Adobe Warns of New Critical Flash Security Flaw

| News

Adobe issued a warning to Flash Player users that it has discovered another critical security flaw in its multimedia playback platform. The flaw impacts Flash Player for Mac, Windows, Linux Solaris and Android users and could potentially allow an attacker to gain control over the victim’s system.

Flash Security FlawThere’s a new Flash Player security flaw in town

According to Adobe Security Advisory ASPA11-02, the flaw impacts Flash Player 10.2.153.1 and earlier for Mac, Windows, Linux and Solaris users, version 10.2.154.25 for Google Chrome users, and 10.2.156.12 for Google Android OS users. The flaw is also present in Adobe Acrobat and Adobe Reader 10.x and 9.x.

Hackers can potentially gain access to user’s systems thanks to a flaw in the version of Authplay.dll that ships with the versions of Flash Player and Acrobat that are susceptible to the attack. So far, it appears that attacks that are currently in the wild are using specially crafted Flash SWF files embedded in Microsoft Word documents and are targeting only Windows users.

Adobe is working on a patch for the security flaw, but hasn’t said when the Flash Player update will be available. The patch for Acrobat and Adobe Reader users will be released as part of the company’s regularly scheduled quarterly security update set for June 14.

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

Comments

Lee Dronick

Sigh!

Layal Gebrane

We have to wait for June 14th for the Update? Until then our Macs would be slaughtered :S… Thanks ADOBE you rock… Losers, Steve Jobs was right to mess you up with not allowing flash into the iPad.

nytesky

Luckily I don’t use Windows and I don’t use Word and I rarely use Flash thanks to Click To Flash.

Nemo

Oh God, not again.  How much does this cost every time that individual users and IT have to turn off Flash, until Adobe patches it?

Lee Dronick

How much does this cost every time that individual users and IT have to turn off Flash, until Adobe patches it?

Also the advertisers whose advert is not being viewed and those all Flash websites that are not being visited.

LarryR

I want a bumpersticker that says, “Flush Flash.”

cRizzo

sadly… I see a bunch of Flash adverts to the right of this topic.  :(

Lee Dronick

sadly? I see a bunch of Flash adverts to the right of this topic.

I am pretty certain that they are not Flash. Adverts pay for free sites such as this one.

Anyway ClickToFlash is your friend.

test

I’m not surprised. I want that bumpersticker!


Why do we need to wait until JUNE?
OMFG anonymous will se this press release and slaughter all those users! QUICK SWITCH TO GNASH!

joe

If you see a flash advert on this page you should 1) make sure your account is not an admin 2)Block javascript with either noscript addon for firefox or chrome’s content blocking.

Bosco (Brad Hutchings)

Just remember that to jailbreak your iOS device, you rely on an unpatched security hole, much like this Flash issue, to crash the device and gain root access. In any sufficiently complex piece of software, there are an endless supply of these things waiting to be discovered. It’s unavoidable, but usually fixable. Prompt disclosure and repair quickness commensurate with risk are the optimal policy.

I’m sure you’ll find Flash Player patched before the end of next week.

jameskatt

See why Flash sucks big time????

This is why Flash should NEVER go on the iPhone.

Dummy

Well I’m already playing it safe, I use IE for Intranet sites and Firefox with flash disabled for Internet sites.  Eventually Silverlight will start having more of the same issues too.

here2serve

No such file as Authplay.dll on a Linux system. I doubt Authplay.dll is on MAC. So what can actually happen on a Linux/MAC system?

Nemo

Bosco:  You are being disingenuous.  You know that the means used to jailbreak an iOS device requires that the user intentionally installing the jailbreaking software on the device to modify his iPhone.  That’s not a security vulnerability in the iOS, because, as you well know, no OS has a security model that can be designed or is designed to prevent installation of software by an authorized user, nor has such installation ever been deemed to be a security vulnerability, even when a user is duped into installing a malware bearing Trojan.

The latest vulnerability in Flash, however, like the seemingly infinite series of its predecessors, is a drive-by vulnerability, that is, by simply going to a compromised website, a user’s computing device is infected without his knowledge and without his being able to do anything to prevent the infection, other than either disabling Flash, which is my favorite option, or simply playing a game of chance in an effort to avoid any infected website.  That type of drive-by vulnerability is a security vulnerability and has always been regarded as such, because it happens without the user doing anything to install the malware. 

So your statement, supra, that Flash’s latest security vulnerability is just like jailbreaking the iPhone and like other security vulnerabilities in any complex OS is utterly false, and you know it.

Adobe’s problems with Flash are that Flash was never designed with security in mind and that Adobe has loaded Flash with more and more features to the point that it has become a kind of quasi operating system.  Adobe has designed Flash in an effort to usurp the operating systems that its runs on, in an effort to become the de facto platform for animation, video, and graphics and, in so doing, reduce the underlying operating system to irrelevance, at least for those functions.  The result has been a piece of software that is bloated, is full of realized and potential security vulnerabilities, is buggy in the extreme, consumes too much energy on all devices, limits the ability of developers to fully exploit the capabilities of the underlying operating system, and is a performance sapping piece of crap.  That is the nature of Flash, and there is no remedy for it but to end it.

