Adobe rushes out emergency fix for critical bug in Flash

Adobe Systems has issued an emergency update for its ubiquitous Flash Player that fixes a critical security vulnerability that attackers are actively exploiting to hack end user machines. Code exploiting the universal XSS, or cross-site scripting, bug “is being exploited in the wild in active targeted attacks designed to trick …

COMMENTS

This topic is closed for new posts.
  1. Charles E
    FAIL

    Adobe shafts the Mac again

    I note that the upgrade for MacOS X only supports Intel CPUs, running the installer says "PowerPC processors are no longer supported." This is stupid since there are millions of PPC Macs and leaving them vulnerable is just going to poison the entire Flash environment.

    I guess Jobs was right, Flash Considered Harmful.

    1. James Turner

      They're only following in Apple's steps. You had noticed that as soon as Lion released, Apple stopped bothering with any more updates for Leopard? The last PPC-compatible version...

    2. Sean Baggaley 1
      FAIL

      Obsolete Technology Is Obsolete Shock!

      PPC Macs are, according to most sources, just a tiny fraction of the consumer market. (Incidentally, before anyone raises their hand and mentions PPC Mac minis being used as servers: you're not supposed to be running Flash on a server in the first damned place!)

      Apple announced their shift to Intel in 2005, and had stopped making PPC Macs in less than a year—that's nearly six years ago now, given that we're closer to the end of 2011 now than its beginning.

      No computer company offers an "unlimited, lifetime support" guarantee with their products. Not one. Once that warranty is up, you're on your own. This has always been the case. Why people persist in being so surprised by this escapes me. You paid 'em for exactly what you got. You did NOT pay them for an eternity of free support. That costs a hell of a lot more money.

      1. Anonymous Coward

        Why should Adobe be providing updates for PPC when Apple don't?

        MS are still bashing out updates for XP which is a decade old. Apple OTOH don't feel they need to provide updates for kit that is half that age.

        I think there is an obligation on companies to provide updates for software that is still in common use. That applies to Apple as much as anybody else, you can't complain about Adobe without complaining doubly about Apple.

  2. Globe199

    I'd be a wealthy man if I had a nickel for every Flash update.

  3. Anonymous Coward
    FAIL

    Shock Horror

    Another Adobe Flash security issue/bug - who saw that one coming!

    1. Anonymous Coward

      Unity, Silverlight, Quicktime, MediaPlayer, Skype

      All plug-ins are vulnerable to attacks. Flash Player's penetration rate and install base has led to it being a massive target, but it is a fantasy to imagine that alternatives such as Unity player, or Silverlight are immune! - iOS's Flash-free run time is under attack from Skype vulnerabilities, Silverlight has remote code execution vulnerabilities, etc, etc.

      Adobe are not as fast as Google at patching bugs, granted, but the sheer number of Flash releases shows that they do get it done.

      Flash bashing is easy, but t'would be no different if you had a 99% penetration rate with any other plugin.

      1. asdf
        FAIL

        I call BS

        Don't try and tell me Adobe's bloatware is no worse than any other plugin. It is the absolute worst and it's the worst because they thought it a good idea to outsource long ago. 45 meg for a pdf viewer really is normal for a plugin, oh no wait, it's not. Foxit pro shows what adobe should be doing.

  4. nyelvmark
    Thumb Down

    The drawback of ubiquity.

    If you want to be completely secure, write your own OS and all your own applications. Don't share them with anybody else. You can still be hacked, but it will take a hacker longer to crack your system than it took you to write it, and she will only be able to access your machine without writing code to crack other connected systems. If there are no connected systems, it's a losing proposition for the hacker unless your machine contains the answer to life, the universe and everything. This is "security through obscurity" at its best.

    You can compromise a little, of course: Use an obscure build of Linux as your OS, use Opera as your browser (currently the safest, because how many hackers will target 1% of the market? Sadly, it's also the buggiest - at least on my Vista machine).

    You can, of course, disable Adobe Flash on your machine. Or you could simply disconnect your internet connection.

    1. Anonymous Coward

      solution

      As a solution to a bug, 'writing your own operating system' is a bit extreme, and chances are you would be more susceptible to attacks on your one-man effort than on something that has been evolved and tested in the wild.

      Far easier just to disable questionable plugins, and keep an eye on security issues.

  5. johnwerneken

    flash must die

    another reason why

  6. Lars
    Flame

    Adobe is like Microsoft, all the software was written when the internet was a nice place (never invent the wheel again) and now the bean counters will prevent anything being rewritten from scratch as that costs money. Nor will they do anything to find vulnerabilities by themselves as that costs money too, and the "bad guys" will do it for nothing.

