back to article Kill Flash Now: 78 bugs patched in latest update

Adobe has released another update to address dozens of flaws in its Flash Player browser plug-in. The December update fixes 78 CVE-classified security vulnerabilities in Flash Player for OS X, Windows, Linux, and Android. The patch includes 75 separate vulnerabilities that could be exploited by an attacker to remotely execute …

  1. ZSn

    Rid?

    It seems to be that it's more difficult to get rid of flash than a bad dose of the clap.

    1. big_D Silver badge

      Re: Rid?

      I deinstalled / disabled it in all browsers in January. I haven't felt tempted to re-install it since.

      1. ZSn

        Re: Rid?

        Yes, but my wife insists that at least one Linux box has this abomination so that the kids can play games. Sigh...

        1. Anonymous Coward
          Anonymous Coward

          Re: Rid?

          You might want to try Pepper Flash player instead.

      2. Anonymous Coward
        Anonymous Coward

        Re: Rid?

        "I deinstalled / disabled it in all browsers in January."

        Same here. January 1999.

    2. Donchik

      Re: Rid?

      So... What would a "Good" dose of the clap be like?

      1. ZSn

        Re: Rid?

        The sound of one hand...

  2. Ugotta B. Kiddingme

    Sigh...

    Why are we STILL having this conversation? I mean, really... Can't someone just put it out of our misery once and for all?

    1. Steve Davies 3 Silver badge

      Re: Sigh...

      Sadly no. Far too many sites demand to use Flash.

      Come on Beeb, make good your promise and move to HTML5. consign Flash to history.... Please.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sigh...

        Far too many sites demand to use Flash

        Because web designers are as bright as Donald J Trump.

        1. Vector

          Re: Sigh...

          I suspect, in very many cases, it's not the designers but their bosses who have the intelligence deficit. "Thatwouldcosttomuch" might just go away if they could be held responsible (say, legally) for using a plugin with a history of vulnerabilities.

          This should be particularly true in cases where use of flash is made mandatory, as in the case of some school systems mentioned when one of the last raft of vulns came to light.

          1. Anonymous Coward
            Anonymous Coward

            Re: Sigh...

            it's not the designers but their bosses

            Not necessarily. There's also the "I don't know anything but flash" type of web designers.

        2. a_yank_lurker Silver badge

          Re: Sigh...

          @ Ledswinger - The flash crew are actually rivaling Congress for the stupidity. It is probably driven mostly by PHBs who have not had the pleasure of a class action lawsuit or criminal investigation aimed at them.

          1. Kobus Botes

            Re: Sigh...

            @a_yank_lurker

            Double sigh here. Our institutional collector of funds (aka SARS) insists on living on the bleeding edge with Adobe (I sometimes think they must get some sort of kickback for testing Adobe's delightful products) - so much so that I have to use my better half's Windows machine, as Adobe does not update their Linux products anymore.

            Personally I would have thought that, being a public service and all (and we being mostly a third world country) that they would cater for the broadest demographic, not just the risk takers going after the latest shiny-shiny, but there you are.

            -------> for SARS (South African Revenue Services), obviously. Wish I could add the nuke icon for Adobe as well.

            1. Anonymous Coward
              Anonymous Coward

              Re: Sigh...

              >Adobe does not update their Linux products anymore

              Google update the Linux version of Player which they bundle in Chrome (Adobe shares the source code with them) - missing the newer Stage 3D stuff 12-on - but the security patches are all done.

        3. JF_au

          Re: Sigh...

          When I come across a site that uses Flash I always send them a quick email letting them know that the 400+ computers and users I control at work are unable to see their website's content because Flash is disabled across the corporation and won't be getting re-enabled.

      2. JoshOvki
        Stop

        Re: Sigh...

        Never mind the Beeb, what about El Reg?!

      3. DougS Silver badge

        Very few sites demand flash

        Those that do won't work on any iOS and most Android devices, which are a large and growing chunk of browsing activity today.

        I think you'll find that if you remove flash (don't just disable it with flashblock) most sites that use it when it is installed won't "demand" it but will instead use whatever they are using on mobile. It is only crappy sites that base the decision on whether to use flash based on browser/OS checks that will insist on it on non-mobile platforms based on a judgment that they "should" have flash installed. Vote with your feet by refusing to patronize them, and they'll either come around or die.

        1. Anonymous Coward
          Anonymous Coward

          Re: Very few sites demand flash

          "I think you'll find that if you remove flash (don't just disable it with flashblock) most sites that use it when it is installed won't "demand" it but will instead use whatever they are using on mobile. It is only crappy sites that base the decision on whether to use flash based on browser/OS checks that will insist on it on non-mobile platforms based on a judgment that they "should" have flash installed. Vote with your feet by refusing to patronize them, and they'll either come around or die."

          From my experience some of the largest users of Flash are jewelry and European motorcycle kit manufacturers . It really peeves me, when I go to so many of their web sites, how utterly dysfunctional they are without Flash activated; for many, you get not much more than a header and an otherwise blank screen.

          As a hard-core rider I can't begin to count how many of these Flash-enabled product websites I encounter. Why do the manufacturers do this? Because they feel that it makes their web site more "copyright protected" - right-clicking an image to downloading and save is, of course, impossible, so I'm stuck using them (and I then make sure that my company's web site, for which I am responsible, demands as little as possible from the visitor).

        2. Adam 52 Silver badge

          Re: Very few sites demand flash

          I've asked this question before but whenever I disable Flash YouTube stops working (this is Firefox on Windows 7/8). Is there some magic to persuade it to work or is this just fallout of a codec war?

          1. Test Man

            Re: Very few sites demand flash

            "I've asked this question before but whenever I disable Flash YouTube stops working (this is Firefox on Windows 7/8). Is there some magic to persuade it to work or is this just fallout of a codec war?"

            That can't be right, YouTube already switched to HTML5 a while back. It should be serving up HTML5-based videos to you - only serving up Flash if you specifically asked for it, or when using a browser that doesn't support the relevant HTML5 elements.

            Go to https://www.youtube.com/html5 and follow the instructions.

      4. This post has been deleted by its author

    2. Chris Daemon

      Re: Sigh...

      Got a call from a friend's parents "Our plugin needs updating!" I assumed (correctly) it was Flash, and I showed them where to go and how to upgrade it. This was after we had a fruitless discussion about removing it completely - "Oh no, I need Flash to play my [card and casino] games..."

      Most people who just have a computer for plain home use (online games, browsing, email, shopping) have no concept of how to keep their machines secure, or even updated. That's a reality, and certainly/sadly not new.

      Would it be apropos to say: You are to dumb for a real computer, get an iPad/Fire/Galaxy/etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sigh...

        You are to dumb for a real computer, get an iPad/Fire/Galaxy/etc.

        Yep. Whenever someone asks for a computer recommendation, I hardly ever recommend Windows any more... it's just too hard for them.

    3. Michael Wojcik Silver badge

      Re: Sigh...

      It's required for a large corpus of electronic literature. That may not be of interest to the general populace (though some titles have large and enthusiastic audiences), but it's quite important to some readers, literature scholars, librarians, historians, and so on.

      Alternative implementations, such as Mozilla's Shumway, may eventually be viable replacements for the "real" Flash player, and - who knows? - might even be less insecure. But for now, people with a serious interest in e-lit pretty much have to keep using Flash, hopefully judiciously with whitelist blocking.

      1. Kiwi Silver badge

        Re: Sigh...

        But for now, people with a serious interest in e-lit pretty much have to keep using Flash,

        I was fortunate to inherit some material. I have a rediculously stupidly large collection of ebooks, plus subscriptions to a few libraries. I could finish a couple of novels a day and not need to add to the collection before I die (someone I knew was an obsessive collector).

        .lit, pdf, txt, html, doc(x), and a couple of formats I haven't looked at yet. Not one bit of flash. Over 30k files (note the books in html format are often a chapter per file and some have extras like images, so it's not quite 30k titles - then again their's things like Chronicles of Narnia and the Darkwar stuff all in a single file).

        Not one bit of flash. Not for the collection I have, and not for the libraries I visit (rarely nowadays)

  3. Matt Collins

    Really?

    Why does it seem like there have been more holes patched in Flash than in Windows? Was it written by monkeys?

    1. Tom Chiverton 1

      Re: Really?

      No, Microsoft doesn't care enough to tell you.

    2. John Tserkezis

      Re: Really?

      "Why does it seem like there have been more holes patched in Flash than in Windows? Was it written by monkeys?"

      No. Monkeys would do a far better job.

  4. elDog Silver badge

    OK, it's been proven. There are more patches to Flash than there are lines of code.

    This has got to be a record (except for Perl obfuscation) for the number of bugs you can stick in a single line of code.

    Mind you this only counts real LOC, not comments and testing harness stuff (what's that, they say).

    Now that the Adobe have decided to focus on HTML5 (with Flash riding alongside) I expect to see them expose some vulnerabilities in that spec too.

    1. Anonymous Coward
      Anonymous Coward

      Re: OK, it's been proven. There are more patches to Flash than there are lines of code.

      >Now that the Adobe have decided to focus on HTML5 (with Flash riding alongside) I expect to see them expose some vulnerabilities in that spec too.

      I challenge the proposition they have any kind of focus. I'd wager at exec level you wouldn't find a single person who could even match all their current product line to broad functionality.

      Everyone focused on the rebrand of Pro Studio to Animate CC [HTML5 there is basically banner ad creation, there's practically no interaction support and maybe 5% of the functionality of AIR/Flash] but failed to notice they've just canned all their new HTML5 tools - Edge etc at the same time.

      There's no compelling reason for developers to use any Adobe tools - beyond the 'from my cold dead hands' attitude of designers to PhotoShop/Illustrator. Someone will say PhoneGap I'm sure, but look at their app showcase before you do.

  5. Mark 85 Silver badge
    WTF?

    What really gets to me....

    I ran this for a "friend" who insists on using it. He called me because VoodooShield found one of the components (gcheck.exe) to be "unsafe". WTF, Adobe???? It's supposedly something from ask.com.

    Anyway, the friend got what he wanted... I'm not sure why and didn't ask. I just said, I'm not supporting Flash for anyone after today... friends, relative, etc. as it is crap and will increase your odds of getting malware.

    1. Anonymous Coward
      Anonymous Coward

      Re: What really gets to me....

      What really gets to me....

      "I ran this for a "friend" who insists on using it. He called me because VoodooShield found one of the components (gcheck.exe) to be "unsafe". WTF, Adobe???? It's supposedly something from ask.com.".

      "Just said, I'm not supporting Flash for anyone after today... friends, relative, etc. as it is crap and will increase your odds of getting malware".

      Using ask.com along with Adobe, is just increasing the odds 100% of getting malware.

  6. Anonymous Coward
    Anonymous Coward

    Connection failure

    The last two updates I've tried to run have been met with a connection failure to Adobe's servers, followed by the deletion of the executable file, requiring you to download it again!

    The solution used to be to visit this page: https://www.adobe.com/in/products/flashplayer/distribution3.html

    ...and grab the offline installer. Now though I see this message:

    "WARNING

    This page and the download links will be decommissioned on January 22nd, 2016."

    So Adobe, do you have to work at being the biggest bunch of cunts on the planet, or does it just come naturally?

  7. Anonymous Coward
    Anonymous Coward

    78 bugs? How can a 20 year old program still have 78 bugs that can be squished in one go? The source code must comtain more buggy lines than safe lines.

  8. earl grey Silver badge
    FAIL

    no, they're cunts all right

    They have already taken away the easy download links for reader and other products... guess i'll have to find another PDF reader since i don't like those little "loader" downloads. Adobe, you suck; and not in a good way.

    1. Anonymous Coward
      Anonymous Coward

      Re: no, they're cunts all right

      Personally I switched to Sumatra a long time ago...

      1. DropBear Silver badge

        Re: no, they're cunts all right

        "Personally I switched to Sumatra a long time ago..."

        Smart choice. It's the _only_ thing I know of that actually can load in a timely fashion hundreds of megabyte's worth of those stupid image-laden PDF product catalogues some firms insist on having. Now, imagine my surprise when just the other day it actually failed to display a few pages in a fairly small PDF (only a few pages, but all of them horrendously large images)...

  9. Anonymous Coward
    Anonymous Coward

    One to go

    Of all the web content I oversee, I have 1 solitary SWF object left.

    Do you think the owner will spend the $ to change it?

    No.

    This, despite 50% of their customers not being able to run Flash.

  10. Michael Thibault

    Flash needs a Nexus 7 treatment

    And a self-deleting installer, so that any installation of Flash definitively undoes itself after a short time--a month, say. That way, anyone intent on using it has expressly to go to adobe.com to get one of the ever-thinning options for re-installing it, fresh from the latest bug-fixing. No matter what, though, Flash is going to have a long tail-off. That is now the issue. Over to you, Adobe...

    1. Anonymous Coward
      Anonymous Coward

      Re: Flash needs a Nexus 7 treatment

      >No matter what, though, Flash is going to have a long tail-off.

      They just need someone with the balls to Open Source Player - they did it with Flex, it's not unimaginable. The only practical obstacle was hard cash from premium video and they've all but lost that battle now. It remains a vastly superior platform technically to the horrors of HTML5/JS - it's rendered appalling only by a failure to secure and support it.

  11. Anonymous Coward
    Anonymous Coward

    Are they still pushing Adobe Air though?

    They might be deprecating Flash, but some places seem to be advocating strongly for Adobe Air still.

    Adobe Air is really Flash in it's own executable environment (non-browser), with bundled extensions. Seems to be vulnerable to many of the same bugs, though not by browser vector.

    1. Stevie Silver badge

      Re: Are they still pushing Adobe Air though?

      Adobe Air sits on the JVC which means that if you have (say) a copy of the complete National Geographic and if (say) you rebuild your machine after a couple of years, your CNG won't work after Java updates itself on installation. Nothing you can do will fix it either.

      Given the piss-poor implementation of the reader the loss is debatable.

      Adobe Air also uses a proprietary document format. Anyone know how to port these to pdf format, because I'd like to have access to those magazines again.

      1. Joe User

        Re: Are they still pushing Adobe Air though?

        Adobe Air also uses a proprietary document format. Anyone know how to port these to pdf format, because I'd like to have access to those magazines again.

        How to convert a AIR file to a PDF file

        https://en.pdf24.org/air-2-pdf.html

        1. patrickstar

          Re: Are they still pushing Adobe Air though?

          That's some autogenerated spam pages to get people to download their, probably ad/malware laden, PDF software..

          AIR files are ZIP files with some AIR-specific metadata, so converting that to a PDF would mean... what exactly? Producing a PDF version of the list of files?

      2. patrickstar

        Re: Are they still pushing Adobe Air though?

        Adobe Air has nothing to do with Java. It's basically Flash Player + APIs for stuff like unrestricted filesystem access + packaging.

        Considering a whole lot of tools for targeting it are open source that should be a good starting point for any Flash/Air-associated formats. If that doesn't help, chances are they rolled their own or are using some obscure 3rd party lib.

  12. patrickstar

    HTML5 more secure?

    Flash actually comes with an important security advantage: It can be disabled, click-to-played, enabled on a case-by-case basis, etc. Now, thanks to this "great" idea called "HTML5" (+supporting technologies) you now have a huge, immensely complex, attack surface in every major browser and no comparable way to get rid of it. At most you can disable some of the worst ideas like WebGL one by one, but just like what happened with JS I bet a lot of sites will start assuming it's always there. And nowadays having any JS functionality at all enabled means exposing approximately one gazillion lines of extremely complex heavily optimized utterly unsafe code even when you'd be just fine with a simple interpreter.

    So even if browsers magically have an order of magnitude less bugs than Flash, everyone is still worse off.

    1. HAL-9000
      Paris Hilton

      Re: HTML5 more secure?

      Correct me if I'm wrong, but isn't html 5 just an open web standard, as such it simply defines a set of interfaces; nothing to be afraid of there? HTML 4 etc were like wise just standards. It's the flash implementation that causes issues, being closed source and full to the rafters with bugs it is widely regarded as somewhat problematic. Problems with HTML 5 code will arrise, some will be caused by numpty web designer/developers using implementations incorrectly, and some by poor implementation in vendor specific browsers.

      To surmise:

      flash bugs + browser bugs + web bugs > browser bugs + web bugs (we hope ;) )

      PS The ability to slightly control flash behaviour is probably about as much use as a tin foil hat

      1. patrickstar

        Re: HTML5 more secure?

        HTML5 and the associated technologies is a huge, immensely complex beast. Implementing them means an immensely increased attack surface. Even with far better practices, coding standards, review/audit processes, etc than any browser vendor maintain you are bound to end up with a _lot_ of issues.

        If I could turn all that new stuff geared at rich-internet-application-stuff off, fine. But I can't. At most I can run an ESR release or whatever. Unlike Flash, which I can disable/enable completely as needed. And disabling/click-to-play'ing it isn't exactly "slightly control[ing] flash behaviour".

