The roots go deep: Kill Adobe Flash, kill it everywhere, bod says

Fortinet security researcher Bing Lui has warned users that they can still be p0wned if they only disable Adobe Flash in web browsers. Lui's warning speaks to advice last week that users dump Flash to bolster security in the wake of the public disclosure of three zero-day vulnerabilities (CVE-2015-5122, CVE-2015-5123, and CVE- …
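The point of the warning is that the Flash runtime is not only a browser plugin: the same ActiveX control can be embedded in Office documents and other hosts, so a browser-side disable leaves that path open. The following Python script is an added example (not the article's or Fortinet's code) of one check a practitioner can run: it scans an OOXML container (.docx, .pptx, .xlsx) for any part that references the Shockwave Flash ActiveX control, matching both the textual CLSID/ProgID found in activeX*.xml parts and the binary GUID form that OLE streams use. The CLSID is the standard one registered for the Flash control; the sample documents are constructed in memory for the demonstration and the activeX part is modelled on the Office ActiveX schema (the attribute names there are an assumption; only the classid value matters to the scan).

```python
"""Added example: find Adobe Flash ActiveX controls embedded in OOXML documents.

A browser-only Flash disable leaves the ActiveX control reachable from Office
files, so this scanner looks inside .docx/.pptx/.xlsx zip containers for any
part that names the control. Not the article's code; the sample documents
below are constructed in memory purely for demonstration.
"""
import io
import uuid
import zipfile

# CLSID of the Shockwave Flash ActiveX control (ProgID ShockwaveFlash.ShockwaveFlash).
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")

# Text forms as they appear in activeX*.xml parts and in ProgID references.
TEXT_MARKERS = (str(FLASH_CLSID).encode(), b"shockwaveflash")
# COM serialises GUIDs in mixed-endian form inside OLE streams (e.g. oleObject*.bin).
BINARY_MARKER = FLASH_CLSID.bytes_le


def find_flash_parts(data: bytes) -> list[str]:
    """Return the names of archive parts that reference the Flash control.

    Raises ValueError for non-zip input so legacy binary .doc/.ppt files are
    not silently reported as clean; those need an OLE2 parser instead.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML zip container") from exc

    hits: list[str] = []
    with archive:
        for info in archive.infolist():
            blob = archive.read(info.filename)
            lowered = blob.lower()  # ASCII-only lowering, safe on binary data
            if any(marker in lowered for marker in TEXT_MARKERS) or BINARY_MARKER in blob:
                hits.append(info.filename)
    return hits


# Constructed activeX part modelled on the Office 2006 ActiveX schema (assumption:
# attribute names follow that schema; only the classid value matters for the scan).
ACTIVEX_PART = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
    'ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}" '
    'ax:persistence="persistStreamInit"/>'
)


def build_sample(embed_activex: bool = False, embed_ole: bool = False) -> bytes:
    """Build a minimal pptx-like container (constructed test data, not a real deck)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if embed_activex:
            zf.writestr("ppt/activeX/activeX1.xml", ACTIVEX_PART)
        if embed_ole:
            # Padding around the raw GUID mimics an OLE stream carrying the control's CLSID.
            zf.writestr("ppt/embeddings/oleObject1.bin",
                        b"\x00" * 24 + BINARY_MARKER + b"\xff" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample()),
                          ("activeX", build_sample(embed_activex=True)),
                          ("ole", build_sample(embed_ole=True))):
        print(f"{label}: {find_flash_parts(sample) or 'no Flash references'}")
```

A hit does not prove exploitation, only that the document will try to instantiate the Flash control; the useful follow-up is checking whether the control is still registered on the host at all (the Windows registry key for that CLSID), since removing the ActiveX package is what actually closes the non-browser path.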

  1. Tom Chiverton 1

    Mozilla announced no such thing.

    Also, why no Java bashing articles? Did you see the recent Oracle CPU?

    1. Stuart Castle Silver badge

There seem to be a group of writers at El Reg who appear to have something against Flash Player. I see the same names cropping up again and again in articles condemning it as a bug ridden pile of hurt. I'm not saying Flash Player isn't a bug ridden pile of hurt. It is, and I would gladly get rid of it if I didn't have to use it to log on to the admin console for one of our VM clusters. Java, which seems to be largely ignored by the same people, is also a bug ridden pile of hurt.

      I know that El Reg has never even pretended to be a balanced news source, but this is getting ridiculous.

And you are right. Mozilla have not announced they are dumping Flash, merely disabling it by default, which is a good thing. Those who want Flash animations to play can have them, but everyone else does not have to. I think other vendors should be doing the same, whatever product the Flash movie is embedded within.

      1. This post has been deleted by its author

      2. Destroy All Monsters Silver badge

        Your DailyKos message

        I see the same names cropping up again and again in articles condemning it as a bug ridden pile of hurt.

        IT'S A VAST RIGHT-WING CONSPIRACY!

        FLASH IS ACTUALLY GOOD FOR YOU!! KEEP IT TO WATCH MOVIES!!!!

        THE TRUTH SHALL PREVAIL!!!+!

        1. illiad

          Re: Your DailyKos message is wrong...

          YouTube DOES NOT need flash...

          Oh and note that JAVA is different from JavaSCRIPT... AFAIK... :)

      3. Sean Timarco Baggaley

        "I see the same names cropping up again and again in articles condemning it as a bug ridden pile of hurt."

        El Reg doesn't have a staff of hundreds of writers, so you're naturally going to see the "same names cropping up again and again". I'm curious as to why you think this is a surprise.

        And Flash is a bug-ridden piece of legacy code that should have been taken outside and put out of our misery a long time ago. I'd also be quite happy to see the same sentence passed on Java; I'm an equal opportunities hater of shit technology.

        1. Maventi

          "I'd also be quite happy to see the same sentence passed on Java; I'm an equal opportunities hater of shit technology."

          Agree if you refer to the browser plugin, which is where the big vulnerabilities are. Aside from that Java is actually a very useful platform, especially for cross-platform server apps.

          1. Sean Timarco Baggaley

            "Java is actually a very useful platform, especially for cross-platform server apps."

            Java is a massively bloated kludge. It's "cross-platform" in the way that a train is cross-platform when derailed at speed just before entering a station: the term technically applies, but it's definitely neither pretty nor elegant. Java reinvents every wheel common to every operating system, embeds these new wheels in a gargantuan virtual machine, then dumps that VM on top of the underlying operating system, effectively duplicating most of it. Now, instead of one vastly complicated source of potential security issues, we have two!

            Java is not cross-platform: it is its own platform.

            How the hell this mess ever managed to get anywhere at all boggles my mind, but then again, this is the same industry that thought nailing object-orientation onto a low-level portable assembly language was a good idea.

            Oh dear, I appear to have ranted all over this nice clean thread. Sorry.

            1. Anonymous Coward

"Java is not cross-platform: it is its own platform."

              Well guess what, if you truly want to be universally cross-platform in a world where nothing is guaranteed in any given OS, as the saying goes, "If you want something done right, you have to do it yourself." IOW, Sun pretty much had no choice; they couldn't rely on the OS makers to find common ground since they were competing against each other, so they either dictated terms or lose the vaunted goal of universality.

      4. Charles 9

"And you are right. Mozilla have not announced they are dumping Flash, merely disabling it by default, which is a good thing."

        Actually, Mozilla HAS announced an intention to eventually drop Flash. Project Shumway is intended to produce a replacement.

    2. Anonymous Coward

      Why no Java bashing articles

      Because no one has had a Java plugin installed in their browser for years. The use of Java is now limited to running Java applications shipped by reputable vendors, so while there are still security holes they aren't really all that big of a deal since you don't have to worry about malware related exploits delivered via web or email.

      1. Tom 13

        Re: Why no Java bashing articles

        That's funny!

Because the only reason I have to support those pieces of shit (yes, by policy we're required to install both 32 and 64 bit versions) is the multiple browser apps used at my work place. I suppose the internal group releasing their updates is nominally a "reputable firm", but given that until 2 months ago they insisted that unless you were running 7.49 they wouldn't provide troubleshooting support, that's a very, very broad definition of nominal. They did actually announce they were going to 8.51 about a month after .51 was released, so at least the frequency of their updates may be improving. But they still wouldn't help with .51 before they announced it.

    3. Trevor_Pott Gold badge

      http://www.theregister.co.uk/2012/09/03/java_cleanup/

      http://www.theregister.co.uk/2012/08/30/i_hate_java/

      FFS, how many times do I have to write "Java is a piece of shit stop using it unless there's a gun to your head making you do so"?

There is no need for Java in the browser. Many/most people aren't installing it anymore. Bloody everyone is still installing Flash. The drum needs banging until we treat the bug ridden piece of shit that is Flash as being at least as toxic as the bug ridden piece of shit that is Java.

      1. illiad

the problem with Flash, it is like IE.... :( 90% haven't a clue, and most of these are managers, who never actually see a web-page.. Their secretary does that for them!!! (so they still think the 'net is 'wonderful' like MS keeps saying - that poor secretary has the task of 'getting their fancy video to work'... :( )

        all the rest just think 'java' means good coffee!!!! 'oh, IE needs something! :E {blindly clicks every prompt}

    4. Tom 13

      Re: why no Java bashing articles?

      Because the exploit being covered in the article is Flash not Java.

      As for the lie that they haven't been bashing Java, well that's just an outright lie. For the last 6 months every time yet another Java exploit has been announced, there has been an article properly bashing Java.

  2. Steve Davies 3 Silver badge

    Yet...

    I still get asked if I want to allow MS Orifice to accept incoming requests after every update.

    Why would I want Powerpoint or word to accept external (off PC) operations?

Isn't that just a security hole of equal magnitude to Flash?

On the subject of Flash (shudder), can someone please bang a few heads together at places like the Beeb and get them to stop using Flash ASAP. Then it can be consigned to history.

    1. My Coat

      Re: Yet...

      You can work around the BBC normally requiring Flash by changing the user agent of your browser to pretend to be an iPad. Doesn't work for Channel 4's on demand service though: that just asks you to install their app.

    2. Roq D. Kasba

      Re: Yet...

What's the current alternative? We only get iPlayer because the Beeb can promise the rights holders that the programmes are DRM locked down. Some programmes are available for a week, some for a month, some eternally, depending on the deal they could do, so it shows the will is there; just the technical alternatives that allow the same control aren't front and centre yet.

      1. This post has been deleted by its author

    3. ailing

      Re: Yet...

      They claim to be working on it. Part of a reply to a complaint I made last week...

      Fortunately, we’re in the process of updating our systems to enable us to stop using Adobe Flash for video playback on computers. Instead we’ll be moving to the HTML 5 format. When this happens, the experience to users should be seamless for all new content. But we will update our help site to advise of the changes.

    4. Anonymous Coward

      Re: Yet...

      With mandatory W10 updates who knows what other stupidity Microsoft will force on you ?

    5. illiad

      Re: Yet...

MS Orifice: It seems on the Mac it's a security thing to check other users, to see if the licence is the same?? Haven't seen it on a PC, unless it's some fancy/idiot feature like 'load an online webpage into Word'???

      I think Apple has been 'helping' £££ the BBC so their webs work !... :P :) found this addon to make it look like IPad!! :E

      https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/?src=search

      The new w10 'Edge' browser has this strange Useragent... :O

      Mozilla/5.0 (Windows NT 10.0; Win64; X64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10162

      ailing: what company would that be??

  3. theOtherJT Silver badge

    User pushback

    I'm sure part of the problem here is the users. Don't get me wrong, Flash is an open wound, but it's only installed on any of my machines because of the incessant braying from office staff if I take it away from them. Some of those staff out rank me and I have to comply, but nothing here NEEDS the bloody thing.

We're going to struggle to make this go away until we can properly educate people about what a terrible idea it is having it in the first place. Sadly it's not people like you and me who get to choose if we run it or not. We _know_ how bad it is. We need to do a better job of getting that message over to everyone else.

    1. Anonymous Coward

      Re: User pushback

      Some of those staff out rank me and I have to comply, but nothing here NEEDS the bloody thing.

      Ah, that's actually where the problem lies - some do. Some websites unfortunately still need Flash to work, and not all of them are avoidable due to services they offer or other reasons. If everyone could just tell sites with Flash to come back when they have a safer idea to offer service, fine, but some have a position where they hold all the cards.

      1. Charles 9

        Re: User pushback

Like INTRANET control sites. And since they're attached to high-ticket still-being-amortized hardware, you're basically up the creek. You either put in Flash or find somewhere else to work.

    2. Tom 13

      Re: We're going to struggle to make this go away

      No, you're going to struggle with it until somebody comes up with a replacement that actually works as well as Flash does. Granted, the biggest part of that is the ubiquity of Flash, but them's the breaks.

  4. Peter Gathercole Silver badge

    Well, I can't be pwned from Word and Powerpoint....

    Because Microsoft don't make them for Linux!

    From other things, well, maybe.

  5. This post has been deleted by its author

    1. Michael Thibault
      1. Destroy All Monsters Silver badge

Ahhhh ... echoes of A.K. Dewdney's "Computer Recreations"....

Clark recalls that Animal was such a popular game that eventually every directory in the company system contained a copy. "Furthermore, as employees of the company were transferred to other divisions...they took Animal as well, and thus it spread from machine to machine within the company." The situation would never have become serious had it not been for the fact that all those copies of this otherwise innocuous game began to clog the disk memory. Only when someone devised a more "virulent" version of the game was the situation brought under control. When the new version of Animal was played, it copied itself into other directories not once but twice. Given enough time, it was thought, this program would eventually overwrite all the old versions of Animal. After a year had passed, a certain date triggered each copy of the new Animal program. "Instead of replicating itself twice whenever it was invoked, it now played one final game, wished the user 'goodbye' and then deleted itself. And thus Animal was purged from the system."

  6. Dick Emery

    Flash Bang Wallop What a Picture!

    I really don't understand why Flash cannot be run in a sandbox from now on. There are TONS of creative things made from Flash (animations and interactive games etc). For them to be wiped out overnight because they want to ban Flash means the loss of a large chunk of our online creative culture and heritage. If it's such a security risk just sandbox that sucker!

    1. Sorry that handle is already taken. Silver badge

      Re: Flash Bang Wallop What a Picture!

      To lose Zombo.com would be tragic.

    2. Charles 9

      Re: Flash Bang Wallop What a Picture!

      Because sandboxes don't offer up much protection, especially when it by necessity has to interact with the system. Look at Java. It was supposed to be in a sandbox until someone wrote a bypass exploit. Flash would be in the same boat.

      1. Destroy All Monsters Silver badge

        Re: Flash Bang Wallop What a Picture!

        Because sandboxes don't offer up much protection, especially when it by necessity has to interact with the system.

        It depends on the sandbox...

        In-program permission verification on legacy system with all the warts < Virtual machine < Another machine < Another universe

        But flash should simply be ported to Java.

        Then there would be only one problem.

        1. Anonymous Coward

          Re: Flash Bang Wallop What a Picture!

          As mentioned before, sandbox bypass exploits already exist. There are also exploits to bypass permission verification. The next logical step (we're not there yet thankfully) would be a Redpill exploit, allowing a program in a VM to escape to the hypervisor.

          1. Destroy All Monsters Silver badge

            Re: Flash Bang Wallop What a Picture!

            allowing a program in a VM to escape to the hypervisor

            These may very well not exist because the isolation of the hypervisor is easier to verify, and can possibly be verified formally.

            1. Anonymous Coward

              Re: Flash Bang Wallop What a Picture!

              What makes the hypervisor easier to verify than a sandbox?

        2. Tom 13

          Re: Then there would be only one problem.

          You know, squaring infinity doesn't reduce the magnitude of the problem.

  7. Anonymous Coward

    The real question is...

...do the patches that were just issued actually provide the proper protection?

    1. Destroy All Monsters Silver badge

      Re: The real question is...

      Wanna make a bet?

  8. LaeMing

Just wiped out Flash on my home system.

Biggest surprise is I haven't yet found any of my regular entertainment sites give a rather. Apparently they are already HTML5 savvy.
