Adobe's Flash and Acrobat have 'critical' vulnerability, may allow remote hijacking
By Vlad Savov 
posted June 5th 2010 5:45PM
posted June 5th 2010 5:45PM
When Adobe said Flash gives you the full web experience, it meant it. Part and parcel of the web, as we all know, is the good old hacking community, which has been "actively exploiting" a vulnerability in Flash Player 10.0.45.2 (and earlier versions) and Adobe Acrobat and Reader 9.x to overtake people's machines and do hacky stuff with them. This so-called flaw also causes crashes, but that's probably not what's worrying you right now. Adobe says the 10.1 Release Candidate for Flash Player looks to be unaffected, while versions 8.x of Acrobat and Reader are confirmed safe. To remedy the trouble, the company advises moving to the RC for Flash, and deleting authplay.dll to keep your Acrobat from performing undesirable gymnastics. Oh boy, Steve's gonna have a field day with this one.
I'm laughing at your ass now.
S. Jobs
Sent from my iPad
know another critical vulnerability...the web. snap the ▬uck out of it already with the flash trashing.
@HighestRanked2
Hahhahahaha
The more things change, the more they stay the same...
Wait, Paul Thurrott said that the whole point of Vista was to modernize the Windows Kernel. But still... same old crap
Wouldn't be wise for Steve to bring it up, as people would then simply question how OSX was hacked faster than any other OS last go around, and point out the dangerous security holes in Safari.
Best not to throw stones in glass houses.
@HighestRanked2
Funny how mac zealots always claim that their systems are invulnerable, but at the same time is up in arms over vulnerabilities in the Flash Player.
Since most Mac systems do have the Flash Player installed and still never been exploited in the real world, surely Flash does not compromise your systems like you claim?
@HighestRanked2 I usually try to ignore you, but for other's benefit, as mentioned there are numerous security holes in OSX and it was the fastest to be hacked, but there simply isn't much of a market for malware/viruses for an OS with such insignificant market share.
http://blogs.csoonline.com/files/vista-90day-vuln-compare.PNG
But the reason that Mac antivirus software exists. is because malware/viruses exist such as Leap-A. I wouldn't bother with it, but the point is that few exploits clearly doesn't mean few vulnerabilities. If OSX were to break out of single digit adoption, it would start to get attention, and at present is not robust enough to stand up to that.
The best part is that while im typing this both banners at the top are for Adobe LOL
@NeatOman
What's your point? Adobe is targeting the techies to turn on Apple... You're shocked that hey buy adspace on Engadget?
Quoting Adobe:
'Adobe Flash Player
The Flash Player 10.1 Release Candidate available at http://labs.adobe.com/technologies/flashplayer10/ does not appear to be vulnerable.'
'..does not appear..' - Hey Adobe - don't you know?
We ♥ Flash? Oh boy.
You know, Steve made a great argument against flash. Am I the only one who read his letter on the stance of flash and read the history of adobe? Man i have too much time on my hand.
@Agent3rror i also believe once we move away from flash, there will be increased security (especially for windows) and great features/ innovated ideas without worrying about patient whores.
Flash has had these types of problems for a long time. It's one reason I don't want Flash on my iPhone.
HTML5 all the way baby. I can live without flash. If somebody wants to bring me content you better convert to HTML5 or have 2 versions.
Although this is not OK by any means, this security flaw only pertains to older versions of Flash. Flash 10.1 represents the new initiative by Adobe, both in performance and security.
@adrock Flash 10.1 has not been released, thus 10.0 is the most current version. Release candidates and betas could potentially have more serious flaws than this one, as the testing process is not yet complete.
Steve jobs is smiling...somewhere!
@HighestRanked2
You seriously never head of JavaScript vulnerabilities?
And you think Flash is not sandboxed?
Great way to prove you are clueless.
Yes it's a problem Apple would love to have with such a installed base. 5% to what 92%?
