Solve : Newest Adobe Flash Exploit?

1.	Solve : Newest Adobe Flash Exploit?
Answer» To early to say, but the following might turn out to be an issue. (Or it is just over reaction and has nothing to do with anything else.) Quote Newest Adobe Flash 11.1.102.55 and Previous 0 Day Exploit A researcher has published some information about two new previously unknown vulnerabilities that appear to be exploitable in Adobe Flash version 11.1.102.55 and previous. Adobe has not yet released an advisory. There is no patch or workaround for the vulnerabilities. As far as I know there have not been any IDS/IPS or anti-virus signatures released yet for the exploit .... Myself, I ignore all the pop ups that say I need a new flash. I will get it only if I need it. And I will do it myself. Quote from: Geek-9pm on December 09, 2011, 01:59:23 AM Myself, I ignore all the pop ups that say I need a new flash. I will get it only if I need it. And I will do it myself. Do you get those pop ups a lot? What version of flash player do you have? Why don't you like to keep your software up to DATE?I find that Adobe is a royal pain as they almost daily seem to be producing "updates'. Too bad they just wouldn't take the time to get it "right" and then publish.Like Geek i have stopped doing the updates as they arrive and will only do so if i see a deterioration in performance which might be associated with their program.truenorthWhile I prefer maintaining control of updates installed in computers, I disagree with the notion of sticking with old versions of Adobe Flash Player. This exploit affects version 11.1.102.55 and Previous. So, if you continue using an older version after Adobe releases an update with a patch for this vulnerability, then you're still vulnerable. Couldn't agree more Soybean... Quote from: Geek-9pm on December 09, 2011, 01:59:23 AM (Or it is just over reaction and has nothing to do with anything else.)Myself, I ignore all the pop ups that say I need a new flash. I will get it only if I need it. And I will do it myself. I, on the other hand, agree with this, unlike everybody else. Why? First, I think every "vulnerability warning" is a lot of hot air. How many people can say with any certainty that they were affected by a given vulnerability? PARTICULARLY with regards to flash. The best most people can think of is how some person they know had a trojan and that they think it was a vulnerability. Take a look at the list of requirements for your average exploit/vulnerability. In this case, you've got what is pretty much the lowest bar to entry, which basically just requires the accessing of a Flash document (SWF). But think about it. If somebody was "serious" about security, they would either have flash disabled or only have it enabled for sites they trust. And I cannot think of a reason not to at least do the latter. In that case, the only way for a the exploit to work would be if the swf was existent on a trusted domain. And that is the "lowest" barrier to entry. A lot of them require carefully crafted cookies, special network conditions, insane URL strings to be specified, parameters to be passed via a PHP post and other nonsense that ought to push it out of the realm of "dangerous vulnerability" to trivial sidebar. All these "vulnerability" warnings serve to do is line the pockets of AV vendors who thrive off Fear, Uncertainty and Doubt about Viruses, malware, and how it all fits together. Now, with things like Windows, updating is relatively painless. Heck most of it can be done automatically. Personally I have it set to download automatically and then I install when I get a GOOD chance to reboot. But otherwise, it requires very little interaction. updating Adobe Flash is just plain idiotic. First off, I have to use some braindead custom installer hand-crafted by a few specially trained monkeys kept in Adobe's Banana room, which stops working if I happen to have the gall to break any of it's myriad false assumptions. Even before that the trouble begins. In order to download the bloody thing you have to fill out these short forms, and make sure to tell it that "No, you don't want to line Adobe's pockets with ad revenue from Mcaffee for pretending to do a scan and installing software on your machine". If you are lucky, the installer will actually start and install, at which point it will tell you to close half the programs you are running (Firefox, Thunderbird, Internet Explorer, Visual Studio, and a few others in my case). And if you have the luck of a 5-footed rabbit you might actually get through that point without issues, at which point it will steadfastly insist that you reboot. Why? I don't know. This is adobe they have an importance complex, they like to think of Flash as a "critical OS component" for whatever reason. And then when you reboot of course you find that they 'helpfully' installed an "update manager" which is a pointless piece of software that does absolutely nothing useful, since the most it can do is say "you should download a new version" but anybody can write that by just having it say that once every week. Which is part of the problem, repeating this idiotic routine once a month might be tolerable but the fact is that you need to usually go through it once every week if you want to "stay updated" which if you ask me is overrated anyway. for every update they are going to fix some vulnerabilities but no doubt they are going to introduce new ones that nobody knows about anyway. The evil you know about is better than the ones you don't if you ask me. Quote Why don't you like to keep your software up to date? With every new version they document some fixes. But they also add new bugs, new vulnerabilities, expose old vulnerabilities, accidentally introduce configuration errors that allow for exploits, and so on and so forth. The net difference is that there are just as many PROBLEMS, it's just that fewer people know about them. And the fact is that the "bad guys" know about them a lot faster than anybody else. I prefer to know about the vulnerabilities so I can use various other sane methods to prevent them from being "exploited" (as if there are anything but isolated incidents of that HAPPENING these days), rather than assume that the newest version is invincible. BC, A great deal more meat on the bone than this "I find that Adobe is a royal pain as they almost daily seem to be producing "updates'." but then with this ".Like Geek i have stopped doing the updates as they arrive ". Your statement "I, on the other hand, agree with this, unlike everybody else." Would tend to not acknowledge that there are in fact "somebody else" (two at least that we know of). truenorth Quote from: truenorth on December 09, 2011, 05:38:58 PM BC, A great deal more meat on the bone than this "I find that Adobe is a royal pain as they almost daily seem to be producing "updates'." but then with this ".Like Geek i have stopped doing the updates as they arrive ". Your statement "I, on the other hand, agree with this, unlike everybody else." Would tend to not acknowledge that there are in fact "somebody else" (two at least that we know of). truenorth I only glanced over the previous posts. All I really saw was a variety of "your crazy" and "why don't you update" type replies. I'm sorry if my omission of "almost" before "everybody" has made you feel excluded from the group.

