
Zero-day Flash exploit on all platforms, fix two weeks out - vl
http://www.adobe.com/support/security/advisories/apsa10-03.html
======
bl4k
The best thing I have done recently is to disable all plugins, including
flash:

<http://imgur.com/mCfqQ.png>

YouTube HTML5 support is good, and for any other video you can directly
download. Browser runs a lot faster, web pages load faster, and I don't miss
flash ads at all.

I also disabled flash on my parents' computer, and my brothers, and enabled
YouTube HTML5 for them. They haven't noticed it yet. It is only a matter of
time before more corporate networks uninstall/block all flash, especially with
the bad reputation it has with security.

Flash is already dead to me, I can't wait until it is dead for everybody else
as well

~~~
agazso
Use Flashblock or something similar. By default Flash objects are turned off,
but you can click on them to enable.

Firefox: <https://addons.mozilla.org/en-US/firefox/addon/433/>

Chrome:
[https://chrome.google.com/extensions/detail/cdngiadmnkhgemki...](https://chrome.google.com/extensions/detail/cdngiadmnkhgemkimkhiilgffbjijcie)

~~~
bl4k
As I mentioned below, I had Flashblock, and used it for a while until I
noticed that Flash is still in memory and Flashblock is just some JS that
hides flash elements.

Killing everything is much better.

~~~
bgentry
I used the following FlashBlock for Chrome, and using resource tracker I could
see that no SWFs were downloaded on a YouTube page until _after_ I temporarily
enabled Flash on that page.

[https://chrome.google.com/extensions/detail/gofhjkjmkpinhpoi...](https://chrome.google.com/extensions/detail/gofhjkjmkpinhpoiabjplobcaignabnl)

Is that good enough proof that the SWF is not put into memory?

Also, the FlashBlockBlock page here does not load when I have the extension
enabled: <https://woofle.net/flashblockblock/>

------
colonelxc
Finally, something that works on flash in linux!

I jest, but flash is the perfect target if you want to hit multiple OS's.
Doesn't mean the malware authors will actually develop exploits/malcode for
multiple OS's though.

~~~
jakevoytko
Viruses that target multiple machines may not be as ridiculous as they sound.
At least one researcher has a proof-of-concept that works on multiple
platforms: <http://www.wired.com/science/discoveries/news/2001/03/42672>

As an aside, the alpha releases for Flash on Linux are surprisingly stable.
The "gray rectangle" problem appears to be solved, which was the worst part of
Flash on Linux in years past. Video streaming works well, but animations
flicker and tear, so most online games are still unplayable.

~~~
TallGuyShort
Thanks for that link - I'm enjoying the article.

I'm surprised to be reading so much talk about Flash not working very well on
Linux. I'm using Fedora 13 (previously Ubuntu) on an extremely low-performance
machine, and I haven't seen any problems in a very long time (at least a
year). Videos, games, etc. all seem to work fine, and I generally pay a lot
of attention to the Flash player because I'm a flex developer. The only time I
struggle is when I watch HD video, but that's to be expected on my machine
even if I'm watching a DVD.

~~~
pmjordan
Yeah, I haven't encountered much in the way of compatibility problems since
10.0 was released. (I'm on OpenSUSE x86-64.) It does have a habit of crashing
and/or freezing for some time, I get the impression the latter is connected to
sound (ALSA). Modern browsers survive the former quite well, luckily, and
everything but Firefox recovers from the latter quickly, too.

One thing that seems to reliably fail is full-screen video, though.

------
swombat
To be fair, these things happen to many other platforms. Adobe's no exception.
Two weeks seems a bit on the slow side from our hacker point of view, but it
is in line with what you tend to get from large corporations (and actually
fairly responsive... this would be a good response time for, say, Internet
Explorer - and Flash has more installs on a much wider variety of OSes and
hardware than IE).

Let's not all gang up on Adobe just because they're, well, just as bad as
everyone else.

~~~
drinian
Please enumerate some of these "other platforms."

Cannot cite IE (too obvious), or Reader (also Adobe).

~~~
swombat
Apple: [http://www.engadget.com/2009/07/02/apple-patching-nasty-ipho...](http://www.engadget.com/2009/07/02/apple-patching-nasty-iphone-sms-vulnerability/) ("fix by the end of this month")

Google: <http://seclists.org/webappsec/2006/q1/66> (6+ months)

I'm sure you can find more of them by searching for them (as I just did).

~~~
tptacek
It would be a more interesting challenge to name a vendor who isn't routinely
issuing security advisories. I can't think of any.

------
sjtgraham
Safari OS X users, may I recommend ClickToFlash for the time being.

<http://clicktoflash.com/>

~~~
frou_dh
Great recommendation, but I'd say the torch has been passed to the bona fide
Safari extension of the same name:

[http://www.math.northwestern.edu/~hoyois/safariextensions/cl...](http://www.math.northwestern.edu/~hoyois/safariextensions/clicktoflash/)

~~~
isani
One benefit that the original ClickToFlash has compared to the extension is
that it works with web content embedded in applications other than Safari.

------
shib71
Their openness about the vulnerability is refreshing. But I assume they're
only publicising the vulnerability because of the people already exploiting
it.

~~~
rbanffy
> But I assume they're only publicising the vulnerability because of the
> people already exploiting it.

That and someone notified them it exists.

Were it only a vulnerability they could deny knowing, they would keep silent
about it.

