Zero-day Exploit Hits Flash, Acrobat


Adobe is warning of a critical vulnerability in Flash Player and in Adobe Reader and Acrobat that affects every supported platform, including Mac OS X. There are no reports yet of Mac users being targeted, but the flaw is already being exploited in the wild against Flash Player on Windows.

The flaw can crash the affected application and could let an attacker take control of the victim’s computer. So far the attackers using it appear to be targeting Flash Player only; there are no reports yet of attacks through PDF files, although Reader and Acrobat are exposed as well because they ship their own copy of the Flash engine to play Flash content embedded in PDFs.

According to Adobe’s security advisory (the vulnerability is tracked as CVE-2010-2884), Flash Player 10.1.82.76 and earlier for Mac OS X, Windows, Solaris and Linux are affected, as is Flash Player 10.1.92.10 for Android. Adobe Reader 9.3.4 and earlier for Mac OS X, Windows and Unix, and Acrobat 9.3.4 and earlier for Mac OS X and Windows, are also vulnerable.

Mac users aren’t being targeted yet, but they can reduce their exposure: avoid untrusted Web sites, disable the Flash plug-in or use a click-to-play blocker so Flash content runs only on demand, and open PDFs in an alternative reader such as Preview or PDFpen. Anyone who must keep Reader or Acrobat can also cut off the PDF attack path by removing or renaming the bundled Flash playback component (authplay.dll on Windows, AuthPlayLib.bundle on Mac OS X), at the cost of losing Flash content inside PDFs. To tell whether a machine is running an affected build, compare the installed version strings against the versions listed above.

Adobe says it expects to ship the Flash Player update the week of September 27 and the Reader and Acrobat update the week of October 4.
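As an added example (not code from the article or from Adobe), here is a small Python script that checks the Flash Player and Adobe Reader/Acrobat builds installed on a Mac against the affected versions listed above. The Info.plist paths are assumed default install locations and may differ on your system; the check treats “and earlier” as any dotted version that compares less than or equal to the listed build, padding shorter versions with zeros so that 9.3 compares as 9.3.0. The products and ceiling versions are the ones from Adobe’s alert; everything else is illustrative.

```python
"""Check installed Adobe Flash Player / Reader / Acrobat builds on Mac OS X
against the version ceilings Adobe listed as affected (added example)."""
import os
import plistlib
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Highest affected build per product, as listed in Adobe's alert.
# "and earlier" means every build that compares <= this one.
AFFECTED_MAX: Dict[str, Version] = {
    "Flash Player": (10, 1, 82, 76),
    "Adobe Reader": (9, 3, 4),
    "Acrobat": (9, 3, 4),
}

# Default install locations on Mac OS X (assumption: your paths may differ).
INFO_PLIST: Dict[str, str] = {
    "Flash Player": "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist",
    "Adobe Reader": "/Applications/Adobe Reader.app/Contents/Info.plist",
    "Acrobat": "/Applications/Adobe Acrobat 9 Pro/Adobe Acrobat Pro.app/Contents/Info.plist",
}


def parse_version(text: str) -> Version:
    """Turn '10.1.82.76' (or '10.1 r82') into a tuple of ints; parsing stops
    at the first dotted component that does not start with digits."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad the shorter tuple with zeros so 9.3 compares as 9.3.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def is_affected(product: str, version_text: str) -> bool:
    """True if this build of `product` is at or below the affected ceiling."""
    installed = parse_version(version_text)
    if not installed:
        raise ValueError(f"unparseable version string: {version_text!r}")
    have, ceiling = _padded(installed, AFFECTED_MAX[product])
    return have <= ceiling


def installed_version(plist_path: str) -> Optional[str]:
    """Read the version string from an app or plug-in Info.plist;
    None if the bundle is not installed at that path."""
    if not os.path.exists(plist_path):
        return None
    with open(plist_path, "rb") as fh:
        info = plistlib.load(fh)
    return info.get("CFBundleShortVersionString") or info.get("CFBundleVersion")


def check_system(paths: Dict[str, str] = INFO_PLIST) -> Dict[str, Optional[bool]]:
    """Map product -> True (affected), False (later build), None (not installed)."""
    results: Dict[str, Optional[bool]] = {}
    for product, path in paths.items():
        version = installed_version(path)
        results[product] = None if version is None else is_affected(product, version)
    return results


if __name__ == "__main__":
    for product, state in check_system().items():
        label = {None: "not installed", True: "AFFECTED", False: "not affected"}[state]
        print(f"{product:12s} {label}")
```

Run it as-is to see a one-line verdict per product; the same comparison logic can be pointed at any other Info.plist by passing a different path map to check_system().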


16 Comments

Tiger

Whew. My phone is safe! grin

Khaled

ruh-uh

MOSiX Man

You forgot to include the word ‘Again’, in the title of the article.

I’m sure glad that I use Preview, rather than the bloated Acrobat Reader, and that I use ClickToFlash to block out all of the Flash I don’t really want or need to see or hear.

Dan

Waiting for Che Bosco’s comments…

MOSiX Man

Waiting for Che Bosco’s comments…

Rule number 1: Don’t encourage a horse to defecate while you’re standing right behind it.

Lee Dronick

Whew. My phone is safe!

I was going to make a snarky remark that from the iPhone you wouldn’t be able to use the www.residentevil-movie.com website. However, I tried it and lo it works! Must be HTML 5 or something modern. Now why couldn’t they just be Flash free on the page that loads on your Mac, or PC.

Bosco (Brad Hutchings)

The group yank-fest over this simply shows what you guys do not know about software security. The important thing is that the problem is identified, fixed in an orderly manner, and if it’s a new class of exploit (as it appears it might be), learned from.

Sorry to interrupt.

MOSiX Man

Wow. Please do enlighten us oh wise chocolate drink! Never mind. I forgot that you just presume to know more than the rest of us.

In reality, while it is important that the problem is identified and fixed in an orderly manner, it’s more important to start with software that is reasonably secure in the first place. Flash has proven itself to be a medium for more than its fair share of serious security exploits. (I honestly can say that I know about Acrobat’s security record.) That’s what we’re talking about here, and it’s a legitimate concern.

Kudos to Adobe for finding and reporting this security hole in a timely manner, but it seems likely that their software will eventually play host to other exploits that they might not catch until it’s too late.

redcorvette

Dan said: Waiting for Che Bosco’s comments…
Rule number 1: Don’t encourage a horse to defecate while you’re standing right behind it.

LOL I needed that chuckle this morning.

Nemo

So this is the great Flash, which runs so badly on the latest version of Android, version 2.2, Froyo, that it is unusable on any website that isn’t specifically designed for mobile devices, and which doesn’t work that well on any device, suffering another of its frequent, serial critical security flaws that make using the web on all but Apple iOS devices, which don’t implement Flash, a game of Russian Roulette. 

Well, once again our IT people began their day by disabling Flash on every computer, as I did last night on my personal computers. We are told that a fix can’t be expected until 27 September 2010. I wonder how much mischief will be done and money and man hours lost from now until the 27th.

This performance and security nightmare that is Flash is what Apple is supposed to welcome onto its iOS devices and into the world of mobile computing?

Bosco (Brad Hutchings)

it’s more important to start with software that is reasonably secure in the first place.

Good grief. The technique employed in this exploit looks to be an innovative one that could bear fruit in all sorts of software.

The most dangerous long-term security threat is people who have no humility about security and no understanding of the complexity of the problem. If you did, your reaction would be more “sorry it had to be them (glad it wasn’t us)”.

As much fun as it is jumping on Apple missteps, you didn’t see me crowing about Safari on Windows getting bit by the DLL substitution bug last month. In a funny twist of irony, the cross-platform tool I use (REAL Studio) produced apps immune to that bug because someone at REAL Software was very careful (well, paranoid) when he wrote the DLL loader several years ago. I look at that as good luck. Ah, but anyway, when your opponent suffers bad luck, it’s fun to blame them. Resume…

computerbandgeek

REAL Studio

Man I haven’t looked at REAL Studio in years. Is it still working well? I was always concerned about how it would handle hardware interfacing, such as working with a webcam. How does it do with things like that? It’s a really neat idea though!

Bosco (Brad Hutchings)

Funny. It’s worked with webcams very well for a few years. MBS Plugin for the Mac side, Windows Functionality Suite for Windows. Of course, back when it first started to work with webcams, it was called REALbasic.

You can find more information here.

computerbandgeek

I’ll be honest, I didn’t look that closely into it. But now I’m interested. Thanks!

Bosco (Brad Hutchings)

When you download a trial, get on the NUG mailing list. Smart people there to help you out and point you at the right things. As to webcams… took me about a day to get a Mac/Windows module working for my “Share from” products. Not sure it’ll get rolled into a release any time soon, but it was easy enough.

Bosco (Brad Hutchings)

I just found out about a very cool app for iPad that was approved recently after 6 months in the review queue. Why so long? Because it was made with Flash Packager.

I’d also recommend the developer’s story about the wait. He truly believes the App Store is a valuable place for him to be, but was hurt by what Apple did in March.

I think if you’re going to be a Flash hater, this would be a good $0.99 to invest to see if you can stomach the effects of your hate. I kinda wish I could just gift it to 20 of you.
