New attacks exploit vuln in (fully-patched) Adobe Flash

Online criminals are targeting a previously unknown vulnerability in the latest versions of Adobe's ubiquitous Flash Player that allows them to take complete control of end users' computers, security researchers warn. Although the exploit can be triggered using malicious PDF files opened by Adobe's Reader application, a more …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Jobs Halo

    So...

    ...do I need to be worried if I'm using Opera on OS X in a non-admin account? The story (and the linked articles) was a bit unclear.

    (btw, I'm not trolling, I genuinely would like to know)

  2. vincent himpe

    simple solution

    uninstall flash. problem solved.

  3. Mark 65

    Details

    The article says it works for firefox as well, but for all OSes? Linux, OSX etc as the article and references weren't specific? Or is this a windows issue?

  4. Anonymous Coward
    Flame

    @vincent himpe

    Uninstalling all internet browsers would work, too. Hell, if you want to be really secure, you could uninstall the OS!

    Sorry, I just love these sanctimonious suggestions from people who don't actually have to use computers to get -work- done. Just because you spend your days adjusting your suspenders, combing your beard, and recompiling your kernel, doesn't mean other people don't have lives and - gasp - jobs! - which require them to use web sites that have flash components.

    Grr.

  5. Anonymous Coward
    Thumb Down

    yay for flash

    Is it just me or is flash like voluntarily installing a "kick me" sign on your computer?

    @David W

    In all honesty, I don't know of any important sites that require flash to function (off the top of my head: 2 sites advertising a computer game, and one belonging to a real estate agency).

  6. Dillon Pyron
    Pirate

    This and that on this and that

    I'm still doing my own research on the exposure level to non Windblows platforms. Browser doesn't matter, since it's a Flash vuln.

    I use Noscript and choose the sites I'll allow Flash from. Yeah, as David points out, it sucks sometimes. But I'm paranoid.

    Non admin? Well, I would hope you're safe, since that's the whole concept.

    Yet another "we can be trusted because we've promised to be safe" Charlie Foxtrot.

  7. asdf
    FAIL

    Adobe sucks almost as much as lame web devs

    Adobe may be the worst major software house out there. Their software is horribly bloated, massively overpriced, very crash prone, and obviously very insecure. I avoid their crap whenever possible (Foxit Pro, etc.). It just sucks that the pseudo web programmers (let's be honest, web graphic designers, nothing more) out there made them a juggernaut that can safely ignore their users. Not even Microsoft can get away with the crap Adobe pulls.

  8. Anonymous Coward
    Stop

    Firefox users

    Firefox users can use the Flashblock add in.

  9. mmiied

    @Anonymous Coward 04:37

    "In all honesty, I don't know of any important sites that require flash to function (off the top of my head: 2 sites advertising a computer game, and one belonging to a real estate agency)."

    or the web sites everybody in my company uses, including our own (one I was not involved in writing). It may be bad, but people who work in business NEED these types of programs, or will tell the head of IT they need these programs, so we have to install them. It is not an option.

  10. Anonymous Coward
    Flame

    programming snobs (@asdf)

    My current project is a game built in ActionScript 3, which is completely object/event-based. I'm using OOP concepts such as inheritance and interfaces. I'm also using techniques to optimise performance such as direct manipulation of bitmap data. So far I'm buried in a few thousand lines of code spread over a couple of dozen classes. I work in a text editor, only jumping into the Flash IDE for the occasional timeline animation (most of the animation is coded). People are enjoying playing the game in its current state, and it's for a real client, not some bedroom project.

    Of course I understand that many other readers will be working in heavier programming environments than I currently do (and I have worked in more collaborative environments too). I certainly don't think I'm anything special. But I have to ask as you seem to know - in what way am I a 'web graphic designer'?

    (Not) sorry, but I've been working in this field for about 10 years and in my experience the people who are most snobbish about programming tend to be the people with least talent. Often they are bitter because they have a computer science degree or similar, and they know all about Java and other really useful things like Fortran and Smalltalk. They think they are owed some respect for this but they are often mediocre in what they produce. Clients (who always seem to want me to go back and work for them again) frequently tell me how hard it is to find a developer (YES, that's what they call me whether you like it or not, a developer) who just gets the job done and doesn't fall apart the moment they take a step out of their comfort zone. Their lists of contractors mainly have big black Xs next to them, and these are major central London clients I'm talking about.

