Dear Windows, OS X folks: Update Flash now. Or kill it. Killing it works

Adobe has published new versions of Flash to patch a vulnerability being exploited right now by hackers to hijack PCs and Macs. The APSB16-10 update addresses a total of 24 CVE-listed flaws, including one (CVE-2016-1019) that's been exploited in the wild to inject malware into Microsoft Windows and Apple OS X systems. Users …

Hopefully this hoohah will be its death.

10
0
Silver badge

We can but dream.

4
0

It's dead to me :-)

11
0

Genuine query

I recently upgraded to a new machine & started with clean installs of everything, SANS Flash. However I still use chromium for the odd website & was wondering if pepper flash is as susceptible - I would like to keep my new setup free of cooties for as long as possible.

0
0
Silver badge

Re: Genuine query

Just don't install anything that can run Flash, then you won't have to worry if an exploit can ruin your day.

If your system can't run Flash, then all the exploits that rely on it to infect you have to go infect someone else. You can't run the container, thus the shit inside it can't splatter all over you.

Flash: just don't.

9
1
Silver badge

Re: Genuine query

"Just don't install anything that can run Flash" - like Windows 10 (Flash included courtesy of wise folks at MS).

17
3
Silver badge

Re: Genuine query

"However I still use chromium for the odd website & was wondering if pepper flash is as susceptible"

Yes, but the update should be automatic.

0
0
Silver badge

Get the content producers to kill it

Otherwise it will linger on and on and on and on.

Come on people, stop producing content that needs Flash. Then it will go away.

Yes you, BBC and the rest... You know who you are.

It is all well and good saying that you are going to stop using it but when are we going to see some action eh?

My laptop does not and will never have flash installed. I've got rid, now it is your turn!

40
0

Re: Get the content producers to kill it

This. Absolutely.

7
1
Bronze badge

Re: Get the content^H^H^H^H^H^H^H producers to kill it

I wonder why Adobe hasn't come clean and globally recommended that everyone uninstall Flash and wait until a secure version is released. Anyone have any ideas?

6
1
Meh

Re: Get the content producers to kill it

"BBC and the rest... You know who you are."

The Mrs called me over to look at her laptop the other day, she'd been googling something or other and ended up on the BBC site and was being prompted to install Flash. I explained that Flash was obsolete and a security nightmare and rather than her re-install Flash on her computer, the BBC needed to get their site up to date. She subsequently found what she was looking for on another site.

12
1
Silver badge

Re: Get the content^H^H^H^H^H^H^H producers to kill it

iOS users will all install Flash when a secure version is released. They have been waiting for it since the first release of iOS.

4
1
Silver badge

Re: Get the content^H^H^H^H^H^H^H producers to kill it

"I wonder why Adobe hasn't come clean and globally recommended that everyone uninstall Flash and wait until a secure version is released. Anyone have any ideas?"

It wouldn't be until the heat death of the universe before that POS is secure... so they'll lose out on monies from the likes of McAfee and Yahoo....

7
0
Silver badge

Re: Get the content^H^H^H^H^H^H^H producers to kill it

"I wonder why Adobe hasn't come clean and globally recommended that everyone uninstall Flash and wait until a secure version is released. Anyone have any ideas?"

Because by the time they had a reasonably bug-free version of flash ready, everybody'd have moved on to using something else, and there'd be no market for it*?

*Or the heat death of the Universe will have happened first, and nobody'd be left to use it, a toss-up between the two, really.

2
0
FAIL

Re: Get the content producers to kill it

*"...Yes you, BBC and the rest... You know who you are...."*

All the more annoying, given the BBC is quite happy to serve you up HTML5 Based iPlayer content, if you're using a mobile device.

Of course the simple answer is to use one of the many User-Agent spoofing extensions for either Firefox or Chrome, to pretend you're visiting on a mobile browser. Then, Auntie will quite happily serve you up Flash-free content on your desktop or laptop.

In the past, I've written a couple of howtos on this:

* iPlayer without Flash on OSX

and

* BBC Radio on Linux

which may be useful to point your non-tecchy friends at, next time they ask about being able to do this.

