New Adobe Flash 0day, have a nice weekend - datd00d
http://www.adobe.com/support/security/advisories/apsa10-01.html

======
ihodes
Shouldn't a fix come out _with_ that announcement?

If they're offering a temporary fix, shouldn't they at least push that temp
fix as an update, and fully update the issue later? This leaves the non-
technically inclined out in the cold, and informs those who may not know of
the exploit of its existence.

Just something as simple as removing authplay.dll for Acrobat and Reader, and
even upgrading the current version of Flash Player to the 10.1 beta, just
temporarily… anything other than just announcing it and not patching it at
_all_.

I don't know if this is a standard way of dealing with zero day exploits, but
it sure doesn't seem like a good way.

~~~
ja27
It was a good reminder for me to disable Flash and PDF (and 30 other plugins)
in Chrome. I use Chrome for almost all my browsing, but if I need Flash or
something else on a specific site, I can open it in IE or Firefox.

Maybe someday Chrome will have a plugin "whitelist" for sites so I can only
allow Flash on the sites I want to.

~~~
CrazedGeek
Flashblock?
[https://chrome.google.com/extensions/detail/gofhjkjmkpinhpoi...](https://chrome.google.com/extensions/detail/gofhjkjmkpinhpoiabjplobcaignabnl?hl=en)

------
logic
So, 10.0.45.2 is vulnerable. Oh look, that's the only available version of the
64-bit Linux plugin, because they don't do 64-bit builds along with their
32-bit builds:

<http://labs.adobe.com/technologies/flashplayer10/64bit.html>

------
natch
Perfect headline. It straddles the ambiguity between the two possible
meanings: the sarcastic one, about IT personnel scrambling to put fixes in
place over their 'nice' weekend, and the non-sarcastic one, addressed to
hackers who could have some fun with this.

In any case, Adobe, the timing has exactly the level of thoughtfulness we have
come to expect from the Flash team. The only way you could have done more
damage would be to have done it last week when the US had a long weekend, or
some other even longer holiday.

~~~
tptacek
It is unlikely that anybody at Adobe controlled the timing of this release.

~~~
natch
Sucks for them. They should get their code base under control. Or their web
site, if that's what you meant.

------
pan69
I've seen Adobe do quite a few security announcements over the years but I've
never actually seen any of the exploits in action or explained. I'm really
curious how serious these exploits really are and if they are actually
practical (or more theoretical). Any references greatly appreciated.

~~~
mukyu
[http://chargen.matasano.com/chargen/2007/7/3/this-new-vulner...](http://chargen.matasano.com/chargen/2007/7/3/this-new-vulnerability-dowds-inhuman-flash-exploit.html)

------
JoachimSchipper
Did anybody else read "The Flash Player 10.1 Release Candidate (...) does not
appear to be vulnerable" as "we ran the exploit and it didn't work"?

~~~
jmount
More as "we thought the last one didn't have this flaw, but we are tired of
being wrong."

------
gmlk
Yesterday I removed flash from my Mac Internet Plugins folder.

I can't say I'm missing it. Nearly all websites work, a lot of ads are gone.
Strangely, html5/h.264 is often the fallback for Flash; I really would wish
they did that the other way around.

~~~
andrewtj
That made me curious so I removed Flash from /Library/Internet\ Plug-Ins/ and
rebooted. I'm unable to play video on either Vimeo or YouTube so I'll be
sticking with Click to Flash for the moment.

~~~
tuacker
Youtube: <http://www.youtube.com/html5>

Vimeo: Right below the description, see: <http://imgur.com/yuf4R>

Obviously not an automatic fallback but I guess that's because it is still in
'beta'.

