Is adobe labs 64 bit flash player vulnerable latest exploit ?

Discussion in 'all things UNIX' started by Ocky, Jun 9, 2010.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    authplay.dll on Linux ... don't they mean a shared object?

    Adobe instructions, no mention of "UNIX" removal of authplay.dll.

    And Flash in PDF, Acrobat ... sounds like more poo than it really is. I hazard that if you do not use Acrobat Reader on Windows, this is not a biggie.

    Mrk
     
  3. tlu

    tlu Guest

    I read somewhere that under Linux libauthplay.so is affected. I can't find this file on my system. :)

    However, I'm only using Flash Player. Perhaps this file only exists on a Linux system if Adobe Reader is also installed?
     
  4. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    On my Lucid I have adobe reader - the file is here /opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so
    On my Karmic I don't have the reader, only flash, and that file is absent. :)

    I am more concerned about the 64 bit Linux flash player from adobe labs. I don't know whether it is affected and if so when it will be patched.
     
  5. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    If you have AppArmor enabled, I don't see the Flash vulnerability doing much damage anyway.
     
  6. tlu

    tlu Guest

    Hm. I'm not an AppArmor expert, but I don't seem to have a profile for Flash, nor is there one in /usr/share/doc/apparmor-profiles/extras/. The usr.bin.firefox profile covers Java but not Flash. So out of curiosity: how can AppArmor protect against Flash vulnerabilities (unless you've created an extra profile for Flash, of course)?
     
  7. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    The attack, if I am not mistaken, is via JavaScript, and in this case the browser is locked in by AppArmor, so I don't think any harm can be done. I may be wrong, but last time at Pwn2Own, when all systems fell via a Flash hack, Ubuntu was the only system that survived.
     
  8. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    You mean Linux, linuxforall, or just Ubuntu? :rolleyes:

    Got Fedora + SELinux enabled, don't worry.

    It keeps irritating the hacker; he pulls his hair out and leaves my system alone :p


    Just kidding.
     
  9. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    Well, Ubuntu runs on Linux, so yes, final credit goes to Linux. So far not a single case of this exploit affecting Ubuntu or other Linux distros has surfaced. Had that been the case, updates would be out in a jiffy. Also, according to the Adobe blog, I don't see a single place where the x64 alpha Flash is mentioned for this vulnerability, even though the version numbers do match.
    http://www.adobe.com/support/security/advisories/apsa10-01.html
     
  11. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Solution given on http://secunia.com/

    Delete, rename, or remove access to authplay.dll to prevent running SWF content in PDF files.

    What I did is remove the root cause, I mean that file:

    #rm -f /opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so

    Adobe Reader is working fine; it blocks Flash SWF (Shockwave Flash) content playing in Adobe Reader, I guess, for whoever uses that. I never used that feature in Adobe Reader, so I'm okay with that :D

    for flash

    Solution
    Reportedly, the latest version 10.1 Release Candidate is not affected.
    Further details available in Customer Area
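
A more cautious version of the mitigation in the post above, added here as an example and not taken from the thread, Secunia or Adobe: instead of `rm -f`, move libauthplay.so out of the loader's path, record a POSIX `cksum` of it, and only move it back if it is unchanged, so the change is reversible and a swapped-in replacement is noticed. The Reader9 path is the one reported in the thread; the `.disabled`/`.cksum` naming, the function names and the constructed stand-in file in `demo` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): neutralise Adobe Reader's
# libauthplay.so reversibly instead of "rm -f"-ing it. The library is
# renamed out of the loader's way and a POSIX cksum of it is recorded so
# restore_lib refuses to put back a file that was altered in the meantime.
# LIB_NAME and the Reader9 path come from the thread; the naming below is
# this example's own convention.

LIB_NAME=libauthplay.so

# neutralise_lib PATH: move PATH to PATH.disabled and record its checksum.
# Returns 1 if PATH is not a regular file (already moved, or never there).
neutralise_lib() {
  lib="$1"
  [ -f "$lib" ] || return 1
  cksum < "$lib" > "$lib.disabled.cksum"
  mv "$lib" "$lib.disabled"
}

# restore_lib PATH: put PATH.disabled back only if its checksum still matches
# what neutralise_lib recorded. Returns 1 on mismatch or if nothing was disabled.
restore_lib() {
  lib="$1"
  [ -f "$lib.disabled" ] && [ -f "$lib.disabled.cksum" ] || return 1
  if [ "$(cksum < "$lib.disabled")" != "$(cat "$lib.disabled.cksum")" ]; then
    echo "checksum mismatch, not restoring $lib" >&2
    return 1
  fi
  mv "$lib.disabled" "$lib" && rm -f "$lib.disabled.cksum"
}

# lib_active PATH: succeeds while the library is still at its load path,
# i.e. Reader could still dlopen it.
lib_active() {
  [ -e "$1" ]
}

# neutralise_all ROOT: apply neutralise_lib to every LIB_NAME under ROOT
# (on a real system ROOT would be /opt/Adobe); prints how many were moved.
neutralise_all() {
  find "$1" -type f -name "$LIB_NAME" | {
    n=0
    while IFS= read -r f; do
      neutralise_lib "$f" && n=$((n + 1))
    done
    echo "$n"
  }
}

# demo: exercise the functions on a throwaway tree; no real install is touched.
demo() {
  root=$(mktemp -d)
  lib="$root/opt/Adobe/Reader9/Reader/intellinux/lib/$LIB_NAME"
  mkdir -p "$(dirname "$lib")"
  printf 'constructed stand-in, not an ELF object\n' > "$lib"
  echo "neutralised: $(neutralise_all "$root/opt")"
  if lib_active "$lib"; then echo "still at load path"; else echo "out of the loader's way"; fi
  restore_lib "$lib" && echo "restored, checksum matched"
  rm -rf "$root"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh neutralise_authplay.sh demo` (file name assumed) for the dry run, or source it and call `neutralise_all /opt/Adobe` as root. Renaming rather than deleting keeps the vendor file on disk for the day a patched Reader wants it back, and the checksum check is what stops a later `restore_lib` from reinstating something other than the file that was moved.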
     
  12. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Why use Adobe Reader when there are good, working solutions in Linux distros which are safer? Evince, which is the default in Ubuntu, also comes with its AppArmor profile for all this nuisance.
     
  13. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    I like evince, but I do not think the font rendering is as good as acroread (make sure to disable the javascript function in acroread if you are a suspicious person like myself). Actually use Foxit for my pdfs. Yes, I went outside the repos for this one, shoot me.
     
  14. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    How bout Okular?
     
  15. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Isn't that more of a kde app? Not that I can't install it, but I'm one of those peculiar people that does not like to install kde apps in gnome (and vice-versa). I'm going to check in synaptic right now. Although I really like the linux version of Foxit.

    Edit: Yes it is kde, with a hell of a lot of dependencies. Although I do remember it as a very good program when I ran PCLOS 2010.
     
  16. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Sorry for asking an off-topic question.

    My Firefox shows this AppArmor output; I am new to AppArmor.

    sudo /etc/init.d/apparmor start
    * Starting AppArmor profiles ok

    Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
     
  17. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Exactly, that's what I was (am) confused about.
    Did you enable it like this ?

    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox (for Lucid)

    Then check: sudo apparmor_status
     
  18. tlu

    tlu Guest

    Please tell us what

    sudo aa-status

    shows.
     
  19. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Aha, thanks Ocky. Sorry, yes, I did the default mode.

    Setting /etc/apparmor.d/usr.bin.firefox to enforce mode.
    mack@mack-desktop:~$ sudo aa-status
    apparmor module is loaded.
    33 profiles are loaded.
    13 profiles are in enforce mode.
    /sbin/dhclient3
    /usr/bin/evince
    /usr/bin/evince-previewer
    /usr/bin/evince-thumbnailer
    /usr/lib/NetworkManager/nm-dhcp-client.action
    /usr/lib/connman/scripts/dhclient-script
    /usr/lib/cups/backend/cups-pdf
    /usr/lib/firefox-3.6.3/firefox-*bin
    /usr/lib/firefox-3.6.3/firefox-*bin//firefox_java
    /usr/lib/firefox-3.6.3/firefox-*bin//firefox_openjdk
    /usr/sbin/cupsd
    /usr/sbin/tcpdump
    /usr/share/gdm/guest-session/Xsession
    20 profiles are in complain mode.
    /bin/ping
    /sbin/klogd
    /sbin/syslog-ng
    /sbin/syslogd
    /usr/lib/dovecot/deliver
    /usr/lib/dovecot/dovecot-auth
    /usr/lib/dovecot/imap
    /usr/lib/dovecot/imap-login
    /usr/lib/dovecot/managesieve-login
    /usr/lib/dovecot/pop3
    /usr/lib/dovecot/pop3-login
    /usr/sbin/avahi-daemon
    /usr/sbin/dnsmasq
    /usr/sbin/dovecot
    /usr/sbin/identd
    /usr/sbin/mdnsd
    /usr/sbin/nmbd
    /usr/sbin/nscd
    /usr/sbin/smbd
    /usr/sbin/traceroute
    3 processes have profiles defined.
    1 processes are in enforce mode :
    /usr/sbin/cupsd (1570)
    2 processes are in complain mode.
    /usr/sbin/avahi-daemon (1011)
    /usr/sbin/avahi-daemon (1010)
    0 processes are unconfined but have a profile defined
     
  20. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I am using bodhi.zazen's profile for Opera as I don't have time to learn about apparmor profile creation (i.e. really effective profile). http://bodhizazen.net/aa-profiles/
    It is fine and I also use flashblocker http://my.opera.com/Lex1/blog/flashblock-for-opera-9
     
  21. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    The only process that has a profile in enforcing mode is cupsd, which comes with a profile enabled by default. In order to turn the Firefox profile on, you will need to do:

    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
    In fact, I suggest you put all the profiles in enforce mode:

    Code:
    sudo aa-enforce /etc/apparmor.d/*
    Then restart Firefox and run aa-status again.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think I don't need to run this command:

    sudo aa-enforce /etc/apparmor.d/*

    Am I right?

    Also is there a profile for latest chromium? Thanks
     
  23. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    re: mack_guy911's output........
    That's new to me. Why does the output then show that, of the enforced profiles, Firefox is there? viz. /usr/lib/firefox-3.6.3/firefox-*bin
    /usr/lib/firefox-3.6.3/firefox-*bin//firefox_java
    /usr/lib/firefox-3.6.3/firefox-*bin//firefox_openjdk
    I have the same and java is blocked - proving that the profile is loaded. Maybe I have misunderstood apparmor all the time. No idea anymore.
     
  24. tlu

    tlu Guest

    Because he has set it to enforce mode in post #19? :D
     
  25. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    No, you're right. They are in enforce mode but he apparently didn't have FF running when he did aa-status. These lines:

    Code:
    3 processes have profiles defined.
    1 processes are in enforce mode :
    /usr/sbin/cupsd (1570) 
    show only one process in enforce mode. But, of course, that means only one running process is in enforce mode.

    Nevertheless, he still has a lot of profiles in complain mode that I think he should turn on.

    Code:
    sudo aa-enforce /etc/apparmor.d/*
    will do it.
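
The confusion in posts #16, #19, #23 and #25 comes from reading two different things as one. The "Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox" line from the init script means a symlink to that profile exists in /etc/apparmor.d/disable/, so the profile is not loaded at all; once loaded, `aa-status` lists every profile by mode, and then separately lists only *running* processes, which is why the Firefox profile can sit in the enforce list while the "processes in enforce mode" list shows just cupsd. The script below, added as an example and not posted by anyone in the thread, turns those two checks into a function that returns one verdict per profile. The sample `aa-status` text is a trimmed copy of the output posted in #19; the directory and file arguments are parameters so it can run against a test copy rather than the real /etc/apparmor.d.

```shell
#!/bin/sh
# Added example (not from the thread): is a given AppArmor profile disabled,
# enforced, complaining, or simply not loaded? Combines the disable-symlink
# check with a parse of saved `sudo aa-status` output.

# profile_state APPARMOR_DIR PROFILE_FILE STATUS_FILE PROFILE_NAME
#   APPARMOR_DIR  /etc/apparmor.d (or a copy of it)
#   PROFILE_FILE  the file name, e.g. usr.bin.firefox
#   STATUS_FILE   saved output of `sudo aa-status`
#   PROFILE_NAME  the name as aa-status prints it, e.g. /usr/lib/firefox-3.6.3/firefox-*bin
# Prints one of: disabled | enforce | complain | not-loaded
profile_state() {
  aa_dir="$1"; prof="$2"; status="$3"; name="$4"
  # A (possibly dangling) symlink in disable/ is what the init script skips.
  if [ -e "$aa_dir/disable/$prof" ] || [ -L "$aa_dir/disable/$prof" ]; then
    echo disabled
    return 0
  fi
  # aa-status prints "N profiles are in enforce mode." followed by one profile
  # per line, then the same for complain mode; the process lists come after
  # "N processes have profiles defined." and must not be mistaken for profiles.
  mode=$(awk -v name="$name" '
    /profiles are in enforce mode/    { sec = "enforce";  next }
    /profiles are in complain mode/   { sec = "complain"; next }
    /processes have profiles defined/ { sec = "" }
    sec != "" && $1 == name           { print sec; exit }
  ' "$status")
  echo "${mode:-not-loaded}"
}

# confined_processes STATUS_FILE MODE
# Prints how many *running* processes aa-status reports in MODE
# (enforce|complain). Process lines end in "(PID)"; profile lines do not.
confined_processes() {
  awk -v want="$2" '
    /processes are in enforce mode/  { sec = "enforce";  next }
    /processes are in complain mode/ { sec = "complain"; next }
    /processes are unconfined/       { sec = "" }
    sec == want && /[(][0-9]+[)]$/   { n++ }
    END { print n + 0 }
  ' "$1"
}

# write_sample_status FILE: constructed sample, trimmed from the aa-status
# output posted in the thread (post #19).
write_sample_status() {
  cat > "$1" <<'EOF'
apparmor module is loaded.
33 profiles are loaded.
13 profiles are in enforce mode.
   /usr/bin/evince
   /usr/lib/firefox-3.6.3/firefox-*bin
   /usr/lib/firefox-3.6.3/firefox-*bin//firefox_java
   /usr/sbin/cupsd
20 profiles are in complain mode.
   /bin/ping
   /usr/sbin/avahi-daemon
3 processes have profiles defined.
1 processes are in enforce mode :
   /usr/sbin/cupsd (1570)
2 processes are in complain mode.
   /usr/sbin/avahi-daemon (1011)
   /usr/sbin/avahi-daemon (1010)
0 processes are unconfined but have a profile defined
EOF
}

# demo: a throwaway /etc/apparmor.d look-alike with the Firefox profile
# symlinked into disable/, then the same check after the symlink is removed
# (removing it and reloading the profile is what re-enables it).
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/disable"
  ln -s ../usr.bin.firefox "$d/disable/usr.bin.firefox"
  write_sample_status "$d/status"
  ff='/usr/lib/firefox-3.6.3/firefox-*bin'
  echo "firefox: $(profile_state "$d" usr.bin.firefox "$d/status" "$ff")"
  rm "$d/disable/usr.bin.firefox"
  echo "firefox: $(profile_state "$d" usr.bin.firefox "$d/status" "$ff")"
  echo "running processes in enforce mode: $(confined_processes "$d/status" enforce)"
  rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On a live system, save `sudo aa-status` to a file and call `profile_state /etc/apparmor.d usr.bin.firefox status.txt '/usr/lib/firefox-3.6.3/firefox-*bin'` (the profile name is whatever your Firefox version's profile uses). A verdict of `enforce` with zero Firefox entries under the process count simply means Firefox was not running when `aa-status` was taken; start it, rerun `aa-status`, and its PID should then appear in the enforce list alongside cupsd.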
     