Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Adobe Releases Flash Player Update to Patch Security Holes as Apple Blocks Earlier Versions
- Thread starter MacRumors
- Start date
- Sort by reaction score
From Computerworld (Friday, February 8, 2012):
That's the quintessence of a zero-day attack -- two zero-day attacks.
@Aiden: the MR article quoted the section of the ARS Technica article explicitly noting these as "in the wild" attacks. Did you read the article before commenting on it?
Last edited:
What I don't like is the ambiguity of the notification. Apple should know better. I get a random popup telling me that I need to update my Flash plain, yet when I go to Flash Player in sys prefs, it says Flash is up to date. It also doesn't help that Apple took away the icon in Safari that showed if the site had been verified or not.
What I don't like is the ambiguity of the notification. Apple should know better. I get a random popup telling me that I need to update my Flash plain, yet when I go to Flash Player in sys prefs, it says Flash is up to date. It also doesn't help that Apple took away the icon in Safari that showed if the site had been verified or not.
You're right -- it's good to be suspicious of pop-up messages you've never seen before. The malware notifications have been around since Snow Leopard, but many people have never seen them until this week.
Adobe provides the system preferences module. If it fails to report that there's a new version of Flash available, that sounds like Adobe's problem. After all the zero-day Flash exploits through the years, don't you think that Adobe would regard their version-checking software as mission-critical?
In the big scheme of things, a swift intervention to catch a zero-day exploit sounds like small potatoes. How many
icons do you use to complain about websites that have failed to rid themselves of Flash code? How many would you have put in a posting if your computer had gotten infected by CVE-2013-0634? 
How is it that you guys claim to be "Mac admins" but don't know the first thing about security update settings on a Mac?
Yes.
http://support.apple.com/kb/HT1338
Uncheck the box that says "Install system data files and security updates":
That doesn't really make a lot of sense: you make it sound as if these sites are cast in concrete and cannot change. There are already hundreds of millions of computers that can't run Flash in their browser; what are those sites doing to run on those computers?
Zero-day Flash/Java exploits are coming at alarming frequency. Any website owner still relying on Flash to deliver their content needs to have their head examined.
I think you are hanging on the literal words "shut down" rather than what was implied (i.e. them throwing a switch to prevent you from running something you may want to run).
Using a different browser won't re-enable Java if Apple puts it on their block list since it's a system wide plugin (although Firefox CAN still disable it for their own browser DESPITE it being re-enabled for Safari).
Who actually got any flipping Malware??? One can debate about the tiny POSSIBILITY of getting malware accidentally with something like Flash, but it's an absolute CERTAINTY that your computer will be blocked from running things you may want to run when Apple puts something on their list (unless you have chosen ahead of time to not download safe download updates; the problem is there's a huge difference between wanting to be warned about "downloads" and just out and out blocking a major part of the computer's capability (whether Flash or Java).
Dictators and the like have used similar words to take rights away from the people (who are always too ignorant to make decisions for themselves). Sadly, Apple is acting like a dictator here rather than warning people with an OPTION. Apple isn't too good about options, historically, though so I'm not surprised.
Changing the setting AFTER the fact won't do any good without editing the Plist and that's beyond just "knowledgeable" IMO. And by turning off ALL security updates you've also blocked true threats like Trojan warnings that SHOULD be on the list at all times (whereas Flash and Java are legit apps with vulnerabilities that present a certain risk level, not malware themselves; OSX is the same way. It can have a known vulnerability. Should Apple shut down all Macs until they can update OSX? That would be absurd an that's why Apple doesn't do it. They just keep quiet and update the security settings and rarely mention specifics.
Do you have ANY idea how many vulnerabilities have been found in OSX and Windows over the years? You act like this issue is something related only to Java and Flash. Again, the primary difference is Apple won't disable their entire OS, but they apparently won't hesitate to block Java and Flash.
As I said to the other person above, turning off the safe download function AFTER it's disabled something like Java or Flash won't do you any good without going in and removing the program in question off the Plist and there is not user GUI access to that list so you'll have to manually edit it. The setting in the Security Preference Pane is simply a way to disable AUTOMATIC updates to that list; it doesn't remove things from the list that are already there. Besides, exactly who wants to DISABLE *ALL* security updates just to avoid having Apple turn off Flash or Java with no option to even temporarily re-enable them without jumping through hoops?
In other words, there's a BIG difference between a known trojan or worm and a vulnerability/exploit in something like Java. The former should always be on EVERYONE's list and NEVER removed from it while the latter is blocking something legit from running that has some risk attached to it (e.g. playing Scrabble on Pogo.com doesn't really quality as much of a "risk" to approve Java to run anyway despite the exploit. Apple should give a warning in those circumstances and offer to block or not block it. They should also have a GUI editable list for such things to add/remove it at the user's own risk (thus absolving Apple from any fault and making life tolerable for those that need to run certain things like Java regardless of a small threat that only occurs if you run an actual bogus application (not going to happen on a trusted site unless the entire site was hijacked or something).
Yes, because Android smart phones are just rampant with people getting their stuff stolen because Flash is available for it.
We use it daily in EMS for some of the charting software, no issues for me so far in past 4 years.
I honestly didn't even know about this! I feel kind of naive to be honest.
All I know is last night while on Facebook I got a popup from Apple saying Flash needed to be updated. So I opened up System Preferences to see what version of Flash I had and went to Adobe's site to see what the current version was.
The version on Adobe's site was newer so that led me to believe the popup I got was right and I downloaded the current version of Flash from Adobe and installed it.
I had no idea there was ever any security issues
All I know is last night while on Facebook I got a popup from Apple saying Flash needed to be updated. So I opened up System Preferences to see what version of Flash I had and went to Adobe's site to see what the current version was.
The version on Adobe's site was newer so that led me to believe the popup I got was right and I downloaded the current version of Flash from Adobe and installed it.
I had no idea there was ever any security issues
I'm not saying they can't change I'm just saying what they are now using, it's like cars mostly run on petrol (Gasoline for those in the US) but there are also some that run of diesel it doesn't mean the manufactures are going to all switch to bio-fuels because it is better for the environment. Fact is many sites partly or solely use Java and it's going to take time for them to switch to better code.
Your messages in this discussion have been ambiguous. Who is the "you" you're talking about? Who has been disenfranchised? I'm confident that MagnusVonMagnum knows how to hack plists, so it clearly wasn't you. In other words, the "you" you keep referencing is some hypothetical person...
Neither you nor Aiden seem to have carefully read the article you're commenting on.
The Adobe security bulletin was quite explicit: CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform. I'm taking Adobe's report at face value: this is a real zero-day attack. Do you have some reason to disagree?
Again, the "your" is referring to some hypothetical user who you assume has been disenfranchised, and you think you're qualified to speak for this hypothetical person.
Please read the article: all a user had to do was upgrade to the current version of Flash and they could proceed. If "you" don't want that checking to happen in the future, then turn it off.
Oh, please. Dictators don't give people an option of overriding the check, and they don't provide plists for people to manually edit. Do we really need to invoke Godwin's Law in this discussion?
Apple clearly disagrees, and I think Apple is completely right in their comprehensive response to this clear and present malware attack.
Please explain why your hypothetical about an OS X problem is remotely comparable to what happened this last week. Note: please actually read the Adobe security advisory before responding.
Why do you think the ancient history of malware pertinent in this discussion? What's pertinent is the malware threats present today.
What a convoluted statement! Again, the "you" in that spaghetti-statement clearly isn't you. For some quaint reason, you presume to speak for some hypothetical disenfranchised person with hypothetical outrage over some hypothetical "dictator".
If some real person wants to actually complain, let them complain. But you're clearly not that person.
Nonsense. The only thing anyone had to do was to update Flash to the current version.
You presume there's a difference. Apple clearly does not, and I agree with them. I personally am quite happy they're taking such an active stance against malware.
That's your opinion. The fault with your position: if Java/Flash is enabled, then the computer is vulnerable to the current batch of zero-day exploits. Users are vulnerable to both general attacks and spear phishing using those exploits.
What's fascinating to me is that you have no anger towards Oracle and Adobe for failing to button down the security on their applications. Year after year, the exploits continue to happen; these third-party vendors fail to address them. Oracle even uses Java updates as an opportunity to install deceptive software on PCs. You have no anger about any of that? Really?
Yes, because Android smart phones are just rampant with people getting their stuff stolen because Flash is available for it.
Really? iOS devices are far more secure than Android ones. Do you disagree?
The analogy is fundamentally flawed. Those websites had to already ditch their Java and Flash code, or they could not be run on the 400M+ iOS devices and other mobile devices that cannot run plugins.
Last edited:
I've seen plenty of unhappy people on these forums regarding Apple disabling Java and Flash. Whether it's the principle of the matter or they genuinely don't know how to reenable them is not my concern. My quibble is with how Apple is handling this issue. They could easily offer a simple yes or no option with a warning rather than just disabling something that a user may need (as in the case of several people on here with Java in the past couple of weeks). Whether I know how to do something is irrelevant. The topics of discussion have been about Apple's handling of the matter and that is what I'm addressing. I don't think just disabling something entirely is a good way to proceed when they could offer more options. They could have a GUI list of blocked apps and let the user choose to override if needed. Requiring a user to edit a Plist is hardly the "Apple" or "Mac" way. Surely, you would agree to that much.
Neither you nor Aiden seem to have carefully read the article you're commenting on.
I'm not commenting on a specific article or this one specific incident, but rather how their block list is set up and what's required of the user to get around if they feel they NEED to still use something like Java. Yes, in this case Flash could be immediately updated, but that was NOT the case with Java and it clearly shows how the system works when an update is not available but a threat is identified. It is clearly not handled well. It's treating the user like a grade school child. Whether they have the technical know-how to bypass it is irrelevant. Apple could handle things in a more appropriate manner.
I disagree that just disabling things without an option to override for people without the skills to do it themselves is a bad way to run a business. No one is suggesting Apple shouldn't warn the user and offer to disable the program in question. Forcing it disabled is another matter entirely. The Java threat was hardly threatening, particularly if a user has "high" level security enabled and Java apps cannot run without approval (i.e. if you're on a site like Pogo.com and you know the Scrabble App is the one requesting to run, it's a pretty safe bet that it's not going to take over your computer regardless of the vulnerability on some unknown site).
And who are YOU qualified to speak for? You seem to be arguing long and hard on a specific position and like to bring up IRRELEVANT things like "who is YOU?", but apparently have no argument or logic what-so-ever to counter the arguments presented or you'd have something useful to say rather than wasting my time.
Oh, please. Dictators don't give people an option of overriding the check, and they don't provide plists for people to manually edit. Do we really need to invoke Godwin's Law in this discussion?
The ability to override Apple's security does not discount their methods and as I said, disabling security overrides AFTER the fact will not help. But again, you ignore all the arguments and logic presented and just harp on your view that turning off all security forever is a good solution to a specific problem when it clearly is not.
That is your right to to have that opinion, but I personally think it's a really bad one but that is the same reason I've argued against Apple's approach in both threads. Your computer is not their property to disable valid programs. Security threats like trojans are completely different from turning off what to some people are vital systems (i.e. people who need Java for work, for example).
There is nothing hypothetical about past security vulnerabilities in OSX. Apple has patched numerous flaws in OSX in the past. They never once disabled anyone's computer until they came up with a security update, however. Your inability to even comprehend the most basic logical argument makes this discussion pointless. IMO.
Those who ignore history are doomed to repeat it. That reason alone is enough to look at any form of history. Your mission in life, however, seems to be to try and win an argument at all cost, even when you have absolutely not logical basis to base an argument upon. You just keep repeating yourself and seem to want to talk only about this one particular case and ignore the problems with the Java block (hardly "ancient" by anyone's account). In point of fact, I've only had a Macintosh since 2006. I'd hardly call anything from that time period "ancient" either and yet I've had dozens of security updates for OSX in that time frame.
You prefer to invent strawmen than actually deal with the argument at hand. You keep harping on about the use of the word "you" rather than deal with the discussion at hand. It's blatantly obvious you have no clue what to say other than to try and use a lot of words and hope that people are fooled by lines of text rather than making a cogent point.
Again, that was not the case with Java less than two weeks ago. But that's "ancient history" to you? How has Apple fixed the problems presented since then? By waiting until an update was available? That's coincidence and not a fix for their methods.
Of course you did! In this thread, you said:
The Adobe security bulletin was quite explicit: CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform. I am also baffled why Adian said that this wasn't a zero-day attack. The attacks are really happening, and real people are being harmed.
OTOH, you are not being wronged with Apple's anti-malware efforts. You are clearly clever enough to hack the plists if you needed to do that. You're complaining on behalf of some hypothetical user. I've gotta ask: why don't you just let those [hypothetically wronged] users speak for themselves?
Bingo. That's the exact question you need to ask yourself, Magnus. If some real user was harmed by Apple's system, they should speak for themselves. You were clearly not harmed.
Trying to run Flash-free for the past 4 months. So hard to quit I thought I would relapse. At times only when Safari for iOS is detected will the website display its available non-Flash version.
Both
Couldn't state it more clearly.
I would take something to substantiate it with, not that I disagree, far from it.
There are no known zero-day attacks, on any platform.
Neither you nor Aiden seem to have carefully read the article you're commenting on.
You claim to carefully read, but you don't understand what you are reading.
Last edited:
LOL agree.
Debian is the bastard child of Linux, and Ubuntu is the bastard child of Debian.
It's so sad that many people think that Linux is an OS, not a war among different tribes succeeding in tearing it apart.
Last edited:
Aiden, it's sort of a bizarre thing to say without explaining your claim. Adobe's report directly contradicts what you say:
You're clearly denying what Adobe is saying -- yet none of the media is challenging their factual claims. Why should we believe you? Your definition of "zero-day attack" clearly disagrees with the wikipedia definition or computer security expert Steve Gibson's use of the word (here's an example from his podcast).
Then please explain yourself. Please tell us what's wrong with the usage of the concept that Adobe, Ars Technica, Steve Gibson, MacRumors, and others are using. Please tell us why you think that the CVE-2013-0634 report is fiction.
Making the one-line claim without explaining yourself contributes nothing to the discussion.
There are no known zero-day exploits, there are only unknown zero-day exploits.
Once the exploit is known, it is no longer zero-day. This exploit is not only known, but a patch is available. It is not a zero-day attack.
One can always hope that it would trigger someone into looking up the definition of the term, and realize that it was being mis-used.
Who do you know who was harmed by this "attack" ? Has even a single person on here or any other known site reported that their machine was compromised by this "attack" ? Who was harmed by the Java attacks a couple of weeks ago? Do you know a single person? But in BOTH cases, my machine was disabled by Apple. That's a 100% ATTACK on my computer's operability and in Java's case, there was nothing a normal, non-advanced user could do to restore it until Oracle provided an update. We had NUMEROUS people on here report they could NOT access their banks, medical records/prescriptions, etc. etc. due to their country making extensive use of Java as a platform to access those services/documents. Who did MORE harm here? The supposed hackers (of whom I have yet to see a single person report their computer was maligned in some damaging way) or Apple where I have seen dozens on this site alone reporting their inability to access services they feel they NEED to access. THAT is my point. It's SAD you don't seem to comprehend it.
This is simply not true. I had to waste my TIME (and time is valuable to me) to look up what was going on (I am new to Mountain Lion and never had such an occurrence happen before so advanced or not, I still have to look up how to bypass it). I had to describe to another family member what to do and it was beyond their comprehension what I was talking about and I could not reasonably expect them to update their Plist. Thus, we could not play online games on Pogo.com until the update. This might seem trivial to you, but in other cases it was prescriptions, banking, etc. and not so trivial. So AGAIN, I reiterate that Apple in its current method is doing MORE HARM than any threat out there because they affect EVERYONE, not just the few that visit some pRoN site or whatever and get infected. Apple could handle this sort of thing MUCH BETTER as I described above. PERIOD.
If you would speak for yourself, you'd just say, "I wasn't harmed so I don't care" or something to that effect, but NO, you want to argue and lecture everyone on here that disagrees about it, so I'd say you are NOT speaking JUST for yourself. You're taking up the mantle of all those on Apple's side by making that argument. Instead of arguing the pointed debated, however, you seem to want to come back to the idea that I should only speak for myself and thus concede. How ridiculous an approach is that?
Now please stop wasting my time arguing about your opinion. You're currently doing ME more harm in time wasted than Apple.
Can you point to a single place where any credible reporter or security expert is using your particular definition of "zero-day attack"? AFAICT, yours is an obfuscation that no credible reporter or security expert is making. Claiming that CVE-2013-0634 isn't a zero-day attack is doing a disservice both to the term and to the discussion here.
And where exactly should we go to find your personal definition? The wikipedia article you reference certainly doesn't say it. If you tried to add such nonsense to the wikipedia page, it would be removed.
You still have done nothing to back up your initial claim:
and I see this isn't the only time you've attempted to impose your personal definition of "zero-day" into a MR discussion. Unless you can produce some credible source that actually backs up what you say, I request you stop doing this.
Last edited:
Can *you* produce any evidence to support the claim that an exploit for which a patch is already available is still a "zero-day exploit".
Your "personal definition" of "zero-day" won't stand up to scrutiny.
Let me again quote the opening paragraph of the Wikipedia article:
I don't need to "add nonsense" to the Wikipedia article - it's already in 100% agreement with what I am saying.
How on earth can you continue to blather on about calling a known attack with an available patch a "zero-day" exploit? By definition, labeling the exploit "CVE-2013-0634" removes it from the "zero-day" category, and places it into the "known" category.
This is a known exploit with an available patch. It fits no accepted definition of "zero day" exploit.
Of course, in the blogosphere one can find quotes from confused beings to support about any lame-brained conjecture. You can't shut up stupid.
Last edited:
[Silence. No response.] You can't point to a single writeup anywhere backing up your conjecture that a "zero day exploit" ceases to be one once it's discovered.
If you look at the wikipedia article's section about vulnerability window, you'll get your answer: it's a zero-day attack whose vulnerability window has closed. Apple's use of their malware plist to include known exploits of Flash and Java has served to close the vulnerability window on those exploits. Another way to address your question: if a different term existed to describe zero-day attacks whose vulnerability window had closed, then you would be able to name it. But you can't do that -- you ignore the question. If there were some other word, then you would know what it was. Simple.
Actually, wikipedia article fails to support your conjecture -- for exactly the same reason. If we had a separate term to describe a zero-day attack whose vulnerability window had closed, then the wikipedia article would tell us that term. But no such word exists!
Please keep the tone respectful, Aiden. I'll repeat the question: what name are you suggesting we use as an alternative name for a zero-day exploit whose window of vulnerability has expired? Why do you find fault with that name?
A known what?
Congratulations. You have painted yourself into a semantic corner.