I'm a bit confused about the title of this post. The actual title of the blog post is "Security Updates Available for Adobe Flash Player (APSB16-08)". The current HN link text is “Adobe is aware of a report that CVE-2016-1010 is being actively exploited”.
I can't help but think that the HN post has that title to give the impression that Adobe knows about an issue and isn't fixing it. But isn't this blog post an announcement about patches that have been deployed for people to install and Adobe included that line to emphasize the importance of the patch?
I think the intention here is to make people realize they should have disabled Flash a long time ago and use it only for a limited number of critical whitelisted websites (like banking sites built on Air). If you do otherwise, you're increasing the risk of being a victim of a malicious attack.
Wow, I can see it way now. I had first imagined a community of loyal Adobe fans wondering why Adobe hasn't addressed CVE-whatever-is-up-today and getting pitch-forky. I saw the title as a response to that: in the tone of "Yeah, folks, Adobe knows. Here's the fix, now calm the fuck down."
Adobe's attitude towards security is mediocre, possibly irresponsible. They know that Flash is being phased out, so they invest no effort. For 2014-15, they relied on Google Project Zero to find and sometimes even fix their security flaws.
I especially enjoy the ad for "another Adobe product I might enjoy" that they serve up at the end of the standard install process if you don't autoinstall. "Oh yes please, may I have another?"
Adobe is a business. They need to move on too. When companies like Microsoft or Adobe, for example, let users hang on for too long to legacy software, it hurts everyone.
It's not an easy process to stop maintaining software for such large companies.
Flash is still widely used, and so many websites still rely on it that it will take a lot of time to fully abandon it, so Adobe will still have to fix all security issues for years.
Completely disabled Flash in my main browser (Firefox) a couple months ago. The occasional video player doesn't have an HTML5 fallback, but otherwise it's all good.
I've got Chrome set to only run Flash when I explicitly allow it. (chrome://settings/content -> Plugins -> Let me choose when to run plugin content)
All plugins are blocked unless I right click on the area where they appear on-screen and click "Run this plugin". Over time I've found myself needing to do that less and less.
Is there a site which lists details of these CVE security issues? The closest thing I could find via google is cve.mitre.org but CVE-2016-1010 is "reserved" for future usage.
In this case Adobe is mentioning only the "registration number" of the vulnerability to avoid revealing publicly what the actual vulnerability is. Don't you feel safer already?
I am failing to download the signed key in Debian Linux when running update-flashplugin-nonfree from the flashplugin-nonfree package. (Key not maintained by Adobe...)
Meanwhile I just noticed that my Windows Firefox plugins for Reader DC are not 2015.010.20060 but .20056. I leave these completely disabled at all times anyway.
And nothing annoys me more than having to download the self-deleting autodownloader in Windows.
What a total waste of time for something I rarely use these days...
Adobe exploits are still a thing. I regularly get emails from Silicon Valley investors asking for me to open their PDF file which contains their proposal... I chuckle every time at that line, THERE'S SIMPLY NO WAY I'M GOING TO OPEN A PDF or visit a site with Flash turned on in 2016.
Is the PDF format itself broken, or just the awful Adobe Reader? There are dozens of PDF reader implementations, including all the major browsers. I cannot imagine they are all exploitable in the same way.
Early PDF was quite sane. It was the Postscript imaging model turned into a binary bytecode format with almost all the programmability features removed.
Later on it got wonky (though never even close to the extent to which Flash did!) with all the hypertextification features. But basic PDF is actually one of the Great File Formats in computer history.
I didn't realize that this standard existed. Thanks for the link, that's very helpful to know. I've always viewed "modern PDF" as an ad hoc thing defined by the intersection of whatever was supported by the popular free renderers.
The standard is 1000 pages long. Most reader implementations are written in C/C++.
They are of course exploitable in different ways.
Adobe sometimes does not follow its own spec.
People publishing PDFs sometimes use that non-standard behavior to display some graphics. This is especially true with many research papers that only render on Adobe Reader.
In particular, other viewers often display zero-width lines, which is annoying for colormaps. Those can't safely be saved as bitmaps without oversampling either, as not all viewers can be made to avoid interpolating.
The PDF format is unbelievably complex, far more than is necessary for the average sales brochure or report.
Given that nearly all reader implementations are written in C/C++, it's always going to be an easy target. Sandboxing has helped a lot, but there's just a lot to go wrong and always will be.
That's why I'm on Chrome, because it's sandboxed. In November we'll be celebrating the 10th anniversary of lagging behind IE if Electrolysis isn't integrated into Firefox stable builds.
I have on a few occasions seen PDF files where the text looked horrible in pdfjs. All in all, it's very useful, though, to quickly look at a PDF before saving it.
For regular use, I have come to really like SumatraPDF on Windows. It is relatively lightweight, can be used without an explicit installation (hence no admin privileges are required to get it to work), and most importantly, it saves the position on opened PDF files, so if I open a file again later, I am back right where I stopped reading.
You are depriving yourself of a lot of information by avoiding files based solely on file extension (most academic papers are in PDF format, for example). Avoiding Flash, on the other hand, I completely understand.