You can't seem to code your way out of a wet paper bag.
The sooner HTML5 kills flash the better.
Two more serious Adobe Flash vulnerabilities have emerged from the leaked Hacking Team files, ones which allow malefactors to take over computers remotely – and crooks are apparently already exploiting at least one of them to infect machines. The use-after-free() programming flaws, for which no patches exist, are identified as …
One of the problems of an all pervasive item like Flash is that when a fault is found it affects massive numbers. It's one of the reason everyone slags Windows, because one flaws affects 95% of the world.
As the world converges on a standard, any flaw in the standard will have wider reaching implications. And there will be flaws. Expect more frequent updates with less rigorous but more frequent testing. As we abstract away from the OS to the browser, expect exploits on Linux (inc. Android) and Apple users to increase dramatically (and I'm not blaming the OS before you rush to defend the Fanbois and Fandroids). No longer will your choice of hardware influence your vulnerability.
I agree with the OP, not Velv's reply.
It is possible to code pretty damn good software. Software that is written understanding things like buffer overflows and freed-area reuse. The pervasiveness of use of a particular package should not be a license to write crappy code.
Adobe has had multiple problems with many of the products I've worked with. (Cold Fusion, Acrobat, Reader). They have chosen to not have good coding standards and probably to not thoroughly test their products before they spring them on their customers.
Of course that's possible, however it's incredibly uncommon and not just at Adobe, the OpenSSL bug last year was the same kind of bug. It might be perhaps telling that we've known about these kind of exploits for 40 years and yet they're still incredibly common in code. They're common because they're really easy mistakes to make.
Every single bit of non trivial code uses the kind of data structures that are vulnerable to exploits like this over and over again, because they're just that common. All it takes is missing a bounds check on one very specific way of accessing your code that you may never have thought of or saying "no one is ever going to access this code that way" once in a project to get a vulnerability and things like that happen way, way, way more often than once in a project.
I'll guarantee that if you're actually a developer you've written at least a hundred of them, mostly in little things, only intended to be used internally or only in a specific space. Or you've counted on a library to do something and the library's author has screwed it up.
Flash is of course particularly vulnerable because Flash was first and never died. It was made when the world was a very different place and all sorts of horrors had to be coded in to make it even remotely plausible. Every attempt at a replacement has failed to date, including the idea that HTML 5 will kill it, as if YouTube videos were the only reason anyone ever used flash.
Every attempt at a replacement has failed to date, including the idea that HTML 5 will kill it, as if YouTube videos were the only reason anyone ever used flash.
I wiped one of my home computers at the start of the year and didn't bother to install flash on it (the Linux version is old and only receives security updates anyway). Most websites have thankfully left behind the days of Flash based menus and I've never been fussed about Flash games so videos are the only things that really concern me.
It seems I can get by without Flash for the most part but there are some annoyances. The max res Youtube videos seem to offer is 720p. iPlayer refuses to work without Flash (despite the fact that get-iplayer will happily let me download mp4s from the BBC servers). Facebook also keeps telling me that I can't view videos without flash, however if I replace 'www.' in the url with 'm.' the video plays perfectly fine.
Progress is slow but these days I at least feel that I'm not losing access to half the web by foregoing Adobe's plugin.
Back when I could see to use it, I realized it was such a security cluster fuck that I utilized any means possible to mitigate it from running unless and until *I* wanted it to run. Once I went blind, there was *zero* reason to use it since I couldn't see anything it had to offer. So I uninstalled it, enabled HTML5 for Youtube (I like listening to music & Foamy the Angry Squirrel), and have never looked back.
It's a security nightmare, offers nothing sufficient to justify it's use, and isn't worth the "Oh hey look! A Zero Day Exploit given to us on the Fifth? Let's get around to patching that sometime ten days from now!" stupidity.
If Adobe doesn't Give A Fuck about the security of it's users to patch it faster than this, then WHY are any of you using it at all?
Rip that bastard out by the roots, weld shut that security backdoor, and reduce the number of anti-migraine pills you have to consume like Pez!
I also had it banned from all our websites (on account of not wanting to be part of the problem). It's actually a fun way to select bids for design - the word "Flash" means you're out in just that - a flash.
Bonus advantage: it stops stupid ads from appearing.
Any vendor that uses Adobe Flash for their UI or any control subsystem is instantly given a copy of the American's with Disabilities Act or the (DDA?) rules about Accessibility, a note that Flash *isn't*, and told to go fix it if they want our business.
VM Ware may be a monolith, but David slew Goliath with a mere rock. (I like to pull the pin on a HE Frag Grenade, drop it down their pants, & wedge the pin up their nose. The looks on their faces is priceless... or so I'm told.)
