Couldn't post this on the security announcements obviously, so here goes:
There is a critical 0-day exploit in Adobe Flash, meaning PDFs are potential vectors since they can allow embedded Flash files.
Adobe is planning a patch in 2 WEEKS at this time (unless prompted or necessitated to do so sooner).
http://www.zdnet.com/blog/security/adob … o-day/7598
Recommended action at this time is to uninstall flashplayer until the vuln. is patched.
http://www.adobe.com/support/security/a … 10-05.html
Last edited by sultanoswing (2010-12-18 00:46:04)
6.5.3.arch1-1(x86_64) w/Gnome 44.4
Arch on: ASUS Pro-PRIME x470, AMD 5800X3D, AMD 6800XT, 32GB, | Intel NUC 7i5RYK | ASUS ux303ua | Surface Laptop
Offline
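Added example, not part of the original post: a defensive triage check for the point above that PDFs can carry embedded Flash. It assumes Flash sits in a rich-media annotation (`/RichMedia`, with a `/Flash` instance subtype); those token names and all function names are assumptions not taken from the thread. Encrypted files and streams using filters other than FlateDecode are not inspected.

```python
import re
import zlib

# PDF name tokens (assumed from the PDF rich-media extension, not from the
# thread): /RichMedia is the annotation subtype, /Flash the instance subtype.
SUSPECT_NAMES = (b"/RichMedia", b"/Flash")

def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes, which PDF permits inside name tokens."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes):
    """Yield the contents of every stream that inflates as zlib (FlateDecode)."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # different filter, encrypted, or not compressed

def find_rich_media(data: bytes) -> dict:
    """Count suspect tokens in the raw bytes and in inflated streams."""
    chunks = [decode_names(c) for c in (data, *inflate_streams(data))]
    counts = {}
    for name in SUSPECT_NAMES:
        # Whole-token match: /RichMedia, but not /RichMediaInstance
        token = re.compile(re.escape(name) + rb"(?![A-Za-z0-9])")
        counts[name.decode()] = sum(len(token.findall(c)) for c in chunks)
    return counts

def has_embedded_flash(data: bytes) -> bool:
    """True if any suspect token was found anywhere in the file."""
    return any(find_rich_media(data).values())

# Constructed sample: one hex-escaped annotation subtype in the clear and one
# Flash instance dictionary hidden inside a FlateDecode stream.
SAMPLE = (b"%PDF-1.7\n4 0 obj\n<< /Subtype /#52ichMedia >>\nendobj\n"
          b"6 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /Type /RichMediaInstance /Subtype /Flash >>")
          + b"\nendstream\nendobj\n%%EOF\n")
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    print(find_rich_media(SAMPLE), has_embedded_flash(CLEAN))
```

A hit is a reason to open the file only in a reader without Flash support, not a verdict that the file is malicious.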
Unless I am missing something, the attack vector is against Reader / Acrobat and the patch is to spike the autoplay capability in Reader / Acrobat.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
Flash autoplay inside PDFs?! Madness
Offline
Thanks for posting. Use the pre-release package from the AUR. As I read it, that is not affected.
http://aur.archlinux.org/packages.php?ID=32072
Affected software versions
* Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
better yet, don't install adobe reader/acrobat
Adobe is not currently aware of attacks targeting Adobe Flash Player.
Last edited by hokasch (2010-10-29 22:23:57)
Offline
Thanks for posting. Use the pre-release package from the AUR. As I read it, that is not affected.
http://aur.archlinux.org/packages.php?ID=32072
Affected software versions * Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
You'd probably be reading it wrong, since Adobe was only aware of the exploit a day or two ago - well after even that pre-release build. Hence they would have had no reason to include any as-yet-to-be-coded patch.
Last edited by sultanoswing (2010-10-30 04:36:06)
Offline
better yet, don't install adobe reader/acrobat
adobe bulletin wrote:Adobe is not currently aware of attacks targeting Adobe Flash Player.
But others are. This is Adobe covering to prevent mass panic. The vuln. exists in Flash primarily. Believe me, with a patch 2 weeks away and the ubiquity of Flash, you better believe it's going to get hit by the end of this weekend. Do you feel lucky?
Offline
I use Okular + Okularplugin-git anyways
Offline
Not an Arch Discussion, moving to Workstation User.
ᶘ ᵒᴥᵒᶅ
Offline
From the announcement it would seem that authplay.dll is needed for the exploit and that is shipped with reader not flash ... but who knows.
I'd guess that any new security problem affects all flash versions ... it seems to be a bottomless pit of security holes
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline
I hope the chances that someone would make a Flash file that exploits this on LINUX are pretty slim.
Offline
Not an Arch Discussion, moving to Workstation User.
And not to Security Announcements?
Offline
And not to Security Announcements?
That is up to the maintainers to decide, if they feel the matter is urgent enough they will pull the package (like they did before).
ᶘ ᵒᴥᵒᶅ
Offline
update:
Fix for Flashplayer hopefully arriving tomorrow... but how long it takes to get into Arch, or the AUR flashplugin-prerelease package is another matter.
The PDF 'sploit via Adobe Reader still won't be patched until 9th November.
Offline
So don't use Adobe reader?
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...
Offline
So don't use Adobe reader?
At least not until the patch has been implemented. There are plenty of other non-vulnerable, open-source PDF readers out there.
Offline
A patch has been released by Adobe, but not yet for 64-bit versions. Sigh.
Offline
Patched versions for 64-bit "Square" Prerelease 3 now available from Adobe Labs: http://labs.adobe.com/downloads/flashpl … quare.html
Confirmed as patching APSB10-26: http://forums.adobe.com/thread/744888?tstart=0
Offline
Patched versions for 64-bit "Square" Prerelease 3 now available from Adobe Labs: http://labs.adobe.com/downloads/flashpl … quare.html
Confirmed as patching APSB10-26: http://forums.adobe.com/thread/744888?tstart=0
It's been in the AUR for more than 2 weeks
Offline