Thursday, April 17, 2008

Adobe Flash Exploit


For non-computer-geek guys: UPDATE YOUR FLASH VERSION NOW and you can skip the rest. It can hurt your brains if you read it.

I'll be short on this one. Mark Dowd, a guy from IBM Internet Security Systems, has found a vulnerability in Flash Player that allows an attacker to execute code on your machine. Internet Explorer and Firefox are vulnerable. Since the latest Flash version is not compiled with ASLR support (what the fuck did Adobe think?), Vista is also vulnerable.
Adobe was quick to issue the patch (well, come on, they only needed to change one comparison in the code - always be careful with signed/unsigned comparisons; compilers give warnings for a reason). Vulnerable versions are Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier.
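To make the signed/unsigned point concrete, here is an added example (my own illustration, not Adobe's code and not the Flash file format): a parser reads an untrusted entry count and checks it against a fixed table size. The record layout, the constants and the function names are constructed for this example. The buggy check keeps the count in a signed int, so a raw value with the top bit set reads as negative and slips past the upper-bound test; the fixed check compares as unsigned and also verifies the declared entries are really present in the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative record format, constructed for this example (it is NOT the
 * Flash/SWF layout): a 4-byte little-endian entry count followed by
 * `count` 4-byte entries, which the parser copies into a fixed-size table. */
#define MAX_ENTRIES 16

enum parse_result { PARSE_OK = 0, PARSE_REJECTED = 1 };

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The buggy shape of the check: the count is held in a signed int, so a raw
 * value with the top bit set becomes negative and `count > MAX_ENTRIES` is
 * false. The check "passes", and a later copy that treats the count as an
 * unsigned size would write far past the table. Returns 1 if accepted.
 * Note that gcc/clang's -Wsign-compare only fires when the two operands
 * differ in signedness; a check written entirely in signed int stays silent,
 * while -Wsign-conversion would flag the int-to-size_t conversion at the
 * copy site. */
int bounds_check_signed(uint32_t raw_count)
{
    int32_t count = (int32_t)raw_count;
    return count <= MAX_ENTRIES;
}

/* The fixed shape: compare as unsigned, so every value above MAX_ENTRIES is
 * rejected, including the ones that would have read as negative. */
int bounds_check_unsigned(uint32_t raw_count)
{
    return raw_count <= MAX_ENTRIES;
}

/* Hardened parser: unsigned count check plus a check that the declared
 * entries are actually present in the buffer. The length test divides the
 * remaining buffer instead of multiplying the untrusted count, so the
 * arithmetic itself cannot overflow. */
int parse_record(const unsigned char *buf, size_t len,
                 uint32_t table[MAX_ENTRIES], uint32_t *out_count)
{
    if (len < 4)
        return PARSE_REJECTED;
    uint32_t count = read_le32(buf);
    if (!bounds_check_unsigned(count))
        return PARSE_REJECTED;
    if ((len - 4) / 4 < count)          /* truncated input */
        return PARSE_REJECTED;
    for (uint32_t i = 0; i < count; i++)
        table[i] = read_le32(buf + 4 + 4 * (size_t)i);
    *out_count = count;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed inputs: a valid two-entry record, and a record whose count
     * has the top bit set (0x80000000), which the signed check lets through. */
    unsigned char good[] = { 2, 0, 0, 0, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22 };
    unsigned char bad[]  = { 0, 0, 0, 0x80, 0, 0, 0, 0 };
    uint32_t table[MAX_ENTRIES], n = 0;

    printf("signed check accepts 0x80000000:   %d\n", bounds_check_signed(0x80000000u));
    printf("unsigned check accepts 0x80000000: %d\n", bounds_check_unsigned(0x80000000u));
    printf("parse good: %d (entries=%u)\n", parse_record(good, sizeof good, table, &n), n);
    printf("parse bad:  %d\n", parse_record(bad, sizeof bad, table, &n));
    return 0;
}
```

The takeaway is the one the post makes: a count or length that arrives from the file is data, not a trusted integer, and the comparison that guards it has to be done in the same (unsigned) type that the copy will use.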

At some point I was really impressed by this quote from Christopher Baus:
Software isn't about methodologies, languages, or even operating systems. It is about working applications. At Adobe I would have learned the art of building massive applications that generate millions of dollars in revenue. Sure, PostScript wasn't the sexiest application, and it was written in old school C, but it performed a significant and useful task that thousands (if not millions) of people relied on to do their job. There could hardly be a better place to learn the skills of building commercial applications, no matter the tools that were employed at the time. I did learn an important lesson at ObjectSpace. A UML diagram can't push 500 pages per minute through a RIP.

There are two types of people in this industry. Talkers and Doers. ObjectSpace was a company of talkers. Adobe is a company of doers. Adobe took in $430 million in revenue last quarter. ObjectSpace is long bankrupt.

I agree with that. You should do, not talk. After reading this quote, though, I started to imagine all Adobe software as big Pandora's boxes: cluttered, huge and evil inside, but on the outside they just work. It seems the "evil inside, works outside" strategy can have its consequences: you put your customers at risk. A big risk. That leads to my second point: know what you are doing. Cowboy coding isn't a wise approach for companies with PageRank 10.

Links:
  1. Vulnerability analysis in English
  2. Short vulnerability analysis in Russian
  3. Vulnerability description on IBM Internet Security Systems
  4. 25-page original description by Mark Dowd (PDF)
  5. Adobe's patch for Flash Player