Seriously, if a company, ANY company, uses Adobe Flash as part of the UI or Control subsystems then they obviously don't know shit about Real Programming. If your idea of coding involves reliance on a product that's had more zero day exploits than a frisky crack whore has had tricks, then what's that say about your company?
And aren't you the clever one?
While I am actually impressed by the speed at which Adobe is releasing patches for these bugs – faster than say Microsoft of Apple for similar issues – I'm not defending them. But the root cause for our vulnerability is a dependence upon browser plugins for features that browsers don't have but that we users want.
"features that browsers don't have but that we users want."
OK, I'll start.
I can't think of any Flash-only features that I want.
And that's based on
1) Flash discrimination against those with limited sight (it's the law, not just in the USA)
2) Flash features that I need (there aren't any)
I.E. before taking account all the risks that come with Flash.
I can think of lots of Flash-dependent websites that need fixing.
Anyone else got anything they *need* from Flash ?
That even p0rn sites don't use Flash-only for vids all that much any more :)
Makes sense if the apple fondleslabbers couldn't get in on the action otherwise.
For sites that still flash their privates, dya think surfing shady websites with a known infection vector a good idea? LOL
Totally hearsay guv.
Well it is definitely frustrating that only half the story is being publicised.
From what I can gather from two websites:
Existing (Windows) users of MalwareBytes Anti-Exploit are protected from (ie. no update required):
CVE-2015-5119 - Fixed in Flash version 188.8.131.52.
CVE-2015-5122 - Flash v184.108.40.206 is vulnerable
They've yet to report on CVE-2015-5123, which has distinct differences to the above and so it would not be wise to assume anything.
Users of Trend Micro's Browser Exploit Prevention feature in the Endpoint Security component of their Smart Protection Suite, are protected from:
With CVE-2015-5122, Trend Micro advise users to disable Flash.
Whilst it seems neither of these products presently totally secure's a system against all three, (although both will run happily on a W7 system), we do have here clear evidence for the value of these browser monitoring/hardening tools.
So if you need Flash, there are good third-party tools out there that will help you to increase the security of systems you lock down.
if you have Chrome: Open Settings -> click on Advance Settings -> click on the Content settings button -> scroll to the Plugins section -> Select "Let me choose when to run plugin content" -> click on Done -> Close the tab and restart the browser just to make sure.
If you have Firefox: follow these instructions.
All other browsers: reconsider your life choices.
I had hundreds of dollars invested in two longer term online magazines that were delivered by flash and flash only.
This last installment of flash refuses to install into my copy of Firefox (both offline and onine installers) so that broke the camel's back. Especially since older versions of flash will not work.
So that's it. Any site that requires flash is going to go without me seeing it ever again. Good fucking riddance, and don't let the door hit your arse on the way out.
You've brought up another one of my angers/frustrations about the use of Flash. When a site decides to use it as the delivery mechanism for their content, it *deliberately* excludes the Visually Impaired from accessing it at all. Even if the article authors were writing about Accessibility with the intent on as wide a distribution as possible, the fact that none of the buttons let us know what they're for (assuming we can get to them at all), none of the controls let us know what they do (ditto), and the only way we have to "interact" with it is to kill the page/tab/program that spawned it, it makes me want to drag the folks at Adobe out into the parking lot & beat the shit out of them with a very large clue.
"But it can be made Accessible!"
Really? And in what percentage of all the instances of Flash content out there, in what electronmicroscopicly miniscule proportion of those were so much as the tiniest fraction of the beginning of the spark of the inkling of the thought towards Accessibility was it given? And of those what THREE whole instances, how many of them carried through on it? Oh yeah. NONE. So if the default isn't Accessible out of the box, & the vast majority of the uses of the product are not, then the rare instances of someone having actually gone ahead & activated the Accessibility bits is the exception not the rule. If a car manufacturer claims that their cars "Can go over 200!" but it takes having the engine retuned with the "speed options" enabled, activated, & tweaked to actually WORK, then the claim of 200+ may be technicly true but the average user/driver will never ever ever get their car to go that fast, then it's still BullShit. If you want to claim that Flash is Accessible then make it that way out of the box, not after enabling a zillion hidden options, forcing the content authors to consciously, intentionally build Accessibility into their creations, and make it a major migraine for us to... oh, I dunno... USE THE BLOODY PROGRAM?
Anyway, thanks John for pointing that out & giving me another chance to vent my spleen at Adobe. If you give me a second I'll go fetch a squeegee & some towels to clean off the vitriol off your shoes.
I've searched the web including the forums and read the detailed report about the newly found holes and privilege escalation.
However, as regards Mint 17 and Firefox it all seems a bit vague especially when the write up includes referencing Kernel32.dll to exploit the code
It seems to me that this exploit can only crash the Flash player in Mint and not escalate privileges.
Anyone got the definitive answer or a pointer? Thanks
Biting the hand that feeds IT © 1998–2019