
New Flash flaw could let attackers control Macs, Adobe urges users to update

post #1 of 61
Thread Starter 
Adobe on Monday disclosed a new vulnerability in its Flash platform that may allow attackers to remotely take over and control Macs, PCs, and Linux machines and advised users to update their system as quickly as possible.


The bug affects Flash Player 13.0.0.201 and earlier on the Mac, Flash Player 13.0.0.182 and earlier on Windows, and Flash Player 11.2.202.350 and earlier on Linux. Adobe says that attacks exploiting this flaw have been discovered "in the wild," so users are strongly urged to apply the latest updates sooner rather than later.

Mac owners and those on Windows-based PCs should update to Flash Player 13.0.0.206, while users running Linux should update to Flash Player 11.2.202.356. Those using the versions of Flash installed alongside Google's Chrome browser or Microsoft's Internet Explorer 10 and 11 will receive updates automatically.

According to security firm Kaspersky Lab, the vulnerability -- which was assigned CVE-2014-0515 -- is "located in the Pixel Bender component, designed for video and image processing." Exploits seen in the field using this bug are somewhat unusual in that they use slightly different code depending on the operating system being targeted.

This is the second remote code execution bug to crop up in Flash this year. A similar flaw surfaced in February, also affecting all platforms.

Users can check the version of Flash installed on their system by visiting Adobe's About Flash Player page or right-clicking on Flash content in their browser and choosing "About Adobe (or Macromedia) Flash Player" from the contextual menu.
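
Added example (not part of the original article or thread): a fleet check built on the version thresholds given above, flagging hosts whose Flash Player is older than the fixed release for their platform. The host names and inventory rows are constructed, and the per-platform fixed versions from the article are the only thresholds assumed.

```python
# Fixed releases per platform, taken from the article above.
FIXED = {
    "mac": (13, 0, 0, 206),
    "windows": (13, 0, 0, 206),
    "linux": (11, 2, 202, 356),
}

def parse_version(text):
    """Turn 'a.b.c.d' (commas accepted as separators too) into a tuple of ints.

    Returns None when the string is not a four-part numeric version, so a
    malformed inventory entry is never silently treated as patched.
    """
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def assess(os_name, version_text):
    """Classify one install as 'patched', 'vulnerable' or 'unknown'."""
    fixed = FIXED.get(os_name.lower())
    installed = parse_version(version_text)
    if fixed is None or installed is None:
        return "unknown"
    # Anything older than the fixed release counts as vulnerable, which also
    # covers installs that were downgraded to an earlier major version.
    return "patched" if installed >= fixed else "vulnerable"

def triage(inventory):
    """Group host names by status for a list of (host, os, version) rows."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, os_name, version in inventory:
        report[assess(os_name, version)].append(host)
    return report

# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    ("mac-01", "mac", "13.0.0.201"),
    ("mac-02", "mac", "12.0.0.77"),       # downgraded install
    ("win-01", "windows", "13,0,0,206"),  # comma-separated form
    ("lin-01", "linux", "11.2.202.350"),
    ("lin-02", "linux", "11.2.202.356"),
    ("win-02", "windows", "not reported"),
]

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts that land in "unknown" need a manual check rather than being assumed safe.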
post #2 of 61

Has there been a single week without a critical flash flaw? It seems like I get a warning every couple days on my PC. Why the **** isn't this technology dead yet? It's been long enough. Any website that still relies on flash for video, etc does not even deserve to exist, when most are accessing the web through mobile now. Half the sites I visit still say "missing plugin" for video on mobile devices. Disgusting. 


Edited by Slurpy - 4/28/14 at 10:08am
post #3 of 61
Flash 13 didn't even work on my Mac, I couldn't use ANY Flash content. I had to downgrade to 12. They want me to update to 13 again? No thanks.

Can't wait for Flash to die off entirely.
post #4 of 61

fuking hate flash

 

GTFO already

post #5 of 61

Who uses Flash anyway?

post #6 of 61

Strange.  A[nother] security vulnerability in Flash.  Didn't see that coming.

post #7 of 61
Not sure how a video player and web player can allow someone to control access to your computer. Adobe must employ some of the worst programmers. Then again Adobe is not in the top paying in the valley and it shows in their products.
post #8 of 61

Is it just me, or does the Flash logo look like a sore, oozing, infected rectum to anyone else? Because that's what your computer feels like after you install this plugin. Well, that and Adobe PDF Reader together. You want hackers and viruses to have their way with your computer, just add Adobe.

post #9 of 61

Like so much about Adobe these days... another reason to look for a light on the horizon to signal an alternative route, away from Adobe.

 

HTML5 in this case.

 

And don't get me started on the rental-only Adobe CC, which I think is an insult to previous users of their software products.

 

The new features are getting fewer and fewer, so Adobe knows you may not buy their very-expensive software again soon. They've decided to charge you monthly for the privilege making your digital designs, whatever they are. Then their bottom line won't suffer when their technical progress is slow.

 

I kinda wish Apple would buy Adobe, since many of their users always have been Mac users, and make their software free when you buy a Mac.

 

Then someone else would not have to make another Creative Suite from scratch for us to buy, not rent.

post #10 of 61
Quote:
Originally Posted by hydr
 

Who uses Flash anyway?

Some of us can't avoid it at work unfortunately.... it sucks.

 

Ugh. Not again.

post #11 of 61
What is Flash and how does this affect my iPhone and iPad?? ;-)
post #12 of 61

Flash needs to die.

post #13 of 61
Quote:
Originally Posted by pikester

...how does this affect my iPhone and iPad?? ;-)


It doesn't. Steve Jobs, bless his heart, wouldn't allow Adobe Flash on his mobile devices.

post #14 of 61

STEVE did a great job by injecting a virus to the FLASH virus. 

post #15 of 61

5+ years and counting .... living my digital life without these 2 pieces of crap:

 

1. Adobe Flash (and other garbage they sell!)

2. F****ng JAVA!

 

They don't die though because of Ads ... Ads ... god damn google and more Ads!

....the lack of properly optimized apps is one of the reasons "why the experience on Android tablets is so crappy".

Tim Cook ~ The Wall Street Journal - February 7, 2014

Inside Google! 

post #16 of 61
Quote:
Originally Posted by stevenoz
 

Like so much about Adobe these days... another reason to look for a light on the horizon to signal an alternative route, away from Adobe.

 

HTML5 in this case.

 

And don't get me started on the rental-only Adobe CC, which I think is an insult to previous users of their software products.

 

The new features are getting fewer and fewer, so Adobe knows you may not buy their very-expensive software again soon. They've decided to charge you monthly for the privilege making your digital designs, whatever they are. Then their bottom line won't suffer when their technical progress is slow.

 

I kinda wish Apple would buy Adobe, since many of their users always have been Mac users, and make their software free when you buy a Mac.

 

Then someone else would not have to make another Creative Suite from scratch for us to buy, not rent.

The update was quick and easy to install.

 

You complainers should spend less time complaining and more time working so you could better afford Adobe's products.

 

We think CC is much better than the old business model, and $50/mo is easy to handle for all the great tools we now have access to.

Daniel Swanson

post #17 of 61
Quote:
Originally Posted by stevenoz

Like so much about Adobe these days... another reason to look for a light on the horizon to signal an alternative route, away from Adobe.

HTML5 in this case.

And don't get me started on the rental-only Adobe CC, which I think is an insult to previous users of their software products.

The new features are getting fewer and fewer, so Adobe knows you may not buy their very-expensive software again soon. They've decided to charge you monthly for the privilege making your digital designs, whatever they are. Then their bottom line won't suffer when their technical progress is slow.

I kinda wish Apple would buy Adobe, since many of their users always have been Mac users, and make their software free when you buy a Mac.

Then someone else would not have to make another Creative Suite from scratch for us to buy, not rent.

This is a great idea! I'm sure most wouldn't mind paying a bit more for a computer that had the Adobe CS built-in to it. I know I wouldn't mind it at all and it would be worth a little more of my money on the front end to save all the back end hassles of installation and updates.
post #18 of 61
Originally Posted by Disturbia

They don't die though because of Ads ... Ads ... god damn google and more Ads!

 

Couldn’t find an animated version…

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #19 of 61

Too bad the pukes at Adobe don't support older Mac OS (10.5.8). They shove the lousy player down our throats and then refuse to support older OS's when a security flaw is found. I think it's total BS!

post #20 of 61

"Flash"?

 

What's that?

post #21 of 61
Quote:
Originally Posted by DanielSW

The update was quick and easy to install.

You complainers should spend less time complaining and more time working so you could better afford Adobe's products.

We think CC is much better than the old business model, and $50/mo is easy to handle for all the great tools we now have access to.

Sounds like someone needs to get off of their high horse. I agree with you about the subscription model being better long term for users (50 month is better than coughing up over 2 grand at one pop).

Adobe needs to put Flash in the trash. I block all flash on my home Mac and it is an annoying advertising-only tool that uses resources for nothing. Who cares if the constant updates only take a few minutes. Flash is 90's tech used to annoy people.
post #22 of 61
Maybe if Adobe just open sourced Flash, it would be more secure. Haha.

Another day, another Flash bug.
post #23 of 61

I've updated by removing Flash.

post #24 of 61
Quote:
Originally Posted by stevenoz
 

HTML5 in this case.

 

It is usually the new advanced features in Flash that get exploited because the standard features have mostly been patched. HTML 5 is great but I don't think it has Pixel Bending on video which is what was exploited in this case. When HTML 6,7,8,9 whatever has all the same capabilities as Flash and an equivalent rapid application development environment, perhaps people will stop using Flash.

 

EDIT: Actually I have now discovered that Pixel Bender is not a new feature as I suspected, only because I never heard of it before. As it turns out it is obsolete and will not work with the latest versions of Adobe products. I think it only works up to Flash Player version 10 so most people have long since upgraded to a newer version.

 

Other details are that there are actually two different versions of the attack but the one that could affect Macs is the much older exploit referenced above. The second similar technique requires Cisco Meeting plugin and ActiveX on Windows, as well as the older version of Flash player, and so far only while using Firefox. All the attacks are considered extremely sophisticated and originate in Syria. More information here:

http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks


Edited by mstone - 4/28/14 at 1:47pm

Life is too short to drink bad coffee.

post #25 of 61
Quote:
Originally Posted by hydr
 

Who uses Flash anyway?

All the ads on AI for one.

post #26 of 61

I have the Flash preference panel set to automatically install updates. I just checked and my Flash plugin is already at 13.0.0.206 so...

post #27 of 61
Quote:
Originally Posted by Slurpy
 

Has there been a single week without a critical flash flaw? It seems like I get a warning every couple days on my PC. 

I get security notices, patches and updates from Apple on a regular basis too. 

Life is too short to drink bad coffee.

post #28 of 61
I got rid of Flash long time ago on all my Macs and all the Macs from my company. Life on the web became just better.
post #29 of 61
Quote:
Originally Posted by Slurpy
 

Has there been a single week without a critical flash flaw? It seems like I get a warning every couple days on my PC. Why the **** isn't this technology dead yet? It's been long enough. Any website that still relies on flash for video, etc does not even deserve to exist, when most are accessing the web through mobile now. Half the sites I visit still say "missing plugin" for video on mobile devices. Disgusting. 

 

You have absolutely no idea what you're talking about. But keep it up, I'm sure you'll get plenty of up votes from iPhone owners.

 

You are blissfully unaware of the multitude of Flash Web Applications that are still in use in the corporate sector...and are not going anywhere anytime soon.

post #30 of 61
Quote:
Originally Posted by Disturbia
 

5+ years and counting .... living my digital life without these 2 pieces of crap:

 

1. Adobe Flash (and other garbage they sell!)

2. F****ng JAVA!

 

They don't die though because of Ads ... Ads ... god damn google and more Ads!

 

pretty easy when you're just an average consumer browsing the web. no need for either

post #31 of 61
Quote:
Originally Posted by lkrupp
 

All the ads on AI for one.


It's a great ad-block!

 

No Flash? No ads.

post #32 of 61

I'm interested in how that is possible to...  

post #33 of 61
FFS, Adobe. Die already.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #34 of 61
Quote:
Originally Posted by jungmark

Maybe if Adobe just open sourced Flash, it would be more secure. Haha.

Only if they use SSL for all the connections. ;)
Quote:
Originally Posted by jungmark 
Another day, another Flash bug.

Another thread of the same Adobe hate comments. I expect everyone has deleted Firefox too because of all the critical security flaws:

https://www.mozilla.org/security/known-vulnerabilities/firefox.html

https://www.mozilla.org/security/announce/2014/mfsa2014-29.html
"these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution."
https://www.mozilla.org/security/announce/2014/mfsa2014-31.html
"This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution."
http://www.infosecurity-magazine.com/view/36635/mozilla-patches-thunderbird-remote-exploit-vulnerability/
"The vulnerability allows the attacker to execute malicious script code in the victim’s browser, resulting in script code injection, persistent phishing, client-side redirects and similar client-side attacks."

http://www.computerworld.com/s/article/9247381/Apple_patches_Safari_s_Pwn2Own_vulnerability_two_dozen_other_critical_bugs
^ 27 vulnerabilities in Safari, 26 critical allowing arbitrary code execution. 33 OS vulnerabilities, not being fixed in Snow Leopard.

6 vulnerabilities in Chrome:
https://msisac.cisecurity.org/advisories/2014/2014-018.cfm
"Multiple Vulnerabilities in Google Chrome Could Allow Remote Code Execution"

Guess we're back to using good old trusty Internet Explorer. Hold on:
http://www.pcworld.com/article/2148368/new-internet-explorer-zero-day-puts-web-at-risk-and-xp-isnt-getting-a-fix.html
"This new remote code execution vulnerability, dubbed CVE-2014-1776, has the potential to give hackers the same user rights as the current user."

It annoys people with Flash more because it's a non-essential add-on but it's not the case that Adobe's developers are worse just because the vulnerabilities are publicized more.
post #35 of 61
Quote:
Originally Posted by Psych_guy
 

Flash needs to die.

And it will after the last porn site switches to HTML5.

post #36 of 61
Another Flash security hole. What a shock.

Why is this crap even possible anymore? What happened to sandboxing?
post #37 of 61
I went for a year w/o flash installed on my computer a few years ago and really didn't have any problems w/o it. I installed it again several months ago, as I was lazy and wanted to see a video that required it and figured by now Adobe made the product more streamlined and better performing on OSX. After this article came out, I decided I'd update the flash player installed... turns out, there's not really an efficient way to do this w/o going to the website, so... problem solved, I found the "uninstall" option in my utility folder. Thanks adobe for making the uninstall much easier than an update. I think I'll try another year or two w/o flash or maybe indefinitely. Didn't Adobe lose their talent behind flash to Apple anyway?
post #38 of 61
Quote:
Originally Posted by pmz
 

You are blissfully unaware of the multitude of Flash Web Applications that are still in use in the corporate sector...and are not going anywhere anytime soon.

 

You're seriously arguing that Flash is the new COBOL?

Quality isn't expensive... it's priceless.

post #39 of 61
Quote:
Originally Posted by pmz
 

 

pretty easy when you're just an average consumer browsing the web. no need for either

Yep! I don't need to watch porn ... so average I am!

 

My point is if above average consumers stop accessing sites which are built on top of Flash / JAVA, then they'll try to come up with non Flash / JAVA solutions.

 

Or at least, voice your concerns ....

....the lack of properly optimized apps is one of the reasons "why the experience on Android tablets is so crappy".

Tim Cook ~ The Wall Street Journal - February 7, 2014

Inside Google! 

post #40 of 61
Quote:
Originally Posted by stevenoz

Like so much about Adobe these days... another reason to look for a light on the horizon to signal an alternative route, away from Adobe.

HTML5 in this case.

And don't get me started on the rental-only Adobe CC, which I think is an insult to previous users of their software products.

The new features are getting fewer and fewer, so Adobe knows you may not buy their very-expensive software again soon. They've decided to charge you monthly for the privilege making your digital designs, whatever they are. Then their bottom line won't suffer when their technical progress is slow.

I kinda wish Apple would buy Adobe, since many of their users always have been Mac users, and make their software free when you buy a Mac.

Then someone else would not have to make another Creative Suite from scratch for us to buy, not rent.

If Apple took over Adobe we would see current works better, (a few deleted), and Flash working better than HTML5.