    Meanwhile the few coders who have genuinely stood out over the years are the people who get the job done using whatever tool suits best, often self-taught, often humble, and with no desire to try to put themselves above anyone else because they are secure in their abilities. Maladjusted tits wearing trenchcoats and black sabbath t-shirts who think they are better than everyone else are ten-a-penny.

    I do agree with your comments about Adobe though, in my opinion they should concentrate more on fixing bugs in new versions and less on adding features/bloat. Although I love the clean methods of working in AS3 the mentality has really changed since Adobe steamrollered Macromedia out of the way.

    Sorry for the massive rant but I do my best to do a good job and be responsible about what I produce, and ignorant comments such as yours get my back up sometimes.

  11. Ben Tasker
    Paris Hilton

    @David W.

    If your life requires you to use flash I'd be very worried! Sure requirements of your job might, but your life???

    If you can't live without flash then this poses far more of an issue for you than it does us - obviously. There are various firefox addons that you could use, just block everything except those sites that you need for work, and hope that those sites aren't hit (fingers crossed!).

    Re: OS, whether it's Windows only or not, pretty nasty one considering how ubiquitous Flash is, but the effects _should_ be limited if you are not running as an admin user. Your files could still get hosed though.

    Paris because that's a Flash I'd like to see!

  12. Anonymous Coward
    Grenade

    Another day...

    ....Another Adobe hole....

    Silverlight looks better option each time.....

  13. Cameron Colley

    @vincent himpe

    Yeah, great idea, uninstall the application that allows me to watch BBC iPlayer and other online videos from the machine I bought to, amongst other things, watch BBC iPlayer and online videos.

    Granted, might be a good idea to uninstall it on my work PC but, then, I wouldn't be able to use some of the functionality on our intranet.

  14. N2

    @ asdf

    I'm not trolling, but I agree, they seem to have people by the bollox & charge whatever they like for some of their stuff.

  15. Chris 191
    Joke

    Yah boo sucks

    I'm OK, I only use the excellent Silverlight! Security through obscurity...

  16. Anonymous Coward
    Anonymous Coward

    Re: yay for flash

    finance.google.com, finance.yahoo.com, timetotrade.eu

    Basically, any site that does real-time charting.

  17. Ryan 22
    Linux

    Non Admin?

    I've never understood why people think being "non admin" will protect them. Is your data accessible by only the computer admin, or is it accessible by your user? If it is accessible by your user, it can be stolen / deleted by a non admin exploit.

  18. Anonymous Coward
    Thumb Up

    Nicely said son

    asdf:

    +1

  19. Steve McPolin
    WTF?

    hamster on a wheel

    Every media technology has been plagued with this sort of failure. Originally, it was just desktops; which could be re/booted/installed/cycled without too many tears. Some of this dodgy technology is making its way into areas where technology may be expected to actually work; and I don't see it turning out well.

    Is there something so intrinsically difficult about drawing pictures that even basic engineering cannot be applied?

  20. mrmr
    FAIL

    Re:Adobe sucks almost as much as lame web devs

    I checked the foxit web-site and got a 'This site requires macromedia Flash 8+' message.

    Ironic

  21. Anonymous Coward
    FAIL

    @David W.

    > "Sorry, I just love these sanctimonious suggestions from people who don't actually have to use computers to get -work- done. Just because you ... bla bla bla... unwarranted self-importance ... bla bla bla ... holier than thou bla bla bla. "

    You're pretty sanctimonious yourself there. Just because you need flash on a couple of websites you use during the working day doesn't mean you need to allow it everywhere at all times. Use NoScript/FlashBlock and whitelist just the one or two sites that you need.

  22. Rev. Ignatius Killfile
    WTF?

    OMG! SWF? WTF?

    Seems a lot of web designers are using Flash to produce animated banners and the such like for advertising. Great eye candy, but wouldn't the creative use of animated GIFs be more apropos?

    Sledgehammer and nut spring to mind.

  23. Anonymous Coward
    Anonymous Coward

    Determining version

    Does the flash player automatically update itself? I don't even know how to find out which versions I've got running in Firefox and IE.

  24. Joe 3
    Thumb Up

    @ Mark 149

    Well said. It's all about giving the client a good quality end product, and Flash has enabled true web-based applications long before web 2.0. Sure, graphic designers do abuse Flash so they can offer websites to their print clients, but in the hands of a real programmer it's a great tool. The idea that users should run only Firefox without Javascript and Flash is some crazy fantasy, while those of us who make a living from this stuff have to live in the real world!

