Dear Windows, OS X folks: Update Flash now. Or kill it. Killing it works

Adobe has published new versions of Flash to patch a vulnerability being exploited right now by hackers to hijack PCs and Macs. The APSB16-10 update addresses a total of 24 CVE-listed flaws, including one (CVE-2016-1019) that's been exploited in the wild to inject malware into Microsoft Windows and Apple OS X systems. Users …

  1. Dieter Haussmann

    Hopefully this hoohah will be its death.

  2. VinceH Silver badge

    We can but dream.

  3. Salts

    It's dead to me :-)

  4. Mitoo Bobsworth

    Genuine query

    I recently upgraded to a new machine & started with clean installs of everything, SANS Flash. However I still use chromium for the odd website & was wondering if pepper flash is as susceptible - I would like to keep my new setup free of cooties for as long as possible.

  5. Shadow Systems Silver badge

    Re: Genuine query

    Just don't install anything that can run Flash, then you won't have to worry if an exploit can ruin your day.

    If your system can't run Flash, then all the exploits that rely on it to infect you have to go infect someone else. You can't run the container, thus the shit inside it can't splatter all over you.

    Flash: just don't.

  6. joed Silver badge

    Re: Genuine query

    "Just don't install anything that can run Flash" - like Windows 10 (Flash included courtesy of wise folks at MS).

  7. Charlie Clark Silver badge

    Re: Genuine query

    However I still use chromium for the odd website & was wondering if pepper flash is as susceptible

    Yes, but the update should be automatic.

  8. Steve Davies 3 Silver badge

    Get the content producers to kill it

    Otherwise it will linger on and on and on and on.

    Come on people, stop producing content that needs Flash. Then it will go away.

    Yes you, BBC and the rest... You know who you are.

    It is all well and good saying that you are going to stop using it but when are we going to see some action eh?

    My laptop does not and will never have flash installed. I've got rid, now it is your turn!

  9. JustNiz

    Re: Get the content producers to kill it

    This. Absolutely.

  10. Michael Thibault Bronze badge

    Re: Get the content^H^H^H^H^H^H^H producers to kill it

    I wonder why Adobe hasn't come clean and globally recommended that everyone uninstall Flash and wait until a secure version is released. Anyone have any ideas?

  11. Andy Non
    Meh

    Re: Get the content producers to kill it

    "BBC and the rest... You know who you are."

    The Mrs called me over to look at her laptop the other day, she'd been googling something or other and ended up on the BBC site and was being prompted to install Flash. I explained that Flash was obsolete and a security nightmare and rather than her re-install Flash on her computer, the BBC needed to get their site up to date. She subsequently found what she was looking for on another site.

  12. gnasher729 Silver badge

    Re: Get the content^H^H^H^H^H^H^H producers to kill it

    iOS users will all install Flash when a secure version is released. They have been waiting for it since the first release of iOS.

  13. Mark 85 Silver badge

    Re: Get the content^H^H^H^H^H^H^H producers to kill it

    I wonder why Adobe hasn't come clean and globally recommended that everyone uninstall Flash and wait until a secure version is released. Anyone have any ideas?

    It wouldn't be until the heat death of the universe before that POS is secure... so they'll lose out on monies from the likes of McAfee and Yahoo....

  14. Captain DaFt

    Re: Get the content^H^H^H^H^H^H^H producers to kill it

    "I wonder why Adobe hasn't come clean and globally recommended that everyone uninstall Flash and wait until a secure version is released. Anyone have any ideas?"

    Because by the time they had a reasonably bug-free version of flash ready, Everybody'd have moved on to using something else, and there'd be no market for it*?

    *Or the heat death of the Universe will have happened first, and nobody'd be left to use it, a toss-up between the two, really.

  15. To Mars in Man Bras!
    FAIL

    Re: Get the content producers to kill it

    *"...Yes you, BBC and the rest... You know who you are...."*

    All the more annoying, given the BBC is quite happy to serve you up HTML5-based iPlayer content if you're using a mobile device.

    Of course the simple answer is to use one of the many User-Agent spoofing extensions for both Firefox and Chrome, to pretend you're visiting on a mobile browser. Then, Auntie will quite happily serve you up Flash-free content on your desktop or laptop.

    In the past, I've written a couple of howtos on this:

    * iPlayer without Flash on OSX

    and

    * BBC Radio on Linux

    which may be useful to point your non-techy friends at, next time they ask about being able to do this.
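One way to do the User-Agent switch described above, as an added example that is not part of the original comment, the howtos it links, or any BBC or browser-vendor code: a small WebExtension-style header rewriter. The host list, the mobile UA string and the use of the MV2 blocking webRequest API are assumptions; the rewrite is scoped to the listed hosts so the spoofed UA is not sent to every other site.

```javascript
// Added example (not from the thread): rewrite the User-Agent header only
// for the BBC hosts listed here, so the site negotiates its HTML5 player
// instead of asking the visitor to install Flash.
// SPOOF_HOSTS and MOBILE_UA are assumptions/constructed values; the
// Firefox/Chrome MV2 "blocking" webRequest listener shape is assumed.

const SPOOF_HOSTS = ["www.bbc.co.uk", "www.bbc.com"]; // assumed host list
const MOBILE_UA =                                      // constructed UA
  "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) " +
  "AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13E233";

// Decide from the request URL whether this request should be spoofed.
// A short allow-list keeps the fake UA from leaking to unrelated sites,
// where it would break their own content negotiation.
function shouldSpoof(url) {
  let host;
  try { host = new URL(url).hostname; } catch (e) { return false; }
  return SPOOF_HOSTS.includes(host.toLowerCase());
}

// Pure function: returns the header list to send without mutating the
// input. Header names are matched case-insensitively (HTTP headers are),
// an existing UA is replaced in place, and a missing UA header is added.
function rewriteHeaders(url, requestHeaders) {
  if (!shouldSpoof(url)) return requestHeaders;
  let replaced = false;
  const out = requestHeaders.map((h) => {
    if (h.name.toLowerCase() === "user-agent") {
      replaced = true;
      return { name: h.name, value: MOBILE_UA };
    }
    return h;
  });
  if (!replaced) out.push({ name: "User-Agent", value: MOBILE_UA });
  return out;
}

// webRequest listener: details.url / details.requestHeaders in,
// { requestHeaders } out. Registered only when an extension API exists,
// so the module also loads (and is testable) outside a browser.
function onBeforeSendHeaders(details) {
  return { requestHeaders: rewriteHeaders(details.url, details.requestHeaders) };
}

const ext = typeof browser !== "undefined" ? browser
          : typeof chrome !== "undefined" ? chrome : null;
if (ext && ext.webRequest) {
  ext.webRequest.onBeforeSendHeaders.addListener(
    onBeforeSendHeaders,
    { urls: SPOOF_HOSTS.map((h) => `*://${h}/*`) },
    ["blocking", "requestHeaders"]
  );
}
```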

  16. Ken Hagan Gold badge

    Re: Get the content^H^H^H^H^H^H^H producers to kill it

    I wonder why Adobe doesn't just document Flash (ie, publish the source code, coz I'm sure that's the only accurate documentation there is by now) and leave it to others to produce a secure player.

    They don't actually make any money selling the player, so this would reduce their costs and (if anyone managed it) might actually boost the market for the tools (which they do sell) to produce content.

  17. Ken Hagan Gold badge

    Re: Get the content producers to kill it

    @To Mars in Man Bras!:

    Fantastic! Thanks. (To everyone else, the links describe how to get the (fixed) URLs that you can then use in (say) VLC. You only have to do the hard bit once.)

  18. Steve Graham

    Re: document Flash ie, publish the source code

    The thing is that Flash Player isn't just a video player. It's an entire operating system (very minor exaggeration). Adobe do publish a partial spec of the SWF format.

    There have been attempts to replicate the video-playing part, see for example, Gnash.

  19. Don Dumb
    Headmaster

    Re: Get the content producers to kill it

    @To Mars in Man Bras! - iPlayer works on HTML5 without Flash now.

    If you haven't got Flash it just works. If you do have flash, you can opt into their HTML5 beta and get the HTML5 feed instead. BBC News still uses mostly Flash though.

    Grateful for your guide but it hasn't been necessary since they started the beta.

  20. Dr Paul Taylor

    iPlayer Radio 4

    Clicking on some recent Radio 4 programmes, I get "This content cannot be played in our HTML5 Player - Download Flash Player now" (under Ubuntu/Firefox with various blockers like AdBlock, NoScript, Ghostery but no Flash).

    RadioTray only streams, it doesn't appear to play archived programmes. It doesn't come pre-configured with BBC Radio and it stops playing after a couple of minutes.

  21. Anonymous Coward

    Re: Get the content producers to kill it

    But for now many sites only use Flash for video streaming so it's use it or go without video.

  22. Sebastian A

    Re: Get the content^H^H^H^H^H^H^H producers to kill it

    They don't make money off the player, but they make money with the bundled crapware it comes with. Two separate pieces of foistware today. Guess they're quite happy with frequent vulnerabilities. Makes people download their latest steaming pile more often. More chances to accidentally fail to deselect the shit they offer with it.

  23. Anonymous Coward

    Re: Get the content producers to kill it

    me too.

    Binned off W10 at the weekend for Ubuntu, and didn't bother installing the F word.

    Thus far, not really noticed it apart from the exception of a few anachronistic cases. For those, I decided it wasn't really going to ruin my day to shrug, forget it, and move on somewhere else.

  24. To Mars in Man Bras!
    Alert

    Re: Get the content producers to kill it

    *"...If you haven't got Flash it just works..."*

    Not on Linux. You'll get the "You need to install Flash" error.

  25. Version 1.0 Silver badge

    Swiss Cheese

    Flash is like a block of Swiss cheese made by the Leonhard Euler company - it's "patched" by rotating it so that the holes move.

  26. JLV Silver badge
    Joke

    suggestion

    El Reg, I regret to say this, but you should concentrate on unexpected news.

    Might I suggest you run a monthly, nay, weekly, "no vulnerabilities found in Flash this week" column instead?

    p.s. wanted to cite Shannon's Theorem (?) about the value of a piece of information being inversely proportional to its probability, but I couldn't find the exact definition in plain English.

  27. Captain DaFt

    Re: suggestion

    "Might I suggest you run a monthly, nay, weekly, "no vulnerabilities found in Flash this week" column instead?"

    Easier to post a daily ">n< days with no new Flash vulnerabilities" notice, and then do a Special Report in the unlikely event >n< ever exceeded 30 days.

  28. Anonymous Coward

    Well, time to zap the blight

    It's time to run that experiment again: killing off Flash by properly removing it from the system and seeing which websites still work after that.

    I hope I find enough of them still working to flush Flash for good. Last time the result wasn't good :(.

  29. Old Handle

    Re: Well, time to zap the blight

    About the only thing (save the occasionally amusing Flash game or animation) that anyone has used it for in the last 5 years is video, and it's finally obsolete for that too. You might still rarely come across a site that needs it for video, but essentially all major sites support HTML video now. In short, it's time.

  30. Ken Hagan Gold badge

    Re: Well, time to zap the blight

    As far as I'm concerned, the BBC is the only one left. (That is, I've removed flash and the only site I care about that is broken by this is the beeb. Thanks to Man Bras!' comment above, I may not even care about that anymore.)

  31. David Pollard

    Is anyone from MIT reading this?

    https://scratch.mit.edu/projects/855598/

    "Oh no! We're having trouble displaying this Scratch project.

    If you are on a mobile phone or tablet, try visiting this project on a computer.

    If you're on a computer, your Flash player might be disabled, missing, or out of date. Visit this page to update Flash."

  32. Old Handle

    Re: Is anyone from MIT reading this?

    They picked the wrong time to go to Flash. Not that the previous choice, Java, was so great either, but at least there are other legitimate geeky reasons for having that one installed.

  33. Ian Easson

    Doesn't work

    Flash stopped working for me yesterday, on all sites.

    Details: Windows 10, both IE and Edge browsers.

    So I went to the adobe help site for flash. It told me they can't determine what version of flash I am running. They said:

    - I either don't have flash installed, or

    - It is disabled.

    Following their recommended procedure, I determined that flash is indeed installed and it is enabled. (Just as an experiment, I disabled it and re-enabled it.. No help.)

    The next solution they suggested was to turn off ActiveX filtering on a site-by-site basis. I tried it. It didn't work.

    The final proposed solution was to upgrade to the latest version.

    When I went to their web site for this, it told me that flash is integrated into my browser, so I don't need to update it!

    Colour me frustrated.

    (And by the way, Adobe offers no support for flash other than their user forums.)

  34. Steve Davies 3 Silver badge

    Re: Doesn't work

    Just uninstall Windows 10. You now know from first hand experience just one of the reasons why people here don't want anything to do with W10.

    There are other options you know.

    As has been said, spoofing your browser can get most sites that need it to display the content in HTML5 rather than in Flash. Just watch out if you do do that on W10 as Microsoft seems to have started overwriting your user settings with updates.

    {Posted from a Windows 10 and Flash free environment}

  35. Steve 114

    How can I tell all my cousins to update Flash when Adobe insists on putting random spammy 'offers' on their update site that they ought to untick, but never do? If Adobe want their nasty technology to survive, they should at least develop a reputation for trust.

  36. Richard 12 Silver badge

    Trust? Adobe?!

    You're funny

  37. P. Lee Silver badge

    Re: Trust? Adobe?!

    How about the OS?

    Surely what we should be aiming for is an OS which can contain malicious software. What we really want is an OS which can be told to lock the about-to-be-executed process in solitary confinement.

    Internet browsers do not need access to all the files under a user's account. Even if the Flash executable is full of holes, the browser should have asked the OS to jail that tab (all new tabs by default) so that it can't output to anything but the screen. The browser itself should be launched in a jail. How often do you need to pass data from your filesystem (outside your own browser cache) to a browser? I'd suffer per-tab caches if that meant extra security. If you do need to pass a file to a browser, the browser should ask the OS for access and the OS should ask the user. The browser process should not have general access to the file system. Why can't the OS have a high-security prison where even saving files to disk goes through a secure request mechanism: "I'd like to save some data to disk, here's what mime-type it is, here's what I think the name should be, and here's the data, please ask the user where it should go and put it there."

    The days of "it runs as user X, it has all privileges of user X" should be well and truly over. Drive-by download compromises should be a thing of the past.

    I seem to think elreg mentioned that MS had done quite a bit of work on this for W8, but only for store apps... and then they undid it for W10. Doh!

    Even swiss-cheese software should not be a problem. That is the point of an OS.

  38. Charles 9 Silver badge

    Re: Trust? Adobe?!

    Guess you never heard of a sandbox escape exploit. Even if you jail the process, the right exploit can allow the malicious process to jailbreak out into the OS itself, where a privilege escalation exploit takes care of the rest. And no, you cannot make a practical OS airtight without sacrificing something else the user demands like performance (example, seL4 is ONLY secure when DMA is turned off: kinda important for performance-intensive stuff like graphics and low-latency networking).

  39. Charles 9 Silver badge

    Re: Trust? Adobe?!

    "Internet browsers do not need access to all the files under a user's account."

    PS. The browser DOES need write access to user account storage. Otherwise, it has no capacity to download anything.

  40. Charles 9 Silver badge

    "Adobe want their nasty technology to survive, they should at least develop a reputation for trust."

    Who needs trust when you have a captive market? Sure, video can pass, but Flash is more than video, and many things are used every day and are Flash-ONLY (including very expensive enterprise stuff).

  41. Andy Towler
    Meh

    Does not compute

    I completely uninstalled Flash on my Mac over a year ago and haven't missed it. In fact the only site I've noticed where I can't get all the content is of course the BBC news site, and let's face it, there's enough written content on that site that missing the odd video doesn't matter.

  42. dajames Silver badge

    Rule of Law

    Asking users of your website to install Flash to view it, these days, is tantamount to asking them to invite a drive-by exploit from the next site they visit. It's almost as though those sites that (still) require Flash were in league with the malware peddlers.

    That being so, perhaps the best approach (in the UK, at least) would be to identify all those sites that require flash and threaten to prosecute their owners with conspiracy to commit a breach of the Computer Misuse Act 1990.

  43. Charles 9 Silver badge

    Re: Rule of Law

    Trouble is, that does squat for all the foreign websites out there, unless you're saying the UK can start blocking those sites like they at least try for The Pirate Bay.

  44. Anonymous Coward

    Simples, all browsers should disable auto-play for all plug-ins and media!

    The Microsoft Edge Flash changes didn't go nearly far enough (I'm loath to use it anyway), all browsers should disable /all/ plug-in auto-play by default (yes Silverlight too for corp-tard Visio), and have blacklists for the worst sites to block native-browser, are-you-sure, click-to-play prompts.

    Flash is not just a security risk, I regularly see it significantly worsen browser responsiveness and increase CPU use, so it urgently needs to become end-of-life and only temporarily loaded/started (then unloaded/stopped) for legacy content, which retarded sites (including legacy corporate intranet content) can't or are too lazy to transcode to MP4 or HTML 5.

    It is frankly unacceptable for any site (internet or intranet) to still host Flash or other plug-in media, it should all be standard audio/video codecs like MP3, FLAC, MP4 or MKV, and not stupid junk like wav, mov, avi, wmv or any non-standard Cisco codecs.

  45. Charles 9 Silver badge

    Re: Simples, all browsers should disable auto-play for all plug-ins and media!

    What about all that Flash stuff that ISN'T about media files but about interactive control panels and the like? You know, the kind of stuff that's hosted on corporate intranets and can't be removed without writing off a very expensive and business-critical piece of hardware that runs it all?

  46. Anonymous Coward

    It's all about the DRM

    The reason that Flash still remains for video is because content producers require broadcasters to implement DRM when streaming material to customers. We all know just how easy DRM is to circumvent and how obstructive it is as a technology, however the big media companies still think it's the answer to their dreams. Until someone can demonstrate a viable and secure content delivery mechanism, we'll be stuck with Flash and all of the security holes it introduces.

  47. Anonymous Coward

    Re: It's all about the DRM

    It's not so much the stuff of their dreams but the demand of their investors, without which they may as well just pack it up and call it a night. So they really don't have a choice in the matter: it's DRM or Bust. And if the media companies start going bust, where will we get our content from in future?

  48. Captain Queeg

    Uninstalled :-)

    I feel clean.

    Now, if only I could see Java off...

  49. EveryTime Silver badge

    Google "zero days since last accident"

    I've tried deleting Flash, but there is always some vital website that needs it.

  50. John Jc

    The number of times a story like this appears just amazes me. Forget FLASH - this is just an application. Why on earth does the underlying OS (and this applies to Windows and iOS) allow an APPLICATION to do this?

    REAL Operating Systems [I worked with VMS for many, many years] worked hard to ensure user code couldn't do damage outside areas it was allowed to. Then someone created Operating Systems for the masses! There is the concept of an Administrator and a User, but if a user runs some carefully crafted applications, they can be Administrator. Pah!

    Jc


Biting the hand that feeds IT © 1998–2018