The Pwn2Own contest, as we all know, saw Mac OS X crumble first, with Vista following soon after. Ubuntu was the only OS that went unhacked, but news is surfacing that Vista should have had a longer lifeline, if only Adobe had shipped the fix for a flaw it already knew about.
Yup, it's true: Adobe not only knew about the Flash Player security flaw that Shane Macaulay used to hack Vista, they even had a patch prepared. Only thing is, they hadn't got round to releasing it. In fact, the patch was scheduled to ship in the next Flash Player update later in the month. Note, too, that the hole is in Flash Player rather than in Windows itself, so it was not a Vista-specific defect.
Thankfully, Adobe were not in the dark about the security risk. However, if they were in the know, don't you guys think they have a responsibility to release the fix ASAP? Putting our systems at unnecessary risk because we chose to install third-party software just doesn't seem fair. Further, asking for system stability and security to be made a priority should be a given at all times, or so we reckon. Worse still, the defect may have cost Vista the title of impenetrable OS, and that's gonna hurt the MS fanboys dearly. After all, imagine if OS X had been the only hacked operating system; we think said fanboys may have had something to brag about, or at least a reason to punch Mr Smug Mac in the face. [Ars Technica]
Comments
I hate adobe now. Hate.
I don't know about you guys but I consider a true hack to be something that doesn't require the stupidity of the victim. Freeporn.exe is a trick.
Thankfully, Adobe were not in the dark about the security risk, however, if they were in the know, don't you guys think they have a responsibility to release the fix ASAP?
How do you know they're not releasing it ASAP? Do you not think it is reasonable that companies should test updates before they release them?
Why does everyone keep posting that the Ubuntu machine was impenetrable, when they clearly said there were exploits, they just didn't want to put in the time to do the code... it makes the OS sound better than it is.
The funny thing about mac is that what makes it "safer" is the fact that not a lot of people use it. Since only a small percentage of users are of the "1337" population, you have a much better chance of staying away from viruses and hackers on a mac.
Apple should stop running ads, if their user base gets too big they're screwed.
Wow that's pretty lame. I still don't like Vista though but now I'm positive that it's not all Microsoft's fault.
When a software company finds a flaw that is a security risk, what are the procedures that they must follow before releasing a fix? I kinda wanna know how long it usually takes to fix a problem, test it, and release it. I think it's good that Adobe knew of the problem at least, but I really don't hate Adobe yet because I know I definitely do not know what needs to be done to fix this problem. Any people here have any insight on how this works?
"I run vista and I did your sista"
LMAO!!!!!
Funniest.Caption.Ever!
x'D
Software companies are damned if they do and damned if they don't: if they release a patch prematurely, and it breaks stuff, we complain. If they wait until it's fully tested, we complain. How long it takes to implement and test a fix will vary, depending on the flaw, but you can't expect Adobe or anyone else to just put an untested fix out there, especially when there are no exploits in the wild. Also, rolling multiple fixes up into major patches makes more sense than incremental fixes for every little hole discovered. Hence Microsoft's Patch Tuesday, Apple's humongous OS X updates, etc.
Also, it's not clear that this hole wouldn't affect Linux as well; the people who cracked the Vista laptop apparently did so because it was a better machine.
And this is why open-source is so great (or why linux wasn't hacked). See a security problem, report it. If its not patched by the distributer, any security minded individual can grab the source and fix it himself, and/or release it.
@mcg1969 & barfoo: whilst it's true that it's important for companies to test their software patches before releasing them, in this case Adobe have known about the fault since before the competition, have been working on it and have now scheduled a release date for the fix - surely if they've reached the point that they can schedule a release date, then it's ready to go and should just be released ASAP, no?
@digodemais: as opposed to linux?
A scheduled release does not guarantee a stable version of the patch. Also, Adobe, and even MS or Apple, should not be responsible for user stupidity. It is unfair to expect these companies to account for every possible stupid mistake that the user is going to make. Should MS be held responsible if some user deletes some file that makes their system no longer work? How about if they turn off all the security measures? Is it still the fault of MS or Apple? The hacked machines were only hacked due to the fault of the user, not that of the software. Also, Linux isn't even close to "impenetrable" if a user opens up the same possible vulnerabilities someone can hack into a Linux machine too. I'm all for open source as the next guy, but the reality is that the quality of open source will, in general, never live up to that of commercial software.
In the long run, does it really matter? Seems to me (a guy who doesn't download a lot of crazy stuff) that the commercial software got hacked because they were better targets. OS X and Vista were bound to be hacked. And by hacked, I mean, use vulnerabilities in programs installed on the OS.
I'm not flaming the fire, but it just sounds like bickering to bicker. All 3 seemed to be very secure during the competition. My .02...and not worth a whole lot more.
Oh well... does it really matter? Folks are going to run whatever OS they want.
I run Vista because I like it. Finally, a version of Windows where you don't need virus scanning software.
A cursory reading of the cited article CLEARLY shows Adobe HAD a fix. They chose to delay it for reasons OTHER than testing.
It seems there is an entire group of Gizmodo readers, epitomized by apologists like barfoo and mcg1969- who will unthinkingly leap to the defense of corporations. I don't know if it's generational, or a more general inculcation of corporate values, but it bodes ill for consumer rights.
Generally, no.
Software vulnerability patching isn't like dealing with normal computer issues. Simply having a known issue doesn't mean that issue will be used, or be dangerous. There's a period of time before black hat hackers will come up with a working bit of malicious code based on it, and even once they've done so, malicious code usually follows some rather specific growth patterns that mean it won't be hazardous on a wide scale for a period of time. Mail code exploits, for example, might only multiply a couple of times a day, meaning that they might not infect a truly large number of people for a while.
Where a normal code issue -- for example, losing data under specific actions -- is going to have negative results directly proportional to the amount of time that program is used and the number of people using it, security flaws are very unlikely to cause harm in general early on. Compare that to the results of a hurried patch, which could cause its own type of issues (crashes would be the most common, but poorly designed code has been known to accidentally delete data in outlier cases, like that of the recent EVE Online change)... and it's not so relevant to release as early as possible.
Even when a patch is released, it's not really sure to fix an issue. The infamous Code Red and Nimda malicious code used exploits that had been known and patched for a month, if not longer. Code Red still managed to reach nearly four tenths of a million IIS servers during the height of its reign. That's not normal user machines, that's server-side Windows stuff, with owners who are supposed to know better. Unless you force them, people are slow to update.
OSX, fashion and nothing else.
Well, regardless, it's fair to say that OS X was hacked by a flaw that Apple had a responsibility for, whereas Vista was hacked by a flaw that Microsoft didn't have a responsibility for.
But also, to agree with another post, it is all user stupidity, and Apple or Microsoft shouldn't be responsible (beyond plugging flaws) for people doing stupid things. It's amazing, when people ask me to fix their computer, what they have managed to download and install. Some people don't even have anti-virus installed, or their memory or hard drive is failing, or they have bad graphics card drivers, and yet they turn around and blame Microsoft. And the manufacturers perpetuate this lie by not taking responsibility for bad drives and hardware and would rather their users think Sony/Dell/HP/IBM is perfect and it's all Microsoft's fault.
A schedule does not always indicate working code. Otherwise, we'd be working on Windows OS 7 or whatever the hell is going to come around.
That said, I expect they had the fix roughly finalized. The issue, however, is that as I've pointed out above, such exploits don't present a lot of harm immediately.
Tell me, if Mac OS X, Adobe, Microsoft Office for Mac (a major security risk, surprisingly), chat clients, Flash, your PDF reader, Steam, Firefox, Opera, and a couple other programs had updates to download and install every other day, how many people do you think would actually update them regularly? For some of these programs, that is the rate that known exploits and fixes come out, and I know people that complain enough already about the endless Firefox and Windows patches every month.
I can't believe I'm defending Mac and Adobe, here -- I personally hate both of them (I'd rather use a terminal window than OS X's interface, and I'd rather code html by hand than deal with friggen PDFs) -- but this isn't a bad act by them.
@lianna_g: I don't know if Adobe has done the right thing here, and they might well be in the wrong. I just think knee jerk reactions on either side are silly. There are legitimate reasons a patch doesn't come out right away as well as illegitimate ones. It makes little sense to argue about particular cases without knowing the details; it's much more useful to look at a company's overall track record.
This contest was practically designed to start flamewars. People are pretty much going to keep their opinions on their OS no matter what, so it's not really important.
