back to article Decision time: Uninstall Adobe Flash or install yet another critical patch

Adobe has issued yet another update for Flash Player to patch a critical vulnerability revealed in documents leaked from spyware maker Hacking Team. The update patches 36 CVE-listed flaws, including the hacking Team's CVE-2015-5119 bug – which can be exploited by a malicious Flash file to run malware on a victim's system. Some …

  1. Ken Hagan Gold badge
    Childcatcher

    Won't somebody think of the children?

    Have we now reached the point where sites that *use* Flash (and thereby encourage non-nerds to have it installed and active) should be named and shamed as internet sociopaths?

    1. petur

      Re: Won't somebody think of the children?

      There's simply too many of them :((((

      1. Nigel 11

        Re: Won't somebody think of the children?

        Write a shim that goes between the browser and the Flash player, displaying appropriate things about the dangers associated with clicking the "view" button and the stupidity of the site that wants you to use Flash. Give it a password option so you can lock non-authorised users of the computer out of Flash.

        Flashblock contains most of this functionality, apart from the insults (which might have to be lawyer-vetted).

    2. Shannon Jacobs
      Holmes

      Won't somebody think of the market opportunity?

      Why hasn't anyone produced a competing Flash player of MINIMAL, STABLE, and SECURE functionality?

      I still have no idea what market model Adobe thinks they are using, but whatever it is, it's broken to death.

    3. Anonymous Coward
      Anonymous Coward

      Re: Won't somebody think of the children?

      The BBC for starters

    4. Voland's right hand Silver badge

      Re: Won't somebody think of the children?

      That shall be all children sites and all educational sites with BBC proudly leading the pack.

  2. Florida1920
    Paris Hilton

    As a gesture of goodwill

    Adobe at least ought to change the default of trying to install something from McAfee every time you update Flash. How much do they think we can bear?!

    1. BillG
      Facepalm

      Re: As a gesture of goodwill

      Adobe at least ought to change the default of trying to install something from McAfee every time you update Flash.

      Yes, but the irony is delicious!

      "If you install our Flash, you better have an antivirus".

      1. Wade Burchette

        Re: As a gesture of goodwill

        I was thinking the irony was confusing McAfee with an antivirus program. From my personal experience, McAfee couldn't find water stand knee-deep in the ocean.

    2. PeterM42
      Stop

      Re: As a gesture of goodwill

      I think you mean McCRAPafee.

      Installation of Flash (sorry CRASH) has been trying to foist McCRAPafee on unsuspectiong users for some time - STOP IT!!!!!

  3. Anonymous Coward
    Anonymous Coward

    Without flash, how are we supposed to watch porn? Not all sites use html5 you know.

    :)

    1. Anonymous Coward
      Anonymous Coward

      > Without flash, how are we supposed to watch porn?

      Like in the old days: ASCII art.

      1. Anonymous Coward
        Anonymous Coward

        .... and it might come to that, soon. A porn "actress" today is paid about 600 EUR for a shoot, the male performers about 200 EUR, Nobody on the consumer side pays for porn any more* so it is only a question of time before it has to be produced automatically in server farms to make a profit.

        .... An extra "bennie" is that the high-end graphics cards of today at least can produce much more realistic looking people than the plastic surgeons can.

        *) I suspect the money comes from ad-ware, spy-ware and whatever else they can shovel down the pipes on the porn sites; digital life is mimicking the biological: "You go and poke that ... aand you better see the doctor on Monday".

        1. Nigel 11

          and it might come to that, soon

          But surely there's hundreds of times more porn out there than any person could watch in a lifetime? So start recycling it, like rubbish.

          about 600 EUR for a shoot

          That's about sixty times the recently uprated minimum wage (1 hour shoot?), for which a tidal wave of illegal immigrants are trying to break into the UK. Methinks it's got a long way to fall yet.

          Aren't there some strange folks who would pay the producers to be in a porn movie? Exhibitionists, I think they're called ....

          1. Anonymous Coward
            Anonymous Coward

            Louis Theroux

            I do enjoy Loius, and he did another episode on the US porn industry recently.

