
Another Adobe Security Flaw

Can we puh-lease stop referring to Adobe with any word that has any meaning remotely connected to security?
Adobe today confirmed that hackers are exploiting a critical unpatched bug in Flash Player, and promised to patch the vulnerability in two weeks.
The company issued a security advisory that also named Adobe Reader and Acrobat as vulnerable.
"There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat," said Adobe in its warning. The company said it's seen no sign that hackers are also targeting Flash Player itself.
So how does one protect a computer from being pwned by Adobe’s insecure software? By disabling the software you depend on:
Security experts have regularly criticized Adobe Flash's security, with some questioning the company's decision to integrate the media player's capabilities within the almost-as-popular Reader. Adobe has countered those arguments with its own, saying that many users rely on the functionality.
Until a patch is available, users can protect themselves from active attacks by deleting the "authplay.dll" file that ships with Reader and Acrobat. It gave the same advice in June when the earlier Flash vulnerability was reported.
Dumping authplay.dll, however, will crash Reader and Acrobat or produce an error message when the software opens a PDF file containing Flash content.
So the choices are:
1. Use Adobe software and let your computer be pwned by an as-yet-anonymous ‘hacker’
OR
2. Disable the software, and not be able to use it.
Remind us again... why does anyone use Adobe software?
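As an added example (not from the original post, and not Adobe's own guidance beyond the "delete authplay.dll" advice quoted above), the following PowerShell script applies that workaround in a reversible way: it looks for authplay.dll under the Adobe folders in both Program Files trees (an assumed install location) and renames the file instead of deleting it, recording the file version first, so it can be put back once the promised patch ships. The `-Restore` switch is part of this example only.

```powershell
# Added example: reversible version of the "delete authplay.dll" workaround.
# Assumption: Reader/Acrobat are installed somewhere below
#   %ProgramFiles%\Adobe or %ProgramFiles(x86)%\Adobe.
# Run from an elevated PowerShell prompt; Reader/Acrobat must be closed.
param([switch]$Restore)

$suffix = '.disabled'
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Adobe' } |
    Where-Object { Test-Path $_ }

if ($Restore) {
    # Put the renamed files back after patching.
    $files = foreach ($root in $searchRoots) {
        Get-ChildItem -Path $root -Filter "authplay.dll$suffix" -Recurse -ErrorAction SilentlyContinue
    }
    foreach ($f in $files) {
        Write-Host "Restoring $($f.FullName)"
        Rename-Item -Path $f.FullName -NewName 'authplay.dll'
    }
    exit 0
}

# Locate every copy of the Flash runtime DLL that Reader/Acrobat ship with.
$files = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter 'authplay.dll' -Recurse -ErrorAction SilentlyContinue
}

if (-not $files) {
    Write-Host 'No authplay.dll found under the Adobe folders; nothing to do.'
    exit 0
}

foreach ($f in $files) {
    # Record what was present before disabling it, for the change log.
    $ver = $f.VersionInfo.FileVersion
    Write-Host "Disabling $($f.FullName) (file version: $ver)"
    Rename-Item -Path $f.FullName -NewName ($f.Name + $suffix)
}
```

Renaming rather than deleting keeps the Reader/Acrobat behaviour the quoted article describes (Flash content inside PDFs will fail or produce an error) while leaving a one-command path back to normal operation after the fix is installed.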
Worse?! How Could I Possibly Make it Worse?!

How do you take a horrible security situation and make it worse? Add a can of Microsoft to the mix!
NEW YORK — Shares of Adobe soared in heavy trading Thursday on a report that Microsoft CEO Steve Ballmer discussed a possible buyout of the company.
A report posted in the "Bits" blog of The New York Times said Ballmer recently met with Adobe CEO Shantanu Narayen to talk about Apple's control of the cell phone market and how Microsoft and Adobe could work together to fend off the iPhone maker.
It was in this context that a possible buyout of Adobe by Microsoft Corp. came up, according to The Times.
There is absolutely no reason to believe this is not a true and accurate report. It fits a pattern of past behavior in which Microsoft has engaged, most recently with the courting of Yahoo!. This is the second stunning admission Microsoft has made in the past few days: put simply, Microsoft cannot innovate, so it must acquire.
The first? Oh, just a little something Microsoft cooked up to let it seize control of the internet:
Virus-infected computers that pose a risk to other PCs should be blocked from the net, a senior researcher at software giant Microsoft suggests.
The proposal is based on lessons from public health, said Scott Charney of the firm's Trustworthy Computing team.
It is designed to tackle botnets - networks of infected computers under the control of cybercriminals.
Putting machines in temporary quarantine would stop the spread of a virus and allow it to be cleaned.
"Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society," he said in a blog post.
Here we have the most clear, concise, tacit admission that Microsoft is completely incapable of writing secure software.
Never once do we see in this report what software is running on the majority of those ‘bot-nets’ to which Microsoft refers. Why, that would be Microsoft Windows. So if one were to assign blame and fault, naturally all heads would turn to Microsoft for creating and - more importantly - sustaining the problem in the first place.
Microsoft should be dropped like a bad habit immediately for even suggesting a guilty-until-proven-innocent model in the first place. All free people should be outraged at the very thought, and disgusted and repulsed that it was ever given utterance in public in the first place. One should not have to ‘prove’ a fit computer to navigate the internet. If Microsoft truly wants that model, then perhaps Microsoft should have to prove it has a secure OS in the first place.
There are two great problems with the model Microsoft suggests. First, who will decide which computers are “healthy” and which are not? And second, who is watching the watchers? We undoubtedly know who Microsoft chooses for the task: itself. We offer up Microsoft’s security track record since November 1985 as the entire case on why Microsoft should never be allowed anywhere near the task.
But then - to combine two companies with abysmal security track records? Exactly what reason does the average victim of Microsoft or Adobe insecurity have to believe the combined company will get better? Both companies have a track record of security failure after security failure going back at least a decade. They have nothing to bring to the table that would justify considering them experts on security, even by the greatest stretch of human imagination.
So then who will be watching the completely unfit watcher? We are still convinced Microsoft will suggest AdobeSoft (or MicroDobe) should be given that power. And we are equally convinced Microsoft will suggest it be allowed to self-police. We would agree to this insanity on one condition: AdobeSoft, by force of law, is completely unshielded from liability when a “healthy” computer is blocked, and it pays a minimum $10,000 fine directly to the owner of the computer for each instance.
If Microsoft is at all confident in its ability to organize and run such a system, then let them put up the bond and finance a court specifically for adjudicating the ‘mistakes’ Microsoft’s track record has shown they will make. Let those aggrieved get direct compensation, and let the market take its course. Short of that, everyone who cares a single whit about freedom and security should let it be known they will not stand for such an intrusion by a company more known for its bungling than true security.
Shame on you, Microsoft.
Adobe on Security

Ok, you can stop laughing. We know using “Adobe” together with “security” is cause for raucous laughter. Funny, despite all their protestations about security, it would seem Adobe isn’t laughing anymore either:
BREAKING ITS MONTHLY PATCH CYCLE, Adobe has issued emergency fixes for its Reader and Acrobat software products.
The firm released fixes for twenty three vulnerabilities that exist in its software packages, issues that could have affected machines running Windows, Macintosh and Unix. Not sensational enough? Well, the update is tagged as 'critical'.
The vulnerabilities, which affect a long list of versions - deep breath, Adobe Reader 9.3.4 and earlier versions on the Windows, Macintosh and Unix platforms, and Adobe Acrobat 9.3.4 and below on Windows and Macintosh, and Adobe Reader 8.2.4 and below and Adobe Acrobat 8.2.4 and below - could have let a remote attacker take control of systems or make them crash.
Please allow us to highlight a passage from the above paragraphs:
“The firm released fixes for twenty three vulnerabilities that exist in its software packages...”
Can we please stop pretending that Adobe even lives in the same zip code as security, let alone the same neighborhood?
We are of the mind the next time anyone claiming to be a ‘security expert’ uses the words “security” or “productivity” or “stable” in conjunction with the words “Adobe” or “Flash” or “Reader”, they be rolled in Alpo and thrown to a pack of starving poodles.
Somebody Should Have Warned Us!

Someone should have spoken up about the security problems in Adobe Flash!
... oh, wait. Someone did:
Third, there’s reliability, security and performance.
Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.
So it shouldn’t come as a huge surprise that there are security problems with Adobe Flash:
Adobe revealed a critical zero day flaw in Adobe Flash--the second in less than a week. The vulnerability extends even to Adobe Flash on the Android mobile OS, supporting at least one of the reasons laid out by Steve Jobs for not allowing Flash on the iPhone and iPad.
An Adobe spokesperson contacted me and shared that, "A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris and Android operating systems. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh."
In a nutshell, the critical flaw could be exploited to crash the affected system, or may even allow an attacker to gain access and control it to execute additional malicious software. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player, but Adobe is not aware of any attacks exploiting it against Adobe Reader or Acrobat thus far.
The Adobe spokesperson explained, "Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date."
In a nutshell, instead of doing all they can to prove Apple wrong, Adobe is even going so far as to off-load the problem on third-party security software, which one may-or-may-not have, to deal with the mess.
Perhaps it is wise to go back, re-read the entirety of Thoughts on Flash, and pay heed to the sage advice therein. It isn’t as if Adobe has been moving mountains to prove Apple or Steve Jobs wrong.
What a Shock

This seems to be the only problem we have with Safari. It’s kind of spooky...
It’s almost as if Steve Jobs was right!