Youtube videos with ads won't work, or embedded ones (I think the same goes
for embedded Vimeo vids).

~~~
andrewtj
Thanks for the links — I'd just expected the sites to fall back. For anyone
else who's tempted to try this out, unless I missed it there is also no
'Switch to HTML5 player' link for channels on Vimeo.

------
rmorrison
Adobe has desensitized me to updating their software, since every time I open
Acrobat it asks me to download a new version. It's like the boy who cried
wolf, but since this sounds serious maybe I'll get over this mental hurdle.

~~~
JoachimSchipper
Actually, every time you open Acrobat it's had a new security issue. At least,
it's that way for me (though Windows is not my primary OS, so I don't open
Acrobat that often).

~~~
Niten
Even if Windows _is_ your primary OS, there's no reason for the typical user
to have to run Adobe Reader on a regular basis. Just use a nice lightweight
viewer like PDF-XChange, Sumatra, or Foxit instead.

Windows is my primary OS, and I don't even have Adobe Reader installed.

~~~
nitrogen
I've found Sumatra to render _extremely_ slowly when zoomed in past 100%,
particularly on PDFs with high-res images and/or vector images. Are the other
non-Adobe readers better at this?

------
jared314
The Linux 64-bit version needs some love. It has not been updated since Feb.

------
datd00d
The fix is to install 10.1 RC, and delete/rename/ACL authplay.dll.

I won't comment on the whole "use our RC release" as a mitigation path in
production envs....

~~~
blocke
10.1 has had 7 release candidate releases so far. Been running them for a
while and they don't seem any more crashy than 10.0, and the GPU acceleration is
nice.

Also it would be a great time to upgrade Firefox to the 3.6.4 release
candidate for those using Firefox. Plugin process separation... yummo.

[http://blog.mozilla.com/blog/2010/06/01/firefox-3-6-4-releas...](http://blog.mozilla.com/blog/2010/06/01/firefox-3-6-4-release-candidate-available-for-download-and-testing/)

------
gojomo
They suggest addressing the Flash vulnerability by installing the prerelease
10.1 version, which "does not appear to be vulnerable".

But the first step of installing 10.1 (on Windows and MacOS) is to run an
uninstaller, also available on the download page:

<http://labs.adobe.com/downloads/flashplayer10.html>

Perhaps the prudent should stop after that uninstall step, for safety from
other future exploits, as well.

~~~
endtime
Are you sure about the uninstallation part? I was able to install 10.1 without
uninstalling anything. Took about 10 seconds. And
<http://www.adobe.com/software/flash/about/> tells me "You have version
10,1,53,64 installed".

~~~
gojomo
The preview version's Release Notes say to run the uninstaller first, but
perhaps it's not necessary.

------
seanlinmt
I don't use Adobe Reader anymore. Foxit Reader,
<http://www.foxitsoftware.com/pdf/reader/>, is way smaller and faster. And
it's not by Adobe. :)

~~~
kwyjibo
I used Foxit Reader as well, until they had that feature where they would
execute whatever command on your computer and you couldn't disable it... (and
you could do this, or at least add a warning, in Adobe's reader)

------
boskone
Chromium + Flash + Linux vulnerable as well? How does one a) even know what
version of Flash is embedded in Chromium, and b) other than constantly killing
the Flash process, how does one disable Flash in Chromium?

Chromium v6.0.417.0

~~~
PidGin128
Generally, to determine the Flash version, you're forced to the Macromedia website
to view a version test .swf.

After finding out about this 'sploit, I looked in vain for the authplay.dll.
It turns out I had a newer build that wasn't listed as vulnerable (and I
couldn't find the file itself; where does it usually reside?).

------
Tichy
Sorry for my ignorance, but is there still no way to watch YouTube and other
videos without Flash? I thought some browsers would ship with suitable codecs
and be able to play them directly?

~~~
tuacker
Visit <http://www.youtube.com/html5> and join the beta. It won't work for all
videos though and not at all for embedded videos.

