Adobe Flash: The most INSECURE program on a UK user's PC

Adobe Flash Player was the most insecure program installed on UK computer users' PCs throughout the second quarter of 2014, according to stats from vulnerability management firm Secunia. Nearly seven in 10 (69 per cent) UK PC users were found to have an end-of-life version of Adobe Flash Player 13 installed during Q2 2014. …

  1. Anonymous Coward

    Version 13?

    I'm still on version 11 due to Adobe being a feckless bunch of arseholes.

    1. Irongut Silver badge

      Re: Version 13?

      "I'm still on version 11 because I'm a feckless arsehole"

      Fixed that for you. Your being 3 major versions out of date says nothing about Adobe but it speaks volumes about you and your lack of security.

      1. Destroy All Monsters Silver badge

        Re: Version 13?

        It also says a lot about Adobe and their mad coding skillz that upgrades are necessary.

        And no "all software has bugs" just doesn't cut it. It's out there with "the dog ate my homework" bullshit.

        1. Anonymous Coward

          Re: Version 13?

          >It also says a lot about Adobe and their mad coding skillz that upgrades are necessary.

          The runtime team is rumoured to be down to only 3 devs now (used to be 15-20), so actually amazing quality work when you think about it....

      2. ragnar

        Re: Version 13?

        It's probably because they stopped producing an updated Linux version.

      3. Anonymous Coward

        Re: Version 13?

        "Fixed that for you. Your being 3 major versions out of date says nothing about Adobe but it speaks volumes about you and your lack of security."

        As the previous poster surmised, it says that Adobe dropped support for Linux at version 11. As always the problem is that Flash still exists in the first place.

      4. Irony Deficient

        Re: Version 13?

        Irongut, my money would be on Anonymous Coward being up-to-date on Linux with Flash Player 11.2.202.394. Your comment certainly announced a thing or two about yourself.

    2. marcoose777

      Re: Version 13?

      Me too, I'm still on 11. The joy of nix

  2. Ross K Silver badge
    Mushroom

    Isn't it great...

    ...that they've included an auto-updater now so Flash can patch itself twice or three times a week without bothering you too much.

    Just like the Java Updater, more useless shite sitting in the system tray and consuming resources is just what we all need.

    I know Apple users have to update Flash regularly too, but what do linux users do? Has Flash been abandoned on that OS or is it still soldiering on bravely?

    1. Anonymous Coward

      Re: Isn't it great...

      It's been abandoned, however the update at least was native to Linux (for YUM* users at least, not sure about apt)

      *YUM is the auto-updater for most RPM based Linux distros (what is the plural of Linux?), Adobe provided an add-on repository for Flash so it at least fit in nicely with the system standard way of installing/updating applications.

      1. Paul Crawford Silver badge
        Unhappy

        Re: Isn't it great...

        Still getting the "security" updates for version 11x on Linux using apt-get (Ubuntu) as they never supported anything later. Unless of course it is embedded in Chrome for Linux (with added Google spy-ware).

        Adobe is such a crap company...

      2. Eddy Ito
        Linux

        Re: Isn't it great...

        what is the plural of Linux?

        There isn't. Like 'fish' it is both singular and plural. Similarly, Linuxes, like fishes, can also be correct and I suspect that Linuxen would also pass in most circles. I'm against the latinized plural form, Linuces, simply because too many non-Latin words are hashed by people wishing to appear to be "learned folk".

        Anyway getting back to the article, isn't this news along the lines of the Pope is a Catholic who would shit bare - or something like that?

        1. Irony Deficient

          Re: Isn’t it great…

          Eddy, given its roots, the plural for Linux should use the Finnish “instructive” declension — Linuxin — with tongue optionally implanted in cheek.

        2. tony2heads

          @Eddy Ito

          plural should be Linuces (like 'dux') or 'Linuxes'

    2. Flocke Kroes Silver badge

      Flash on Linux

      There is a free software implementation called gnash, so Linux users are not dependent on Adobe.

      1. Tom Chiverton 1 Silver badge

        Re: Flash on Linux

        Gnash fails to run just about every non-trivial Flash app I've slung at it.

        1. FrankAlphaXII

          Re: Flash on Linux

          Shumway, Mozilla's flash clone, also generally falls over if you throw something that Mozilla didn't make themselves as well. The thing is that it's pre-alpha or just went into alpha, the only way to get it is by sideloading it from Mozilla's Github. I don't think the Nightlies or Aurora even ship with it yet though it's a fairly important project going on over there.

