Flash flaw could allow attackers to steal browser data on Macs, Adobe issues fix

Comments

  • Reply 21 of 47
    gatorguy Posts: 24,213 member
    mpantone wrote: »
    What's your point? That page is a technical explanation for one known vulnerability. That page is useless to Joe Consumer surfing the Web

    You're not Joe Consumer nor are most other AI members. You got the point just fine. It explains what this particular vulnerability is and how it's being addressed just as you found out when you read it.
  • Reply 22 of 47
    mpantone Posts: 2,040 member
    Quote:
    Originally Posted by Gatorguy

    You're not Joe Consumer nor are most other AI members. You got the point just fine. It explains what this particular vulnerability is and how it's being addressed just as you found out when you read it.

    Nope, I didn't read beyond the first couple of sentences.

    The page is relevant for coders and website operators, I am neither. I am far more of a Joe Consumer than anything else. I don't run beta operating systems, I don't jailbreak my phone, I don't sign up for WWDC, I don't write software, I don't run websites. Personally, I don't care about the specifics of how this particular vulnerability works.

    As a matter of fact, I don't care about the detailed mechanism of how any computer-based vulnerability works. I do take an interest in understanding the high-end overview of various types of vulnerabilities, not the specifics of a single threat. I care more that they get fixed in a timely manner and that I have taken reasonable measures as an end-user to minimize the risks of using the Internet.

    The document you linked to doesn't fix the vulnerability, it just describes it. In the same way, if GM sends me a ten-page explanation of how the ignition switch in their cars is faulty and how they are going to fix it, the document itself doesn't fix the badly-designed component. Someone still needs to remove the faulty ignition switch and install a new device.

    Anyhow, since this is a Flash-based exploit, I really don't care. It's not like I'm running Flash on my Mac, and Flash certainly doesn't run on my iOS devices. Oh, and I don't drive a GM either.

  • Reply 23 of 47
    Quote:
    Originally Posted by AppleInsider

    A well-known vulnerability in Adobe's Flash player... has been exploited for the first time... in a proof-of-concept by Google engineer Michele Spagnuolo.

    Now hang on a minute... a GOOGLE employee produces a flash exploit "proof of concept" and the world goes into a panic and is supposed to stop what they're doing and take defensive measures against this threat? Why is Google in the business of producing malware? Perhaps this little exploit does not impact chromebooks, eh? Sounds to me like a shady move to threaten the competition, under the guise of a "proof of concept", that should be investigated. I can think of many activities that would cause disruption and chaos, that could be smugly claimed to be mere "proof of concept" actions. I think this is an industrial strategy on the part of Google. Shame on them--who's being EVIL now?

  • Reply 24 of 47
    Quote:
    Originally Posted by razorpit

    I'm confused. According to Adobe I'm on the updated version, but I know I haven't updated in at least 1-2 weeks. I hate defending Adobe, but this patch was issued a while back. What am I missing here? How is this any different than saying a known exploit for iOS 7 SSL issue was found in the wild today? It's been fixed, update and get it!

    I've gotten so tired of Adobe's nagware and nagging update messages that I ignore most of them too. The company is a blight.

  • Reply 25 of 47
    sockrolid Posts: 2,789 member
    Quote:
    Originally Posted by SpamSandwich

    Or just use Click2Flash...

    Actually it's called "ClickToFlash". But yeah, it's an absolutely essential plug-in for Safari.

  • Reply 26 of 47
    Another Flash security exposure - I'm shocked! /s

    Why Steve Jobs had a low opinion of Flash and the people who continue promoting this heap.
  • Reply 27 of 47
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by Suddenly Newton

    Wait...Adobe waited until now to patch the known flaw?

    I'm not sure when Adobe was informed of the flaw but I would suspect the AppleInsider language is probably intentionally misleading. If Google just released a proof of concept, how well-known could it really be? It was probably fixed as quickly as possible.

    "A well-known vulnerability in Adobe's Flash player..."

  • Reply 28 of 47
    Marvin Posts: 15,322 moderator
    I love how Apple is held to a far higher standard than everyone else. If this was an Apple security flaw, the press would be screaming and ranting.

    Not quite, this thread a couple of months ago got very little attention:

    http://appleinsider.com/articles/14/05/21/apple-issues-safari-704-and-614-updates-with-enhanced-security

    This Adobe bug lets attackers steal cookies, the Safari bug let attackers run arbitrary code. Security bugs in plug-ins are objected to more strongly as they are really optional add-ons.
  • Reply 29 of 47
    magman1979 Posts: 1,293 member
    Quote:
    Originally Posted by stoutie

    DO NOT INSTALL FLASH AT ALL. REMOVE IT! I installed the latest Flash and it secretly installed Bing on my system, replacing Google as my first choice. When I tried to uninstall it, I learned through much research that the Bing program was hidden in my system, not even called Bing. It took me hours and hours and days of work to finally get the damn thing off my computer. Flash and Bing are in cahoots to switch you from Google to Bing, and they installed this malware on my system and messed up my computer. Stay away from Flash...and Bing. They both suck. If you don't believe me, Google it. Very sneaky.

    And yet Google's Chrome browser is the one with more security issues and holes than Swiss cheese? Time to open your eyes to the real world, Google is NOT your friend, not by a long shot!

