This is or isn't funny....
I just got the "This website wants to install Adobe Flash Player" from the ad at the top this article.... FAT CHANCE!!!!!!!!!!!!!!!
If you patched Adobe's screen door of the internet – its Flash plugin – last week, and thought you were safe, even for a few weeks, you were sadly mistaken. The Photoshop goliath is warning that yet another programming blunder in its code is being exploited in the wild, and says it won't have a patch ready to deploy until …
Perhaps you missed his saying his "ex-chromebook". The google Chrome browser on the Chromebook might have supported Flash but since he rooted and installed another OS, I guess it doesn't now. Much like my former Windows laptop that now runs a flavor of Ubuntu and has no flash installed.
just have click to play enabled (Chrome/firefox/opera only) and adblock and most issues are not there
if your using IE well you're a sitting duck sorry (no adblock or click to play flash)
i wonder how long its going to take chrome to treat Flash like Java (click to play is forced if java app wants to load in chrome)
one thing i have noticed most malware nowadays looks for vmware or sandboxie, if it detects them on your system it will not do stage 3 normally (drop the full payload onto your system) as its likely your a whitehat or company looking these droppers (most likely why i have never seen it on my system) as vmware or sandboxie is unlikely to be on an normal persons computer best to just not load droppers onto systems that have them tools on your system
This post has been deleted by its author
I have always disabled Flash entirely on my primary locked-down browser (Chrome), but the last incident made me reach my tipping point. My plan is to remove Flash entirely from my Mac, and leave it in a VirtualBox VM ghetto for when I absolutely need it. That way I won't have to restart all my browsers each time there is a security update, and the damage from compromise is contained.
The flaw in this plan is that Chrome bundles Flash, so there would still be the taint of Flash on the main OS X.
I have good news for you! While Chrome bundles Flash and enables it by default, it IS possible to turn it off completely.
To do this, go to settings > Privacy > content settings. There you can either block ALL plug-ins by default, or you can click the link below to disable individual plugins. Click that link, scroll down to Flash, click disable.
Your machine is now Flash free as far as the internet is concerned, since Chrome will no longer load the Flash libraries.
This is our last five Flash deployments along with their respective dates (and we typically patch within 48 hours following the availability of an update);
Adobe Flash Player v15.0.0.223 - 20141112
Adobe Flash Player v15.0.0.239 - 20141126
Adobe Flash Player v16.0.0.235 - 20141210
Adobe Flash Player v16.0.0.257 - 20150114
Adobe Flash Player v16.0.0.296 - 20150128
Really? Five fucking patches within a 77-day timeframe with the last patch issued less than a week ago and already there is another security advisory for this god damned excuse of a browser plugin which is once again demonstrated to contain more vulnerabilities and require more patching than entire bloody operating systems?
Just issued an enterprise-wide uninstall of this pile of crap. Should've done so ages ago and frankly speaking if Flash is a crucial and required component for the functionality of a given website then the webmaster really does have bigger concerns since mobile devices aren't exactly known to be very friendly towards Flash.
And while we're on the topic of Adobe being security-incompetent my reseller had once told me that they were given firm instructions by Adobe themselves to always claim that Adobe's products and services are "very secure". I cannot recall the exact phrase but it was along the line of "we were told to always claim that Adobe and Creative Cloud are "very secure" when asked."
Ha... ha... HA... HAHAHAHAHA.
Yeah. So "secure" indeed that my dedicated E-Mail alias for my Adobe ID is subject to spam attempts multiple (up to a dozen) times an hour because Adobe can't fucking "secure" their website and databases either. I have since changed said E-Mail alias but it continues to stick out like a sore thumb every single time I need to review my mail exchange logs.
News Flash Adobe...
"Security" is a little bit more than just pulling the word out of your arses.
This post has been deleted by its author
@xBr0k3n. So apparently I did. Sigh. Had to double-check my security advisory E-Mails.
Make that SIX fucking patches within a 77-day timeframe then.
Definitely an inexcusable oversight on my part however. But damn that's a lot of patching.
@John. No vSphere under my belt. Mercifully. We do have one brand of firewall appliance we're quite fond of however which did rely on Flash for its web interface until about a year ago when the last major version release finally got rid of it. It was tolerable originally however as I much preferred to install and utilize their dedicated management application instead.