I love flash to death, but I swear to whoever, I got a virus from the updater months ago. I f'in hate the fact it happened, and no help is online about it, but this wmpscfg or w/e is online, and takes names under "adobe_reader" but it also tried getting to my laptop, and my friends computer over in California.
this is just shows how ignorant journalists are working in Engadget, before you reporting such news you should consult with security expert. Don't delete my post as you did delete my previous post... the issue is with integer overflow that allows code execution to running dll how this libary file cant be run separate from rest of the library...in worst case the application will crash, I wanna see real life example were such excution has taken over the control of pc... this is total bs..
@mark838 They are just repeating what Adobe said themselves. http://www.adobe.com/support/security/advisories/apsa10-01.html
remove your fucking bug steve or else say goodbye to safari
Is Steve also going to have a field day with the critical and unfixef bugs in osx and safari? If you dont know what I mean, wait for the next pwn2own contest where, without a doubt, the latest macbook will be the first to be pwned - just like it has been over the last couple of years.
Apple FTW!
@Diondon
Apple does FTW! In the rear....without lube....
@HighestRanked2 Stop being the comment fool of the day.
@HighestRanked2
A couple of posts up you said "Does HTML5 have its own runtime like Flash does? NO. It runs native code. Is it safe? Yes.".
You seem a bit confused about what HTML5 is. A text markup is not very likely to have vulnerabilities, but that is not what "HTML5" is refereed to in marketing talk. The vulnerabilities will be with JS, which has been been exploited many times.
You main argument seem to be that because the makers of the browser will have to patch instead of Adobe. A vulnerability in a browser is in no way less of an issue. Considering how efficient Flash Player proven to push out updates quickly compared to most browsers, and how fast Adobe tends to be in providing fixes to vulnerabilities, usually the opposite would be the case.
Oh Steve's gonna wank himself raw today! And after that just some more for measure! XD
@darknessangel
You mean his frail little one eyed wonder worm? I don't think he can handle more than one wanking....let alone pee more than 2 times a day without hurting something....
@Gator352
Someone like you should get on your knees and bow your head in St. Steve's glowing presence.
@ddddd The main problem with Flash is that it is provided by a single vendor. If there is a critical security flaw such as this, we are all reliant on Adobe for a fix. With HTML 5, as it is an open standard, there will be several implementations - from Microsoft, Apple, Mozilla, Google, Opera, etc. We can choose the best and most secure. Also, given HTML 5 is a standard, serious security/privacy design flaws such as LSO (Flash cookies) would probably never pass through the peer review process.
@Psilion No, his point is that with HTML 5 we can choose which implementation to use, as there will be many. Don't like security with one? Switch to another. With Flash it is Adobe, that's it. How would you feel if there were only one web browser available from a single company, and that company owned the HTML standard?
@xbryan
I'm afraid you are misinformed, which is understandable with all the FUD going on.
You can use Gnash of Swfdec if you prefer.
The source code for Adobes implementation of the Flash Player is available for partners in the Open Screen Project without licensing restrictions, so if it's security is so appalling they can make an improved version if they like to.
Some people are idiots, Nexus one is running 10.1. So what is the story really about. Adobe says the 10.1 Release Candidate for Flash Player looks to be unaffected, while versions 8.x of Acrobat and Reader are confirmed safe. Again what is this about. Thats right Apple is coming out with a new phone. Remember with the IPad was about to lunch. You stated getting stories about android frag's. The new X-Files. Look past the stories.
@fort Um...the report came straight from Adobe themselves. Are they in on the conspiracy too?
Also, why does it matter what the Nexus One is running? That represents probably 0.1% of all Flash users. The vast majority of users, unfortunately probably won't even be aware of the issue nor is Adobe going to prompt them to upgrade (especially since 10.1 isn't even the official new version yet).
@LHC Thats true. But most everyone is using 10 or 11. So this story much to do about nothing.
@fort 10.0 is the current release thus most everyone is running that, so this is much ado about something. This affects Reader as well. Also, this is not some theoretical exploit. It is currently being used by malicious sites, hence Adobe ranks this as "critical". You should probably read before posting next time.