Answer»

To early to say, but the following might turn out to be an issue.
(Or it is just over reaction and has nothing to do with anything else.)
Quote

Newest Adobe Flash 11.1.102.55 and Previous 0 Day Exploit
A researcher has published some information about two new previously unknown vulnerabilities that appear to be exploitable in Adobe Flash version 11.1.102.55 and previous. Adobe has not yet released an advisory. There is no patch or workaround for the vulnerabilities. As far as I know there have not been any IDS/IPS or anti-virus signatures released yet for the exploit ....

Myself, I ignore all the pop ups that say I need a new flash. I will get it only if I need it. And I will do it myself. Quote from: Geek-9pm on December 09, 2011, 01:59:23 AM

Myself, I ignore all the pop ups that say I need a new flash. I will get it only if I need it. And I will do it myself.

Do you get those pop ups a lot?

What version of flash player do you have?

Why don't you like to keep your software up to DATE?I find that Adobe is a royal pain as they almost daily seem to be producing "updates'. Too bad they just wouldn't take the time to get it "right" and then publish.Like Geek i have stopped doing the updates as they arrive and will only do so if i see a deterioration in performance which might be associated with their program.truenorthWhile I prefer maintaining control of updates installed in computers, I disagree with the notion of sticking with old versions of Adobe Flash Player. This exploit affects version 11.1.102.55 and Previous. So, if you continue using an older version after Adobe releases an update with a patch for this vulnerability, then you're still vulnerable. Couldn't agree more Soybean... Quote from: Geek-9pm on December 09, 2011, 01:59:23 AM

(Or it is just over reaction and has nothing to do with anything else.)Myself, I ignore all the pop ups that say I need a new flash. I will get it only if I need it. And I will do it myself.

I, on the other hand, agree with this, unlike everybody else.