12
0
Gold badge

Re: Get the content^H^H^H^H^H^H^H producers to kill it

I wonder why Adobe doesn't just document Flash (ie, publish the source code, coz I'm sure that's the only accurate documentation there is by now) and leave it to others to produce a secure player.

They don't actually make any money selling the player, so this would reduce their costs and (if anyone managed it) might actually boost the market for the tools (which they do sell) to produce content.

1
0
Gold badge

Re: Get the content producers to kill it

@To Mars in Man Bras!:

Fantastic! Thanks. (To everyone else, the links describe how to get the (fixed) URLs that you can then use in (say) VLC. You only have to do the hard bit once.)

1
0

Re: document Flash ie, publish the source code

The thing is that Flash Player isn't just a video player. It's an entire operating system (very minor exaggeration). Adobe do publish a partial spec of the SWF format.

There have been attempts to replicate the video-playing part, see for example, Gnash.

1
0
Headmaster

Re: Get the content producers to kill it

@To Mars in Man Bras! - iPlayer works on HTML5 without Flash now.

If you haven't got Flash it just works. If you do have flash, you can opt into their HTML5 beta and get the HTML5 feed instead. BBC News still uses mostly Flash though.

Grateful for your guide but it hasn't been necessary since they started the beta.

0
0

iPlayer Radio 4

Clicking on some recent Radio 4 programmes, I get "This content cannot be played in our HTML5 Player - Download Flash Player now" (under Ubuntu/Firefox with various blockers like AdBlock, NoScript, Ghostery but no Flash).

RadioTray only streams, it doesn't appear to play archived programmes. It doesn't come pre-configured with BBC Radio and it stops playing after a couple of minutes.

1
0
Anonymous Coward

Re: Get the content producers to kill it

But for now many sites only use Flash for video streaming so it's use it or go without video.

1
0

Re: Get the content^H^H^H^H^H^H^H producers to kill it

They don't make money off the player, but they make money with the bundled crapware it comes with. Two separate pieces of foistware today. Guess they're quite happy with frequent vulnerabilities. Makes people download their latest steaming pile more often. More chances to accidentally fail to deselect the shit they offer with it.

2
0
Anonymous Coward

Re: Get the content producers to kill it

me too.

Binned off W10 at the weekend for Ubuntu, and didn't bother installing the F word.

Thus far, not really noticed it apart from the exception of a few anachronistic cases. For those, I decided it wasn't really going to ruin my day to shrug, forget it, and move on somewhere else.

1
0
Alert

Re: Get the content producers to kill it

*"...If you haven't got Flash it just works..."*

Not on Linux. You'll get the "You need to install Flash" error.

0
0
Silver badge

Swiss Cheese

Flash is like a block of Swiss cheese made by the Leonhard Euler company - it's "patched" by rotating it so that the holes move.

12
0
JLV
Silver badge
Joke

suggestion

El Reg, I regret to say this, but you should concentrate on unexpected news.

Might I suggest you run a monthly, nay, weekly, "no vulnerabilities found in Flash this week" column instead?

p.s. wanted to cite Shannon's Theorem (?) about the value of a piece of information being inversely proportional to its probability, but I couldn't find the exact definition in plain English.

5
0
Silver badge

Re: suggestion

"Might I suggest you run a monthly, nay, weekly, "no vulnerabilities found in Flash this week" column instead?"

Easier to post a daily ">n< days with no new Flash vulnerabilities" notice, and then do a Special Report in the unlikely event >n< ever exceeded 30 days.

5
0
Anonymous Coward

Well, time to zap the blight

It's time to run that experiment again: killing off Flash by properly removing it from the system and seeing which websites still work after that.

I hope I find enough of them still working to flush Flash for good. Last time the result wasn't good :(.

1
0

Re: Well, time to zap the blight

About the only thing (save the occasionally amusing flash game or animation) that anyone has used it for in the last 5 years is video, and it's finally obsolete for that too. You might still rarely come across a site that needs it for video, but essentially all major sites support HTML video now. In short, it's time.

