Adobe squashes TWO critical Flash vulnerabilities with emergency patches

Adobe published a critical Flash Player update on Tuesday to fix three exploits, two of which are under active attack by hackers. Two of the three vulnerabilities are being used by nefarious folk, Adobe said, and one of these two explicitly targets the Firefox browser. Adobe introduced the Flash Player sandbox a year ago to …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters Silver badge

    Morons

    > 2013

    > buffer overflow vulnerability

    "Yeah, our QA hasn't gotten into this static checking thing yet, uh, uh...."

  2. Anonymous Coward
    Stop

    Remember those old "Get a Mac" commercials?

    FTFA - "Adobe classified the update with a priority rating of 1 (do it now if you value your computer) for Windows and Macintosh systems, and 3 (install at your discretion) for Linux kit."

    When will the press finally acknowledge that Mac is not "safe by design", and in fact is performing no better from a security perspective than Windows? In fact, Win 8 appears to be more secure than Mac.

    1. Mike Bell

      Re: Remember those old "Get a Mac" commercials?

      Macs *are* safer than PCs if you don't use dodgy software like Flash. And even if you do, Apple move with lightning speed to make sure that Safari can't use an out-of-date Flash plug-in.

      I got down voted last week for saying the world would be a better place without Flash. I'm happy to repeat that here, and not at all fussed that I have it blocked on my machine.

      1. bazza Silver badge

        Re: Remember those old "Get a Mac" commercials?

        "I got down voted last week for saying the world would be a better place without Flash."

        Shame then that the browser developers are bickering about what to replace it with then, at least as far as video codecs are concerned. Nice to know they have their own interests at heart, not ours...

        Also,

        "Macs *are* safer than PCs if you don't use dodgy software like Flash."

        could easily be re-written as "PCs *are* safer than Macs if you don't..."

      2. Field Marshal Von Krakenfart
        Childcatcher

        Re: Remember those old "Get a Mac" commercials?

        Fixed it for you

        PCs *are* safer than Mac PCs if you don't use dodgy software like Flash, Windows, MS Office, Linux, OSX, Open office, Autocad, firefox, safari, chrome etc etc., never use email or ever connect to the internet.

        In fact, in order to keep your 'puter totally safe, don't ever take it out of the box....

      3. Anonymous Coward
        Anonymous Coward

        Re: Remember those old "Get a Mac" commercials?

        >"Apple move with lightning speed to make sure that Safari can't use an out-of-date Flash plug-in."

        But, Apple moves with glacial speed to address Java vulnerabilities. Flash is a small issue compared to the half-million-Mac botnet of systems that were compromised through the Java rootkit.

      4. Anonymous Coward
        Anonymous Coward

        Re: Remember those old "Get a Mac" commercials?

        Actually Apple doesn't and I have been using Flash 10 and Firefox on Safari until today when it was squashed. Adobe upgraded to 11 saying it would work on all Apple Intel machines! It does not!

        You cannot 'avoid' flash as most media use it all the time

    2. isomorphic
      Trollface

      Re: Remember those old "Get a Mac" commercials?

      Perhaps you'd be better off criticizing the Mac platform when it isn't mentioned *after* Windows in a vulnerability list and for a problem that is entirely the fault of a third-party anyway.

      I'm not saying the Mac is invulnerable, just that obvious troll is obvious.

      1. Anonymous Coward
        Anonymous Coward

        Re: Remember those old "Get a Mac" commercials?

        You mean like Mac OS-X having over 1700 known security vulnerabilities, versus only about 450 for say Windows XP?

    3. Anonymous Coward
      Anonymous Coward

      Re: Remember those old "Get a Mac" commercials?

      Personally I have never bought that "Mac is safe" line. SafeR, yes, but no platform is 100% safe - it just takes a lot less effort to keep it clean (no weekly GB sized patches, for instance). Having said that, MS has finally started to clean up - Win 7 is a lot better in that respect. This is why I do have a virus checker on the Mac, I like facts.

      Looking back over the last couple of months, it appears avoiding Adobe and Microsoft products is a good way to cut down on risk - by installing those you end up with Windows levels of patching, and then there is that Java issue which is a mess pretty much shared between Windows and OSX.

      Adobe gets in my book quite a raft of extra minus points for supplying a download agent instead of the real program, which means that you cannot properly virus check what it installs - you can only do that after the fact - and their "we ask you to accept our license but we will make it as difficult as possible for you to actually read it" approach to license statements. As a matter of fact, it is quite possible that this would fail under UK law.

      Thankfully I don't need Photoshop, but the BBC using Adobe Air for its iPlayer was NOT a welcome idea.

    4. Anonymous Coward
      Anonymous Coward

      Re: Remember those old "Get a Mac" commercials?

      Windows has always been more secure than Macs ever since the release of OS-X if you look at the relative numbers of security vulnerabilities...

  3. isomorphic
    FAIL

    Uninstall

    This was an excellent opportunity to uninstall Flash.

    One can think of it as the ultimate Flash security patch.

