If they're offering a temporary fix, shouldn't they at least push that temp fix as an update, and fully update the issue later? This leaves the non-technically inclined out in the cold, and informs those who may not know of the exploit of its existence.
Just something as simple as removing authplay.dll for Acrobat and Reader, and even upgrading the current version of Flash Player to the 10.1 beta, just temporarily… anything other than just announcing it and not patching it at all.
I don't know if this is a standard way of dealing with zero day exploits, but it sure doesn't seem like a good way.
An inadequately-tested update is going to carry some risk of causing its own harm. If this Flash update is indeed not-ready-for-prime-time (heck, they may even know of specific issues) then it becomes irresponsible to push it out to all users. You've essentially traded a known problem for an unknown problem, as well as complicated the process by which the original problem is resolved.
It would be nice to know we're not just beating up on them because it's trendy and perhaps hold them accountable on the same level as other software companies.
It's possible that they were in the right by announcing an issue, rather than ignoring it.
Since it's a 0day, I think it would require ninja coders to test, go to the code and fix it in the same day, for complex and legacy code (I think Adobe software falls into these categories). From my experience watching security related lists, I can say that generally you publish a measure to mitigate the vulnerability and maybe a workaround before publishing a stable fix.
Securing and maintaining software up-to-date in a non-intrusive way is hard to do in a way that works for all (i.e., personal computers and large networks of computers). I think it is also a good business opportunity.
It was a good reminder for me to disable Flash and PDF (and 30 other plugins) in Chrome. I use Chrome for almost all my browsing, but if I need Flash or something else on a specific site, I can open it in IE or Firefox.
Maybe someday Chrome will have a plugin "whitelist" for sites so I can only allow Flash on the sites I want to.
I believe it's Adobe policy to only announce security issues if a fix is available. At least, that's how the policy was a few years back. I assume it's still the same.
It's most vendors' policy, but it usually goes out the window when reports of exploitation surface. If you're hearing about the attacks, it's real, it's bad, and there's no point to choreography anymore.
So, 10.0.45.2 is vulnerable. Oh look, that's the only available version of the 64-bit Linux plugin, because they don't do 64-bit builds along with their 32-bit builds:
Perfect headline. It straddles the ambiguity between the two possible meanings: the sarcastic one, about IT personnel scrambling to put fixes in place over their 'nice' weekend, and the non-sarcastic one, addressed to hackers who could have some fun with this.
In any case, Adobe, the timing has exactly the level of thoughtfulness we have come to expect from the Flash team. The only way you could have done more damage would be to have done it last week when the US had a long weekend, or some other even longer holiday.
I've seen Adobe do quite a few security announcements over the years but I've never actually seen any of the exploits in action or explained. I'm really curious how serious these exploits really are and if they are actually practical (or more theoretical). Any references greatly appreciated.
They're practical. The biggest one I can remember was attacking WoW players by posting links to forums to sites with Flash banner ads that utilized an exploit to install a key logger and some other nasty stuff. The classic fake Flash update tactic is wildly successful also which of course isn't a Flash problem but just a side effect of users expecting to install/update browser plugins and becoming oblivious to the risks.
Visit any web page anywhere that has content controlled by an attacker, have a backdoor transparently installed on your system. Is there more you want to know?
Yesterday I removed flash from my Mac Internet Plugins folder.
I can't say I'm missing it. Nearly all websites work, and a lot of ads are gone. Strangely, html5/h.264 is often the fallback for Flash; I really wish they did that the other way around.
That made me curious so I removed Flash from /Library/Internet\ Plug-Ins/ and rebooted. I'm unable to play video on either Vimeo or YouTube so I'll be sticking with Click to Flash for the moment.
Thanks for the links — I'd just expected the sites to fallback. For anyone else who's tempted to try this out, unless I missed it there is also no 'Switch to HTML5 player' link for channels on Vimeo.
Adobe has desensitized me to updating their software, since every time I open Acrobat it asks me to download a new version. It's like the boy who cried wolf, but since this sounds serious maybe I'll get over this mental hurdle.