4
0
Gold badge

Re: Well, time to zap the blight

As far as I'm concerned, the BBC is the only one left. (That is, I've removed flash and the only site I care about that is broken by this is the beeb. Thanks to Man Bras!' comment above, I may not even care about that anymore.)

0
0

Is anyone from MIT reading this?

https://scratch.mit.edu/projects/855598/

"Oh no! We're having trouble displaying this Scratch project.

If you are on a mobile phone or tablet, try visiting this project on a computer.

If you're on a computer, your Flash player might be disabled, missing, or out of date. Visit this page to update Flash."

7
0

Re: Is anyone from MIT reading this?

They picked the wrong time to go to Flash. Not that the previous choice, Java, was so great either, but at least there are other legitimate geeky reasons for having that one installed.

1
0

Doesn't work

Flash stopped working for me yesterday, on all sites.

Details: Windows 10, both IE and Edge browsers.

So I went to the adobe help site for flash. It told me they can't determine what version of flash I am running. They said:

- I either don't have flash installed, or

- It is disabled.

Following their recommended procedure, I determined that flash is indeed installed and it is enabled. (Just as an experiment, I disabled it and re-enabled it.. No help.)

The next solution they suggested was to turn off ActiveX filtering on a site-by-site basis. I tried it. It didn't work.

The final proposed solution was to upgrade to the latest version.

When I went to their web site for this, it told me that flash is integrated into my browser, so I don't need to update it!

Colour me frustrated.

(And by the way, Adobe offers no support for flash other than their user forums.)

2
0
Silver badge

Re: Doesn't work

Just uninstall Windows 10. You now know from first hand experience just one of the reasons why people here don't want anything to do with W10.

There are other options you know.

As has been said, spoofing your browser can get most sites that need it to display the content in HTML5 rather than in Flash. Just watch out if you do do that on W10 as Microsoft seems to have started overwriting your user settings with updates.

{Posted from a Windows 10 and Flash free environment}

1
1

How can I tell all my cousins to update Flash when Adobe insists on putting random spammy 'offers' on their update site that they ought to untick, but never do? If Adobe want their nasty technology to survive, they should at least develop a reputation for trust.

5
0
Silver badge

Trust? Adobe?!

You're funny

0
0
Silver badge

Re: Trust? Adobe?!

How about the OS?

Surely what we should be aiming for is an OS which can contain malicious software. What we really want is an OS which can be told to lock the about-to-be-executed process in solitary confinement.

Internet browsers do not need access to all the files under a user's account. Even if the flash executable is full of holes, the browser should have asked the OS to jail that tab (all new tabs by default) so that it can't output to anything but the screen. The browser itself should be launched in a jail. How often do you need to pass data from your filesystem (outside your own browser cache) to a browser? I'd suffer per tab caches if that meant extra security. If you do need to pass a file to a browser, the browser should ask the OS for access and the OS should ask the user. The browser process should not have general access to the file system. Why can't the OS have a high-security prison where even saving files to disk goes through a secure request mechanism: "I'd like to save some data to disk, here's what mime-type it is, here's what I think the name should be, and here's the data, please ask the user where it should go and put it there."

The days of "it runs as user X, it has all privileges of user X" should be well and truly over. Drive-by download compromises should be a thing of the past.

I seem to think elreg mentioned that MS had done quite a bit of work on this for W8, but only for store apps... and then they undid it for W10. Doh!

Even swiss-cheese software should not be a problem. That is the point of an OS.

2
0
Silver badge

Re: Trust? Adobe?!

Guess you never heard of a sandbox escape exploit. Even if you jail the process, the right exploit can allow the malicious process to jailbreak out into the OS itself, where a privilege escalation exploit takes care of the rest. And no, you cannot make a practical OS airtight without sacrificing something else the user demands like performance (example, seL4 is ONLY secure when DMA is turned off: kinda important for performance-intensive stuff like graphics and low-latency networking).

