#1 2010-10-29 21:52:24

sultanoswing
Member
Registered: 2008-07-23
Posts: 314

[solved] 0-day Flash Player vulnerability - ALL PLATFORMS

Couldn't post this on the security announcements obviously, so here goes:

There is a critical 0-day exploit in Adobe Flash, meaning PDFs are potential vectors since they can allow embedded Flash files.

Adobe is planning a patch in 2 WEEKS at this time (unless prompted or necessitated to do so sooner).

http://www.zdnet.com/blog/security/adob … o-day/7598

Recommended action at this time is to uninstall flashplayer until the vuln. is patched.

http://www.adobe.com/support/security/a … 10-05.html

Last edited by sultanoswing (2010-12-18 00:46:04)


6.5.3.arch1-1(x86_64) w/Gnome 44.4
Arch on: ASUS Pro-PRIME x470, AMD 5800X3D, AMD 6800XT, 32GB, | Intel NUC 7i5RYK | ASUS ux303ua | Surface Laptop

#2 2010-10-29 21:59:28

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,804

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

Unless I am missing something, the attack vector is against Reader / Acrobat and the patch is to spike the autoplay capability in Reader / Acrobat.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

#3 2010-10-29 22:20:59

hokasch
Member
Registered: 2007-09-23
Posts: 1,461

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

Flash autoplay inside PDFs?! madness

#4 2010-10-29 22:21:44

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,600
Website

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

Thanks for posting.  Use the pre-release package from the AUR.  As I read it, that is not affected.

http://aur.archlinux.org/packages.php?ID=32072

Affected software versions
* Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems

CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs

#5 2010-10-29 22:22:45

hokasch
Member
Registered: 2007-09-23
Posts: 1,461

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

better yet, don't install adobe reader/acrobat

adobe bulletin wrote:

Adobe is not currently aware of attacks targeting Adobe Flash Player.

Last edited by hokasch (2010-10-29 22:23:57)

#6 2010-10-30 04:35:01

sultanoswing
Member
Registered: 2008-07-23
Posts: 314

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

graysky wrote:

Thanks for posting.  Use the pre-release package from the AUR.  As I read it, that is not affected.

http://aur.archlinux.org/packages.php?ID=32072

Affected software versions
* Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems

You'd probably be reading it wrong, since Adobe was only aware of the exploit a day or two ago - well after even that pre-release build. Hence they would have had no reason to include any as-yet-to-be-coded patch.

Last edited by sultanoswing (2010-10-30 04:36:06)



#7 2010-10-30 04:40:17

sultanoswing
Member
Registered: 2008-07-23
Posts: 314

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

hokasch wrote:

better yet, don't install adobe reader/acrobat

adobe bulletin wrote:

Adobe is not currently aware of attacks targeting Adobe Flash Player.

But others are. This is Adobe covering to prevent mass panic. The vuln. exists in Flash primarily. Believe me, with a patch 2 weeks away and the ubiquity of Flash, you better believe it's going to get hit by the end of this weekend. Do you feel lucky?



#8 2010-10-30 05:31:09

Anonymo
Member
Registered: 2005-04-07
Posts: 427
Website

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

I use Okular + Okularplugin-git anyways

#9 2010-10-31 12:28:23

litemotiv
Forum Fellow
Registered: 2008-08-01
Posts: 5,026

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

Not an Arch Discussion, moving to Workstation User.


ᶘ ᵒᴥᵒᶅ

#10 2010-10-31 23:12:43

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

From the announcement it would seem that authplay.dll is needed for the exploit and that is shipped with reader not flash ... but who knows.

I'd guess that any new security problem affects all flash versions ... it seems to be a bottomless pit of security holes :P


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

#11 2010-11-01 19:20:36

aardwolf
Member
From: Belgium
Registered: 2005-07-23
Posts: 304

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

I hope the chances that someone would make a Flash file that exploits this on LINUX are pretty slim.

#12 2010-11-03 06:54:11

sultanoswing
Member
Registered: 2008-07-23
Posts: 314

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

litemotiv wrote:

Not an Arch Discussion, moving to Workstation User.

And not to Security Announcements?



#13 2010-11-03 22:00:19

litemotiv
Forum Fellow
Registered: 2008-08-01
Posts: 5,026

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

sultanoswing wrote:

And not to Security Announcements?

That is up to the maintainers to decide, if they feel the matter is urgent enough they will pull the package (like they did before).



#14 2010-11-04 07:09:23

sultanoswing
Member
Registered: 2008-07-23
Posts: 314

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

update:

Fix for Flashplayer hopefully arriving tomorrow... but how long it takes to get into Arch, or the AUR flashplugin-prerelease package is another matter.

The PDF 'sploit via Adobe Reader still won't be patched until 9th November.



#15 2010-11-04 11:25:30

moljac024
Member
From: Serbia
Registered: 2008-01-29
Posts: 2,676

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

So don't use Adobe reader?


The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...

#16 2010-11-05 00:16:40

sultanoswing
Member
Registered: 2008-07-23
Posts: 314

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

moljac024 wrote:

So don't use Adobe reader?

At least not until the patch has been implemented. There are plenty of other non-vulnerable, open-source PDF readers out there.



#17 2010-11-05 08:07:20

sultanoswing
Member
Registered: 2008-07-23
Posts: 314

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

A patch has been released by Adobe, but not yet for 64-bit versions. Sigh.

http://www.adobe.com/support/security/b … 10-26.html



#18 2010-12-18 00:45:40

sultanoswing
Member
Registered: 2008-07-23
Posts: 314

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

Patched versions for 64-bit "Square" Prerelease 3 now available from Adobe Labs: http://labs.adobe.com/downloads/flashpl … quare.html

Confirmed as patching APSB10-26: http://forums.adobe.com/thread/744888?tstart=0



#19 2010-12-18 01:43:49

skunktrader
Member
From: Brisbane, Australia
Registered: 2010-02-14
Posts: 1,543

Re: [solved] 0-day Flash Player vulnerability - ALL PLATFORMS

sultanoswing wrote:

Patched versions for 64-bit "Square" Prerelease 3 now available from Adobe Labs: http://labs.adobe.com/downloads/flashpl … quare.html

Confirmed as patching APSB10-26: http://forums.adobe.com/thread/744888?tstart=0

It's been in the AUR for more than 2 weeks