  25. Anonymous Coward
    Badgers

    @Ryan 22

    I understand that my own data can still be hosed when running a non-admin account, but any virus/trojan which is downloaded will not have the privileges to go messing with the system files (I'm smart enough to not enter my admin details willy-nilly). As such, no stealthy behind-my-back hidden-from-view installs.

    Also, although the vulnerability is in flash, it seemed to require an x86-based system for it to work properly. My main web-browsing machine is still an (ageing) PPC G4.

    The main reason for the non-admin account is the protection from admin->root privilege escalation exploits. However, my question was really about whether or not there are any viruses/trojans for OS X that run __without_user_interaction__ on a non-admin account and do any serious damage.

  26. Anonymous Coward
    Thumb Down

    whitelist won't work

    "You're pretty sanctimonious yourself there. Just because you need flash on a couple of websites you use during the working day doesn't mean you need to allow it everywhere at all times. Use NoScript/FlashBlock and whitelist just the one or two sites that you need."

    @AC: And as the article states, if one of your trusted websites gets compromised then you will be hit. NoScript/FlashBlock can't protect if a whitelisted site gets hijacked.

  27. Anonymous Coward
    FAIL

    Hate it!

    With the possible exception of providing a natty way of displaying videos, I have yet to see a useful application for flash. Why does anyone want to rely on a huge blob of cruddy Adobe code that brings the whole system to a grinding halt on frequent occasion just to have some useless blobs and pictures moving all over your browser? Pointless.

    Have Adobe EVER written anything that could be described as "good"? Acrobat is a SHOCKINGLY bad piece of software. Flash is not far behind.

  28. DZ-Jay

    @Joe 3

    I live in the real world. I've worked for over 15 years in low-level systems programming, at least 10 of which include "web development". Yes, that means JavaScript and ActionScript too. I can tell you the technology for web applications sucks, and most "web developers" are oblivious in ignoring the lessons of the past in other platforms, such as security, stability and scalability.

    When I go home and browse the web, which I do quite often, I disable JavaScript and Flash on my web browser, and enable them only on the seldom chance that it is required for a resource I /want/ to access. This is very rare.

    Not everything requires "rich media", and as a matter of fact, most resources on the web would do good to avoid them.

    -dZ.

  29. Anonymous Coward
    Anonymous Coward

    test cases?

    from the second link...

    <snip>

    Testing shows that the vulnerability is exploitable on Windows XP and Vista, but the dropped executables do not run on Vista if UAC is enabled. Also, because this vulnerability affects Flash, any software that uses Flash is potentially vulnerable to this issue.

    </snip>

    Not trolling, but I would really like to know if firefox on linux is vulnerable or not. Has anyone tested this?

  30. Doug
    Linux

    the root of the problem is the OS

    Wouldn't it be simpler to design an OS that is immune to defects in the applications that run on top of it?

  31. MinionZero
    Alert

    Time everyone learned to use plugins like NoScript

    NoScript is a pain to use, (having to manually enable each web site once to work), but the joy of being able to avoid so much brain washing from flash in their relentless annoying static noise like way to get my attention, (and so distract me), makes it worth the effort and it'll at least stop dodgy sites running flash... (I enable sites I visit often as I can trust them, but it at least blocks sudden surprise flash attacks).

    http://noscript.net/

    Plus it's a good way to hold off from some web spying. I don't *choose* to let them spy on me and I don't *choose* to let sites I don't know and trust, then seek to annoy me by distracting my attention.

  32. CD001

    confused now...

    ----

    Meanwhile the few coders who have genuinely stood out over the years are the people who get the job done using whatever tool suits best, often self-taught, often humble, and with no desire to try to put themselves above anyone else because they are secure in their abilities. Maladjusted tits wearing trenchcoats and black sabbath t-shirts who think they are better than everyone else are ten-a-penny.

    ----

    Damnit, what happens if you're a self-taught, humble, maladjusted tit who wears a trenchcoat and Sabbath t-shirt (oki, more likely to be Ministry in my case)? Although, weirdly enough, I've found the "thinking you're better than everyone else" mentality applies to a certain amount of Goths/Metallers irrespective of their trade.

