Weaponised Flash flaw can pinch just about anything from anywhere

Get cracking with the latest Flash upgrade, because the vulnerability it patches is a peach, allowing a cross-site request forgery (CSRF) attack for stealing user credentials. According to the Switzerland-based Google engineer that turned up the vulnerability, Michele Spagnuolo, sites that are/were vulnerable to the attack …

  1. Anonymous Coward

    Every time these stories come out, I become just slightly more smug that I deleted Flash about a year ago.

    1. Anonymous Coward

      .... or you could keep your important data backed up, update whenever a patch is released, surf with NoScript/AdBlock/etc and carry on as normal without blighting your life worrying about relatively unlikely threats... and still get to enjoy content that depends upon Flash.

  2. Michael Habel Silver badge

    Them 'Lumpa's sure aren't playing 'round....

    According to the Switzerland-based Google engineer that turned up the vulnerability, Michele Spagnuolo, sites that are/were vulnerable to the attack included various Google domains, YouTube, Twitter, Instagram, Tumblr and eBay.

    I was not aware that the Ompa-Lumpa's had recently snapped up Twitter, Instagram and Tumblr much less Fleebay.... Does this bode well that Google might consider using PayPal someday?!

    1. frank ly Silver badge

      Re: Them 'Lumpa's sure aren't playing 'round....

      That's a comma, not a colon.

    2. petur

      Re: Them 'Lumpa's sure aren't playing 'round....

      FYI, Google does accept paypal, at least for media (and I think apps). Not for devices. Go figure...

  3. Anonymous Coward

    WTF?

    ".....a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site...."

    I'll just pass that info on to my mum and dad so they are aware.
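The quoted passage describes a JSONP endpoint being turned into a Flash file because it reflects the caller-chosen callback name at byte zero of its response. The following is an added defender-side example, not code from the article or from any commenter: a naive JSONP responder beside a hardened one, with a check for whether a response body would be accepted as a SWF. The callback names, the whitelist regex and the response headers are constructed for the demonstration.

```python
import json
import re

# A SWF file starts with one of these three-byte signatures.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Conservative identifier whitelist for callback names (assumed policy).
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)


def looks_like_swf(body: bytes) -> bool:
    """True if the response body begins with a Flash file signature."""
    return body[:3] in SWF_SIGNATURES


def naive_jsonp(callback: str, data: dict) -> bytes:
    """Reflects the callback untouched: the caller controls byte 0 onwards,
    so a callback beginning with 'CWS' makes the reply look like a SWF."""
    return f"{callback}({json.dumps(data)});".encode()


def hardened_jsonp(callback: str, data: dict) -> tuple:
    """Whitelists the callback and prepends a non-alphanumeric prefix so the
    response can never start with a SWF signature. Returns (headers, body)."""
    if len(callback) > 64 or not CALLBACK_RE.fullmatch(callback):
        raise ValueError("invalid JSONP callback name")
    body = f"/**/{callback}({json.dumps(data)});".encode()
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Ask browsers and plugins not to guess at the content type.
        "X-Content-Type-Options": "nosniff",
        # Discourage treating the response as an embeddable file.
        "Content-Disposition": "attachment; filename=f.txt",
    }
    return headers, body


if __name__ == "__main__":
    sample = {"user": "constructed-example", "token": "not-a-real-token"}
    print(looks_like_swf(naive_jsonp("CWSabc", sample)))          # True
    print(looks_like_swf(hardened_jsonp("CWSabc", sample)[1]))    # False
```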

  4. Anonymous Coward

    Just me?

    Anyone sick of trying to explain to users why flash, java, browsers etc pose security risks so should be updated as critical patches come along?

    "But we only updated that last week!", "I'm too busy"

    FFS, yes we did, and we'll be doing the same next week, month, year until what users have to steal is worth less than the effort of finding the holes, I'm sorry.

  5. Nick Ryan Silver badge

    I'm actually rather thankful that Apple kick started the (not fast enough) demise of Flash on the web...

    It's still occasionally a PITA where some sites still insist on using it (looking at you, BBC) but I am surviving quite well these days without it installed on my home PC. Now if I could just do the same with .PDF files which really shouldn't need entire embedded executable environments inside a document...

    1. cyclical

      Now if only the various browser companies could stop having slappy-fights over HTML5 web video & audio formats and DRM and we can give silverlight etc the boot as well, and live happily ever after.

      1. Anonymous Coward

        Give it a couple of decades

        1. moiety

          May I submit ActiveX to the hitlist as well?

          1. Destroy All Monsters Silver badge

            Doktor King Schultz will be in touch shortly.

    2. JLV Silver badge
      Unhappy

      >looking at you, BBC

Oh, CBC is _much_ more of a Flash fan than BBC. Almost all their vids require it.

  6. Malcolm 5

    Is it only me that visits

    https://www.adobe.com/uk/software/flash/about/

    and is told they have .145 and the latest version available is .125?

    1. Anonymous Coward

      That's odd. It definitely said .145 was the latest available on Tuesday morning, but I'm now seeing .125 listed as the latest version too.

    2. Anonymous Coward

      That UK field in the URL must be pointing at an old version

      https://www.adobe.com/software/flash/about/ shows 14.0.0.145 as the latest version

  7. Arachnoid
    Joke

    Ming the Merciless

    Failed to kill off Flash NOoooooooo!!!!!!!!!!!

Biting the hand that feeds IT © 1998–2019