Adobe...sigh...issues critical patch...sigh...for Flash Player zero day

Adobe has pushed out a patch for 25 vulnerabilities in Flash Player, including one that is already being targeted in the wild. The latest fix for the internet's screen door includes a remedy for CVE-2016-4117, the remote code execution flaw that is already being exploited by criminals serving up malware-laden advertisements. …

Paris Hilton

The final countdown?

Surely, we must be near the end for this load of crap?

Paris : Well acquainted with flash, of one sort or another.

2
0

This post has been deleted by its author

Re: The final countdown?

I am completely sure that Adobe have fixed all the problems this time. They've had enough practice.

1
0
Paris Hilton

Re: The final countdown?

It's getting (or probably already has gotten) to the point that if you eliminate all the faulty code in Flash, nothing would be left (but hey, it would be clean code, eh?).

Might not be a bad thing after all.

Then again, same thing for windoze 1 0 and patch Tuesdays.

Yep, Paris. Here's her twin...

0
0

Why....

Is flash not withdrawn from use already?

3
0

Re: Why....

It has been, I make a point of uninstalling it from every PC I come into contact with.

4
0

Re: Why....

Stupid bloody "Web apps" that use it for the UI in my case. I'd love to get rid, but there's no way I can retire it as long as these things exist and we have to use them.

2
0
Anonymous Coward

What site that you can't just do without still uses Flash?

3
2
Silver badge

Hulu, I guess. Except that it's built right in to my TV, and is available for every streaming stick and box. So I don't really need the web site. But it is nevertheless a popular website under active development that seems still to be sticking with the olden days.

1
0

BBC - all the media there is still flash based.

Personally, I've set Flash to require action to run and found I'm not missing much online as a result. I also run Adblocker, mainly because malvertising seems to be one of the main avenues of attack.

10
0

Only my employer's site. So I treat my work laptop as something that I have to protect my home network from.

2
0

"What site that you can't just do without still uses Flash?"

http://circuitcellar.com/

http://www.siliconchip.com.au/ (offers low-resolution image based viewing if you don't have flash)

1
0
Silver badge

I was looking for information about Aerocool computer fans the other day, and their site's main menu didn't appear without Flash. I even tried changing my user-agent to that of an iPad to see if it would serve me a Flash-free version, but it was the same as before.

It doesn't meet the definition of a site I can't do without, of course... just an illustration that some idiot web designers out there still insist on Flash. Thankfully, that security nightmare known as Java has just about faded to total oblivion, and now it's time for Flash to follow.

1
0

BBC HTML5

@John Riddoch

Go to http://www.bbc.co.uk/html5 and switch to the HTML5 BBC player. There's also an Android HTML5 player available.

They have been in beta since September last year, but still have not been pushed out as default. The new HTML5 player also uses MPEG-DASH and the avc3 codec, which is pretty cool.

BBC Research & Development have a load of really interesting blog posts on the work they have been putting into it.

4
0
Gold badge

Re: BBC HTML5

Doesn't work on all platforms. Doesn't give any reason why when it doesn't, beyond "Your platform is not supported.". Otherwise I'm sure it is fine and more power to their elbows etc.

2
0

Re: BBC HTML5

@Ken Hagan

BBC R&D published a blog post explaining the technologies the player uses and why they can't support some environments. It's linked from the main HTML5 page.

In summary:

- Safari on Mac OS X doesn’t support AVC3 via its Media Source Extensions implementation. The HLS implementation is also incomplete.

- In Firefox, the H.264 and AAC decoders are provided by the operating system. Currently, Firefox will only use decoders from Windows and OS X by default. On POSIX, you have to manually plug your own in.

- Old browser versions do not have support for HTML5 or MPEG-DASH (the MPEG-DASH standard was only published in 2012).

If you have any suggestions or other problems, drop the team an email at mediaplayer@bbc.co.uk.