I just have to say that pic is ridiculous.
You have to ignore the Ars Technica report to make your assertions. I guess if that works for you, it works for you. It didn't work for the Ars Technica crew. Here's what they said:
Given that the Mac was hacked first anyway and virtually no-one really gives a toss about Linux on a PC, does this really matter?
@ProSeven: OSX, fashion and nothing else.
Pro seven, dolt and nothing else.
One never needs a REASON to punch Mr. Smug Mac in the face!
@ProSeven: [lex-wrong.ytmnd.com]
Question: the Pwn2Own competition revolves round the winner uncovering a new security flaw and exploiting it - if Adobe knew about this hole, then does it still count as 'new' and are the two guys who cracked Vista still entitled to their laptop?
Shocker. I heard that it was a Java exploit that allowed the hackers to get in to Vista. Oh well, I'm switching to Mac soon, even though they got that first.
The flaw they used to hack Vista would also work for Linux and Mac OS X because it's a Flash flaw. The guy chose to hack Vista because he "was more familiar with it" and had worked with Microsoft operating systems in his career.
@esecasco:
This is a ridiculous argument, Adobe's Flash player isn't open source.
Furthermore, the theory held by armchair security researchers / sheeple compsci majors that "thousands of eyeballs make all bugs shallow" hasn't held up worth a darn in general. One of the most scrutinized codebases on the planet (BIND) has had an uncounted number of eyeballs peruse the code, yet vulnerabilities are still found.
But hey keep on the "open source r0x0rz" bandwagon because independent thought might be really hard.
@thechansen: Where can I get a copy of freeporn.exe? LOL
Mac sucks a$$!
The guys who hacked these systems really got pwned by being stupid enough to do security testing for huge corporations for essentially nothing. They sold themselves too cheap.
$10,000, a laptop and all the free publicity you can eat for your business is 'essentially nothing'?
Sheesh. Tough crowd.
If this contest is the best and only thing you have against Mac, then you're plainly lame.
And if Vista runs nice for your machine, great (My 4-core 3GHz Xeon machine with 4G of RAM and decent video cards doesn't get THAT job done, but hey, it's "secure").
But since we're just apparently throwing pseudo-memes out there (e.g., Mac is only secure because "no one" uses it), here's some for you:
(1) Only people who are too poor to afford Macs, too stupid to figure them out, or who have never seen them make fun of them.
(2) Only people who love taking it in the ass from big corporations like Microsoft, Adobe, or Apple blame the user
(3) Only people who've only had sex with Rosy Palmer use Linux, or think that most people are "stupider than I am" (How's that mentality working out for you?)
(4) George W Bush is a good president
All are equally as false as the kind of crap I'm reading here about Mac and Linux.
@storm: wow. someone should get you on def comedy jam or something. you pwn dude.
Fanboys and supporting different OSs aside, Adobe should immediately release security patches for any product of theirs on any platform (OSX, Windows, etc) whenever they finish the patch.
What is the point on holding out on releasing a security patch?
@storm: So much anger over so mundane a thing as another man's opinion. You won't be winning over any minds with your current approach.
I heard this story once about opinions and assholes both having foul odors. I'm not sure if it's true but it deserves more research.
Blog fodder.
@Step666: Well, in that case, the Safari flaw that they used would also have disqualified it, as it was a known flaw that required the user to cause the hack to happen (i.e. they authenticate the attack themselves).
The basic rundown is that the Pwn2Own contest was a fraud. They couldn't hack the machines on the first day, so they allowed for hacks that are more trojans than actual hacking on the second.
what?! you mean some large corporation decided not to give a shit about the little guy? Say it ain't so Jo!
@LJKelley:
I couldn't agree with you more.
I also repair computers for the general public, and I find it a never-ending battle to defend Microsoft when I know damn well that failed hardware isn't their fault. I have even had people blame MS for a bad backlight in their LCD monitor, when it was clearly labeled DELL on the front! (Not to bash Dell, it just happens to be a Dell this time.)
As for the hacking, why would you install anything but a fresh OS load with updates on to a system when you enter it into a hacking competition? That's unfair in my opinion.
I call a do over! Who's with me?
--Deamion.
@Deamion: You don't need a do-over. Every OS is flawed and can be hacked. It's just a matter of finding someone's crap code.