          But Gnash is like a damned Greek tragedy to me. It should work fairly well at this point but it still doesn't which is kind of a shame, I'd rather use code that I could audit if I so choose as opposed to whatever Adobe's shipping.

          I'd still figure Java was a bigger problem than Flash though.

  3. Eponymous Cowherd
    Holmes

    No shit Sherlock

    That is all.

  4. phuzz Silver badge
    Trollface

    I can only imagine that this 'win' for Flash is because people have stopped installing Java.

    1. Steven Raith

      It's more like Alien Vs Predator - no matter who wins, we lose.

  5. Truth4u

    What IS Flash?

    Seems to have tens of thousands of features I'm sure no one ever uses. Why do I need all that animation crap in there if I only care about video? And all the other weird shit it can do, but if it ever did, I would close the browser faster than you would drop a ball of molten lead.

    1. Destroy All Monsters Silver badge

      Re: What IS Flash?

      Well, you can get it via PDFs, so Flash is PDFs or the converse, I am not sure.

    2. Peter2 Silver badge

      Re: What IS Flash?

      Adobe PDF reader also has the same issue, including features that let you compromise a system by simply opening a PDF file with PDF reader.

      It would be really nice if Adobe would include a "secure mode" whereby their plugins could be locked down to just being a video player, or just a PDF picture viewer instead of the security nightmares that they are at the moment.

      1. Stuart Halliday
        Facepalm

        Re: What IS Flash?

        Do people seriously still use Adobe PDF Reader!

        Let me reexamine the year on my calendar...

    3. John Brown (no body) Silver badge

      Re: What IS Flash?

      Saviour of the universe?

  6. Fuzz

    of course people aren't upgrading

    when you upgrade a point release of 13 it happens in the background without you doing anything, when 14 came out you are presented with an update wizard that takes you to the adobe website to download version 14. This all happens when you are logging in to your computer, how many people have time to download and install an update when they have just logged on to their computer? It's the second most stupid auto updater after the idiotic java which asks for elevated privileges before it asks if you'd like to install the update and only then does it go and download the actual update to install it along with the ask Jeeves toolbar.

    1. mark 63 Silver badge

      Re: of course people aren't upgrading

      my god that toolbar. You'd think Adobe was a big enough company what with ruling the world's graphic design industry that they could lay off trying to sneakily inject bullshit toolbars and stuff along with their very regular patches and updates. Isn't it them that will put that McAfee thing on at any opportunity unless you watch them like a hawk?

  7. GitMeMyShootinIrons

    Flash - saviour of the universe....

    Or not, as the case may be.

    But I digress. The revelation that there are insecure unpatched installations out there is a bit like making proclamations about the toilet habits of bears that frequent forested areas. Flash is very common on home devices, but probably less commonly used than it used to be. If its update function fails, most won't know/care. A bit like the free couple of months of Symantec abandoned on home PCs by users reluctant to pay for AV.

    It's no worse than Java, where old versions are often retained simply because backward compatibility is often a problem.

  8. Rol

    As always

    The marketing department insists the perfectly working software needs more glam, more pizazz, more flash.

    Eventually as a user I am forced into removing their blinged up garbage and have a need to find another provider, one that hasn't been around long enough to have a need for a marketing guru.

    Why anyone, other than a teenage chav wannabe would find a need for ninety percent of what Adobe shoehorns into its products is beyond reason.

    Oh and while I've got Adobe in my sights, your flash player, with all that extra gooeyness would be much improved if the moronic caption telling me the escape key will cancel full screen mode has a subtext telling me the caption which is currently ruining your viewing pleasure can be stopped forever by typing Yes, yes, I know already, otherwise please wait several lifetimes for the crappy message to go and then restart the video from the beginning.

  9. Anonymous Coward

    Patching in Global organisations

    "Nearly seven in 10 (69 per cent) UK PC users were found to have an end-of-life version of Adobe Flash Player 13 installed during Q2 2014. Users had not updated to version 14."

    Hah - I work for a global organisation with thousands of PCs and being on FP13 would be a good step up - a lot of our work PCs are all still on Flash Player 10... our internal desktop support team don't like patching applications and like to bundle them in with the SOE image - once deployed they may not get updated for 4 or 5 years! Our internal security team doesn't mandate minimum application patching levels for internal PCs. Comparing the average PC corporate PC with MS Update online, we are a good 60+ patches down.