            Hint: It takes quite a bit longer than 1 hour to produce a porn video and there are lots of production costs.

            However, the porn surfers of the world are apparently satisfied with grainy 240p clips for free, free webcam girls and whatever else is shuffled down the pipe, rather than pay for quality productions. Porn as we we knew it is in decline, though IMHO they largely have themselves to blame with their incessant emphasis on over-large plastic tits, pumped up pouts and poorly dubbed soundtracks.

  4. Anonymous Coward
    Anonymous Coward

    More Flash vunerabilites...

    It does appear that Steve Jobs was right on this point.

    Yeah, I know it sucks to say this but if you can have all those i{devices} working without flash then why on earth do we still need this POS elsewhere?

    Come on Web Developers, we know you can make those sites work without Flash so just make your sites work for everyone the same way.

    Flash, be gone. your time has passed.

    At least MS seems to have thrown in the towel with Silverlight.

    1. Wensleydale Cheese

      Re: More Flash vunerabilites...

      "Flash, be gone. your time has passed."

      BBC please take note.

      It is riduculous that I need Flash to listen to the radio.

      (I'm not in the UK, so other means like iPlayer don't work)

      1. Charlie Clark Silver badge

        Re: More Flash vunerabilites...

        Use TuneIn or side-load the BBC iPlayer Radio apk like everyone else.

    2. jaime

      Re: More Flash vunerabilites...

      Yeah but that's only because they were able to force Mozilla/Firefox to include HTML DRM support into their browser!

    3. Anonymous Coward
      Anonymous Coward

      Re: More Flash vunerabilites...

      Only reason Jobs could dump it so quick was because didn't he say he didn't want people watching porn on their ipads, etc.. LOL

    4. Anonymous Coward
      Anonymous Coward

      Re: More Flash vunerabilites...

      Whilst Flash is showing itself to be full of holes, we shouldn't overlook the real problem, namely it is only being used as a route to exploit vulnerabilities in Windows...

      So when the next set of updates for Windows are released, can we expect the headline:

      "Decision time: Uninstall Microsoft Windows or install yet another critical patch"

      1. Anonymous Coward
        FAIL

        Re: More Flash vunerabilites...

        "we shouldn't overlook the real problem, namely it is only being used as a route to exploit vulnerabilities in Windows..."

        You may want to address your attention span, clearly you have trouble getting more than a few lines in.

        "Users of Flash Player for Windows, OS X, and Linux are all advised to update to the latest version of Flash, though the update is only considered a top priority for Windows and OS X users"

        1. Anonymous Coward
          Anonymous Coward

          Re: More Flash vunerabilites...

          Re: You may want to address your attention span, clearly you have trouble getting more than a few lines in.

          "Users of Flash Player for Windows, OS X, and Linux are all advised to update to the latest version of Flash, though the update is only considered a top priority for Windows and OS X users"

          I was aware of the other versions, however, for the majority of Flash exploits, including this one, most of the security experts note that they tend to be very difficult to actually exploit on Linux. Also for many the payload is a Windows executable. Hence why I singled out Windows; but you are right the fact that all three OS's can be compromised does raise concerns.

          My point was that the headline implied that Flash was especially bad code because it required the regular application of critical patches, yet the regular monthly rollout of critical patches for Windows doesn't receive a similar headline when reported in ElReg...

          Interestingly, if you were already running Malware Bytes Anti Exploit Premium or Free (Windows XP/7/8) you were protected from this exploit. Which would suggest that there are things that could be done by the 'OS' to protect from this style of attack.

          Personally, MS should include and enable EMET as standard and so require all vendors who don't want to comply with it's constraints to have to explicitly opt-out, with such exceptions being reported in the Windows Event Security Log. Yes some stuff will fail, but then it would be a relatively simple task to make the necessary changes, just as we had to do with firewall settings for HP All-in-one's before HP modified the installer.

      2. Nigel 11

        Re: More Flash vunerabilites...

        Decision time: Uninstall Microsoft Windows or install yet another critical patch

        At least Windows can apply its own bandages ... until the bad guys get there first and cripple its auto-updating.

