Severe Adobe Flash vulnerability

For those of you using the Adobe Flash player (including on Linux or Android), and, possibly, Adobe Reader users as well: the company has announced a "critical" vulnerability which, evidently, is being actively exploited. "We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010." Even people who cannot do without this software might want to consider taking it off their systems until the update comes out.

Severe Adobe Flash vulnerability

Posted Sep 14, 2010 14:24 UTC (Tue) by ssam (subscriber, #46587) [Link]

this is why i have 2 firefox profiles, and only use the one with flash installed when needed.

flash block is a half solution. but it still advertises that you have flash installed, so some websites will give you a flash version, not an HTML version. also web developers look at their stats and see that 99% of users have flash installed, and so keep using it.

Severe Adobe Flash vulnerability

Posted Sep 14, 2010 15:22 UTC (Tue) by drinian (guest, #51119) [Link]

FWIW, in recent versions of Firefox it's possible to enable or disable plugins without a restart, under "Tools -> Add-Ons."

This is good, since my distro, at least, packages the Adobe Reader Firefox plugin in the main Adobe Reader package, and that's a big security hole, memory hog, proprietary blob, etc. as well.

Severe Adobe Flash vulnerability

Posted Sep 15, 2010 12:48 UTC (Wed) by sorpigal (subscriber, #36106) [Link]

Can plugin support still be detected if javascript is disabled? I believe the answer is "No," which would mean that noscript solves the other half of the problem for you.
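
The plugin check these comments are discussing, as an added example that is not part of the original thread: a page script looks up the Flash MIME type in `navigator.mimeTypes`, so a blocker that only hides the content leaves the plugin visible. The navigator stand-ins, profile names and the sample description string are constructed for illustration, and the "scripts blocked" profile simply models the script never running.

```javascript
// Added example (not from the thread): the plugin check a page script can run,
// evaluated against constructed stand-ins for three browser setups.
const FLASH_MIME = "application/x-shockwave-flash";

// Inspect a navigator-like object the way a page script would.
function detectFlash(nav) {
  const mime = nav.mimeTypes ? nav.mimeTypes[FLASH_MIME] : undefined;
  const plugin = mime ? mime.enabledPlugin : null;
  if (!plugin) return { present: false, version: null };
  // The plugin description carries a version, e.g. "Shockwave Flash 10.1 r82"
  // (sample string constructed for this example).
  const m = /(\d+)\.(\d+)\s+r(\d+)/.exec(plugin.description || "");
  return { present: true, version: m ? m.slice(1, 4).map(Number) : null };
}

// Build a constructed navigator stand-in. registered=false models a plugin
// that is disabled or not installed, so its MIME type is not listed.
function fakeNavigator(registered, description) {
  const mimeTypes = {};
  if (registered) {
    mimeTypes[FLASH_MIME] = { enabledPlugin: { name: "Shockwave Flash", description } };
  }
  return { mimeTypes };
}

// What the site learns per profile. scriptsRun=false models a browser in which
// the page's JavaScript never executes, so the check yields no answer at all.
function siteView(profile) {
  if (!profile.scriptsRun) return "no-answer";
  return detectFlash(profile.nav).present ? "flash-advertised" : "no-flash";
}

const SAMPLE = "Shockwave Flash 10.1 r82"; // constructed
const profiles = {
  // Content blocker: the movie is hidden, but the plugin stays registered.
  contentBlocked: { scriptsRun: true, nav: fakeNavigator(true, SAMPLE) },
  // Plugin disabled in the add-ons manager, or a profile without Flash.
  pluginDisabled: { scriptsRun: true, nav: fakeNavigator(false) },
  // Scripts blocked: detectFlash is never called.
  scriptsBlocked: { scriptsRun: false, nav: fakeNavigator(true, SAMPLE) },
};

function summarize() {
  return Object.fromEntries(
    Object.entries(profiles).map(([name, p]) => [name, siteView(p)]));
}

console.log(summarize());
```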

Severe Adobe Flash vulnerability

Posted Sep 14, 2010 14:52 UTC (Tue) by danielpf (subscriber, #4723) [Link]

A few more of these alerts and people will start thinking Steve Jobs may have been right after all.

Severe Adobe Flash vulnerability

Posted Sep 14, 2010 15:16 UTC (Tue) by ewan (subscriber, #5533) [Link]

Did anyone really think he was wrong? His central claim seems to be that Flash is a nasty, buggy, insecure, crash-prone CPU hog. There are many things that one can reasonably disagree with Steve Jobs about, but that really isn't one of them.

Yes, but so is iOS...

Posted Sep 14, 2010 16:27 UTC (Tue) by khim (subscriber, #9252) [Link]

Well, jailbreakers show that iOS is also a buggy, insecure piece of code - yet somehow it's not banned on iPhone...

Yes, but so is iOS...

Posted Sep 14, 2010 19:29 UTC (Tue) by elanthis (guest, #6227) [Link]

Last I checked, the insecurities with the jailbroken iOS were that the jailbreaking software was retarded and just left things like a passwordless root account on the device.

That's like saying that my truck is unsafe after I remove the airbags and seatbelts and replace the brakes with plastic.

Yes, but so is iOS...

Posted Sep 14, 2010 19:38 UTC (Tue) by foom (subscriber, #14868) [Link]

That was not the point. The point is that the very fact that you *can* jailbreak an iPhone means that it has a serious security vulnerability. The fact that every single time Apple fixes one hole, the jailbreakers rather quickly find another one is a rather damning indictment of the overall security of iOS...

And at least two of the vulnerabilities exploited by the jailbreak tools to run code bypassing the signature checks have been *remote root exploits*. The others have required USB access to the device to exploit it, at least...

(BTW: the jailbreaking software doesn't install remote access by default, but if you, the user of a jailbroken phone, want to install a server which allows people to login to your phone, and don't change Apple's default root password, you can...it doesn't try to prevent you)

Yes, but so is iOS...

Posted Sep 14, 2010 20:10 UTC (Tue) by Kamilion (subscriber, #42576) [Link]

*sigh* It comes down to 'If Man can make it, Man can break it'.

If you couldn't jailbreak it via software, someone would find a hardware jailbreak. Look at the PS3; nobody bothered breaking its security for four years. It's not that it couldn't be done, it's that nobody but the game pirates had *a reason* to get further into the system. As soon as Sony 'locked it down' all of a sudden now there's a challenge, and things like PSJailbreak and PSGroove popped up within months. The PSP's security was broken at the Japanese launch which got the hacker's foot in the door.
From that lax beginning, the PSP never had a chance; too many people surfed the internals and knew how the system worked by firmware 2.0's release to prevent additional incursions and custom firmware from appearing.

You cannot stop a hacker with his eye on the target; you can only slow him down. Sometimes you can grind them to a halt.
But the resources necessary for a large company to do so are a high cost compared to a 21 year old in his garage messing with GCC on an $800 laptop.

Where's all the money? DarkAlex & Geohot's pockets? Or Sony's Security team's paychecks? My bet would be on the latter.

Get your fights straight, please...

Posted Sep 15, 2010 8:06 UTC (Wed) by khim (subscriber, #9252) [Link]

> From that lax beginning, the PSP never had a chance; too many people surfed the internals and knew how the system worked by firmware 2.0's release to prevent additional incursions and custom firmware from appearing.

Well, that's certainly true. But there is a different truth too: most PSPs sold in 2009 and all sold in 2010 (PSP 3000 with firmware 5.05+ and PSPGo) cannot be jailbroken. That's a year and a half - not too shoddy. Compare with iPhone 4.

> As soon as Sony 'locked it down' all of a sudden now there's a challenge, and things like PSJailbreak and PSGroove popped up within months.

The timing is somewhat different: first Geohot publishes a pretty useless exploit, then Sony locks down the console, but the real jailbreak comes not from these efforts but from leaked manuals and service software. It's not yet clear when PS3 with firmware 3.42 will be jailbroken again - and it's possible that 3.42 will be what 5.05 was for PSP.

PSP, PS3 and XBox360 have pretty damn tight security (even if all three are jailbroken... to one degree or another) while Wii, iPhone and Android (it's somewhat better than Wii and iPhone but nowhere near the leaders) have pretty lax security. To ban Flash from Apple's Store because it's buggy and a security hazard is hypocrisy.

> Where's all the money? DarkAlex & Geohot's pockets? Or Sony's Security team's paychecks? My bet would be on the latter.

Well, I guess at least some of the money is in the pockets of the guy who "lost" service manuals... or maybe he was just careless?

Yes, but so is iOS...

Posted Sep 15, 2010 0:08 UTC (Wed) by rloomans (guest, #759) [Link]

> (BTW: the jailbreaking software doesn't install remote access by default, but if you, the user of a jailbroken phone, want to install a server which allows people to login to your phone, and don't change Apple's default root password, you can...it doesn't try to prevent you)

My gripe is that the jailbreaking software doesn't at least allow you to change the password during the break. MobileTerminal wasn't working and my iPhone got wormed between the time I installed OpenSSH and ssh'd in to change the password. Took me a while to figure out why it was that I couldn't ssh in *sigh*.

Tip for jailbreakers: turn off your telco network until you change the password.

Yes, but so is iOS...

Posted Sep 14, 2010 19:58 UTC (Tue) by Kamilion (subscriber, #42576) [Link]

Actually, the root password is 'alpine'. So it's technically not passwordless, it's just that everyone knows the iOS stock root password is 'alpine'. Same end result though.

Besides; you'd have to install openssh or dropbear to accept incoming connections with those credentials.

Yes, but so is iOS...

Posted Sep 14, 2010 22:37 UTC (Tue) by jmm82 (guest, #59425) [Link]

I have an Android phone (with Flash) and an iPad (without Flash). After using Flash on Android I realize why Jobs didn't let it on the iPad, and that is because it hardly works at all on an embedded device, well at least not on my droid2 (512 meg ram and 1 ghz arm). Also, most of the good Flash apps have an equivalent iOS app which is often better.

I am not an advocate of Apple's licensing policies or $$ of products, but for the most part iOS is a pretty good operating system. I wish the same could be said about Flash since it is still very prevalent on the web. Linux distros have constantly struggled to make Flash work and sadly it is still a necessity for most desktops. Hopefully, in 5 years HTML5 will make this conversation obsolete.

Severe Adobe Flash vulnerability

Posted Sep 14, 2010 21:41 UTC (Tue) by leoc (subscriber, #39773) [Link]

If Steve Jobs actually believed that, why is Flash still promoted by Apple and shipped with every copy of OS X?

Not just flash..

Posted Sep 14, 2010 16:43 UTC (Tue) by jg (subscriber, #17537) [Link]

But Adobe Reader and Acrobat too, according to the announcement.

Thankfully, I don't use Adobe Reader these days, as evince fills my needs.

But on other platforms, Reader is also heavily used.

Severe Adobe Flash vulnerability

Posted Sep 15, 2010 10:09 UTC (Wed) by arekm (subscriber, #4846) [Link]

Heh, great, another hole in my 64bit Linux flash plugin... and no other (working) alternative available :/

Severe Adobe Flash vulnerability

Posted Sep 15, 2010 14:13 UTC (Wed) by aparsons (subscriber, #59147) [Link]

nspluginwrapper and the 32-bit version work fine together. It's better than running the outdated 64-bit version that has known vulnerabilities.

Severe Adobe Flash vulnerability

Posted Sep 15, 2010 22:33 UTC (Wed) by rqosa (subscriber, #24136) [Link]

> the outdated 64-bit version

Actually, it appears that they put out a new plugin for 64-bit Linux just a short time ago. It doesn't seem to say anything about whether the vulnerability is fixed in this one, though…

What Consequences for Android?

Posted Sep 15, 2010 13:41 UTC (Wed) by kentborg (guest, #70128) [Link]

How bad a risk is this for Android? I have Flash Player 10.1.92.10 installed on my Nexus One and when I look at the required permissions...there are none. It can't access my contacts info, make phone calls, send SMS, nor even access the internet.

Hmmm. How does it work if it can't access the internet? I suspect that the web browser that sees the page with Flash content passes the content to the Flash Player, and while running under a different UID Flash might be cracked, but what can it do in that circumstance?

I guess it can put up UI elements and maybe trick the user into revealing sensitive information, but then what? (Could it then pass that information back out to the internet via the web browser?)

How much does Android's security infrastructure limit the damage from such a bug?

-kb

What Consequences for Android?

Posted Sep 15, 2010 13:59 UTC (Wed) by corbet (editor, #1) [Link]

There have been a number of kernel vulnerabilities reported over the last few months. Are you sure that the kernel on your Android phone has been patched for all of them? I'm not. As a result, I have a hard time seeing why I'd want that player on my phone regardless of how much faith I might have in the higher-level access control mechanisms.

What Consequences for Android?

Posted Sep 15, 2010 14:11 UTC (Wed) by kentborg (guest, #70128) [Link]

> There have been a number of kernel vulnerabilities
> reported over the last few months. Are you sure that
> the kernel on your Android phone has been patched for
> all of them?

Good point. (And reminiscent of an argument I have heard from Brad Spengler.)

But *otherwise* wouldn't the Android design make this far less damaging than the relatively anything-goes case of running Flash on a more conventional installation of Linux?

-kb

Severe Adobe Flash vulnerability

Posted Sep 15, 2010 18:44 UTC (Wed) by Darkmere (subscriber, #53695) [Link]

http://labs.adobe.com/downloads/flashplayer10.html Seems to have updated their 64-bit player for all platforms just today?

Severe Adobe Flash vulnerability

Posted Sep 16, 2010 5:05 UTC (Thu) by dkk (subscriber, #50184) [Link]

I have been running the old 64bit beta 10 (reporting itself as 10.0.45.2) despite it supposedly being vulnerable to several security issues with no replacement available.

Installing the above 64bit version reports itself as:
"You have version 10,2,161,22 installed"

Win... I guess?

Severe Adobe Flash vulnerability

Posted Sep 23, 2010 7:46 UTC (Thu) by NikLi (guest, #66938) [Link]

I don't want to beat a dead horse but it seems that the argument still stands: For 99% of people, internet access (and Web 2.0) means that your computer is going to be pwned sooner or later...

And don't give me that "Adobe devs are working on it". Devs have been working on it for the last 5 years I've been following this section and it surely doesn't seem like from next month there will stop being multiple vulnerabilities to Web 2.0 products.

It seems like "open computer" is the ticket to be able to use the web2.0 goodies. Even "Good Google" still obfuscates and changes the youtube APIs monthly so one is forced to use the full stack. Fun times...

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds