The very fact that every patch for this dog egg is rated as "Critical" highlights exactly how seriously Adobe take the security of its users. It is time for Flash to expire and to remain so.
Adobe insists it is working hard to boost the security defenses in its pilloried Flash Player. The Photoshop giant, based in San Jose, California, says it is making an "extensive" push to secure its plugin before another wave of vulnerabilities are revealed in the software. We're told that, as a result of "recent developments …
'There are extensive efforts underway internally'
They have changed the coffee machine and are now using a stronger Robusta mixture...
Seriously though, this is not a new problem for Adobe, it has only been like this for the last 5 years or so.....Is the company run by ostriches ?
+1 for the comment relating to a "dog egg", it's the first time that I have heard the expression, made me laugh this morning which is always a good thing..far better than having to install an adobe product.
Some companies must have bought high page ranking for whatever you type into your search engine. As a result, I know where I can buy dog eggs, and where to find out how to cook them.
It is hard to decide which made me laugh louder, that or: "Adobe insists it is taking the security of its Flash Player seriously."
As for flash, I have never used it. If a site requires flash, my search engine can find me a different site.
Actually, I think the critical wrinkle for Adobe was pioneered by Microsoft. Take a quick look at your legal remedies if some MS software causes you some damage. The answer may surprise you.
Just kidding. Of course you know that Microsoft is completely free from any liability for any mistakes, incompetence, or downright negligence, and Adobe just followed along that well worn trail.
Personally, I think we would have rather better software if the companies were also liable for their mistakes. If you added in some punitive damages, Microsoft would have gone bankrupt long ago.
> Why not Windows or even Linux?
I just wondered that too... considering the close POSIX similarities between the two... it looks like the reason boils down to lack of (informed?) interest... perhaps compounded by inappropriately offhand "moderation"...
> Why not Windows or even Linux?
I just wondered that too... considering the close POSIX similarities between the two.
What do you think POSIX has to do with it? If it's using QT then it's probably reasonably portable, but if they're using MacOS' own libraries then it's much less so.
The Linux market for paid for desktop apps remains tiny. See if you can get a Kickstarter for the $500,000 mentioned.
Choices...choices... A never-ending subscription for Photoshop, or an excellent alternative for a one-off payment of £30?
Great to hear that Serif have finally started developing for MacOS! Been using PagePlus off and on for over 20 years.
Another good alternative to Photoshop for different platforms is Photoline: http://www.pl32.com/. However, it's difficult to dislodge Adobe from their perch. For many companies the cost of subscription is small compared to any possible loss of productivity that might accompany retraining.
Mind you, I don't think Adobe see Flash as anything like as important as Photoshop, Illustrator and InDesign. Wouldn't surprise me if they drop the runtime if they can get into the business of DRM for browsers. The development tools are the money spinner and can already produce HTML5 content. Flash is important for media rights management.
"...Choices...choices... A never-ending subscription for Photoshop, or an excellent alternative for a one-off payment of £30?..."
Or just keep using CS3 ... CS6 [whichever you're currently on]
Photoshop has been feature complete for years. New versions just add automagic tools which don't work very well or, in the case of CC, a pointless 'cloudy' way of making you rent your software, instead of owning it.
We need to be honest about this. Without seeing the code it's very difficult to tell about the quality of the code. Given the frequency, and severity, of exploits, there are obviously some problems. The ability to escalate an exploit in Flash to gain control of the machine is, however, as much a problem with the architecture of the OSes as it is with Flash. Of course, for certain things like video-conferencing access to hardware is required. But this is a key thing: is it possible to develop a restricted version of the software that does not need admin permissions to install?
Adobe doesn't just write Flash (based on a codebase that Macromedia developed), but a whole load of other programs. I note that they're also using Coverity. Would be interesting to know if this includes Flash and what the reports come up with.
Flash player must surely be the project Adobe foists on its work experience newbs.
"OK here's your desk next to that bunch of filing covered in dust that has never been done, oh coffee machine is there and if you have any questions, ask someone other than myself, I have meetings for the whole of this week then I'm on annual leave for the following month, good luck".
"your parents use it, your children use it, admit it – you use it"
Not anymore! I've already said on another thread that since it wouldn't even install anymore - I'm ridding myself of it. Mind you, I'm pissing a couple of hundred bucks of subscriptions that I can't get anymore up the wall, but truth be said, I'm glad, and I wouldn't have done it were it not for Adobe forcing my hand.
So I'm free of it forever. It's quite liberating actually, kinda like swimming naked. (so I've been told)
I got a brand-new, pristine PC about four months ago now. Hard disc completely blank. Installed Windows 8.1, then as much other software as I've (so far) wanted, all manually - so I'm pretty damn' sure that no version of either Flash or Java exists anywhere on it.
