Enough is enough: It's time to flush Flash back to where it came from – Hell

If you patched Adobe's screen door of the internet – its Flash plugin – last week, and thought you were safe, even for a few weeks, you were sadly mistaken. The Photoshop goliath is warning that yet another programming blunder in its code is being exploited in the wild, and says it won't have a patch ready to deploy until …

  1. Mark 85

    This is or isn't funny....

    I just got the "This website wants to install Adobe Flash Player" from the ad at the top of this article.... FAT CHANCE!!!!!!!!!!!!!!!

    1. frank ly

      Re: This is or isn't funny....

      Ad? I see no ads.

    2. Voland's right hand Silver badge

      Re: This is or isn't funny....

      You do not have flashblock? While adblock is a matter of taste, flashblock is nearly mandatory for any sane internet browsing. Either that or a CPU for which there is no flash (like my arm Netbook, actually ex-Chromebook).

      1. Anonymous Coward
        Anonymous Coward

        Re: This is or isn't funny....

        Flash works on my ARM-powered Chromebook. In fact, the Samsung ARM Chromebook does Flash better than any other machine in the house. The children use it for games and for maths exercises for school.

        1. td97402

          Re: This is or isn't funny....

          Perhaps you missed his saying his "ex-chromebook". The google Chrome browser on the Chromebook might have supported Flash but since he rooted and installed another OS, I guess it doesn't now. Much like my former Windows laptop that now runs a flavor of Ubuntu and has no flash installed.

      2. Mark 85

        Re: This is or isn't funny....

        I don't have flash installed for IE or Firefox. Period. Not on my PC or any in the house. I don't use Chrome as I'm not a fan of Google's ethics but that's for another topic.

    3. leexgx

      Re: This is or isn't funny....

      Just have click to play enabled (Chrome/Firefox/Opera only) and adblock, and most issues are not there.

      If you're using IE, well, you're a sitting duck, sorry (no adblock or click to play Flash).

      I wonder how long it's going to take Chrome to treat Flash like Java (click to play is forced if a Java app wants to load in Chrome).

      One thing I have noticed: most malware nowadays looks for VMware or Sandboxie, and if it detects them on your system it will not normally do stage 3 (drop the full payload onto your system), as it's likely you're a whitehat or a company looking at these droppers (most likely why I have never seen it on my system). As VMware or Sandboxie is unlikely to be on a normal person's computer, best to just not load droppers onto systems that have those tools on them.

    4. This post has been deleted by its author

  2. Anonymous Coward
    Mushroom

    Obligatory "Aliens" reference

    I say we take off and nuke the entire site from orbit. It's the only way to be sure.

    1. jonathan keith

      Re: Obligatory "Aliens" reference

      That's a little harsh. What about everyone else who lives in San Jose?

      1. Dave 126 Silver badge

        Re: Obligatory "Aliens" reference

        Flash... BANG!

        1. psychonaut

          Re: Obligatory "Aliens" reference

          surely that should be

          DUN DUN DUN DUN DUN DUN DUN DUN DUN DUN DUN DUN DUN DUN .....................FLASH!.............AHHHHHHHHHHHHHHHHHAAAAAAAAAAAAAA (rrgh)

      2. Anonymous Coward
        Anonymous Coward

        Re: Obligatory "Aliens" reference

        "That's a little harsh. What about everyone else who lives in San Jose?"

        In this case I'd say they were an unfortunate but acceptable degree of collateral damage. Just like NATO and the Taliban both think of Afghan wedding parties.

  3. CJ_in_AZ

    And just WHY do so damned many ads on The Register need Flash??? Seems to me it makes reading The Register a security hazard!

    Gee... and this was the first article I read after getting Flash updated to keep Firefox from whining about it...

    1. Badvok

      Use an ad/content blocker, don't ever install Flash. It is also worth blocking 'regmedia.co.uk' with whatever blocker you use to avoid the annoyingly large, spurious, and often NGFW (Not Good For Work) images The Register has taken to using.

  4. Fazal Majid

    I have always disabled Flash entirely on my primary locked-down browser (Chrome), but the last incident made me reach my tipping point. My plan is to remove Flash entirely from my Mac, and leave it in a VirtualBox VM ghetto for when I absolutely need it. That way I won't have to restart all my browsers each time there is a security update, and the damage from compromise is contained.

    The flaw in this plan is that Chrome bundles Flash, so there would still be the taint of Flash on the main OS X.

    1. Remy Redert

      I have good news for you! While Chrome bundles Flash and enables it by default, it IS possible to turn it off completely.

      To do this, go to settings > Privacy > content settings. There you can either block ALL plug-ins by default, or you can click the link below to disable individual plugins. Click that link, scroll down to Flash, click disable.

      Your machine is now Flash free as far as the internet is concerned, since Chrome will no longer load the Flash libraries.

  5. Daniel Voyce

    What are these ads people are talking about?

    I haven't seen an advert in close on 3 years....

    1. iMap

      Re: What are these ads people are talking about?

      NoScript has done the job for me for years, what ads?

  6. Anonymous Coward
    Mushroom

    Oki dokies. Enough is enough Fuckobe. Flash is out.

    This is our last five Flash deployments along with their respective dates (and we typically patch within 48 hours following the availability of an update);

    Adobe Flash Player v15.0.0.223 - 20141112

    Adobe Flash Player v15.0.0.239 - 20141126

    Adobe Flash Player v16.0.0.235 - 20141210

    Adobe Flash Player v16.0.0.257 - 20150114

    Adobe Flash Player v16.0.0.296 - 20150128

    Really? Five fucking patches within a 77-day timeframe with the last patch issued less than a week ago and already there is another security advisory for this god damned excuse of a browser plugin which is once again demonstrated to contain more vulnerabilities and require more patching than entire bloody operating systems?

    Just issued an enterprise-wide uninstall of this pile of crap. Should've done so ages ago and frankly speaking if Flash is a crucial and required component for the functionality of a given website then the webmaster really does have bigger concerns since mobile devices aren't exactly known to be very friendly towards Flash.

    And while we're on the topic of Adobe being security-incompetent my reseller had once told me that they were given firm instructions by Adobe themselves to always claim that Adobe's products and services are "very secure". I cannot recall the exact phrase but it was along the line of "we were told to always claim that Adobe and Creative Cloud are "very secure" when asked."

    Ha... ha... HA... HAHAHAHAHA.

    Yeah. So "secure" indeed that my dedicated E-Mail alias for my Adobe ID is subject to spam attempts multiple (up to a dozen) times an hour because Adobe can't fucking "secure" their website and databases either. I have since changed said E-Mail alias but it continues to stick out like a sore thumb every single time I need to review my mail exchange logs.

    News Flash Adobe...

    "Security" is a little bit more than just pulling the word out of your arses.

    1. John Sanders
      Trollface

      Re: Oki dokies. Enough is enough Fuckobe. Flash is out.

      """Just issued an enterprise-wide uninstall of this pile of crap."""

      Dear entrope, surely you did not do it to the vSphere servers, did you?

    2. xBr0k3n

      Re: Oki dokies. Enough is enough Fuckobe. Flash is out.

      Dude you missed 16.0.0.287!! That was like 3, or so, days after 16.0.0.257.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Facepalm

        Re: Oki dokies. Enough is enough Fuckobe. Flash is out.

        @xBr0k3n. So apparently I did. Sigh. Had to double-check my security advisory E-Mails.

        Make that SIX fucking patches within a 77-day timeframe then.

        Definitely an inexcusable oversight on my part however. But damn that's a lot of patching.

        @John. No vSphere under my belt. Mercifully. We do have one brand of firewall appliance we're quite fond of however which did rely on Flash for its web interface until about a year ago when the last major version release finally got rid of it. It was tolerable originally however as I much preferred to install and utilize their dedicated management application instead.

  7. Anonymous Coward
    Anonymous Coward

    Thinking about uninstalling flash for good

    It is used for very little aside from ads anymore, and I keep Chrome around as my "browse the occasional site that doesn't work right in Firefox, or has sketchy content" browser so I could use it if there is some backwater site that still hasn't got the memo and uses flash.

    I think it is pretty much like when I dumped Java a few years ago, and Shockwave a decade ago. It will be a small inconvenience on the occasional site, but given the billion iOS devices browsing the web without flash any site that requires it isn't worth bothering with in 2015.

    1. Anonymous Coward
      Go

      Re: Thinking about uninstalling flash for good

      Do it. I've been without Flash for a good four to five years now on my personal workstation and I haven't missed it a single bit. As a matter of fact it actually significantly improved my browsing experience as it got rid of the vast majority of highly annoying "flying across the screen"-style ads.

      Back when I first dumped Flash (and mind you this was back in around 2011) I did feel the pinch a little. Certain websites wouldn't load and those which did would contain missing Flash elements. These days however it is extremely rare to be handicapped due to the absence of Flash.

      Even CNN plays you videos without Flash.

      Also one of the truly rotten aspects of Flash which a lot of individuals do not consider is that it is very often used to override any anti-cookie configuration you may have. Flash has its own data store which ad networks have been known to exploit to store unique identifiers as this data store is not cleared when you purge your browsing history. I'm not sure if this is still the case as I haven't had Flash installed for years and my enterprise configuration had a policy to disable this data store but given Adobe's lousy security track record I wouldn't be surprised if this little "feature" is still open to abuse.
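Added example, not part of the comment above and not Adobe's or The Register's code: a Python audit of the separate Flash data store the comment describes (local shared objects, `.sol` files), listing which sites have left objects on disk. The directory locations and the `.sol` header layout used here are the commonly documented ones and are assumptions, as is the Chrome profile name `Default`; the sample file and the host `ads.example.test` are constructed.

```python
"""Audit Flash local shared objects (LSOs, "Flash cookies") left on disk."""
import os
import struct
import tempfile
from collections import defaultdict
from pathlib import Path


def default_roots(home=None, appdata=None):
    """Commonly documented per-user LSO locations (assumed, not exhaustive)."""
    home = Path(home) if home else Path.home()
    roots = [
        home / ".macromedia/Flash_Player/#SharedObjects",  # Linux plugin
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # OS X
        # Chrome's bundled Flash; the profile name "Default" is an assumption.
        home / (".config/google-chrome/Default/Pepper Data/Shockwave Flash"
                "/WritableRoot/#SharedObjects"),
    ]
    appdata = appdata or os.environ.get("APPDATA")  # Windows
    if appdata:
        roots.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")
    return roots


def read_lso_name(path):
    """Return the object name from a .sol header, or None if it is not an LSO.

    Header: 00 BF | uint32 length | "TCSO" | 6 bytes | uint16 name length | name
    """
    with open(path, "rb") as fh:
        head = fh.read(18)
        if len(head) < 18:
            return None
        magic, _length, sig, _pad, name_len = struct.unpack(">2sI4s6sH", head)
        if magic != b"\x00\xbf" or sig != b"TCSO":
            return None
        name = fh.read(name_len)
    return name.decode("utf-8", "replace") if len(name) == name_len else None


def audit(roots):
    """Group every .sol file under the given roots by the site that set it."""
    report = defaultdict(list)
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for sol in sorted(root.rglob("*.sol")):
            parts = sol.relative_to(root).parts
            # Layout: <random profile dir>/<origin host>/<path...>/<name>.sol
            site = parts[1] if len(parts) >= 3 else "(unknown)"
            report[site].append({
                "file": str(sol),
                "name": read_lso_name(sol),  # None => not a well-formed LSO
                "bytes": sol.stat().st_size,
            })
    return dict(report)


def make_sample_lso(name):
    """Build a minimal, constructed .sol file with an empty body."""
    body = (b"TCSO" + b"\x00\x04\x00\x00\x00\x00"
            + struct.pack(">H", len(name)) + name.encode() + b"\x00" * 4)
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "#SharedObjects"  # constructed sample tree
        f = sample / "ABCD1234" / "ads.example.test" / "player" / "uid.sol"
        f.parent.mkdir(parents=True)
        f.write_bytes(make_sample_lso("uid"))
        for site, items in sorted(audit(default_roots() + [sample]).items()):
            for it in items:
                print(f"{site}\t{it['name']}\t{it['bytes']} B\t{it['file']}")
```
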

      1. nematoad
        FAIL

        Re: Thinking about uninstalling flash for good

        "Even CNN plays you videos without Flash."

        The BBC doesn't and when I tried to contact them about their reliance on Flash via their web form:

        https://ssl.bbc.co.uk/faqs/forms/

        I got this error message:

        "An error occurred during a connection to ssl.bbc.co.uk. The OCSP response contains out-of-date information. (Error code: sec_error_ocsp_old_response) "

        It makes you wonder what they are doing with all the money that they forcibly extract from the viewers.

        Oh, I still haven't worked out how you get in contact to ask them to ditch this piece of shit.

        1. Tom 38

          Re: Thinking about uninstalling flash for good

          "It makes you wonder what they are doing with all the money that they forcibly extract from the viewers."

          The BBC is vastly underfunded for what we ask it to do. All of their awesome tech is delivered on a shoestring budget by people who should really be working elsewhere and making a whole lot more money. I don't like that they spend so much money on slebs and dancing shows, but it seems to be what people want to watch.

          PS: Why has their OCSP list got out-of-date information? Probably because the person who is fixing that is fixing something more important at the minute. Particularly given that OCSP is a dog, doesn't serve its purpose (particularly in this scenario, no client certificates to revoke, so OCSP is controlling revoking the server certificate) and most browsers will silently ignore invalid OCSP information, I'd imagine it's fairly low down the list.

        2. Z80A

          Let's campaign to ask BBC to drop Flash

          Fortunately your URL https://ssl.bbc.co.uk/faqs/forms/ worked for me and I managed to submit a comment expressing strong dislike for Flash. Please commentards, do the same and help nudge the BBC towards safer media players.

          1. nematoad
            Happy

            Re: Let's campaign to ask BBC to drop Flash

            "Fortunately your URL https://ssl.bbc.co.uk/faqs/forms/ worked for me..."

            Yes, so it does.

            I wonder if the indirect boot up the BBC's backside that I gave it worked.

            I too have left a request that they get rid of Flash.

        3. Anonymous Coward
          Anonymous Coward

          Re: Thinking about uninstalling flash for good

          Received the following from BBC regarding Flash on their website:

          Thanks for contacting us regarding our use of Adobe Flash.

          Flash was chosen for playback on bbc.co.uk in our embedded media player for several reasons.

          Reach - Flash was the most effective way of delivering a high quality experience to the broadest possible audience. It provided DRM to enable us to negotiate rights for distributing programmes online and allowed us to affordably deliver an adaptive bitrate solution and live simulcasts of our TV channels.

          You can read more about Flash, open standards and the BBC in the following blog.

          http://www.bbc.co.uk/blogs/legacy/bbcinternet/2010/08/html5_open_standards_and_the_b.html

          However, as Cathy Bartlett states in her blog below, we are looking to move to a single player across platforms and devices. We'll be continuing to exploit modern ways of embedding and playing media in web pages, researching new streaming formats such as MPEG-DASH, as we move towards using a single player across platforms and devices.

          http://www.bbc.co.uk/blogs/internet/entries/7185ad76-d3de-3df6-8641-975feed88091

          So while Flash is commonly used now, we are looking into how best to deliver media going forward.

      2. David Pollard

        If this little "feature" is still open to abuse?

        @Entrope. It is indeed still in use, and it is being used by the British government.

        After completing my self-assessed tax return last week Ccleaner obligingly removed a Flash Cookie which was labeled as belonging to online.hmrc.gov.uk. Also it looks as though access to the online tax pages isn't possible unless scripts are enabled from Google Analytics.

        Don't we pay the spooks at Cheltenham enough to avoid the need to offshore this?

        1. Anonymous Coward
          Facepalm

          Re: If this little "feature" is still open to abuse?

          @David. Thank you kindly for verifying!

          LOL @ HMRC. And face palm. Does make you wonder though how many government websites would outright collapse overnight if Flash were to be suddenly flagged as dangerous and dumped across the board by all browsers simultaneously.

        2. Martin an gof Silver badge

          Re: If this little "feature" is still open to abuse?

          "it looks as though access to the online tax pages isn't possible unless scripts are enabled from Google Analytics"

          There were a few things I had to enable (noscript / ghostery blocked) but Google Analytics wasn't one of them. Don't think I've ever had to enable that to make something work...

          M.

          1. David Pollard

            Re: If this little "feature" is still open to abuse?

            @Martin: Starting with a clean copy of Firefox portable, which did let me in, then loading addons one or two at a time, Ghostery and scripts from Google Analytics had been the only things I could see that were left to test before I gave up trying to find out what was blocking my access to the HMRC self assessment site. (Life is short, after all.)

            Today I seem to be able to get in without any problem, and apparently without a Flash Cookie being planted; though I didn't enter any data. Ghostery showed 0 trackers on the self-assessment menu page. Maybe government techies do read El Reg after all, but I still haven't had an offer of employment.

  8. Robert Helpmann??
    Childcatcher

    Lead by Example

    It's time to take the software round the back of the shed and shoot it.

    Nah, this calls for public execution* pour encourager les autres. Hang 'em high!

    * Please note that I am morally against capital punishment. I just don't know what came over me. Oh, right: Flash.

  9. Florida1920

    YouTube in HTML5, Firefox

    This feature was already turned on in Chrome (Windows); I had to enable HTML5 for YouTube in FF 35.01.

    https://www.youtube.com/html5

    I spend a lot of time on YouTube listening to favorite music, but the videos I watch look just as good in HTML5 as in Flash. There just isn't anything I want to see anymore that requires Flash.

    1. Dave 126 Silver badge

      Re: YouTube in HTML5, Firefox

      The slow death of Adobe Flash has been hastened — YouTube, which used the platform as the standard way to play its videos, has dumped Flash in favor of HTML5 for its default web player. The site will now use HTML5 video as standard in Chrome, Internet Explorer 11, Safari 8, and in beta versions of Firefox. YouTube engineer Richard Leider said the time had come to ditch the aging Flash in favor of HTML5 as the latter, used in smart TVs and other streaming devices, had benefits that "extend beyond web browsers."

      YouTube's move highlights the shrinking relevance of Adobe Flash on the modern internet. Adobe itself has spent the last few years severing many of its ties with the product — the company's 2012 Flash roadmap narrowed its focus to gaming and "premium" video, and in 2011, the company killed Flash Player for mobile, saying at the time that HTML5 was the "best solution for creating and deploying content in the browser across mobile platforms." In 2015, YouTube has realized that Flash is not the best solution for web video, full stop.

      http://www.theverge.com/2015/1/27/7926001/youtube-drops-flash-for-html5-video-default

  10. Jan Hargreaves

    I guess none of you play browser games... The top 10 games in Facebook all use flash. What would the wife do if there was no flash I ask you? Is it not a good way to keep her quiet?

    1. Dave 126 Silver badge

      Games built on HTML 5, iOS or Android should provide your good lady wife with some distraction.

      She might find a tablet - and we're hearing good things about inexpensive Android models these days - more convenient than a laptop for casual gaming / general messing around online. If she doesn't already have one, the 14th of February might give you an excuse to buy her a tablet.

      1. Alien8n

        I've been hinting at this to my other half for a while, but she's adamant she doesn't want a tablet, she seems happy enough with a woefully underpowered years old laptop that she complains doesn't work fast enough. You try to help some people eh?

      2. Anonymous Coward
        Anonymous Coward

        " If she doesn't already have one, the 14th of February might give you an excuse to buy her a tablet."

        My long experience of buying distaff side gifts tells me that an infinitesimal proportion of the female population would welcome a tech gift on that date. As an "out-of-the-blue" gift on a non-special day she'll be surprised and appreciative, but for birthdays and Valentines you may only be earning two weeks of bad tempered glaring and door banging. Stick to romantic meals, surprise weekends away, carefully chosen clothing, chocs and flowers. And just give her the tablet for the sake of it.

  11. Christian Berger

    Plugins are actually the symptom, not the root problem

    The question is, why did people even get the idea of using plugins?

    I mean the WWW did have a promising start. HTML was a simple standard with a couple of tags telling the browser how the document was structured. The design aspects were entirely left to the browser. That's why you could set your fonts in early versions of Netscape.

    What we need to do now is to kick out features of HTML. It was never made to provide "pixel perfect" GUIs. CSS has turned into a Turing-complete mess, and Javascript is abused more and more. Maybe we should replace HTML/HTTP with something new for "Web Applications", something that's been designed for it, allowing for simpler code on the browser and on the server.

    1. Tree

      Re: Plugins are actually the symptom, not the root problem

      If we ditch flash and replace it with "X" will "X" play on my Windows XP box? Please fix Real Player for the older computers. Real Player turned into such bloatware that it was useless but I never got a virus from it!.

      1. Archaon
        Mushroom

        Re: Plugins are actually the symptom, not the root problem

        "Please fix Real Player for the older computers. Real Player turned into such bloatware that it was useless but I never got a virus from it!."

        Assuming you're not being sarcastic you do understand that you are literally the only person on the entire internet who wants that thing to come back, right?

      2. Anonymous Coward
        Anonymous Coward

        Re: Plugins are actually the symptom, not the root problem

        "... it was useless but I never got a virus from it!"

        Ignorance, as they say, is bliss.

    2. Dave 126 Silver badge

      Re: Plugins are actually the symptom, not the root problem

      >The question is, why did people even get the idea of using plugins?

      It seems that Adobe (before they acquired Flash etc with Macromedia) wanted Netscape Navigator to render PDF files directly. Netscape proposed building PDF support into Navigator, but Adobe suggested that Netscape develop a system for supporting plugins, as Adobe themselves had done for Adobe Reader.

      http://en.wikipedia.org/wiki/NPAPI#History

    3. mikejs

      Re: Plugins are actually the symptom, not the root problem

      "That's why you could set your fonts in early versions of Netscape."

      Both Firefox and IE (but not Chrome) still let you do this, and let you prevent those settings being overridden. Even today, I'd recommend at least trying it. It makes things a lot more readable (the same font on all sites is a lot easier on the eye), and generally fixes more than it breaks.

    4. Daniel B.
      Boffin

      Re: Plugins are actually the symptom, not the root problem

      Indeed. People advocating for the ultimate quash of plugins are missing the point: the WWW itself was not intended to carry dynamic content at all. HTML has had a lot of stuff hacked in, from the hideous JavaScript to CSS and a lot of bloatware on top of that (AJAX! JSON!) to the point where JavaScript stuff has grown into being the same kind of bloatware that plugins have been anyway. There are sites which will make my smartphone hot just because of the crappy JavaScript stuff running in the background.

      Plugins were made to add native programming functionality into websites, which can be good (Java), can be iffy (Flash), or can be downright hideous (ActiveX). The needs aren't going to go away just by banning plugins. Ideally we would have something better replace the WWW itself for "web app" stuff, but at the moment we have to work with what we have.

      1. Christian Berger

        Re: Plugins are actually the symptom, not the root problem

        To be honest I see little difference between Java and ActiveX, both are horrible ideas just one is sand boxed a little bit better. Plugins are just a horrible way to solve such a problem.

        Again, for web apps, which use completely different layouts than web pages, we should have gone for something completely different. Something that's essentially an intelligent terminal. Perhaps it could use Javascript or Lua for the bit of local processing you need, but something completely different for the GUI.
