Printed from http://www.electronista.com

Adobe admits to zero-day exploit in Flash for Android

updated 04:45 pm EDT, Tue September 14, 2010

Adobe Flash, Reader, Acrobat vulnerable to attack

Adobe outlined a zero-day flaw in Adobe Flash that can be used to crash the system it's hosted on or even let an attacker install other malicious software. The problem affects Flash for Android OS devices as well as other Adobe components, though Flash is the only component Adobe says is being exploited, with no reports of attacks on Reader or Acrobat to date.

Adobe is taking steps to fix this by sharing information with security partners to bring out detection and quarantine methods. Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris and Android are vulnerable, as is Adobe Reader 9.3.4 for Windows, Macintosh and Unix, and Adobe Acrobat 9.3.4 along with earlier versions for Windows and Macintosh.

Concerns exist about what kind of security updates portable Android device owners can expect, as the platform is not as well protected as notebook computers.

Adobe's security advisory said it is finalizing a solution to this issue, and Flash Player users on Windows, Mac, Linux, Solaris and Android can expect a software update the week of September 27. A similar update for Adobe Reader 9.3.4 for Windows, Mac and UNIX, and Adobe Acrobat 9.3.4 for Windows and Mac is due to arrive the week of October 4.

The hole represents one of the first security exploits to affect mobile Flash 10.1 as well as the desktop version, and reinforces fears about Flash mentioned by Apple chief Steve Jobs and others. On a mobile device, the plugin ends up creating a vulnerability where one wouldn't exist without the plugin. Security is more of an issue on mobile as many cellular devices are more exposed through an always-on connection and a lack of powerful security software.



By Electronista Staff

Comments

  1. JuanGuapo

    Fresh-Faced Recruit

    Joined: Jan 2008

    +17

    Flash.

    I'll bet Jobs & Co. are enjoying this.

  1. bleee

    Mac Enthusiast

    Joined: Mar 2002

    +10

    Reputations are at stake

    If you were an average consumer that didn't read Macnn... and your iPhone crashed because of Flash would you know it was Flash or would you blame Apple? Would your first instinct be to alert Apple or alert Adobe?

    Now imagine you're surfing a website with a random flash advertisement with this exploit.... How easy would it be to just buy some ad space on an ad network and flight the ad with the exploit?

  1. bjojade

    Fresh-Faced Recruit

    Joined: Jun 2007

    +16

    No enjoyment.

    I doubt SJ really enjoys seeing flash security holes. He is the kind of guy that gets upset when things 'suck'. He'd love to see Adobe create an awesome, stable version of flash that he could approve for the phone. If they did, he'd be knocking on their door to get it on the phones. They can't, so he doesn't.

  1. chas_m

    Moderator

    Joined: Aug 2001

    +5

    BWAHAHAHA

    Sorry, I don't mean to laugh -- it's actually getting tiresome how right Steve is all the damn time.

    I do agree with bjojade's comment though -- Apple would have preferred (at least at one point) to have Adobe come up with a stable, efficient, low-resource Flash. They know perfectly well that HTML5, cool as it is, isn't going to be able to match all the things Flash can do (except video delivery).

    Adobe just isn't used to being held to a higher standard (certainly not by their customers -- and I am one, btw) and dealt with it rather petulantly. I notice they've gone more quiet of late ...

  1. SockRolid

    Forum Regular

    Joined: Jan 2010

    +8

    Google + Adobe

    This is what you get when Google and Adobe team up. Google can't protect users against malware because Marketplace is such a weed patch. And Adobe can't keep Flash bug-free and exploit-free at the same time.

  1. CarlRJ

    Fresh-Faced Recruit

    Joined: Mar 2010

    +5

    Nah, not knocking on the door...

    I agree that SJ is almost certainly NOT walking around the office shaking a fist in the air and whooping it up, but I strongly suspect that if Adobe came up with a version of Flash that ran perfectly (for now) on the iPhone, he still wouldn't want to include it as a standard part of the iPhone software -- Flash as a web browser adjunct puts too much control in the hands of Adobe, and he doesn't like handing over (any) control of Apple's destiny to any other company, when Apple has too often suffered because of the indifference of other companies...

    The Mac was held back by the PowerPC chip that first Motorola, then IBM, said "no really, we'll make it run faster one of these days", but left it to languish ... Mac OS X was held back by Metrowerks getting lots of companies to write their applications using CodeWarrior's libraries, then shifting their focus to embedded applications and leaving the libraries to languish. Adobe's Flash has had similar parallels in its life on the Mac, often performing much more poorly than its Windows counterpart, because Adobe couldn't be bothered to put the effort into improving the Mac version.

    Open Standards are good. Eight years ago, tons of websites only worked with Internet Explorer, because developers could mostly get away with assuming everyone had IE. Now most sites work mostly with a variety of browsers. Three years ago, most websites that displayed video or did other complicated tricks, required Flash, because developers could get away with assuming everyone had Flash. Now we're starting to see that assumption/limitation fall by the wayside, and I'm very happy to see it go.

  1. testudo

    Forum Regular

    Joined: Aug 2001

    -1

    Re: BWAHAHAHA

    Sorry, I don't mean to laugh -- it's actually getting tiresome how right Steve is all the damn time.

    And yet everyone just brushed over the zero-day exploit in the iPhone's PDF engine that could allow a malicious web site to basically jailbreak your iPhone and do whatever it wanted as root, without any user interaction at all.

    And how do we know it existed? Because it was what the jailbreak folks used for iOS 4.0 and 4.0.1 to jailbreak. Go to a web site, jailbreak your phone.

    But, again, that was Apple, so we can excuse it. But Adobe! Ha, just security hole after security hole! Steve is so right.....

  1. testudo

    Forum Regular

    Joined: Aug 2001

    -2

    Re: Reputations are at stake

    If you were an average consumer that didn't read Macnn... and your iPhone crashed because of Flash would you know it was Flash or would you blame Apple?

    How does the average consumer know it crashed because of Flash? What if I go to a site that crashed because of a bug in Safari? Again, how would any average (or even above average) user know what caused the crash? All they'd know is it crashed.

    And most 'average' people would blame the web site. For they go to a bunch of sites and they work fine, so the issue must be with the web site (which, in your argument, it is, since it is the one hosting the 'exploit' that is crashing).

    Would your first instinct be to alert Apple or alert Adobe?

    Most people's instincts are not to alert anyone, they just try it again. And if it fails, they move on to another site. Most people don't spend their time trying to lay blame going to some site. It's the internet, they expect stuff to not work.

    Now imagine you're surfing a website with a random flash advertisement with this exploit.... How easy would it be to just buy some ad space on an ad network and flight the ad with the exploit?

    Can we also imagine we're surfing a website with a random ad or code that loads a PDF that hijacks your pre-OS 4.0.2 iDevice? How easy would that be to buy some ad space and do that?