------
acqq
Not just Flash -- it's an all-platforms Flash _and_ all-platforms Reader
vulnerability plus the Flash exploit for Windows in the wild!

I believe we can soon expect Reader exploits too.

~~~
blasdel
The Reader exploits probably involve a PDF with embedded Flash.

Synergy!

------
drinian
I uninstalled Flash three months ago, and haven't encountered any serious
problems. I have Greasemonkey scripts to let me download video from most of
the YouTube-like sites.

~~~
zackattack
please share said scripts

~~~
drinian
I'm not a heavy video watcher, so --

YouTube: <http://userscripts.org/scripts/show/62634>

Vimeo: <http://userscripts.org/scripts/show/56677>

Neither of these scripts requires a third-party site.

------
gojomo
Note that running the Adobe Flash Player uninstaller may not disable Flash in
Google Chrome (which integrates a separate Flash). You need to use the
'chrome://plugins' manager to disable that Flash Player. See here for details:

[http://www.google.com/support/forum/p/Chrome/thread?tid=1095...](http://www.google.com/support/forum/p/Chrome/thread?tid=10957b373ce77aed&hl=en)

------
mhw
I upgraded Flash on my old laptop just yesterday. The pain and misdirection of
being pushed through installing the Adobe Download Manager extension, then
restarting the browser in order to actually update the plugin, seems like
enough of an obstacle to significantly slow down the roll-out of the eventual
fix.

~~~
prawn
Their forcing of the download manager app (painful trying to find an alternate
download to upgrade Flash) should be a key reason for people to abandon the
platform.

~~~
frou_dh
I think Java trying to install the Yahoo Toolbar beat that. So trashy, I
couldn't believe it.

~~~
JoeAltmaier
Yahoo toolbar crosses the line - it's a virus now, or at least malware.

------
Jach
Can anyone explain some motivations behind Adobe continuing to keep the flash
player closed source? The only reasonable thing I've heard before was about
movie codecs, is there anything else? The Flex SDK is open, they're not
exactly stellar on performance, several different SWF decoders work okay for
some narrow subset... I doubt there's much in there that's top secret or
thesis-worthy. Releasing it to the community would go a long way in improving
Adobe's standings as well as letting the community fix these (in say one week
rather than two) and work on 64-bit versions or performance...

~~~
aniket_ray
The VM is open source, the frameworks are open source. The language
specification is open.

The only thing closed are codecs (many of which are licensed from other
companies and can't be open sourced), DRM stuff and platform level code that
glues everything together. On the other hand, there are open source versions
of swf players that Adobe actively promote.

Unfortunately, community involvement (developers and early testers) in all
these projects has been low. My understanding is that people within Adobe
(and there are many who like Open Source) have no evidence that open sourcing
more stuff is any better for the player, since the community hardly gets
involved.

Adobe did launch a 64-bit Linux flash player on Labs. Most 64 bit users never
used it, sticking with the nspluginwrapper method instead.

I'm sure more community involvement with existing open source projects at
Adobe would pave the way for opening up of more stuff.

~~~
blasdel
They open sourced the parts that have been solid for years. What's always been
a huge problem is the runtime — the implementation of the standard library.
It's mostly the same across all platforms and more than just 'glue code',
it's what's actually using most of the CPU cycles when a Flash applet
executes, it's all native code, and it's not sandboxed at all by most
browsers.

------
wensing
Novice question--wouldn't getting exploited require that I visit a site of
ill-repute?

Or, alternatively, is there some cross-domain element that makes this a threat
even if I'm just seeing Flash-based ads on CNN.com?

~~~
someone_here
CNN could be using an ad provider that just happens to not have enough ads so
they outsourced to a few new ad networks and one accidentally let in a hacked
ad.

------
minalecs
No issue here. Just use FlashBlock for Chrome and Firefox, and when there's
Flash content you want to view, click the Flash icon to enable it. There's
still a lot of Flash content that's good out there. I think just enabling the
flash content you want to use, will solve a lot of the issues people have with
flash.

~~~
auxbuss
Yup, I've used the Flashblock Firefox plug-in for quite a while. It replaces
any Flash items with an icon that you can click to run the Flash. There's also
a right-click option to always enable flash for a site (whitelist).

Flashblock is a simple and effective way to manage Flash.

------
olalonde
Damn, that's how I got this annoying adware. I think it's time to bury Flash
for good.

~~~
wensing
Do you have evidence? (Correlation != causation)

~~~
olalonde
I'm pretty sure. Flash has been acting very weird lately (random UAC popups)
and it's the first time I get malware from the web in over 5 years. Flash is
the only plugin I use so unless there is also a 0-day in Chrome, Flash is the
most likely suspect.

------
Devilboy
If they've found it, is it still technically considered a 'zero-day' exploit?

~~~
Deestan
Apparently not: <http://en.wikipedia.org/wiki/Zero-day_attack>

> A "zero day" attack occurs on or before the first or "zeroth" day of
> developer awareness

------
DavidBishop
"This vulnerability (CVE-2010-2884) could cause a crash and potentially allow
an attacker to take control of the affected system. There are reports that
this vulnerability is being actively exploited in the wild..."

Oh no! What if it gets my iPhone! Oh, wait...

------
emehrkay
I dumped Firefox when Safari 4 came out. Then I moved to WebKit nightly (I'm
still in love with the developer tools).