      3. Anonymous Coward
        Anonymous Coward

        Re: More Flash vunerabilites...

        > we shouldn't overlook the real problem, namely it is only being used as a route to exploit vulnerabilities in Windows...

        It is so because 98% or so of the installed user base are running Windows. If you are in the business of desktop computer intrusion of course that's what you're going to target. Likewise, people trying to commandeer network servers go for Sendmail / Exim vulnerabilities instead, to put an example.

        I don't know if you meant it this way, but your post sounds like one of those silly partisan rants about this or that product or operating system or whatever. Honestly dude, I haven't touched a Windows machine in years and I never owned one, but that's just what rocks my boat and I don't need to go preaching to other people about my this being better than your that. Do yourself a favour and get a life, will ya?

    5. Stevie

      Re: Steve Jobs right

      Speaking as someone using an iOS device (as I type) I think your definition of "working" would have to be a bit looser than mine. Safari over iOS is a distinctly less awesome experience than I was led to believe before I dipped my feet in the water. But then that has been my experience of just about every Apple device other than the original iPod Nano - people simply don't talk about the Apple horseshirt the way they do about the Windows version.

      The app I had only one moan about, the music player, was just updated under me. It now has controls you'd have to have electron microscope eyeballs to find, let alone use and defaults to a splash screen trying to trick me into trying a "free" trial of their "radio" service instead of using an ounce of user-friendliness and taking me to the 80+ gigs of music I have in my library. Now, to play an album I have to wake up the app, fight my way free of the iTunes store and its free trial bullshirt, locate the album, then swipe upward to try and get the iPad control panel to appear - and sometimes the gesture doesn't work properly so several attempts must be made.

      So thanks, Apple, for moving to the Microsoft model of unwanted and unhelpful software changes foiisted on an unwilling audience, you almighty pricks.

      1. AbelSoul
        Alert

        Re: Steve Jobs right

        the music player, was just updated under me. It now has controls you'd have to have electron microscope eyeballs to find, let alone use and defaults to a splash screen trying to trick me into trying a "free" trial of their "radio" service instead of using an ounce of user-friendliness and taking me to the 80+ gigs of music I have in my library. Now, to play an album I have to wake up the app, fight my way free of the iTunes store and its free trial bullshirt, locate the album, then swipe upward to try and get the iPad control panel to appear - and sometimes the gesture doesn't work properly so several attempts must be made.

        I've been hesitating to update iOS for a number of reasons and you've just given me another one.

        Thanks for the heads up - the extant version of the music player is perhaps the least frustrating app I use regularly.

      2. Anonymous Coward
        Anonymous Coward

        Re: Steve Jobs right

        And where's the shuffle button gone?

    6. Charlie Clark Silver badge
      Thumb Down

      Re: More Flash vunerabilites...

      Jobs wanted rid of Flash for two reasons: better battery life and promoting his walled garden. Quicktime and Safari have both had more than their own fair share of bugs and Apple's speed at patching them is far from ideal.

      Kudos to Adobe for getting these patches out so quickly. Flash remains far from ideal and we can thank Jobs for promoting the idea of avoiding Flash but we shouldn't be so foolish as to think the replacements are much better. If you want good performance on a device you normally want unhindered access to the hardware. This almost inevitably introduces security risks. As I'm sure we'll see ass we move from Flash and Silverlight-based to HTML DRM extensions.

  5. ElReg!comments!Pierre

    No shit, Sherlock.

    Adobe Flash... pretty sure it serves a useful purpose, somewhere, for someone. Come to think of it, for me it does serve a purpose. It spares me from seing the most useless parts of the terwebz. I just see a "Flash is a small install from Adobe, please click 'yes' to install it in order to view this slideshow of domesticated felines" which is definitely an improvement over the intended content.

    I do wget a few .flv clips that I play in mplayer, from time to time, though.

    1. Nigel 11

      Re: No shit, Sherlock.

      Adobe Flash... pretty sure it serves a useful purpose, somewhere, for someone.

      the NSA and other countries' intelligence agencies?

