Adobe Warns of Flash, PDF Zero-Day Attacks
InfosecWarrior writes "Adobe issued an alert late Friday night to warn about zero-day attacks against an unpatched vulnerability in its Reader and Flash Player software products. The vulnerability, described as critical, affects Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems. It also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh, and Unix operating systems."
Re:Flash for the iPhone WHEN??? (Score:3, Informative)
Why do you think, "we FreeBSD-ers aren't getting Flash"?
I do have (the Linux version of) Flash 10 installed on my FreeBSD 8 amd64 systems and running it in a native FreeBSD amd64 Firefox. (Of course, it is usually blocked by noscript and flashblock.) A few years ago that might have been difficult to get running, but now it is just ports.
Whether we really want Flash is another story...
Re:Zero-day? (Score:5, Informative)
Buzzword or not, "zero day" means a vulnerability that is already being exploited by the time it's published. If a vulnerability is published but no exploit exists -> no zero day.
Regardless of what you think of reasons for using that "zero day" label, this is very relevant to end-users: zero day -> you're at risk, NOW. No zero day -> you're probably safe (for the time being, that is).
Re:Flash for the iPhone WHEN??? (Score:5, Informative)
Of course, it is usually blocked by noscript and flashblock.
This appears to be a SWF file being run by Adobe Reader or Acrobat. Browser based plugins aren't going to help when it's opened by a desktop application.
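Since the point above is that the SWF travels inside the PDF and is handed to authplay.dll by Reader/Acrobat rather than by the browser, the useful check is on the document itself. The following triage scanner is an added example for this thread (not code from Slashdot, the posters or Adobe): it flags PDFs whose objects ask for Flash (a /RichMedia annotation or /Subtype /Flash) or whose streams start with an SWF header (FWS, CWS or ZWS). The sample PDF it scans is constructed by hand inside the block and is not a real malicious file; the regex-based object walk is an assumption made for brevity and is not a full PDF parser.

```python
"""Triage scanner for PDFs that carry embedded Flash (SWF) content.

Added example for this thread, not code from Slashdot, the posters or Adobe.
It looks for the two things a PDF needs before Reader/Acrobat 9.x will hand a
movie to authplay.dll: a name object asking for Flash (/RichMedia annotation
or /Subtype /Flash) and a stream whose payload starts with an SWF header
(FWS = uncompressed, CWS = zlib, ZWS = LZMA). The sample PDF is constructed
by hand below; it is not a real malicious document.
"""
import re
import zlib

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
FLASH_NAMES = (rb"/RichMedia", rb"/Flash\b")   # PDF name objects tied to Flash

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
STREAM_START = re.compile(rb"stream\r?\n")
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # skip "7 0 R" refs


def _split_stream(body: bytes):
    """Return (dictionary_bytes, raw_stream_bytes_or_None) for one object body."""
    m = STREAM_START.search(body)
    if not m:
        return body, None
    dict_part, data = body[:m.start()], body[m.end():]
    lm = DIRECT_LENGTH.search(dict_part)
    if lm:                           # direct /Length: slice exactly, like a real reader
        return dict_part, data[: int(lm.group(1))]
    end = data.rfind(b"endstream")   # indirect /Length: fall back to the keyword
    return dict_part, data[:end].rstrip(b"\r\n")


def _decode(dict_part: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; anything else is inspected as-is."""
    if b"/FlateDecode" in dict_part:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw               # damaged or multi-filter stream: inspect raw bytes
    return raw


def scan_pdf(pdf: bytes) -> dict:
    """Report objects that reference Flash and objects whose stream is an SWF."""
    findings = {"flash_refs": [], "swf_streams": []}
    for m in OBJ_RE.finditer(pdf):
        objnum, body = int(m.group(1)), m.group(2)
        dict_part, raw = _split_stream(body)
        if any(re.search(p, dict_part) for p in FLASH_NAMES):
            findings["flash_refs"].append(objnum)
        if raw is not None and _decode(dict_part, raw)[:3] in SWF_MAGIC:
            findings["swf_streams"].append(objnum)
    findings["suspicious"] = bool(findings["flash_refs"] or findings["swf_streams"])
    return findings


def build_sample_pdf(with_flash: bool) -> bytes:
    """Hand-built minimal PDF (constructed test input). With with_flash=True,
    object 5 is a RichMedia annotation and object 6 a FlateDecode stream that
    wraps a fake uncompressed SWF header (version 10, no real tags)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R"
        + (b" /Annots [5 0 R]" if with_flash else b"") + b" >>",
        b"<< /Title (benign) >>",
    ]
    if with_flash:
        objs.append(b"<< /Type /Annot /Subtype /RichMedia"
                    b" /RichMediaContent << /Assets << /Names [(movie.swf) 6 0 R] >> >> >>")
        swf = zlib.compress(b"FWS\x0a" + b"\x00" * 16)
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(swf)
                    + swf + b"\nendstream")
    out = [b"%PDF-1.7\n"]
    for num, obj in enumerate(objs, start=1):
        out.append(b"%d 0 obj\n" % num + obj + b"\nendobj\n")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


if __name__ == "__main__":
    for flag in (False, True):
        print("with_flash=%s -> %s" % (flag, scan_pdf(build_sample_pdf(flag))))
```

Two caveats a practitioner would add: the scanner only inflates FlateDecode and does not open object streams (/ObjStm), so a document that hides its annotation dictionaries inside a compressed object stream, or uses a filter chain, will need a real PDF parser before these checks are meaningful; and "SWF present" is a triage signal, not a verdict, since plenty of legitimate documents carry RichMedia content.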
Re:Zero-day? (Score:3, Informative)
Not entirely correct; historically it meant an exploit that was discovered by the vendor by the fact that it was being exploited. Meaning, they had zero days to develop a patch.
So if, for example, someone reported this to Adobe previously, and Adobe hadn't fixed it yet, then it isn't a zero day exploit. If Adobe only found out about the vulnerability because people were exploiting it, it was a zero day vulnerability.
Which might be what you were saying, but it didn't come out unambiguously that way. :)
Re:64-bit Linux (Score:3, Informative)
If the fix is critical, why is the Linux 64-bit version still at the vulnerable level?
No versions have been fixed yet so all versions are still vulnerable ... this includes Linux 64-bit.
Re:64 bit Linux (Score:3, Informative)
Perhaps because it appears to be a half-assed gesture to make GNU/Linux users shut up about lack of 64-bit support.
Unlike Windows where there is _no_ 64-bit support.
In any case, I just checked adobe.com and no version seems to have been updated yet.
Re:Zero-day? (Score:1, Informative)
Wrong
Zero Day means freshly discovered exploit. Period.
It means brand new, not yesterday, just found today.
It started with zero day warez, which meant you could get them from IRC or the FTP site the day they were released, not later.
End users don't know shit about zero-day, it means nothing to them; as stated above, it's nothing more than a scary buzzword that they don't understand.
Newbies like yourself need to not tell people where these words came from when you weren't around when they were created.
There's a reason the post you responded to is rated 5 Informative and yours isn't. Your comments are especially interesting because the author of that post has a lower ID than you do, so I'm not sure I'd be so quick to make claims about "newbie" status.
With that said, there is a source that disagrees with you: http://en.wikipedia.org/wiki/Zero-day_exploit
And get off my lawn.
Adobe Failed to Mention Mac Users Affected only if (Score:1, Informative)
Only Mac users with Adobe Reader set as the default PDF reader (like many Fed Macs) are affected. The fix is to revert to factory settings with Preview as default, and only open trusted PDFs with Adobe Reader (required for some gov't apps).
Re:Adobe link to Flash Player deemed "safe" (Score:3, Informative)
Damn, clicked Submit instead of Preview. Meant to add this from the advisory:
"Note:
The Flash Player 10.1 Release Candidate available at http://labs.adobe.com/technologies/flashplayer10/ does not appear to be vulnerable.
Adobe Reader and Acrobat 8.x are confirmed not vulnerable."
Re:Look at the credits for Adobe Reader. (Score:3, Informative)
There were plenty of better alternative formats available, both editable and non-editable.
Such as?
The point of PDF wasn't about editable or not editable, which is probably why you think it was a solution in search of a problem.
The PDF format started out as a way to ensure complete display fidelity across display media and platforms. Unlike a word processor file, you did not have to worry about rendering differences, formatting inconsistencies, whether the destination system had the proper fonts or supported a given typographical control. These were the days before you could embed fonts in your .doc file and before hardware was powerful enough to piece together a Photoshop or Illustrator file on the fly.
It was a lightweight format for documents consisting of type and media files. Then Adobe started cramming everything under the sun into it, piling on code year after year in its ever-bloated Acrobat (a development model shared with almost all Adobe software). The fact that it was a finished display format meant that end-user editing was generally not possible with the viewer software. That wasn't the point of the design, it was just a consequence of the focus on display rather than creation--one that some people liked and one that others despised. Hence editable forms and the whole array of "interactive PDF" tools that got crammed into Acrobat.
PDF itself is still pretty lightweight and powerful, and it's extremely useful for compositing (OS X uses a very similar framework in its desktop compositor, hence the seamless PDF integration with Macs--and PDF rendering speed blowing the doors off anything Adobe has shipped in 15 years).
PDF is an ideal document format for ensuring everyone gets the same file in that you can make it once and show it everywhere. LaTeX is a tool for professionals, geeks, and typesetters. PDF is the only successful format for everyone.
Re:PDF files should not "execute" (Score:2, Informative)
Leaving out the "executable content" from PDFs does not shield you from exploits at all. Hostile input can still trigger all sorts of bad reactions including complete takeover. A bug can turn any simple viewer into executing the document.