Kill Flash Now: 78 bugs patched in latest update

Adobe has released another update to address dozens of flaws in its Flash Player browser plug-in. The December update fixes 78 CVE-classified security vulnerabilities in Flash Player for OS X, Windows, Linux, and Android. The patch includes 75 separate vulnerabilities that could be exploited by an attacker to remotely execute …

  1. ZSn

    Rid?

    It seems to be that it's more difficult to get rid of flash than a bad dose of the clap.

    1. big_D Silver badge

      Re: Rid?

      I deinstalled / disabled it in all browsers in January. I haven't felt tempted to re-install it since.

      1. ZSn

        Re: Rid?

        Yes, but my wife insists that at least one Linux box has this abomination so that the kids can play games. Sigh...

        1. Anonymous Coward

          Re: Rid?

          You might want to try Pepper Flash player instead.

      2. Anonymous Coward

        Re: Rid?

        "I deinstalled / disabled it in all browsers in January."

        Same here. January 1999.

    2. Donchik

      Re: Rid?

      So... What would a "Good" dose of the clap be like?

      1. ZSn

        Re: Rid?

        The sound of one hand...

  2. Ugotta B. Kiddingme

    Sigh...

    Why are we STILL having this conversation? I mean, really... Can't someone just put it out of our misery once and for all?

    1. Steve Davies 3 Silver badge

      Re: Sigh...

      Sadly no. Far too many sites demand to use Flash.

      Come on Beeb, make good your promise and move to HTML5. Consign Flash to history.... Please.

      1. Anonymous Coward

        Re: Sigh...

        Far too many sites demand to use Flash

        Because web designers are as bright as Donald J Trump.

        1. Vector

          Re: Sigh...

          I suspect, in very many cases, it's not the designers but their bosses who have the intelligence deficit. "Thatwouldcosttomuch" might just go away if they could be held responsible (say, legally) for using a plugin with a history of vulnerabilities.

          This should be particularly true in cases where use of flash is made mandatory, as in the case of some school systems mentioned when one of the last raft of vulns came to light.

          1. Anonymous Coward

            Re: Sigh...

            it's not the designers but their bosses

            Not necessarily. There's also the "I don't know anything but flash" type of web designers.

        2. a_yank_lurker

          Re: Sigh...

          @ Ledswinger - The flash crew are actually rivaling Congress for the stupidity. It is probably driven mostly by PHBs who have not had the pleasure of a class action lawsuit or criminal investigation aimed at them.

          1. Kobus Botes

            Re: Sigh...

            @a_yank_lurker

            Double sigh here. Our institutional collector of funds (aka SARS) insists on living on the bleeding edge with Adobe (I sometimes think they must get some sort of kickback for testing Adobe's delightful products) - so much so that I have to use my better half's Windows machine, as Adobe does not update their Linux products anymore.

            Personally I would have thought that, being a public service and all (and we being mostly a third world country), they would cater for the broadest demographic, not just the risk takers going after the latest shiny-shiny, but there you are.

            -------> for SARS (South African Revenue Services), obviously. Wish I could add the nuke icon for Adobe as well.

            1. Anonymous Coward

              Re: Sigh...

              >Adobe does not update their Linux products anymore

              Google update the Linux version of Player which they bundle in Chrome (Adobe shares the source code with them) - missing the newer Stage 3D stuff 12-on - but the security patches are all done.

        3. JF_au

          Re: Sigh...

          When I come across a site that uses Flash I always send them a quick email letting them know that the 400+ computers and users I control at work are unable to see their website's content because Flash is disabled across the corporation and won't be getting re-enabled.

      2. JoshOvki
        Stop

        Re: Sigh...

        Never mind the Beeb, what about El Reg?!

      3. Anonymous Coward

        Very few sites demand flash

        Those that do won't work on any iOS and most Android devices, which are a large and growing chunk of browsing activity today.

        I think you'll find that if you remove flash (don't just disable it with flashblock) most sites that use it when it is installed won't "demand" it but will instead use whatever they are using on mobile. It is only crappy sites that base the decision on whether to use flash based on browser/OS checks that will insist on it on non-mobile platforms based on a judgment that they "should" have flash installed. Vote with your feet by refusing to patronize them, and they'll either come around or die.

        1. Anonymous Coward

          Re: Very few sites demand flash

          "I think you'll find that if you remove flash (don't just disable it with flashblock) most sites that use it when it is installed won't "demand" it but will instead use whatever they are using on mobile. It is only crappy sites that base the decision on whether to use flash based on browser/OS checks that will insist on it on non-mobile platforms based on a judgment that they "should" have flash installed. Vote with your feet by refusing to patronize them, and they'll either come around or die."

          From my experience some of the largest users of Flash are jewelry and European motorcycle kit manufacturers. It really peeves me, when I go to so many of their web sites, how utterly dysfunctional they are without Flash activated; for many, you get not much more than a header and an otherwise blank screen.

          As a hard-core rider I can't begin to count how many of these Flash-enabled product websites I encounter. Why do the manufacturers do this? Because they feel that it makes their web site more "copyright protected" - right-clicking an image to download and save is, of course, impossible, so I'm stuck using them (and I then make sure that my company's web site, for which I am responsible, demands as little as possible from the visitor).

        2. Adam 52 Silver badge

          Re: Very few sites demand flash

          I've asked this question before but whenever I disable Flash YouTube stops working (this is Firefox on Windows 7/8). Is there some magic to persuade it to work or is this just fallout of a codec war?

          1. Test Man

            Re: Very few sites demand flash

            "I've asked this question before but whenever I disable Flash YouTube stops working (this is Firefox on Windows 7/8). Is there some magic to persuade it to work or is this just fallout of a codec war?"

            That can't be right, YouTube already switched to HTML5 a while back. It should be serving up HTML5-based videos to you - only serving up Flash if you specifically asked for it, or when using a browser that doesn't support the relevant HTML5 elements.

            Go to https://www.youtube.com/html5 and follow the instructions.

      4. This post has been deleted by its author

    2. Chris Daemon

      Re: Sigh...

      Got a call from a friend's parents "Our plugin needs updating!" I assumed (correctly) it was Flash, and I showed them where to go and how to upgrade it. This was after we had a fruitless discussion about removing it completely - "Oh no, I need Flash to play my [card and casino] games..."

      Most people who just have a computer for plain home use (online games, browsing, email, shopping) have no concept of how to keep their machines secure, or even updated. That's a reality, and certainly/sadly not new.

      Would it be apropos to say: You are too dumb for a real computer, get an iPad/Fire/Galaxy/etc.

      1. Anonymous Coward

        Re: Sigh...

        You are too dumb for a real computer, get an iPad/Fire/Galaxy/etc.

        Yep. Whenever someone asks for a computer recommendation, I hardly ever recommend Windows any more... it's just too hard for them.

    3. Michael Wojcik Silver badge

      Re: Sigh...

      It's required for a large corpus of electronic literature. That may not be of interest to the general populace (though some titles have large and enthusiastic audiences), but it's quite important to some readers, literature scholars, librarians, historians, and so on.

      Alternative implementations, such as Mozilla's Shumway, may eventually be viable replacements for the "real" Flash player, and - who knows? - might even be less insecure. But for now, people with a serious interest in e-lit pretty much have to keep using Flash, hopefully judiciously with whitelist blocking.

      1. Kiwi

        Re: Sigh...

        But for now, people with a serious interest in e-lit pretty much have to keep using Flash,

        I was fortunate to inherit some material. I have a ridiculously stupidly large collection of ebooks, plus subscriptions to a few libraries. I could finish a couple of novels a day and not need to add to the collection before I die (someone I knew was an obsessive collector).

        .lit, pdf, txt, html, doc(x), and a couple of formats I haven't looked at yet. Not one bit of flash. Over 30k files (note the books in html format are often a chapter per file and some have extras like images, so it's not quite 30k titles - then again there's things like Chronicles of Narnia and the Darkwar stuff all in a single file).

        Not one bit of flash. Not for the collection I have, and not for the libraries I visit (rarely nowadays)

  3. Matt Collins

    Really?

    Why does it seem like there have been more holes patched in Flash than in Windows? Was it written by monkeys?

    1. Tom Chiverton 1

      Re: Really?

      No, Microsoft doesn't care enough to tell you.

    2. John Tserkezis

      Re: Really?

      "Why does it seem like there have been more holes patched in Flash than in Windows? Was it written by monkeys?"

      No. Monkeys would do a far better job.

  4. elDog

    OK, it's been proven. There are more patches to Flash than there are lines of code.

    This has got to be a record (except for Perl obfuscation) for the number of bugs you can stick in a single line of code.

    Mind you this only counts real LOC, not comments and testing harness stuff (what's that, they say).

    Now that the Adobe have decided to focus on HTML5 (with Flash riding alongside) I expect to see them expose some vulnerabilities in that spec too.

    1. Anonymous Coward

      Re: OK, it's been proven. There are more patches to Flash than there are lines of code.

      >Now that the Adobe have decided to focus on HTML5 (with Flash riding alongside) I expect to see them expose some vulnerabilities in that spec too.

      I challenge the proposition they have any kind of focus. I'd wager at exec level you wouldn't find a single person who could even match all their current product line to broad functionality.

      Everyone focused on the rebrand of Pro Studio to Animate CC [HTML5 there is basically banner ad creation, there's practically no interaction support and maybe 5% of the functionality of AIR/Flash] but failed to notice they've just canned all their new HTML5 tools - Edge etc at the same time.

      There's no compelling reason for developers to use any Adobe tools - beyond the 'from my cold dead hands' attitude of designers to PhotoShop/Illustrator. Someone will say PhoneGap I'm sure, but look at their app showcase before you do.

  5. Mark 85
    WTF?

    What really gets to me....

    I ran this for a "friend" who insists on using it. He called me because VoodooShield found one of the components (gcheck.exe) to be "unsafe". WTF, Adobe???? It's supposedly something from ask.com.

    Anyway, the friend got what he wanted... I'm not sure why and didn't ask. I just said, I'm not supporting Flash for anyone after today... friends, relatives, etc. as it is crap and will increase your odds of getting malware.

    1. Anonymous Coward

      Re: What really gets to me....

      What really gets to me....

      "I ran this for a "friend" who insists on using it. He called me because VoodooShield found one of the components (gcheck.exe) to be "unsafe". WTF, Adobe???? It's supposedly something from ask.com.".

      "Just said, I'm not supporting Flash for anyone after today... friends, relative, etc. as it is crap and will increase your odds of getting malware".

      Using ask.com along with Adobe, is just increasing the odds 100% of getting malware.

  6. Anonymous Coward

    Connection failure

    The last two updates I've tried to run have been met with a connection failure to Adobe's servers, followed by the deletion of the executable file, requiring you to download it again!

    The solution used to be to visit this page: https://www.adobe.com/in/products/flashplayer/distribution3.html

    ...and grab the offline installer. Now though I see this message:

    "WARNING

    This page and the download links will be decommissioned on January 22nd, 2016."

    So Adobe, do you have to work at being the biggest bunch of cunts on the planet, or does it just come naturally?

  7. Anonymous Coward

    78 bugs? How can a 20 year old program still have 78 bugs that can be squished in one go? The source code must contain more buggy lines than safe lines.

  8. earl grey
    FAIL

    no, they're cunts all right

    They have already taken away the easy download links for reader and other products... guess i'll have to find another PDF reader since i don't like those little "loader" downloads. Adobe, you suck; and not in a good way.

    1. Anonymous Coward

      Re: no, they're cunts all right

      Personally I switched to Sumatra a long time ago...

      1. DropBear

        Re: no, they're cunts all right

        "Personally I switched to Sumatra a long time ago..."

        Smart choice. It's the _only_ thing I know of that actually can load in a timely fashion hundreds of megabytes' worth of those stupid image-laden PDF product catalogues some firms insist on having. Now, imagine my surprise when just the other day it actually failed to display a few pages in a fairly small PDF (only a few pages, but all of them horrendously large images)...

  9. Anonymous Coward

    One to go

    Of all the web content I oversee, I have 1 solitary SWF object left.

    Do you think the owner will spend the $ to change it?

    No.

    This, despite 50% of their customers not being able to run Flash.

  10. Michael Thibault

    Flash needs a Nexus 7 treatment

    And a self-deleting installer, so that any installation of Flash definitively undoes itself after a short time--a month, say. That way, anyone intent on using it has expressly to go to adobe.com to get one of the ever-thinning options for re-installing it, fresh from the latest bug-fixing. No matter what, though, Flash is going to have a long tail-off. That is now the issue. Over to you, Adobe...

    1. Anonymous Coward

      Re: Flash needs a Nexus 7 treatment

      >No matter what, though, Flash is going to have a long tail-off.

      They just need someone with the balls to Open Source Player - they did it with Flex, it's not unimaginable. The only practical obstacle was hard cash from premium video and they've all but lost that battle now. It remains a vastly superior platform technically to the horrors of HTML5/JS - it's rendered appalling only by a failure to secure and support it.

  11. Anonymous Coward

    Are they still pushing Adobe Air though?

    They might be deprecating Flash, but some places seem to be advocating strongly for Adobe Air still.

    Adobe Air is really Flash in its own executable environment (non-browser), with bundled extensions. Seems to be vulnerable to many of the same bugs, though not by browser vector.

    1. Stevie

      Re: Are they still pushing Adobe Air though?

      Adobe Air sits on the JVC which means that if you have (say) a copy of the complete National Geographic and if (say) you rebuild your machine after a couple of years, your CNG won't work after Java updates itself on installation. Nothing you can do will fix it either.

      Given the piss-poor implementation of the reader the loss is debatable.

      Adobe Air also uses a proprietary document format. Anyone know how to port these to pdf format, because I'd like to have access to those magazines again.

      1. Joe User

        Re: Are they still pushing Adobe Air though?

        Adobe Air also uses a proprietary document format. Anyone know how to port these to pdf format, because I'd like to have access to those magazines again.

        How to convert an AIR file to a PDF file

        https://en.pdf24.org/air-2-pdf.html

        1. patrickstar

          Re: Are they still pushing Adobe Air though?

          That's some autogenerated spam pages to get people to download their, probably ad/malware laden, PDF software..

          AIR files are ZIP files with some AIR-specific metadata, so converting that to a PDF would mean... what exactly? Producing a PDF version of the list of files?
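An added example (not code from this thread or from Adobe) that treats an .air package as the ZIP container described above and pulls out what a defender would want to see before installing one: whether it really is a ZIP, what it ships, the application id and version, whether a signature file is present, and any path-traversal style entry names. The descriptor path META-INF/AIR/application.xml and signature path META-INF/signatures.xml are assumptions for this example, and the sample package is constructed in memory.

```python
"""Inspect an AIR package as the ZIP container it is (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed locations of the AIR metadata inside the archive (hypothetical here).
DESCRIPTOR = "META-INF/AIR/application.xml"
SIGNATURE = "META-INF/signatures.xml"


def build_sample_air() -> bytes:
    """Construct a minimal AIR-like package in memory (constructed sample data)."""
    descriptor = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<application xmlns="http://ns.adobe.com/air/application/2.0">'
        "<id>com.example.catalogue</id><versionNumber>1.0.0</versionNumber>"
        "<initialWindow><content>catalogue.swf</content></initialWindow>"
        "</application>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.adobe.air-application-installer-package+zip")
        zf.writestr(DESCRIPTOR, descriptor)
        zf.writestr("catalogue.swf", b"FWS\x0a" + b"\x00" * 16)   # fake SWF stub
        zf.writestr("issues/2015-12.pdf", b"%PDF-1.4\n%constructed\n")
    return buf.getvalue()


def is_air_container(blob: bytes) -> bool:
    """An AIR package must at least be a ZIP archive (local file header magic)."""
    return blob.startswith(b"PK\x03\x04")


def inspect_air(blob: bytes) -> dict:
    """Summarise an .air package without executing anything inside it."""
    if not is_air_container(blob):
        raise ValueError("not a ZIP container, so not an AIR package")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        info = {
            "entries": names,
            # Inflated size: a tiny archive that expands to gigabytes stands out.
            "inflated_bytes": sum(i.file_size for i in zf.infolist()),
            "signed": SIGNATURE in names,
            # Absolute or parent-relative entry names would escape the extract dir.
            "suspicious_paths": [n for n in names if n.startswith("/") or ".." in n.split("/")],
            # The documents a "convert to PDF" tool could at best hand back.
            "documents": [n for n in names if n.lower().endswith(".pdf")],
            "app_id": None,
            "version": None,
        }
        if DESCRIPTOR in names:
            root = ET.fromstring(zf.read(DESCRIPTOR))
            # The descriptor is namespaced; derive the prefix from the root tag.
            ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
            id_el = root.find(f"{ns}id")
            ver_el = root.find(f"{ns}versionNumber")
            info["app_id"] = id_el.text if id_el is not None else None
            info["version"] = ver_el.text if ver_el is not None else None
    return info


if __name__ == "__main__":
    for key, value in inspect_air(build_sample_air()).items():
        print(f"{key}: {value}")
```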

      2. patrickstar

        Re: Are they still pushing Adobe Air though?

        Adobe Air has nothing to do with Java. It's basically Flash Player + APIs for stuff like unrestricted filesystem access + packaging.

        Considering a whole lot of tools for targeting it are open source that should be a good starting point for any Flash/Air-associated formats. If that doesn't help, chances are they rolled their own or are using some obscure 3rd party lib.

  12. patrickstar

    HTML5 more secure?

    Flash actually comes with an important security advantage: It can be disabled, click-to-played, enabled on a case-by-case basis, etc. Now, thanks to this "great" idea called "HTML5" (+supporting technologies) you now have a huge, immensely complex, attack surface in every major browser and no comparable way to get rid of it. At most you can disable some of the worst ideas like WebGL one by one, but just like what happened with JS I bet a lot of sites will start assuming it's always there. And nowadays having any JS functionality at all enabled means exposing approximately one gazillion lines of extremely complex heavily optimized utterly unsafe code even when you'd be just fine with a simple interpreter.

    So even if browsers magically have an order of magnitude fewer bugs than Flash, everyone is still worse off.

    1. HAL-9000
      Paris Hilton

      Re: HTML5 more secure?

      Correct me if I'm wrong, but isn't html 5 just an open web standard, as such it simply defines a set of interfaces; nothing to be afraid of there? HTML 4 etc were likewise just standards. It's the flash implementation that causes issues, being closed source and full to the rafters with bugs it is widely regarded as somewhat problematic. Problems with HTML 5 code will arise, some will be caused by numpty web designer/developers using implementations incorrectly, and some by poor implementation in vendor specific browsers.

      To surmise:

      flash bugs + browser bugs + web bugs > browser bugs + web bugs (we hope ;) )

      PS The ability to slightly control flash behaviour is probably about as much use as a tin foil hat

      1. patrickstar

        Re: HTML5 more secure?

        HTML5 and the associated technologies is a huge, immensely complex beast. Implementing them means an immensely increased attack surface. Even with far better practices, coding standards, review/audit processes, etc than any browser vendor maintains you are bound to end up with a _lot_ of issues.

        If I could turn all that new stuff geared at rich-internet-application-stuff off, fine. But I can't. At most I can run an ESR release or whatever. Unlike Flash, which I can disable/enable completely as needed. And disabling/click-to-play'ing it isn't exactly "slightly control[ing] flash behaviour".

        (For the record, click-to-play with Java has turned out not to be 100%, but AFAIK Flash has a simpler model without Webstart et al.)

      2. Charlie Clark Silver badge

        Re: HTML5 more secure?

        flash bugs + browser bugs + web bugs > browser bugs + web bugs

        Jury's out on that. Fact is all the browsers are more robust than they used to be and the plugin architecture is on the way out. But the same multimedia that provides such a rich vein of attack vectors for Flash may also turn out to be useful for any accelerated API that is more than likely being given privileged access to hardware (codecs, openGL, etc.). Quicktime and Windows Media Player in the past have had their own share of bugs and they are still providing part of the services for the new browsers.

        My guess is that the new attack toolkits just aren't as sophisticated yet as they are for Flash, et al. True the new browsers have been hardened in a way that Macromedia could never have thought of when it was adding the bells and whistles, but who knows if that'll be enough? The browsers have one thing going for them in that they don't publish implementation APIs so they are freer to replace an implementation if it turns out to be a turkey. This comes at an overhead of having to agree the API with other interested parties and then make it work. Flash is a victim of backwards compatibility. Back in the day that meant it could add features quickly and keep developers happy and it effectively ended the "install a plugin to watch this video" malarkey we had for much of the first decade of this millennium.

  13. Anonymous Coward

    bleedy aunty

    trouble is the bleedy Beeb still require it! If they'd ditch it I'd be disabling it on our network like a shot

  14. This post has been deleted by its author

  15. Anonymous Coward

    British Open?!?!

    No such tournament exists.....

    See -> https://en.wikipedia.org/wiki/The_Open_Championship

  16. Anonymous Coward

    FFS

    78 NEW vulnerabilities, from the LAST lot of (supposedly) fixed code borks..

    For fuck's sake, how is it possible to write (or fix) code so effing badly that 78 NEW separate exploitable bugs exist in a fucking piece of software that has been around for the last decade and a half and has had more holes than a colander...

    KILL

    FLASH

    NOW.

    1. patrickstar

      Re: FFS

      Where does it say that they are actually exploitable? Adobe seems to list anything crashy as potentially exploitable, which may or may not be the right thing to do. False negatives are rare but really nasty - classic example of this would be apache-scalp from the early 2000s.

      However, judging by the number of actual Flash exploits in the wild, the vast majority of the bugs are at the very least not wild-grade.

      "Multi-million line software with a 20MB executable contains 78 unfixed bugs" certainly doesn't sound very dramatic, or (sadly) out of the ordinary.

      Unfortunately with all web-stuff nowadays the {performance,features}/{reliability,security} tradeoff is heavily weighed towards the former.

  17. HAL-9000
    Flame

    Mutually exclusive

    You say "Even Adobe is nudging customers away from Flash, renaming its most-recent version of Flash Tools "Animator" and encouraging a move over to HTML5. ®"

    They say Adobe is also doing its best to ensure the continued use of Flash on the new web. Flash dominated on PCs as a medium for serving media and ads.

    Who's right? I wish flash would just curl up and die either way.

  18. nilfs2
    Terminator

    The problem with Flash is the same problem with Cisco and Microsoft

    Web developers get taught how to work on Adobe products since day 1, same way people learning networking get taught to use Cisco products since day 1 and server administrators and desktop app developers get taught to use Microsoft tools since day 1; those companies have taken universities and main learning centers as hostages so students won't learn alternative ways to do stuff and only use their products.

  19. LINCARD1000
    Facepalm

    I want to cry...

    While it's not on my personal machines at home, we are forced to have it on the comps we have at work for some business critical applications (payroll and vehicle booking). The people who make decisions here didn't even consult and the PHB didn't think to object either when these solutions were implemented.

    1. patrickstar

      Re: I want to cry...

      Unless it's heavily intertwined with the web site (like calls Javascript on the pages to do stuff) you should be able to run the SWF in the standalone player just fine, although you need to do some voodoo to let it do networking stuff. It's been ages since I fiddled with anything Flashy, but http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html# might be what you need.

      1. LINCARD1000

        Re: I want to cry...

        In this instance it's two external vendor sites, so nothing we've got any active control over.

        I've tried just about every kind of voodoo short of gutting a live chicken on the boss' desk to find a work-around as well.