1
0
Silver badge

Re: Trust? Adobe?!

"Internet browsers do not need access to all the files under a user's account."

PS. The browser DOES need write access to user account storage. Otherwise, it has no capacity to download anything.

0
0
Silver badge

"Adobe want their nasty technology to survive, they should at least develop a reputation for trust."

Who needs trust when you have a captive market? Sure, video can pass, but Flash is more than video, and many things are used everyday and are Flash-ONLY (including very expensive enterprise stuff).

0
0
Meh

Does not compute

I completely uninstalled Flash on my Mac over a year ago and haven't missed it. In fact the only site I've noticed where I can't get all the content is of course the BBC news site, and let's face it, there's enough written content on that site that missing the odd video doesn't matter.

2
0
Silver badge

Rule of Law

Asking users of your website to install Flash to view it, these days, is tantamount to asking them to invite a drive-by exploit from the next site they visit. It's almost as though those sites that (still) require Flash were in league with the malware peddlers.

That being so, perhaps the best approach (in the UK, at least) would be to identify all those sites that require flash and threaten to prosecute their owners with conspiracy to commit a breach of the Computer Misuse Act 1990.

0
0
Silver badge

Re: Rule of Law

Trouble is, that does squat for all the foreign websites out there, unless you're saying the UK can start blocking those sites like they at least try for The Pirate Bay.

0
0
Anonymous Coward

Simples, all browsers should disable auto-play for all plug-ins and media!

The Microsoft Edge Flash changes didn't go nearly far enough (I'm loath to use it anyway), all browsers should disable /all/ plug-in auto-play by default (yes Silverlight too for corp-tard Visio), and have blacklists for the worst sites to block native-browser, are-you-sure, click-to-play prompts.

Flash is not just a security risk, I regularly see it significantly worsen browser responsiveness and increase CPU use, so it urgently needs to become end-of-life and only temporarily loaded/started (then unloaded/stopped) for legacy content, which retarded sites (including legacy corporate intranet content) can't or are too lazy to transcode to MP4 or HTML 5.

It is frankly unacceptable for any site (internet or intranet) to still host Flash or other plug-in media, it should all be standard audio/video codecs like MP3, FLAC, MP4 or MKV, and not stupid junk like wav, mov, avi, wmv or any non-standard Cisco codecs.

0
0
Silver badge

Re: Simples, all browsers should disable auto-play for all plug-ins and media!

What about all that Flash stuff that ISN'T about media files but about interactive control panels and the like? You know, the kind of stuff that's hosted on corporate intranets and can't be removed without writing off a very expensive and business-critical piece of hardware that runs it all?

0
0
Anonymous Coward

It's all about the DRM

The reason that Flash still remains for video is because content producers require broadcasters to implement DRM when streaming material to customers. We all know just how easy DRM is to circumvent and how obstructive it is as a technology, however the big media companies still think it's the answer to their dreams. Until someone can demonstrate a viable and secure content delivery mechanism, we'll be stuck with Flash and all of the security holes it introduces.

0
0
Anonymous Coward

Re: It's all about the DRM

It's not so much the stuff of their dreams but the demand of their investors, without which they may as well just pack it up and call it a night. So they really don't have a choice in the matter: it's DRM or Bust. And if the media companies start going bust, where will we get our content from in future?

0
0

Uninstalled :-)

I feel clean.

Now, if only I could see Java off...

3
0
Silver badge

Google "zero days since last accident"

I've tried deleting Flash, but there is always some vital website that needs it.

0
0

The number of times a story like this appears just amazes me. Forget FLASH - this is just an application. Why on earth does the underlying OS (and this applies to Windows and IOS) allow an APPLICATION to do this?

REAL Operating Systems [I worked with VMS for many, many years] worked hard to ensure user code couldn't do damage outside areas it was allowed to. Then someone created Operating Systems for the masses! There is the concept of an Administrator and a User, but if a user runs some carefully crafted applications, they can be Administrator. Pah!

Jc

0
0


Biting the hand that feeds IT © 1998–2018