Actually, every time you open Acrobat it's had a new security issue. At least, it's that way for me (though Windows is not my primary OS, so I don't open Acrobat that often).
Even if Windows is your primary OS, there's no reason for the typical user to have to run Adobe Reader on a regular basis. Just use a nice lightweight viewer like PDF-XChange, Sumatra, or Foxit instead.
Windows is my primary OS, and I don't even have Adobe Reader installed.
I've found Sumatra to render extremely slowly when zoomed in past 100%, particularly on PDFs with high-res images and/or vector images. Are the other non-Adobe readers better at this?
Are you sure about the uninstallation part? I was able to install 10.1 without uninstalling anything. Took about 10 seconds. And http://www.adobe.com/software/flash/about/ tells me "You have version 10,1,53,64 installed".
10.1 has had 7 release candidate releases so far. Been running them for a while and they don't seem anymore crashy than 10.0 and the GPU acceleration is nice.
Also it would be a great time to upgrade Firefox to the 3.6.4 release candidate for those using Firefox. Plugin process separation... yummo.
Honestly it seems much more like a statement of the facts so you can make a choice. I'd rather also know the RC is unaffected than ONLY know that the current version is vulnerable. Obviously an RC release is not a long term fix, but this is a breaking bug.
I used foxitreader as well, until they had that feature that they would execute whatever command on your computer and you couldn't disable it... (and you could do this, or at least add a warning in adobe's reader)
Chromium + Flash + Linux vulnerable as well?
How does one
a) even know what version of flash is embedded in Chromium
b) other than constantly killing the flash process how does one disable flash in Chromium
Generally, to determine the Flash version, you're forced to the macromedia website to view a version test .swf.
After finding out about this 'sploit, I looked in vain for the authplay.dll. It turns out I had a newer build that wasn't listed as vulnerable (and I couldn't find the file itself; where does it usually reside?).
Sorry for my ignorance, but is there still no way to watch YouTube and other videos without Flash? I thought some browsers would ship with suitable codecs and be able to play them directly?
Great, now we need to use the Release Candidate to be safe? Probably we get other features (aka remote exploits) using the RC and not a stable version. BTW, has Adobe really released a stable version of Flash? Someday?
And read the fine print regarding 10.1 RC: "The Flash Player 10.1 Release Candidate available at ... does not APPEAR to be vulnerable." Very different than "Here's a fix."
I wish your comment was a fact. But Apple is a business and they have business interests when it comes to these outsider platforms.
My understanding is that Apple doesn't allow Java, Silverlight, Qt or any of those, because these platforms could gradually in-signify the need for a walled garden of apps. App Store is a real cash cow with a lot of potential and Apple clearly doesn't want to purge it off (and that is a good business move.)
IMHO, the same even applies to html5. Apple runs huge campaigns and invests in Safari development to make sure that webkit could gradually insignify the need for a plugin to run interactive content. But try running most of these html5 apps on an iphone/ipad. The rendering framerate is very low and is almost not usable. While native apps run real good, the discrimination against webkit could be that Apple is purposefully delaying the iDevice users' dependency on web apps.
I believe Apple's all-control policy is more of a business move than a security related one.
>App Store is a real cash cow with a lot of potential and Apple clearly doesnt want to purge it off
What evidence do you have to back up your claim? If it were true that Apple is making a profit from the App Store, then wouldn't there exist an opportunity for Android Marketplace to undercut Apple's App Store?
When it comes to smartphones, Google cares only about marketshare. More Android apps guarantees more Google searches, and therefore more opportunities to serve advertising. One factor preventing Google from attaining more marketshare is the huge range of quality apps that exists for the iPhone. If it were true that a 30% cut of app revenue enabled Google to make a significant profit, wouldn't they reduce their cut in an effort to try and attract more developers?
>The rendering framerate is very low and is almost not usable.
This problem will disappear in a couple of years as mobile processors become faster and JS engines improve.
I understand the business move, but I never understood the "cash cow" reasoning. Most apps appear to be in the $2.99 to $.99 range. The 60 cents Apple gains from a $1.99 app barely covers credit card fees (for multiple currencies), bandwidth fees, bank fees to send money to developer, and paying salaries for all those app reviewers.
