April 16, 2008
"Flash vulnerability" story
"Flash vulnerability" story: I'm bumping this up to my weblog, because OS News requires membership for comments, and their source, Thomas Ptacek, has not yet published the comment I submitted. The Mark Dowd paper describes an issue which was addressed in the current Player, v9.0.124. None of the numerous paragraphs describing the horrors seems to mention this, and because these blogs don't support open comments, they may not hear unless they get publicly called out on it. It'd be better if they had open conversations on their weblogs, though... would serve their readers better.
Update 9pm PDT: The Ptacek/Matasano link got picked up by Microsoft's Larry Osterman, via Robert Hensing. Neither has advised their readers that this vulnerability is addressed in the current Player. I do not see the full story in comments at OSNews, although Ben Lucyk got it in a trackback there. (Thanks, Ben!)
Check out the comments at Matasano and OSNews... lots of "proprietary garbage" type of prejudice. The reality is that these people are not harvesting information effectively, not analyzing their harvested information effectively, and not responding to feedback effectively.
Update Thu Apr 17 8am PDT: ZDNet Security Blog ran with the story last night. The guy spent paragraphs writing about basketball games and his mother, but never even checked Adobe sources to see the problem was already addressed. He is part of the problem which must be fixed... our world is taken up too much by those who speak too much, yet do not listen, do not question.
(Thanks to "Skila", a member of OSNews, who added in comments "This was fixed in the latest version of Flash Player - released 8 April 2008 so this is olds not news.")
Followup: I got an internal email last night that the ZDNet reporter did mention "new version" down towards the bottom of his text.
Update Sat Apr 19, noon PDT: It seems that most of the conversation now is focusing on the vulnerability in coding practices, rather than the Flash aspects... Computerworld had the "Adobe already fixed it" datum as the first sentence in the fourth paragraph, and with this highlighting, subsequent reporters have followed suit. Even the Slashdot discussion is more about the coding than about the Player.
I want to emphasize that the original discoverer, Mark Dowd, did act in good faith -- he notified Adobe security, and published his whitepaper only after the Player changes were public. He helped everyone by handling this the way he did. (I also understand how the early bloggers were excited by the coding acrobatics, but I wish they had clearly advised concerned readers to keep their software current. The increasing moderation of useful blog comments is a separate issue. No blame, just room for increased openness.)
Update Mon Apr 21 8am PDT: Most of the followup reports do a little bit of research, but today's BBC account is another lengthy personal reaction to the Matasano paper and the new type of coding exploit, and despite its length and extraneous details, does not advise readers that they should just update to the software already available. (Meanwhile, in comments below, the original popularizer wants me to retract that I submitted a comment there which was not published, even though he hasn't published it yet, nor amended the article to include the vital non-inflammatory news that the vulnerability was addressed before the publicity.)
Posted by JohnDowdell at April 16, 2008 02:25 PM
Comments
There are almost 40 comments on the blog posts you've referenced; our blog comments are open (like most open blogs, we filter only spam). And, of course, you have this blog to comment from as well. Hope that helps clear things up.
[jd sez: If you see my prior comment in the moderation queue, then please let it free, thanks. (Oh, and if you can put up at the top "This problem only occurs in older Players" then that'd be helpful too, thanks.)]
Posted by: Thomas Ptacek at April 16, 2008 03:25 PM
Sorry I didn't include that - I didn't have a URL for the update when I wrote the article, but I should have. I will update the article to point to your link.
[jd sez: Thanks, Larry! It's a vulnerability which is getting more attention now, so knowing that it's already addressed would help many. Appreciate it! 8) ]
Posted by: Larry Osterman at April 16, 2008 10:11 PM
JD, you might want to have someone check the Adobe update site - I just tried to install the fix on my Vista x64 machine and while it apparently tried to update the plugin after running the update, it was still the 9.0.115.0 version after the update. According to your bulletin, that version is still vulnerable.
[jd sez: IE? The ActiveX Control can be registered for a session, and requires restart to unregister and discard. Similar situation?]
Posted by: Larry Osterman at April 16, 2008 10:25 PM
I've got a comment pending at Mike Shaver's blog, and I'll copy the text here in case it never quite arrives there:
Howdy Mike, the Mike Dowd paper was actually released after the condition was addressed, in Adobe Flash Player 9.0.124. The Matasano paper, as well as other articles, did not advise that people concerned about the issue simply update their internet software.
I left a comment at the originating blog, but it never made it out of the moderation queue. The author knows about the omission, but has not corrected his report. More background here:
http://weblogs.macromedia.com/jd/archives/2008/04/flash_vulnerabi.cfm
tx, jd/adobe
Posted by: John Dowdell at April 17, 2008 02:55 PM
Den Ivanov, who is (like me) listed in MXNA, reported it as "very scary". He has not yet published my comment there, without feedback as to how long it might take to approve the comment.
It's lengthy, but omits that this potential vulnerability was already addressed in Player 9.0.124. It does frighten people, and encourage prejudice, but does not tell people what they can do to avoid the issue.
I left comments there when it appeared, but the blogwriter has not published them. More info here:
http://weblogs.macromedia.com/jd/archives/2008/04/flash_vulnerabi.cfm
jd/adobe
Posted by: John Dowdell at April 18, 2008 08:04 AM
Would you mind retracting, in the text of your original blog post and not in an inline edit to my own comments, the assertion that our blog "moderated out" one of your comments?
[jd sez: The quote was "I'm bumping this up to my weblog, because OS News requires membership for comments, and their source, Thomas Ptacek, has not yet published the comment I submitted." I could update that if the comment did get published (73 comments there now, but not mine). Or if the comment was lost, an update to the post advising that people get the current software could help. My basic goal is to make sure that those who are concerned simply protect themselves, by updating to the version already released, thanks.]
You've now written and updated a story about how security blogs are increasingly preventing the free flow of information about your employer's product, on your employer's masthead. None of that is true. As it pertains to my blog, I've directly refuted it. Please issue a correction. It's what any of us would do for you if roles were reversed.
Posted by: Thomas Ptacek at April 20, 2008 09:48 AM
So far as I know, we're fully up-to-date with approving non-spam comments. Like the vast majority of WordPress blogs, we use Akismet to filter out grievously spammy comments. Perhaps you did something to trip that up? As a blogger yourself, you can understand why I'm not going to wade through the 323,051 spam comments currently trapped by our filter.
Or, perhaps it was simple operator error, and your comment was not in fact submitted.
What is doubtful is that you submitted any comment that we purposely suppressed.
Since I've now cleared that matter up, and you don't seem interested in correcting your story, I'll leave you to your audience of Flash users, and I'll attend to my audience of security professionals, and we'll meet again the next time someone finds a way to make Flash steal people's computers.
[jd sez: Like I said, I don't know how it was not published, only that it was not, and that multiple requests to prominently include the info that this vulnerability was already addressed in the current version have been denied. If you include either the (lost?) comment or the core info, then I'll be happy to update this entry with the word, thanks.]
Posted by: Thomas H. Ptacek at April 21, 2008 09:14 PM