Tuesday, September 21, 2010

Adobe Flash Player Updated to v10.1.85.3

--
Adobe has successfully hidden from the public, apart from on their two security pages, the fact that a 'Critical' security update was posted to their website on Monday. The Adobe download page simply says you're downloading version 10.1, the same as last week, which is a worthless statement!

So, grumble, let me do their job for them and let you know that:

A) The current version of Adobe Flash Player for Mac that is up on the Adobe website IS indeed the promised updated version.

B) The previous (vulnerable) version of 'Flash Player.plugin' was 10.1.82.76.

C) The new updated version you're installing is 10.1.85.3.

To confirm which build you actually have, select /Library/Internet Plug-Ins/Flash Player.plugin in the Finder and use Get Info; the version is shown there. Anything below 10.1.85.3 is still the unpatched plug-in.

The inevitable rant:

Why this has to be a secret is beyond comprehension. I sniff the scent of some Marketing Moron at Adobe in the air who is attempting spin control by hiding the fact that Adobe has had to provide 'out of band' security updates to Adobe Flash Player EVERY MONTH THIS SUMMER. Sorry marketing kiddies, but facts are facts. You are directly damaging customers by hiding updates from them. This is why I call you Marketing Morons! Get it? Drop an anvil on your head, or whatever it takes, and turn yourselves into beneficial Marketing Mavens and HELP YOUR CUSTOMERS! Otherwise get out of the business and benefit the world by your absence.
--

Saturday, September 18, 2010

Adobe Flash Player Security Update:
Moved Up To Monday, September 20th

--
Adobe has announced that it has moved the critical security update for Flash Player up to Monday, September 20, 2010.

Be sure to grab the update ASAP, as the security hole it patches (CVE-2010-2884) is being exploited in the wild on at least Windows boxes. So far no known exploit targets Mac OS X, but the Mac plug-in (10.1.82.76 and earlier) is affected all the same, so don't treat the lack of a Mac exploit as a reason to wait.

You can read Adobe's announcement here:

Schedule Update to Security Advisory for Adobe Flash Player (APSA10-03)

Meanwhile, the critical security updates for Adobe Reader and Acrobat remain scheduled for the week of October 4, 2010.

--

Tuesday, September 14, 2010

NEWEST-New CRITICAL Adobe Security Holes
déjà vu déjà vu déjà vu...


--
Question: What is the point of 'in band' quarterly Adobe security updates when this stuff keeps repeating month after month after month?

SHORT VERSION:

Don't use Adobe Reader, Adobe Acrobat, or Adobe Flash until yet-another-nother set of 'out-of-band' security updates is available. Each of these applications has a NEW security hole that is being exploited IN THE WILD.

[...Hysterical laughter is heard from some distant room...]

Temporary fix options:

A) PDF Viewing

Use Preview, provided with Mac OS X, for all PDF file reading. With the Adobe plug-in gone, Safari falls back to its own built-in PDF display.

Delete the Adobe PDF Viewer Internet plug-in. You will find it here:
/Library/Internet Plug-Ins/AdobePDFViewer.plugin

Delete Adobe Reader 9. You will find it here:
/Applications/Adobe Reader 9
B) Flash Playing

Control Flash in your web browser and/or delete Flash Player:

There are several options for taking control of Flash in your web browser. I personally use ClickToFlash for Safari and other WebKit browsers, as well as Flashblock for Firefox. Keep in mind that these blockers stop Flash content from loading until you click on it; the vulnerable plug-in is still installed, so they reduce exposure rather than remove it.

OR

Just delete Adobe Flash Player from your computer.

How to remove Adobe Flash Player:

Check to see if you have the 'uninstall_flash_player_osx.dmg' file and run it. It should be located here:
/Applications/Adobe Flash Player/uninstall_flash_player_osx.dmg

OR

You can find and remove the Flash web plug-in files here:
/Library/Internet Plug-Ins/Flash Player.plugin
/Library/Internet Plug-Ins/flashplayer.xpt

Also check the per-user plug-in folder, which browsers load just the same:
~/Library/Internet Plug-Ins/

After deleting the Adobe Flash Player files, be sure to quit and then relaunch your web browsers in order to clean Flash Player out of memory; a browser that is still running keeps the old plug-in loaded.
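The removal steps above and the version numbers from the September 21 entry (10.1.82.76 vulnerable, 10.1.85.3 fixed) come together in the following check. This is an added example, not code from the original post or from Adobe. It reads CFBundleShortVersionString out of a plug-in bundle's Contents/Info.plist (an assumption: that this is the key under which the Flash Player plug-in records its version), compares it component by component against the fixed version, and looks in both the system-wide and the per-user Internet Plug-Ins folders. Because a real Flash Player.plugin will not be present on every machine, the script also exercises itself against a constructed Info.plist that is labelled as such. It reports only; the deletion stays a manual step.

```shell
#!/bin/sh
# Added example (not from the post or from Adobe): report whether the Flash
# Player plug-in on a Mac predates 10.1.85.3, the build Adobe shipped for
# CVE-2010-2884. Reports only; it deletes nothing.

FIXED_VERSION="10.1.85.3"   # version named in the September 21 entry

# version_lt A B: true (exit 0) when dotted version A sorts before B.
# Each component is compared as an integer, so "10.1.9" < "10.1.82";
# components must be numeric (which Adobe's build numbers are).
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 0; fi
    if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 1; fi
  done
  return 1   # versions are equal
}

# plist_version FILE: print CFBundleShortVersionString from an XML Info.plist.
# Assumption: the Flash plug-in bundle stores its version under that key.
# The file is joined into one line first so key and value are matched
# together regardless of the whitespace between them.
plist_version() {
  tr -d '\n' < "$1" |
    sed -n 's/.*<key>CFBundleShortVersionString<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# assess_plugin BUNDLE_DIR: print "absent", "unknown", "vulnerable <v>" or
# "patched <v>". Always exits 0 so it is safe to call under set -e.
assess_plugin() {
  plist="$1/Contents/Info.plist"
  if [ ! -f "$plist" ]; then echo "absent"; return 0; fi
  v=$(plist_version "$plist")
  if [ -z "$v" ]; then echo "unknown"; return 0; fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "vulnerable $v"
  else
    echo "patched $v"
  fi
}

# Constructed Info.plist (not a real Adobe file) so the check can be exercised
# on any machine; the version string is the vulnerable build from the advisory.
demo=$(mktemp -d)
mkdir -p "$demo/Flash Player.plugin/Contents"
cat > "$demo/Flash Player.plugin/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleShortVersionString</key>
  <string>10.1.82.76</string>
</dict>
</plist>
EOF
echo "constructed sample: $(assess_plugin "$demo/Flash Player.plugin")"
rm -rf "$demo"

# Real locations on Mac OS X: the system-wide folder the post names, plus the
# per-user folder, which a browser loads just the same.
for dir in "/Library/Internet Plug-Ins" "$HOME/Library/Internet Plug-Ins"; do
  echo "$dir/Flash Player.plugin: $(assess_plugin "$dir/Flash Player.plugin")"
done
```

Run it with sh. A "vulnerable" line for either folder means the files listed above are still there and still old; remove them (or run Adobe's uninstaller), then quit and relaunch every browser, because a running browser keeps the old plug-in mapped in memory regardless of what is on disk.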

~~~~~~~~~~~~~~

LONG VERSION:

Just when you thought your Adobe apps were safe, a dark sense of wariness creeps into your subconscious, followed by a sense of déjà vu as you read the latest news. I'll let Adobe give you the bad news. Here are the two pages at Adobe where you can find their security announcements:

Adobe Product Security Incident Response Team (PSIRT)

Adobe Security Bulletins and Advisories

The latest Adobe bad news, déjà vu déjà vu déjà vu (emphasis added is mine):


I) Security Advisory for Adobe Reader and Acrobat (APSA10-02)
Release date: September 8, 2010

Last updated: September 13, 2010

Vulnerability identifier: APSA10-02

CVE number: CVE-2010-2883

Platform: All

SUMMARY

A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

We are in the process of finalizing a fix for the issue and expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

Please note that these Adobe Reader and Acrobat updates represent an accelerated release of the next quarterly security update originally scheduled for October 12, 2010. With this accelerated schedule, we do not plan to release any new updates for Adobe Reader and Acrobat on October 12, 2010.

AFFECTED SOFTWARE VERSIONS

Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

MITIGATIONS

Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited. For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited. Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.

SEVERITY RATING

Adobe categorizes this as a critical issue.

DETAILS

A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of public exploit code for this vulnerability.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

We are in the process of finalizing a fix for the issue and expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010. These updates will also address the issue referenced in Security Advisory APSA10-03 (CVE-2010-2884).

Please note that these Adobe Reader and Acrobat updates represent an accelerated release of the next quarterly security updates originally scheduled for October 12, 2010. With this accelerated schedule, we do not plan to release any new updates for Adobe Reader and Acrobat on October 12, 2010.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.

ACKNOWLEDGMENTS

Adobe would like to thank Mila Parkour of http://contagiodump.blogspot.com for working on this issue with Adobe to help protect our customers.

REVISIONS

September 13, 2010 - Updated information on the release schedule, and that the releases represent the next quarterly security update (originally scheduled for October 12, 2010).
September 10, 2010 - Added the Mitigations section with instructions for a mitigation option for Windows users.
September 8, 2010 - Advisory released.

II) Security Advisory for Adobe Flash Player (APSA10-03)
Release date: September 13, 2010

Vulnerability identifier: APSA10-03

CVE number: CVE-2010-2884

Platform: All

SUMMARY

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

AFFECTED SOFTWARE VERSIONS

Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android
Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

SEVERITY RATING

Adobe categorizes this as a critical issue.

DETAILS

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL:

http://blogs.adobe.com/psirt

or by subscribing to the RSS feed here:

http://blogs.adobe.com/psirt/atom.xml

ACKNOWLEDGMENTS

Adobe would like to thank Steven Adair of the Shadowserver Foundation for working with us on this issue with Adobe to help protect our customers.

~~~~~~~~~~~

And now for another rant:

This past week we learned that the first version of Adobe Flash Player had been released for Google's Android OS for smartphones. We also learned that it is a dreadfully buggy, slow, battery-consuming POS. Now we learn, if you read through the Adobe advisory above, that Flash Player 10.1.92.10 for Android has the same 'critical' security hole.

Both of these Adobe Flash problems were known over a year ago. Dr. Charlie Miller warned us that Flash is the single biggest source of pwnage security holes on the Mac OS X platform. Steve Jobs made it clear that Flash for Mac is a resource hog, verifiable by anyone with a brain (which apparently is not the case with Adobe's current CEO). It is no surprise that Flash turns out to be a resource hog on Android too, running as slow as a one-legged dog.

Conclusion: It's time for Flash to die.

Then what?

Contrary to popular mythology, there is no perfect replacement for Flash. The HTML5 <video> element promises to replace one Flash niche, video playback, with a plug-in-free alternative. (Yes kids. MPEG LA, which licenses the H.264 patents, announced in August 2010 that H.264 video delivered free to end users will stay royalty-free permanently; that is not quite the same as giving H.264 away to everyone for every use, but it covers the web video case.) Actual Flash applications will be harder to replace: games, slideshows, web page embedded applications, etc.

Once upon a time we dreamed that Java would take up these roles, and perhaps it may someday. But for now, Java is considered much harder to program in than Flash, slow to run, and it has security problems of its own. Ideally a Java app builder as easy as Flash will appear, one that enforces stringent security controls, safe memory management, decent speed and restrained CPU use. It could happen! For all I know, such a Java app builder already exists. Please post a comment if you have related information.

In the meantime, I'm supporting the death sentence for Adobe Flash.

Share and Enjoy,

:-Derek
--