
New Flash zero-day exploit that allows system takeover - ck2
http://blogs.adobe.com/psirt/2011/03/security-advisory-for-adobe-flash-player-adobe-reader-and-acrobat-apsa11-01.html
======
potatolicious
This may be confirmation bias, and admittedly no software is without
vulnerability, but is it just me or do we see these updates for Flash more so
than just about any other internet-facing client?

Is Flash really that bad or is everyone else just bad at reporting zero-day
exploits publicly?

~~~
zdw
Flash really is that bad:

<http://en.wikipedia.org/wiki/Adobe_Flash#Flash_client_security>

Also "Zero Day Exploits" generally mean that the exploit was released to 3rd
parties before it was given to the company whose software was being exploited.

~~~
levigross
I think 0-day means something a little different
<http://en.wikipedia.org/wiki/Zero-day_attack>

~~~
chc
That Wikipedia article appears to give the same definition. What difference
are you trying to call attention to?

~~~
ck2
They are correct (it's zero-day) in that the vulnerability is announced, yet
Adobe says it's going to be a week (the 21st) before they release a fix.

Vulnerability known before the vendor can release a fix is "zero-day".

------
code_duck
Browsing on iOS made me finally realize how unimportant Flash is to me. I've
since disabled it on every computer I use.

~~~
danilocampos
I actually had the reverse chronology. I discovered how using ClickToFlash
gave me significantly better battery life on my MBP, along with faster page
loads and zero mysterious pinwheels. ClickToFlash has a better
price-performance ratio than upgrading to an SSD – and I love my SSD.

So when I got an iPad, I was especially mystified at why anyone should
complain about this garbage being missing.

edit: Useful links.

Go grab ClickToFlash (Safari, OS X):

<http://clicktoflash.com/>

Or the Safari extension for Mac or Windows:

<http://hoyois.github.com/safariextensions/clicktoflash/>

Or the Firefox equivalent:

<https://addons.mozilla.org/en-US/firefox/addon/flashblock/>

~~~
zdw
rentzsch's clicktoflash is actually considerably out of date at this point.

The new, Safari-extensionized version that is mentioned second is much better
and updated frequently. (this link:
<http://hoyois.github.com/safariextensions/clicktoflash/>)

(mathematical stickler: seeing as ClickToFlash is free, its price/performance
ratio is always zero)

~~~
danilocampos
Haw, quite so. Still, even if the SSD were given to you for free, and we
measured cost in installation time, the cost in time to install each one
versus the resulting gains would be tremendously in favor of ClickToFlash, so
awful is Flash.

------
agl
Chrome already updated:
<http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates_15.html>

------
0x0
Someone put up a partial decompile here:
<http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html>

------
FooBarWidget
I thought Chrome sandboxes all plugins. How do Flash vulnerabilities - or any
plugin vulnerability - affect Chrome, in particular on OS X?

~~~
nupark
Chrome cannot sandbox all plugins without some effort. Only recently did they
add support for sandboxing Flash to the stable Chrome release, and even then,
only on Windows:

<http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html>

~~~
FooBarWidget
Where can I get accurate information on how sandboxing works on OS X, what it
exactly does, what its limits are, and which vulnerabilities it does and
doesn't protect against?

------
jarin
FlashBlock: it's not just for keeping your browser from crashing, saving your
RAM, conserving battery life, and/or keeping your computer from locking up!

------
michaelpinto
Adobe reminds me of Apple in the 90s at the low point

~~~
amalcon
They remind me more of Microsoft at Apple's 90s low point. Their software is
everywhere, and it's full of security problems as a side effect of how there
was little consideration for security in the original design.

Microsoft has only recently caught up with its insecure legacy. That suggests
that we have another 15 years before Flash becomes stable software.

------
null_ptr
What's the purpose of being able to inject Flash files into Excel documents
again?

~~~
icegreentea
Like it or not, at many big companies, Word docs and Excel spreadsheets (and
PowerPoints...) get abused in incredible ways. You'll somehow end up
distributing a training document in an Excel spreadsheet, and then some
not-so-tech-savvy manager will come up with the brilliant idea of including VIDEOS
in the training documents... and then it begins.

Simply put, Microsoft and Adobe will cram as much crap into their file formats
(PDFs...) as they think random middle managers in large corporations want (and
sadly actually use...).

I've seen such things done. It hurts to get a word doc that's just full of
embedded jpgs from a scan of a printed out pdf that was originally a
website...

------
sukuriant
Why did the security advisory mention attacks against Adobe Reader when the
announcement was about Flash?

~~~
trotsky
Acrobat/Reader content can easily come with embedded Flash objects; this is a
common way Flash vulnerabilities are exploited.
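
A defensive triage sketch for the point made in the last comment and for the Excel case raised earlier in the thread (an added example, not part of the original thread): it looks for SWF headers inside a container file, both in the raw bytes and inside deflated PDF streams. The function names, the size cap and the version bound are assumptions, the sample bytes are constructed, and LZMA-compressed (ZWS) files and other PDF stream filters are not handled.

```python
import re
import struct
import zlib

SWF_MAGIC = re.compile(rb"[FC]WS")   # FWS = uncompressed, CWS = zlib-compressed body
MAX_INFLATE = 16 * 1024 * 1024       # assumed cap on inflated bytes (decompression bombs)

def check_swf(buf, off):
    """Return a finding if buf[off:] starts with a plausible SWF header, else None."""
    if len(buf) < off + 8:
        return None
    sig, version = buf[off:off + 3], buf[off + 3]
    (declared,) = struct.unpack_from("<I", buf, off + 4)  # length of the inflated file
    if not 1 <= version <= 50 or declared < 8:             # heuristic sanity bounds
        return None
    if sig == b"FWS":
        if declared > len(buf) - off:                      # must fit in the container
            return None
    else:
        try:  # CWS: everything after the 8-byte header is one zlib stream
            body = zlib.decompressobj().decompress(buf[off + 8:], min(declared, MAX_INFLATE))
        except zlib.error:
            return None
        if len(body) + 8 != declared:
            return None
    return {"offset": off, "signature": sig.decode(), "version": version, "length": declared}

def find_embedded_swf(data):
    """Scan raw container bytes, then the contents of any deflated PDF streams."""
    findings = [f for m in SWF_MAGIC.finditer(data) if (f := check_swf(data, m.start()))]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            inflated = zlib.decompressobj().decompress(m.group(1), MAX_INFLATE)
        except zlib.error:
            continue                                       # not a Flate stream
        for hit in SWF_MAGIC.finditer(inflated):
            f = check_swf(inflated, hit.start())
            if f:
                findings.append({**f, "pdf_stream_at": m.start()})
    return findings

# Constructed samples: an SWF header plus 16 zero bytes, not a real movie.
BODY = b"\x00" * 16
FWS = b"FWS\x0a" + struct.pack("<I", 8 + len(BODY)) + BODY
CWS = b"CWS\x0a" + struct.pack("<I", 8 + len(BODY)) + zlib.compress(BODY)
OLE_LIKE = b"\xd0\xcf\x11\xe0" + b"A" * 32 + FWS + b"B" * 8
PDF_LIKE = (b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(FWS) + b"\nendstream\nendobj\n")
```

A hit only says the container carries something shaped like a Flash movie; whether it is malicious still needs analysis of the extracted object.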

