Actually, as soon as it was discovered it was no longer a zero-day attack.
If this were true in actuality, you could provide real references confirming this usage. But you can't do that; the wikipedia page definitely does not make this distinction. I regularly listen to the Security Now! podcast; I've never ever heard Steve Gibson make this distinction. Have you?
Apple does not block Flash, because by definition a zero-day exploit is unknown [SNIP]
By
what definition? Continuing to imply that you're referencing some definition without actually referencing that definition is strange behavior. Repeating a dogmatic claim does not make it true.
Why cannot you understand that a threat has a timeline, and that its categorization changes along the timeline?
Magnus explained it well: we still call it The Battle of Midway -- even though it's not still going on. CVE-2013-0634 is a zero-day exploit -- even if the window of vulnerability of that zero-day exploit has been closed.
If you're going to provide a definition, please
provide the reference for that definition.
I'm outta here unless there's an intelligent comment....
Here's an intelligent suggestion: please don't submit personal definitions of technical terms. If someone asks you to provide external confirmation of your definition, either provide a reference or retract your personal definition. The world is complicated enough without commenters here making up our own definitions. Capiche?
The Adobe security bulletin was quite explicit: CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform. I am also baffled why Adian said that this wasn't a zero-day attack. The attacks are really happening, and real people are being harmed.
Who do you know who was harmed by this "attack" ?
You asked us:
Who actually got any flipping Malware???. We don't know the specifics, but Adobe's report CVE-2013-0634 happened in response to the attacks. If you care about the who/what/where specifics, I recommend listening to this week's
Security Now! podcast. I didn't hear the beginning of this week's show; they were talking about an Adobe Reader spear phishing attack when I tuned in today. We may never know the specifics of the victims of CVE-2013-0634.
Has even a single person on here or any other known site reported that their machine was compromised by this "attack" ? Who was harmed by the Java attacks a couple of weeks ago? Do you know a single person?
How exactly does my personal knowledge of these zero-day attacks have to do with their validity? Are you suggesting that Adobe and Oracle issued false reports about the attacks? What would be their motivation for doing that?
But in BOTH cases, my machine was disabled by Apple.
How, exactly? The malware-definition updates have been part of the OS since Snow Leopard. If you wanted to stop those updates, you could have done that at any time. If you're
still upset about those updates, you should do it immediately.
If you wish to selectively use Apple's malware updates, you're clearly fully capable of hacking the plist file.
It's very difficult to know. Apple's proactive measures have dramatically lessened the window of vulnerability for these zero-day attacks. If the ROI for these kinds of exploits is significantly lessened by such prophylactic measures, the value of creating such exploits could drop significantly. If
you see no value in using Apple's malware protection, your course should be obvious:
turn it off.
I have seen dozens on this site alone reporting their inability to access services they feel they NEED to access. THAT is my point. It's SAD you don't seem to comprehend it.
You're right. I don't comprehend it. All anyone had to do was update to the fixed version of Flash. What real users actually had "inability to access services"?
One user complained that Adobe's code in system preferences failed to report the existence of the new version. That was confusing, but it was clearly an Adobe bug in their code.
This is simply not true. I had to waste my TIME (and time is valuable to me) to look up what was going on (I am new to Mountain Lion and never had such an occurrence happen before so advanced or not, I still have to look up how to bypass it). I had to describe to another family member what to do and it was beyond their comprehension what I was talking about and I could not reasonably expect them to update their Plist.
Why didn't you just follow the instructions and update to the latest version of Flash code?
Thus, we could not play online games on Pogo.com until the update. This might seem trivial to you, but in other cases it was prescriptions, banking, etc. and not so trivial.
Any banking/medical companies providing mission-critical services for their customers through Flash code are performing a major disservice to their customers. I wouldn't be at all surprised if DHS intervenes and gives companies a deadline for expunging such code from their servers.
I also wouldn't be surprised to see someone try a spear phishing attack on pogo.com or one of the other Flash-game vendors. As you note, so many just presume those sites are guaranteed to be "safe". Attacking them could be a good way to get broad access to a bunch of computers.
I reiterate that Apple in its current method is doing MORE HARM than any threat [...] Apple could handle this sort of thing MUCH BETTER as I described above.
You're certainly entitled to your opinion. Apple's prophylactic measures dramatically cut the window for these exploits; you really have no objective means to quantify the cost/benefit of your complaint.
If you would speak for yourself, you'd just say, "I wasn't harmed so I don't care" or something to that effect
There's the disconnect. You claim to abhor dictators, but you're trying to put words in my mouth. That's kinda funny! I
do care, and Apple
does care. Their decision was mindful and decisive, and I'm certain it was the right decision. You're certainly welcome to disagree.
The other thing that astonishes me: the continued reliance on Flash/Java by a variety of vendors is becoming an escalating problem. If businesses put a priority on this, we could remove 90% of the Flash/Java code within a year (or 18 months tops). This is the path to remove the Flash/Java malware threat, and many of those website owners simply seem to not care.
I do fear that the government will impose themselves on getting the web Flash-free. I wish the website owners would just handle this themselves.
