NINETY PER CENT of Java black hats migrate to footling Flash

Almost every Java-hacking black hat is now popping Adobe Flash, after Microsoft's hard-line patch policy made it harder to target software such as Java. The stricken scum now face a choice: work harder to find Java zero-days or abandon ship and start exploiting old Flash bugs. Redmond's security brains trust – Tim Rains, Matt …

  1. Robert Helpmann??
    Childcatcher

    Encore!

    Now take this approach and apply it to every other plug-in... If it can be done without bloat (I am not placing any bets) and while avoiding possible spoofing, then it will qualify as a Good Thing™ rather than just the qualified success it is now.

  2. bazza Silver badge

    Well that took a long time...

    So the war against bad plug-ins might actually be being won? Well, that's taken only 20 years to make plug-in version checking commonplace and effective...

    It shows the power of having software version checking and automatic update mechanisms. It's the only effective way to keep connected software and operating systems secure for at least some of the time.

    With desktops and laptops of all types we are now in a position where the OSes, the browsers and the plug-ins are either updated or blocked automatically (just flash on Windows 7 left?). That's good.

    IOT

    It should be a lesson for everyone else doing software-driven Internet-connected devices. I mean the IoT crowd. They just don't seem to realise what they're getting themselves into. Without a similar constant stream of updates and vigilance their products will become infested with malware, and their reputation will be wrecked. It's not far off that already.

    Worse still, a lot of things that are becoming Internet-connected will require very long-term support, e.g. fridges; people will not be expecting to have to buy a new fridge after just a couple of years simply because the software in their old one is no longer supported. That's not how we buy fridges. Same with thermostats, aircon, etc. Cars might turn out to be slightly better, though given BMW's poor start perhaps they too won't ever be good enough.

    Keeping software up to date for that length of time is very expensive, and a lot of the manufacturers just aren't set up to maintain old software.

    1. Anonymous Coward

      Re: Well that took a long time...

      "It should be a lesson for everyone else doing software-driven Internet-connected devices. I mean the IoT crowd."

      I think the sort of people who get excited about the IoT are either fairly young or just salesmen pretending to be enthusiastic so that they can flog their company's tat. I don't think many adults over the age of about 30 probably get all that turned on by the idea of internet-connected fridges or curtains or ovens that can do ... well, who knows really what the point is... so I think a lot of these companies might find their market is somewhat smaller than they envisaged and IMO it'll all go the way of 3D TVs.

    2. FlatSpot

      Re: Well that took a long time...

      I'm not sure that the architecture, and specifically the cost of running that architecture, was really available until fairly recently. IT has matured and the total cost has come down, making it feasible to have millions of PCs hitting your update service 24/7; the cost of running that 15-20 years ago (for "free") would have sunk most companies.

      1. theModge

        Re: Well that took a long time...

        This leaves the interesting question of what happens when IoT companies go bust as well: do you have to bin your fridge if you got it from a company that goes bust? What about smaller companies? When the only software engineer leaves, the new guy takes over, can't do anything with the abysmal documentation left to him (don't pretend that's never happened, even if it shouldn't) and starts the new products from scratch, are they really going to keep patching old products they don't understand?

        For that matter, I've been involved in projects whereby I've built something, then left, and it's just been left running, again in the smaller business sector. Do I get kept on retainer for the rest of my life? What happens if I left on bad terms? Don't have time? Changed industry completely?

        Things that need patches for the rest of their working lives open the industry up to an entirely new range of interesting and exciting problems....

    3. Mark 85

      Re: Well that took a long time...

      Speaking of IoT...

      Two things are obviously needed and therein will be a whole new set of problems...

      1) The company must be willing to sacrifice some profit for updates and maintenance of the software. We as IT know this, but most of the companies doing this don't care except for the bottom line.

      2) User education. This is the toughest, as education on the simplest things is rapidly disappearing in the US, maybe elsewhere. The users/customers should ask questions... like "How often for software updates and fixes?", "What do I need to do to keep these things updated and secure?". But given that most people will buy the shiny and not give a thought to upkeep.... meh....

    4. jbuk1

      Re: Well that took a long time...

      20 years hey?

      I'm fairly sure Netscape Navigator had no plug-in support in 1995.

      1. Michael Wojcik Silver badge

        Re: Well that took a long time...

        I'm fairly sure Netscape Navigator had no plug-in support in 1995.

        How sure? The first NPAPI-capable Netscape came out in 1995. IE added NPAPI support in '96.

        Sun's HotJava browser was first demonstrated in '95, though it wasn't generally available until '97.
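The plug-in version checking bazza describes above, with the "ask before running" behaviour Boris the Cockroach quotes further down, as an added example that is not part of the thread and not any browser's or vendor's code. It applies a small gating policy to `navigator.plugins`-style entries: block anything older than a minimum version, click-to-play ("ask") for the rest. The policy thresholds, the rule table and the sample plug-in entries are all constructed placeholders, not real security baselines; the entry point `auditNavigatorPlugins` is a hypothetical name.

```javascript
// Added example: plug-in version gating of the kind the thread discusses.
// Not code from The Register or from any browser vendor. Thresholds and
// sample entries are constructed placeholders, not real security baselines.

// Pull a dotted/underscored version such as "17.0", "10.45.2" or "1.8.0_45"
// out of a plug-in description string. Returns null when none is present.
function parseVersion(description) {
  const m = /(\d+(?:[._]\d+)*)/.exec(description || "");
  if (!m) return null;
  return m[1].split(/[._]/).map(Number);
}

// Lexicographic comparison of version arrays, padding the shorter one with
// zeros so that [17, 0] and [17, 0, 0] compare equal. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Policy rows (constructed): which plug-ins we recognise, the oldest version
// still tolerated, and what to do with an up-to-date copy: "allow", or
// "ask" for click-to-play. Even a current Flash gets "ask" here.
const POLICY = [
  { match: /Shockwave Flash/i, min: [17, 0, 0], whenCurrent: "ask" },
  { match: /Java/i, min: [11, 45, 0], whenCurrent: "ask" },
];

// Decide per plug-in: "block" (outdated), "ask" (click-to-play) or "allow".
// A plug-in the policy does not cover defaults to "ask", as does one whose
// strings carry no parseable version, so the unknown is never silently run.
function decidePlugins(plugins, policy = POLICY) {
  return plugins.map((p) => {
    const text = `${p.name} ${p.description}`;
    const rule = policy.find((r) => r.match.test(text));
    const version = parseVersion(p.description) || parseVersion(p.name);
    if (!rule) return { name: p.name, version, decision: "ask", reason: "not in policy" };
    if (!version) return { name: p.name, version, decision: "ask", reason: "no version reported" };
    if (compareVersions(version, rule.min) < 0) {
      return { name: p.name, version, decision: "block", reason: `older than ${rule.min.join(".")}` };
    }
    return { name: p.name, version, decision: rule.whenCurrent, reason: "meets minimum" };
  });
}

// Constructed sample shaped like navigator.plugins entries of the period.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 16.0 r0" },
  { name: "Java(TM) Platform SE 8 U45", description: "Next Generation Java Plug-in 11.45.2 for Mozilla browsers" },
  { name: "Java Deployment Toolkit 7.0.450.18", description: "Next Generation Java Plug-in 10.45.2 for Mozilla browsers" },
  { name: "Chrome PDF Viewer", description: "Portable Document Format" },
];

// Browser entry point (hypothetical name). Only the plug-in's self-reported
// strings are available to page script, so treat the result as advisory:
// a plug-in can lie about its version, which is why the real blocking has
// to live in the browser's own blocklist and update mechanism, not in a page.
function auditNavigatorPlugins() {
  if (typeof navigator === "undefined" || !navigator.plugins) return [];
  return decidePlugins(Array.from(navigator.plugins));
}

console.table(decidePlugins(SAMPLE_PLUGINS));
```

Running it on the constructed sample blocks the old Flash and the old Java deployment toolkit, leaves the current Java on click-to-play, and also asks for the PDF viewer because it is not in the policy at all. The point Robert Helpmann raises about spoofing applies directly: nothing here verifies the version string, so this is a convenience layer on top of a browser-side blocklist, not a substitute for one.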

  3. Duncan Macdonald

    Basic Flash player

    Much of the problem with Flash is due to its complexity and scripting capabilities. If a basic Flash player was produced that could only play videos (no scripting or ability to perform other functions) this would meet the needs of most users and be far more secure.

    (The same is true with PDF viewers but thankfully there are good non-scriptable alternatives to the Adobe Acrobat Reader - Sumatra (Windows) , Evince (Linux) and a partially scriptable alternative Foxit (Windows).)

    1. ZSn

      Re: Basic Flash player

      You can go into Adobe PDF Reader and turn off all the options, including Flash and opening external video viewers. AFAIK this drastically reduces the attack surface. However, this assumes that this button has been implemented properly, something I wouldn't trust Adobe to do properly...

    2. Anonymous Coward
    3. Eddy Ito

      Re: Basic Flash player

      Isn't that what video in HTML 5 is supposed to be for?

    4. Michael Wojcik Silver badge

      Re: Basic Flash player

      Much of the problem with Flash is due to its complexity and scripting capabilities. If a basic Flash player was produced that could only play videos (no scripting or ability to perform other functions) this would meet the needs of most users and be far more secure.

      How do you know it "would meet the needs of most users"? What's your study methodology and sample size?

      It wouldn't meet the needs of users who want to read Flash-based electronic literature. It wouldn't meet the needs of millions of Homestuck readers.

      Or did you mean "most readers who are like me"?

  4. Anonymous Coward

    Broadcasting

    Now if only the likes of the BBC and C4 would follow the youtube lead and drop flash.

    1. phil dude
      WTF?

      Re: Broadcasting

      DRM B*llocks.

      P.

  5. Shannon Jacobs

    Is anyone surprised? And does anyone want to help out?

    Nothing new here, but I guess I'm glad they reminded us. There is no way to convert these scumbags into decent human beings, but if you heat up their rocks enough, they will move to other rocks, hopefully much less visible and dangerous rocks...

    I wish there were more tools that would allow the potential victims to help fight against these scumbags. You don't have to help out, but I think there are lots of people who would if they could.

  6. Anonymous Coward

    How can you quantify that headline?

    “2014 saw a shift from a balanced targeting of Java and Flash to over 90 percent focus on Flash,"

    There may have been a change in the number of exploits which shifted focus, but how on earth can you say that 'Java' black hats shifted their focus by that figure? By their very nature, you never can tell - there isn't exactly a professional body they belong to.

    90% of me is pretty sure of that.

    1. Anonymous Coward

      Re: How can you quantify that headline?

      yeah, I quoted the wrong bit. Commentard fail!

      "NINETY PER CENT of Java blackhats migrate to footling Flash"

  7. toughluck

    120%?

    Why does the chart y-axis scale go all the way up to 120%? Any value on that chart can only be between 0 and 100%.

    On the other hand, maybe I should be thankful that they nailed the bottom down, I've seen percentage charts go from -20% to 120%...

    1. Paul Crawford Silver badge

      Re: 120%?

      They are allowing for the Spinal Tap Hacking Crew.

  8. MacroRodent

    Firefox too

    Another significant factor is that Firefox has started to prevent Java plugins from being run, unless you ask for it. But a Microsoft guy of course would disregard that.

  9. adam payne

    After they decided to start blocking old versions of Java it was bound to happen.

    Make it harder for someone and they will move on to a softer target.

  10. Boris the Cockroach Silver badge
    Coat

    I like the bit at the top of the page

    Allow forums.theregister.co.uk to run "Adobe Flash"? Continue blocking/Allow

  11. Bob Dole (tm)

    Step two of this war should be to block flash and reader from even starting. Those two apps are so riddled that the only sane thing to do is take them to the clearing at the end of the garden path.

  12. Mark 85

    Today's Adobe news: http://jobs.aol.com/articles/2015/04/24/adobe-gives-employees-giftcards-kickstart-initiative/?SiteID=cbaolcompromotion_apr_84&icid=maing-grid7%7Cmain5%7Cdl15%7Csec1_lnk2%26pLid%3D710390111

    Now if they would just put some of that cash into fixing (hahahahahaha) Flash.

    Sorry for the long link... I'm tired and lazy as it was a bitch of a weekend upgrade.

  13. Anonymous Coward

    This could have been solved 10 years ago if they had allowed third-party Windows Updates for Java and Flash on desktops without requiring SCCM. Even free operating systems do a better job of patch management.

  14. Martin Budden Silver badge

    The real message here

    There is one clear take-home message from all this: build your web app without using any plug-ins. Because hackers.

    1. naive

      Re: The real message here

      The best is to de-install Flash Player entirely. Since Q3 2014 this crap has had many zero-days, where people got infected by just visiting a website with Flash-based ads that were engineered to infect PCs.

      They have proved incapable of fixing this product, so better remove it; life is possible without Flash.

      See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0311
