US-CERT: Adobe Flash and AIR vulnerabilities can allow hackers to take control of your computer

The United States Computer Emergency Readiness Team (US-CERT) has used the National Cyber Alert System to issue a Cyber Security Alert (SA10-223A) regarding flaws in Adobe Flash and AIR.

Systems Affected
• Adobe Flash Player
• Adobe AIR

US-CERT’s alert also states that “other Adobe products that support Flash may also be vulnerable.”

According to the alert, “there are vulnerabilities in Adobe Flash player and AIR. An attacker could exploit these vulnerabilities to take control of your computer.”

Solution

Update Flash Player and Adobe AIR

Adobe Security Bulletin APSB10-16 recommends updating using the Adobe Flash Player Download Center and the Adobe AIR Download Center. Both Flash Player and AIR support automatic updates. Following these instructions will update the Flash web browser plug-in and ActiveX control, as well as AIR. However, it will not update Flash support in Adobe Reader, Acrobat, or other products.

To reduce your exposure to these and other Flash vulnerabilities, consider the following mitigation technique.

Disable Flash in your web browser

Uninstall Flash or restrict which sites are allowed to run Flash. To the extent possible, only run trusted Flash content on trusted domains. For more information, see Securing Your Web Browser. Note that disabling Flash may affect your browsing experience on certain websites.
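Because the update step above patches only the browser plug-in and ActiveX control, an administrator checking a fleet of Macs needs a way to confirm the installed plug-in version actually meets the bulletin’s fixed version. The script below is an added example, not part of the US-CERT alert or of Adobe’s tooling. It assumes the plug-in lives at the standard macOS path shown and reads its CFBundleShortVersionString with the system’s defaults tool; MIN_VERSION is a placeholder, to be replaced with the fixed version given in Adobe bulletin APSB10-16. A plug-in whose version cannot be read is reported as outdated rather than current.

```shell
#!/bin/sh
# Added example (not from the alert or from Adobe): report whether the
# installed Flash Player browser plug-in meets a required minimum version.
# Assumptions: the plug-in path below is the standard macOS install location,
# and MIN_VERSION is a placeholder for the fixed version in APSB10-16.

PLUGIN_PLIST="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"
MIN_VERSION="${MIN_VERSION:-0.0.0.0}"   # placeholder; set from the bulletin

# version_ge A B: succeed (exit 0) when dotted version A is >= dotted version B.
# Components are compared numerically, missing trailing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# installed_flash_version: print the plug-in version, "none" when the plug-in
# is absent, or "unknown" when the plist exists but the key cannot be read.
installed_flash_version() {
    if [ -f "$PLUGIN_PLIST" ]; then
        defaults read "${PLUGIN_PLIST%.plist}" CFBundleShortVersionString 2>/dev/null \
            || echo "unknown"
    else
        echo "none"
    fi
}

# flash_status VERSION MIN: print "absent", "current" or "outdated".
# An unreadable version fails closed and is treated as outdated.
flash_status() {
    case "$1" in
        none)    echo "absent" ;;
        unknown) echo "outdated" ;;
        *)       if version_ge "$1" "$2"; then echo "current"; else echo "outdated"; fi ;;
    esac
}

# Usage: sh flash_check.sh --check   (MIN_VERSION=x.y.z.w in the environment)
if [ "${1:-}" = "--check" ]; then
    v=$(installed_flash_version)
    echo "Flash Player plug-in: $v -> $(flash_status "$v" "$MIN_VERSION")"
fi
```

The comparison is done in awk rather than with sort -V because the macOS sort shipped at the time does not support version sorting; the same version_ge function can be reused against the AIR framework’s Info.plist by changing the path.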

US-CERT’s alert explains, “Adobe Security Advisory APSB10-16 describes vulnerabilities in Flash Player and AIR. Flash content could be on a web page, in a PDF document, in an email attachment, or embedded in another file. By convincing you to open malicious Flash content, an attacker may be able to take control of your computer or cause it to crash.”

References:

• Adobe Security Bulletin APSB10-16 – http://www.adobe.com/support/security/bulletins/apsb10-16.html
• Adobe Flash Player Download Center – http://get.adobe.com/flashplayer/
• Adobe AIR Download Center – http://get.adobe.com/air/
• Securing Your Web Browser – http://www.us-cert.gov/reading_room/securing_browser/

Source: US-CERT National Cyber Alert System, Cyber Security Alert SA10-223A

MacDailyNews Take: Being Flash-free is a selling point.

Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.

In addition, Flash has not performed well on mobile devices. We have routinely asked Adobe to show us Flash performing well on a mobile device, any mobile device, for a few years now. We have never seen it. Adobe publicly said that Flash would ship on a smartphone in early 2009, then the second half of 2009, then the first half of 2010, and now they say the second half of 2010. We think it will eventually ship, but we’re glad we didn’t hold our breath. Who knows how it will perform?

Apple CEO Steve Jobs, Thoughts on Flash, April, 2010

[Thanks to MacDailyNews Reader “Carl H.” for the heads up.]

22 Comments

  1. Safari on my almost 10-year-old Cube has new life thanks to Click-To-Flash. I see a speed improvement even on Flash-free websites if another tab is open to a site that uses Flash.

  2. Ditto on the Click2Flash luv.

    Also, if you are stuck on Winblows at work but use Safari, there is a nifty plug-in for Safari that will do basically the same thing. Sorry I don’t remember the name but I *think* I found it on Apple’s plug-in page.

  3. Thanks Adobe!

    I hope you fu**ing die a horrible death! I think that every time Photoshop stalls for 5 minutes when I try adding a layer effect to a vector graphic (on a MacPro with 12gb of ram and a RAID-0 scratch volume). Or any time I read an update regarding the investigations into Apple’s not allowing Flash on their iDevices that you b*tched about and started (even though Flash isn’t even available on such devices).

    Maybe one of these days AutoDesk, or some other decent software manufacturer will give you a run for your money and produce a decent design suite. In the meantime, f*ck the hell off!

  4. NoScript combined with Ghostery and BetterPrivacy add-ons for Firefox offer much more protection than a simple Flash firewall.

    There is this thing called Flash cookies (LSOs) that are not deleted by a browser. So all sites tap these Flash cookies to see where you have been. BetterPrivacy will delete those everlasting Flash cookies every time you quit.

    Ghostery is a web bug blocker, quite alarming when one finds out how many there are on pages. Must be updated and enabled first.

    NoScript not only doesn’t allow Flash to run unchecked, but Java and JavaScript too, plus a whole bunch of other scams and tricks, like tab hijacking, click pinging, cross-site scripting attacks etc. It’s the best web cop software available.

    Advertising can be used as a malware angle, thus there is Ad Block Plus. It needs to subscribe to a free subscription list included.

    All these add-ons for Firefox are free and will allow you to white list your favorite sites you trust so they work as intended and/or get their advertising revenue.

    For the more paranoid, there is RequestPolicy and Track Me Not.

    Also if you insist on using Safari, you should TURN OFF everything in Adobe Flash Settings Manager. It is WEB BASED!

    Link is here or Google it yourself

    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html

  5. Anyone who uses Air is an idiot. It is already a given that it is a security risk. It is also slow, buggy, and does not support the platform’s native user interface.

    As for Flash, I cannot wait for the death of it.

  6. what a way for the Gov’t to contradict itself… “not allowing flash”… yet flash is a security risk…

    FTC and EU just found enough reason to dump Adobe’s and whining consumers’ complaints… At the same time, Apple should allow consumers the choice… BUT make it clear that the user is responsible…. and not legally bind Apple for Flash related problems.

  7. ‘BSOD’ asks: “Does anyone have statistics on exactly how many security holes have been opened up by Flash, Air, and PDF? I think that we need to see that stat.”

    You can dig around at the CVE site for each of them. CVE stands for Common Vulnerabilities and Exposures. It keeps track of each reported software security problem:

    http://cve.mitre.org/

    Wikipedia.org also covers each of them and gives a general description of their security:

    Adobe Flash: “As of May 17, 2010, The Flash Player has 77 CVE entries, 34 of which have been ranked with a high severity (leading to arbitrary code execution), and 40 ranked medium.”

    Adobe PDF: “On March 30, 2010 security researcher Didier Stevens reported an “exploit” that causes an arbitrary executable to be run when a PDF file is opened, after the user accepts a warning prompt. The exploit works in several different PDF viewers including Adobe Reader and Foxit Reader.”

    And, earlier this year Adobe were embarrassed into creating the Adobe Product Security Incident Response Team (PSIRT). You can keep up with their blog here:

    http://blogs.adobe.com/psirt/

    Adobe maintain their Security Bulletins and Advisories page, going back to 2005, here:

    http://www.adobe.com/support/security/

    • There are approximately 88 Adobe Flash security bulletins.
    • There are 6 Adobe PDF security bulletins.
    • There are over 100 Adobe Acrobat security bulletins.
    • There are over 100 Adobe Reader security bulletins.
    • The only Adobe AIR related bulletin is the Adobe Flash bulletin from June 10, 2010.
