
Topic: CVE-2011-0609 Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

ethercat

http://www.adobe.com/support/security/advisories/apsa11-01.html

Since most of us rely on these applications, it would be wise to be careful of the content you download and where you download it from until this vulnerability is fixed.

Quote
Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

Release date: March 14, 2011
Last updated: March 14, 2011
Vulnerability identifier: APSA11-01
CVE number: CVE-2011-0609
Platform: All Platforms

Summary
A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.

Affected software versions

    * Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
    * Adobe Flash Player 10.2.154.18 and earlier for Chrome users
    * Adobe Flash Player 10.1.106.16 and earlier for Android
    * The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.

More info, including details, at the link above.

Bolding in the quote is mine.  Just because reports involve "a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment" doesn't mean that's the only place it may be being used.  Let's be careful out there.

* ethercat queues up the Hill Street Blues theme song.

Why do people join Scientology?  Why do they leave?
http://ThroughTheDoor.net

Have you been to Narconon?  Please consider taking the Narconon Survey at:
http://reachingforthetippingpoint.net/narcononsurvey/
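Two defender-side checks derived from the advisory quoted above, written as an added example (not code from the forum post or from Adobe): a version comparison against the affected ceilings the advisory lists, and a heuristic scan for an embedded SWF header inside an arbitrary attachment. The platform labels in AFFECTED_MAX and the sample attachment are constructed here; the scan looks for SWF magic bytes only and does not parse the OLE container of an .xls file.

```python
import re
import struct

# Affected version ceilings taken from the APSA11-01 advisory text.
# The dictionary keys are labels chosen for this example, not Adobe identifiers.
AFFECTED_MAX = {
    "flash_desktop": "10.2.152.33",   # Windows, Macintosh, Linux, Solaris
    "flash_chrome": "10.2.154.18",    # Flash bundled with Chrome
    "flash_android": "10.1.106.16",   # Android
}

def parse_version(v):
    """Turn a dotted version such as '10.2.152.33' into a comparable int tuple."""
    return tuple(int(p) for p in v.strip().split("."))

def is_affected(platform, version):
    """True if `version` is at or below the advisory's ceiling for `platform`."""
    return parse_version(version) <= parse_version(AFFECTED_MAX[platform])

# SWF files start with 'FWS' (uncompressed), 'CWS' (zlib) or 'ZWS' (LZMA).
SWF_MAGIC = re.compile(rb"[FCZ]WS")

def find_embedded_swf(blob, max_version=30):
    """Return offsets of plausible SWF headers found anywhere in `blob`.

    A header is 3 magic bytes, one version byte and a 4-byte little-endian
    length. A bare magic hit is noisy in binary data, so require a sane
    version byte and a non-tiny length to cut false positives.
    """
    hits = []
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):          # not enough room for a full header
            continue
        version = blob[off + 3]
        (length,) = struct.unpack_from("<I", blob, off + 4)
        if 1 <= version <= max_version and 8 <= length <= 1 << 30:
            hits.append(off)
    return hits

def sample_attachment():
    """Constructed test data: a decoy 'CWS' with version 0 (rejected), an
    OLE-style magic prefix, padding, then a real-looking FWS header at offset 32."""
    decoy = b"CWS" + bytes([0]) + struct.pack("<I", 0)
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    padding = b"\x00" * 16
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x78\x00\x05\x5f" + b"\x00" * 20
    return decoy + ole_magic + padding + swf

if __name__ == "__main__":
    print("10.2.152.33 affected:", is_affected("flash_desktop", "10.2.152.33"))
    print("SWF header offsets:", find_embedded_swf(sample_attachment()))
```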

Mary_McConnell

Thanks, just went and got my updates and will make sure I keep up with them.
NarCONon is Scientology. I am a volunteer advocate for victims of the Narconon scam. Feel free to contact me for assistance in righting the wrongs.

ethercat

Very good.   :yes:)

Sarcasm Pirate

-insert witty Pro- Steve Jobs/ Anti-Flash Comment-

/laziness

Seriously though... Adobe just released a rather big update for Mac.  I don't think it did anything to fix this though.  If I recall the recent update for me came out just before this was announced as an issue. Computers can be so annoying.  I feel like I'm never done updating something.  :-\

ethercat

Quote
-insert witty Pro- Steve Jobs/ Anti-Flash Comment-

One of the posters to the forum I read about this on originally already did that, and another poster was quick to point out that this one also affects Mac.

http://androidforums.com/android-lounge/297872-flash-has-critical-security-risk.html

Quote
/laziness

Seriously though... Adobe just released a rather big update for Mac.  I don't think it did anything to fix this though.  If I recall the recent update for me came out just before this was announced as an issue. Computers can be so annoying.  I feel like I'm never done updating something.  :-\

And you won't be, unless you give up the computer, period - no operating systems are immune.   ;)

There is discussion (and partial implementation by browsers) of video support in the HTML5 spec, which would make Flash largely unnecessary, however it is hampered by controversy over patents and disagreement over which video formats to support.

Of course, end users can always install additional plugins or other software to view any video format they wish, but the controversy lies in which formats should have support built into the browsers without the users having to install additional software (since many users seem incapable of anything other than turning the computer on and clicking buttons and links - God forbid people should have to learn anything  ::) ).

Rest of rant snipped.

Edit: more discussion here: http://www.w3.org/QA/2007/12/when_will_html_5_support_soone.html
« Last Edit: April 02, 2011, 11:08 by ethercat »

Sarcasm Pirate

Learning hurts. D:

ethercat

Awww, I'm sorry.   {O\O}  I wasn't directing that at you.

Sarcasm Pirate

:-) It was a poorly sarcastic joke.  I actually found that rather interesting. ;-) I, as a younger person, feel somewhat cheated by current technology.  No one has ever explained how things work.  It's just always been 'here's this, use it'.  I feel like if we all had to start from the basics and learn how these things actually work we might appreciate it more.

I suppose most people don't care to appreciate any of it though. lol

ethercat

Quote
:-) It was a poorly sarcastic joke.  I actually found that rather interesting. ;-)

Whew!  I am relieved.  I should have known.  You are the Sarcasm Pirate, after all.   M.-)

Quote
I, as a younger person, feel somewhat cheated by current technology.  No one has ever explained how things work.  It's just always been 'here's this, use it'.
 

I'll gladly give you a crash course in what I know next time I see you.   :)

Quote
I feel like if we all had to start from the basics and learn how these things actually work we might appreciate it more.

I believe that also.  As things have been made simpler for people to use, it's become much more complex to understand how they work.  I started learning about computers when there were no windowing systems, only command line and programs.  No multitasking.  The files created by your programs were easy to find; they were in the same place you went to run your program (yes, you had to type stuff to run your program!), unless you deliberately put them somewhere else.  But the basics I learned way back when still apply today, so I feel like this hardship gave me an understanding many people (excluding geeks) don't have.

Quote
I suppose most people don't care to appreciate any of it though. lol

Unfortunately, you're probably right with that.   It's their loss. 

mefree

Quote
:-) It was a poorly sarcastic joke.  I actually found that rather interesting. ;-)

Whew!  I am relieved.  I should have known.  You are the Sarcasm Pirate, after all.   M.-)

Quote
I, as a younger person, feel somewhat cheated by current technology.  No one has ever explained how things work.  It's just always been 'here's this, use it'.
 

I'll gladly give you a crash course in what I know next time I see you.   :)

Quote
I feel like if we all had to start from the basics and learn how these things actually work we might appreciate it more.

I believe that also.  As things have been made simpler for people to use, it's become much more complex to understand how they work.  I started learning about computers when there were no windowing systems, only command line and programs.  No multitasking.  The files created by your programs were easy to find; they were in the same place you went to run your program (yes, you had to type stuff to run your program!), unless you deliberately put them somewhere else.  But the basics I learned way back when still apply today, so I feel like this hardship gave me an understanding many people (excluding geeks) don't have.

Quote
I suppose most people don't care to appreciate any of it though. lol

Unfortunately, you're probably right with that.   It's their loss.

Ugh! Don't even get me started on this topic. I'm in the middle of some computer-related learning and it is giving me a few headaches. Fortunately, I have a few geeky friends that I can ask questions of.

Some aspects come really naturally to me, others do not :)

I believe there is a lot to be gained from trying to understand how it all works.
The ultimate authority must always rest with the individual's own reason and critical analysis.
-Dalai Lama

SocialTransparency

Flash is the past >:D. It does not exist in my world. Current box is a 12 core Mac Pro. Embrace HTML5 for it is good. :D. 22+million iPad sales in less than a year and a half tends to have an impact on what software/firmware you the buying public will use. Flash had its moment in the sun. Time to move on.
The future is here now. DOS based fail is just that FAIL! ;D

ethercat

Quote
Flash is the past >:D. It does not exist in my world.

Flash does not exist in your world because, like my FreeBSD, your Mac OS (based on FreeBSD) has trouble with Flash because versions of Flash were developed for Microsoft and Linux, but not for FreeBSD.  FreeBSD and Linux address the hardware in different ways, so getting FreeBSD (and your OS) to work with Flash is kind of a "hack".

Deny it all you want, but:
Quote from: Steve Jobs
http://www.apple.com/hotnews/thoughts-on-flash/
We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now.

Quote
22+million iPad sales in less than a year and a half tends to have an impact on what software/firmware you the buying public will use.

Not really.  Discussion of HTML5 began in 2004, long before the iPad was produced.  So did the concept and implementation of  the "tablet computer" begin long before the iPad.  22+ million is far from market saturation - with over 300 million people in the U.S. alone and an estimated 75% of them using computers.

Quote
Flash had its moment in the sun. Time to move on.

Flash is still in use in many, many places on the web.  Not that I am at all a fan of Flash, in fact, quite the contrary.  (It is what source code people call a "binary blob".)  But you can't deny reality just because you proclaim it to be so. (I can't, anyway.)

With respect to video, HTML5 means primarily just including native (built into the browser) support for already existing video formats, such as Ogg Theora, H.264, VP8/WebM, and "others".  It is not a video format in and of itself.  According to the chart on the wikipedia page linked above, Ogg has the greatest support, with the holdouts who don't support Ogg being Safari and Internet Explorer. 

The iPad supports H.264, but not flash.  H.264 is patented, and requires that most users (the developers, that is, and not the end users) have to pay royalties to use it.  Guess who owns interests in H.264?  Apple and Microsoft.  Uh hmm.   
8-^*

Google owns WebM/VP8, which is now covered under a BSD license.  The BSD license is considered more open and liberal than the GNU license, in that it will allow the source code to be used in proprietary commercial projects/software products  (which is why Apple can develop an OS based on FreeBSD and charge for it), where the GNU license requires any use of the code itself to remain free ($0).

Ogg is not covered by any known patents, as the codec it was derived from has been released into the public domain.  However:

Quote
Although Theora is not affected by known patents, companies such as Apple and (reportedly) Nokia[citation needed] are concerned about unknown patents that might affect it, whose owners might be waiting for a corporation with extensive financial resources to use the format before suing.[5][6] Formats like H.264 might also be subject to unknown patents in principle, but they have been deployed much more widely and so it is presumed that any patent-holders would have already made themselves known. Apple has also opposed requiring Ogg format support in the HTML standard (even as a "should" requirement) on the grounds that some devices might support other formats much more easily, and that HTML has historically not required particular formats for anything.[6]

Not too surprising that Apple and Microsoft would both oppose Ogg, when they both own interest in one of the competing formats.  VP8 (WebM) comes after Ogg with the 2nd greatest support, which makes sense considering it does not require payment of royalty fees.

Of course, the individual end user can install support for any codec he wishes, on his own computer, provided he knows how and that the hardware and OS support is there.

Quote
The future is here now. DOS based fail is just that FAIL! ;D

I don't really understand the DOS comment, as DOS (Disk Operating System) fell by the wayside for the most part with the release of Microsoft's NT-based operating systems (that would include NT server from the mid 90's for businesses, and everything from Windows 2000 for consumers on to present day).  Care to explain?