Day two of the Pwn2Own competition at CanSecWest was again successful for French Vupen security, as they succeeded in exploiting Adobe Flash on Internet Explorer 9 on Windows 7 by chaining together three zero-days (an overflow, a ASLR bypass technique and a IE9 sandbox memory corruption) and earning themselves another $70,000.

George Hotz exploited Adobe Reader XI (also on IE 9 on Win7), and Ben Murphy - the last contestant to target Java - has also managed to earn a prize even though he wasn't there, because James Forshaw, a winner from the previous day, agreed to serve as proxy and demonstrate the attack.

All in all, ZDI has awarded over half a million dollars in cash prizes and, of course, the compromised laptops and ZDI reward points.

The Google financed Pwnium hacking contest - also held at CanSecWest - this year requires contestants to "break" Chrome OS but has so far not witnessed a successful exploitation.

In the meantime, Mozilla has already fixed the use-after-free zero-day flaw exploited yesterday by Vupen Security, and Google has issued a Chrome update that fixes the flaws discovered by the MWR Labs team.

Adobe on Wednesday patched six vulnerabilities in Flash Player, including one it admitted is already being exploited by attackers.

That vulnerability, identified as CVE-2011-2444, shares some traits with an earlier Flash flaw that was used to target Gmail accounts in June.

Adobe labeled CVE-2011-2444 as a cross-site scripting (XSS) vulnerability, a class of bugs often used by identity thieves to steal usernames and passwords from vulnerable browsers. In this case, browsers were not directly targeted; rather, attackers exploited the ubiquitous Flash Player browser plug-in.

Like the June Flash bug, CVE-2011-2444 was reported to Adobe by Google's security team.

Adobe also used almost identical phrasing to describe both CVE-2011-2444 and the June vulnerability in its security advisories.

"There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message," said Adobe in Wednesday's advisory as well as the one it published in June. "This universal cross-site scripting issue could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website."

Adobe declined to comment on how the CVE-2011-2444 vulnerability was being exploited and instead referred questions to Google. The latter did not immediately reply to an emailed query.

Four of the five other Flash bugs that Adobe patched today could be exploited by attackers to run their malicious code on victimized computers, Adobe said in its advisory.

Wednesday's Flash update was the first since Adobe patched 13 bugs on Aug. 9. Adobe has fixed Flash eight times so far this year, including several emergency, or "out-of-band," updates rushed to users because attacks were under way.

The patched versions of Flash Player for Windows, Mac, Linux and Solaris can be downloaded from Adobe's Web site. Alternately, users can run Flash's update tool or wait for the software to prompt them that a new version is available.

Android users must browse to the Android Market to update Flash.

Google silently updated its Chrome browser on Tuesday to include the patched version of Flash Player. Google has been including Flash with Chrome since April 2010, and remains the only browser maker to bundle the plug-in with its own releases.

Adobe has announced the next version of its Flash Player, repositioning its media platform for a mobile world where it is being increasingly shunned.

The company today unveiled the Flash Player 11 and the Flash-based runtime AIR 3, with a heavy emphasis on 3D gaming both in the features and in a roll-call of customers endorsing the duo.

Flash Player 11 and AIR 3 are scheduled for release in early October. Adobe didn't give the date, but you should expect release at Adobe's annual Max conference, between 1 and 5 October.

Both support full hardware acceleration for 2D and 3D graphics, which Adobe claims provides rendering performance 1,000 times faster than Flash Player 10 and AIR 2.

There's also something called Stage3D from Adobe's Labs, built to provide more detailed graphics. Stage3D renders "hundreds of thousands" of z-buffered triangles at 60Hz compared to thousands of non z-buffered triangles at 30Hz in earlier versions of Flash.

H.264 hardware decoding is now available for AIR applications on Apple's iOS, while Flash now works with 64-bit on Windows, Mac and Linux and in the browser.

Installation has been simplified: developers can now automatically package AIR runtimes for Android, Windows, and Apple's OS and iOS so the user doesn't have to download.

The news comes gift-wrapped in endorsements from Zynga, EA Interactive, Ubisoft and Pro 3 Games, among others.

Adobe calls Flash Player 11 and AIR 3 "the game console for the Web"; the emphasis on fine-grained rendering, hardware acceleration and H.264 is deliberate.

Gaming looks like it has become one of the niches that Adobe has bet on for the future survival of its software in a world where – at least when it comes to mobile computing – the days of defaulting to Flash for graphics or media content are coming to an end.

