LWN: Comments on "Severe Adobe Flash vulnerability"

Severe Adobe Flash vulnerability

NikLi — Thu, 23 Sep 2010 07:46:26 +0000

I don't want to beat a dead horse but it seems that the argument still stands: For 99% of people, internet access (and Web 2.0) means that your computer is going to be pwned sooner or later...

And don't give me that "Adobe devs are working on it". Devs are working on it for the last 5 years i've been following this section and it surely doesn't seem like from next month there will stop being multiple vulnerabilities to Web 2.0 products.

It seems like "open computer" is the ticket to be able to use the web2.0 goodies. Even "Good Google" still obfuscates and changes the youtube APIs monthly so one is forced to use the full stack. Fun times...

Severe Adobe Flash vulnerability

dkk — Thu, 16 Sep 2010 05:05:18 +0000

I have been running the old 64bit beta 10 (reporting itself as 10.0.45.2) despite it supposedly being vulnerable to several security issues with no replacement available.

Installing the above 64bit version reports itself as:
"You have version 10,2,161,22 installed"

Win... I guess?

Severe Adobe Flash vulnerability

rqosa — Wed, 15 Sep 2010 22:33:14 +0000

> the outdated 64-bit version

Actually, it appears that they put out a new plugin for 64-bit Linux just a short time ago. It doesn't seem to say anything about whether the vulnerability is fixed in this one, though…

Severe Adobe Flash vulnerability

Darkmere — Wed, 15 Sep 2010 18:44:52 +0000

http://labs.adobe.com/downloads/flashplayer10.html Seems to have updated their 64-bit player for all platforms just today?

Severe Adobe Flash vulnerability

aparsons — Wed, 15 Sep 2010 14:13:04 +0000

nspluginwrapper and the 32-bit version work fine together. It's better than running the outdated 64-bit version that has known vulnerabilities.

What Consequences for Android?

kentborg — Wed, 15 Sep 2010 14:11:40 +0000

> There have been a number of kernel vulnerabilities
> reported over the last few months. Are you sure that
> the kernel on your Android phone has been patched for
> all of them?

Good point. (And reminiscent of an argument I have heard from Brad Spengler.)

But *otherwise* wouldn't the Android design make this far less damaging than the relatively anything-goes case of running Flash on a more conventional installation of Linux?

-kb

What Consequences for Anfroid?

corbet — Wed, 15 Sep 2010 13:59:15 +0000

There have been a number of kernel vulnerabilities reported over the last few months. Are you sure that the kernel on your Android phone has been patched for all of them? I'm not. As a result, I have a hard time seeing why I'd want that player on my phone regardless of how much faith I might have in the higher-level access control mechanisms.

What Consequences for Anfroid?

kentborg — Wed, 15 Sep 2010 13:41:38 +0000

How bad a risk is this for Android? I have Flash Player 10.1.92.10 installed on my Nexus One and when I look at the required permissions...there are none. It can't access my contacts info, make phone calls, send SMS, nor even access the internet.

Hmmm. How does it work if it can't access the internet? I suspect that the web browser that sees the page with Flash content passes the content to the Flash Player, and while running under a different UID Flash might be cracked, but what can it do in that circumstance?

I guess it can put up UI elements and maybe trick the user into revealing sensitive information, but then what? (Could it then pass that information back out to the internet via the web browser?)

How much does Android's security infrastructure limit the damage from such a bug?

-kb

Severe Adobe Flash vulnerability

sorpigal — Wed, 15 Sep 2010 12:48:30 +0000

Can plugin support still be detected if javascript is disabled? I believe the answer is "No," which would mean that noscript solves the other half of the problem for you.

Severe Adobe Flash vulnerability

arekm — Wed, 15 Sep 2010 10:09:28 +0000

Heh, great, another hole in my 64bit Linux flash plugin... and no other (working) alternative available :/

Get you fights straight, please...

khim — Wed, 15 Sep 2010 08:06:12 +0000

From that lax beginning, the PSP never had a chance; too many people surfed the internals and knew how the system worked by firmware 2.0's release to prevent additional incursions and custom firmware from appearing.

Well, that's certainly true. But there are different truth too: most PSPs sold in 2009 and all sold in 2010 (PSP 3000 with firmware 5.05+ and PSPGo) can not be jailbroken. That's year and half - not too shoddy. Compare with iPhone 4.

As soon as Sony 'locked it down' all of a sudden now there's a challenge, and things like PSJailbreak and PSGroove popped up within months.

The timing is somewhat different: first Geohot publishes pretty useless exploit, then Sony locks down the console, but the real jailbreak comes not from these efforts but from leaked manuals and service software. It's not yet clear when PS3 with firmware 3.42 will be jailbroken again - and it's possible that 3.42 will be what 5.05 was for PSP.

PSP, PS3 and XBox360 have pretty damn tight security (even if all three are jailbroken... to one degree or another) while Wii, iPhone and Android (it's somewhat better then Wii and iPhone but nowhere near the leaders) have pretty lax security. To ban the Flash from Apple's Store because it's buggy and security hazard is hypocrisy.

Where's all the money? DarkAlex & Geohot's pockets? Or Sony's Security team's paychecks? My bet would be on the latter.

Well, I guess at least some of the money are in the pockets of the guy who "lost" service manuals... or may be he was just careless?

