
"Your technological terror is insignificant..."
Really, it's like an exhaust vent on a battle station.
Adobe has released an update to address critical flaws in its Flash Player software, one of which is being actively targeted in the wild. The company said that the Windows and Mac OS X builds of Flash Player 12.0.0.44 and earlier, and Flash Player 11.2.202.336 and earlier for Linux, must be upgraded to fix a trio of bugs. …
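Added example, not code from the article or from Adobe: the check a defender would run over a software inventory to find hosts still on an affected build, using the thresholds the article gives (12.0.0.44 for Windows and Mac OS X, 11.2.202.336 for Linux); the hostnames and version strings in the sample are constructed.

```python
# Added example (not from the article or Adobe); thresholds are the builds
# the article names as affected.
LAST_AFFECTED = {            # highest still-vulnerable build per platform
    "windows": (12, 0, 0, 44),
    "mac": (12, 0, 0, 44),
    "linux": (11, 2, 202, 336),
}

def parse_version(text):
    """'11.2.202.336' or the comma form '11,2,202,336' -> tuple of 4 ints.
    Anything else raises, so a bad string is never treated as patched."""
    fields = text.strip().replace(",", ".").split(".")
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError("unrecognised Flash version: %r" % text)
    return tuple(int(f) for f in fields)

def needs_update(platform, version):
    """True when the build is at or below the last affected build for its
    platform. Tuples compare field by field, which a plain string comparison
    gets wrong ('11.2.202.336' > '11.2.202.1000' as strings)."""
    key = platform.lower()
    if key not in LAST_AFFECTED:
        raise ValueError("unknown platform: %r" % platform)
    return parse_version(version) <= LAST_AFFECTED[key]

def triage(inventory):
    """Split (host, platform, version) rows into hosts still needing the
    update and hosts whose version could not be parsed (flagged for review)."""
    stale, review = [], []
    for host, platform, version in inventory:
        try:
            if needs_update(platform, version):
                stale.append(host)
        except ValueError:
            review.append(host)
    return stale, review

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    ("ws01", "windows", "12.0.0.44"),
    ("ws02", "windows", "12.0.0.70"),
    ("mac01", "mac", "11,9,900,170"),
    ("lx01", "linux", "11.2.202.336"),
    ("lx02", "linux", "11.2.202.341"),
    ("lx03", "linux", "n/a"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```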
"Really, it's like an exhaust vent on a battle station."
Yep, just like the numerous sets of 'Highly Critical' holes in Chrome. Emmental Cheese (or Java) springs to mind...
The latest set of those are not patched yet: http://secunia.com/advisories/57028/
Will Flash ever be secure?
From what I've seen so far, I sincerely doubt the company is even capable of spelling the word "security". Anyway, it's a good argument to uninstall this stuff - I have it disabled anyway but for 2 sites I need, and I have just found alternatives for them :)
'Adobe said today's update will "resolve a stack overflow vulnerability that could result in arbitrary code execution (CVE-2014-0498)", fix "a memory leak vulnerability that could be used to defeat memory address layout randomization [ASLR] (CVE-2014-0499)", and squash "a double free vulnerability that could result in arbitrary code execution (CVE-2014-0502)."'
Does this mean that it's possible to deliberately write an app that could defeat ASLR and exploit the stack to execute arbitrary code..?
"Does this mean that it's possible to deliberately write an app that could defeat ASLR and exploit the stack to execute arbitrary code..?"
Yes, that's not new. There are a number of known ways of attacking ASLR protected systems.
Microsoft have developed more advanced protection, but it's currently an optional install: http://www.microsoft.com/en-gb/download/details.aspx?id=41138
I only ever install Flash in order to access content on the BBC website (and block everywhere else) - if only the BBC would sort their shit out and offer me media content my browser (Firefox on Windows) natively supports I wouldn't need to install this Adobe crap at all!
The BBC offer h264 to iDevices but everyone else has to put up with Flash. It's so arse about face - they should be offering h264 by default, with Flash being the fallback only if all else fails...
Things like this happen for one reason alone: Nobody but Adobe has the Source Code to the Flash player, and therefore nobody but Adobe can search for and repair vulnerabilities.
Nobody but Microsoft has the Source Code to Microsoft Office, but that hasn't stopped very many pirate copies of Office from being made. And even if having the Source Code to Flash player made it easier to give away copies, Adobe probably wouldn't miss the £0 they aren't getting each time.
What I'm getting at is, this whole business of denying people access to the Source Code is actually making things a lot worse than they need to be.
How long must we wait, before some Ministry of IT in some country passes a law demanding that software vendors must make available the Source Code to any product they want to sell or give away in that country?
"Things like this happen for one reason alone: Nobody but Adobe has the Source Code to the Flash player, and therefore nobody but Adobe can search for and repair vulnerabilities."
If what you said was true there would never be vulnerabilities in Linux or Apache.
Open source is no magic bullet.
Nobody ever said Open Source software was completely free of vulnerabilities. However, there are vulnerabilities, and there are vulnerabilities.
The vulnerabilities in Open Source software almost invariably get spotted by someone with honest intentions and fixed, before they get spotted by someone with dishonest intentions and used for mischief. (Which is hardly surprising, given the ratio by which honest people outnumber dishonest people.) Open Source vulnerabilities most often are disclosed to the public just after the patch that fixes them is committed. But a vulnerability in proprietary software might still get spotted, even without access to the Source code, by someone with dishonest intentions; and it might be exploited many times over before the vendor issues an update.
I agree that if people aren't regularly installing up-to-date versions of their software, then it doesn't matter what Source Code model is being followed. What I am saying is that if you remove the single point of failure by giving more people access to the Source Code, you end up with fewer exploitable vulnerabilities in the latest version.
Concealing Source Code from users benefits nobody, it ultimately harms users, and it's time somebody stamped on the practice good and hard.
"The vulnerabilities in Open Source software almost invariably get spotted by someone with honest intentions and fixed, before they get spotted by someone with dishonest intentions and used for mischief"
Oh really? Perhaps you should tell Sony! Or the zillions of other people running Open Source web servers that constantly get attacked and defaced?
"Open Source vulnerabilities most often are disclosed to the public just after the patch that fixes them is committed."
Erm, so why has Microsoft Windows Server consistently had a shorter average time at risk than SUSE or RedHat Linux every year for the last decade?
The article states that users, including Linux users, need to be patched, yet the vuln is described as only applying if "a PC must be running Microsoft Windows XP; Windows 7 and Oracle Java 1.6; or Windows 7 and Microsoft Office 2007 or 2010."
I've long held the suspicion that some "security patches" and other alerts are used purely to push users off products that companies no longer wish to support. I'm not saying that this is one such alert, but the above does strike me as a bit odd. Or have I misread?
"The article states that users, including Linux users, need to be patched"
The active exploits target a subset of Windows users with older software installed. As Linux has a ~1% market share on the desktop you are 'probably' safe, but that doesn't mean that you shouldn't patch. Linux distributions do after all mostly have much higher vulnerability counts than current Windows versions. If someone wanted to find a way to hit you on Linux, they probably could...
Undoubtedly. Which is why big banks and governments mostly run Windows. Windows has been far more thoroughly tested for vulnerabilities than competing PC operating systems including full function open source operating systems for generalized computing.
You don't think a big bank could afford Apple? Of course they could. But banks and governments face the threat of custom written malware targeted just at them. It doesn't matter what malware is out there so much as how difficult it would be to write a new piece of malware.
This bug https://bugbase.adobe.com/index.cfm?event=selectBug&CFGRIDKEY=3161034 prevents all Linux/AMD (or more precisely, non-SSE2-capable CPU) owners from installing these emergency updates, with all known consequences. Two years open, with numerous reports in other trackers (see Adobe bugbase comments), highest voted Linux-related issue, but this is (still) their reaction:
---------8<----------
If bug is set as ToTrack or Closed as Defer, it means we have reproduced the problem, but unfortunately, it does not get high enough priority to address in our current release. ......
---------8<----------
Exploits are going to be happening more and more frequently as foreign spy agencies worldwide are forced to emulate what the NSA is doing (spying on friendly nations, their citizens and their companies) in order to maintain their own national security and national interests.
From the Fire Eye blog:
"This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues. The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.
This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems. Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term."
additionally name their updates so it's apparent just looking at the filename at what time of day (hh:mm:ss), in which time-zone, and on which date the update was released.
One downside to the ubiquity of Flash, for example, is that everyone is pretty much forced to update (either the software or their hardware) when large players (e.g. BBC) start delivering only what's been produced with the latest versions of the kit available. While this does contribute to people patching their systems, it also much more rapidly orphans what would otherwise be useful kit. IOW, it becomes an unintended impetus to turn-over cycles, particularly in the home.
Anyway, there's something disturbing about having to ensure that you've got the latest version of x other things in order to mitigate the threat. I do appreciate the need to update and patch and so on, and recommend doing so. When an ever-narrower collection of tools in your kit means a given threat is potentiated by the shallow gene pool there, it's time for drastic changes.
Year of the horsie brings good luck to Chinese Checkers. When these websites run Flash, they are asking for trouble. Don't use Flash or Java if you want security! This type of site can be better without it, anyway. The Chinese know that Adobe is worse than the northbound end of the southbound horse.