  4. Anonymous Coward
    Anonymous Coward

    Crapware

    Watch out for the Don't install crapware option. It's on the download page instead of in the installer.

    1. Tom 13

      Re: Crapware

      That's this week. They'll move it next week.

  5. Chakra

    Where's the Sandbox?

    Wasn't the Vista/Seven exclusive sandbox or protected mode supposed to mitigate exposures like this? The fact that they list the exploits on Mac, Linux who don't have protected mode means the sandbox should have done its job, right?

  6. Anonymous Coward
    Anonymous Coward

    Unwanted prompts?

    Are those the fixes that introduced the new prompts like "Do you want to let this content play"?

    They've broken one of my semi-automated tools that checks hobby web sites for specific content changes. The VBA application uses Excel 2007 with an embedded WebBrowser object. When the flash prompt appears it usually won't respond to mouse clicks to tell it to "continue". The WebBrowser object is then frozen - and Task Manager has to be used to abandon the Excel session. At that stage the page is only being loaded - not processed by the VBA.

    Adobe should have included a preset option in the "Advanced" settings to always be "No" so the prompt wouldn't need to appear. Not sure if their list of permitted files has any effect on this - especially as it is difficult to determine which element on a page is causing the prompt. An alligator in the swamp that is most unwelcome.

    1. Anonymous Coward
      Anonymous Coward

      Re: Unwanted prompts?

      I've had a word with Adobe on your behalf and they've agreed to roll back immediately. They apologise profusely for the inconvenience caused to your obtuse hobby project.

      1. Anonymous Coward
        Anonymous Coward

        Re: Unwanted prompts?

        your obtuse hobby project

        .. which, being based on VB and other Microsoft products, was pretty much hosed from inception..

        1. Anonymous Coward
          Anonymous Coward

          Re: Unwanted prompts?

          ".. which, being based on VB and other Microsoft products, was pretty much hosed from inception.."

          Hmm - the Excel VBA suite of apps has been working very usefully for getting on for 15 years through several Office/OS migrations. That's pretty good for the constant flux of the IT world. My Apple II and mainframe apps have long since become incompatible museum pieces.

          Any IT development is hostage to an unexpected side-effect of an apparently innocuous change elsewhere - even if you write all the code yourself.

          A strategy has already been designed into the application to cope with sites whose processing fails to complete in some way. C'est la vie, c'est la guerre. Je suis content.

    2. Dan 55 Silver badge

      Re: Unwanted prompts?

      Control Panel > Flash > Advanced > Developer Tools > Change trusted locations.

  7. Nigel 11

    Flashblock?

    Does anyone know for sure whether the Firefox Flashblock plug-in (which I use) is a generic fix for these problems in respect of any flash stuff that you don't actually choose to display? In other words does flashblock keep the flash data strictly away from the flash code until you click on the logo?

    1. Anonymous Coward
      Go

      Re: Flashblock?

      It appears to me that this is the case. You could do some reverse engineering by looking at the process list. Or by looking at the source:

      http://flashblock.mozdev.org/source.html

  8. phuzz Silver badge
    Go

    For those that would like a link to the full installer:

    http://helpx.adobe.com/content/help/en/flash-player/kb/installation-problems-flash-player-windows.html#main-pars_header

    That should make life slightly easier if you have many PCs to update.

  9. banjomike
    FAIL

    It would be nice if Adobe fixed some long-standing bugs

    One that has been around since 2011 and has JUST decided to affect me is a bug where the audio of any flash video is automatically played at 100% which can be damaging to one's hearing. Pick another video and that is automatically played at 100%. There is no way to reduce the volume for subsequent videos without disabling protected mode.

    Just in case anyone is wondering about Adobe and if they even intend to fix this bug:

    https://bugbase.adobe.com/index.cfm?event=bug&id=3210127

    The bug is listed as "Priority = 3-High", "State Closed", "Status Deferred".

    Same bug in Firefox, IE, and Chrome.

    1. Anonymous Coward
      Anonymous Coward

      Re: It would be nice if Adobe fixed some long-standing bugs

      I'm puzzled - does that mean that every app has the ability to affect the overall system sound volume? Ugh.

      1. TeeCee Gold badge

        Re: It would be nice if Adobe fixed some long-standing bugs

        I suspect that's "100% of the current system volume". Most players have a volume control that allows you to reduce or increase the volume of the audio within that limit as videos do not all have the same volume on them. Most also have the good grace to remember the setting last used when you fire them up.

        I suspect that the sandboxing has rendered persistent setting difficult to achieve. Actually it should be impossible to achieve, as the very fact that the embedded player has stored something (its current volume setting) while in use on a page means that it has access outside the sandbox.

        1. banjomike
          FAIL

          Re: It would be nice if Adobe fixed some long-standing bugs

          It is as if you go to Youtube (or anywhere else), load a video, and then slide the volume control on the Flash player to maximum. Every time. The most annoying part of this stupid bug is that it suddenly arrives on your PC. One minute everything plays OK then BANG (or other loud noise) every single flash video plays at maximum volume. Adobe have shelved the issue essentially saying it is not their problem and blaming the OS and browsers.
