Adobe: crashing 100 million machines not an option

The vast majority of time Adobe spends patching zero-day vulnerabilities in its ubiquitous Reader and Flash Player applications is devoted to making sure the fixes won't cause catastrophic crashes on end-user machines, the company's security chief said. “The last thing we want to do is ship a release that blue screens hundreds …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    FAIL

    why not simply write better code in the first place

    Do I really need to say anything else?

    1. Dan 55 Silver badge

      Modular programming... we've heard of it.

      I think the main problem is that the first versions of both Reader and Flash were released 18 years ago in 1993. That's several years of patches and bloat right there. And management can't see the value of code re-organisation or optimisation, if it looks pretty on the screen then it works. Eventually you end up with an unmaintainable car crash.

  2. Anonymous Coward
    Trollface

    .. you have to ask yourself why..

    ... there would be a blue screen in the first place?

    And why the crash would be 'catastrophic' ?

    Ah yes, it's Adobe, silly me...

    1. Paul Crawford Silver badge

      @Matt 89

      Exactly, there is NO EXCUSE at all for a browser plug-in or document reader to run as anything other than a user-privileged program, so causing an OS crash should be all but impossible.

      Oh silly me, this is Adobe & IE...

      1. Malcolm 1

        The greater likelihood would seem to be that a change to flash exposes a driver weakness as a side effect. Can't blame Adobe for testing this scenario - if your computer was "running fine" and you installed a flash update which exposed a bug in your graphics driver which blue screened, who would you blame?

        I have directly experienced this type of thing, albeit with a WPF application rather than flash. WPF takes advantage of graphics hardware acceleration where available and running it on a machine with an old graphics driver caused an immediate bluescreen - it was nothing the application was doing wrong, just the graphics driver was outdated and broken. Guess who the client blamed?

    2. DrXym

      Probably because

      The graphics driver runs at ring 1. If the graphic driver blows up then you get a blue screen. So Adobe gets the blame but it's not necessarily their fault.

      In some cases it might be, e.g. sending corrupted data, other times it might be the driver not working the way it's supposed to. Or the firmware. Or the service pack level.

      I expect it means testing against a gazillion different hardware setups to make sure it doesn't go kaboom on any of them and trying to work around the issue or downstepping to software mode or blacklisting the driver.

      The same issue with broken drivers also has the potential to break browsers that use hardware acceleration for rendering, 3D, video etc.

    3. Ken Hagan Gold badge
      Unhappy

      Re: You have to ask why

      I did. I noted that user-level apps can't cause blue screens. I deduced that the man in charge of Adobe's quality control EITHER is unaware of this OR treats his customers with such contempt that he expects us to be unaware of this.

      Either way, I came away with an even lower opinion of Adobe's products.

  3. Tomato42
    Unhappy

    If vast time must be used to make sure that fixes don't cause crashes it only shows how much of the problems is actually *very* shoddy programming.

    They should have re-written it from scratch years ago.

    1. cloudgazer

      No point rewriting it now though, just let it die for christ's sake.

    2. Anonymous Coward
      Anonymous Coward

      Half way there already

      Poppler works pretty well. Seems to be a lot faster and crash less anyway. Would need to back end it with GDI and Quartz for Windows and Mac respectively of course but then job's a goodun. :-)

  4. Big Al
    Facepalm

    No, really?

    "He was referring to the blue screens many computers display after suffering serious software errors."

    Gosh, thanks for explaining that!

    1. Destroy All Monsters Silver badge
      Trollface

      Of course, it's the OS that displays the "blue screen", not the computer.

      (with GlaDOS being one of those; I'm still partial to the BLINKING RED Guru Meditation)

  5. Christian Berger

    What kind of testing do they actually do?

    I mean I had catastrophic Flash failures at least once per week. Often crashing the whole browser, if not the whole graphics subsystem.

    1. Anonymous Coward
      Anonymous Coward

      re: What kind of testing do they actually do?

      You're not using ATI's own video drivers are you? If you have an ATI card, third party drivers are often safer (unless you're stuck with them for running games on Windows).

  6. DutchP
    Linux

    Unfortunately it's still a bridge too far to dump flash yet, but I've said goodbye to reader years ago. Both Windows and Linux have excellent alternatives, that don't have all the bloat, plugins and attack surface.

    If ever there was a piece of unnecessary bloatware it has to be Adobe Reader.

    Penguin, because it never blue-screens me. Ever.

    1. Anonymous Coward
      Anonymous Coward

      Optional

      I agree... Flash is tricky to dump but the default document reader in Ubuntu works just fine.

      First thing I do on a Windows machine is remove the bloated crap that is Adobe Reader and install Sumatra, update Flash and Java, install Firefox with NoScript, AdBlock Plus, Better Privacy, Ghostery and WoT.

      1. Flocke Kroes Silver badge

        I have always disabled flash

        http://rg3.github.com/youtube-dl/

        http://www.mplayer.org/

    2. Malcolm 1

      What's your preferred PDF reader? All the third party ones I've tried have offered significantly worse performance when rendering complex documents than Adobe Reader.

    3. mark 63 Silver badge
      FAIL

      re bloated!

      Bloated! not kidding!