0
0

Re: BBC HTML5

That blog post is IMO mostly bollocks as HTML5 video works fine if you spoof as an iPad or iPhone

0
1
Gold badge

Re: BBC HTML5

@Skoorb: Thanks for the link. My device probably falls into the category of "have to manually plug your own in" which means it'll have to wait until I have time to do the necessary googling, but at least I now have a lead to follow.

0
0
Silver badge

YouTube. About 75% of the vids play in HTML5 on Linux.

The rest seem to be "fragmented-mpeg" and Firefox just shits a brick.

Unfortunately I can't upgrade Firefox because I lose a lot of functionality.

0
0
Silver badge
Happy

Fla-what?

it's been so long I had it installed I forgot it exists

those were very blissful moments

1
1
Anonymous Coward

WTH

Ok, so what major porn sites require flash instead of HTML5? Porn has to be the driver, right? Otherwise this piece of crap would be long gone.

2
0

Re: WTH

Porn sites tend to want to keep their customers so are probably well ahead of the curve on HTML5 adoption, unlike ad agencies, Sage software type graphical interfaces and other companies who think they have a captive audience and therefore don't have to change.

3
0

Re: WTH

Porn companies are flexible and will use HTML5 to gain customers. It's big companies with policies set in concrete who can't move from Flash. They don't make money with their videos they don't care if the customers are exposed.

1
0

Re: WTH

As a strictly research-driven activity, I can confirm that YouPorn does not require Flash.

2
0
Thumb Up

Re: WTH

Flexible... Exposed... I see what you did there.

0
0

We're way, way past the point of making fun of Adobe creating a bug-riddled mess, should we be actively making fun of web sites who still insist on using it?

17
0
Anonymous Coward

Keep The Faith

I think we can trust a major company like Adobe to sort this all out in short order.

11
0

Re: Keep The Faith

HAHAHAHA - nice piece of sarcasm there.

It was sarcasm, right?

0
0

Goodness! A flaw in Flash? That is unexpected.

(Just testing how sarcastic it's possible to be without the comment box exploding)

8
0
Silver badge

Another Day

One can barely get through a week without a Flash update. Time to terminate Flash with extreme prejudice.

0
0
Silver badge
FAIL

Amazing

According to ComputerWorld, Adobe patched 316 Flash bugs in 2015...6.1 bug fixes per week. And clearly there were more still lurking.

This, for software that has been around for almost two decades

One wonders: how did it ever work at all?

3
0

Re: Amazing

> "One wonders: how did it ever work at all?"

It didn't. It's always been a buggy piece of shit, prone to crashing video drivers and more. The sooner it dies, the better!

5
0

Re: Amazing

Before it was a crashing pile of bovine excrement, Flash was updated so often that I spent more time downloading (56k all the way) the player than watching the related video. It's been the nexus of bad experiences since Macromedia first built the pile.

2
0

Re: Amazing

Never had a problem with crashing video drivers. Must be your video card.

Flash worked absolutely fine and there were some truly incredible websites built with Flash. There were also loads of sites that were awful and ads that behaved ridiculously. I'm guessing the wide ranging functionality of it led to it being more open to exploits than other software that didn't try to do so many things.

You give people technology and a few use it to create great things, and unfortunately many use it to create awful things. That is not the fault of the tech itself.

There is nothing out there that is even close to providing what it can do. It's a shame that a technology is aggressively retired when there is no viable alternative. Also it's obvious that a lot of you don't play browser based games as HTML5 is not even close to offering the same level of UI & UX.

2
5
Silver badge

Re: Amazing

"Flash worked absolutely fine..."

But then, Macromedia was acquired by Adobe Systems in 2005, and it's all been downhill ever since.

2
1
Silver badge

Re: Amazing

> There is nothing out there that is even close to providing what it can do. It's a shame that a technology is aggressively retired when there is no viable alternative.

I'm not so sure about that any more. It was maybe the case a few years ago but the modern browser runtimes now leave very little to be desired. What may be missing are the relevant authoring tools.