Yes, but so is iOS...

rloomans — Wed, 15 Sep 2010 00:08:45 +0000

(BTW: the jailbreaking software doesn't install remote access by default, but if you, the user of a jailbroken phone, want to install a server which allows people to login to your phone, and don't change Apple's default root password, you can...it doesn't try to prevent you)

My gripe is that the jailbreaking software doesn't at least allow you to change the password during the break. MobileTerminal wasn't working and my iPhone got wormed between the time I installed OpenSSH and ssh'd in to change the password. Took me a while to figure out why it was that I couldn't ssh in *sigh*.

Tip for jailbreakers: turn off your telco network until you change the password.

Yes, but so is iOS...

jmm82 — Tue, 14 Sep 2010 22:37:22 +0000

I have an Android phone(with Flash) and a Ipad(without Flash) After using the flash on Android I realize why Jobs didn't let it on the Ipad and that is because it hardly works at all on an embedded device, well at least not on my droid2(512 meg ram and 1 ghz arm). Also, most the good flash apps have an equivalent IOS app which is often better.

I am not an advocate of Apple's licensing policies or $$ of products, but for the most part IOS is a pretty good operating system. I wish the same could be said about Flash since it is still very prevalent on the web. Linux distros have constantly struggled to make Flash work and sadly it is still a necessity for most desktops. Hopefully, in 5 years html5 will make this conversation obsolete.

Severe Adobe Flash vulnerability

leoc — Tue, 14 Sep 2010 21:41:47 +0000

If Steve Jobs actually believed that, why is Flash still promoted by Apple and shipped with every copy of OS X?

Yes, but so is iOS...

Kamilion — Tue, 14 Sep 2010 20:10:02 +0000

*sigh* It comes down to 'If Man can make it, Man can break it'.

If you couldn't jailbreak it via software, someone would find a hardware jailbreak. Look at the PS3; nobody bothered breaking it's security for four years. It's not that it couldn't be done, it's that nobody but the game pirates had *a reason* to get further into the system. As soon as Sony 'locked it down' all of a sudden now there's a challenge, and things like PSJailbreak and PSGroove popped up within months. The PSP's security was broken at the Japanese launch which got the hacker's foot in the door.
From that lax beginning, the PSP never had a chance; too many people surfed the internals and knew how the system worked by firmware 2.0's release to prevent additional incursions and custom firmware from appearing.

You cannot stop a hacker with his eye on the target; you can only slow him down. Sometimes you can grind them to a halt.
But the resources necessary for a large company to do so are a high cost compared to a 21 year old in his garage messing with GCC on a $800 laptop.

Where's all the money? DarkAlex & Geohot's pockets? Or Sony's Security team's paychecks? My bet would be on the latter.

Yes, but so is iOS...

Kamilion — Tue, 14 Sep 2010 19:58:52 +0000

Actually, the root password is 'alpine'. So it's technically not passwordless, it's just that everyone knows the iOS stock root password is 'alpine'. Same end result though.

Besides; you'd have to install openssh or dropbear to accept incoming connections with those credentials.

Yes, but so is iOS...

foom — Tue, 14 Sep 2010 19:38:49 +0000

That was not the point. The point is that the very fact that you *can* jailbreak an iphone means that it has a serious security vulnerability. The fact that every single time Apple fixes one hole, the jailbreakers rather quickly find another one is a rather damning indictment of the overall security of iOS...

And at least two of the vulnerabilities exploited by the jailbreak tools to run code bypassing the signature checks have been *remote root exploits*. The others have required USB access to the device to exploit it, at least...

(BTW: the jailbreaking software doesn't install remote access by default, but if you, the user of a jailbroken phone, want to install a server which allows people to login to your phone, and don't change Apple's default root password, you can...it doesn't try to prevent you)

Yes, but so is iOS...

elanthis — Tue, 14 Sep 2010 19:29:26 +0000

Last I checked, the insecurities with the jailbroken iOS were that the jailbreaking software was retarded and just left things like a passwordless root account on the device.

That's like saying that my truck is unsafe after i remove the airbags and seatbelts and replace the breaks with plastic.

Not just flash..

jg — Tue, 14 Sep 2010 16:43:59 +0000

But Adobe Reader and Acrobat too, according to the announcement.

Thankfully, I don't use Adobe Reader these days, as evince fills my needs.

But on other platforms, Reader is also heavily used.

Yes, but so is iOS...

khim — Tue, 14 Sep 2010 16:27:01 +0000

Well, jailbreakers show that iOS is also buggy, insecure piece of code - yet somehow it's not banned on iPhone...

Severe Adobe Flash vulnerability

drinian — Tue, 14 Sep 2010 15:22:23 +0000

FWIW, in recent versions of Firefox it's possible to enable or disable plugins without a restart, under "Tools -> Add-Ons."

This is good, since my distro, at least, packages the Adobe Reader Firefox plugin in the main Adobe Reader package, and that's a big security hole, memory hog, proprietary blob, etc. as well.

Severe Adobe Flash vulnerability

ewan — Tue, 14 Sep 2010 15:16:17 +0000

Did anyone really think he was wrong? His central claim seems to be that Flash is a nasty, buggy, insecure, crash-prone CPU hog. There are many things that one can reasonably disagree with Steve Jobs about, but that really isn't one of them.

Severe Adobe Flash vulnerability

danielpf — Tue, 14 Sep 2010 14:52:58 +0000

A few more of these alerts and people will start thinking Steve Jobs may have been right after all.

Severe Adobe Flash vulnerability

ssam — Tue, 14 Sep 2010 14:24:43 +0000

this is why i have 2 firefox profiles, and only use the one with flash installed when needed.

flash block is a half solution. but it still advertises that you have flash installed, so some websites will give you a flash version, not an HTML versions. also web developers look at their stats and see that 99% of users have flash installed, and so keep using it.