INSECURITY EXPERTS claim to have uncovered attacks in the wild in which malicious Acrobat PDF files are exploiting a vulnerability in Flash and dropping a Trojan onto computers.
Symantec has warned that any software that uses Flash could be vulnerable to the attack. This means that Adobe Reader is also vulnerable because its Flash interpreter is targeted, too.
Adobe has admitted that it is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. It is planning an update soon, it said.
However, Adobe has recently been slammed for not updating its download site, which means that those who update their Adobe Acrobat readers and Flash software will be vulnerable until the software updates itself.
Writing in his bog, Patrick Fitzgerald said that the authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique.
Basically an attacker would entice a user to visit a malicious website or send a malicious PDF via email.
Once the unsuspecting user visits the website or opens the PDF this exploit will allow further malware to be dropped onto the victim's machine.
The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse.
The bug has been around since December but the exploit first appeared two weeks ago.
The hole is exploitable on Windows XP; Vista users are protected if User Account Control (UAC) is enabled, Symantec said.
The only cure seems to be to disable Flash until the problem is fixed. But we don't imagine most users will be doing that. µ
Is there another way to access the online statement without using Adobe?
I guess the reason why Citibank forces customers to use Adobe Flash is because the IT experts at Citibank are - what - morons?
I know that the Linux system is not vulnerable, just that it has better odds than MS, that's all!
What really needs to happen is for HTML5 to be ratified, then Flash and Silverlight will be eventually kicked into touch....
Adobe's Flash plug-ins are getting worse every day (or with each minor/major version). One simple Flash applet could slow and freeze a browser on a 2.8GHz system. What a great job, Adobe!
And talking about security, they never bother to update their plug-ins until it is too late. Come on! We know the bugs are there, please do fix them!
Or maybe it is time that we should explore other options too (e.g. JavaFX...etc).
@bazza (Download Manager thing)
One reason that these download managers are becoming fashionable is that there are too many leechers out there. And a download manager could be a means of making things a little harder...
I am running Firefox on my Ubuntu laptop. It does not automatically run flash adverts, thankfully. My last post was from prior experience with that crap plug in.
Yeah, that's what we need: another proprietary thing from Microsoft, a company well known for their concern about security and being multiplatform.
And don't tell me about Moonlight. This should be Microsoft making their thing working on other OSes, not users (and for free).
We all know that Adobe make some of the least secure and most bloated software out there. There is a constant stream of security bugs for Acrobat and Flash, not to mention all the times they simply kill your browser, and the auto updaters don't work on many corporate networks. And yet, people still prefer Flash over Silverlight. I just don't get it. Silverlight is easier to develop for, faster, and more secure. Why all the hate for Silverlight when it should be welcomed with open arms, if only because it's not Flash.
Adobe aren't looking too clever just now are they?
They're also becoming very ****ing annoying - tried downloading Adobe Reader recently? Because you can't - what you get is their poxy download manager that does the business for you.
But if all you want is a .exe so that you can avoid downloading it n times for n machines, tough. In the end I booted Linux then said I wanted the Windows version and most reluctantly they stumped up the .exe. Perhaps I should have stayed in Linux...
This download manager thing seems to be becoming very fashionable - you don't seem able to get an installer for anything anymore. Google Earth, Real Player, Flash, none are easily available as download-and-keep installers, which is a waste of my bandwidth and time.
And as for browser tool bars - why oh bloody why does everything from Java, Adobe, AVG, etc. etc. try and force on to you another search bar, browser, security product, office suite and new search providers? It's ****ing annoying.
I'm enjoying this rant - I'll carry on. Online apps? Oh what a piece of shit. Using Javascript to turn rubbish browsers in to bloated, slow and crap thin clients is an absolute joke. Anyone remember X servers? Wouldn't that be a better starting point? And why oh why would anyone in their right mind use something online (and therefore not reliably available) when you would be better off with open office and a memory stick.
No one seems to care about being efficient anymore, and it's costing us all a fortune in ISP fees :-(
Why aren't you using ad-blocking software or ad-blocking HOSTS files (check MVPS.org's)? I haven't seen a Flash ad in ages.
The worst use of Flash ads was (is?) on the INQ, which would sometimes have as many as THREE of the same ad on the page. Firefox on Linux would slow to a crawl because of its low-quality Flash plugin. It'd also push the body of the article down, or squeeze it into a tiny space to the left of the in-article ad. The INQ was one reason I actually took trouble to add the ad-blocking HOSTS file on a work Linux machine.
Flash and advert servers are one of the main reasons the net runs slow. Go to a heavy adverts site and watch all the advertisement (doubleclick and such) redirects that you wait for until the page finishes loading; it's getting out of hand. Then there is the resource hog, Flash. Don't believe me? Go to an all-Flash site (game publishers and car companies like it); the pages load like crap and suck. Ban Flash if you ask me.
DON'T fall into the fallacy that Linux makes you safe.
There is no reason why there might not be a Linux oriented payload in one of these attacks.
Escalating Root privileges on Linux is fairly easy :)
Assume you can be infected: it's the easiest method.
There are other PDF readers out there (some are much faster than Acrobat, although I hardly consider that an accomplishment).
Any ideas if they are also vulnerable to the attack?
The exploit requires Admin or Root privileges to successfully exploit the system. (Most typical "easy to use" Linux distros aren't using Root by default).
For those who are running Windows, it's best you start creating and using a Limited User Account (XP or lower) or Standard User Account (Vista or newer) as a new habit for 2009.
Suffice to say, Adobe is now becoming a laughing stock when it comes to security matters... I'll be glad for the day when we don't need crap like Flash, Silverlight, JavaScript, etc... Nothing but trouble.
Disabling Flash works fine. I've had it turned off for years to avoid ads.
Now, I can avoid viruses too. Sounds like a winner.
sj
Considering that the purpose of the Vista UAC is for users to run with standard permissions rather than as administrators, which gives write access to the system folders, and since Linux has this control anyway, i.e. SU or root, it should be A.OK
What about Linux? Or Android from the latest HTC phone?