Why? First, I think every "vulnerability warning" is a lot of hot air. How many people can say with any certainty that they were affected by a given vulnerability? PARTICULARLY with regards to flash. The best most people can think of is how some person they know had a trojan and that they think it was a vulnerability. Take a look at the list of requirements for your average exploit/vulnerability. In this case, you've got what is pretty much the lowest bar to entry, which basically just requires the accessing of a Flash document (SWF). But think about it. If somebody was "serious" about security, they would either have flash disabled or only have it enabled for sites they trust. And I cannot think of a reason not to at least do the latter. In that case, the only way for a the exploit to work would be if the swf was existent on a trusted domain.

And that is the "lowest" barrier to entry. A lot of them require carefully crafted cookies, special network conditions, insane URL strings to be specified, parameters to be passed via a PHP post and other nonsense that ought to push it out of the realm of "dangerous vulnerability" to trivial sidebar. All these "vulnerability" warnings serve to do is line the pockets of AV vendors who thrive off Fear, Uncertainty and Doubt about Viruses, malware, and how it all fits together.
Now, with things like Windows, updating is relatively painless. Heck most of it can be done automatically. Personally I have it set to download automatically and then I install when I get a GOOD chance to reboot. But otherwise, it requires very little interaction.

updating Adobe Flash is just plain idiotic. First off, I have to use some braindead custom installer hand-crafted by a few specially trained monkeys kept in Adobe's Banana room, which stops working if I happen to have the gall to break any of it's myriad false assumptions. Even before that the trouble begins. In order to download the bloody thing you have to fill out these short forms, and make sure to tell it that "No, you don't want to line Adobe's pockets with ad revenue from Mcaffee for pretending to do a scan and installing software on your machine". If you are lucky, the installer will actually start and install, at which point it will tell you to close half the programs you are running (Firefox, Thunderbird, Internet Explorer, Visual Studio, and a few others in my case). And if you have the luck of a 5-footed rabbit you might actually get through that point without issues, at which point it will steadfastly insist that you reboot. Why? I don't know. This is adobe they have an importance complex, they like to think of Flash as a "critical OS component" for whatever reason. And then when you reboot of course you find that they 'helpfully' installed an "update manager" which is a pointless piece of software that does absolutely nothing useful, since the most it can do is say "you should download a new version" but anybody can write that by just having it say that once every week. Which is part of the problem, repeating this idiotic routine once a month might be tolerable but the fact is that you need to usually go through it once every week if you want to "stay updated" which if you ask me is overrated anyway. for every update they are going to fix some vulnerabilities but no doubt they are going to introduce new ones that nobody knows about anyway. The evil you know about is better than the ones you don't if you ask me.

Quote

Why don't you like to keep your software up to date?

With every new version they document some fixes. But they also add new bugs, new vulnerabilities, expose old vulnerabilities, accidentally introduce configuration errors that allow for exploits, and so on and so forth. The net difference is that there are just as many PROBLEMS, it's just that fewer people know about them. And the fact is that the "bad guys" know about them a lot faster than anybody else. I prefer to know about the vulnerabilities so I can use various other sane methods to prevent them from being "exploited" (as if there are anything but isolated incidents of that HAPPENING these days), rather than assume that the newest version is invincible.

BC, A great deal more meat on the bone than this "I find that Adobe is a royal pain as they almost daily seem to be producing "updates'." but then with this ".Like Geek i have stopped doing the updates as they arrive ". Your statement "I, on the other hand, agree with this, unlike everybody else." Would tend to not acknowledge that there are in fact "somebody else" (two at least that we know of). truenorth Quote from: truenorth on December 09, 2011, 05:38:58 PM

BC, A great deal more meat on the bone than this "I find that Adobe is a royal pain as they almost daily seem to be producing "updates'." but then with this ".Like Geek i have stopped doing the updates as they arrive ". Your statement "I, on the other hand, agree with this, unlike everybody else." Would tend to not acknowledge that there are in fact "somebody else" (two at least that we know of). truenorth

I only glanced over the previous posts. All I really saw was a variety of "your crazy" and "why don't you update" type replies. I'm sorry if my omission of "almost" before "everybody" has made you feel excluded from the group.

Solve : Newest Adobe Flash Exploit?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment