Adobe Releases Flash Player Update to Patch Security Holes as Apple Blocks Earlier Versions

[MagnusVonMagnum]

Quote:

Originally Posted by FloatingBones

[Silence. No response.] You can't point to a single writeup anywhere backing up your conjecture that a "zero day exploit" ceases to be one once it's discovered and is now simply an exploit of the prior versions.

By definition, Aiden is correct. It WAS a zero day attack until patched. It no longer is since there is now a patch available. The Wikipedia page clearly paints the entire process as a timeline like an attack in a war. Once the attack is over, it's over. The final step(s) are patching the result (and/or users applying the patch). The attack is then history, not present tense. The battle of Midway isn't still going on, for example. That doesn't mean you couldn't step on a landmine left over on an island from WWII somewhere (i.e. unpatched software on someone's computer that they didn't update could still get infected), but the attack itself is long over.

Frankly, I find this argument ridiculous since it's over tense and category, but then your arguments smack of high school debate class where the argument and desire to "win" always seems to be more important than the actual communication. This is a discussion forum, not a contest. Let it go already.

[FloatingBones]

Quote:

Originally Posted by MagnusVonMagnum

By definition, Aiden is correct. It WAS a zero day attack until patched. It no longer is since there is now a patch available.

You say what it was, but you fail to say what it has become. What should one call a zero-day attack whose window of vulnerability is closed? You have painted yourself into the same semantic corner.

Here's a novel idea: why not call it a zero day attack whose window of vulnerability is closed?

They still have to be called something! AFAICT, any journalist or professional discussing them continue to call them zero-day attacks.

Quote:

The battle of Midway isn't still going on, for example.

Precisely. And yet we still call it The Battle of Midway.

Quote:

Frankly, I find this argument ridiculous [SNIP]

Frankly, I found Aiden's comment:

Quote:

Originally Posted by AidenShaw

This is not a zero-day exploit.

categorically ridiculous. 0-d exploits are a difficult enough concept for the mainstream to understand, but saying that they can no longer be called that after discovered heaps a layer of superfluous obfuscation on top of that concept. I asked the mods to delete the entire sub-discussion, but they demurred.

[AidenShaw]

Quote:

Originally Posted by MagnusVonMagnum

By definition, Aiden is correct. It WAS a zero day attack until patched.

Actually, as soon as it was discovered - it was no longer a zero-day attack. You don't have to wait for a patch to be prepared - just for the developers to realize that a patch is needed.

"Known but no patch available" is not the same as "zero-day". Mitigation of the known threat can occur even before a patch is available.

Apple's actions here clearly explain the concept.

• Flash is running, with a zero day exploit. Because it's zero-day, nobody knows that it's there. Apple does not block Flash, because by definition a zero-day exploit is unknown. (The only reasonable alternative to block all zero-day exploits is for the computer to refuse to power up - there might be a zero-day anywhere, so the only safe state is powered down.)
• The exploit becomes known, and is given a CVE number. It is no longer zero day - it is known. The developers begin working on a patch, and the anti-malware vendors can develop code to block the execution of the malware even before a patch is released.
• Apple blocks Flash, because there is a known unpatched vulnerability. (mitigation, without a patch)
• Adobe releases a patch, which closes the vulnerability, and passes Apple's block test.

The concept of "zero-day" is very useful in the security community. Once an exploit is known, you can release specific mitigations - even before a patch is available. (E.g. Apple's Flash block)

Defending against zero-day (that is, unknown) exploits is an area of active research and development. Behavioural heuristics can block many of them (as in, "WTF is the Flash player doing opening outbound sockets to hardcoded IPs (or hashed DNS names)?").

Quote:

Originally Posted by FloatingBones

You say what it was, but you fail to say what it has become. What should one call a zero-day attack whose window of vulnerability is closed?

We've said repeatedly that it becomes a known exploit.

Why cannot you understand that a threat has a timeline, and that its categorization changes along the timeline?

"Zero-day" refers to the timeline before "discovery". A known vulnerability is on the timeline after "discovery". A known, patched vulnerability is even further on the timeline.

"Zero-day" doesn't mean "a horrific bug that dooms all mankind to return to the stone age". It simply refers to the period in time before the bug became known. "Zero-day" is nothing special - most exploits are there for a while until they're discovered.

Just because a vulnerability was "once zero-day", doesn't mean that it is "now zero-day" and "always zero-day". Pay careful attention to the tense of the verbs that I've used in this conversation.

Quote:

Originally Posted by MagnusVonMagnum

Frankly, I find this argument ridiculous since it's over tense and category, but then your arguments smack of high school debate class where the argument and desire to "win" always seems to be more important than the actual communication. This is a discussion forum, not a contest. Let it go already.

+1

I'm outta here unless there's an intelligent comment....

[FloatingBones]

Quote:

Originally Posted by AidenShaw

Actually, as soon as it was discovered it was no longer a zero-day attack.

If this were true in actuality, you could provide real references confirming this usage. But you can't do that; the wikipedia page definitely does not make this distinction. I regularly listen to the Security Now! podcast; I've never ever heard Steve Gibson make this distinction. Have you?

Quote:

Apple does not block Flash, because by definition a zero-day exploit is unknown [SNIP]

By what definition? Continuing to imply that you're referencing some definition without actually referencing that definition is strange behavior. Repeating a dogmatic claim does not make it true.

Quote:

Why cannot you understand that a threat has a timeline, and that its categorization changes along the timeline?

Magnus explained it well: we still call it The Battle of Midway -- even though it's not still going on. CVE-2013-0634 is a zero-day exploit -- even if the window of vulnerability of that zero-day exploit has been closed.

Quote:

"Zero-day" [BIG SNIP]

If you're going to provide a definition, please provide the reference for that definition.

Quote:

I'm outta here unless there's an intelligent comment....

Here's an intelligent suggestion: please don't submit personal definitions of technical terms. If someone asks you to provide external confirmation of your definition, either provide a reference or retract your personal definition. The world is complicated enough without commenters here making up our own definitions. Capiche?

Quote:

Originally Posted by MagnusVonMagnum

Quote:

Who do you know who was harmed by this "attack" ?

You asked us: Who actually got any flipping Malware???. We don't know the specifics, but Adobe's report CVE-2013-0634 happened in response to the attacks. If you care about the who/what/where specifics, I recommend listening to this week's Security Now! podcast. I didn't hear the beginning of this week's show; they were talking about an Adobe Reader spear phishing attack when I tuned in today. We may never know the specifics of the victims of CVE-2013-0634.

Quote:

Has even a single person on here or any other known site reported that their machine was compromised by this "attack" ? Who was harmed by the Java attacks a couple of weeks ago? Do you know a single person?

How exactly does my personal knowledge of these zero-day attacks have to do with their validity? Are you suggesting that Adobe and Oracle issued false reports about the attacks? What would be their motivation for doing that?

Quote:

But in BOTH cases, my machine was disabled by Apple.

How, exactly? The malware-definition updates have been part of the OS since Snow Leopard. If you wanted to stop those updates, you could have done that at any time. If you're still upset about those updates, you should do it immediately.

If you wish to selectively use Apple's malware updates, you're clearly fully capable of hacking the plist file.

Quote:

Who did MORE harm here?

It's very difficult to know. Apple's proactive measures have dramatically lessened the window of vulnerability for these zero-day attacks. If the ROI for these kinds of exploits is significantly lessened by such prophylactic measures, the value of creating such exploits could drop significantly. If you see no value in using Apple's malware protection, your course should be obvious: turn it off.

Quote:

I have seen dozens on this site alone reporting their inability to access services they feel they NEED to access. THAT is my point. It's SAD you don't seem to comprehend it.

You're right. I don't comprehend it. All anyone had to do was update to the fixed version of Flash. What real users actually had "inability to access services"? One user complained that Adobe's code in system preferences failed to report the existence of the new version. That was confusing, but it was clearly an Adobe bug in their code.

Quote:

This is simply not true. I had to waste my TIME (and time is valuable to me) to look up what was going on (I am new to Mountain Lion and never had such an occurrence happen before so advanced or not, I still have to look up how to bypass it). I had to describe to another family member what to do and it was beyond their comprehension what I was talking about and I could not reasonably expect them to update their Plist.

Why didn't you just follow the instructions and update to the latest version of Flash code?

Quote:

Thus, we could not play online games on Pogo.com until the update. This might seem trivial to you, but in other cases it was prescriptions, banking, etc. and not so trivial.

Any banking/medical companies providing mission-critical services for their customers through Flash code are performing a major disservice to their customers. I wouldn't be at all surprised if DHS intervenes and gives companies a deadline for expunging such code from their servers.

I also wouldn't be surprised to see someone try a spear phishing attack on pogo.com or one of the other Flash-game vendors. As you note, so many just presume those sites are guaranteed to be "safe". Attacking them could be a good way to get broad access to a bunch of computers.

Quote:

I reiterate that Apple in its current method is doing MORE HARM than any threat [...] Apple could handle this sort of thing MUCH BETTER as I described above.

You're certainly entitled to your opinion. Apple's prophylactic measures dramatically cut the window for these exploits; you really have no objective means to quantify the cost/benefit of your complaint.

Quote:

If you would speak for yourself, you'd just say, "I wasn't harmed so I don't care" or something to that effect

There's the disconnect. You claim to abhor dictators, but you're trying to put words in my mouth. That's kinda funny! I do care, and Apple does care. Their decision was mindful and decisive, and I'm certain it was the right decision. You're certainly welcome to disagree.

The other thing that astonishes me: the continued reliance on Flash/Java by a variety of vendors is becoming an escalating problem. If businesses put a priority on this, we could remove 90% of the Flash/Java code within a year (or 18 months tops). This is the path to remove the Flash/Java malware threat, and many of those website owners simply seem to not care.

I do fear that the government will impose themselves on getting the web Flash-free. I wish the website owners would just handle this themselves.

[John.B]

I noticed this morning on my work Win7 laptop that Firefox has disabled the Flash plug-in and the Adobe installer doesn't actually install the latest update, it just quits and then deletes the installer. Where is the line to hate on Mozilla over "controlling my computer"?

Quote:

Originally Posted by AidenShaw

Actually, as soon as it was discovered - it was no longer a zero-day attack. You don't have to wait for a patch to be prepared - just for the developers to realize that a patch is needed.

So is this a zero-day? Thanks, Adobe. Protection for critical zero-day exploit not on by default (ArsTechnica.com)

If not, maybe you can set the guys at Ars straight while you are at it.

[AidenShaw]

Quote:

Originally Posted by John.B

So is this a zero-day? Thanks, Adobe. Protection for critical zero-day exploit not on by default (ArsTechnica.com)

If not, maybe you can set the guys at Ars straight while you are at it.

Ars is correctly using the term "zero day" - reread the article. It describes a security setting in Reader that would have blocked the exploit while it was still unknown - while it was still zero-day.

[linux2mac]

This about sums it up:

"We’ve been hoping for a quick and painful death to Flash for a while now. It’s been slowly coming, but we’re getting closer to the day of no longer needing the crash crazy, disease injecting plugin."

[FloatingBones]

Quote:

Originally Posted by AidenShaw

Ars is correctly using the term "zero day" - reread the article. It describes a security setting in Reader that would have blocked the exploit while it was still unknown - while it was still zero-day.

Perhaps you should have read the other Ars article that John.B noted:

Quote:

Originally Posted by Ars Technica

The recently discovered zero-day attacks targeting critical vulnerabilities in Adobe's ubiquitous Reader application are able to bypass recently added security defenses unless end users manually make changes to default settings, company officials said.

In your semantic universe, they couldn't have possibly used the phrase recently discovered zero-day attack. You told us:

Quote:

Originally Posted by AidenShaw

Quote:

We've said repeatedly that it becomes a known exploit.

But Ars didn't call it a "known exploit". They did call it a "recently discovered zero-day attack". Ars is certainly not following your rules, Aiden.

Quote:

Originally Posted by John.B

So is this a zero-day? Thanks, Adobe. Protection for critical zero-day exploit not on by default (ArsTechnica.com)

If not, maybe you can set the guys at Ars straight while you are at it.

Bravo.

Quote:

Originally Posted by linux2mac

This about sums it up:

"We’ve been hoping for a quick and painful death to Flash for a while now. It’s been slowly coming, but we’re getting closer to the day of no longer needing the crash crazy, disease injecting plugin."

The vocabulary is a bit extreme, but I agree with the sentiment. I am baffled by the complainers here who have no outrage whatsoever for the owners that have failed to make their sites Flash-free and Java-free. Google: are you listening?

[AidenShaw]

Someone suggested the Battle of Midway to help explain the temporal naming. I completely missed that one, though.

I did think of an analogy, though, that might help the less dense understand the temporal naming of threats.

Human pregnancy.

For many months, the new human is hidden, and called a "fetus" (as well as some other names for earlier stages).

At the time of birth, the fetus emerges, breathes on its own, and is now called a "baby".

It's still the same bundle of cells, but the name completely changes once it's out.

You'd never call a newborn baby a "fetus", nor a 1 year old nor a 2 year old. The transition from the womb to the open air changed the name completely.
_________________________

In a similar fashion, an unknown exploit is called "zero-day". Actually, it isn't called anything, because it is unknown. Once it's known, its previous state is called "zero-day", and for a short time it might be called "zero-day" - although technically it can't be "zero-day" for more than 24 hours.

The term "zero-day" implies that the classification is temporal and short lived. (Why don't we have "one-day" and "two-day" exploits?)

Saying that you "have a patch for a zero-day exploit" is akin to saying "I'm taking my fetus to its first day of kindergarten".
_________________________

Both of the ArsTechnica articles were referring to the pre-discovery state of the exploit - therefore "zero-day" was appropriate.

Anyone interested in learning more about zero-day attacks might find these papers interesting: Zero-Day Attacks Escape Detection for Nearly a Year: Symantec Study and Hackers Exploit 'Zero-Day' Bugs For 10 Months On Average Before They're Exposed

(Note that these papers use "zero-day" to refer to the historical time before these exploits were known - five months before birth the kindergartener was a fetus, so referring to Samantha as a "fetus" is fine if you're talking about five months before she was born. Referring to a currently known and patched exploit as "zero-day" is fine if you're referring to the time window when it was unknown.)

(Also note that the Forbes article defines "zero-day" in an Aiden-consistent way - "Software vendors are constantly on the watch for so-called “zero day” vulnerabilities–flaws in their code that hackers find and exploit before the first day companies become aware of them." The obvious implication is that once the companies become aware of them they are no longer "zero-day".)

I just don't understand the notion that "zero-day" is some horrible kind of exploit, rather than simply referring to the time window between the bug being shipped and the bug being publicized.

[AlexBerkman]

this thread started the 8th... and I got a new update of the flash-player today.

The right version number is now;

Plug-in version 11.6.602.167

[dan027bucsko]

I have updated my flash player as prompted but still i couldnt view youtube videos . Mine is iMac running lion 10.7.5.
can somebody help me ?


Dan Buscko
http://www.youtube.com/user/danielbucsko

[FloatingBones]

Quote:

Originally Posted by AidenShaw

I just don't understand the notion that "zero-day" is some horrible kind of exploit, rather than simply referring to the time window between the bug being shipped and the bug being publicized.

Because, quite simply, the phrase is used for both concepts. In your discussion of the analogy, there's an implied presumption that the naming of things should make logical sense. That premise is false; one need look no further than the phrase birth control to see a name that is not logical. We do need some way to name these exploits after the supplier has fixed the problem and a solution has been distributed. Just like birth control, the most important thing is that there be widespread agreement on a name. Earlier in the discussion, you had said:

Quote:

Originally Posted by AidenShaw

We've said repeatedly that it becomes a known exploit.

Where "it" was a zero-day exploit whose window of vulnerability had been closed. Yesterday, you told us:

Quote:

Originally Posted by AidenShaw

Both of the ArsTechnica articles were referring to the pre-discovery state of the exploit - therefore "zero-day" was appropriate.

So, apparently, you trust Ars's use of the terminology. However, if one searches for "known exploit" on the site arstechnica.com, you'll discover that the phrase hasn't been used on that site in over three years and has only been used 4 times in the history of the website. OTOH, the phrase "zero day exploit" gets 2,890 hits; the two-word phrase gets over 11k hits. As Obama is fond of saying: do the math.

You may not think using the same phrase for two different meanings makes logical sense; I can appreciate your thinking. If you find yourself exchanging riddles with a Sphinx or chatting with The Artist Formerly Known as Prince, this might be an interesting phrase to discuss. However, based on common usage on sites like Arstechnica.com, it should be readily apparent that "known exploit" is not the phrase used to describe a defused zero-day exploit.

Quote:

Originally Posted by dan027bucsko

I have updated my flash player as prompted but still i couldnt view youtube videos . Mine is iMac running lion 10.7.5.
can somebody help me ?

Welcome to MacRumors, Dan. I don't know. You may want to ask your question in this forum.

[munkery]

Interestingly, there isn't actually a sample of the supposed exploit that affects OS X.

The sample distributed as that exploit was simply extracted from the other exploit.

Samples that have been analyzed have no payloads affecting OS X.