Gentle Linkers,

Late in June, Adobe issued YAFU (Yet Another Flash Update). And then yesterday, YAFU, this one quite serious. It is being exploited in the wild. You are advised to update to Adobe Flash 18.0.0.203 (Windows and Mac), 11.2.202.481 (Linux).

I decided to read all about it here:

https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Here is a summary of what went wrong in the penultimate release of Flash, along with my observations of this billion-dollar company's programming skillset:

heap buffer overflow:
programmer unable to count from one onwards correctly, i.e. he or she stuffed too many characters into a string buffer ... this is kindergarten stuff

memory corruption vulnerabilities:
programmer unable to stay within memory limits, i.e. he or she wrote code that accessed and wrote memory that does not belong to the Flash program - very naughty, stupid and once again, kindergarten level programming

null pointer dereference:
this is plain silly: the programmer used an invalid (zero) pointer to access computer memory from within Flash. sheer idiocy

type confusion:
kindergarten programmers have trouble distinguishing apples from oranges, well, erm, integers from real numbers, that sort of thing

use-after-free vulnerabilities:
more kindergarten stuff - after freeing up system memory when it is no longer needed, the programmer went and reused that memory for another purpose, which of course would confuse the underlying operating system, which will give that same memory (since it is now free) to another piece of software to use.

I would fail a year-one programmer for a piece of software in which all of the above bugs were present in a programming assignment.

A question arises from the above list of country bumpkin programming gaffes. Can Adobe not afford software source code analysis kits? They ain't that expensive and would at least alert programmers at this august company to the presence of ALL of the above exploits.

Why the rant? Because of all the software I use that must be updated, Adobe Flash is by far the software that requires the most updates. Besides that, their update "app" for Macs running Mtn Lion is broken, and one has to engage in a near fruitless and time consuming search through their tortuous website to find a direct download for the DMG file containing the update.

Adobe bullied itself into web applications since the early days of the internet. As such, they have a responsibility to provide thoroughly tested and vetted plug-ins that guarantee online user safety. They have failed miserably in their remit and deserve all of the flak and bile we hapless users can direct at them.

Bring on HTML5 with its embedded video and audio capabilities and banish Adobe Flash to the trash-heap of crapuscent (my word) software for eternity.

regards
rickw


-- 
------------------------------------
Rick Welykochy || Vitendo Consulting

I contend that for a nation to try to tax itself into prosperity is like
a man standing in a bucket and trying to lift himself up by the handle.
     --Winston Churchill

_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
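The post's first item, "unable to count from one onwards", is the classic off-by-one heap overflow: a string buffer sized by strlen() alone has no room for the terminating NUL, so the copy writes one byte past the allocation. The following C program is an added illustration of that bug class and its fix; it is constructed for this page and is not Adobe's or Flash's code. The function names (dup_unsafe, dup_safe, copy_bounded, demo_bounded) and the sample strings are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not Adobe's code): sizing a heap buffer by strlen()
 * forgets the terminating NUL, so strcpy writes one byte past the block.
 * Shown for contrast only; nothing in this file calls dup_unsafe. */
char *dup_unsafe(const char *src)
{
    size_t n = strlen(src);
    char *dst = malloc(n);          /* BUG: needs n + 1 for the terminator */
    if (dst == NULL)
        return NULL;
    strcpy(dst, src);               /* writes n + 1 bytes into an n-byte block */
    return dst;
}

/* Hardened heap copy: the byte count includes the terminator, and the same
 * value is used for both the allocation and the copy, so they cannot drift. */
char *dup_safe(const char *src)
{
    size_t n = strlen(src) + 1;     /* bytes needed, terminator included */
    char *dst = malloc(n);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, n);
    return dst;
}

/* Round-trip check on dup_safe: returns 1 if the copy equals the source. */
int dup_safe_matches(const char *src)
{
    char *d = dup_safe(src);
    int ok = (d != NULL) && strcmp(d, src) == 0;
    free(d);
    return ok;
}

/* Bounded copy into a caller-owned buffer of known capacity.  Returns 0 on
 * success and -1 if the source plus its terminator would not fit; on failure
 * the destination is left empty rather than silently truncated. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0)
        return -1;
    if (n + 1 > cap) {              /* would overflow: refuse the copy */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Exercises copy_bounded against a fixed 8-byte buffer (an assumed size). */
int demo_bounded(const char *src)
{
    char buf[8];
    return copy_bounded(buf, sizeof buf, src);
}

int main(void)
{
    printf("dup_safe round-trip: %d\n", dup_safe_matches("hello"));    /* 1 */
    printf("copy_bounded \"short\": %d\n", demo_bounded("short"));      /* 0 */
    printf("copy_bounded \"sevench\": %d\n", demo_bounded("sevench"));  /* 0: 7 + NUL fits in 8 */
    printf("copy_bounded \"too long\": %d\n", demo_bounded("too long")); /* -1: 8 + NUL does not */
    return 0;
}
```

The point of the "source code analysis kits" the post mentions is that tools of that kind flag exactly the dup_unsafe pattern (allocation sized n, copy of n + 1 bytes) before it ships; the hardened versions make the bound explicit so that both a reviewer and an analyser can see it.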