  6. Boris the Cockroach Silver badge

    I just

    updated damnit.

    If it was'nt for candy crush, flash would die on this box

    Wow lined 5 up!

    1. Anonymous Coward
    2. ElReg!comments!Pierre
      Meh

      Re: I just

      And you think you jest!

      Not funny in the least (sez the sysadmin who can't get his wife off the online version of candy crush)

  7. Velv
    Pirate

    It's lucky for Adobe's shareholders that the company doesn't offer a bug bounty, otherwise it would be more profitable for criminals to focus their efforts reporting the bugs than exploiting them

  8. Anonymous Coward
    Anonymous Coward

    It's the patch option, I'm afraid

    Two words: Streaming porn

    1. Anonymous Coward
      Anonymous Coward

      Re: It's the patch option, I'm afraid

      anyone who is still using flash for porn is looking in the wrong places. There are plenty of sites that work without it, and on iOS as well

  9. Anonymous Coward
    Anonymous Coward

    NSA sponsored ?

    I really do wonder if the NSA are funding flash and java in the browser.

    I'd say 50% of the all web client patching over the last 20 years have been for these two products alone. I'm starting to think that they are faulty by design ?

    1. Nigel 11

      Re: NSA sponsored ?

      I'm starting to think that they are faulty by design ?

      Only starting to think so?

      I've thought that since about a year after flash first arrived on the scene. Only thing I'm not sure, is whether the faulty design is by incompetence or by malice.

      Windows is also faulty by design, ever since MS broke the NT 3.5 kernel's designed-in security on purpose. Again, incompetence or malice? You decide.

  10. Tromos

    A new term is needed

    Patch is defined in a dictionary as "A small piece of material affixed to another, larger piece to conceal, reinforce, or repair...". In the case of Flash, there is no longer a larger piece, it is all patchwork. They ought to call it 'Quilt'.

    1. Toastan Buttar
      Windows

      The Young Ones

      Vyvyan: "My nickers are so old, it's only the stubborn under-stains that are holding them together".

  11. Mystic Megabyte
    FAIL

    MPV

    On this Ubuntu box I uninstalled Flash and installed youtube-dl and mpv. In BBC iPlayer I can right click and select "Play with MPV", it works fine. However it will not play the Flash videos that are on the BBC news site.

    Someone please tell the BBC to stop using Flash! If I wanted to "steal" their content I could just record it from the TV or radio. Broadcasting, the clue is in the name.

  12. Z80

    I've just updated. Upon completion, the installer tells me "You may need to rest..."

  13. Stevie

    Bah!

    Given the audience for this e-rag, do we really need the statement of the bleeding obvious re: not using Flash in every single article about another exploit being found? Can't we assume that if someone at the level of IT graspitude to be reading here is using Flash they have a good reason to be doing so?

  14. Anonymous Coward
    Anonymous Coward

    I would like to point out

    As a general comment (i.e., not related to Flash in particular, and not considering its merits or lack thereof), frequent patches are not a sign of a bad product--on the contrary, it means there is someone out there who cares enough about the product to fix problems as they appear or as they are discovered.

    Remember, especially those of you in the corporate scene: just because a product does not receive frequent patches it doesn't mean it's secure. It means that either its bugs have not been discovered yet, or they haven't been fixed.

    I understand that Flash may be a product with a bit of "baggage", but let us not extrapolate from there.

    1. Steve Davies 3 Silver badge

      Re: I would like to point out

      Whilst many of your points are vaild, what pisses me off is that there is what seems a reducing period between Flash updates. This means that almost as soon as you have applied one update, another is waiting for you.

      If it wasn't so bug ridden this would not be needed.

      This endless patching is a PITA.

      Like IE6, Flash should be consigned to the scrapheap ASAP.

    2. Dan 55 Silver badge

      Re: I would like to point out

      It's not pre-emptive patching or refactoring, there's always a new version in response to a CVE. It doesn't look like anyone at Adobe has the wit to globally search for sprintfs.

    3. tin 2

      Re: I would like to point out

      I disagree, they are a sign of both a bad product AND someone out there who cares enough about the product to fix problems as they appear.

