If they're offering a temporary fix, shouldn't they at least push that temp fix as an update, and fully update the issue later? This leaves the non-technically inclined out in the cold, and informs those who may not know of the exploit of its existence.
Just something as simple as removing authplay.dll for Acrobat and Reader, and even upgrading the current version of Flash Player to the 10.1 beta, just temporarily… anything other than just announcing it and not patching it at all.
I don't know if this is a standard way of dealing with zero day exploits, but it sure doesn't seem like a good way.
It's possible that they were in the right by announcing an issue, rather than ignoring it.
Securing and maintaining software up-to-date in a non-intrusive way is hard in a way that works for all (i.e., personal computers and large networks of computers). I think it is also a good business opportunity.
Maybe someday Chrome will have a plugin "whitelist" for sites so I can only allow Flash on the sites I want to.
Of course, this is on desktop Ubuntu. On my Droid I guess I just use Chrome...
I can't say I'm missing it. Nearly all websites work, and a lot of ads are gone. Strangely, html5/h.264 is often the fallback for Flash; I really wish they did that the other way around.
Vimeo: Right below the description, see: http://imgur.com/yuf4R
Obviously not an automatic fallback but I guess that's because it is still in 'beta'.
Youtube videos with ads won't work, or embedded ones (I think the same goes for embedded vimeo vids)
Btw, I already opted into the html5 beta tests here and there. That might have influenced the result.
I'm using http://clicktoflash.com/
But the first step of installing 10.1 (on Windows and MacOS) is to run an uninstaller, also available on the download page:
http://labs.adobe.com/downloads/flashplayer10.html
Perhaps the prudent should stop after that uninstall step, for safety from other future exploits, as well.
(Any chance Apple's 'Preview' PDF-reading capabilities are similarly vulnerable?)
In any case, Adobe, the timing has exactly the level of thoughtfulness we have come to expect from the Flash team. The only way you could have done more damage would be to have done it last week when the US had a long weekend, or some other even longer holiday.
Windows is my primary OS, and I don't even have Adobe Reader installed.
I won't comment on the whole "use our RC release" as a mitigation path in production envs....
Also it would be a great time to upgrade Firefox to the 3.6.4 release candidate for those using Firefox. Plugin process separation... yummo.
http://blog.mozilla.com/blog/2010/06/01/firefox-3-6-4-releas...
Chromium v6.0.417.0
After finding out about this 'sploit, I looked in vain for the authplay.dll. It turns out I had a newer build that wasn't listed as vulnerable (and I couldn't find the file itself; where does it usually reside?).
Within one sentence (and with absolutely no commentary or statements from me in any way) you successfully made the connection between Adobe and Apple. This connection is obvious and I shouldn't really have to explain it -- in other words, it's painfully obvious why a security bulletin for Flash has shown up on the front page of HN and why I've never seen one for an Apple product despite fairly wide ranging security concerns in the community about Apple products.
Here's Jobs on the topic.
https://www.apple.com/hotnews/thoughts-on-flash/
"Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash."
Before Jobs explicitly banned Flash from the platform, the only thing I ever remember seeing on HN regarding flash was that it performed a bit poorly under Apple's operating systems because Apple wouldn't provide the necessary APIs that would allow Adobe to make it as performant as it is under Windows (and the occasional comment regarding the Linux port that like most software ported to Linux, it was a few generations behind the times). But these complaints are pretty much the same for lots of cross platform software and generally blended into the background noise, even canvas runs poorly on most systems! One thing I don't ever recall hearing about on HN was any commentary about Flash as insecure. That all changed with "Thoughts on Flash".
Before Thoughts on Flash, I bet there was never an Adobe Flash related security posting on the front page of HN. Yet Flash has had its share of security issues, the same as anything. Which is what my link was meant to demonstrate.
In other words, it's essentially a non-issue.
My point in posting one of a million links regarding Apple security problems is that Apple is also not free from issues with its platform. Yet these never make it to the front page of HN. More importantly, Apple is rather poor at self-reporting security problems, yet here we are bashing Adobe for doing the responsible thing and reporting the problem themselves.
It's actually an interesting example of social dynamics, demonstrating how people will follow the direction of a chosen leader and orient their opinions regarding their own safety to be in line with what that leader says rather than an objective review of the actual situation. People often follow leaders as a proxy for doing their own thinking. I've just demonstrated why this is dangerous. Jobs doesn't want to bring attention to the security issues of his own platforms and has tried, successfully, to direct natural concerns for that to somebody else. It's a masterful piece of political manipulation. Most politicians would sell a limb to have this kind of mind share.
My link provided no commentary, no judgment, no counter-statements, no Apple bashing or Apple praise, in fact no statements of any kind.
Yet the fact that that link is providing uncomfortable information contrary to that provided by Jobs has caused it to be annihilated by downvotes (meta-comment: pg has obviously changed something in the karma scoring because it only shows -4, but my account is down -9 since yesterday and that's the only change I can find, either the karma math is screwy, or he's experimenting with some social engineering of his own and counting all downvotes but only showing -4 no matter what. I find this interesting since, if that were true, people have continued to downvote a link to unwanted counter information even though it already stands at -4).
I actually cannot find a statement from Jobs regarding platform security other than "Thoughts on Flash". Even in response to things like this http://www.theinquirer.net/inquirer/news/1495591/security-ex.... Considering that Jobs is among the more chatty CEOs of a major corporation, this omission is rather perplexing. This leads to the obvious conclusion that Jobs has taken the opportunity to call out Flash security as a red herring, to turn our attention away from the problems on his own platform. And, as is demonstrated here by bashing on Adobe for flash security, bashing on people who point out apple security, people have bought his play -- hook, line and sinker.
I provoked the response I expected to get based on the history of how the dynamics of these situations have occurred. A swarm of downvotes for a link regarding Apple security problems flies directly in the face of what Jobs has said. It's a shame he had to put "Thoughts on Flash" out there. I found his comments on Flash at D8 far more coherent and sensible and without the obvious manipulative language he used in "Thoughts". What I find a shame is how easily led and gullible people who follow Jobs have been regarding the entire issue -- people who are otherwise very smart and very bright.
edit I'm actually down -10 on my karma now. I guess pg does count all downvotes even if -4 is all that's displayed.
edit 2 this poor comment was similarly in negative territory as well, further reinforcing my point. http://news.ycombinator.com/item?id=1406477
(Snarky comment removed.)
</sarcasm>