Adobe Flash: The most INSECURE program on a UK user's PC

Adobe Flash Player was the most insecure program installed on UK computer users' PCs throughout the second quarter of 2014, according to stats from vulnerability management firm Secunia. Nearly seven in 10 (69 per cent) UK PC users were found to have an end-of-life version of Adobe Flash Player 13 installed during Q2 2014. …

  1. Anonymous Coward

    Version 13?

    I'm still on version 11 due to Adobe being a feckless bunch of arseholes.

    1. Irongut Silver badge

      Re: Version 13?

      "I'm still on version 11 because I'm a feckless arsehole"

      Fixed that for you. Your being 3 major versions out of date says nothing about Adobe but it speaks volumes about you and your lack of security.

      1. Destroy All Monsters Silver badge

        Re: Version 13?

        It also says a lot about Adobe and their mad coding skillz that upgrades are necessary.

        And no "all software has bugs" just doesn't cut it. It's out there with "the dog ate my homework" bullshit.

        1. Anonymous Coward

          Re: Version 13?

          >It also says a lot about Adobe and their mad coding skillz that upgrades are necessary.

          The runtime team is rumoured to be down to only 3 devs now (used to be 15-20), so actually amazing quality work when you think about it....

      2. ragnar

        Re: Version 13?

        It's probably because they stopped producing an updated Linux version.

      3. Anonymous Coward

        Re: Version 13?

        "Fixed that for you. Your being 3 major versions out of date says nothing about Adobe but it speaks volumes about you and your lack of security."

        As the previous poster surmised, it says that Adobe dropped support for Linux at version 11. As always the problem is that Flash still exists in the first place.

      4. Irony Deficient Silver badge

        Re: Version 13?

        Irongut, my money would be on Anonymous Coward being up-to-date on Linux with Flash Player. Your comment certainly announced a thing or two about yourself.

    2. marcoose777

      Re: Version 13?

      Me too, I'm still on 11. The joy of nix

  2. Ross K

    Isn't it great...

    ...that they've included an auto-updater now so Flash can patch itself twice or three times a week without bothering you too much.

    Just like the Java Updater, more useless shite sitting in the system tray and consuming resources is just what we all need.

    I know Apple users have to update Flash regularly too, but what do linux users do? Has Flash been abandoned on that OS or is it still soldiering on bravely?

    1. Anonymous Coward

      Re: Isn't it great...

      It's been abandoned, however the update at least was native to Linux (for YUM* users at least, not sure about apt)

      *YUM is the auto-updater for most RPM based Linux distros (what is the plural of Linux?), Adobe provided an add-on repository for Flash so it at least fit in nicely with the system standard way of installing/updating applications.

      1. Paul Crawford Silver badge

        Re: Isn't it great...

        Still getting the "security" updates for version 11.x on Linux using apt-get (Ubuntu) as they never supported anything later. Unless of course it is embedded in Chrome for Linux (with added Google spy-ware).

        Adobe is such a crap company...

      2. Eddy Ito

        Re: Isn't it great...

        what is the plural of Linux?

        There isn't. Like 'fish' it is both singular and plural. Similarly, Linuxes, like fishes, can also be correct and I suspect that Linuxen would also pass in most circles. I'm against the latinized plural form, Linuces, simply because too many non-Latin words are hashed by people wishing to appear to be "learned folk".

        Anyway getting back to the article, isn't this news along the lines of the Pope is a Catholic who would shit bare - or something like that?

        1. Irony Deficient Silver badge

          Re: Isn’t it great…

          Eddy, given its roots, the plural for Linux should use the Finnish “instructive” declension — Linuxin — with tongue optionally implanted in cheek.

        2. tony2heads

          @Eddy Ito

          plural should be Linuces (like 'dux') or 'Linuxes'

    2. Flocke Kroes Silver badge

      Flash on Linux

      There is a free software implementation called gnash, so Linux users are not dependent on Adobe.

      1. Tom Chiverton 1

        Re: Flash on Linux

        Gnash fails to run just about every non-trivial Flash app I've slung at it.

        1. FrankAlphaXII

          Re: Flash on Linux

          Shumway, Mozilla's flash clone, also generally falls over if you throw something that Mozilla didn't make themselves as well. The thing is that it's pre-alpha or just went into alpha, the only way to get it is by sideloading it from Mozilla's Github. I don't think the Nightlies or Aurora even ship with it yet though it's a fairly important project going on over there.

          But Gnash is like a damned Greek tragedy to me. It should work fairly well at this point but it still doesn't which is kind of a shame, I'd rather use code that I could audit if I so choose as opposed to whatever Adobe's shipping.

          I'd still figure Java was a bigger problem than Flash though.

  3. Eponymous Cowherd

    No shit Sherlock

    That is all.

  4. phuzz Silver badge

    I can only imagine that this 'win' for Flash is because people have stopped installing Java.

    1. Steven Raith

      It's more like Alien Vs Predator - no matter who wins, we lose.

  5. Truth4u

    What IS Flash?

    Seems to have tens of thousands of features I'm sure no one ever uses. Why do I need all that animation crap in there if I only care about video? And all the other weird shit it can do, but if it ever did, I would close the browser faster than you would drop a ball of molten lead.

    1. Destroy All Monsters Silver badge

      Re: What IS Flash?

      Well, you can get it via PDFs, so Flash is PDFs or the converse, I am not sure.

    2. Peter2 Silver badge

      Re: What IS Flash?

      Adobe PDF reader also has the same issue, including features that let you compromise a system by simply opening a PDF file with PDF reader.

      It would be really nice if Adobe would include a "secure mode" whereby their plugins could be locked down to just being a video player, or just a PDF picture viewer instead of the security nightmares that they are at the moment.

      1. Stuart Halliday

        Re: What IS Flash?

        Do people seriously still use Adobe PDF Reader!

        Let me reexamine the year on my calendar...

    3. John Brown (no body) Silver badge

      Re: What IS Flash?

      Saviour of the universe?

  6. Fuzz

    of course people aren't upgrading

    when you upgrade a point release of 13 it happens in the background without you doing anything, when 14 came out you are presented with an update wizard that takes you to the adobe website to download version 14. This all happens when you are logging in to your computer, how many people have time to download and install an update when they have just logged on to their computer. It's the second most stupid auto updater after the idiotic java which asks for elevated privileges before it asks if you'd like to install the update and only then does it go and download the actual update to install it along with the Ask Jeeves toolbar.

    1. mark 63 Silver badge

      Re: of course people aren't upgrading

      my god that toolbar. You'd think Adobe was a big enough company what with ruling the world's graphic design industry that they could lay off trying to sneakily inject bullshit toolbars and stuff along with their very regular patches and updates. Isn't it them that will put that McAfee thing on at any opportunity unless you watch them like a hawk?

  7. GitMeMyShootinIrons

    Flash - saviour of the universe....

    Or not, as the case may be.

    But I digress. The revelation that there are insecure unpatched installations out there is a bit like making proclamations about the toilet habits of bears that frequent forested areas. Flash is very common on home devices, but probably less commonly used than it used to be. If its update function fails, most won't know/care. A bit like the free couple of months of Symantec abandoned on home PCs by users reluctant to pay for AV.

    It's no worse than Java, where old versions are often retained simply because backward compatibility is often a problem.

  8. Rol

    As always

    The marketing department insists the perfectly working software needs more glam, more pizazz, more flash.

    Eventually as a user I am forced into removing their blinged up garbage and have a need to find another provider, one that hasn't been around long enough to have a need for a marketing guru.

    Why anyone, other than a teenage chav wannabe, would find a need for ninety percent of what Adobe shoehorns into its products is beyond reason.

    Oh and while I've got Adobe in my sights, your flash player, with all that extra gooeyness would be much improved if the moronic caption telling me the escape key will cancel full screen mode has a subtext telling me the caption which is currently ruining your viewing pleasure can be stopped forever by typing Yes, yes, I know already, otherwise please wait several lifetimes for the crappy message to go and then restart the video from the beginning.

  9. Anonymous Coward

    Patching in Global organisations

    "Nearly seven in 10 (69 per cent) UK PC users were found to have an end-of-life version of Adobe Flash Player 13 installed during Q2 2014. Users had not updated to version 14."

    Hah - I work for a global organisation with thousands of PCs and being on FP13 would be a good step up - a lot of our work PCs are all still on Flash Player 10... our internal desktop support team don't like patching applications and like to bundle them in with the SOE image - once deployed they may not get updated for 4 or 5 years! Our internal security team doesn't mandate minimum application patching levels for internal PCs. Comparing the average corporate PC with MS Update online, we are a good 60+ patches down.

    Posting Anonymously to "protect" my current employer.

    I am still constantly disappointed/dismayed by the apathy within the IT support teams to do what should be a general housekeeping task. The other annoying thing is that the business doesn't understand the risk its in and therefore cannot help IT provide the adequate resourcing to address these concerns (if resourcing is an issue).

    This is the third global organisation I have worked for, and only 1/3 had a holistic approach to security, and even that one had some gaping holes (but at least it was going through a process of addressing them all). There is a lot of talk about securing countries and organisations from Electronic Warfare and hackers, if we can't do simple patch management, what hope do we have?
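The commenter's complaint is that nobody mandates a minimum patch level, so nobody measures against one. The script below is an added example (not from the article, Secunia, or any commenter) of the kind of check a security team would run over a software inventory export: it parses constructed `host;product;version` records, compares each installed version against a constructed minimum-version policy, and reports both the individual failures and the share of hosts out of policy, the same kind of figure as the survey's "seven in ten" headline. The product names, version numbers and policy thresholds are all made up for illustration; a real baseline comes from the vendor's support matrix and the organisation's own standard.

```python
"""Minimum-version policy check over a software inventory (added example).

Everything here is constructed for illustration: the policy table, the
inventory export and the version numbers. Nothing is taken from a vendor
support matrix.
"""
import re
from dataclasses import dataclass

# Constructed policy: product name as it appears in the inventory ->
# lowest version the organisation accepts. Illustrative values only.
MINIMUM_VERSION = {
    "Adobe Flash Player": "14.0",
    "Java Runtime": "1.7.0",
}

# Constructed inventory export. In practice this would come from the
# endpoint management tool's installed-software report.
INVENTORY = """\
# host;product;version
wks-001;Adobe Flash Player;10.3.183.90
wks-001;Java Runtime;1.6.0_45
wks-002;Adobe Flash Player;14.0.0.145
wks-002;Java Runtime;1.7.0_65
wks-003;Adobe Flash Player;13.0.0.214
wks-003;Adobe Reader;11.0.07
"""


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    installed: str
    minimum: str


def parse_version(text):
    """Reduce a vendor version string to a tuple of integers.

    Handles dotted versions ('13.0.0.214') and Java's '1.6.0_45' form.
    A string with no digits is rejected rather than silently treated as 0.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def compare_versions(a, b):
    """Return -1, 0 or 1 for version tuples a and b, padding the shorter
    tuple with zeros so that '13.0' and '13.0.0.0' compare equal."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_inventory(text):
    """Yield (host, product, version) from 'host;product;version' lines,
    skipping blank lines and '#' comments; malformed lines raise."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 3:
            raise ValueError(f"malformed inventory line: {raw!r}")
        yield tuple(fields)


def check_policy(inventory_text=INVENTORY, policy=MINIMUM_VERSION):
    """Return one Finding per installed product that is below its minimum.
    Products with no policy entry (here, Adobe Reader) are ignored."""
    findings = []
    for host, product, version in parse_inventory(inventory_text):
        minimum = policy.get(product)
        if minimum is None:
            continue
        if compare_versions(parse_version(version), parse_version(minimum)) < 0:
            findings.append(Finding(host, product, version, minimum))
    return findings


def out_of_policy_share(inventory_text=INVENTORY, policy=MINIMUM_VERSION):
    """Fraction of inventoried hosts with at least one product below policy."""
    hosts = {host for host, _, _ in parse_inventory(inventory_text)}
    failing = {f.host for f in check_policy(inventory_text, policy)}
    return len(failing) / len(hosts) if hosts else 0.0


if __name__ == "__main__":
    for f in check_policy():
        print(f"{f.host}: {f.product} {f.installed} is below minimum {f.minimum}")
    print(f"hosts out of policy: {out_of_policy_share():.0%}")
```

On the constructed data this flags Flash 10.3 and Java 1.6 on wks-001 and Flash 13 on wks-003, so two of three hosts are out of policy; wks-003's Adobe Reader is skipped only because the toy policy has no entry for it, which is the first gap a real policy table would need to close.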

    1. king of foo

      Re: Patching in Global organisations

      I mirror your frustration.

      XP. Check.

      Ie6. Check.

      Flash player 10. Check.

      Java 6. Check.

      FTSE 50.

      I'm amazed we haven't had any problems. Yet. Websense can't be a complete waste of money.

      1. kororas

        Re: Patching in Global organisations

        Just pray you don't get targeted specifically.

  10. veti Silver badge

    People still use Flash?

    I thought that died when the iPad came out.

    No, seriously. What do we need it for anymore? There are dozens of video formats out there, and plenty of amusing cats/pr0n available in just about all of them.

    1. Anonymous Coward

      Re: People still use Flash?

      VMware quite recently moved their client to Flash, so quite a lot of admins need it now :( Well, when I say "need" I'm ignoring the fact that a lot of those admins are now moving to Hyper-V :)

  11. Anonymous Coward

    "Adobe Flash Player was the most insecure program installed on UK computer users PCs"

    Why do so many websites including large parts of YouTube's content require this POS? YouTube still requires Flash even if you have a HTML5 capable browser... Does anyone know why?

    I'm travelling right now, but wanted to see some World Cup matches. But many of the websites hosting games force you to use Flash, and with all the popup ads to dodgy Ad brokers, I've had a few hairy moments wondering if my machine is going to be pwned...

    1. Steven Raith

      Re: "Adobe Flash Player was the most insecure program installed on UK computer users PCs"

      "YouTube still requires Flash even if you have a HTML5 capable browser... Does anyone know why?"

      You answer your own question with this:

      " But many of the websites hosting games force you to use Flash, and with all the popup ads to dodgy Ad brokers,"

      Implementing inline ads (and, additionally, encryption on streams for DRM) is tricky with HTML5 video, and the DRM part is politically sensitive as they 'need' proprietary stuff in there which (rightly) sticks in the craw of the open source peeps - Mozilla, IIRC, eventually capitulated, but large chunks of the Linux world can't include that sort of thing by default.

      In short it's all down to those slimy cunts in marketing and advertising - as it usually is. Come the revolution, and all that.

  12. Anonymous Coward

    BBC and YouTube without Flash?

    I installed FlashBlock in Firefox to see if I could manage without Flash (having realised a while back that there was no good reason to have Java any longer) and the only time I noticed anything being blocked was when trying to view video on YouTube and the BBC news site (I block ads so I'm not exposed to that nonsense). Is there any way to view video on YouTube and BBC news without Flash? I'd dearly love to un-install it...

    1. veti Silver badge

      Re: BBC and YouTube without Flash?

      YouTube has video in a large range of formats, it's the luck of the draw whether any particular vid you want to see is served as Flash.

      This video claims to show you how to view almost all of YouTube without Flash at all. I can't vouch for the content, because ironically I can't view it on my current 'puter...

    2. eulampios

      Re: BBC and YouTube without Flash?

      Is there any way to view video on YouTube and BBC news without Flash?

      There are many, at least for youtube. I am not sure about BBC. VLC can play many url videos including youtube. Totem on GNU/Linux can do it too. There is also a python program youtube-dl. As the name suggests it can download video from youtube, it can also download videos from other websites. You can try youtube-dl for BBC too, try vlc for it too. I myself cannot, I am in the US. wireshark might be another possibility.

      For non youtube movies, you might simply examine a page source, when it's hidden, I use tcpdump to determine the url

      1. Jamie Jones Silver badge

        Re: BBC and YouTube without Flash?

        To legitimately access BBC iplayer without flash, google 'get_iplayer'

        To legitimately access it when it appears you are not in the UK when really you are, (e.g. the multinational you work for peers outside the UK) a cheap UK proxy/vpn (or even set one up on your home machine) would work fine, because the actual raw rtmp streams are not regionally restricted, so can be accessed directly (courtesy of your local akamai or limelight CDN) once you know the stream rtmp url. (But why such content can be accessed in California [just tried it and it worked - rtmp server 1ms ping from my server there] is anybody's guess, though I assume it's cache on request at least)

        1. Chemist

          Re: BBC and YouTube without Flash?

          "To legitimately access BBC iplayer without flash, google 'get_iplayer'"

          Whilst I agree with you about get_iplayer the poster was asking about BBC news videos, presumably from their web-pages. Those are flash.

          I sometimes use my fileserver as a proxy when I'm traveling - it usually worked very well.

          1. Jamie Jones Silver badge

            Re: BBC and YouTube without Flash?

            " Whilst I agree with you about get_iplayer the poster was asking about BBC news videos, presumably from their web-pages.Those are flash."

            Ah yes, sorry, I misread the post.

            But when he said 'view video on YouTube and BBC news', just in case he meant :

            (view video on YouTube), and BBC news

            rather than:

            view (video on YouTube and BBC news)

            (ahhhh, the ambiguous wonders of the English language!) get_iplayer can be used to view or record the live channels too.

    3. Jess

      Re: BBC and YouTube without Flash?

      I have a rather nice G5 which obviously has no current flash support (though there is a current firefox port, called tenfour fox)

      This (plus grease monkey) allows me to watch youtube on it:

  13. johnwerneken

    free software

    Free software from commercial teams tends to be worth the price charged. This is particularly true when the whole idea is an attempt at monopoly, as is the case with flash/reader and quite a few others. Ubiquity being the driving goal, all else is basically shoddy.

  14. Anonymous Coward

    The only secure flash plugin

    Is one that isn't installed. Seriously, why even bother? Nowadays it's mostly used for advertisements anyway.

  15. Nifty Silver badge

    I had to uninstall Flash from my PC yesterday as it was crashing with Firefox every minute (massive list of FF crash logs) and locking up my entire PC 3 times a week. Been through the reinstall cycle previously btw. The discussion forums on a solution go round in circles, one thing is sure: It's FF and Flash together, plus maybe some interaction with 64 bit OS and video drivers that lock up a machine. One of the warning signs of trouble is a jumping cursor.

    What will happen, as before, is that eventually I'll hit a site - be it internal corporate (e.g. interactive training) or an external essential service - that demands Flash. So will have to switch to IE for those reluctant moments.

    Flash, begone forever out of my life (I wish).

  16. Cuddles Silver badge

    Maybe if the updater didn't constantly try to foist malware on you on the rare occasions it actually works at all, people would be a little more inclined to actually use it.

  17. Anonymous Coward

    Flash player?

    I never updated it ever since I got Chrome.

    It seems Chrome does it for me. And for the Flash running for other browsers, it tries to update whenever I reboot the machine, which only happens when Microsoft tells me to, after every Patch Tuesday. But oh, do I feel tempted to just skip the damned warning.

    Why don't they auto-update silently like Chrome ON FREAKING DEMAND, instead of running a bloody TSR?

    So, yes the bloody thing is updated, but it didn't update itself silently like everything else. Java is another bothersome POS, but at least it will only ask for update when you are actively trying to use its features.

  18. Anonymous Coward

    use links: no f'@ing Flash, no ads, no waiting for the content you want.

  19. redwolfe_98

    it is incorrect to say that adobe flash player 13 is "EOL".. flash player 13 is an ESR version:

    so, just because someone is using FP 13, that doesn't mean it is outdated and unpatched.. FP 13 is a ESR version which will continue to be patched, for years to come..

    many people choose to use ESR versions in order to try to avoid having problems.. i myself used the ESR versions of "flash player" for several years (ever since FP 11.x was first released).. it was only last month that i decided to go ahead and install FP build, instead of using the ESR version (since there isn't that much difference between FP 13 and FP 14).. and, yes, i have FP build, now..

    i don't like that the article says that FP is the most insecure program on people's computers.. that statement is misleading, suggesting that using FP is the greatest security-risk to computer-users.. i don't think that you can blame FP for malware-infections, any more than you can blame the browser, or the OS.. the end-user is the problem.. people need to be conscious of the malware-threat and take measures to avoid having their computers infected with malware.. don't blame flash player (or the browser, or the OS)..

Biting the hand that feeds IT © 1998–2022