the biggest source of exploits too until I saw Microsoft's Security Intelligence Report [1] (Figure 6), which indicates that Java exploits are much more common (by at least an order of magnitude).

    [1] - http://www.microsoft.com/security/sir/

    1. Paul Crawford Silver badge

      @Sources of exploits

      Interesting report, but part of me is a trifle suspicious of MS reporting on their own problems. I would be more interested in reading 3rd party assessments.

      I guess the other aspect is there are probably far more PCs with Flash installed than Java, so more targets? Also a favourite has been that other piece of crap, the Adobe Reader & its PDF browser plug-in.

      Back to today's rant - why can't Adobe sort out their software? It must be only a fraction of the code base size of Windows, and yet they make MS look like the golden boy of security by comparison.

  5. Version 1.0 Silver badge
    Devil

    Interesting?

    Maybe this is why the wife's PC has just gotten two fresh copies of Malware Defender in two days? The last one after she opened a page on the Daily Mail ... and I'd only just finished cleaning the Damn thing last night.

    And this on a fully patched version of XP while running the current release of Firefox and SpyBot Defender - all updated last night.

    1. heyrick Silver badge

      Hey, if it weans her off The Mail...

      ...then that's a good thing, right?

      1. Version 1.0 Silver badge
        Happy

        upgrading wife's web site habits

        She's now reading FARK - I view this as an improvement.

  6. J. R. Hartley
    Black Helicopters

    Jeeeeez

    I long for the day when I can uninstall every fucking Adobe program for good.

  7. Anonymous Coward
    Go

    DAMN!

    come on html5, get yourself in here!!

    1. Anonymous Coward
      Trollface

      Oh really?

      And how many times did you update your browser in the last month or two?

  8. Anonymous Coward

    Painting the Forth Bridge

    I've just finished updating the 4500 machines I manage, just to find another update.......

    Oh goody.......
