How to deal with Adobe Flash and Reader vulnerability

As of Wednesday, 22 July 2009, Adobe reports that Flash and Reader share a serious vulnerability. Can you still watch YouTube videos safely?

Adobe's Security Advisory APSA09-03 begins:

A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows.

For more information about this vulnerability, see US-CERT Technical Cyber Security Alert TA09-204A.
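As an added example (not part of the original post, and not Adobe's tooling), here is a small Python triage that checks a software inventory against the versions in the advisory: the vulnerable versions come from APSA09-03 above, the fixed versions (Flash 9.0.246.0 and 10.0.32.18, Reader 9.1.3) from the Adobe recommendation quoted in the comments, and the comma-separated "LNX 9,0,159,0" form is an assumed plugin version string. The inventory rows and host names are constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]

# First fixed version per major branch. Branches not listed here (e.g. Reader 8.x)
# are reported as "unlisted" so a person reviews them rather than the script guessing.
FIXED: Dict[str, Dict[int, Version]] = {
    "flash": {9: (9, 0, 246, 0), 10: (10, 0, 32, 18)},
    "reader": {9: (9, 1, 3)},
}


def parse_version(text: str) -> Version:
    """Accept '10.0.22.87', '10,0,22,87' or 'LNX 10,0,22,87' (assumed plugin string form)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so 9.1.3 and 9.1.3.0 compare as equal, not as prefix < longer."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def status(product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one installed product version."""
    v = parse_version(version)
    fixed = FIXED[product].get(v[0])
    if fixed is None:
        return "unlisted"
    v, fixed = _padded(v, fixed)
    return "vulnerable" if v < fixed else "fixed"


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Inventory rows are (host, product, version); each row gets its verdict appended."""
    return [(host, product, version, status(product, version))
            for host, product, version in inventory]


# Constructed sample inventory (host names are placeholders, not real machines).
SAMPLE_INVENTORY = [
    ("ws01", "flash", "10.0.22.87"),     # version named in APSA09-03
    ("ws02", "flash", "LNX 9,0,159,0"),  # same for the 9.x branch, comma form
    ("ws03", "flash", "10.0.32.18"),     # fixed version from Adobe's recommendation
    ("ws04", "reader", "9.1.2"),
    ("ws05", "reader", "9.1.3.0"),
    ("ws06", "reader", "8.1.6"),         # branch not covered by the advisory text
]

if __name__ == "__main__":
    for host, product, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:6} {product:7} {version:15} {verdict}")
```

Rows marked "vulnerable" are the machines to update or, as the post suggests, to strip of the Adobe components; "unlisted" rows need a manual look.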

According to Adobe's own Flash Player Statistics page, this means that 99% of us (where "us" is people who use the Internet) are vulnerable right now. Some may dispute this number, and I'm suspicious of it myself, but there's no disputing the fact that many, many people -- surely a significant majority of regular Web surfers -- are at risk.

Exploits are already in use for the Reader version of this vulnerability. Chances are very good that you are affected by this vulnerability, too -- though, like me, some of my readers may actually be immune to this vulnerability on their primary workstations. There are options to help protect yourself, though. The single most effective way to protect yourself is to simply uninstall your browser's Flash plugin and Adobe Reader on your machine.

That may seem drastic, but I think it is time to make a point most people simply do not want to confront: that sometimes, security means just saying "no" to unsecured software. There are ways to work around some of the "need" for these pieces of Adobe software anyway:

  • If your primary Flash "need" is YouTube, there are some alternative options. For instance:
    • You could download YouTube videos with youtube-dl
    • There is also the option of using a Firefox extension such as DownloadHelper to grab Flash video content from the Web. If you run into problems with some low-quality Flash videos from YouTube whose audio and video do not sync up properly, MPlayer supports framerate adjustment for crappy Flash video.
    • Once you have downloaded Flash videos, you can watch them using a locally installed media player that is capable of supporting the format, such as MPlayer. You would just need to ensure that the correct codecs are available for watching Flash video.
  • If you actually need to be able to visit sites that require Flash for navigation or present their content through Flash -- a definite no-no of accessible Web design and search engine optimization, but many companies do it anyway -- there are alternatives to the official Adobe Flash player:
    • Gnash is an open source GNU project Flash player that runs in (almost?) any X Window System environment, and supports the majority of Flash sites on the Web.
    • Swfdec is the freedesktop.org project's answer to Gnash.

    One sometimes works better for a particular operating system configuration than another, and the two of them have achieved substantial parity with the Adobe Flash player, but both have some shortcomings when it comes to supporting the full range of Flash objects on the Web.

    If you absolutely must have the stronger support of the Adobe Flash plugin, you can at least mitigate the danger somewhat by picking and choosing which Flash objects to view:

    • Flashblock is a Firefox extension that masks each Flash object so that it will not actually load. Only by clicking on the mask will the Flash plugin be able to play the Flash object, thus leaving it up to you, the user, to decide which Flash objects to trust.
  • For PDF viewing, alternatives to the Adobe Reader are numerous, and most of them perform much better than the Adobe Reader in practice, though some do not offer browser plugins:
    • Xpdf is my current choice for (the majority of) my PDF viewing needs. This open source PDF reader can be installed on Unix and Unix-like operating systems such as various Linux distributions, BSD Unix systems, and Solaris, as well as DOS and MS Windows. If you are using an open source Unix or Unix-like system, check the software management system archives for your OS of choice; otherwise, see if there is a binary download available for your system on the Xpdf Website, or download the source and compile it yourself.
    • OpenOffice.org is an open source office suite that can export PDFs, serving as a replacement for Adobe Acrobat as well as for Microsoft Office for people who do not need the more advanced features of Acrobat. With the addition of the Sun PDF Import Extension, you can import PDFs for reading and editing as well. This application is actually what I use to produce invoices, though I keep telling myself I'm going to switch to something else so I do not have to deal with the resource overhead of running an entire office suite just to gain the ability to generate PDFs.
    • Ghostscript is a PostScript tool that has evolved to provide PDF support as well.
    • Foxit Reader is a popular commercial software choice for MS Windows systems. There is a free download available as well as an option to pay for it, depending on your needs.
    • The GIMP is an open source alternative to Adobe Photoshop, and it can load PDFs by converting them to raster images for editing. It is available on a wide variety of platforms, and there is even a version that emulates Photoshop's interface called GIMPshop.
    • Google Docs supports PDF viewing as well, displaying the contents of a PDF as HTML in the browser.
    • Poppler is a PDF support library based on Xpdf code. The Poppler page at the freedesktop.org wiki offers a short list of some applications that make use of Poppler for PDF rendering.
    • Wikipedia offers a list of PDF software as well, in case none of the above options appeal to you.

The reason my own setup is so well insulated against this danger is that I do not use any Adobe software on my primary Web browsing platform at all. If you happen to use FreeBSD, in fact, the top Google result when searching for "youtube-dl" mplayer freebsd happens to be Flash Workarounds for FreeBSD — especially YouTube, a description of exactly the setup I use for dealing with Flash on the Web.

The key is to protect yourself, of course. If you can get by without having the Adobe tools for viewing Flash and PDFs at all, perhaps by using an alternative, that is the preferred option for security's sake. Otherwise, at least take measures to mitigate the danger, such as installing the Flashblock extension for Firefox and only using a separate Adobe Reader desktop application so that you choose which files will be opened on your computer, instead of leaving it up to the browser to decide.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

37 comments
Oz_Media

"Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. Adobe recommends users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2. Adobe recommends users of Adobe Reader 9 and Acrobat 9 and earlier versions update to Adobe Reader 9.1.3 and Acrobat 9.1.3." Adobe recognized and patched it, are you referring to something new? I use the entire Adobe suite daily, well I don't work with FLASH these days unless on a multimedia based website. I did have a potentially nasty trojan (first time with this Vista book) a couple of weeks ago, but seemingly unrelated to this vulnerability and easily cleaned and removed now. I usually find that if there is an exploit, just holding off on using specific software for a couple of days gives the author time to patch it and then you can carry on. No need for Open Source replacements, uninstalling apps or locking up your daughters though, unless you hold all the Area 51 secrets, photos of JFK's killer and Dolly Parton as a flat chested teen on your hard drive. I understand security, but I find even most companies are WAY over the top with security. Unless of course client account details etc., which would naturally be stored on a secured LAN.

jimiznhb

I Just DO NOT use adobe... Mainly because adobe is SO SLOW & FoxIT BLOWS adobe AWAY EVERY TIME!!!

Deadly Ernest

software on a web site - they should just use the industry standard items that are available to a range of players.

Lazarus439

Please explain why and how non-proprietary software is automatically anointed so as to prevent such problems as this. So far as I know, most, if not all, software is still written by human beings, all of whom are equally capable of mistakes, oversights, or just plain laziness. Until/unless that changes, ANY code can be problematic and probably not even then.

Deadly Ernest

Proprietary code usually has but one source of software that can access the code fully and display it. While non proprietary code written to industry standards (like AVI, MPEG, JPEG, etc.) is using code that's been well reviewed and checked by many people and has many applications that can display it. Yes, any code can be problematic, but also, any code that's totally open to review will be much better checked and sorted than code that's not open to review. Most vulnerabilities require a fault in the software running it to be able to exploit it, and thus a multitude of players means more ways of running it and less with the same vulnerability - if at all. However, the real issue here is people re-inventing the wheel and marketing it so they can tie you down to their software and making money off you instead of letting you use the free design wheel (edit to add) and then doing it badly.

apotheon

I'll just take that as an admission you never had any interest in discussing this like a reasonable human being. edit: typo

apotheon

In the nearly 25 years I've been using proprietary software (I think I started with MS DOS 2), I've never had anyone with any sort of firearm, or any other lethal or even non-lethal weapon, accost me about using - or not using - any program. Clearly, you're one of these people who ignores the obvious meaning of a somewhat figurative statement and, instead, goes with a ridiculously literal interpretation, considering this some kind of brilliant rhetorical victory. Let me know when you want to try discussing the matter like a human being rather than an assweasel. If you don't like the license terms that are included with the software, don't buy the software. That's what I do, most of the time. Only the fact that I have to test code across platforms, and otherwise do work with the assumption that end-users might be using crappy software, causes me to ever spend any money on the popular garbage people like you use.

Lazarus439

In the nearly 25 years I've been using proprietary software (I think I started with MS DOS 2), I've never had anyone with any sort of firearm, or any other lethal or even non-lethal weapon, accost me about using - or not using - any program. If this is happening to you, I suggest you relocate immediately, preferably a long way from wherever you are. If you don't like the license terms that are included with the software, don't buy the software. Since "free" software is "free", you are "free" to use it in any way, shape, fashion or form you see fit. If enough people feel as you do, in due course there won't be Microsoft, Adobe, Corel, Symantec, etc., etc. Whether that would be a good thing remains to be seen. If it comes to pass, we'll both know.

apotheon

I want to be paid for my work. I just don't want to get paid for extortion. There are other ways to get money from people than holding guns to their heads and telling them they aren't allowed to use what they've "purchased" as they wish. I prefer the ways that trade value for value, rather than trading legal pressures for value. I don't know about Deadly Earnest, but I for one don't object to paying for software. I just object to being told I don't own it after I've paid for it.

Lazarus439

I missed the part where someone was forcing anyone to use - and pay for - proprietary software. There are a number of "free" Flash players, PDF readers (and PDF writers for that matter). It happens that this bug is indeed in Adobe's software, but the software is free - both the Acrobat Reader and Adobe Flash player are free for the asking. It's not clear to me that this bug is in the code of these programs or related to the underlying format and thus applies to all players. You'll recall that the PDF bug this past spring was in the PDF format itself and impacted all PDF readers, not just the one from Adobe. Also, PDF became an official standard last year, fully blessed and a number assigned by ISO. Yet there was this bug in it.... Without a doubt, no software - and no standard - is perfect. However, the assertion there's something morally or ethically objectionable to programmers wanting to be paid for their work is itself offensive. There's no quantifiable distinction between inventing a better mouse trap and creating a better Flash player. Both require time and effort on the part of person who comes up with either product. Unless you think that mouse traps should always be free, why do you object to paying for software?

apotheon

Non-proprietary Does Not Equal Perfect Who said it does? Please explain why and how non-proprietary software is automatically anointed so as to prevent such problems as this. Who said it was? The major problem here is that proprietary, closed source software actively inhibits the development of work-alike alternatives. That, in turn, leads to vulnerabilities in a single corporation's applications affecting many, many people pretty much inescapably. By contrast, if Flash was an open source application, given time we could have several different implementations in widespread use before long, allowing for people to switch implementations to avoid being subject to a given vulnerability. Furthermore, differences in the developer environment between open source development projects and closed source development projects tend to lead to more rapid security patch development and testing for the open source equivalent, all else being equal. So . . . no, there's no guarantee that open source software (or other "non-proprietary" software) must be "perfect". Such a guarantee isn't needed for open source software to tend to provide greater security benefits.

apotheon

Deadly Earnest's assertion that all such problems are cured/prevented by using non-proprietary software requires the assumption that non-proprietary software is inherently and automatically superior to proprietary software. Actually, his assertion appears to be that such problems are mitigated, and are more likely to be cured in specific cases, when the software is open source than when it's closed source. There is a difference -- perhaps subtle, but no less important for that -- between a guarantee and a tendency. I believe Deadly Earnest may have meant to refer to a tendency, where you have assigned an understanding of a guarantee to his words that is not strictly evident within the words. You apparently do; I don't. I think this is another case of you assuming meaning that is not actually presented in the words you're reading. I don't believe that "non-proprietary software" is necessarily, inherently, or automatically superior to "proprietary" software. I do, however, believe that open source software provides procedural benefits for its development model that are absent from common closed source software development models so that in the long run, all else being equal, the open source software will tend to provide a statistically significant improvement in code quality over the closed source counterpart. It's a matter of degrees, of tendencies, and of development model advantages. It is not a matter of automatically improved code just by virtue of having declared code "non-proprietary", as if such words acted as a magical incantation to improve the code without having to do any work. Something that might be worth reading to help you understand why open source software can tend toward better quality -- particularly security, in this case -- is 10 security challenges facing closed source software.
Of course, only Deadly Earnest can answer for sure whether he speaks of tendencies or absolutes, but it appears undeniably, unarguably true that nothing he said in that initial comment of his necessarily implied an absolute claim of perfection or even unavoidable superiority. Period.

Lazarus439

There comes a point where two presumably reasonable people simply have to agree to disagree. This is such a point. Deadly Earnest's assertion that all such problems are cured/prevented by using non-proprietary software requires the assumption that non-proprietary software is inherently and automatically superior to proprietary software. Some people accept this as axiomatic; others don't. You apparently do; I don't.

apotheon

It's interesting how you avoided actually providing anything he said that suggests "non-proprietary" equals "perfect", or that "non-proprietary software is automatically anointed so as to prevent such problems as this".

Lazarus439

"they should just use the industry standard items that are available to a range of players" Nearly everything starts out proprietary. PDF, for example, is Adobe's invention. They've managed to make it ubiquitous by having the good luck to invent it about the time people needed a device and program independent way to present information on a computer; by writing reader software for the great majority of platforms in existence at the time and then giving the reader software away for free. PDF was proprietary from its birth in 1993 until ISO released it as a standard in 2008. (http://en.wikipedia.org/wiki/Portable_Document_Format) Its becoming a "standard" didn't have a single thing to do with the variety of programs available today that can create, manipulate and read PDF files. They were already alive and collecting fans well before ISO put its blessing on PDF. Those programs were created because PDF became ubiquitous and people could make money undercutting Adobe. The FoxIt reader, so beloved by so many, is free, but it's also intended to get you to buy the UN-free program by reminding you of the extra and nice-to-have features in that version. CutePDF is the same: the free program offers basic capability, but there's also a more muscular version available - for a fee - if you need the extra features. My point is this: if nothing was implemented until "industry standard items" there was "a range of players", nothing would get implemented. ISO didn't create the PDF standard; ISO accepted what was already a de facto standard.

apotheon

Quote it for me. Quote for me the part that says what you claim. Even if he meant it the way you say, his words don't say that -- and you shouldn't leap to conclusions about his meaning like that. At minimum, you should have asked what he meant. . . . and I'm still not convinced he even meant what you say, to say nothing of the fact he didn't say what you claim.

Lazarus439

With all due respect, I stand by my reading of his post. You are, of course, free to hold a different interpretation, just as I am.

apotheon

I reread what he said -- and he definitely didn't say so.

Lazarus439

It was to his comment that I replied.

CG IT

meaning that users simply surf to a web site that has malicious code embedded in flash. Since flash automatically runs, the code is automatically executed. It's the criminals' way around having the "click it" problem to load malicious code. Users are educated enough about clicking on unknown urls that that gimmick no longer works. The criminals are exploiting the autorun features of programs because previous methods to download their payload are becoming less effective. Simply switching to another flash application might not provide sufficient protection against the drive by attack. That is why Adobe recommends disabling playing flash altogether. While the player has the vulnerability, the malicious code is still in the flash animation. The malicious code that runs doesn't really need the adobe product to execute, just a player that can play flash.

apotheon

The malicious code that runs doesn't really need the adobe product to execute just a player that can play flash. Actually, what it needs is a vulnerable player that can play Flash objects. If non-Adobe Flash players aren't vulnerable, the malicious code does need the Adobe software.

Kingbackwards

Given that adobe's flash player has claimed 90%+ saturation in the market makes it a HUGE target for exploitation. And even Java and other "industry standard items" have ways to be exploited for malicious intent. The more people use a single software application the bigger of a target it becomes. And really, the safest thing to do, is unplug the computer. But only slightly less safe than that, is to educate users and professionals and takes steps to avoid these pitfalls. And if one of these alternatives rises to significant popularity, its only a matter of time before there is a discovered security fault. Then the ultimate question is and this also goes for adobe. How soon will they fix the problem?

kraterz

The two gorillas - flash and silverlight are both proprietary. Java, google gears, etc are pretty much has-beens today with the kind of exposure and use they are seeing today. Yes, youtube could come up with an alternative to their stupid FLV format, say MPEG video that could potentially be played on any MPEG compliant plugin, but that's a corporate decision and who's going to make it?

Deadly Ernest

proprietary code players. get enough people saying o, I can't play that as I don't use that, and they'll respond. As it is no one cares and just keep pouring money into the pockets of the proprietary people.

apotheon

Really, the best option is to remove Adobe's Flash player and PDF Reader applications entirely -- and use an open source alternative if you must.

O & G IT Guy

Of course one of the best things we can ALL do is complain to sites that use flash that they are putting YOU at risk by requiring that you have a proprietary plugin that keeps having security vulnerabilities. I personally reported this as a security vulnerability to youtube by sending email to security@youtube.com. If enough people do this, they will at least have to think about switching. If we all keep watching videos and not complaining, they won't even think about it.

helpwithvb

when i get the annoying adobe, i try to wait at least 5 seconds before i click the next one. and if for any reason i get the lag, i unplug right away. this worm takes over the first master boot record in sector zero, needs any 2 drive on the network to keep itself alive, it seems to replace bios drivers, takes a part of memory and sets it aside for the hackers use. he seems to always connect at memory location 3e7 as remote anonymous login. he creates any root certificate he needs and i found one in an email that if i abused allowed me to write an email as from being "support.microsoft.com" the good news is that he is in a lawsuit for cybercrimes, but the worm still is in all my computers.. i feel violated.. hehe

Slayer_

Heck, some code samples would be good too. I am not sure what you are thinking you can use instead of flash, but please, suggest it to them.

apotheon

What about MKV+Dirac, Ogg+Theora? Any of those would be more portable and broadly compatible than FLV+Sorenson. Even 3GP+MPEG-4 would be better. I'm rather looking forward to the upcoming Schrodinger, too -- sure to perform better, provide smaller file sizes, and be more portable and widely compatible than YouTube's FLV nonsense.