        (For the record, click-to-play with Java has turned out not to be 100%, but AFAIK Flash has a simpler model without Webstart et al.)

      2. Charlie Clark Silver badge

        Re: HTML5 more secure?

        flash bugs + browser bugs + web bugs > browser bugs + web bugs

        Jury's out on that. Fact is all the browsers are more robust than they used to be and the plugin architecture is on the way out. But the same multimedia that provides such a rich vein of attack vectors for Flash may also turn out to be useful for anything accelerated API that is more than likely being given privileged access to hardware (codecs, openGL, etc.). Quicktime and Windows Media Player in the past have had their own share of bugs and they are still providing part of the services for the new browsers.

        My guess is that the new attack toolkits just aren't as sophisticated yet as they are for Flash, et al. True the new browsers have been hardened in a way that Macromedia could never have thought of when it was adding the bells and whistles, but who knows if that'll be enough? The browsers have one thing going for them in that they don't publish implementation APIs so that are freer to replace an implementation if it turns out to be a turkey. This comes at on overhead of having to agree the API with other interested parties and then make it work. Flash is a victim of backwards compatibility. Back in the day that meant it could add features quickly and keep developers happy and it effectively ended the "install a plugin to what this video" malarkey we had for much of the first decade of this millennium.

  13. Anonymous Coward
    Anonymous Coward

    bleedy aunty

    trouble is the bleedy Beeb still require it! If they'd ditch it I'd be disabling it on our network like a shot

  14. This post has been deleted by its author

  15. Anonymous Coward
    Anonymous Coward

    British Open?!?!

    No such tournament exists.....

    See -> https://en.wikipedia.org/wiki/The_Open_Championship

  16. Anonymous Coward
    Anonymous Coward

    FFS

    78 NEW vulnerabilities, from the LAST lot of (supposedly) fixed code borks..

    For fucks sake, how is it possible to write (or fix) code so effing badly that 78 NEW separate exploitable bugs exist in a fucking piece of software that has been around for the last decade and a half and has had more holes than a colander...

    KILL

    FLASH

    NOW.

    1. patrickstar

      Re: FFS

      Where does it say that they are actually exploitable? Adobe seems to list anything crashy as potentially exploitable, which may or may not be the right thing to do. False negatives are rare but really nasty - classic example of this would be apache-scalp from the early 2000's.

      However, judging by the number of actual Flash exploits in the wild, the vast majority of the bugs are at the very least not wild-grade.

      "Multi-million line software with a 20MB executable contains 78 unfixed bugs" certainly doesn't sound very dramatic, or (sadly) out of the ordinary.

      Unfortunately with all web-stuff nowadays the {performance,features}/{reliability,security} tradeoff is heavily weighed towards the former.

  17. HAL-9000
    Flame

    Mutually exlusive

    You say "Even Adobe is nudging customers away from Flash, renaming its most-recent version of Flash Tools "Animator" and encouraging a move over to HTML5. ®"

    They say Adobe is also doing its best to ensure the continued use of Flash on the new web. Flash dominated on PCs as a medium for serving media and ads.

    Who's right, I wished flash would just curl up and die either way

  18. nilfs2
    Terminator

    The problem with Flash is the same problem with Cisco and Microsoft

    Web developers get taught how to work on Adobe products since day 1, same way people learning networking get taught to use Cisco products since day 1 and server administrators and desktop app developers get taught to use Microsoft tools since day 1; those companies have taken universities and main learning centers as hostages so students won't learn alternative ways to do stuff and only use their products.

  19. LINCARD1000
    Facepalm

    I want to cry...

    While it's not on my personal machines at home, we are forced to have it on the comps we have at work for some business critical applications (payroll and vehicle booking). The people who make decisions here didn't even consult and the PHB didn't think to object either when these solutions were implemented.

    1. patrickstar

      Re: I want to cry...

      Unless it's heavily intertwined with the web site (like calls Javascript on the pages to do stuff) you should be able to run the SWF in the standalone player just fine, although you need to do some voodoo to let it do networking stuff. It's been ages since I fiddled with anything Flashy, but http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html# might be what you need.

      1. LINCARD1000

        Re: I want to cry...

        In this instance it's two external vendor sites, so nothing we've got any active control over.

        I've tried just about every kind of voodoo short of gutting a live chicken on the boss' desk to find a work-around as well.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019