Nemo

Dear here2serve:  Adobe’s press release says that Mac, Windows, Linux, and Solaris are vulnerable to this latest security fault in Flash.  Flash is Adobe’s software, and as such, Adobe’s expertise on Flash is presumed to exceed all others, so let’s take their word when the say that all of the operating systems, supra, are vulnerable.

Lee Dronick

I doubt Authplay.dll is on MAC. So what can actually happen on a Linux/MAC system?

It is Mac, not MAC, even Linux has a MAC.

Bosco (Brad Hutchings)

So your statement, supra, that Flash?s latest security vulnerability is just like jailbreaking the iPhone and like other security vulnerabilities in any complex OS is utterly false, and you know it.

Not if your premises and reasoning are in error, which they are grin. Jailbreaks on iOS use known, unrepaired vulnerabilities in either apps or the OS to gain root access so that they can copy files and install their workarounds. Why? Because there are no straightforward, easy, sanctioned, or safe ways to gain root access. Perhaps you remember a recent jailbreak where all the user had to do was visit a website in mobile Safari? I don’t remember Apple telling all iPhone users to stop using their browsers until the problem was fixed. That problem could very well have been used to install nefarious software or steal users data rather than free their phones from Apple’s petty tyrannies. Even the USB variety of jailbreaks expose ways that hackers could get control of your iPhone should they convince you to plug it into their computer or even your own computer running their software.

So far as security problems go, in practice, those ongoing iPhone vulnerabilities don’t put many people at risk, so long as users update regularly. Similarly, Flash vulnerabilities don’t put many at risk, so long as users update regularly.

If you or anyone expects that any person or company can ship software on the scale of an OS, a browser, or a mutlimedia plugin that is free of vulnerabilities, you just don’t understand what software is or how these vulnerabilities creep in. Over the past 20 years of the Internet age, what good developers have figured out is that disclosure, including warnings about what they believe to be the theoretic bounds of risk, is both the most pragmatic and most responsible policy, followed by timely fixes with urgency commensurate with actual risk and which are robust enough to fix the problem. Adobe is consistently excellent in this regard.

And I might add, the emergence of Flash as the default mobile API is going to cause acres and acres of heartburn here. I recommend this video as shock therapy to understand why. I recommend Pepcid AC (or store branded alternatives) for heartburn prevention.

Nemo

Nope:  My premises are correct, as is proved by your example.  The example that you cite was a security vulnerability, as are the ceaseless series of vulnerabilities in Flash.  Apple acknowledge that vulnerability and fixed it.  The other jailbreaking techniques for the iPhone require, unlike the instant Flash vulnerability and all the other Flash vulnerabilities that preceded it, that the user intentionally or, in the case of a Trojan, inadvertently install the malware.  Installation by the user is not a security vulnerability, whereas drive-by installation of malware, such as is true for the current and prior Flash vulnerabilities, is a security vulnerability.  The proof is that an OS’s maker is expected to fix drive-by, self installing vulnerabilities, while vendors don’t fix and no one expects them to fix malware problems that require and are caused by the user installing the malware.

Once again, you, Bosco, know all of this and are now simply arguing in bad faith.

Bosco (Brad Hutchings)

Nemo, read up on how jailbreaking works. Here’s a recent entry from the history of exploits:

March 13, 2011—Comex posts a tweet about finding an exploit in the new iPad 2. Also posted a picture of it running Cydia.

With any of these exploits that are installed via PC, intention is not needed. The device simply needs to be plugged into a computer via USB. With the last jailbreakme.com exploit, the device simply needed to visit a web page. The jailbreak developers use the exploit for a noble purpose. Rogue developers wouldn’t have to show such restraint.

The point is that just as Adobe will continue to discover Flash exploits, Apple will continue to discover iOS exploits. Everyone, Apple included, lives in a glass house because that is the nature of software as it gets to that size. If an exploit can be used to jailbreak, it can damned well be used to steal user information.

emozion

I am sick and tired of this Flash crap. I just removed it from my system, let’s see how long I can go without?

iphonzie

The Adobe Security Advisory states that they…

expect to make available an update for Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, and Solaris on Friday, April 15, 2011

So, Flash update for non-mobile devices tomorrow, Acrobat in June.

No word on Android Flash fix. Does anybody even know how Joe Blow who bought a random HTC phone from the local Verizon sales guy will get the update?

Bosco (Brad Hutchings)

Does anybody even know how Joe Blow who bought a random HTC phone from the local Verizon sales guy will get the update?

Yes, somebody knows. In fact, about 1.5x as many people who have an iPhone know. They get a notification in the notification bar just like they do for texts, email, alarms, new high scores, and all sorts of other stuff. The notification tells them there is an update available to Adobe Flash and AIR runtime available through Android Marketplace. Many will have Flash on auto update and it will just do it without bothering them.

Does that answer your question?

iphonzie

Does that answer your question?

Yes. The answer is “at least 1”. I truly doubt that “1.5x as many people who have an iPhone know” - only a fraction of Android users even know what Flash is.

Also, try Googling:
not compatible with the Android Market

Good to know many Android users will have access to this critical security patch whenever Adobe gets around to fixing it, though.

Log-in to comment