Adobe Flash: The most INSECURE program on a UK user's PC Adobe Flash Player was the most insecure program installed on UK computer users PCs throughout the second quarter of 2014, according to stats from vulnerability management firm Secunia. Nearly seven in 10 (69 per cent) UK PC users were found to have an end-of-life version of Adobe Flash Player 13 installed during Q2 2014. …
"Fixed that for you. Your being 3 major versions out of date says nothing about Adobe but it speaks volumes about you and your lack of security."
As the previous poster surmised, it says that Adobe dropped support for Linux at version 11. As always the problem is that Flash still exists in the first place.
Irongut, my money would be on Anonymous Coward being up-to-date on Linux with Flash Player 11.2.202.394. Your comment certainly announced a thing or two about yourself.
...that they've included an auto-updater now so Flash can patch itself twice or three times a week without bothering you too much.
Just like the Java Updater, more useless shite sitting in the system tray and consuming resources is just what we all need.
I know Apple users have to update Flash regularly too, but what do linux users do? Has Flash been abandoned on that OS or is it still soldiering on bravely?
It's been abandoned, however the update at least was native to Linux (for YUM* users at least, not sure about apt)
*YUM is the auto-updater for most RPM based Linux distros (what is the plural of Linux?), Adobe provided an add-on repository for it Flash so it at least fit in nicely with the system standard way of installing/updating applications.
what is the plural of Linux?
There isn't. Like 'fish' it is both singular and plural. Similarly, Linuxes, like fishes, can also be correct and I suspect that Linuxen would also pass in most circles. I'm against the latinized plural form, Linuces, simply because too many non-Latin words are hashed by people wishing to appear to be "learned folk".
Anyway getting back to the article, isn't this news along the lines of the Pope is a Catholic who would shit bare - or something like that?
Shumway, Mozilla's flash clone, also generally falls over if you throw something that Mozilla didn't make themselves as well. The thing is that its pre-alpha or just went into alpha, the only way to get it is by sideloading it from Mozilla's Github. I don't think the Nightlies or Aurora even ship with it yet though its a fairly important project going on over there.
But Gnash is like a damned Greek tragedy to me. It should work fairly well at this point but it still doesn't which is kind a shame, Id rather use code that I could audit if I so choose as opposed to whatever Adobe's shipping.
I'd still figure Java was a bigger problem than Flash though.
Seems to have tens of thousands of features I'm sure no one ever uses. Why do I need all that animation crap in there if I only care about video? And all the other weird shit it can do, but if it ever did, I would close the browser faster than you would drop a ball of molten lead.
Adobe PDF reader also has the same issue, including features that let you compromise a system by simply opening a PDF file with PDF reader.
It would be really nice if Adobe would include a "secure mode" whereby their plugins could be locked down to just being a video player, or just a PDF picture viewer instead of the security nightmares that they are at the moment.
when you upgrade a point release of 13 it happens in the background without you doing anything, when 14 came out you are presented with an update wizard that takes you to the adobe website to download version 14. This all happens when you are logging in to your computer, how many people have time to download an install an update when they have just logged on to their computer. It's the second most stupid auto updater after the idiotic java which asks for elevated privileges before it asks if you'd like to install the update and only then does it go and download the actual update to install it along with the ask Jeeves toolbar.
my god that toolbar. You'd think Adobe was a big enough company what with ruling the worlds graphic design industry that they could lay off trying to sneakily inject bullshit toolbars and stuff along with their very regulular patches and updates. Isnt it them them that will put that mcaffee thing on at any opportunity unless you watch them like a hawk?
Or not, as the case may be.
But I digress. The revelation that there are insecure unpatched installations out there is a bit like making proclamations about the toilet habits of bears that frequent forested areas. Flash is very common on home devices, but probably less commonly used than it used to be. If its update function fails, most won't know/care. A bit like the free couple of months of Symantec abandoned on home PCs by users reluctant to pay for AV.
It's no worse than Java, where old versions are often retained simply because backward compatibility is often a problem.
The marketing department insists the perfectly working software needs more glam, more pizazz, more flash.
Eventually as a user I am forced into removing their blinged up garbage and have a need to find another provider, one that hasn't been around long enough to have a need for a marketing guru.
Why anyone, other than a teenage chav wannabe would find a need for ninty percent of what Adobe shoehorns into its products is beyond reason.
Oh and while I've got Adobe in my sights, your flash player, with all that extra gooeyness would be much improved if the moronic caption telling me the escape key will cancel full screen mode has a subtext telling me the caption which is currently ruining your viewing pleasure can be stopped forever by typing Yes, yes, I know already, otherwise please wait several lifetimes for the crappy message to go and then restart the video from the beginning.
"Nearly seven in 10 (69 per cent) UK PC users were found to have an end-of-life version of Adobe Flash Player 13 installed during Q2 2014. Users had not updated to version 14."
Hah - I work for a global organisation with thousands of PC's and being on FP13 would be a good step up - a lot of our work PC's are all still on Flash Player 10... our internal desktop support team don't like patching applications and like to bundle them in with the SOE image - once deployed they may not get updated for 4 or 5 years! Our internal security team doesn't mandate minimum application patching levels for internal PC's. Comparing the average PC corporate PC with MS Update online, we are a good 60+ patches down.
Posting Anonymously to "protect" my current employer.
I am still constantly disappointed/dismayed by the apathy within the IT support teams to do what should be a general housekeeping task. The other annoying thing is that the business doesn't understand the risk its in and therefore cannot help IT provide the adequate resourcing to address these concerns (if resourcing is an issue).
This is the third global organisation I have worked for, and only 1/3 had a holistic approach to security, and even that one had some gaping holes (but at least it was going through a process of addressing them all). There is a lot of talk about securing countries and organisations from Electronic Warfare and hackers, if we can't do simple patch management, what hope do we have?