Flash should be recognised for two things: a cross-platform graphical runtime for browsers when the only other alternative were Java applets; and ending the video player wars (remember RealPlayer vs. Quicktime vs. Windows Media Player?) Unfortunately, as the internet grew in importance, the problems inherent in the platform became more obvious.

Flash is now only kept around for sites wanting to use it for DRM which is why it's down to around 14 % of sites. More and more browsers, including all the mobile ones, don't have Flash so now only around 50 % of any site's visitors can actually see the Flash content. Most media sites are already piloting HTML5 video. I expect by the end of the year less than 10 % of sites will be using Flash and a majority of users won't have it installed.

0
0
Anonymous Coward

Re: Amazing

> There is nothing out there that is even close to providing what it can do. It's a shame that a technology is aggressively retired when there is no viable alternative.

Well, IBM had a Flash-like technology called HotMedia back in the late '90s, which ran under Java. If IBM management hadn't had its head up its arse we all could have been using HM instead of Flash. That way instead of playing whack-a-mole with *TWO* bug-and-vulnerability-laden technologies (Flash and Java), we'd only have to be fighting with one. And for that matter, security *was* being thought of in HM even then.

But, as we all know, IBM suffers cranial-rectal insertion, so we know the outcome.

1
0

Re: Amazing

Some examples:

1. Can't play sounds simultaneously in some browsers with HTML5. For games and interactive stuff this is a complete non-starter.

2. Video masking in HTML5 just isn't anywhere near what you can do.

3. Recently I was asked to animate a very simple intro logo for a website. I'll be the first to admit that I have no idea how to do this outside of Flash so I used it and exported to HTML5. The swf is just 15kb, but the export to js is 250kb. The technology or exporter is primitive. It has a long way to go.

4. Syncing content - like sounds at particular points - this needs to be set on an event rather than a timer. I've had to use a timer on a recent project that doesn't always go at the right time. There may be a way to do this in jQuery - so forgive me if I just don't have the required knowledge on this one.

5. Just the overall compression Flash provided. On one particular forum I visit regularly, a lot of people have gif signatures and on some pages the browser will just freeze constantly. With flash you can have so much mixed-media content yet it's compressed and handled well by the browser. In HTML5 it really struggles at times. You shouldn't require your users to have 16GB, 16 core machines.

That said... Flash is on its way out and I've known that for years. The smartphone basically killed it. Thanks Steve...

0
0
Silver badge

Proves Quantum Theory

If you identify all the flaws you can't locate the program.

1
0
Anonymous Coward

Bypassing security

One of the chief IT officers of my company (large American industrial company) is due to give an online talk on the cyber security challenge. The site used to host this talk requires the use of Flash Player. We'll have to bypass our browser's security settings to attend this talk. *sigh*.

2
0
Anonymous Coward

Oh my God ..

.. soooo many problems I've missed out on by ripping Flash wholesale from my systems.

That's bad planning - what am I going to blame a breach on now?

(yes, I'm channeling a bank director right now)

0
0
Linux

Did you all miss the fact...

That El Reg is using Flash on this very forum? I keep getting a notice from Firefox that it is being blocked.

Or is it maybe the ads... (that I have blocked as well).

0
0
Gold badge

Re: Did you all miss the fact...

> I keep getting a notice from Firefox that it is being blocked.

Well, at least that's easy to fix: just uninstall Flash. No more pesky messages :).

0
0
Bronze badge

FugginLameAzzSHeet

Anything Oracle or Adobe related isn't worth using.

Thank goodness my company has figured this out, and stopped purchasing and using it. No more Oracle DBs or apps.. no more Adobe reader etc.

At first people were worried that customers and vendors would have a fit if we rejected all PDFs, but it's amazing how smoothly it's gone. Not to mention the relief for patch testing and worried application owners.

It's amazing how secure an environment gets when you stop using Oracle (anything) on the network, and stop using Apache for public facing web sites. For two years now, a contracted penetration testing/red team hasn't been able to breach our network; this includes phishing attacks.

