Adobe issues an emergency fix for Flash Player flaw

But Microsoft should stop embedding Flash in Office files
Thu Apr 14 2011, 13:16

SOFTWARE DEVELOPER Adobe will release a Flash Player update tomorrow, moving very quickly to plug a zero-day vulnerability found earlier in the week.

The fix will be made available for Flash Player on Windows, Mac OS X, Linux and Solaris. Hackers are already launching attacks by using Flash (.swf) files embedded in Microsoft Word (.doc) files sent as email attachments.

There is also a vulnerability in the Windows Authplay.dll component shipped with Adobe Reader and Acrobat, but fixes for this software will appear at later dates for Windows and Mac OS X.

Adobe is releasing this update pretty quickly, helped in part by its increased cooperation with the security people at Microsoft. But buggy software isn't the real problem, said F-Secure's chief security researcher, Mikko Hypponen.

Speaking with The INQUIRER in London he said, "It's the fact that [Adobe software] has such a huge market share. Flash has a bigger market share than Windows!"

Hypponen said he didn't understand why Flash needed to be embedded in Word files and, in an earlier case, Excel files.

"Could somebody explain that to me? Because I can't. But it's supported, and it's a hole," he said. "Most people need it in the browser - not in their Office applications."

Comments
PowerPC Apple users

As usual this won't be released for PowerPC OS X. They won't fix the 10.1 version either.
Thanks to them for making me used to flashblock-type plugins.

posted by : Ilgaz, 15 April 2011
Just another ActiveX control

It's the curse of component software. Word and Excel will happily embed any component that is installed on your system. An ActiveX control looks just like an embeddable document format, like embedding an Excel worksheet or chart in a Word document. Office programs are probably more vulnerable than web pages at this point, because they don't use the 'safe for scripting' or 'safe for initialization' rules that IE checks for before loading a control, and they don't honour the 'kill bits' that are periodically updated by Microsoft - there was an update on Tuesday to kill some more known-bad components.

Office 2010 will not allow editing of a file downloaded from the Internet, as long as you saved it with a program that uses Windows XP SP2's 'attachment security' interface to taint the file. (You have to click 'Enable Editing' in the gold bar.) I don't know if that's enough to stop vulnerable components being initialized though.

I don't think there's anything practical that Adobe can do to prevent Word and other OLE Document containers from embedding a Flash player. IE doesn't have any other extensibility model - they have to provide an ActiveX control.

posted by : Mike Dimmick, 14 April 2011
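As an added example (not code from the article, from Adobe or Microsoft, or from either commenter), here is a small Python triage scanner that covers both the article's point that attackers were mailing .doc files with .swf content embedded in them and Mike Dimmick's point that Office will embed any installed component: it looks for the well-known CLSID and ProgID of the Flash Player ActiveX control and for SWF file headers, in a binary .doc scanned as one blob or in each part of a .docx zip. The sample documents are constructed byte strings, the SWF version/length sanity bounds are our own choice rather than anything from the SWF specification, and the attribute names in the mock activeX part are illustrative.

```python
import io
import re
import uuid
import zipfile

# Well-known CLSID and ProgID of the Flash Player ActiveX control; these are the
# identifiers an OLE container records when a Flash object is embedded.
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
FLASH_PROGID = b"ShockwaveFlash.ShockwaveFlash"

# Sanity bounds (our own choice, not from any spec) so the 3-byte SWF magic is not
# reported every time "FWS" or "CWS" happens to occur in unrelated bytes.
MAX_PLAUSIBLE_SWF_VERSION = 50
MIN_PLAUSIBLE_SWF_LENGTH = 9
MAX_PLAUSIBLE_SWF_LENGTH = 256 * 1024 * 1024


def find_flash_indicators(data: bytes) -> list:
    """Return indicators of embedded Flash content in raw bytes, sorted by offset."""
    hits = []
    # 1. CLSID as stored in binary OLE2 streams: Data1..Data3 little-endian, Data4 as-is.
    for m in re.finditer(re.escape(FLASH_CLSID.bytes_le), data):
        hits.append({"offset": m.start(), "kind": "clsid-binary"})
    # 2. CLSID as text, e.g. in an OOXML activeX part or an RTF object description.
    for m in re.finditer(re.escape(str(FLASH_CLSID).encode()), data, re.IGNORECASE):
        hits.append({"offset": m.start(), "kind": "clsid-text"})
    # 3. ProgID string used by OLE object descriptors.
    for m in re.finditer(re.escape(FLASH_PROGID), data):
        hits.append({"offset": m.start(), "kind": "progid"})
    # 4. SWF header: "FWS" (uncompressed) or "CWS" (zlib), 1 version byte, LE32 length.
    for m in re.finditer(rb"[FC]WS", data):
        off = m.start()
        if off + 8 > len(data):
            continue
        version = data[off + 3]
        length = int.from_bytes(data[off + 4:off + 8], "little")
        if (1 <= version <= MAX_PLAUSIBLE_SWF_VERSION
                and MIN_PLAUSIBLE_SWF_LENGTH <= length <= MAX_PLAUSIBLE_SWF_LENGTH):
            hits.append({"offset": off, "kind": "swf-header",
                         "version": version, "length": length})
    return sorted(hits, key=lambda h: h["offset"])


def scan_document(data: bytes) -> dict:
    """Map part name -> indicators. OOXML files are zips, so each member is scanned;
    anything else (binary .doc/.xls, RTF, a bare .swf) is scanned as one blob."""
    if data.startswith(b"PK\x03\x04"):
        results = {}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                hits = find_flash_indicators(zf.read(name))
                if hits:
                    results[name] = hits
        return results
    hits = find_flash_indicators(data)
    return {"<raw>": hits} if hits else {}


# --- Constructed samples: only the byte patterns a scanner keys on, not real documents ---

# A mock binary .doc: OLE2 magic, padding, the CLSID, the ProgID and an SWF header.
SAMPLE_OLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24      # offsets 0..31
    + FLASH_CLSID.bytes_le                                   # offset 32
    + b"\x00" * 16
    + FLASH_PROGID + b"\x00"                                 # offset 64
    + b"\x00" * 8
    + b"FWS" + bytes([10]) + (1200).to_bytes(4, "little")    # offset 102
    + b"\x00" * 32
)

# A mock OOXML activeX part (attribute names illustrative, element shape simplified).
ACTIVEX_PART = (b'<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}" '
                b'ax:persistence="persistStreamInit"/>')

CLEAN_TEXT = b"Quarterly report text with no embedded objects at all."


def build_sample_docx() -> bytes:
    """Build a minimal zip laid out like a .docx that carries the mock activeX part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", b"<w:document/>")
        zf.writestr("word/activeX/activeX1.xml", ACTIVEX_PART)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("mock .doc", SAMPLE_OLE_DOC),
                        ("mock .docx", build_sample_docx()),
                        ("clean text", CLEAN_TEXT)):
        print(label, "->", scan_document(blob) or "no Flash indicators")
```

The point of scanning for the CLSID and ProgID as well as the SWF magic is that the container records the component it will load even when the SWF payload itself is compressed or stored in a form the 3-byte signature check does not see; a hit on any of the three is enough to pull a mailed Office attachment aside for manual review.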