    Otherwise I'm in agreement but then I'm also only a "web graphic designer" - who applies object oriented principles to JavaScript, ActionScript and PHP ... oh and can program in Java or C++ (to a certain extent) if the need arises. I've done a bit of VB in the past but I miss my curly braces too much ;)

    ----

    Seems a lot of web designers are using Flash to produce animated banners and the such like for advertising. Great eye candy, but wouldn't the creative use of animated GIFs be more apropos?

    ----

    Depends... if you want smooth animation running through a few sequences then using an .swf will keep the filesize down - although, granted, you do have the player overhead. An animated gif is, essentially, a whole load of individual images strung together in a sequence, which REALLY increases the filesize if you attempt to do anything like a smooth tween.

    You might also want multiple links in the same banner. e.g. "to request our catalogue - clicky, to see our products - clicky" and so on. There are times where Flash is the appropriate medium for banner ads and times when it's not.

    Besides, wouldn't you rather have flash banners? They're easier to selectively block than images. Yes, I still have to go back to making banners occasionally since I'm the only person in the company who knows how to use Flash.

  33. Anonymous Coward
    Anonymous Coward

    Infallible precautions?

    With the Flashblock extension in Firefox set to universally disable Flash, and the Tools > Flash Blocking setting for Internet Explorer enabled in SpywareBlaster, along with NoScript in FF, and JavaScript turned off in Reader (and even in Foxit (?) if that's the one you use), perhaps this is the way to protect against this one (without actually uninstalling Flash)?

  34. Ken Hagan Gold badge

    @Joe 3

    "The idea that users should run only Firefox without Javascript and Flash is some crazy fantasy, while those of us who make a living from this stuff have to live in the real world!"

    Er, and here in the real world millions of people are about to get their machines screwed over by this vulnerability. I won't claim to have done a scientific study, but it seems to me that Adobe (and not MS) are the main source of holes in the average corporate network. On that basis, restricting Flash access to the minimum number of users and the minimum number of external sites makes a lot of sense and should be easily justifiable to management when the YouTube fans start complaining.

  35. Chronos

    @ 1st AC

    It potentially affects all current (v9 and 10) Flash players for all OSen according to Adobe's SIRT:

    http://blogs.adobe.com/psirt

    What is dropped will most likely be platform specific, but there's nothing to stop skiddies detecting the OS and dropping OSX or Linux code. Note that Solaris users are left dangling for now. An advisory has also been issued:

    http://www.adobe.com/support/security/advisories/apsa09-03.html

  36. Bilgepipe
    Thumb Down

    Time to Uninstall

    I guess I was waiting for one reason to dump Flash, this is it. Bloated shite, only good for creating crappy movie sites, and now it's insecure too. Go and find the Javascript Quake demo to see what could be done without Flash even five years ago.

    With modern web standards improving all the time there is less and less reason to use Flash and it will become more and more irrelevant; good riddance.

  37. Chris Watson 2

    @Anonymous Coward

    You can check what version you're running here: http://www.adobe.com/uk/software/flash/about/

  38. Chronos
    Badgers

    @ Bilgepipe

    Yes, me too, and those going on about how stupid it is to ditch Flash may be well advised to re-evaluate just how important their little proprietary-tech-based sites are to the rest of us. News "Flash": Not very. The only time I rue blocking YouTube is when El Reg posts a video and, even then, the regret is transitory.

    Badgers. Well, it's early web2.0rhea, no?

  39. Mike Holden
    Unhappy

    Oracle

    Oracle's Metalink tech support web site is moving over to a flash-based system. It's not compulsory yet, but before too long you won't be able to log on without at least a recent version of Flash 9. We are forced to use IE at work, so I don't even have the benefit of NoScript to help me out.

  40. gollux
    FAIL

    When can we start giving Adobe a kick in the rocks...

    Too much Web 2.0 Alphaware depends on Flash for all sorts of garbage. The problem was reported a coon's age ago, and Adobe hasn't figured out yet that people have started to depend on their decrepit Flash reader not being a direct infection conduit?

  41. MarkOne
    Stop

    Opera users

    Don't need to install or rename files, they just need to:

    Tools, Preferences, Advanced, Content

    Untick the enabled Plugins.

    This will make them safe until the fix is posted.

  42. MarkOne

    And for Opera users..

    If you want to enable plugins for a specific site, F12, Edit Site Preferences, Content, Enable Plugins.