Why do so many websites including large parts of YouTube's content require this POS? YouTube still requires Flash even if you have a HTML5 capable browser... Does anyone know why?
I'm travelling right now, but wanted to see some World Cup matches. But many of the websites hosting games force you to use Flash, and with all the popup ads to dodgy Ad brokers, I've had a few hairy moments wondering if my machine is going to be pwned...
"YouTube still requires Flash even if you have a HTML5 capable browser... Does anyone know why?"
You answer your own question with this:
" But many of the websites hosting games force you to use Flash, and with all the popup ads to dodgy Ad brokers,"
Implementing inline ads (and, additionally, encryption on streams for DRM) is tricky with HTML5 video, and the DRM part is poltically sensitive as they 'need' proprietary stuff in there which (rightly) sticks in the craw of the open source peeps - Mozilla, IIRC, eventually capitualated, but large chunks of the Linux world can't include that sort of thing by default.
In short it's all down to those slimy cunts in marketing and advertising - as it usually is. Come the revolution, and all that.
I installed FlashBlock in Firefox to see if I could manage without Flash (having realised a while back that there was no good reason to have Java any longer) and the only time I noticed anything being blocked was when trying to view video on YouTube and the BBC news site (I block ads so I'm not exposed to that nonsense). Is there any way to view video on YouTube and BBC news without Flash? I'd dearly love to un-install it...
YouTube has video in a large range of formats, it's the luck of the draw whether any particular vid you want to see is served as Flash.
This video claims to show you how to view almost all of YouTube without Flash at all. I can't vouch for the content, because ironically I can't view it on my current 'puter...
Is there any way to view video on YouTube and BBC news without Flash?
There are many, at least for youtube. I am not sure about BBC. VLC can play many url videos including youtube. Totem on GNU/Linux can do it too. There is also a python program youtube-dl . As the name suggests it can download video from youtube, it can also downlaod videos from other websites. You can try youtube-dl BBC too, try vlc for it too. I myself cannot, I am in the US. wireshark might be another possibility.
For non youtube movies, you might simply examine a page source, when it's hidden, I use tcpdump to determine the url
To legitimately access BBC iplayer without flash, google 'get_iplayer'
To legitimately access it when it appears you are not in the UK when really you are, (e.g. the multinational you work for peers outside the UK) a cheap UK proxy/vpn (or even set one up on your home machine) would work fine, because the actual raw rtmp streams are not regionally restricted, so can be accessed directly (courtesy of your local akamai or limelight CDN) once you know the stream rtmp url. (But why such content can be accessed in California [just tried it and it worked - rtmp server 1ms ping from my server there] is anybodys guess, though I assume it's cache on request at least)
"To legitimately access BBC iplayer without flash, google 'get_iplayer'"
Whilst I agree with you about get_iplayer the poster was asking about BBC news videos, presumably from their web-pages.Those are flash.
I sometimes use my fileserver as a proxy when I'm traveling - it usually worked very well.
" Whilst I agree with you about get_iplayer the poster was asking about BBC news videos, presumably from their web-pages.Those are flash."
Ah yes, sorry, I misread the post.
But when he said 'view video on YouTube and BBC news', just in case he meant :
(view video on YouTube), and BBC news
rather than:
view (video on YouTube and BBC news)
(ahhhh, the ambiguous wonders or the English language!) get_iplayer can be used to view or record the live channels too.
I had to uninstall Flash from my PC yesterday as it was crashing with Firefox every minute (massive list of FF crash logs) and locking up my entire PC 3 times a week. Been through the reinstall cycle previously btw. The discussion forums on a solution go round in circles, one thing is sure: It's FF and Flash together, plus maybe some interaction with 64 bit OS and video drivers that lock up a machine. One of the warning signs of trouble is a jumping cursor.
What will happen , as before is that eventually I'll hit a site - be it internal corporate (e.g. interactive training) or an external essential service - that demands Flash. So will have to switch to IE for those reluctant moments.
Flash, begone forever out of my life (I wish).
I never updated it ever since I got Chrome.
It seems Chrome does it for me. And for the Flash running for other browsers, it tries to update whenever I reboot the machine, which only happens when Microsoft tells me to, after every Patch Tuesday. But oh, do I feel tempted to just skip the damned warning.
Why don't they auto-update silently like Chrome ON FREAKING DEMAND, instead of running a bloody TSR?
So, yes the bloody thing is updated, but it didn't update itself silently like everything else. Java is another bothersome POS, but at least it will only ask for update when you are actively trying to use its features.
it is incorrect to say that adobe flash player 13 is "EOL".. flash player 13 is an ESR version:
http://blogs.adobe.com/flashplayer/2014/03/upcoming-changes-to-flash-players-extended-support-release.html
so, just because someone is using FP 13, that doesn't mean it is outdated and unpatched.. FP 13 is a ESR version which will continue to be patched, for years to come..
many people choose to use ESR versions in order to try to avoid having problems.. i myself used the ESR versions of "flash player" for several years (ever since FP 11.x was first released).. it was only last month that i decided to go ahead and install FP build 14.0.0.125, instead of using the ESR version (since there isn't that much difference between FP 13 and FP 14).. and, yes, i have FP build 14.0.0.145, now..
i don't like that the article says that FP is the most insecure program on people's computers.. that statement is misleading, suggesting that using FP is the greatest security-risk to computer-users.. i don't think that you can blame FP for malware-infections, any more than you can blame the browser, or the OS.. the end-user is the problem.. people need to be conscious of the malware-threat and take measures to avoid having their computers infected with malware.. don't blame flash player (or the browser, or the OS)..
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
