Firefox 4 repo

Christofer C. Bell christofer.c.bell at gmail.com
Mon Jul 19 07:17:18 UTC 2010


On 7/19/10, Suvayu Ali <fatkasuvayu+linux at gmail.com> wrote:

> I have a copy of the "buggy" 64 bit flash (10.0.45), and it works with
> the fedora version of FF 3.6 very well. I am having a problem with _all_
> my plugins when I use the tarball. I guess I'll have to give up my wish
> to test the beta release of FF. :-\
>

It's not so much "buggy" as it contains an actively exploited security
vulnerability that can lead to remote compromise of your computer.

"A critical <http://www.adobe.com/support/security/severity_ratings.html> vulnerability
exists in Adobe Flash Player 10.0.45.2 and earlier versions
for Windows, Macintosh, Linux and Solaris operating systems, and the
authplay.dll component that ships with Adobe Reader and Acrobat 9.x for
Windows, Macintosh and UNIX operating systems. This vulnerability
(CVE-2010-1297) could cause a crash and potentially allow an attacker to
take control of the affected system. There are reports that this
vulnerability is being actively exploited in the wild against both Adobe
Flash Player, and Adobe Reader and Acrobat."[1]

"Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64; Adobe AIR
before 2.0.2.12610; and Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x
before 8.2.3 on Windows and Mac OS X, allow remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via crafted
SWF content, related to authplay.dll and the ActionScript Virtual Machine 2
(AVM2) newfunction instruction, as exploited in the wild in June 2010."[2]

So yes, the software "works well" in much the same way that "an unpatched
Windows XP works well" but leaves you open to compromise.  Note the key
sentence here: "There are reports that this vulnerability is being actively
exploited in the wild against both Adobe Flash Player, and Adobe Reader and
Acrobat."

I'm not sure I'd have such a cavalier attitude toward it as you.

[1] http://www.adobe.com/support/security/advisories/apsa10-01.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297

-- 
Chris