Flash flaw could allow attackers to steal browser data on Macs, Adobe issues fix

post #1 of 48
Thread Starter 
A well-known vulnerability in Adobe's Flash player that could allow malicious users to steal browser data -- including cookies -- on Macs, PCs, and Linux machines has been exploited for the first time, prompting Adobe to issue a patch and urge users to upgrade their system as soon as possible.

Adobe says that Flash Player version 14.0.0.125 and earlier for Mac and Windows and version 11.2.202.378 and earlier for Linux suffer from the bug, which was exploited in a proof-of-concept by Google engineer Michele Spagnuolo. Mac and Windows users should update to version 14.0.0.145 while Linux users should update to version 11.2.202.394.

The flaw relies on specially-crafted SWF files that consist entirely of alphanumeric characters, which will be executed by Flash Player even though they are not valid Flash files. Those malicious files can take advantage of the special privileges granted to embedded objects on a web page, making cross-domain requests on behalf of a user and capturing returned data.

In addition to the end-user mitigation, website owners can patch the vulnerability -- assigned CVE identifier CVE-2014-4671 -- on their end with one of a number of fixes identified by Spagnuolo.

Users can check the version of Flash installed on their system by visiting Adobe's About Flash Player page or right-clicking on Flash content in their browser and choosing "About Adobe (or Macromedia) Flash Player" from the contextual menu.
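
A server-side screen for the file format described in this post, as an added example that is not from the article, Adobe, or Spagnuolo's write-up. It assumes the crafted file reaches a site as a reflected query parameter (the JSONP case named in the blog post linked later in the thread); the function names, the 64-character minimum and the sample requests are constructed for illustration.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# SWF container signatures: FWS (uncompressed), CWS (zlib), ZWS (LZMA).
SWF_SIGNATURES = ("FWS", "CWS", "ZWS")
# Assumed threshold: a real SWF is far longer than a normal callback name,
# so short values such as "CWSwidget" are not flagged.
MIN_LENGTH = 64
ALNUM_ONLY = re.compile(r"[A-Za-z0-9]+")


def looks_like_alnum_swf(value: str) -> bool:
    """True if value is purely alphanumeric, long, and starts like a SWF."""
    if len(value) < MIN_LENGTH:
        return False
    if not ALNUM_ONLY.fullmatch(value):
        return False
    return value.startswith(SWF_SIGNATURES)


def suspicious_params(url: str) -> List[str]:
    """Names of query parameters whose decoded value looks like such a file."""
    query = urlsplit(url).query
    return [name
            for name, value in parse_qsl(query, keep_blank_values=True)
            if looks_like_alnum_swf(value)]


def scan(urls: List[str]) -> Dict[str, List[str]]:
    """Map each flagged request URL to the parameter names that tripped."""
    hits = {}
    for url in urls:
        names = suspicious_params(url)
        if names:
            hits[url] = names
    return hits


# Constructed sample requests (not real traffic, not a working SWF).
FILLER = "A1b2C3d4" * 20
SAMPLE_REQUESTS = [
    "/api/feed?callback=handleFeed_1",          # ordinary callback name
    "/api/feed?callback=CWS" + FILLER,          # long, alphanumeric, SWF magic
    "/api/feed?callback=CWSwidget",             # SWF magic but too short
    "/search?q=CWS%20file%20format&page=2",     # decoded value has spaces
    "/api/feed?callback=CWS" + FILLER + "%28",  # trailing "(" breaks alnum
]

if __name__ == "__main__":
    for url, names in scan(SAMPLE_REQUESTS).items():
        print(f"flag {names} in {url[:40]}...")
```
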
post #2 of 48
Or just use Click2Flash...

Proud AAPL stock owner.

 

GOA

post #3 of 48

Flash should be dead by now. It's garbage. Slow, unreliable, a resource hog, and a security disaster.

post #4 of 48

So, they knew about the issue but did not bother fixing it until the exploit had been used?

 

How is there not a media storm over this?

iPad, Macbook Pro, iPhone, heck I even have iLife! :-)
post #5 of 48
Steve Jobs was a Genius!... no flash for you iPads!!!!, iPods, iPhones....
post #6 of 48
That's why I don't install Flash in Safari and just have to switch over to Chrome for websites stuck in the last century (ahem, CNN and Facebook)
post #7 of 48
Quote:
Originally Posted by SpamSandwich View Post

Or just use Click2Flash...

Click2Flash doesn't eliminate the vulnerability from your system, it just prevents Flash from auto-executing in the web browser in which the plug-in is installed.

 

Of course, if you did click on the plug-in to execute the Flash content, you are at the same vulnerability level as Joe Consumer who has installed Flash without using Click2Flash. The end user really doesn't know which Flash content is dangerous and which is safe. Click2Flash is not a good security measure, it's just a handy tool to block irritating content, speed page rendering, save battery life, and decrease network bandwidth.

 

Apple is right in not installing Flash by default on currently shipping Macs.

 

If you don't want to expose yourself to Flash vulnerabilities, A.) don't install Flash period, and B.) don't use Google Chrome.


Edited by mpantone - 7/9/14 at 7:06am
post #8 of 48
Does this mean that Chrome needs to be updated, or is the Flash Player in Chrome sandboxed somehow so that these FLAWS do not work?
post #9 of 48
Wait...Adobe waited until now to patch the known flaw? Where are the howls of forum outrage and vitriol that we saw when Apple delayed patching a vulnerability on Macs by a few days?

Not a peep outta these people.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #10 of 48
Quote:
Originally Posted by smiffy31 View Post

Does this mean that Chrome needs to be updated, or is the Flash Player in Chrome sandboxed somehow so that these FLAWS do not work?

 

Just stop using Chrome. Use Safari without Flash installed. Problem solved. Oh, but Chrome is SO much better than Safari, or any stinky Apple product for that matter¡

post #11 of 48
Quote:
Originally Posted by smiffy31 View Post

Does this mean that Chrome needs to be updated, or is the Flash Player in Chrome sandboxed somehow so that these FLAWS do not work?

Chrome needs to be updated. The Flash Player in Chrome is not a panacea against Flash vulnerabilities and exploits.

 

Again, if you are serious about protecting your system from malicious Flash activity, do not install Flash Player and do not use Google Chrome.


Edited by mpantone - 7/9/14 at 7:45am
post #12 of 48
Quote:
Originally Posted by Suddenly Newton View Post

Wait...Adobe waited until now to patch the known flaw? Where are the howls of forum outrage and vitriol that we saw when Apple delayed patching a vulnerability on Macs by a few days?

Not a peep outta these people.


Remember those same people spat vitriol at Apple for a lack of Adobe Flash on the iPhone for many years. Furthermore, those same people proclaim the openness of Android while also promoting proprietary Adobe Flash. Honestly, Android proponents seem completely illogical and irrational.
post #13 of 48
Quote:
Originally Posted by mpantone View Post

Chrome needs to be updated. The Flash Player in Chrome is not a panacea against Flash vulnerabilities and exploits.

Again, if you are serious about protecting your system from malicious Flash activity, do not install Flash Player and do not use Google Chrome.
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
melior diabolus quem scies
post #14 of 48

As long as people persist in using Adobe Flash on their Macs, it takes the pressure off web-site programmers to convert to HTML5, a safe alternative.

 

No-one should chance the dangers of using Adobe Flash. 

 

Letters of protest should be written to sites still using it. The People generally win.

post #15 of 48

I love how Apple is held to a far higher standard than everyone else. If this was an Apple security flaw, the press would be screaming and ranting.

Help! I'm trapped in a white dungeon of amazing precision and impeccable tolerances!

post #16 of 48
Quote:
Originally Posted by TheWhiteFalcon View Post

Flash should be dead by now. It's garbage. Slow, unreliable, a resource hog, and a security disaster.

Indeed. When Apple was reluctant to form a partnership with them years ago they were criticized. Now, once again, they look like geniuses. HTML5 has been a much better resource, so thank you Adobe for your hubris and stupidity. The world has now moved on.
post #17 of 48
Quote:
Originally Posted by Suddenly Newton View Post

Wait...Adobe waited until now to patch the known flaw? Where are the howls of forum outrage and vitriol that we saw when Apple delayed patching a vulnerability on Macs by a few days?

Not a peep outta these people.

 

Double standards exist for a reason, you know.
post #18 of 48

I'm confused. According to Adobe I'm on the updated version, but I know I haven't updated in at least 1-2 weeks. I hate defending Adobe, but this patch was issued a while back. What am I missing here? How is this any different than saying a known exploit for iOS 7 SSL issue was found in the wild today? It's been fixed, update and get it!

Just say no to MacMall.  They don't honor their promotions and won't respond to customer inquiries.  There are better retailers out there.
post #19 of 48
DO NOT INSTALL FLASH AT ALL. REMOVE IT! I installed the latest Flash and it secretly installed Bing on my system, replacing Google as my first choice. When I tried to uninstall it, I learned through much research that the Bing program was hidden in my system, not even called Bing. It took me hours and hours and days of work to finally get the damn thing off my computer. Flash and Bing are in cahoots to switch you from Google to Bing, and they installed this malware on my system and messed up my computer. Stay away from Flash...and Bing. They both suck. If you don't believe me, Google it. Very sneaky.
post #20 of 48
Quote:
Originally Posted by lkrupp View Post

Just stop using Chrome. Use Safari without Flash installed. Problem solved. Oh, but Chrome is SO much better than Safari, or any stinky Apple product for that matter¡

It is. Chrome is the official browser of AppleInsider and Huddler Lifestyle. Safari users were left to rot.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #21 of 48

What's your point? That page is a technical explanation for one known vulnerability. That page is useless to Joe Consumer surfing the Web.

 

My stance is that it is better not to install Flash at all, not to prevent against a specific threat, but to limit exposure to a whole group of Flash-based threats, some of which are known and documented, others which are yet to be discovered.

post #22 of 48
Quote:
Originally Posted by mpantone View Post

What's your point? That page is a technical explanation for one known vulnerability. That page is useless to Joe Consumer surfing the Web

You're not Joe Consumer nor are most other AI members. You got the point just fine. It explains what this particular vulnerability is and how it's being addressed just as you found out when you read it.
melior diabolus quem scies
post #23 of 48
Quote:
Originally Posted by Gatorguy View Post


You're not Joe Consumer nor are most other AI members. You got the point just fine. It explains what this particular vulnerability is and how it's being addressed just as you found out when you read it.

Nope, I didn't read beyond the first couple of sentences.

 

The page is relevant for coders and website operators, I am neither. I am far more of a Joe Consumer than anything else. I don't run beta operating systems, I don't jailbreak my phone, I don't sign up for WWDC, I don't write software, I don't run websites. Personally, I don't care about the specifics of how this particular vulnerability works.

 

As a matter of fact, I don't care about the detailed mechanism of how any computer-based vulnerability works. I do take an interest in understanding the high-end overview of various types of vulnerabilities, not the specifics of a single threat. I care more that they get fixed in a timely manner and that I have taken reasonable measures as an end-user to minimize the risks of using the Internet.

 

The document you linked to doesn't fix the vulnerability, it just describes it. In the same way, if GM sends me a ten-page explanation of how the ignition switch in their cars is faulty and how they are going to fix it, the document itself doesn't fix the badly-designed component. Someone still needs to remove the faulty ignition switch and install a new device.

 

Anyhow, since this is a Flash-based exploit, I really don't care. It's not like I'm running Flash on my Mac, and Flash certainly doesn't run on my iOS devices. Oh, and I don't drive a GM either.


Edited by mpantone - 7/9/14 at 9:14am
post #24 of 48
Quote:
Originally Posted by AppleInsider View Post

A well-known vulnerability in Adobe's Flash player... has been exploited for the first time... in a proof-of-concept by Google engineer Michele Spagnuolo. 

 

Now hang on a minute... a GOOGLE employee produces a Flash exploit "proof of concept" and the world goes into a panic and is supposed to stop what they're doing and take defensive measures against this threat? Why is Google in the business of producing malware? Perhaps this little exploit does not impact Chromebooks, eh? Sounds to me like a shady move to threaten the competition, under the guise of a "proof of concept", that should be investigated. I can think of many activities that would cause disruption and chaos, that could be smugly claimed to be mere "proof of concept" actions. I think this is an industrial strategy on the part of Google. Shame on them--who's being EVIL now?

post #25 of 48
Quote:
Originally Posted by razorpit View Post
 

I'm confused. According to Adobe I'm on the updated version, but I know I haven't updated in at least 1-2 weeks. I hate defending Adobe, but this patch was issued a while back. What am I missing here? How is this any different than saying a known exploit for iOS 7 SSL issue was found in the wild today? It's been fixed, update and get it!

 

I've gotten so tired of Adobe's nagware and nagging update messages that I ignore most of them too. The company is a blight.

post #26 of 48
Originally Posted by SpamSandwich View Post

Or just use Click2Flash...

 

Actually it's called "ClickToFlash".  But yeah, it's an absolutely essential plug-in for Safari.

Sent from my iPhone Simulator

post #27 of 48
Another Flash security exposure - I'm shocked! /s

Why Steve Jobs had a low opinion of Flash and the people who continue promoting this heap.
post #28 of 48
Quote:
Originally Posted by Suddenly Newton View Post

Wait...Adobe waited until now to patch the known flaw? 

I'm not sure when Adobe was informed of the flaw but I would suspect the AppleInsider language is probably intentionally misleading. If Google just released a proof of concept, how well-known could it really be? It was probably fixed as quickly as possible. 

 

"A well-known vulnerability in Adobe's Flash player..."

Life is too short to drink bad coffee.

post #29 of 48
Quote:
Originally Posted by GadgetCanadaV2 View Post

I love how Apple is held to a far higher standard than everyone else. If this was an Apple security flaw, the press would be screaming and ranting.

Not quite, this thread a couple of months ago got very little attention:

http://appleinsider.com/articles/14/05/21/apple-issues-safari-704-and-614-updates-with-enhanced-security

This Adobe bug lets attackers steal cookies, the Safari bug let attackers run arbitrary code. Security bugs in plug-ins are objected to more strongly as they are really optional add-ons.
post #30 of 48
Quote:
Originally Posted by stoutie View Post

DO NOT INSTALL FLASH AT ALL. REMOVE IT! I installed the latest Flash and it secretly installed Bing on my system, replacing Google as my first choice. When I tried to uninstall it, I learned through much research that the Bing program was hidden in my system, not even called Bing. It took me hours and hours and days of work to finally get the damn thing off my computer. Flash and Bing are in cahoots to switch you from Google to Bing, and they installed this malware on my system and messed up my computer. Stay away from Flash...and Bing. They both suck. If you don't believe me, Google it. Very sneaky.

And yet Google's Chrome browser is the one with more security issues and holes than Swiss Cheese? Time to open your eyes to the real world, Google is NOT your friend, not by a long shot!

 

If you're on a Mac, Safari or bust, and if needed, Firefox as a backup.

 

And while you're at it, install AdBlock Plus, ClickToPlugin (big brother to ClickToFlash) and Ghostery (or DoNotTrackMe) plug-ins in Safari, and switch to DuckDuckGo. DDG just redesigned their engine and it kicks butt!

post #31 of 48

Sadly Flash is still used in places where it needn't be like streaming World Cup games.

 

Having said that I have a serious question. Is there a competing technology for developing online games?

 

I'm thinking mostly of my children who visit sites like pbskids.org that use Flash for interactive content and games.

post #32 of 48
Quote:
Originally Posted by mstone View Post

I'm not sure when Adobe was informed of the flaw but I would suspect the AppleInsider language is probably intentionally misleading. If Google just released a proof of concept, how well-known could it really be? It was probably fixed as quickly as possible. 

"A well-known vulnerability in Adobe's Flash player..."

My interpretation of the article's wording is: A known flaw was not patched until Google released a proof of concept attack, and this prompted Adobe into action.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #33 of 48
Quote:
Originally Posted by lkrupp View Post
 

 

Just stop using Chrome. Use Safari without Flash installed. Problem solved. Oh, but Chrome is SO much better than Safari, or any stinky Apple product for that matter¡

Or you could use Chrome but set Flash to run on user click (no extensions needed -- this is just a preference setting). If for some reason you need to use Flash, Chrome is arguably the safest way to use it, since it sandboxes the plugin and will do a better job of keeping the plugin up to date than if you installed Flash manually; Safari was arguably the least secure until it started sandboxing plugins last year.

post #34 of 48

I already have the .145 version installed. Looks like it was released prior to today because I don't remember updating it recently.

post #35 of 48
Quote:
Originally Posted by Suddenly Newton View Post
 
My interpretation of the article's wording is: A known flaw was not patched until Google released a proof of concept attack, and this prompted Adobe into action.

Which is exactly the interpretation that AI wanted you to have.

 

The proof of concept was posted in a blog on July 8 and Adobe patched it on July 8.

 

If you read the blog, the author praises Adobe for the quick fix. In other words it looks like the flaw was not publicly disclosed by the security researcher until Adobe had time to fix it.

 

Adobe also acknowledges Michele Spagnuolo for helping them identify and correct the issue. Google and Adobe have always been good working partners. Google would not disclose a flaw without first working with Adobe to fix it.

 

My conclusion is that it was not a well-known vulnerability as is written in the article. And it was not exploited either, as written in the first paragraph. It was simply identified and fixed.


Edited by mstone - 7/9/14 at 12:21pm

Life is too short to drink bad coffee.

post #36 of 48

"Flash"?

 

Oh yeah, wasn't that that doohicky that they mainly used for ads about a decade ago?

 

My work PC still has it - I know, because there's a pop-up that appears semi-regularly that says Flash has crashed. I just hit the "x" in the corner and go on with my life.

post #37 of 48
Quote:
Originally Posted by mstone View Post
 

Which is exactly the interpretation that AI wanted you to have.

 

The proof of concept was posted in a blog on July 8 and Adobe patched it on July 8.

 

If you read the blog, the author praises Adobe for the quick fix. In other words it looks like the flaw was not publicly disclosed by the security researcher until Adobe had time to fix it.

 

Adobe also acknowledges Michele Spagnuolo for helping them identify and correct the issue. Google and Adobe have always been good working partners. Google would not disclose a flaw without first working with Adobe to fix it.

 

My conclusion is that it was not a well-known vulnerability as is written in the article. And it was not exploited either, as written in the first paragraph. It was simply identified and fixed.

 

And if you read the blog, you would see the ENTIRE PARAGRAPH dedicated to describing that it was already a well-known issue: 

 

Quote:
 This is a well known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum only, valid SWF files have been presented. This led websites owners and even big players in the industry to postpone any mitigation until a credible proof of concept was provided.
post #38 of 48
Quote:
Originally Posted by Suddenly Newton View Post

My interpretation of the article's wording is: A known flaw was not patched until Google released a proof of concept attack, and this prompted Adobe into action.

Generally correct except that Google didn't "release" it. They created a proof of concept to demonstrate to Adobe how it might be exploited. A big thank you is due the Google engineer.
melior diabolus quem scies
post #39 of 48
Quote:
Originally Posted by BobJohnson View Post
 

And if you read the blog, you would see the ENTIRE PARAGRAPH dedicated to describing that it was already a well-known issue: 

I stand corrected. Thanks.

Life is too short to drink bad coffee.

post #40 of 48

Something interesting:

 

 

HERE’S A THOUGHT, YOU BRAIN DEAD PILES OF GARBAGE: INSTEAD OF WASTING TIME PUTTING IN A BROKEN OPTION, WHY NOT JUST NOT HAVE THE OPTION AT ALL.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already fucked.

 