      Or more like, in the case of flash, if they didn't "care" enough to release patches in response to exploits the product would be immediately finished.

  15. JLV

    Channelling Mrs. Reagan sitting on Mr. T's lap**

    Just say 'No', Fool*.

    Many, many, sites do not use Flash. Many more will work just fine without you having the plugin. Yes, news sites like the BBC are still stuck in Flash land, but only for some of their videos. Just like Java applets, once you get rid of them, you realize how the risks far outweigh the benefits.

    * Sorry, didn't mean to be rude. I did have to channel Mr. T too, hence "Fool".

    ** google "Mrs. Reagan sitting on Mr. T's lap". disturbing.

    1. razorfishsl

      Re: Channelling Mrs. Reagan sitting on Mr. T's lap**

      Top quality sources such as the sun & the Daily mail both use flash.

  16. Dana W

    I ALWAYS use flash blocker, I only allow flash to run on a case by case basis. Only Youtube white listed.

    1. Dan 55 Silver badge

      I wouldn't put my trust in Flashblock, it often downloaded and ran Flash objects for a fraction of a second before replacing it with the icon.

      Click-to-play is the way to go.

  17. Teiwaz

    Flash? Isn't that the Floor Cleaner?

    No Flash on my machine.

    The only handicap I've noted so far is the BBC News site, not p0rn. Their video clips don't really add much to the accompanying article to be worthwhile (which am I talking about? BBC or p0rn - take your pick).

    1. Tabor
      Coat

      Re: Flash? Isn't that the Floor Cleaner?

      "BBC or p0rn - take your pick"

      I'm assuming you forgot an R in there.

      Sorry, couldn't resist. I'll get my coat now.

      1. Teiwaz
        Go

        Re: Flash? Isn't that the Floor Cleaner?

        Heh.

        Nicely spotted. I should have formatted it 'p(r)ick'

        - although what you find on the BBC news site to 'fondle yourself' over scares me...

        (can't be George Osbourne... - or at least I hope not, 2nd day in a row that smug get is 'covergirl')

        ...better stop now before my good-taste filter chip burns out...

  18. Anonymous Coward
    Anonymous Coward

    Such effort to update......

    I just updated (remembering to untick the kind offer to install sh1te as well) and when it was complete it told me : You may need to rest....

    I wonder how they knew I was so tired? :)

  19. Gareth Perch

    Why whitelist YouTube for Flash? I haven't got it installed in Firefox and all the videos I've wanted to watch work fine without it.

    1. DropBear

      Not all versions of Firefox can play HTML, and not everyone is free to upgrade to the latest FF on the latest OS (please don't mention Palemoon - same issue applies except this time you won't even get to install it).

      1. Teiwaz

        That is illogical, captain...

        Not free to upgrade to the latest Firefox(or latest / more secure browser) or OS,

        but free to keep ('seemingily' endlessly vulnerable) Flash.

        Nope, no logic there. Company IT security policy beggars belief

        1. Anonymous Coward
          Anonymous Coward

          Re: That is illogical, captain...

          > Nope, no logic there. Company IT security policy beggars belief

          Indeed it does. Welcome to corporate IT. :-(

  20. Teiwaz
    Joke

    Do you tire easily?

    'You may need to rest'...

    Maybe Adobe realise that in this day and age, anybody installing flash is either...

    an ignorant 'kid' who still needs naps in between tantrum inducing angry birds (or whatever) sessions.

    or an 'ole fella' who still thinks flash is the 'must have' for internet , (along with realplayer and quicktime + insert anything else from the 90's I may have forgotten in my dotage) and who insists the family all sit down to watch panorama because 'it's important to take an interest in current affairs' but will fall asleep almost as soon as the programme titles finish.

    Joke alert - in case peeps don't realise... (some truth in jest though)

  21. Rick Giles
    Linux

    Uh...

    Adobe only provides security backports for Flash on Linux. I believe this one to be 11.2.202.468

    But that's okay. Adobe is dead to me anyway as I don't use their crap after that stopped major development on Flash anyway.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like