Adobe has fixed a potentially serious cross-platform security bug in its Flash Player software with an out-of-sequence security update. A series of patches for different platforms, published on Sunday, tackles a cross-site scripting vulnerability in Flash. Adobe Flash Player version 10.3.181.16 – and earlier across a range of …
how many fecking "updates" do I need in a month. I've lost count of the number of times I have logged into a PC to be greeted with that fecking message about an update being ready.
Even the not-at-all-PC-aware Mrs has noticed that "This Flash thing always needs updating".
Fecking fecking flash
And just to make it even better, you seem to need administrator rights to update it (at least on IE); Yeah!!!
Also fecking, why isn't it fecking dead yet? It's lasting longer than fecking SCO group :(
I see no issue
Regular updates mean a secure system. The more the better.
Just let your package manager handle the updates for your OS and installed apps, authenticate once, all done. You don't even need to reboot unless the kernel changes.
Use Chrome, and uninstall all the standalone flash players. The Chrome automatic updater is discrete, and you need never worry about flash patching again.
"Regular updates mean a secure system. The more the better."
Let me just correct that for you.
"Regular updates mean an insecure system. The more updates, the more insecure it is".
Most people are still using Windows, remember. That means ten or so resource hogging bespoke-written app updaters all starting up and lurking in the system tray, popping up heavily skinned windows at random intervals demanding an update, then proceeding to install Yahoo! toolbar because you missed a checkbox somewhere along the multi-screen update-confirmation-and-license-agreement process. After a couple of reboots (Stage 1/3... stage 2/3... stage 3/3). Or just failing because they they can't write to Program Files like they expect.
No system is 100% secure. None. So a system will always starts out with, say W problems. Over time X more are found for any given time period t. So the total number of faults is W + Xt. This number grows with t.
Fixes, Y, for those problems are released. So the total number of faults is now W + t(X - Y).
Ah, but wait, those fixes may introduce some other issues, Z, so the total number of faults is W + t(X -Y +Z) where Z is some fraction of Y...say f, so Y is fY
W + t(X -Y + fY) which si W + t(X -Y(1-f))
So long as Y(1-f) > Z then a patched system actually gets more secure as time goes on rather than an un-patched one, because more are holes are getting plugged than are being discovered/created.
Just because Windows makes keeping a system up to date a raging pile of ball-ache does not make a highly patched system a bad thing. So long as those patches fix more problems than they cause.
Load of round dangles
Cannot fault maths. Assumptions and logic on which maths is based is utter tosh.
To test the logic, test an extreme example. Plug in numbers for code that contains some vulns, and plug in the numbers for code containing nil vulns. According to your logic, because the perfect code is never patched (which of course it would never need to be), it is the more vulnerable system.
PS Logic break here
In case you did not spot it.
"a patched system actually gets more secure as time goes on rather than an un-patched one"
It itself a true statement, but based on the assumption that you are comparing code with the same (approx) number of vulns at the outset.
I just got done writing up the package for OpenIndiana, not I have to redo it -_-.
I built a new PC yesterday, installed Flash and it's already out of date? I appreciate a rapid response to vulnerabilities but can't they just write a decent version? Again, I know things move on and new attacks are coming all the time but seriously, Flash is the swiss cheese of software. They need to get their act together. Of course, as long as people 'rely' on it and it's seen as being vital, they've got little incentive to improve things. Now, if enough people started saying they weren't going to install Flash because of it's shortcomings they might do something.
Sources of exploits
I always thought Flash was the biggest source of exploits too until I saw Microsoft's Security Intelligence Report  (Figure 6), which indicates that Java exploits are much more common (by at least an order of magnitude).
 - http://www.microsoft.com/security/sir/
@Sources of exploits
Interesting report, but part of me is a trifle suspicious of MS reporting on their own problems. I would be more interested in reading 3rd party assessments.
I guess the other aspect is there are probably far more PCs with Flash installed than Java, so more targets? Also a favourite has been that other piece of crap, the Adobe Reader & its PDF browser plug-in.
Back to today's rand - why can't Adobe sort of their software? It must be only a fraction of the code base size of Windows, and yet they make MS look like the golden boy of security by comparison.
Maybe this is why the wife's PC has just gotten two fresh copies of Malware Defender in two days? The last one after she opened a page on the Daily Mail ... and I'd only just finished cleaning the Damn thing last night.
And this on a fully patched version of XP while running the current release of Firefox and SpyBot Defender - all updated last night.
Hey, if it weans her off The Mail...
...then that's a good thing, right?
upgrading wifes web site habits
She's now reading FARK - I view this as an improvement.
I long for the day when I can uninstall every fucking Adobe program for good.
come on html5, get yourself in here!!
And how many times did you update your browser in the last month or two?
Painting the Forth Bridge
I've just finished updating the 4500 machines I manage, just to find another update.......
- Just TWO climate committee MPs contradict IPCC: The two with SCIENCE degrees
- 14 antivirus apps found to have security problems
- Feature Scotland's BIG question: Will independence cost me my broadband?
- Apple winks at parents: C'mon, get your kid a tweaked Macbook Pro
- FTC to mobile carriers: If you could stop text scammers being jerks that'd be just great