    Posting Anonymously to "protect" my current employer.

    I am still constantly disappointed/dismayed by the apathy within the IT support teams to do what should be a general housekeeping task. The other annoying thing is that the business doesn't understand the risk it's in and therefore cannot help IT provide the adequate resourcing to address these concerns (if resourcing is an issue).

    This is the third global organisation I have worked for, and only 1/3 had a holistic approach to security, and even that one had some gaping holes (but at least it was going through a process of addressing them all). There is a lot of talk about securing countries and organisations from Electronic Warfare and hackers, if we can't do simple patch management, what hope do we have?

    1. king of foo

      Re: Patching in Global organisations

      I mirror your frustration.

      XP. Check.

      Ie6. Check.

      Flash player 10. Check.

      Java 6. Check.

      FTSE 50.

      I'm amazed we haven't had any problems. Yet. Websense can't be a complete waste of money.

      1. kororas

        Re: Patching in Global organisations

        Just pray you don't get targeted specifically.

  10. veti Silver badge

    People still use Flash?

    I thought that died when the iPad came out.

    No, seriously. What do we need it for anymore? There are dozens of video formats out there, and plenty of amusing cats/pr0n available in just about all of them.

    1. Anonymous Coward

      Re: People still use Flash?

      VMware quite recently moved their client to Flash, so quite a lot of admins need it now :( Well, when I say "need" I'm ignoring the fact that a lot of those admins are now moving to Hyper-V :)

  11. Anonymous Coward

    "Adobe Flash Player was the most insecure program installed on UK computer users PCs"

    Why do so many websites including large parts of YouTube's content require this POS? YouTube still requires Flash even if you have a HTML5 capable browser... Does anyone know why?

    I'm travelling right now, but wanted to see some World Cup matches. But many of the websites hosting games force you to use Flash, and with all the popup ads to dodgy Ad brokers, I've had a few hairy moments wondering if my machine is going to be pwned...

    1. Steven Raith

      Re: "Adobe Flash Player was the most insecure program installed on UK computer users PCs"

      "YouTube still requires Flash even if you have a HTML5 capable browser... Does anyone know why?"

      You answer your own question with this:

      " But many of the websites hosting games force you to use Flash, and with all the popup ads to dodgy Ad brokers,"

      Implementing inline ads (and, additionally, encryption on streams for DRM) is tricky with HTML5 video, and the DRM part is politically sensitive as they 'need' proprietary stuff in there which (rightly) sticks in the craw of the open source peeps - Mozilla, IIRC, eventually capitulated, but large chunks of the Linux world can't include that sort of thing by default.

      In short it's all down to those slimy cunts in marketing and advertising - as it usually is. Come the revolution, and all that.

  12. Anonymous Coward

    BBC and YouTube without Flash?

    I installed FlashBlock in Firefox to see if I could manage without Flash (having realised a while back that there was no good reason to have Java any longer) and the only time I noticed anything being blocked was when trying to view video on YouTube and the BBC news site (I block ads so I'm not exposed to that nonsense). Is there any way to view video on YouTube and BBC news without Flash? I'd dearly love to un-install it...

    1. veti Silver badge

      Re: BBC and YouTube without Flash?

      YouTube has video in a large range of formats, it's the luck of the draw whether any particular vid you want to see is served as Flash.

      This video claims to show you how to view almost all of YouTube without Flash at all. I can't vouch for the content, because ironically I can't view it on my current 'puter...

    2. eulampios

      Re: BBC and YouTube without Flash?

      Is there any way to view video on YouTube and BBC news without Flash?

      There are many, at least for youtube. I am not sure about BBC. VLC can play many url videos including youtube. Totem on GNU/Linux can do it too. There is also a python program youtube-dl. As the name suggests it can download video from youtube, it can also download videos from other websites. You can try youtube-dl BBC too, try vlc for it too. I myself cannot, I am in the US. wireshark might be another possibility.

      For non youtube movies, you might simply examine a page source, when it's hidden, I use tcpdump to determine the url

      1. Jamie Jones Silver badge
        Angel

        Re: BBC and YouTube without Flash?

        To legitimately access BBC iplayer without flash, google 'get_iplayer'

        To legitimately access it when it appears you are not in the UK when really you are, (e.g. the multinational you work for peers outside the UK) a cheap UK proxy/vpn (or even set one up on your home machine) would work fine, because the actual raw rtmp streams are not regionally restricted, so can be accessed directly (courtesy of your local akamai or limelight CDN) once you know the stream rtmp url. (But why such content can be accessed in California [just tried it and it worked - rtmp server 1ms ping from my server there] is anybody's guess, though I assume it's cache on request at least)

        1. Chemist

          Re: BBC and YouTube without Flash?