------
mikeytown2
Link to 10.1 RC7
[http://labs.adobe.com/downloads/flashplayer10.html#flashplay...](http://labs.adobe.com/downloads/flashplayer10.html#flashplayer10)

------
adamdecaf
I will have a nice weekend, for I don't even have flash on this laptop
(Linux). :)

</sarcasm>

------
againstyou
Great, now we need to use the Release Candidate to be safe? Probably we get
other features (aka remote exploits) using the RC and not a stable version. BTW,
did Adobe really release a stable version of Flash? Someday?

------
gojomo
Adobe Reader and Acrobat on MacOSX also include a file named _authplay.dll_?

(Any chance Apple's 'Preview' PDF-reading capabilities are similarly
vulnerable?)

~~~
DrewHintz
Apple's 'Preview' PDF viewer has lots of security vulnerabilities. Simple
fuzzing will quickly find plenty of 0day.

~~~
sans-serif
That's a bold claim waiting to be backed up.

~~~
mish
I think the poster was referring to Charlie Miller's CSW 2010 presentation,
where he finds a number of trivial, exploitable vulnerabilities in Preview.
You can see the slide deck here:
[http://securityevaluators.com/files/slides/cmiller_CSW_2010....](http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt)

------
stalker
I think they must put an alert in the download page.

------
ck2
Well that's ONE way to get everyone onto 10.1

------
bobbyi
Another reason to be running 10.1

------
TheKid
And read the fine print regarding 10.1 RC: "The Flash Player 10.1 Release
Candidate available at ... does not APPEAR to be vulnerable." Very different
than "Here's a fix."

(Snarky comment removed.)

~~~
drivebyacct
No, no it does not sum up why there's no Flash on the iPhone. Thanks for
playing though. Enjoy your consolation prize.

------
elblanco
and?

[http://www.engadget.com/2010/03/19/charlie-miller-to-reveal-...](http://www.engadget.com/2010/03/19/charlie-miller-to-reveal-20-zero-day-security-holes-in-mac-os-x/)

~~~
ptomato
I'm not quite sure what the relevancy of this is, unless you're actually such
a rabid Apple hater that you automatically see any mention of Adobe flaws as
an argument for Apple or somesuch.

~~~
elblanco
Lots of software has security problems. It's pretty rare that any of them show
up on the front page of HN. They just tend to blend into background noise as
"not interesting" unless it's particularly interesting to the community for
some reason. Given that one of Jobs's major points for not allowing Flash on
iDevices was the security of the platform, the only conclusion one can draw
for having a security notice show up on the front page is that there are a lot
of Adobe haters out there.

Within one sentence (and with absolutely no commentary or statements from me
in any way) you successfully made the connection between Adobe and Apple. This
connection is obvious and I shouldn't really have to explain it -- in other
words, it's painfully obvious why a security bulletin for Flash has shown up
on the front page of HN and why I've never seen one for an Apple product
despite fairly wide ranging security concerns in the community about Apple
products.

Here's Jobs on the topic.

<https://www.apple.com/hotnews/thoughts-on-flash/>

"Symantec recently highlighted Flash for having one of the worst _security_
records in 2009. We also know first hand that Flash is the number one reason
Macs crash. We have been working with Adobe to fix these problems, but they
have persisted for several years now. We don’t want to reduce the reliability
and _security_ of our iPhones, iPods and iPads by adding Flash."

Before Jobs explicitly banned Flash from the platform, the only thing I ever
remember seeing on HN regarding flash was that it performed a bit poorly under
Apple's operating systems because Apple wouldn't provide the necessary APIs
that would allow Adobe to make it as performant as it is under Windows (and
the occasional comment regarding the Linux port that like most software ported
to Linux, it was a few generations behind the times). But these complaints are
pretty much the same for lots of cross platform software and generally blended
into the background noise, even canvas runs poorly on most systems! One thing
I don't ever recall hearing about on HN was _any_ commentary about Flash as
insecure. That all changed with "Thoughts on Flash".

