Latest Adobe Security Advisory for Flash Player

[26Dolphins]

Read it here.

Most dissapointing is the release date of a fix, two weeks from now.
Almost looks like Adobe is competing against MS as to which company takes longer to patch vulnerabilities

[Anupam]

I too saw this just a while ago on some blog. Its really sad to see such a state. Adobe products are like a mine of vulnerabilities. No sooner they fix some vulnerabilities, there are more to crop up.

The vulnerability affects Flash Player on Windows and even Android phones.
Adobe Reader is also affected.

With Flash Player so much widespread across all over the world, and over so many sites, from YouTube, to flash games to whatever... just think how many systems are at risk of being affected. Sad.

I scanned the system with Secunia again, and this advisory has made its way into Secunia too.

[bo.elam]

Quote:

Originally Posted by Anupam

I too saw this just a while ago on some blog. Its really sad to see such a state. Adobe products are like a mine of vulnerabilities. No sooner they fix some vulnerabilities, there are more to crop up.

The vulnerability affects Flash Player on Windows and even Android phones.
Adobe Reader is also affected.

With Flash Player so much widespread across all over the world, and over so many sites, from YouTube, to flash games to whatever... just think how many systems are at risk of being affected. Sad.

I scanned the system with Secunia again, and this advisory has made its way into Secunia too.

I was going to say pretty much what you are saying but I think it should
be added that the reason why Flash is attacked so often is because, since
the usage is so widespread, is profitable for malware writers to exploits
programs like Flash. Its easy to infect people, exploiting Flash, because
most of us have installed and use Flash. Every time a new version comes
out and cover some wholes, there is always going to be new ones. It s
just how it is and that wont change soon. So even though Flash is the only
program that I have from Adobe, I personally don't complaint about their
security holes because I can understand the problem and realize that they
take a long time to fix their problems because usually, like this one, they
affect more than one of their products.
Things like this is what makes, in my opinion, NoScript great. I, for instance,
block Flash 100% and only allow it on Youtube and some times, rarely, on
other sites, but ads that use Flash and that kind of stuff, I just don't see it
at all.

Bo

[vasa1]

Steve Jobs won't be shedding too many tears.

[Anupam]

Bo, you are right, and I agree with you, that since Flash Player is so widespread, therefore too, there are a lot of vulnerabilities that crop up. But still, its a thing to worry because ultimately, in present times, you cannot avoid Flash... its just everywhere. So, the risk is really a lot. Adobe Reader has alternatives, but flash does not. That's the problem too.

I have stopped using NoScript for two reasons. First, Firefox seems to respond faster without it. Second, there was a controversy associated with NoScript sometime back, and the developer himself had admitted his mistake. That made me think about using it, or not. When I discovered that it made Firefox slow a bit, I stopped using it altogether. Felt a little unsafe in the start, but now its OK. I am living without it.

[bo.elam]

Anupam, NoScript actually makes pages open faster because there's much
stuff not been displayed as is being blocked, so maybe you ought to try it
again. I have every thing blocked including frames and IFrames and only allow
some of the content to be displayed on Youtube, Virus Total, Jottis and a
a couple of places where I DL videos like Rapidshare. I think the developer
for NoScript does great benefit to all surfers around the World and even
though he had some problems with Mr Pallant, that does not bother me as
I use both, NoScript and Adblock Plus.

Bo

[26Dolphins]

Hi,

My disappointment has to do with the fact that any vulnerbility found/ exposed, no matter how critical or widespread it is, is always addressed by Adobe within their scheduled updates.
The fact that there isn't an alternative to Flash makes the whole situation even more frustrating.


*Off topic*

Quote:

Originally Posted by bo.elam

...
even though he had some problems with Mr Pallant, that does not bother me as
I use both, NoScript and Adblock Plus.

Bo

If I may, you're missing the point when you state "he had problems with Mr Pallant".
Mr Maone coded his extension to inject a filter-set in AdBlock Plus which prevented AdBlock Plus from blocking ads on his sites. So, users of both extensions were served ads on Mr Maone's sites, without being asked if they wanted to and with no means to change this situation (Mr Maone, some how, forgot to include it in the release notes).
When this first broke out, his first reaction was to just add a screen informing the user about it and an option to change it later, not through NoScript's interface, but going into AdBlock's options.
This was the doing of a developer who's own extension also offers the option to block any Flash based ads on any site on the Internet.

So, if you really think about it, this was not "just" a (personal) problem between Mr Maone and Mr Pallant (though messing with someone else's stuff without consent is serious), but a misuse of NoScript-user's trust.
It's bad enough that he whitelists all his sites, plus googlesyndication.com, in NoScript by default.

[bo.elam]

@26dolphins, the problem this 2 gentleman had, in my opinion, is a problem
between them and its solved, so I don't bother with it and every body makes
mistakes some time and that includes Mr Maone. In my opinion Mr Maone
learned from his mistake and if he is ever again in a similar situation, lets
hope he does not commit it again.
Whenever I install NS, the first thing I do is clear all the white listed sites,
it only takes about 10 seconds, so that's no big deal for all the protection
we get out of NoScript.

Peace my friend
Bo

[26Dolphins]

Read it here.

Quote:

We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux, and Android by November 9, 2010. We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010.

[Anupam]

Quote:

Originally Posted by 26Dolphins

Read it here.

Thanks 26Dolphins. I was going to post about this, but you did . Just in the morning, I ran PSI and found this vulnerability.

The vulnerability in Flash Player is a zero-day vulnerability. I wish they would release an update sooner than they plan to. If everyone was as fast as Mozilla.. sigh.