      Never has a simple document reader got so far above itself, 100's of useless "features" that a simple document reader has no business having.

      go back to .txt I say!

      whenever an email is sent round our building with a pdf attached, or a link to one, there will always be half a dozen Adobe reader installations that have out of the blue decided to stop working, or stop being integrated in the right way.

    4. Anonymous Coward
      Anonymous Coward

      "Agreed"

      If flash EVER crashed Linux I'd fall off my chair. It doesn't happen

    5. Gerhard den Hollander
      Go

      Blue screens on Linux

      You obviously never used xscreensaver.

      (a new version coincidentally was released last week).

      It can make your linux box BSOD, throw a sparc and a huge variety of other failures

      http://www.jwz.org/xscreensaver

      Go get it ...

  7. Anonymous Coward
    Anonymous Coward

    Great - so that's the threat of apocalyptic crashing solved. Now how about writing a version of Flash that doesn't routinely suck 80% of a processor to display a simple banner advert?

  8. NogginTheNog
    FAIL

    Crashing 100m machines not an option

    But fucking up their browsing experience with crud is a MUST, eh??

    Doesn't the amount of effort put in to chasing down vulnerabilities tell you a lot about how good the original product must be..?

    Thank God I no longer have to suffer from Acrobat Reader, thanks to Foxit!

  9. Mystic Megabyte

    data loss

    There was a fantastic bug in one version of Photoshop. Using the "Automate" utility, IIRC, if you set the destination folder above the source folder it would instantly delete all your images.

  10. Andrew Moore
    FAIL

    It's 'not an option'...

    ...because according to Adobe, crashing your machine is a requirement.

  11. Steve Evans

    Maybe...

    Maybe they could spend some of that time making their updates not require a machine restart every time?

  12. Steve Loughran
    FAIL

    Why is Flash so vulnerable?

    Adobe may be proud of the turnaround time on their 0-day exploits, but there's still a 72 h lag from every discovery to a fix -and there is at least one official patch a month, plus often an emergency patch.

    Why are acroread and flash so vulnerable? They are attacked more often than the entire MS office suite?

    Adobe need to get flash patches out because they fear that all OS vendors -not just Apple- will stop bundling flash, that all Browser vendors will disable it by default. I don't think the latter is a bad thing at all

    1. Charlie Clark Silver badge
      Thumb Down

      All software is vulnerable

      Flash's ubiquity across platforms makes it an attractive target for hacks. That it is primarily used on the internet makes it even more attractive - people don't click on a link to download something but open a page hoping to watch something. This is more attractive for hackers than say office because it is one less hurdle.

      But being a popular target does not necessarily mean that the software is more or less badly written than other stuff. As the browsers' own runtimes expand we can expect to see a return to targeting them, ie. poisoned h.264 or webm files, XSS, etc. Just wait for "online" office suites to become really popular for whole new problems to appear.

      Simply bashing individual programs and vendors for software displays considerable ignorance about software development. Best power off your machine and pick up a book.

  13. Robert Carnegie Silver badge

    Crashing not the worst thing, two versions never made sense, my suggestions

    Getting hacked is worse than not being able to use your Adobe program because of a crash or anything else.

    Having two separate Adobe Flashes to update separately is and always was stupid, and dangerous. Users run the update on one and they assume they're secure when they aren't. And when I install the Firefox/Opera/whichever edition, it finishes by running Internet Explorer to (fail to) confirm installation.

    Last time I failed to tell it not to side-load unwantedware on my PC -

    McAfee Security Can't-give-it-away-we-have-to-do-it-sneaky. The no-thanks option doesn't appear at first when downloading Flash, and is sometimes off-screen in the scrollable window. It does appear to have worked to uninstall it with the icon provided.

    Here's what I think Adobe should do. Say they are made aware of a security issue with, I dunno, dynamic floating pointers. They should immediately release an edition with dynamic floating pointers simply disabled. Some web sites will still work, some won't, everyone's safe. And meanwhile and soon, Adobe prepares and releases another new edition with the dynamic floating pointers all fixed safe. And NO SNEAKYWARE. Particularly NO IF I ALREADY SAID NO LAST TIME. And if I ALREADY HAVE SOME OF WHATEVER IT IS, jeez.

  14. Mark Dowling
    FAIL

    Oh for chrissakes

    "In the next several months, the company will introduce a new update mechanism for Flash that will upgrade the application for all browsers. Currently, Windows machines with more than one browser must be upgraded twice"

    So it's not going to be part of Flash 11 release? Misplaced priorities fellas. Totally agree with Robert Carnegie above.

  15. Asgard
    Stop

    "new update mechanism for Flash"

    @"a new update mechanism for Flash" ... "users had slow internet connections and wouldn't tolerate larger file sizes" ... "that's no longer a problem."

    It's still a problem, as I don't want my bandwidth used to download Adobe bloatware and it sounds very much like Flash updates are going to get even bigger and even more bloated, just to allow them to detect and update multiple browsers on our machines, as well as scanning our machines to find out what browsers we use.

    Oh what joy. Even more shit to download from Adobe, just so I can continue to NoScript block it most of the time. :(

  16. Onid
    Joke

    I've said before

    and I'll say it again...

    nah - hate repeating myself!

  17. gollux
    Mushroom

    Worried on knocking out 100 million machines?

    With a patch, heck the Adobe Knock Quotient I hear my workmate complain about daily due to Adobe software says that they already achieve that without patches.
