Google patches Flash bug before Adobe

Google has already released an update for its Chrome browser that fixes a critical vulnerability in Adobe's Flash Player that's under attack. Users of the animation software on other browsers and operating systems will have to wait until next week for the same patch. Chrome was able to beat the rest of the pack thanks to …

COMMENTS

This topic is closed for new posts.
  1. Kyoraki

    Here's a brilliant idea-

    Don't open shady looking attachments from your E-mail inbox kids.

    1. Ilgaz

      True

      Your kind makes people set up a page with the Flash exploit, mask it with a URL shortener, put a link in some xxx-looking mail sent to your address and exploit your computer, saying "what did you say?" while erasing all data.

      Must be glad I am not a black hat.

      Flash vulnerability means, it can be run embedded from any web page to infect poor non techie users. Got it? They even put them in Ads!

      1. Tom 13

        Actually, his solution would solve the problem.

        Mail admins where I worked always tried to train users to save attachments to disk before opening them. This gives the AV software a chance to scan the file before it is opened. As an Outlook shop, it also solves the problem of maroons opening the attached document, editing the crap out of it, saving it, but not as a new file, and then losing all of their changes when they DIDN'T save the email from which they edited the document.

        As for your Black Hat alternative, that wouldn't hit me either. I don't open dodgy emails for XXX pics either. So you need a REAL drive-by exploit to nail me. On Windows there are plenty of them out there and I've been nailed by some. Worst one was from an MSN banner ad because I forgot to change the default page to Google before starting IE6 to run MS updates to patch the newly built XP SP3 system. On the upside, since it was brand-spanking new, there was no data loss and the decision to delete partitions and start fresh was easy.

    2. foo_bar_baz

      Here's a brilliant idea for you

      Read. Think. Don't post.

      * Malware Installed by LiveJournal Ad

      http://it.slashdot.org/story/06/06/24/1420251/Malware-Installed-by-LiveJournal-Ad

      * Major Ad Networks Found Serving Malicious Ads

      https://threatpost.com/en_us/blogs/major-ad-networks-found-serving-malicious-ads-121210

      * Google Text Ads For Known Malware Sites

      http://tech.slashdot.org/story/08/11/14/1352221/Google-Text-Ads-For-Known-Malware-Sites

      * Hackers Use Banner Ads on Major Sites to Hijack Your PC

      http://www.wired.com/techbiz/media/news/2007/11/doubleclick

      * Malware Rising - Attacks Increasing Through Malicious Online Advertising

      http://www.securityweek.com/malware-rising-attacks-increasing-through-malicious-online-advertising

      etc.

  2. Anonymous Coward

    WTF really

    1 week extra left vulnerable to test the other combinations? Who are they kidding?

    Is this Google's new strategy, get people to use their browser by sneakingly convincing the buggiest plugin in history to delay security patches for other platforms?

  3. AlexS

    Fix?

    "Google patches Flash bug before Adobe"

    "Google has already released an update for its Chrome browser that fixes a critical vulnerability in Adobe's Flash Player that's under attack".

    --->

    I think you mean "does a work around"... not "fixes" or patches Flash - unless you are saying that Adobe is hacking or forking Adobe's very own source code?

    1. G2

      reading comprehension fail

      Reading comprehension fail, Google Chrome really uses a patched Flash plugin, not a work-around.

      http://www.adobe.com/software/flash/about/

      In Firefox: You have version 10,2,152,32 installed

      In Chrome: You have version 10,2,154,25 installed

      The table below contains the latest Flash Player version information. Adobe recommends that all Flash Player users upgrade to the most recent version of the player through the Player Download Center to take advantage of security updates.

      | Platform | Browser | Player version |
      |---|---|---|
      | Windows | Internet Explorer (and other browsers that support Internet Explorer ActiveX controls and plug-ins) | 10.2.152.32 |
      | Windows | Firefox, Mozilla, Netscape, Opera (and other plugin-based browsers) | 10.2.152.32 |

    2. Oninoshiko

      counter-fail.

      I thought I would go ahead and share the fine article with you:

      "Chrome was able to beat the rest of the pack thanks to ongoing collaboration with Adobe that allows Google advanced access to updated builds of Flash, Adobe spokeswoman Wiebke Lips said."

      Let me try to use small words for you. Google gets a release of Flash from Adobe which has a fix but is not yet completely tested in all browsers by Adobe. Google, not needing to test in any browser but Chrome, is able to verify the patch faster than Adobe is, and therefore release sooner. It is an Adobe-written fix, not a fork.

