
New Adobe Flash 0day, have a nice weekend

149 points | datd00d | 16 years ago | adobe.com

70 comments

[+] ihodes|16 years ago|reply
Shouldn't a fix come out with that announcement?

If they're offering a temporary fix, shouldn't they at least push that temp fix as an update, and fully update the issue later? This leaves the non-technically inclined out in the cold, and informs those who may not know of the exploit of its existence.

Just something as simple as removing authplay.dll for Acrobat and Reader, and even upgrading the current version of Flash Player to the 10.1 beta, just temporarily… anything other than just announcing it and not patching it at all.

I don't know if this is a standard way of dealing with zero day exploits, but it sure doesn't seem like a good way.

[+] dminor|16 years ago|reply
Since it's already in the wild, better to let people know so they can use the workaround.
[+] yock|16 years ago|reply
An inadequately-tested update is going to carry some risk of causing its own harm. If this Flash update is indeed not-ready-for-prime-time (heck, they may even know of specific issues) then it becomes irresponsible to push it out to all users. You've essentially traded a known problem for an unknown problem, as well as complicated the process by which the original problem is resolved.
[+] tomlin|16 years ago|reply
It would be nice to know we're not just beating up on them because it's trendy and perhaps hold them accountable on the same level as other software companies.

It's possible that they were in the right by announcing an issue, rather than ignoring it.

[+] zppx|16 years ago|reply
Since it's a 0day I think it would require ninja coders to test, go to the code and fix it in the same day, for complex and legacy code (I think Adobe software falls into these categories). From my experience watching security-related lists I can say that generally you publish a measure to mitigate the vulnerability and maybe a workaround before publishing a stable fix.

Securing and maintaining software up-to-date in a non-intrusive way is hard in a way that works for all (i.e., personal computers and large networks of computers), I think it is also a good business opportunity.

[+] ja27|16 years ago|reply
It was a good reminder for me to disable Flash and PDF (and 30 other plugins) in Chrome. I use Chrome for almost all my browsing, but if I need Flash or something else on a specific site, I can open it in IE or Firefox.

Maybe someday Chrome will have a plugin "whitelist" for sites so I can only allow Flash on the sites I want to.

[+] pan69|16 years ago|reply
I believe it's Adobe policy to only announce security issues if a fix is available. At least, that's how the policy was a few years back. I assume it's still the same.
[+] natch|16 years ago|reply
Perfect headline. It straddles the ambiguity between the two possible meanings: the sarcastic one, about IT personnel scrambling to put fixes in place over their 'nice' weekend, and the non-sarcastic one, addressed to hackers who could have some fun with this.

In any case, Adobe, the timing has exactly the level of thoughtfulness we have come to expect from the Flash team. The only way you could have done more damage would be to have done it last week when the US had a long weekend, or some other even longer holiday.

[+] tptacek|16 years ago|reply
It is unlikely that anybody at Adobe controlled the timing of this release.
[+] pan69|16 years ago|reply
I've seen Adobe do quite a few security announcements over the years but I've never actually seen any of the exploits in action or explained. I'm really curious how serious these exploits really are and if they are actually practical (or more theoretical). Any references greatly appreciated.
[+] jsz0|16 years ago|reply
They're practical. The biggest one I can remember was attacking WoW players by posting links to forums to sites with Flash banner ads that utilized an exploit to install a key logger and some other nasty stuff. The classic fake Flash update tactic is wildly successful also which of course isn't a Flash problem but just a side effect of users expecting to install/update browser plugins and becoming oblivious to the risks.
[+] tptacek|16 years ago|reply
Visit any web page anywhere that has content controlled by an attacker, have a backdoor transparently installed on your system. Is there more you want to know?
[+] JoachimSchipper|16 years ago|reply
Did anybody else read "The Flash Player 10.1 Release Candidate (...) does not appear to be vulnerable" as "we ran the exploit and it didn't work"?
[+] jmount|16 years ago|reply
More as "we thought the last one didn't have this flaw- but we are tired of being wrong."
[+] gmlk|16 years ago|reply
Yesterday I removed flash from my Mac Internet Plugins folder.

I can't say I'm missing it. Nearly all websites work, and a lot of ads are gone. Strangely, html5/h.264 is often the fallback for flash; I really wish they did that the other way around.