    If you're on a Mac, Safari or bust, and if needed, Firefox as a backup.

    And while you're at it, install AdBlock Plus, ClickToPlugin (big brother to ClickToFlash) and Ghostery (or DoNotTrackMe) plug-ins in Safari, and switch to DuckDuckGo. DDG just redesigned their engine and it kicks butt!

  • Reply 30 of 47
    bregalad Posts: 816 member

    Sadly Flash is still used in places where it needn't be, like streaming World Cup games.

    Having said that, I have a serious question. Is there a competing technology for developing online games?

    I'm thinking mostly of my children who visit sites like pbskids.org that use Flash for interactive content and games.

  • Reply 31 of 47
    suddenly newton Posts: 13,819 member
    mstone wrote: »
    I'm not sure when Adobe was informed of the flaw but I would suspect the AppleInsider language is probably intentionally misleading. If Google just released a proof of concept, how well-known could it really be? It was probably fixed as quickly as possible. 

    "A well-known vulnerability in Adobe's Flash player..."

    My interpretation of the article's wording is: A known flaw was not patched until Google released a proof of concept attack, and this prompted Adobe into action.
  • Reply 32 of 47
    d4njvrzf Posts: 797 member
    Quote:
    Originally Posted by lkrupp

    Just stop using Chrome. Use Safari without Flash installed. Problem solved. Oh, but Chrome is SO much better than Safari, or any stinky Apple product for that matter¡

    Or you could use Chrome but set Flash to run on user click (no extensions needed -- this is just a preference setting). If for some reason you need to use Flash, Chrome is arguably the safest way to use it, since it sandboxes the plugin and will do a better job of keeping the plugin up to date than if you installed Flash manually; Safari was arguably the least secure until it started sandboxing plugins last year.

  • Reply 33 of 47
    coolfactor Posts: 2,241 member

    I already have the .145 version installed. Looks like it was released prior to today because I don't remember updating it recently.

  • Reply 34 of 47
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by Suddenly Newton

    My interpretation of the article's wording is: A known flaw was not patched until Google released a proof of concept attack, and this prompted Adobe into action.


    Which is exactly the interpretation that AI wanted you to have.

    The proof of concept was posted in a blog on July 8 and Adobe patched it on July 8.

    If you read the blog, the author praises Adobe for the quick fix. In other words it looks like the flaw was not publicly disclosed by the security researcher until Adobe had time to fix it.

    Adobe also acknowledges Michele Spagnuolo for helping them identify and correct the issue. Google and Adobe have always been good working partners. Google would not disclose a flaw without first working with Adobe to fix it.

    My conclusion is that it was not a well-known vulnerability as is written in the article. And it was not exploited either, as written in the first paragraph. It was simply identified and fixed.

  • Reply 35 of 47
    pdq2 Posts: 270 member

    "Flash"?

    Oh yeah, wasn't that that doohickey that they mainly used for ads about a decade ago?

    My work PC still has it - I know, because there's a pop-up that appears semi-regularly that says Flash has crashed. I just hit the "x" in the corner and go on with my life.

  • Reply 36 of 47
    bobjohnson Posts: 154 member
    Quote:
    Originally Posted by mstone

    Which is exactly the interpretation that AI wanted you to have.

    The proof of concept was posted in a blog on July 8 and Adobe patched it on July 8.

    If you read the blog, the author praises Adobe for the quick fix. In other words it looks like the flaw was not publicly disclosed by the security researcher until Adobe had time to fix it.

    Adobe also acknowledges Michele Spagnuolo for helping them identify and correct the issue. Google and Adobe have always been good working partners. Google would not disclose a flaw without first working with Adobe to fix it.

    My conclusion is that it was not a well-known vulnerability as is written in the article. And it was not exploited either, as written in the first paragraph. It was simply identified and fixed.

    And if you read the blog, you would see the ENTIRE PARAGRAPH dedicated to describing that it was already a well-known issue:

    Quote:
    This is a well known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum only, valid SWF files have been presented. This led website owners and even big players in the industry to postpone any mitigation until a credible proof of concept was provided.


  • Reply 37 of 47
    gatorguy Posts: 24,213 member
    My interpretation of the article's wording is: A known flaw was not patched until Google released a proof of concept attack, and this prompted Adobe into action.

    Generally correct except that Google didn't "release" it. They created a proof of concept to demonstrate to Adobe how it might be exploited. A big thank you is due the Google engineer.
  • Reply 38 of 47
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by BobJohnson

    And if you read the blog, you would see the ENTIRE PARAGRAPH dedicated to describing that it was already a well-known issue:


    I stand corrected. thanks.

  • Reply 39 of 47
    tallest skil Posts: 43,388 member

    Something interesting:

    HERE’S A THOUGHT, YOU BRAIN DEAD PILES OF GARBAGE: INSTEAD OF WASTING TIME PUTTING IN A BROKEN OPTION, WHY NOT JUST NOT HAVE THE OPTION AT ALL.

  • Reply 40 of 47
    dunks Posts: 1,254 member

    I don't have flash installed and never want to. It's the most bloated crap ever. I hate it when websites refuse to serve content in a web standard format. That "friendly" suggestion for me to download flash makes me want to punch your website in the face.