And so far, I haven't missed either one. Sure, occasionally - quite rarely - there'll be a video that doesn't play, in which case it might take me all of 30 seconds to find one that does. And that's about it.
Free yourself. Flash and Java are as bad as each other, and unless you're developing in one or the other - in which case you're part of the problem - you don't need either one.
If you don't want to outright uninstall or disable Flash (because you want to watch BBC iPlayer, non-HTML5 YouTube or Twitch.tv videos, or play poker online, or something like that) consider telling your browser to only run Flash files when you tell it to – "click to play" in other words.
Finally, some sensible advice. Flash is everywhere because it's useful, for varying definitions of usefulness. Nevertheless, the best thing is to have it deactivated by default. Of course, the vast majority of users won't bother, just as they don't bother with most other security issues.
Disclaimer: I don't write Flash and am not a fan of it. But I know how difficult it is to do cross-platform video. Would we really be safer in a world of Windows Video, Quicktime, OpenVLC, and other plugins? And how are the media rights extensions working for you?
I use Firefox and I haven't updated Flash. Every time a website wants to run Flash, I get a message about a vulnerable plug-in. That is my click-to-play. Unless I really really trust a website, I will not click that link. Ghostery blocks the tracking Flash ads, Firefox blocking a vulnerable plug-in blocks the accursed auto-play videos.
Said the Adobe drone: "There are extensive efforts underway internally, in addition to our work with the security community and our counterparts in other organizations, to help KEEP our products and our users safe."
There's the problem right there... spot the word "keep"? They think their products are already good, that the flaws that get announced on a constant basis are things that have just recently crept in, or didn't exist for goodness knows how many years beforehand.
Seriously, Adobe, you should have recognised there was a major problem three years ago and done something about it then. Not work on the basis that the just announced flaw was the last there would ever be, fix that one and then stick your head in the sand... until the next announced flaw... rinse and repeat...
That would still be a useful approach if their fixes indeed addressed vulnerabilities. As far as I can tell their fixes simply open up holes elsewhere - a bit like digging a hole to fill another one.
It makes you wonder what sort of approach to coding makes you end up with a game of security whack-a-mole.
Unless, of course, the original intention was indeed to code a game of whack-a-mole :)
"Last year, Adobe's chief security officer Brad Arkin said he wanted to make life much harder for attackers who try to exploit programming cockups, rather than spend all day finding and fixing bad code hidden in millions of lines of source."
So how exactly does he plan to make life much harder for them, except by fixing the software?
Fixing the software is exactly what needs to be done in order to make the attackers' life harder!
The mitigation they are talking about is like sticking a band-aid on a bullet wound to stop any more bullets going in.
They could recode the Flash runtime in Java.
Then one would only have ONE sandbox to worry about. Plus Flash would be able to auto-install on need (and you would profit from a new search bar!!)
Unfortunately it would mean Oracle and Adobe would enter into the HYPERCLASH OF THE IP
This may be a silly question - but how does Adobe benefit from the existence of Flash?
It's free to the end-users, but do people creating Flash content pay Adobe for the privilege?
Do Adobe get a cut whenever a server delivers a flash file?
Why do they bother when they could still make cash out of Photoshop and its siblings after killing Flash?
I know that things are difficult for you at the moment but please find the resources to migrate iPlayer off Flash.
I wrote to you direct once and you said it provided a secure platform to provide protected content.
The secure thing is not true and there are other means of providing protected content whatever that means.
Every update to Flash that I get told to download always addresses two issues:-
It improves performance (apparently)
It makes it more secure (allegedly).
I have just invented Moore's law for Flash...... "every year Flash gets twice as fast and four times more secure than the previous year". Yes I believe it! Any day now it will be so fast it will start launching animations before I have so much as thought about clicking my mouse, and it will stop hackers from even thinking about developing new ways to steal my money.
My thoughts exactly.
Flash is free, so there is no dip in revenue.
Flash security is hopelessly undermined, and Adobe obviously cannot hire anybody with the skills needed to clean it out, so farm the thing to the Internet where skilled people exist and are certainly willing to take a gander.
Be serious guys, if you're still chasing after use_after_free() bugs, it's high time you stop thinking of yourselves as capable of programming. Leave that to the experts.
I find it mystifying as to quite why Adobe can't at least reduce the nastiness to manageable levels given the insane amount of patching they're forced to do.
that (according to an article published here on El Reg) in 2014 Chrome, Firefox and (no surprise) IE all had more vulnerabilities than Flash.
So everyone complaining about the dangers of running Flash - maybe you need to switch to a Mac running Safari too as that was the only major browser that had fewer vulns than Flash did....
If Adobe can't write secure code (and, it's becoming rather obvious that they can't), then why don't they just open source Flash Player? Sure, attach some provisions to it that guarantees their ability to suck the updated source back in and use it for their other stuff. But, surely open source people could do a better job of maintaining it than they've been doing.