[+] andrewtj|16 years ago|reply
That made me curious so I removed Flash from /Library/Internet\ Plug-Ins/ and rebooted. I'm unable to play video on either Vimeo or YouTube so I'll be sticking with Click to Flash for the moment.
[+] rmorrison|16 years ago|reply
Adobe has desensitized me to updating their software, since every time I open Acrobat it asks me to download a new version. It's like the boy who cried wolf, but since this sounds serious maybe I'll get over this mental hurdle.
[+] JoachimSchipper|16 years ago|reply
Actually, every time you open Acrobat it's had a new security issue. At least, it's that way for me (though Windows is not my primary OS, so I don't open Acrobat that often).
[+] jared314|16 years ago|reply
The Linux 64-bit version needs some love. It has not been updated since Feb.
[+] datd00d|16 years ago|reply
The fix is to install 10.1 RC, and delete/rename/ACL authplay.dll.

I won't comment on the whole "use our RC release" as a mitigation path in production envs....

[+] blocke|16 years ago|reply
10.1 has had 7 release candidate releases so far. Been running them for a while and they don't seem any more crashy than 10.0 and the GPU acceleration is nice.

Also it would be a great time to upgrade Firefox to the 3.6.4 release candidate for those using Firefox. Plugin process separation... yummo.

http://blog.mozilla.com/blog/2010/06/01/firefox-3-6-4-releas...

[+] sliverstorm|16 years ago|reply
Honestly it seems much more like a statement of the facts so you can make a choice. I'd rather also know the RC is unaffected than ONLY know that the current version is vulnerable. Obviously an RC release is not a long term fix, but this is a breaking bug.
[+] gojomo|16 years ago|reply
They suggest addressing the Flash vulnerability by installing the prerelease 10.1 version, which "does not appear to be vulnerable".

But the first step of installing 10.1 (on Windows and MacOS) is to run an uninstaller, also available on the download page:

http://labs.adobe.com/downloads/flashplayer10.html

Perhaps the prudent should stop after that uninstall step, for safety from other future exploits, as well.

[+] Tichy|16 years ago|reply
Also, I couldn't find any other way to uninstall Flash on OS X to begin with.
[+] endtime|16 years ago|reply
Are you sure about the uninstallation part? I was able to install 10.1 without uninstalling anything. Took about 10 seconds. And http://www.adobe.com/software/flash/about/ tells me "You have version 10,1,53,64 installed".
[+] seanlinmt|16 years ago|reply
I don't use Adobe Reader anymore. Foxit Reader, http://www.foxitsoftware.com/pdf/reader/, is way smaller and faster. And it's not by Adobe. :)
[+] kwyjibo|16 years ago|reply
I used foxitreader as well, until they had that feature that they would execute whatever command on your computer and you couldn't disable it... (and you could do this, or at least add a warning in adobe's reader)
[+] boskone|16 years ago|reply
Chromium + Flash + Linux vulnerable as well? How does one a) even know what version of flash is embedded in Chromium b) other than constantly killing the flash process how does one disable flash in Chromium

Chromium v6.0.417.0

[+] PidGin128|16 years ago|reply
Generally, to determine flash version, you're forced to the macromedia website to view a version test .swf.

After finding out about this 'sploit, I looked in vain for the authplay.dll. It turns out I had a newer build that wasn't listed as vulnerable (and I couldn't find the file itself, where does it usually reside?).

[+] Bakes|16 years ago|reply
The bug is between Acrobat Reader and Flash, not Flash and any browser. It's not a problem for you to worry about.
[+] Tichy|16 years ago|reply
Sorry for my ignorance, but is there still no way to watch YouTube and other videos without Flash? I thought some browsers would ship with suitable codecs and be able to play them directly?
[+] adamdecaf|16 years ago|reply
I will have a nice weekend, for I don't even have flash on this laptop (Linux). :)

</sarcasm>

[+] againstyou|16 years ago|reply
Great, now we need to use the Release Candidate to be safe? Probably we get other features (aka remote exploits) using RC and not a stable version. Btw, has Adobe really released a stable version of Flash? Someday?
[+] gojomo|16 years ago|reply
Adobe Reader and Acrobat on MacOSX also include a file named authplay.dll?

(Any chance Apple's 'Preview' PDF-reading capabilities are similarly vulnerable?)

[+] bradleyland|16 years ago|reply
Apple's Preview app uses its own PDF interpreter, so it is unaffected.
[+] DrewHintz|16 years ago|reply
Apple's 'Preview' PDF viewer has lots of security vulnerabilities. Simple fuzzing will quickly find plenty of 0day.
[+] stalker|16 years ago|reply
I think they must put an alert on the download page.
[+] ck2|16 years ago|reply
Well that's ONE way to get everyone onto 10.1
[+] bobbyi|16 years ago|reply
Another reason to be running 10.1