
“Adobe is aware of a report that CVE-2016-1010 is being actively exploited” - zorpner
https://blogs.adobe.com/psirt/?p=1327
======
jtokoph
I'm a bit confused about the title of this post. The actual title of the blog
post is "Security Updates Available for Adobe Flash Player (APSB16-08)". The
current HN link text is “Adobe is aware of a report that CVE-2016-1010 is
being actively exploited”.

I can't help but think that the HN post has that title to give the impression
that Adobe knows about an issue and isn't fixing it. But isn't this blog post
an announcement about patches that have been deployed for people to install and
Adobe included that line to emphasize the importance of the patch?

~~~
dvfjsdhgfv
I think the intention here is to make people realize they should have disabled
Flash a long time ago and use it only for a limited number of critical
whitelisted websites (like banking sites built on Air). If you do otherwise,
you're increasing the risk of being a victim of a malicious attack.

~~~
enzanki_ars
Out of curiosity, what bank do you know of that uses Air? That seems like a
bank that someone should never use if they value security.

~~~
dvfjsdhgfv
[https://www.adobe.com/showcase/casestudies/raiffeisen/casest...](https://www.adobe.com/showcase/casestudies/raiffeisen/casestudy.pdf)

Marketed by Adobe as a "success story" - the customers are a bit less happy.

------
abhv
Adobe's attitude towards security is mediocre, possibly irresponsible. They
know that Flash is being phased out, so they invest no effort. For 2014--15,
they relied on Google Project Zero to find and sometimes even fix their
security flaws.

~~~
melling
"Thoughts on Flash" is almost 6 years old.

[http://www.apple.com/hotnews/thoughts-on-flash/](http://www.apple.com/hotnews/thoughts-on-flash/)

Adobe is a business. They need to move on too. When companies like Microsoft
or Adobe, for example, let users hang on for too long to legacy software, it
hurts everyone.

~~~
icebraining
Nobody is asking them to build new features, just fix security issues. And
Flash is still a platform supported by their design tools like Animate.

~~~
Ajedi32
Adobe Animate isn't a new tool, fyi. It used to be called "Adobe Flash
Professional". They renamed it in order to distance it from Flash.

------
simonmales
Completely disabled Flash in my main browser (Firefox) a couple months ago.
The occasional video player doesn't have an HTML5 fallback, but otherwise it's
all good.

~~~
esnard
Note to Chrome users: Chrome comes with a bundled version of Flash, so it's
not because you didn't install it that Flash isn't installed.

------
suneilp
Is there a site which lists details of these CVE security issues? The closest
thing I could find via google is cve.mitre.org but CVE-2016-1010 is "reserved"
for future usage.

~~~
fulafel
In this case Adobe is mentioning only the "registration number" of the
vulnerability to avoid revealing publicly what the actual vulnerability is.
Don't you feel safer already?

------
paulddraper
You mean open a PDF with _Abobe_ software?

------
orbitingpluto
I am failing to download the signed key in Debian Linux when running
update-flashplugin-nonfree from the flashplugin-nonfree package. (Key not
maintained by Adobe...)

Meanwhile I just noticed that my Windows Firefox plugins for Reader DC are not
2015.010.20060 but .20056. I leave these completely disabled at all times
anyway.

And nothing annoys me more than having to download the self-deleting
autodownloader in Windows.

What a total waste of time for something I rarely use these days...

------
jorgecurio
Adobe exploits are still a thing. I regularly get emails from silicon valley
investors asking for me to open their pdf file which contains their
proposal...I chuckle every time at that line, THERE'S SIMPLY NO WAY I'M GOING TO
OPEN A PDF or visit a site with Flash turned on in 2016.

~~~
zanny
Is the PDF format itself broken, or just the awful Adobe Reader? There are
dozens of PDF reader implementations, including all the major browsers. I
cannot imagine they are all exploitable in the same way.

~~~
ajross
Early PDF was quite sane. It was the Postscript imaging model turned into a
binary bytecode format with almost all the programmability features removed.

Later on it got wonky (though never even close to the extent to which Flash
did!) with all the hypertextification features. But basic PDF is actually one
of the Great File Formats in computer history.

~~~
icebraining
The sane version is the one defined as the PDF/A ISO standard. Stuff like
pulling remote resources, embedding executable code, etc. are all forbidden.

[https://en.wikipedia.org/wiki/PDF/A](https://en.wikipedia.org/wiki/PDF/A)
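As an added illustration (my own code, not from anyone in this thread): a byte-level audit that flags the constructs PDF/A rules out, so a reader can see which dictionary keys make a document "non-archival". The key names come from the PDF specification; the grouping and the sample documents are constructed here, and the check is a heuristic over raw bytes, so it cannot see inside compressed object streams or name-escaped keys.

```python
import re

# Constructs excluded by the PDF/A archival profile (ISO 19005). The key names
# are PDF spec names; the one-line reasons are this example's own summary.
PDFA_FORBIDDEN = {
    rb"/JavaScript\b": "JavaScript action (executable code)",
    rb"/JS\b": "JavaScript code stream",
    rb"/Launch\b": "Launch action (runs an external application)",
    rb"/EmbeddedFile\b": "embedded file stream (forbidden in PDF/A-1 and -2)",
    rb"/Encrypt\b": "encryption dictionary (PDF/A requires unencrypted files)",
    rb"/FS\s*/URL\b": "URL file specification (external resource reference)",
}

def audit_pdf_bytes(data: bytes) -> list[str]:
    """Return the PDF/A-incompatible constructs found in the raw bytes.

    Heuristic only: keys hidden in FlateDecode object streams or written with
    #xx name escapes (e.g. /J#53) are not seen by a plain byte search.
    """
    return [reason for pattern, reason in PDFA_FORBIDDEN.items()
            if re.search(pattern, data)]

def is_pdfa_candidate(data: bytes) -> bool:
    """True when the file has a PDF header and none of the flagged constructs."""
    return data.startswith(b"%PDF-") and not audit_pdf_bytes(data)

# Constructed samples (not real files): a minimal static one-page document,
# and the same document with an OpenAction that runs JavaScript on open.
PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SCRIPTED_PDF = PLAIN_PDF.replace(
    b"/Pages 2 0 R >>",
    b"/Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>",
)

if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_PDF), ("scripted", SCRIPTED_PDF)):
        print(name, audit_pdf_bytes(doc) or "no PDF/A-incompatible constructs")
```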

~~~
ajross
I didn't realize that this standard existed. Thanks for the link, that's very
helpful to know. I've always viewed "modern PDF" as an ad hoc thing defined by
the intersection of whatever was supported by the popular free renderers.