Occam's Razor suggests that they want to build "only the best apps" so the way to do that is to "completely control the build toolchain". Has nothing to do with "cash cow" conspiracy theories.
> The 60 cents Apple gains from a $1.99 app barely covers credit card fees (for multiple currencies), bandwidth fees, bank fees to send money to developer, and paying salaries for all those app reviewers.
I'm not quite sure what the relevancy of this is, unless you're actually such a rabid Apple hater that you automatically see any mention of Adobe flaws as an argument for Apple or somesuch.
Lots of software has security problems. It's pretty rare that any of them show up on the front page of HN. They just tend to blend into background noise as "not interesting" unless it's particularly interesting to the community for some reason. Given that one of Jobs' major points for not allowing Flash on iDevices was the security of the platform, the only conclusion one can draw for having a security notice show up on the front page is that there are a lot of Adobe haters out there.
Within one sentence (and with absolutely no commentary or statements from me in any way) you successfully made the connection between Adobe and Apple. This connection is obvious and I shouldn't really have to explain it -- in other words, it's painfully obvious why a security bulletin for Flash has shown up on the front page of HN and why I've never seen one for an Apple product despite fairly wide ranging security concerns in the community about Apple products.
"Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash."
Before Jobs explicitly banned Flash from the platform, the only thing I ever remember seeing on HN regarding flash was that it performed a bit poorly under Apple's operating systems because Apple wouldn't provide the necessary APIs that would allow Adobe to make it as performant as it is under Windows (and the occasional comment regarding the Linux port that like most software ported to Linux, it was a few generations behind the times). But these complaints are pretty much the same for lots of cross platform software and generally blended into the background noise, even canvas runs poorly on most systems! One thing I don't ever recall hearing about on HN was any commentary about Flash as insecure. That all changed with "Thoughts on Flash".
Before Thoughts on Flash, I bet there was never an Adobe Flash related security posting on the front page of HN. Yet Flash has had its share of security issues, the same as anything. Which is what my link was meant to demonstrate.
In other words, it's essentially a non-issue.
My point in posting one of a million links regarding Apple security problems is that Apple is also not free from issues with its platform. Yet these never make it to the front page of HN. More importantly, Apple is rather poor at self-reporting security problems, yet here we are bashing Adobe for doing the responsible thing and reporting the problem themselves.
It's actually an interesting example of social dynamics, demonstrating how people will follow the direction of a chosen leader and orient their opinions regarding their own safety to be in line with what that leader says rather than an objective review of the actual situation. People often follow leaders as a proxy for doing their own thinking. I've just demonstrated why this is dangerous. Jobs doesn't want to bring attention to the security issues of his own platforms and has tried, successfully, to direct natural concerns for that to somebody else. It's a masterful piece of political manipulation. Most politicians would sell a limb to have this kind of mind share.
My link provided no commentary, no judgment, no counter-statements, no Apple bashing or Apple praise, in fact no statements of any kind.
Yet the fact that that link is providing uncomfortable information contrary to that provided by Jobs has caused it to be annihilated by downvotes (meta-comment: pg has obviously changed something in the karma scoring because it only shows -4, but my account is down -9 since yesterday and that's the only change I can find, either the karma math is screwy, or he's experimenting with some social engineering of his own and counting all downvotes but only showing -4 no matter what. I find this interesting since, if that were true, people have continued to downvote a link to unwanted counter information even though it already stands at -4).
I actually cannot find a statement from Jobs regarding platform security other than "Thoughts on Flash". Even in response to things like this http://www.theinquirer.net/inquirer/news/1495591/security-ex.... Considering that Jobs is among the more chatty CEOs of a major corporation, this omission is rather perplexing. This leads to the obvious conclusion that Jobs has taken the opportunity to call out Flash security as a red herring, to turn our attention away from the problems on his own platform. And, as is demonstrated here by bashing on Adobe for flash security, bashing on people who point out apple security, people have bought his play -- hook, line and sinker.