    Adobe and Microsoft will react to vulnerabilities, in their software, only if the noise is big enough, until then they will look the other way and just whistle.

    There will be patch after patch after patch.

  7. Disco-Legend-Zeke
    FAIL

    Flash Update...

    ...succeeded for IE, but when I tried to upgrade the chrome browser, which is running ...7 I get the following:

    "Your Google Chrome browser already includes Adobe® Flash® Player built-in. Google Chrome will automatically update when new versions of Flash Player are available. "

    1. Robert Carnegie

      That's right...ish

      According to the story (now), Chrome already has been updated to fix this. So you need to update Chrome. Chrome has Flash integrated and not as a plug-in, although I assume somewhere you can switch it off from actually running. Also, they may have not updated the version number in their edition, although that would be quite stupid.

    2. John Gaunt

      Chrome May Already Be Updated on Your PC

      According to this, Google patched Flash in Chrome before Adobe released the Flash update:

      http://securitywatch.pcmag.com/google/288014-google-patches-flash-zero-day-bug-jumps-the-gun-on-adobe-again

      Or was that the point of your post?

      1. Robert Carnegie

        I don't use it myself.

        On the page you provided, I see, "not everyone updates their Chrome version immediately, especially updates like this one which require that you restart the browser (and all running browser instances)."

        I didn't think that you had a choice, and so, puzzlingly, our fellow user ought to have had Chrome updated to the allegedly safe Flash version.

        My thought, if I were Adobe, would be not to allow this before my own release of plug-ins was ready - perhaps a matter of regression testing, that everything else still works - and instead oblige Google to release either Chrome with Flash disabled by default, or Chrome without Flash at all, if their users wanted to install that.

        But then, if Google leaves Flash out of Chrome once, they might not want to put it back in again.

        I'm assuming that Adobe writes, tests, and bug-fixes Flash, and Google only duct-tapes it into their browser. Like fitted-kitchen equipment that fits inside standard size cabinets, and, of course, is built by a refrigerator company or a washing machine company instead of a kitchen cabinet company.

  8. Solomon Grundy
    Meh

    AdobeFire

    Between my three homes I only have 11 Windows 7 machines and I will say that Adobe and Mozilla products cause me more downtime than power outages, network failures, hardware stoppages and drugs combined.

    OSS is "better" because they update more often. Closed/In-House products are better because they update to target "real" issues.

    The fact that most OSS is FREE makes the updates palatable. If I had to pay I'd actually be upset. FOSS or FREE closed source. Doesn't matter to my wallet.

    1. Anonymous Coward

      "Adobe and Mozilla products cause me more downtime than power outages"

      OK maybe there are some Adobe products that you can't cope without - Flash being one of them. However if Mozilla is causing you so much downtime why do you bother with their products? It's quite easy to manage without Mozilla you know.

  9. Anonymous Coward

    WTF? Processing Flash in email?

    Not just Adobe fail, but general email fail. WTF does any email need to include Flash? Indeed I'd assert that any email containing Flash is better than 90% likely to be spam anyway.

    But once we went from text email to HTML email to the modern mess of "let's email the IntarWeb around" it becomes easier for this sort of dain-bramage to happen.

    1. Robert Carnegie

      I think what it means is

      that you get a spam e-mail saying "Click this web link to see a video of Helen Mirren jogging in a bikini", and when you click the link, a web page opens containing Flash exploit code that eats your computer and secretly sells your house to a hacker in Nigeria. Or something. And the video is fake anyway.

    2. Anonymous Coward

      "WTF does any email need to include Flash?"

      It doesn't you numpty. The email contains a link, the recipient clicks the link which opens in a web browser where the flash is processed. There has been plenty of malware distributed this way over the years, it doesn't require that the email client processes the linked content just that the link can be opened from the email client.

    3. Solomon Grundy
      Meh

      "let's email the Interwebs around" is how it was designed to work man. Easy sharing and all that. You can't really blame the people making their living from doing it for doing what we all want. They are just taking advantage of all the things we all made happen. Most of the people reading this wanted this monster they created.

  10. Anonymous Coward

    And yet....

    Even though I have the official adobe apt repo enabled for just this situation, and even though the new version is available to download, Adobe's repository reckons that version 10.3.183.7 is good enough for me.

    Wankers.

  11. Anonymous Coward

    The problem with Flash updates is that it's too easy for people to click Don't Install so there will still be plenty of old and unsecured installs out there.

    1. Tree

      Multiple updates

      The problem with Flash updates is we need to download multiple files - one for each browser. The updates do not always work with that browser open or do not work with that other browser closed. Also, after the update, when you check your privacy settings, your camera can be remotely controlled even though you turned that off before. I hope that when HTML 5 comes out, it doesn't mess with my privacy like flash does.
