New Adobe Flash Vulnerabilities Being Actively Exploited On Windows and OS X 167
Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."
Re:Huh? (Score:5, Insightful)
>Who in their right mind opens a Word doc from and unknown source
The idiot secretary in the next office over, or the next floor down.
Then the payload mines her email addresses and sends you "Minutes from meeting" or some similar crap. So now instead of having an email from an unknown person you get an email from someone you'd expect to get word documents from. Hopefully you are in a company that has decent A/V on incoming mail, most small businesses don't.
LOL ... (Score:4, Insightful)
Or, don't even run it. Flash has been a security and privacy hole for a decade or more.
I refuse to install it except on work machines where I periodically have to use it for something I can't avoid.
Yet another exploit? I'd like to say I'm shocked, but that would be a lie.
Re:And replace it with what? (Score:5, Insightful)
Can you tell us what that is?
For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.
Comment removed (Score:2, Insightful)
Re:And replace it with what? (Score:5, Insightful)
There's a reason Flash is the world's most popular online multimedia platform.
Yes. DRM.
Re:Why is it so bad? (Score:5, Insightful)
Probably because there is not much you can do to fix a fundamentally bad idea. Think of it like all the various attempts to make smoking 'healthy' at the end of day intentionally sucking combustion gases into your lungs just is not good for you, no matter how low tar, free of synthetic chemicals etc you make it.
What does flash do? It executes code from unknown origin on your machine. That has never been a good idea; even if in some cases you can't get around needing to do it. Flash has more problems though it can't be fully sandbox'ed without breaking all those old apps, it needs to be able to do things like read files, open sockets connections, etc.
Re:And replace it with what? (Score:5, Insightful)
And replace it with what? The atrocity also known as HTML5 which is not write once run anywhere, is an absolute bear to code and despite the hype is nowhere near suitable for gaming yet?
It's true that for this one particular use-case, Flash may still have an edge against open technologies. But 99% of the Flash on the web is either ads or videos. We don't want to see the ads anyway, and HTML5 makes embedding videos without Flash in a standards-compliant fashion relatively easy. And remember, if your site relies upon Flash, no one with an iDevice will be able to use it correctly. And that's not going to change. In contrast, HTML5 videos work fine on both desktop browsers and portable devices.
If the only thing Flash is good for is some types of online gaming, then many users don't need it at all, and for those who do, it should be set by default to use a whitelist and only permit the plugin to be invoked on domains that are specifically authorized by the user.