Windows 8 has become the latest tablet operating system to block Flash, through Microsoft's Metro UI. A version of Flash for Windows Phone, meanwhile, is still missing. The problem is Microsoft's browser, Internet Explorer, the PC version of which is now being built for the phone and tablet.

You can blame Apple's Steve Jobs, who started things by blocking Flash from the iPhone and then the iPad and then began championing HTML5, Cascading Style Sheets (CSS) and Javascript as the future of online programming. Sounding a lot like Jobs, Microsoft's IE chief Dean Hachamovitch blogged on the Metro UI news:

Running Metro style IE plug-in free improves battery life as well as security, reliability, and privacy for consumers. Plug-ins were important early on in the web's history.

But the web has come a long way since then with HTML5. Providing compatibility with legacy plug-in technologies would detract from, rather than improve, the consumer experience of browsing in the Metro style UI.

It's not all over for Flash on tablets or smartphones, with Flash running on Android and Blackberry machines. Flash can also run on iOS via AIR, it just can't run natively.

Announcing Flash Player 11 and AIR 3, Adobe let rip its standard ubiquity statistic of more than 98 per cent of internet-connected PCs supporting Flash, with some added numbers on the mobile front. Adobe expects that more than 200 million smartphones and tablets including iOS devices will support Flash-based applications via Adobe AIR. By the end of 2015, the number of devices that will support AIR is expected to increase to one billion.

As for the Microsoft question, Adobe reckons it will bring Flash to the Metro UI in the same way it landed on iOS, via the AIR runtime.

Jobs, it has to be said, cynically hyped HTML5 – a spec that is not even finished – and obfuscated what it really is. Jobs's anti-Flash thrust focused greatly on media and presentation; on the HTML5 video codec; the rendering afforded by CSS that is not a part of the core spec; and on using both HTML5 and CSS with Javascript – which comes from completely outside of the HTML family.

But history is written by the victors, and during the time Jobs blocked Flash he convinced Microsoft to dump its own proprietary plug that it built to challenge Flash, a plug-in called Silverlight, for HTML5. Also during this time, HTML5 has been continuing to evolve as a standard – even though it is still not finished – and it has become something even more people in the industry can claim to be aware of.

And while Adobe is talking tough on Windows 8, Flash will have to co-exist on Metro AIR along with Javascript and HTML, a fact that will compound the overall problem for Flash rather than make it go away or reverse its fortunes.

Flash might not be dead yet

Adobe does seem to have accepted that Flash is going to lose ground to HTML5. In a recent blog post, tools group product manager Andrew Shorten essentially called talk of Flash's death greatly exaggerated, but he also reckoned it was incumbent upon Adobe to focus on where Flex – the software development kit for building Flash-based apps – "provides unique value in the marketplace".

"There are countless examples where, in the past, Flex was (rightly) selected as the only way to deliver a great user experience. Today, many of those could be built using HTML5-related technologies and delivered via the browser," Shorten wrote here.

Where does this leave Adobe? It is not giving up. Shorten continued: "That doesn't mean, however, that HTML5 is the right choice for all use cases – the performance, framework maturity and robust tooling provided by Adobe are cited as critical factors by enterprise customers as to why they continue to select Flex."

Instead, we're seeing Adobe position Flash as something for gaming because of the fine level of detail you can get in graphics or because of the rendering speeds. Also, Adobe is punting something that is missing from HTML5: the ability for games' authors to do things like control where their games are published – meaning, ultimately, they will get paid. In other words: digital rights management (DRM).

In the meantime, Adobe is going to embrace HTML5 through its tools. Shorten said: "We will provide tooling to help designers and developers create those experiences – Edge and Muse are two such examples."

Flash 11 and AIR 3 couldn't have arrived at a period of greater uncertainty for Adobe. Thanks to Jobs, it is easy to forget that HTML5 isn't actually a product, it is a spec – and there are plenty of tooling and features missing that you would rely on tech vendors to deliver.

Also, HTML5 isn't just the video or associated graphics capabilities hyped by Jobs; the core spec remains bread-and-butter page markup while there are interesting new possibilities in areas such as offline data access.


For the future that Adobe might wish for Flash, we should perhaps look to Microsoft and Silverlight – once hailed as a plug-in usurper to Flash. Now Microsoft can't admit to having de-prioritised Silverlight and instead talks of its player being suited for use on a case-by-case basis.