back to article Patch now! Flash-exploitin' PC-hijackin' attack spotted in the wild by Huawei bods

Adobe has issued new versions of Flash to patch a load of security flaws – one of which is being exploited in the wild. Curiously, that particular vulnerability (CVE-2015-8651) was reported to the Photoshop giant by Kai Wang and Hunter Gao of Huawei's IT security department. Could the Chinese tech goliath have caught …

  1. Anonymous Coward
    Anonymous Coward

    Unfortunately

    Or perhaps fortunately, Flash is disabled or removed from all my computers. It is interesting that a Chinese company now has a functioning security department, while a certain US one seems not to.

  2. chivo243 Silver badge
    Facepalm

    First Job

    After returning to work... Updating the Swiss cheese. I really wonder why it smells like Limburger? Tastes like Limburger, feels like Limburger and looks like Limburger. Too bad we already stepped in it!!

    1. Rusty 1
      WTF?

      Re: First Job

      Surely it's not a surprise that this has happened? If you follow in the path of Limburger, you will step in it at some time and experience all that that entails?

      Obvious really.

      Surely your admin will have sorted all of this out anyway, to avoid you being involved?

      1. chivo243 Silver badge
        Facepalm

        Re: First Job

        @Rusty 1

        Short story for ya...

        A guy walks into the psychiatrist's office and says "you gotta help me doc, I'm really depressed." The doctor says, "You know I have the best solution for you, the circus is in town, go have a good time. See Grimaldi the clown, he'll lift your spirits!"

        The guy says "But doc! I'm Grimaldi!"

        1. Rusty 1

          Re: First Job

          Oh no! You were the poor sap who had to install the patches, *and* stand the stench of the cheese!?

          There must be better opportunities weaving baskets.

  3. channel extended

    I'm Upgrading

    To Flash version 147.9, so maybe I'll be safe for a couple of weeks.

    Please!! Adobe start writing code for the 'Internet of T*rds' and make the NSA happy.

  4. Anonymous Coward
    Anonymous Coward

    SLOC per security flaws?

    Is anyone keeping a score of total the number of security flaws found in this wretched piece of software? Surely it must exceed the number of lines of code by now!

    I too have it uninstalled or disabled on all my computers and don't miss it all.

    1. Anonymous Coward
      Anonymous Coward

      Re: SLOC per security flaws?

      The only metric you need to look at to see how terrible their code is is the number of use after free() issues. I'd suggest running Purify against their code, but if they did it would probably flag thousands of errors. They've probably decided they will only fix memory errors that result in known security exploits, so they will be forever chasing their tail.

      If ever a list of fixes ever showed why no one should be using Flash, it is this one (maybe they all show many use after free() and I haven't noticed, but I did this time and it certainly caught my attention!)

      1. Stoneshop
        Flame

        Re: SLOC per security flaws?

        I'd suggest running Purify against their code,

        I'd suggest Purify to add an exit message "I've erased all this, please start again with a team who can write proper code" with an exit code of 666.

  5. Mikel

    Hey now

    Which one of you was still installing Flash? We need to talk.

  6. Anonymous Coward
    Facepalm

    Another day....

    Another Flash security patch.

    I'd say that Adobe has their software pen testing done by a roomful of drunken monkeys, but that might be unfair to actual drunken monkeys.

  7. Maty

    The internet needs to kill off Flash. It's like a family pet suffering a painful terminal illness, except that this illness is dangerous for everyone around.

    Just put it out of our misery already.

    1. Mark 85

      We don't love flash so the analogy isn't right.. it's more like a rabid dog. Pets will be missed, rabid dogs... not so much.

  8. chasil

    Firefox is just as bad

    I do like very much that Firefox is almost completely open source, and that ssllabs.com has a high opinion of it.

    That being said, critical Firefox vulnerabilities are issued for my Linux distro at LEAST once a quarter, and more commonly once a month.

    https://linux.oracle.com/pls/apex/f?p=105:21:0::NO:RP:P21_ADVISORY_TYPE,P21_RELEASE:SECURITY,7

    If a piece of software has had 5+ critical vulnerabilities in a calendar year, then it's time to halt development for a security architecture review. There should be sound reasons why a user community should endure a stampede of exploitable flaws - reasons that pass the muster of an independent review.

    (This does seem to include the Linux kernel itself.)

    1. John Tserkezis

      Re: Firefox is just as bad

      "If a piece of software has had 5+ critical vulnerabilities in a calendar year, then it's time to halt development for a security architecture review."

      Perhaps I should direct your attention to some goverment departments? You know, get the important ones taken care of first, then worry about the rest...

      1. chasil

        Re: Firefox is just as bad

        ...Perhaps I should direct your attention to some goverment departments? You know, get the important ones taken care of first, then worry about the rest...

        When you have an efficient government, you have a dictatorship. -Harry S Truman (for a small subset of dictatorships).

        1. Anonymous Coward
          Anonymous Coward

          Re: Firefox is just as bad

          Chrome is just as bad now. And there are other packages constantly coming up for patches... libxml2 in particular ... which may be used by both browsers.

    2. Hans 1

      Re: Firefox is just as bad

      >If a piece of software has had 5+ critical vulnerabilities in a calendar year, then it's time to halt development for a security architecture review.

      Windows development would halt, then, in January of each year until June or July ...

      For the Linux kernel it is different, because, well, the Linux kernel is 99% drivers, most of which are compiled into kernel modules in most distributions. When a flaw in Windows affects 100% of the Windows customer base, a flaw in a driver in Linux kernel might affect 0.0001%. I am pretty sure that security issues found in drivers in Windows are reported against the hardware manufacturer who wrote the driver, not Microsoft ...

