I'm still on version 11 due to Adobe being a feckless bunch of arseholes.
Adobe Flash Player was the most insecure program installed on UK computer users' PCs throughout the second quarter of 2014, according to stats from vulnerability management firm Secunia. Nearly seven in 10 (69 per cent) UK PC users were found to have an end-of-life version of Adobe Flash Player 13 installed during Q2 2014. …
"Fixed that for you. Your being 3 major versions out of date says nothing about Adobe but it speaks volumes about you and your lack of security."
As the previous poster surmised, it says that Adobe dropped support for Linux at version 11. As always the problem is that Flash still exists in the first place.
...that they've included an auto-updater now so Flash can patch itself twice or three times a week without bothering you too much.
Just like the Java Updater, more useless shite sitting in the system tray and consuming resources is just what we all need.
I know Apple users have to update Flash regularly too, but what do linux users do? Has Flash been abandoned on that OS or is it still soldiering on bravely?
It's been abandoned, however the update at least was native to Linux (for YUM* users at least, not sure about apt)
*YUM is the auto-updater for most RPM-based Linux distros (what is the plural of Linux?). Adobe provided an add-on repository for Flash, so it at least fit in nicely with the system's standard way of installing/updating applications.
what is the plural of Linux?
There isn't. Like 'fish' it is both singular and plural. Similarly, Linuxes, like fishes, can also be correct and I suspect that Linuxen would also pass in most circles. I'm against the latinized plural form, Linuces, simply because too many non-Latin words are hashed by people wishing to appear to be "learned folk".
Anyway getting back to the article, isn't this news along the lines of the Pope is a Catholic who would shit bare - or something like that?
Shumway, Mozilla's Flash clone, also generally falls over if you throw it something that Mozilla didn't make themselves. The thing is that it's pre-alpha or just went into alpha; the only way to get it is by sideloading it from Mozilla's GitHub. I don't think the Nightlies or Aurora even ship with it yet, though it's a fairly important project going on over there.
But Gnash is like a damned Greek tragedy to me. It should work fairly well at this point but it still doesn't, which is kind of a shame. I'd rather use code that I could audit if I so choose as opposed to whatever Adobe's shipping.
I'd still figure Java was a bigger problem than Flash though.
Seems to have tens of thousands of features I'm sure no one ever uses. Why do I need all that animation crap in there if I only care about video? And all the other weird shit it can do, but if it ever did, I would close the browser faster than you would drop a ball of molten lead.
Adobe PDF reader also has the same issue, including features that let you compromise a system by simply opening a PDF file with PDF reader.
It would be really nice if Adobe would include a "secure mode" whereby their plugins could be locked down to just being a video player, or just a PDF picture viewer instead of the security nightmares that they are at the moment.
When you upgrade a point release of 13 it happens in the background without you doing anything; when 14 came out you are presented with an update wizard that takes you to the Adobe website to download version 14. This all happens when you are logging in to your computer. How many people have time to download and install an update when they have just logged on to their computer? It's the second most stupid auto-updater after the idiotic Java one, which asks for elevated privileges before it asks if you'd like to install the update, and only then does it go and download the actual update to install it along with the Ask Jeeves toolbar.
My god, that toolbar. You'd think Adobe was a big enough company, what with ruling the world's graphic design industry, that they could lay off trying to sneakily inject bullshit toolbars and stuff along with their very regular patches and updates. Isn't it them that will put that McAfee thing on at any opportunity unless you watch them like a hawk?
Or not, as the case may be.
But I digress. The revelation that there are insecure unpatched installations out there is a bit like making proclamations about the toilet habits of bears that frequent forested areas. Flash is very common on home devices, but probably less commonly used than it used to be. If its update function fails, most won't know/care. A bit like the free couple of months of Symantec abandoned on home PCs by users reluctant to pay for AV.
It's no worse than Java, where old versions are often retained simply because backward compatibility is often a problem.
The marketing department insists the perfectly working software needs more glam, more pizazz, more flash.
Eventually as a user I am forced into removing their blinged up garbage and have a need to find another provider, one that hasn't been around long enough to have a need for a marketing guru.
Why anyone, other than a teenage chav wannabe, would find a need for ninety percent of what Adobe shoehorns into its products is beyond reason.
Oh and while I've got Adobe in my sights, your flash player, with all that extra gooeyness would be much improved if the moronic caption telling me the escape key will cancel full screen mode has a subtext telling me the caption which is currently ruining your viewing pleasure can be stopped forever by typing Yes, yes, I know already, otherwise please wait several lifetimes for the crappy message to go and then restart the video from the beginning.
"Nearly seven in 10 (69 per cent) UK PC users were found to have an end-of-life version of Adobe Flash Player 13 installed during Q2 2014. Users had not updated to version 14."
Hah - I work for a global organisation with thousands of PCs and being on FP13 would be a good step up - a lot of our work PCs are all still on Flash Player 10... our internal desktop support team don't like patching applications and like to bundle them in with the SOE image - once deployed they may not get updated for 4 or 5 years! Our internal security team doesn't mandate minimum application patching levels for internal PCs. Comparing the average corporate PC with MS Update online, we are a good 60+ patches down.
Posting Anonymously to "protect" my current employer.
I am still constantly disappointed/dismayed by the apathy within the IT support teams to do what should be a general housekeeping task. The other annoying thing is that the business doesn't understand the risk its in and therefore cannot help IT provide the adequate resourcing to address these concerns (if resourcing is an issue).
This is the third global organisation I have worked for, and only 1/3 had a holistic approach to security, and even that one had some gaping holes (but at least it was going through a process of addressing them all). There is a lot of talk about securing countries and organisations from Electronic Warfare and hackers, if we can't do simple patch management, what hope do we have?
Why do so many websites including large parts of YouTube's content require this POS? YouTube still requires Flash even if you have a HTML5 capable browser... Does anyone know why?
I'm travelling right now, but wanted to see some World Cup matches. But many of the websites hosting games force you to use Flash, and with all the popup ads to dodgy Ad brokers, I've had a few hairy moments wondering if my machine is going to be pwned...
"YouTube still requires Flash even if you have a HTML5 capable browser... Does anyone know why?"
You answer your own question with this:
" But many of the websites hosting games force you to use Flash, and with all the popup ads to dodgy Ad brokers,"
Implementing inline ads (and, additionally, encryption on streams for DRM) is tricky with HTML5 video, and the DRM part is politically sensitive as they 'need' proprietary stuff in there which (rightly) sticks in the craw of the open source peeps - Mozilla, IIRC, eventually capitulated, but large chunks of the Linux world can't include that sort of thing by default.
In short it's all down to those slimy cunts in marketing and advertising - as it usually is. Come the revolution, and all that.
I installed FlashBlock in Firefox to see if I could manage without Flash (having realised a while back that there was no good reason to have Java any longer) and the only time I noticed anything being blocked was when trying to view video on YouTube and the BBC news site (I block ads so I'm not exposed to that nonsense). Is there any way to view video on YouTube and BBC news without Flash? I'd dearly love to un-install it...
YouTube has video in a large range of formats, it's the luck of the draw whether any particular vid you want to see is served as Flash.
This video claims to show you how to view almost all of YouTube without Flash at all. I can't vouch for the content, because ironically I can't view it on my current 'puter...
Is there any way to view video on YouTube and BBC news without Flash?
There are many, at least for YouTube. I am not sure about BBC. VLC can play many URL videos, including YouTube. Totem on GNU/Linux can do it too. There is also a Python program, youtube-dl. As the name suggests it can download video from YouTube; it can also download videos from other websites. You can try youtube-dl for BBC too, and try VLC for it too. I myself cannot, I am in the US. Wireshark might be another possibility.
For non-YouTube movies, you might simply examine a page source; when it's hidden, I use tcpdump to determine the URL.
To legitimately access BBC iPlayer without Flash, google 'get_iplayer'.
To legitimately access it when it appears you are not in the UK when really you are (e.g. the multinational you work for peers outside the UK), a cheap UK proxy/VPN (or even set one up on your home machine) would work fine, because the actual raw RTMP streams are not regionally restricted, so can be accessed directly (courtesy of your local Akamai or Limelight CDN) once you know the stream RTMP URL. (But why such content can be accessed in California [just tried it and it worked - RTMP server 1ms ping from my server there] is anybody's guess, though I assume it's cache on request at least.)
"To legitimately access BBC iplayer without flash, google 'get_iplayer'"
Whilst I agree with you about get_iplayer, the poster was asking about BBC news videos, presumably from their web pages. Those are Flash.
I sometimes use my fileserver as a proxy when I'm traveling - it usually worked very well.
"Whilst I agree with you about get_iplayer, the poster was asking about BBC news videos, presumably from their web pages. Those are Flash."
Ah yes, sorry, I misread the post.
But when he said 'view video on YouTube and BBC news', just in case he meant :
(view video on YouTube), and BBC news
view (video on YouTube and BBC news)
(ahhhh, the ambiguous wonders of the English language!) get_iplayer can be used to view or record the live channels too.
I had to uninstall Flash from my PC yesterday as it was crashing with Firefox every minute (massive list of FF crash logs) and locking up my entire PC 3 times a week. Been through the reinstall cycle previously btw. The discussion forums on a solution go round in circles, one thing is sure: It's FF and Flash together, plus maybe some interaction with 64 bit OS and video drivers that lock up a machine. One of the warning signs of trouble is a jumping cursor.
What will happen, as before, is that eventually I'll hit a site - be it internal corporate (e.g. interactive training) or an external essential service - that demands Flash. So I will have to switch to IE for those reluctant moments.
Flash, begone forever out of my life (I wish).
I never updated it ever since I got Chrome.
It seems Chrome does it for me. And for the Flash running for other browsers, it tries to update whenever I reboot the machine, which only happens when Microsoft tells me to, after every Patch Tuesday. But oh, do I feel tempted to just skip the damned warning.
Why don't they auto-update silently like Chrome ON FREAKING DEMAND, instead of running a bloody TSR?
So, yes the bloody thing is updated, but it didn't update itself silently like everything else. Java is another bothersome POS, but at least it will only ask for update when you are actively trying to use its features.
It is incorrect to say that Adobe Flash Player 13 is "EOL". Flash Player 13 is an ESR version:
So, just because someone is using FP 13, that doesn't mean it is outdated and unpatched. FP 13 is an ESR version which will continue to be patched, for years to come.
Many people choose to use ESR versions in order to try to avoid having problems. I myself used the ESR versions of "flash player" for several years (ever since FP 11.x was first released). It was only last month that I decided to go ahead and install FP build 18.104.22.168, instead of using the ESR version (since there isn't that much difference between FP 13 and FP 14). And, yes, I have FP build 22.214.171.124, now.
I don't like that the article says that FP is the most insecure program on people's computers. That statement is misleading, suggesting that using FP is the greatest security risk to computer users. I don't think that you can blame FP for malware infections, any more than you can blame the browser, or the OS. The end-user is the problem. People need to be conscious of the malware threat and take measures to avoid having their computers infected with malware. Don't blame Flash Player (or the browser, or the OS).
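The thread argues over whether a given Flash install is "outdated" (ESR branch vs current branch, majors that are out of support, an enterprise with no minimum patch level). Below is an added example, not from any poster or from Adobe, of how a defender would encode such a per-branch baseline and audit an inventory against it. The inventory and the baseline build numbers are constructed placeholders, not real Adobe release numbers.

```python
"""Audit a software inventory against a per-branch minimum patch level.

Constructed example. Hosts, versions and the baseline numbers are
placeholders; only the policy logic is the point.
"""
from collections import Counter
from dataclasses import dataclass


def parse_version(v):
    """Turn a dotted version such as '13.0.0.214' into a comparable tuple.

    Raises ValueError on anything that is not all-numeric dotted parts, so a
    garbage inventory entry is reported rather than silently compared.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("malformed version: %r" % v)
    return tuple(int(p) for p in parts)


# Constructed policy: minimum acceptable build per supported major branch.
# Two branches are supported at once (an ESR branch and the current one);
# any major missing from the table is treated as out of support.
BASELINE = {
    13: "13.0.0.500",  # ESR branch, placeholder build number
    14: "14.0.0.120",  # current branch, placeholder build number
}


@dataclass
class Finding:
    host: str
    version: str
    status: str  # one of: ok, outdated, unsupported, malformed


def assess(host, version, baseline=BASELINE):
    """Classify one (host, version) pair against the baseline table."""
    try:
        parsed = parse_version(version)
    except ValueError:
        return Finding(host, version, "malformed")
    major = parsed[0]
    if major not in baseline:
        return Finding(host, version, "unsupported")
    # Tuple comparison handles differing part counts lexicographically.
    if parsed < parse_version(baseline[major]):
        return Finding(host, version, "outdated")
    return Finding(host, version, "ok")


def audit(inventory, baseline=BASELINE):
    """Return a Finding for every inventory entry, in input order."""
    return [assess(h, v, baseline) for h, v in inventory]


def summarize(findings):
    """Count hosts per status, e.g. for a report or a dashboard."""
    return dict(Counter(f.status for f in findings))


# Constructed inventory: ESR host at baseline, ESR host behind, current host
# at baseline, two out-of-support majors, and one unparseable entry.
INVENTORY = [
    ("ws-001", "13.0.0.500"),
    ("ws-002", "13.0.0.100"),
    ("ws-003", "14.0.0.120"),
    ("ws-004", "10.3.0.0"),
    ("ws-005", "11.2.0.0"),
    ("ws-006", "fourteen"),
]
```

Running `summarize(audit(INVENTORY))` groups the constructed fleet into ok/outdated/unsupported/malformed, which is the distinction the "EOL vs ESR" argument above is really about.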
Biting the hand that feeds IT © 1998–2022