Adobe announces new Flash security vulnerability

On Sept. 13, Adobe Systems released a security advisory detailing a vulnerability in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Mac, Linux and Solaris, and in Adobe Flash Player 10.1.92.10 for Android. The same flaw also affects Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and Unix, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. It allows a remote attacker to crash the affected application (a denial of service) or, worse, execute arbitrary code and take control of your system, with the malicious code delivered through a specially crafted PDF or Flash file.
For WoW players, this can mean infection by keyloggers that could potentially steal your login information and compromise your account.
Adobe Systems is working on a patch for Flash Player and plans to make it available the week of Sept. 27; updates for Adobe Reader 9.3.4 and Adobe Acrobat 9.3.4 are planned for the week of Oct. 4.
The good news is that the exploit requires the malicious file to be opened or loaded: either a crafted PDF you open, or a crafted Flash object served by a page you visit (keep in mind that browsers load Flash content automatically unless a plugin blocker is in place). That leaves plenty you can do to stay safe from this type of exploit.
- Always keep your software up to date by installing patches as soon as they are available. Adobe releases regular updates, and keeping Flash Player, Reader and Acrobat patched is the most direct defense against this flaw.
- Never trust file downloads from emails you don't recognize, and don't click links to sites you aren't 100 percent sure about. Err on the side of caution.
- If you don't have one, pick up an authenticator to add an extra layer of security to your Battle.net account. Authenticators come as a keyfob for a small price or as a free mobile app. An authenticator won't stop a keylogger from capturing your password, but it makes a captured password far less useful on its own.
- Run a plugin blocker such as NoScript, which keeps Flash objects from loading until you approve them, and set your browser to ask before opening PDFs rather than displaying them automatically; at minimum, enable the security features in your preferred browser's settings.
- Surf with caution -- remember, even the most cautious of people can still get hacked by accidentally downloading a keylogger by visiting the wrong site or clicking the wrong link. Make sure you are protected with trusted anti-virus and anti-spyware software. Be sure that your protection is up to date, and actively run scans. Having the latest security definitions goes a long way toward catching the keyloggers that exploits like this one deliver.
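As a practical check on the first item above, here is an added example (the editor's code, not from the article or from Adobe) that tests installed version strings against the "X and earlier" ranges quoted in the advisory summary. The product and platform labels, the host names and the sample inventory are constructed for illustration; only the version ceilings come from the summary above.

```python
"""Check Adobe product versions against the advisory's affected ranges.

Editor-added example; not code from the article or from Adobe.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Ceilings taken from the advisory summary ("X and earlier versions").
# The platform is part of the key because the Android Flash build
# 10.1.92.10 is listed as affected even though it numerically exceeds the
# desktop ceiling of 10.1.82.76; one global threshold would miss it.
AFFECTED_CEILINGS: Dict[Tuple[str, str], str] = {
    ("flash", "desktop"): "10.1.82.76",   # Windows, Mac, Linux, Solaris
    ("flash", "android"): "10.1.92.10",
    ("reader", "desktop"): "9.3.4",       # Windows, Mac, Unix
    ("acrobat", "desktop"): "9.3.4",      # Windows, Mac
}


def parse_version(text: str, width: int = 4) -> Version:
    """Turn '10.1.82.76' into (10, 1, 82, 76), zero-padded to `width` parts.

    Comparing dotted versions as strings is wrong ('10.1.9.0' sorts after
    '10.1.82.76' lexically), so each component is converted to an int.
    Padding makes '9.3.4' and '9.3.4.0' compare equal.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) > width:
        raise ValueError(f"too many components in {text!r}")
    return nums + (0,) * (width - len(nums))


def is_affected(product: str, platform: str, version: str) -> bool:
    """True when `version` is at or below the advisory ceiling for that product/platform."""
    key = (product.lower(), platform.lower())
    if key not in AFFECTED_CEILINGS:
        raise ValueError(f"no advisory data for {product} on {platform}")
    return parse_version(version) <= parse_version(AFFECTED_CEILINGS[key])


Install = Tuple[str, str, str]  # (product, platform, version)


def find_vulnerable(inventory: Dict[str, List[Install]]) -> Dict[str, List[Install]]:
    """Return {host: [affected installs]} for every host with at least one hit."""
    findings: Dict[str, List[Install]] = {}
    for host, installs in inventory.items():
        hits = [entry for entry in installs if is_affected(*entry)]
        if hits:
            findings[host] = hits
    return findings


# Constructed sample inventory; host names and version numbers are made up.
SAMPLE_INVENTORY: Dict[str, List[Install]] = {
    "raid-pc": [("flash", "desktop", "10.1.82.76"), ("reader", "desktop", "9.3.4")],
    "laptop": [("flash", "desktop", "10.1.85.3"), ("reader", "desktop", "9.4.0")],
    "phone": [("flash", "android", "10.1.92.10")],
    "old-box": [("flash", "desktop", "10.1.9.0")],  # a string compare would call this safe
}

if __name__ == "__main__":
    for host, hits in find_vulnerable(SAMPLE_INVENTORY).items():
        for product, platform, version in hits:
            print(f"{host}: {product} {version} ({platform}) is in the affected range")
```

Two details are worth noticing: the ceilings are kept per platform because the Android build listed as affected is numerically newer than the desktop ceiling, and versions are compared as integer tuples because a lexical string comparison would wrongly treat 10.1.9.0 as newer than 10.1.82.76.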
For more information regarding the Flash security issue, visit the Adobe Security Advisory site.
Filed under: News items, Account Security
Reader Comments (Page 1 of 4)
(cutaia) Sep 17th 2010 11:04AM
September 27th? Oh, cool. I guess I won't go on the internet for 10 days. :P
arielespadas Sep 17th 2010 1:39PM
10 days with no internetz?! That's blasphemy.
Ginny Sep 17th 2010 11:09AM
So.. Now do people understand why Steve Jobs doesn't want to put flash on the iPad/iPhone?
Sayis Sep 17th 2010 11:19AM
Apple's policy for Flash is based more around the idea that they want to shape how their platform, and even the internet, advances. Having to rely on another company is a big no-no for Apple.
Jerodar Sep 17th 2010 11:19AM
Yeah, that's obvious, but if only the rest of the interwebs would dump Flash.
Ginny Sep 17th 2010 11:29AM
@Sayis Well, we're both right: http://www.apple.com/hotnews/thoughts-on-flash/
MikeLive Sep 17th 2010 11:42AM
@Sayis Close, they don't want other companies shaping the internet, by having so much of it depend on a closed, proprietary technology (Flash, Silverlight, etc.).
cricketcaper Sep 17th 2010 12:09PM
Typical Mac fanboy response: "see, Jobs is right." The only reason Flash is attacked on a constant basis is that they have the biggest market share. Just as hackers targeted Windows over Mac OS: market share. The reality is that at Black Hat nearly every year Mac OS goes down first. Just the same, HTML5 is no more secure than Flash; it is just off the hackers' radar for the moment.
Drakkenfyre Sep 17th 2010 12:22PM
One of the biggest reasons Steve Jobs doesn't want Flash is because then he couldn't charge people for game apps, when you could play many free Flash games.
Spark Sep 17th 2010 1:31PM
-----
Ginny Sep 17th 2010 11:09AM
So.. Now do people understand why Steve Jobs doesn't want to put flash on the iPad/iPhone?
-----
I have an Android phone. I installed Flash. Then thought better about it and removed Flash (oh - that's right... I need NoScript to make having Flash a sane idea... forgot all about that). The difference here is that it was my choice, not Steve Jobs' choice.
Jobs is pretty spot on in general. If Flash were on the "IOS" platform, if I were Apple, I wouldn't be using it. I might even point out how good a job I was doing without using it. But that's very different than saying Adobe can't make it so you and I can't use it.
Of course... this has all been rather well covered in more appropriate forums than one dedicated to WoW. Following this path is simply racing to the bottom of the well... where it's trolls all the way down.
icepyro Sep 17th 2010 1:46PM
So... are you implying Steve Jobs may have turned down Flash because he magically knew how vulnerable it is? If so, why did he allow the antenna issues or the proximity sensor issues? That's code written by Apple itself! It may not be a security threat, but it does far more to make them look bad and, you know, being able to see the future and all....
Ginny Sep 17th 2010 1:54PM
I like how anyone who says anything pro Jobs is automatically a mac fanboy/girl/whatever. :\
Oh noes, I have opinions! Better vote me down!
Josin Sep 17th 2010 2:48PM
I thought that was because Adobe charges people to use their filetype/architecture? (Good thing the inventors of the .gif and .jpg didn't do that... we'd have no internet.)
Drakkenfyre Sep 17th 2010 4:29PM
Josin, back in the day the people behind .GIF did indeed sue people. I remember when Netscape was like the only browser to have legitimate licensing.
Shif Sep 17th 2010 11:17AM
JavaScript has hundreds of these kinds of vulnerabilities; it's all over the internet, but no one releases warnings about these, and using a website with Flash doesn't mean that you are getting a keylogger.
Spark Sep 17th 2010 1:51PM
-----
Shif Sep 17th 2010 11:17AM
JavaScript has hundreds of these kinds of vulnerabilities; it's all over the internet, but no one releases warnings about these, and using a website with Flash doesn't mean that you are getting a keylogger.
-----
That's very misleading. JavaScript does not have these kinds of vulnerabilities. If it did, malware authors wouldn't bother attacking handler applications. The issue tends to be some incorrect way of handling JavaScript calls by the application in question. It's as if the text "jump off a bridge" meant the English language had a vulnerability rather than the individual who had a tendency to act out everything they read (which is a poor analogy, but still).
A website with Flash doesn't mean you're getting a keylogger if the website in question can be trusted. And we're not just talking about trusting the people who produce content for the website, but whether the website has been compromised to serve malicious content that takes advantage of this flaw. But the simple truth is that many sites don't produce all their own content (read: syndicated ad banners). And occasionally, sites get hit by vulnerabilities and malicious content gets slipped in (there is historical precedent, not just a "what if" scenario). Nobody can be completely sure any given Flash object is safe. And when a vulnerability is being actively exploited out in the wild, the safe bet is that eventually you're going to run into an example of it.
We should take this seriously and not simply blow it off as you have implied.
Luke Sep 17th 2010 2:32PM
*Cough*
http://wow.joystiq.com/2010/09/15/cataclysm-beta-guild-ranks-can-be-set-to-require-authenticator/comments/30414042/
And yes, it is dangerous for your system to auto-magically load all of the scripts that appear on a website. Does this mean that the majority of those scripts contain keyloggers?
No.
Does that mean that even most scripts are in a hand basket headed straight to New Jersey, and need to accept Jesus into their lives or face eternal lame-nation?
Nope, doesn't even mean that.
But there are plenty of Mr. Burns of the Java world that CAN and will infect your computer with all kinds of malicious crap. And they'll try to steal your lollipop too.
The best solution kids?
Don't pee in your own pool.
Wait that's not right. I mean it's good advice but not relevant to what we're talking about.
The solution has a sex analogy of some kind that may not be appropriate here. But let's just put it this way:
I'd sooner, uh... "cuddle", with a Tijuana "barista" than surf the internet without "protection".
All this means is if you know the websites you visit are safe (WOT), and you're not going around pointing your mouse and every shiny banner ad (Adblock Plus), you should be okay. Especially if you learn to say no (NoScript), every once in a while.
Spark Sep 17th 2010 9:30PM
Let's be completely clear on this. JavaScript in itself is not dangerous. But it can interact with other things that become dangerous when a vulnerability is discovered. JavaScript is the fuse that starts the sequence to firing off the payload that hurts us. So treating JavaScript as if it is dangerous is the first step to protecting oneself; take away the match and it's hard to light the fuse.
But we still have to fix the things that are broken and are dangerous.
V3rr1n Sep 17th 2010 11:17AM
ANOTHER adobe hacking possibility? These guys send out updates like BP cleans up oil spills.
If they fail again, what do we get? A hardy handshake and apology? Or a smirk/shrug with some cheesy sitcom line?
"Well, ya get what you pay for!"
Wonder what the shareholders think....
Elleyna Sep 17th 2010 11:39AM
It's not like it's the same issue each time... Vulnerabilities are bound to happen in just about any code, when one vulnerability gets fixed, the hackers attempt to find others. At least they're aware of it and are attempting to fix the issue.