1
1
Anonymous Coward

Re: FugginLameAzzSHeet

> Thank goodness my company has figured this out, and stopped purchasing and using it. No more Oracle DBs or apps.. no more Adobe reader etc.

I was just revisiting Linux databases, and came across MariaDB (yes, I know I'm late in this, I've been busy) - the main driver appears to have been Oracle's direction. I installed it and so far so good, no MySQL using applications have noticed anything amiss :).

> For two years now, a contracted penetration testing/red team hasn't been able to breach our network; this includes phishing attacks.

Still, these sorts of remarks are bad practice. It's the sysadmin equivalent of sticking a big "please kick me, hard" on your back. Besides, pen tests are a function of the capabilities of the red team and their tools at one point in time - it's not a guarantee that some girl in Russia is not capable of walking past your defences with an APT sequence as if they don't exist. Do those attempts at least trigger your network intrusion detection? Do you spot these people in your log file reviews?

Never go smug - the Net has a habit of adjusting that sort of attitude, harshly.

1
0

HoHum

Spent the afternoon checking computers for Flash Player. Only found a few remaining and those are required, for now.

0
0
Anonymous Coward

Just how did this happen ?

Here's a challenge for an El Reg writer...I'd love to know just how this complete clusterfuck of a piece of software happened...what was the original design, what language was it written in, how did something get released on to the world that has proved so impossible to clean up ? Was it just a bizarre twist of fate that meant that a piece of software that should have been retired after two years happened to survive for 20 as an undead bearer of bugs ? Can you find some of the original devs/management ? What do they say ?

Because it's staggering just how long this has been going on for.

1
0
Gold badge

Re: Just how did this happen ?

Wikipedia has some historical remarks. It does appear that the product went through several names and companies as its owners decided what they wanted it to be for. Since its origins are around 1990, I imagine the implementation language was originally C, but back then it was easy (almost too easy) to flick a switch and start compiling your code as C++ in order to use lots of shiny language extensions, so I would also imagine it has been C++ for most of its life. ActionScript was apparently bolted on the side about 10 years after the original design.

In competent hands, this would mean that the product has been polished and refined over a quarter of a century and is now an absolutely fucking awesome model of how software should be constructed. (It is a pity that the product has to remain closed-source for commercial reasons, because it would be sooo cool to publish it.) Ports to other architectures have been reduced to switch-flicking. Any architectural flaws in the original design have been swept away and the development team probably still contains one or two of the original developers because why would you walk away from an easy job curating your very own cash cow?

The evidence suggests that it is more like the unwanted runt of the litter that was abused by various different groups, none of whom ever bothered to learn what they actually had before attempting major modifications. It's probably still written in 1990-style C and contains the left-overs of attempts to port to several new architectures that didn't quite work out. The current maintainers weren't even born when it was created and aren't really familiar with C programming, but fortunately it's a bit like Java so they are managing to get along.

2
0

Re: Just how did this happen ?

It happened because web developers were generally lazy and unskilled and wanted their cake and to eat it too. Don't get me wrong, there were and are some really good web developers out there but the trend was always for them to be people who were "a bit creative" and "a bit computery" and wanted to make a lot of money so they used Flash as an easy way to make impressive sites for customers who didn't know any better.

A similar thing happened with online games -- rather than writing games in real programming languages people made them in Flash because it was easier to be cross-platform and took less time to develop.

Flash has always been a dodgy kludge of a toy for playing with and doing fun and cool things with but, sadly, people who didn't know better or didn't care used it for things they shouldn't and became dependent upon it.

Then there are the "But... But... But... We wouldn't be able to do X without Flash." crowd who don't understand that this means "We can't do X.". You know, the kind of people who demand that the laws of physics don't apply to them.

In short, Flash is still here because some people are too stupid to be let loose on computers.

2
0

vCenter and Pandora

VMware vCenter and Pandora run in Flash. Sigh.

0
0


Biting the hand that feeds IT © 1998–2018