    3. Anonymous Coward

      If you read the article

      it says Google had access to a pre-release version of that-particular-bug-fixed Flash

    4. Anonymous Coward

      I dunno

      maybe the content of the article makes that a bit clearer. If only I had time to read it...

    5. jarvis

      Trigger happy commenting....

      No, they really do mean that the Chrome update includes a fixed version of Flash. Adobe aren't quite hacking or forking Adobe's code, but they do have access to newer versions than the rest of us. You might want to try reading *all* of the article next time (or at least the second paragraph!).

  4. Anonymous Coward

    Wiebke Lips

    is a brilliant name

  5. Anonymous Coward

    Uninstall Office ?

    Why the hell do you need flash running in Excel it's just a bloody spreadsheet, I assume LibreOffice does not allow the same attack vector ?

    Don't just blame Adobe on this one folks

    1. Ken Hagan

      Flash in Excel

      Excel supports ActiveX controls, and I dare say there are thousands of legitimate uses for such extensibility. Flash is an ActiveX control. Ergo, Flash can run in Excel.

      You might as well ask why computers are able to run Flash. It's all software. It's flexible. Get used to it or find another job.

      1. Anonymous Coward

        Pardon ?

        Flexibility at the expense of security ?

        I think you should get another job (assuming you are an MCSE) and by the way Flash is not an ActiveX control on Linux or OSX.

        ActiveX is a botched security nightmare.

  6. Jan Hargreaves

    double take

    Wiebke Lips.... where does this name come from? A German porn star actress?

  7. Anonymous Coward

    Delivery mechanism

    Why the hell is it possible to embed a Flash video in an Excel spreadsheet anyway? Because spreadsheets aren't exciting enough there has to be a way to animate those numbers?

    ^^ Oh no. That's why.

  8. heyrick

    Does this imply...

    ...that Google pushed out the update with minimal testing?

    1. Anonymous Coward

      @Heyrick

      No.

  9. Ilgaz

    so...

    We must make sure newbies install Google spyware browser (with default settings) and lock themselves and private lives to Google not to be exploited by no-name spyware installed by flash vulnerability.

    Funny part is, I haven't heard any spyware that "reads" user private mail and makes sure it is never actually deleted.

    If both companies read this comment, here is why the entire planet hates you.

  10. A Non e-mouse

    RTFA

    "ongoing collaboration with Adobe that allows Google advanced access to updated builds of Flash"

  11. This post has been deleted by its author

    1. This post has been deleted by its author

    2. Anonymous Coward

      @Frank

      Gnash is pretty much dead mate, at best they're flogging a dying horse [8 months since last update]......

      If Google with scores of hard-ass developers and billions in the bank are partnering with Adobe on Chrome integration that must tell you something.

  12. Tom Chiverton 1

    Umm

    "animation software" ? What is this, the Daily Mail ?

  13. JC 2

    @ Fix?

    No, it means that Adobe has already coded the patch for the flaw but will only release the patched version to Google for deployment because Google helped test it while every other browser platform still needs more testing before Adobe will release it for the others.

  14. Tom 7

    Google's already fixed Flash

    HTML5 - YouTube will do VP8 rather than Flash. Wait a while...

    Sorted.

  15. asdf

    Perfect example

    Why the only version of Flash you should ever allow on your computer is the one that comes with the latest Chrome and even then you should always run Chrome with the --safe-plugins flag to make sure it's sandboxed. In general if you have any Adobe software (malware portals) on your system you are asking to join a botnet regardless of other safety precautions.

  16. Anonymous Coward

    "They even put them in Ads!"

    I had heard that.

    I had also heard that reputable websites generally don't do (or serve) Flash adverts because (a) they have some respect for their readers (b) the prevalence of assorted Flash blockers and disablers means it's just so much wasted space for the website anyway.

    Or was I dreaming or under the influence?

  17. Maty

    yet again ..

    Adobe proves itself the Acquired Immunity Deficiency Syndrome of the internet.

    Roll on HTML 5 when this company and its crappy vuln-ridden products will be obsolete.

  18. ps2os2

    Vendors not fixing code

    I had a similar issue with CA about 20 years ago. I needed to be able to run one of CA's products in a certain way and could not because they hadn't updated their software.

    It was at the time one of the few CA products that still shipped with source. I asked CA and they said in the best case 4-6 months. I was on deadline and couldn't wait for them so I went in and patched CA code to allow running their product (it was *LEGAL*). It took me say 3 days and the code was in one specific area so that made it extra easy. I tested it over the weekend and it worked. So I called CA Monday AM and told them I figured out the fix (they were getting a lot of pressure from other users). I told them to go to hell. It works and if you want to pay me I will have to have a contract made up. They figured I would give them it for free, HAHA!!