Before _Thoughts on Flash_ , I bet there was never an Adobe Flash related
security posting on the front page of HN. Yet Flash has had its share of
security issues, the same as anything. Which is what my link was meant to
demonstrate.

In other words, it's essentially a non-issue.

My point in posting one of a million links regarding Apple security problems
is that Apple is also not free from issues with its platform. Yet these
_never_ make it to the front page of HN. More importantly, Apple is rather
poor at self-reporting security problems, yet here we are bashing Adobe for
doing the responsible thing and reporting the problem themselves.

It's actually an interesting example of social dynamics, demonstrating how
people will follow the direction of a chosen leader and orient their opinions
regarding their own safety to be in line with what that leader says rather
than an objective review of the actual situation. People often follow leaders
as a proxy for doing their own thinking. I've just demonstrated why this is
dangerous. Jobs doesn't want to bring attention to the security issues of his
own platforms and has tried, successfully, to direct natural concerns for that
to somebody else. It's a masterful piece of political manipulation. Most
politicians would sell a limb to have this kind of mind share.

My link provided no commentary, no judgment, no counter-statements, no Apple
bashing or Apple praise, in fact no statements of any kind.

Yet the fact that that link is providing uncomfortable information contrary to
that provided by Jobs has caused it to be annihilated by downvotes (meta-
comment: pg has obviously changed something in the karma scoring because it
only shows -4, but my account is down -9 since yesterday and that's the only
change I can find, either the karma math is screwy, or he's experimenting with
some social engineering of his own and counting all downvotes but only showing
-4 no matter what. I find this interesting since, if that were true, people
have continued to downvote a link to unwanted counter information even though
it already stands at -4).

I actually cannot find a statement from Jobs regarding platform security
_other_ than "Thoughts on Flash". Even in response to things like this
[http://www.theinquirer.net/inquirer/news/1495591/security-ex...](http://www.theinquirer.net/inquirer/news/1495591/security-experts-mock-mac-security).
Considering that Jobs is among the more chatty CEOs of a major
corporation, this omission is rather perplexing. This leads to the obvious
conclusion that Jobs has taken the opportunity to call out Flash security as a
red herring, to turn our attention away from the problems on his own platform.
And, as is demonstrated here by bashing on Adobe for Flash security, bashing
on people who point out Apple security, people have bought his play -- hook,
line and sinker.

I provoked the response I expected to get based on the history of how the
dynamics of the situation have occurred. A swarm of downvotes for a link
regarding Apple security problems flies directly in the face of what Jobs has
said. It's a shame he had to put "Thoughts on Flash" out there. I found his
comments on Flash at D8 far more coherent and sensible and without the obvious
manipulative language he used in "Thoughts". What I find a shame is how easy
and gullible people who follow Jobs have been regarding the entire issue --
people who are otherwise very smart and very bright.

_edit_: I'm actually down -10 on my karma now. I guess pg _does_ count all
downvotes even if -4 is all that's displayed.

_edit 2_: This poor comment was similarly in negative territory as well,
further reinforcing my point. <http://news.ycombinator.com/item?id=1406477>

~~~
ptomato
"Yet the fact that that link is providing uncomfortable information contrary
to that provided by Jobs has caused it to be annihilated by downvotes"

No, I think it was mostly the irrelevancy that got you downvoted.

"you successfully made the connection between Adobe and Apple."

Umm, what you posted was a link to something about Apple, so yeah, I think I
could be justified in believing that was the connection you were trying to
make.

"I bet there was never an Adobe Flash related security posting on the front
page of HN."

<http://news.ycombinator.com/item?id=164725>
<http://news.ycombinator.com/item?id=1105508>
<http://news.ycombinator.com/item?id=801713>
<http://news.ycombinator.com/item?id=164725>

"Apple is also not free from issues with its platform. Yet these never make it
to the front page of HN."

<http://news.ycombinator.com/item?id=876334>
<http://news.ycombinator.com/item?id=684743>

"It's pretty rare that any of them show up on the front page of HN."

<http://news.ycombinator.com/item?id=1129882>
<http://news.ycombinator.com/item?id=692036>
<http://news.ycombinator.com/item?id=690592>
<http://news.ycombinator.com/item?id=872533>
<http://news.ycombinator.com/item?id=709869>
<http://news.ycombinator.com/item?id=393009>

"the only conclusion one can draw for having a security notice show up on the
front page is that there are a lot of Adobe haters out there."

The _only_ conclusion? Really? Some people might be interested because it is
an unfixed vulnerability actively being exploited in software that's on 95% of
PCs. Just a thought.

"Apple wouldn't provide the necessary APIs"

You're certainly not approaching this from a standpoint of hating Apple, if
_that's_ the interpretation you put on the abysmal performance of Flash on OS
X for many many years. I should note that Silverlight has always had stellar
performance relative to Flash on any Mac I've used them on.

"unwanted counter information"

Or again, complete irrelevancy.