I provoked the response I expected to get based on the history of how the dynamics of the situation have occurred. A swarm of downvotes for a link regarding Apple security problems flies directly in the face of what Jobs has said. It's a shame he had to put "Thoughts on Flash" out there. I found his comments on Flash at D8 far more coherent and sensible and without the obvious manipulative language he used in "Thoughts". What I find a shame is how easily and gullibly people who follow Jobs have been taken in regarding the entire issue -- people who are otherwise very smart and very bright.
edit: I'm actually down -10 on my karma now. I guess pg does count all downvotes even if -4 is all that's displayed.
"Yet the fact that that link is providing uncomfortable information contrary to that provided by Jobs has caused it to be annihilated by downvotes"
No, I think it was mostly the irrelevancy that got you downvoted.
"you successfully made the connection between Adobe and Apple."
Umm, what you posted was a link to something about Apple, so yeah, I think I could be justified in believing that was the connection you were trying to make.
"I bet there was never an Adobe Flash related security posting on the front page of HN."
"the only conclusion one can draw for having a security notice show up on the front page is that there are a lot of Adobe haters out there."
The only conclusion? Really? Some people might be interested because it is an unfixed vulnerability actively being exploited in software that's on 95% of PCs. Just a thought.
"Apple wouldn't provide the necessary APIs"
You're certainly not approaching this from a standpoint of hating Apple, if that's the interpretation you put on the abysmal performance of Flash on OS X for many many years. I should note that Silverlight has always had stellar performance relative to Flash on any Mac I've used them on.
I was going to post a protracted point for point response, but decided I wasn't in the mood for yet another lengthy internet battle with an obvious zealot which will probably end up in a Godwin law violation or a comparison of digital phalli or some such.
You've made some good points, some bad, I disagree with most, agree with others (and learned a few things from your response, thanks for the corrections). You've successfully demonstrated using a search engine for finding archived posts without demonstrating that those posts reached the front page. Well done.
It's obvious that Adobe is a sorry pitiful place that produces slipshod software that blights the Internet and our computers with its presence -- from the 150 slider widgets in Photoshop to Flash. This has been true for a decade or more. You'll get no argument from me.
However, Apple also has a lot to answer for. Just because its principal computing platform isn't terribly popular, so it's less likely to be a target, doesn't make it more secure ("we're secure because nobody uses us!" is not a terribly good selling point). The sec community has long standing grievances with the slow pace of security patches Apple puts out. Jobs has likewise generally remained silent on this matter.
You may continue feeling slighted by even the slightest of finger-pointing at Apple even if it's not intended as Apple bashing. A strong and vibrant Apple, as a viable competitor, is good for several industries. Hanging off of every word Steve Jobs says as perfect and without flaw is not.
"...lengthy internet battle with an obvious zealot which will probably end up in a Godwin law violation or a comparison of digital phalli or some such."
There should probably be some law about those who attempt to preemptively invoke Godwin's law.
"You've successfully demonstrated using a search engine for finding archived posts without demonstrating that those posts reached the front page."
Up until fairly recently in the history of HN, at least, pretty much any post with point count > 10 has been on the front page. Looking at the front page currently there's a couple at 3 or 6. I think most of the examples I linked were 20+ which means they were almost certainly on the front page for a while.
"Apple also has a lot to answer for."
You're the one who keeps trying to make this be about Apple. It's not, it's about a Flash exploit. Trying to force the relationship says far more about you than anything else.
"You may continue feeling slighted by even the slightest of finger-pointing at Apple even if it's not intended as Apple bashing."
I'm not slighted, I'm just pointing out that you're not really communicating in a relevant manner to the thread.
"Hanging off of every word Steve Jobs says as perfect and without flaw is not."
I agree with some things Apple does and not others. (No Flash on iPad/iPhone: agree, Adobe has yet to demonstrate the capability for Flash to run in a good manner on mobile devices, and if either of those were waiting for that neither would have been released yet. 3.3.1: sticks in my craw, even though I have a sneaking suspicion it may be best for the platform, certainly not best for developers. App Store as only distribution channel: again, good for the platform and end users, not for developers; sideloading should be allowed.) Certainly the HN community as a whole, I'd say, has a few more vocal critics of Apple of late than vocal supporters.