      And Linux supports all hardware supported by Windows 95+, a number of drivers from the Windows 3.x days have been deprecated in Linux. Windows 7 had deprecated drivers from Windows XP era ... my Chinese noname webcam no longer worked on Windows 7....

      Oh, and Edge had its first critical flaw in September 2015, +/- a month after release. Note that Edge was written by the SAME NUMPTIES who designed/developed flash ... ;-)

      1. h4rm0ny
        Paris Hilton

        Re: Firefox is just as bad

        >>"Note that Edge was written by the SAME NUMPTIES who designed/developed flash ... ;-)"

        Say what????

      2. Anonymous Coward
        Anonymous Coward

        Re: Firefox is just as bad

        "For the Linux kernel it is different, because, well, the Linux kernel is 99% drivers"

        But the vast majority of Linux kernel vulnerabilities are not driver related, and the Linux kernel still manages to accumulate lots more documented holes than the Windows kernel.

        "I am pretty sure that security issues found in drivers in Windows are reported against the hardware manufacturer who wrote the driver, not Microsoft ..."

        No - even Flash vulnerabilities show as Microsoft when it's an included version of Flash...

        "Note that Edge was written by the SAME NUMPTIES who designed/developed flash"

        Utter rubbish.

        1. Anonymous Coward
          Anonymous Coward

          Re: Firefox is just as bad

          "Note that Edge was written by the SAME NUMPTIES who designed/developed flash"

          Why then has Edge had far fewer security holes than Chrome or Safari?

        2. Roo
          Windows

          Re: Firefox is just as bad

          "and the Linux kernel still manages to accumulate lots more documented holes than the Windows kernel."

          Oooh look, an AC Shillingsworth having a pop at Linux again with zero citations to back themselves up. Have a downvote to go with your shilling.

  9. Your alien overlord - fear me
    Coat

    Er, should I update my flash player on Android? Would it even work on an Android system?

    Mine's the 'Flash'er mac - geddit?

  10. Anonymous Coward
    Anonymous Coward

    The Internet Explorer / Edge link points to the Google Chromium homepage. Is that some attempt at sarcasm, or is it an error?

  11. Dr. Ellen
    Flame

    Curse you, McAfee!

    I don't know how many times I've unchecked the box that says "install McAfee such'n'so" while updating programs (including Flash). I wasn't paying sufficient attention, and this time they got me. Constant Vigilance!

    1. Mark 85

      Re: Curse you, McAfee!

      Which is worse then: (pick as many as you want):

      1) McAfee

      2) Ask Toolbar

      3) Chrome

      4) Yahoo

      5) Flash for offering any and all of the above.

    2. tempemeaty
      Mushroom

      Re: Curse you, McAfee!

      Yes. The level of how much I detest BOTH Adobe and McAfee for this can not be measured on any scale in the known universe. I recently was had when I was sure I had ALL the install boxes unchecked as well.

      This is an absolutely CERTAIN way to wreck any computer which already has another brand of Anti Virus software on it. It's an incredible irresponsibility on the part of Adobe to include McAfee in the install at all.

  12. s. pam Silver badge
    Mushroom

    "If you haven't already enabled click-to-play for Flash in your browser".....

    Did that, we've purged Flash is Trash from ALL computers in our family. And extended family. And closest friends.

    Adobe should have their doors forcibly closed for perpetuating Flash!

  13. Anonymous Coward
    Anonymous Coward

    There's really little reason to run flash these days - most stuff works with html5, and you can keep a separate browser for the occasional site that needs it.

    Nice side effect: less crud as it breaks the most annoying adverts, and sites load quicker.

    1. Vector

      "...and you can keep a separate browser for the occasional site that needs it"

      I hope you keep that "separate browser" in a sandbox (perhaps even in one of those isolation boxes with the rubber gloves), because many of these vulnerabilities compromise the system, not the browser in use!

  14. Winkypop Silver badge
    Stop

    When will the horror end?

    Enough already, OK?

    Even though my gear is Flash-less, the people who's machines I (get roped into) fix are often NOT.

    1. Jan Hargreaves

      Re: When will the horror end?

      When HTML5 can be anywhere near Flash for gaming in the browser. It's a LONG way away...

      1. Cameron Colley

        Re: When will the horror end?

        HTML5 gaming? See Bananabread. OK, so it's a different sort of game to the ones generally made in Flash but it illustrates nicely that it's probably not HTML5 itself holding gaming back but, perhaps, lack of experienced developers.

        1. Hans 1

          Re: When will the horror end?

          >HTML5 gaming?

          What about SVG gaming!!!! 1/1000 of the loading time as compared to flash, native browser support, except some ie's, but those who are dumb enough to use ie or edge use oudated flash and java plugins anyway ...

          1. Anonymous Coward
            Anonymous Coward

            Re: When will the horror end?

            Voice of experience speaking: "the browsers all suck"

            I wouldn't touch SVG for games, when there's an immediate-mode equivalent: Canvas API. For a stupid web game that doesn't push the performance limits of a phone/tablet, it's fine. The bigger obstacle for most people coming to HTML5 from Flash is async resource loading. You can punt by embedding all your resources in one HTML file (audio+images in base64 data:// urls) but if that ends up being more than a few MBs in size, give up.

  15. Patrick R
    Holmes

    Misleading

    "An unpatched PC or Mac can be compromised by simply running a malicious Flash file on a webpage." Herm ...I'm pretty sure I've read this line before. That seems to imply that patching would make you safe(r) but reality is Flash makes your computer unpatched for life.

  16. Anonymous Coward
    Anonymous Coward

    And.....like a flash!

    It was gone!

  17. x 7

    surely it must be possible to create a sandboxed codec which just allows Flash videos to play back and do nothing else?

  18. rordjjjfg

    This is why browser vendors should not be using adobe plug-ins to display HTML 5 DRM video content.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like