~~~
elblanco
I was going to post a protracted point for point response, but decided I
wasn't in the mood for yet another lengthy internet battle with an obvious
zealot which will probably end up in a Godwin law violation or a comparison of
digital phalli or some such.

You've made some good points, some bad, I disagree with most, agree with
others (and learned a few things from your response, thanks for the
corrections). You've successfully demonstrated using a search engine for
finding archived posts without demonstrating that those posts reached the
front page. Well done.

It's obvious that Adobe is a sorry pitiful place that produces slipshod
software that blights the Internet and our computers with its presence -- from
the 150 slider widgets in Photoshop to Flash. This has been true for a decade
or more. You'll get no argument from me.

However, Apple also has a lot to answer for. Just because its principal
computing platform isn't terribly popular, so it's less likely to be a target,
doesn't make it more secure ("we're secure because nobody uses us!" is not a
terribly good selling point). The sec community has long-standing grievances
with the slow pace of security patches Apple puts out. Jobs has likewise
generally remained silent on this matter.

You may continue feeling slighted by even the slightest of finger-pointing at
Apple even if it's not intended as Apple bashing. A strong and vibrant Apple,
as a viable competitor, is good for several industries. Hanging off of every
word Steve Jobs says as perfect and without flaw is not.

Enjoy the rest of the weekend.

~~~
ptomato
"...lengthy internet battle with an obvious zealot which will probably end up
in a Godwin law violation or a comparison of digital phalli or some such."

There should probably be some law about those who attempt to preemptively
invoke Godwin's law.

"You've successfully demonstrated using a search engine for finding archived
posts without demonstrating that those posts reached the front page."

Up until fairly recently in the history of HN, at least, pretty much any post
with point count > 10 has been on the front page. Looking at the front page
currently there's a couple at 3 or 6. I think most of the examples I linked
were 20+ which means they were almost certainly on the front page for a while.

"Apple also has a lot to answer for."

You're the one who keeps trying to make this be about Apple. It's not, it's
about a Flash exploit. Trying to force the relationship says far more about you
than anything else.

"You may continue feeling slighted by even the slightest of finger-pointing at
Apple even if it's not intended as Apple bashing."

I'm not slighted, I'm just pointing out that you're not really communicating
in a relevant manner to the thread.

"Hanging off of every word Steve Jobs says as perfect and without flaw is
not."

I agree with some things Apple does and not others. (No Flash on iPad/iPhone:
agree, Adobe has yet to demonstrate the capability for Flash to run in a good
manner on mobile devices, and if either of those were waiting for that neither
would have been released yet. 3.3.1: sticks in my craw, even though I have a
sneaking suspicion it may be best for the _platform_ certainly not best for
developers. App Store as only distribution channel: Again, good for the
_platform_ and end users, not for developers; sideloading should be allowed.)
Certainly the HN community as a whole, I'd say, has a few more vocal critics
of Apple of late than vocal supporters.