          "To legitimately access BBC iplayer without flash, google 'get_iplayer'"

          Whilst I agree with you about get_iplayer the poster was asking about BBC news videos, presumably from their web-pages. Those are flash.

          I sometimes use my fileserver as a proxy when I'm traveling - it usually worked very well.

          1. Jamie Jones Silver badge

            Re: BBC and YouTube without Flash?

            " Whilst I agree with you about get_iplayer the poster was asking about BBC news videos, presumably from their web-pages.Those are flash."

            Ah yes, sorry, I misread the post.

            But when he said 'view video on YouTube and BBC news', just in case he meant :

            (view video on YouTube), and BBC news

            rather than:

            view (video on YouTube and BBC news)

            (ahhhh, the ambiguous wonders of the English language!) get_iplayer can be used to view or record the live channels too.

    3. Jess

      Re: BBC and YouTube without Flash?

      I have a rather nice G5 which obviously has no current flash support (though there is a current firefox port, called tenfour fox)

      This (plus grease monkey) allows me to watch youtube on it:

      http://isebaro.com/viewtube/?ln=en

  13. johnwerneken

    free software

    Free software from commercial teams tends to be worth the price charged. This is particularly true when the whole idea is an attempt at monopoly, as is the case with flash/reader and quite a few others. Ubiquity being the driving goal, all else is basically shoddy.

  14. Anonymous Coward

    The only secure flash plugin

    Is one that isn't installed. Seriously, why even bother? Nowadays it's mostly used for advertisements anyway.

  15. Nifty

    I had to uninstall Flash from my PC yesterday as it was crashing with Firefox every minute (massive list of FF crash logs) and locking up my entire PC 3 times a week. Been through the reinstall cycle previously btw. The discussion forums on a solution go round in circles, one thing is sure: It's FF and Flash together, plus maybe some interaction with 64 bit OS and video drivers that lock up a machine. One of the warning signs of trouble is a jumping cursor.

    What will happen, as before, is that eventually I'll hit a site - be it internal corporate (e.g. interactive training) or an external essential service - that demands Flash. So will have to switch to IE for those reluctant moments.

    Flash, begone forever out of my life (I wish).

  16. Cuddles

    Maybe if the updater didn't constantly try to foist malware on you on the rare occasions it actually works at all, people would be a little more inclined to actually use it.

  17. Anonymous Coward

    Flash player?

    I never updated it ever since I got Chrome.

    It seems Chrome does it for me. And for the Flash running for other browsers, it tries to update whenever I reboot the machine, which only happens when Microsoft tells me to, after every Patch Tuesday. But oh, do I feel tempted to just skip the damned warning.

    Why don't they auto-update silently like Chrome ON FREAKING DEMAND, instead of running a bloody TSR?

    So, yes the bloody thing is updated, but it didn't update itself silently like everything else. Java is another bothersome POS, but at least it will only ask for update when you are actively trying to use its features.

  18. Anonymous Coward

    Flash?

    use links: no f'@ing Flash, no ads, no waiting for the content you want.

  19. redwolfe_98

    it is incorrect to say that adobe flash player 13 is "EOL".. flash player 13 is an ESR version:

    http://blogs.adobe.com/flashplayer/2014/03/upcoming-changes-to-flash-players-extended-support-release.html

    so, just because someone is using FP 13, that doesn't mean it is outdated and unpatched.. FP 13 is a ESR version which will continue to be patched, for years to come..

    many people choose to use ESR versions in order to try to avoid having problems.. i myself used the ESR versions of "flash player" for several years (ever since FP 11.x was first released).. it was only last month that i decided to go ahead and install FP build 14.0.0.125, instead of using the ESR version (since there isn't that much difference between FP 13 and FP 14).. and, yes, i have FP build 14.0.0.145, now..

    i don't like that the article says that FP is the most insecure program on people's computers.. that statement is misleading, suggesting that using FP is the greatest security-risk to computer-users.. i don't think that you can blame FP for malware-infections, any more than you can blame the browser, or the OS.. the end-user is the problem.. people need to be conscious of the malware-threat and take measures to avoid having their computers infected with malware.. don't blame flash player (or the browser, or the OS)..
