Dear Windows, OS X folks: Update Flash now. Or kill it. Killing it works

Adobe has published new versions of Flash to patch a vulnerability being exploited right now by hackers to hijack PCs and Macs. The APSB16-10 update addresses a total of 24 CVE-listed flaws, including one (CVE-2016-1019) that's been exploited in the wild to inject malware into Microsoft Windows and Apple OS X systems. Users …

  1. Dieter Haussmann

    Hopefully this hoohah will be its death.

    1. VinceH

      We can but dream.

    2. Salts

      It's dead to me :-)

  2. Mitoo Bobsworth

    Genuine query

    I recently upgraded to a new machine & started with clean installs of everything, SANS Flash. However I still use chromium for the odd website & was wondering if pepper flash is as susceptible - I would like to keep my new setup free of cooties for as long as possible.

    1. Shadow Systems

      Re: Genuine query

      Just don't install anything that can run Flash, then you won't have to worry if an exploit can ruin your day.

      If your system can't run Flash, then all the exploits that rely on it to infect you have to go infect someone else. You can't run the container, thus the shit inside it can't splatter all over you.

      Flash: just don't.

      1. joed

        Re: Genuine query

        "Just don't install anything that can run Flash" - like Windows 10 (Flash included courtesy of wise folks at MS).

    2. Charlie Clark Silver badge

      Re: Genuine query

      However I still use chromium for the odd website & was wondering if pepper flash is as susceptible

      Yes, but the update should be automatic.

  3. Steve Davies 3 Silver badge

    Get the content producers to kill it

    Otherwise it will linger on and on and on and on.

    Come on people, stop producing content that needs Flash. Then it will go away.

    Yes you, BBC and the rest... You know who you are.

    It is all well and good saying that you are going to stop using it but when are we going to see some action eh?

    My laptop does not and will never have flash installed. I've got rid, now it is your turn!

    1. JustNiz

      Re: Get the content producers to kill it

      This. Absolutely.

    2. Michael Thibault

      Re: Get the content^H^H^H^H^H^H^H producers to kill it

      I wonder why Adobe hasn't come clean and globally recommended that everyone uninstall Flash and wait until a secure version is released. Anyone have any ideas?

      1. gnasher729 Silver badge

        Re: Get the content^H^H^H^H^H^H^H producers to kill it

        iOS users will all install Flash when a secure version is released. They have been waiting for it since the first release of iOS.

      2. Mark 85

        Re: Get the content^H^H^H^H^H^H^H producers to kill it

        I wonder why Adobe hasn't come clean and globally recommended that everyone uninstall Flash and wait until a secure version is released. Anyone have any ideas?

        It wouldn't be until the heat death of the universe before that POS is secure... so they'll lose out on monies from the likes of McAfee and Yahoo....

      3. Captain DaFt

        Re: Get the content^H^H^H^H^H^H^H producers to kill it

        "I wonder why Adobe hasn't come clean and globally recommended that everyone uninstall Flash and wait until a secure version is released. Anyone have any ideas?"

        Because by the time they had a reasonably bug-free version of Flash ready, everybody'd have moved on to using something else, and there'd be no market for it*?

        *Or the heat death of the Universe will have happened first, and nobody'd be left to use it, a toss-up between the two, really.

      4. Ken Hagan Gold badge

        Re: Get the content^H^H^H^H^H^H^H producers to kill it

        I wonder why Adobe doesn't just document Flash (ie, publish the source code, coz I'm sure that's the only accurate documentation there is by now) and leave it to others to produce a secure player.

        They don't actually make any money selling the player, so this would reduce their costs and (if anyone managed it) might actually boost the market for the tools (which they do sell) to produce content.

        1. Steve Graham

          Re: document Flash ie, publish the source code

          The thing is that Flash Player isn't just a video player. It's an entire operating system (very minor exaggeration). Adobe do publish a partial spec of the SWF format.

          There have been attempts to replicate the video-playing part, see for example, Gnash.

        2. Sebastian A

          Re: Get the content^H^H^H^H^H^H^H producers to kill it

          They don't make money off the player, but they make money with the bundled crapware it comes with. Two separate pieces of foistware today. Guess they're quite happy with frequent vulnerabilities. Makes people download their latest steaming pile more often. More chances to accidentally fail to deselect the shit they offer with it.

    3. Andy Non Silver badge

      Re: Get the content producers to kill it

      "BBC and the rest... You know who you are."

      The Mrs called me over to look at her laptop the other day, she'd been googling something or other and ended up on the BBC site and was being prompted to install Flash. I explained that Flash was obsolete and a security nightmare and rather than her re-install Flash on her computer, the BBC needed to get their site up to date. She subsequently found what she was looking for on another site.

      1. To Mars in Man Bras!

        Re: Get the content producers to kill it

        *"...Yes you, BBC and the rest... You know who you are...."*

        All the more annoying, given the BBC is quite happy to serve you up HTML5-based iPlayer content if you're using a mobile device.

        Of course the simple answer is to use one of the many User-Agent spoofing extensions for both Firefox or Chrome, to pretend you're visiting on a mobile browser. Then, Auntie will quite happily serve you up Flash-free content on your desktop or laptop.

        In the past, I've written a couple of howtos on this:

        * iPlayer without Flash on OSX

        and

        * BBC Radio on Linux

        which may be useful to point your non-tecchy friends at, next time they ask about being able to do this.

        1. Ken Hagan Gold badge

          Re: Get the content producers to kill it

          @To Mars in Man Bras!:

          Fantastic! Thanks. (To everyone else, the links describe how to get the (fixed) URLs that you can then use in (say) VLC. You only have to do the hard bit once.)

        2. Don Dumb

          Re: Get the content producers to kill it

          @To Mars in Man Bras! - iPlayer works on HTML5 without Flash now.

          If you haven't got Flash it just works. If you do have flash, you can opt into their HTML5 beta and get the HTML5 feed instead. BBC News still uses mostly Flash though.

          Grateful for your guide, but it hasn't been necessary since they started the beta.

          1. Dr Paul Taylor

            iPlayer Radio 4

            Clicking on some recent Radio 4 programmes, I get "This content cannot be played in our HTML5 Player - Download Flash Player now" (under Ubuntu/Firefox with various blockers like AdBlock, NoScript, Ghostery but no Flash).

            RadioTray only streams, it doesn't appear to play archived programmes. It doesn't come pre-configured with BBC Radio and it stops playing after a couple of minutes.

          2. To Mars in Man Bras!

            Re: Get the content producers to kill it

            *"...If you haven't got Flash it just works..."*

            Not on Linux. You'll get the "You need to install Flash" error.

        3. Anonymous Coward

          Re: Get the content producers to kill it

          But for now many sites only use Flash for video streaming so it's use it or go without video.

    4. Anonymous Coward

      Re: Get the content producers to kill it

      me too.

      Binned off W10 at the weekend for Ubuntu, and didn't bother installing the F word.

      Thus far, not really noticed it apart from the exception of a few anachronistic cases. For those, I decided it wasn't really going to ruin my day to shrug, forget it, and move on somewhere else.

  4. Version 1.0 Silver badge

    Swiss Cheese

    Flash is like a block of Swiss cheese made by the Leonhard Euler company - it's "patched" by rotating it so that the holes move.

  5. JLV

    suggestion

    El Reg, I regret to say this, but you should concentrate on unexpected news.

    Might I suggest you run a monthly, nay, weekly, "no vulnerabilities found in Flash this week" column instead?

    p.s. wanted to cite Shannon's Theorem (?) about the value of a piece of information being inversely proportional to its probability, but I couldn't find the exact definition in plain English.

    1. Captain DaFt

      Re: suggestion

      "Might I suggest you run a monthly, nay, weekly, "no vulnerabilities found in Flash this week" column instead?"

      Easier to post a daily ">n< days with no new Flash vulnerabilities" notice, and then do a Special Report in the unlikely event >n< ever exceeded 30 days.

  6. Anonymous Coward

    Well, time to zap the blight

    It's time to run that experiment again: killing off Flash by properly removing it from the system and seeing which websites still work after that.

    I hope I find enough of them still working to flush Flash for good. Last time the result wasn't good :(.

    1. Old Handle

      Re: Well, time to zap the blight

      About the only thing (save the occasionally amusing Flash game or animation) that anyone has used it for in the last 5 years is video, and it's finally obsolete for that too. You might still rarely come across a site that needs it for video, but essentially all major sites support HTML video now. In short, it's time.

    2. Ken Hagan Gold badge

      Re: Well, time to zap the blight

      As far as I'm concerned, the BBC is the only one left. (That is, I've removed flash and the only site I care about that is broken by this is the beeb. Thanks to Man Bras!' comment above, I may not even care about that anymore.)

  7. David Pollard

    Is anyone from MIT reading this?

    https://scratch.mit.edu/projects/855598/

    "Oh no! We're having trouble displaying this Scratch project.

    If you are on a mobile phone or tablet, try visiting this project on a computer.

    If you're on a computer, your Flash player might be disabled, missing, or out of date. Visit this page to update Flash."

    1. Old Handle

      Re: Is anyone from MIT reading this?

      They picked the wrong time to go to Flash. Not that the previous choice, Java, was so great either, but at least there are other legitimate geeky reasons for having that one installed.

  8. Ian Easson

    Doesn't work

    Flash stopped working for me yesterday, on all sites.

    Details: Windows 10, both IE and Edge browsers.

    So I went to the adobe help site for flash. It told me they can't determine what version of flash I am running. They said:

    - I either don't have flash installed, or

    - It is disabled.

    Following their recommended procedure, I determined that Flash is indeed installed and it is enabled. (Just as an experiment, I disabled it and re-enabled it. No help.)

    The next solution they suggested was to turn off ActiveX filtering on a site-by-site basis. I tried it. It didn't work.

    The final proposed solution was to upgrade to the latest version.

    When I went to their web site for this, it told me that flash is integrated into my browser, so I don't need to update it!

    Colour me frustrated.

    (And by the way, Adobe offers no support for flash other than their user forums.)

    1. Steve Davies 3 Silver badge

      Re: Doesn't work

      Just uninstall Windows 10. You now know from first hand experience just one of the reasons why people here don't want anything to do with W10.

      There are other options you know.

      As has been said, spoofing your browser can get most sites that need it to display the content in HTML5 rather than in Flash. Just watch out if you do do that on W10 as Microsoft seems to have started overwriting your user settings with updates.

      {Posted from a Windows 10 and Flash free environment}

  9. Steve 114

    How can I tell all my cousins to update Flash when Adobe insists on putting random spammy 'offers' on their update site that they ought to untick, but never do? If Adobe want their nasty technology to survive, they should at least develop a reputation for trust.

    1. Richard 12 Silver badge

      Trust? Adobe?!

      You're funny

      1. P. Lee

        Re: Trust? Adobe?!

        How about the OS?

        Surely what we should be aiming for is an OS which can contain malicious software. What we really want is an OS which can be told to lock the about-to-be-executed process in solitary confinement.

        Internet browsers do not need access to all the files under a user's account. Even if the Flash executable is full of holes, the browser should have asked the OS to jail that tab (all new tabs by default) so that it can't output to anything but the screen. The browser itself should be launched in a jail. How often do you need to pass data from your filesystem (outside your own browser cache) to a browser? I'd suffer per-tab caches if that meant extra security. If you do need to pass a file to a browser, the browser should ask the OS for access and the OS should ask the user. The browser process should not have general access to the file system. Why can't the OS have a high-security prison where even saving files to disk goes through a secure request mechanism: "I'd like to save some data to disk, here's what mime-type it is, here's what I think the name should be, and here's the data, please ask the user where it should go and put it there."

        The days of "it runs as user X, it has all privileges of user X" should be well and truly over. Drive-by download compromises should be a thing of the past.

        I seem to think elreg mentioned that MS had done quite a bit of work on this for W8, but only for store apps... and then they undid it for W10. Doh!

        Even swiss-cheese software should not be a problem. That is the point of an OS.

        1. Charles 9

          Re: Trust? Adobe?!

          Guess you never heard of a sandbox escape exploit. Even if you jail the process, the right exploit can allow the malicious process to jailbreak out into the OS itself, where a privilege escalation exploit takes care of the rest. And no, you cannot make a practical OS airtight without sacrificing something else the user demands like performance (example, seL4 is ONLY secure when DMA is turned off: kinda important for performance-intensive stuff like graphics and low-latency networking).

        2. Charles 9

          Re: Trust? Adobe?!

          "Internet browsers do not need access to all the files under a user's account."

          PS. The browser DOES need write access to user account storage. Otherwise, it has no capacity to download anything.
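The save-through-a-broker mechanism P. Lee describes above, and the download case Charles 9 raises in reply, as an added example that is not code from this thread or from any real browser: a constructed Python sketch in which the untrusted renderer can only emit a `SaveRequest` (mime type, suggested name, bytes) and a privileged broker validates it, consults the user, and writes only inside the directory the user chose. The policy limits, the mime allow-list, the `ask_user` callback and the `run_demo` cases are assumptions made for the illustration.

```python
import os
import re
import tempfile
from dataclasses import dataclass
# Hypothetical policy limits and allow-list for this constructed example.
MAX_BYTES = 10 * 1024 * 1024
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
ALLOWED_TYPES = {"text/plain": ".txt", "image/png": ".png"}

@dataclass(frozen=True)
class SaveRequest:  # all the untrusted side may hand over: no path, no handle
    mime: str
    suggested_name: str
    data: bytes

class RequestRejected(ValueError):
    """Raised when the broker refuses a request."""

def validate(req: SaveRequest) -> str:
    """Broker-side checks; returns the file name that will actually be used."""
    ext = ALLOWED_TYPES.get(req.mime)
    if ext is None:
        raise RequestRejected(f"mime type not allowed: {req.mime}")
    if len(req.data) > MAX_BYTES:
        raise RequestRejected("payload too large")
    name = req.suggested_name
    # Reject rather than silently strip: a directory part or a leading dot
    # ("../../.bashrc") signals a hostile or buggy renderer.
    if os.path.basename(name) != name or not SAFE_NAME.match(name):
        raise RequestRejected(f"unsafe name: {name!r}")
    if not name.endswith(ext):
        name += ext  # keep the extension consistent with the declared type
    return name

def broker_save(req: SaveRequest, ask_user, downloads_dir: str) -> str:
    """Privileged side: validate, ask the user (ask_user(name, mime) -> bool
    stands in for the OS-owned save dialog), then write inside downloads_dir."""
    name = validate(req)
    if not ask_user(name, req.mime):
        raise RequestRejected("user declined")
    root = os.path.realpath(downloads_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(dest) != root:  # second line of defence against traversal
        raise RequestRejected("destination escapes the downloads directory")
    # O_EXCL: never overwrite a file the user did not explicitly choose.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(req.data)
    return dest

def run_demo() -> dict:
    """Exercise the broker on constructed requests; returns what happened."""
    out, d, ok = {}, tempfile.mkdtemp(), (lambda name, mime: True)
    p = broker_save(SaveRequest("text/plain", "notes.txt", b"hello"), ok, d)
    out["saved_name"] = os.path.basename(p)
    with open(p, "rb") as f:
        out["saved_bytes"] = f.read()
    cases = {
        "traversal": SaveRequest("text/plain", "../../.bashrc", b"x"),
        "bad_mime": SaveRequest("application/x-shockwave-flash", "a.swf", b"x"),
        "declined": SaveRequest("text/plain", "other.txt", b"x"),
        "overwrite": SaveRequest("text/plain", "notes.txt", b"x"),
    }
    for label, req in cases.items():
        try:
            broker_save(req, (lambda n, m: label != "declined"), d)
            out[label] = "accepted"
        except (RequestRejected, FileExistsError):
            out[label] = "rejected"
    return out
```

The renderer never learns where the file went, which is the point: a compromised tab can ask to save, but cannot pick the destination or overwrite anything on its own.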

    2. Charles 9

      "Adobe want their nasty technology to survive, they should at least develop a reputation for trust."

      Who needs trust when you have a captive market? Sure, video can pass, but Flash is more than video, and many things are used everyday and are Flash-ONLY (including very expensive enterprise stuff).

  10. Anonymous Coward

    Does not compute

    I completely uninstalled Flash on my Mac over a year ago and haven't missed it. In fact the only site I've noticed where I can't get all the content is of course the BBC news site, and let's face it, there's enough written content on that site that missing the odd video doesn't matter.

  11. dajames

    Rule of Law

    Asking users of your website to install Flash to view it, these days, is tantamount to asking them to invite a drive-by exploit from the next site they visit. It's almost as though those sites that (still) require Flash were in league with the malware peddlers.

    That being so, perhaps the best approach (in the UK, at least) would be to identify all those sites that require flash and threaten to prosecute their owners with conspiracy to commit a breach of the Computer Misuse Act 1990.

    1. Charles 9

      Re: Rule of Law

      Trouble is, that does squat for all the foreign websites out there, unless you're saying the UK can start blocking those sites like they at least try for The Pirate Bay.

  12. Anonymous Coward

    Simples, all browsers should disable auto-play for all plug-ins and media!

    The microsoft edge Flash changes didn't go nearly far enough (I'm loath to use it anyway), all browsers should disable /all/ plug-in auto-play by default (yes Silverlight too for corp-tard Visio), and have blacklists for the worst sites to block native-browser, are-you-sure, click-to-play prompts.

    Flash is not just a security risk, I regularly see it significantly worsen browser responsiveness and increase CPU use, so it urgently needs to become end-of-life and only temporarily loaded/started (then unloaded/stopped) for legacy content, which retarded sites (including legacy corporate intranet content) can't or are too lazy to transcode to MP4 or HTML 5.

    It is frankly unacceptable for any site (internet or intranet) to still host Flash or other plug-in media, it should all be standard audio/video codecs like MP3, FLAC, MP4 or MKV, and not stupid junk like wav, mov, avi, wmv or any non-standard Cisco codecs.

    1. Charles 9

      Re: Simples, all browsers should disable auto-play for all plug-ins and media!

      What about all that Flash stuff that ISN'T about media files but about interactive control panels and the like? You know, the kind of stuff that's hosted on corporate intranets and can't be removed without writing off a very expensive and business-critical piece of hardware that runs it all?

  13. Anonymous Coward

    It's all about the DRM

    The reason that Flash still remains for video is because content producers require broadcasters to implement DRM when streaming material to customers. We all know just how easy DRM is to circumvent and how obstructive it is as a technology, however the big media companies still think it's the answer to their dreams. Until someone can demonstrate a viable and secure content delivery mechanism, we'll be stuck with Flash and all of the security holes it introduces.

    1. Anonymous Coward

      Re: It's all about the DRM

      It's not so much the stuff of their dreams but the demand of their investors, without which they may as well just pack it up and call it a night. So they really don't have a choice in the matter: it's DRM or Bust. And if the media companies start going bust, where will we get our content from in future?

  14. Captain Queeg

    Uninstalled :-)

    I feel clean.

    Now, if only I could see Java off...

  15. EveryTime

    Google "zero days since last accident"

    I've tried deleting Flash, but there is always some vital website that needs it.

  16. John Jc

    The number of times a story like this appears just amazes me. Forget FLASH - this is just an application. Why on earth does the underlying OS (and this applies to Windows and IOS) allow an APPLICATION to do this?

    REAL Operating Systems [I worked with VMS for many, many years] worked hard to ensure user code couldn't do damage outside areas it was allowed to. Then someone created Operating Systems for the masses! There is the concept of an Administrator and a User, but if a user runs some carefully crafted applications, they can be Administrator. Pah!

    Jc

    1. illiad

      why does an OS allow it???

      Simple. companies with LOTS of money and investments, *blindly* going with the 'industry standard' ..

      (clueless MGR : "Its adobe, they are a big company working with MS for YEARS, why would I get *anything* that *MS* does not use????" "Linux??? WHY would I get that, ALL our budgets are spent on MS support!" )

      webdevs have all their support, paid for by MGR, to do fancy looking pages with ADOBE..

      Likewise clueless users... they can just about install Windows, don't realise the default is 'administrator'...

      Many don't know what things are, quite often it's NOT 'the blue thingy' due to it being modified by their ISP... :(

      At least BBC is *starting* its HTML5 project..

    2. Charles 9

      "REAL Operating Systems [I worked with VMS for many , many years] worked hard to ensure user code couldn't do damage outside areas it was allowed to."

      But that was before the hacker culture turned mainstream. Now you have people that dedicate significant parts of their lives to finding chinks in the armor not just of the applications, not just of the OS's but even of the hardware. Think of that: exploits in silicon. And given humans aren't perfect and the hackers only need to be lucky once, it's basically a siege situation: sooner or later, either someone cracks it or it loses the value that made it worth attacking.

  17. RNixon

    Old Flash Stuff

    The problem with just killing Flash is that there's a lot of older content out there that needs it.

    Some of which is fairly nifty stuff. Independent animations especially.

    I keep it installed but set to click-to-run.

    Now if I could only find a way to prevent HTML5 video from autoplaying. All the plugins I've tried that claim to do that don't work.

  18. Falken

    Patch Mgmt

    Use PatchMyPC dot com to keep your software up-to-date.

  19. Anonymous Coward

    It's been days now and still no Windows Update. Windows 10 that has no schedule for patches. The ones you didn't know you wanted arrive silently killing your machine and the ones you are looking for don't materialise. How positively 21st century.

  20. Anonymous Coward

    HR produces almost all content via Flash

    All their (required) "training" videos, their content-delivery systems, and so on. The only time that I allow it to run is when connected to HR websites.

  21. Uncle Ron

    Sick and Tired

    I'm so sick and tired of Flash. I can't understand why it wasn't abandoned YEARS ago. It is bloatware, unbelievably buggy, stunningly insecure and destructive and dangerous, constantly being patched--it's just a piece of junk. I'd like to see some sort of Emperor Mandate that requires its death by a date certain. Let's just say, on July 1, 2016, Adobe Flash or Shockwave Flash or whatever the heck it is, be disabled and trashed and no code will or can either require or use it. RIP.

    1. Charles 9

      Re: Sick and Tired

      Trouble is, some of the things using it are very expensive enterprise hardware. Such a mandate could easily kill businesses, and I'm not talking about the manufacturers. It's a lot like those man/machine interface computers that have to still use Windows XP because it uses antiquated hardware that Vista and above dropped support for. Many people are kinda stuck with it, to the tune of hundreds of thousands if not millions of dollars which they'll never be able to get back as the cost is already sunk.