@xbryan My problem was with Engadget and the story. As noted several times, There quick to post this story but if it was Apple they are hard to find. Read then try to find on Engadget.
http://www.boygeniusreport.com/2010/06/09/security-breach-allows-hackers-to-obtain-info-on-114000-att-ipad-owners/
@Psilion Gnash is based on Flash 7 (yes 7, as in 3 versions ago) and can only play Flash movies, it does not run all Flash content. Swfdec is based on Flash 9 and development all but halted 2 years ago. You obviously don't know what your talking about. They are not acceptable alternatives to Adobe's Flash player.
@ddddd isn't a lot of the HTML5 functionality from javascript? eek....and you think flash is bad?
@Psilion lalz like Gnash and SWFDEC are viable alternatives. How many people do you think have those installed?
Those versions of Flash are behind Adobe's player in several respects because Adobe never open sourced the entire Flash software.
Interesting. I guess this explains the wierd things I have been seeing with Adobe Acrobat 8 on Win7. I still have Adobe Acrobat Professional 8 due to not being made of money, and I'm not so sure 8 isn't completely unaffected. AA8 doesn't fully integrate with Win7, and sometimes (most times) trying to open a .PDF from a web page brings up AA with an error that it can't open the file, but when you click OK the file opens with the browser plug-in anyway. (BTW, installing Adobe Reader 9 doesn't stop this from happening, and having both the Reader and the Writer installed isn't necessary or advised anyway.) Sometimes when surfing not-so-reputable sites this will happen when I'm not trying to open a .PDF. The Java icon appears in the System Tray as well. I click OK and AA goes away but no .PDF opens. I managed to capture one of the offending .PDF malware files and it is obviously not a normal file. Only once did a fake AntiVirus program pop up, but it didn't get a good hold and was gone with a reboot.
I hope Adobe can fix this pretty soon.
authplay.dll? I have 32 separate files on my laptop with that name. How about a little specificity.
The problem is not Flash, the problem is Adobe.
Every piece of software have security holes. It is the owner of the software who plugs the holes, in case of open source everyone is owner. We can judge from the attitude of the owner if they are serious about fixing it. Adobe have shown considerable traction in updating or upgrading Flash over the years. Why they took so much time for bringing a Mobile version of Flash?
I don't agree with all of SJ's comments but it is apparent that they took the drastic and dangerous decision of leaving Flash behind out of frustration with Adobe. Whatever Adobe says now, it is a fact that they did not put much effort on the Mac and Mobile platform. You may say that's a small segment but an important one nonetheless. I wonder if they considered mobiles as an unimportant one as well.
Flash could have been a standard itself if Adobe released them. Some are saying that they are open source and anybody can build a Flash Player. I am not a Tech guy but the fact that there are no other viable (if any) alternative to Flash Player by Adobe shows that Flash is closed. I have no problem with a closed systems but the owner must show the enthusiasm and willingness to improve their platform regularly. I am sure most people feels Adobe didn't show the enthusiasm or dedication. Only after Apple left Flash behind they started working on Flash. It is too risky to rely on a Tech company which is so reactive. Naturally, they lost many supporters as nobody is sure if & when they will deliver.
SJ must have done a very good job by shaking Adobe. Otherwise, I am sure Flash would have remain as pathetic as it is now. Yes, it can do many things which others couldn't but the question remains, "are we ready to compromise speed, security, battery life for these fancy things?" Some people will say yes, but as more and more alternatives arrive, Flash may well go onto oblivion faster than most people imagine if they do not address these issues. The fact remains, more and more people started using some sort of flash Blocker.
Yes, Adobe needs to agree that they failed to improve Flash but they can win many peoples heart by showing that they are willing to do it. If they rely on the popularity of Flash, the dooms day is not far away.
@LHC
Oh fragmentation, really?
And browsers are not fragmented?
Does IE8 have full support for HTML5?
Point is that you can choose what implementation to use or make your own if you are not happy with the existing ones.
But you seem to think Adobes offering is superior, in which case I would suggest using that.