It is used for very little aside from ads anymore, and I keep Chrome around as my "browse the occasional site that doesn't work right in Firefox, or has sketchy content" browser so I could use it if there is some backwater site that still hasn't got the memo and uses flash.
I think it is pretty much like when I dumped Java a few years ago, and Shockwave a decade ago. It will be a small inconvenience on the occasional site, but given the billion iOS devices browsing the web without flash any site that requires it isn't worth bothering with in 2015.
Do it. I've been without Flash for a good four to five years now on my personal workstation and I haven't missed it a single bit. As a matter of fact it actually significantly improved by browsing experience as it got rid of the vast majority of highly annoying "flying across the screen"-style ads.
Back when I first dumped Flash (and mind you this was back in around 2011) I did feel the pinch a little. Certain websites wouldn't load and those which did would contain missing Flash elements. These days however it is extremely rare to be handicapped due to the absence of Flash.
Even CNN plays you videos without Flash.
Also one of the truly rotten aspects of Flash which a lot of individuals do not consider is that it is very often used to override any anti-cookie configuration you may have. Flash has its own data store which ad networks have been known to exploit to store unique identifiers as this data store is not cleared when you purge your browsing history. I'm not sure if this is still the case as I haven't had Flash installed for years and my enterprise configuration had a policy to disable this data store but given Adobe's lousy security track record I wouldn't be surprised if this little "feature" is still open to abuse.
"Even CNN plays you videos without Flash."
The BBC doesn't and when I tried to contact them about their reliance on Flash via their web form:
https://ssl.bbc.co.uk/faqs/forms/
I got this error message:
"An error occurred during a connection to ssl.bbc.co.uk. The OCSP response contains out-of-date information. (Error code: sec_error_ocsp_old_response) "
It makes you wonder what they are doing with all the money that they forcibly extract from the viewers.
Oh, I still haven't worked out how you get in contact to ask them to ditch this piece of shit.
It makes you wonder what they are doing with all the money that they forcibly extract from the viewers.
The BBC is vastly underfunded for what we ask it to do. All of their awesome tech is delivered on a shoestring budget by people who should really be working elsewhere and making a whole lot more money. I don't like that they spend so much money on slebs and dancing shows, but it seems to be what people want to watch.
PS: Why does their OCSP list got out of date information? Probably because the person who is fixing that is fixing something more important at the minute. Particularly given that OCSP is a dog, doesn't serve its purpose (particularly in this scenario, no client certificates to revoke, so OCSP is controlling revoking the server certificate) and most browsers will silently ignore invalid OCSP information, I'd imagine its fairly low down the list.
Received the following from BBC regarding Flash on their website:
Thanks for contacting us regarding our use of Adobe Flash.
Flash was chosen for playback on bbc.co.uk in our embedded media player for several reasons.
Reach - Flash was the most effective way of delivering a high quality experience to the broadest possible audience. It provided DRM to enable us to negotiate rights for distributing programmes online and allowed us to affordably deliver an adaptive bitrate solution and live simulcasts of our TV channels.
You can read more about Flash, open standards and the BBC in the following blog.
http://www.bbc.co.uk/blogs/legacy/bbcinternet/2010/08/html5_open_standards_and_the_b.html
However, as Cathy Bartlett states in her blog below, we are looking to move a single player across platforms and devices. We'll be continuing to exploit modern ways of embedding and playing media in web pages, researching new streaming formats such as MPEG-DASH, as we move towards using a single player across platforms and devices.
http://www.bbc.co.uk/blogs/internet/entries/7185ad76-d3de-3df6-8641-975feed88091
So while Flash is commonly used now, we are looking into how best to deliver media going forward.
@Entrope. It is indeed still in use, and it is being used by the British government.
After completing my self-assessed tax return last week Ccleaner obligingly removed a Flash Cookie which was labeled as belonging to online.hmrc.gov.uk. Also it looks as though access to the online tax pages isn't possible unless scripts are enabled from Google Analytics.
Don't we pay the spooks at Cheltenham enough to avoid the need to offshore this?
@David. Thank you kindly for verifying!
LOL @ HMRC. And face palm. Does make you wonder though how many government websites would outright collapse overnight if Flash were to be suddenly flagged as a dangerous and dumped across the board by all browsers simultaneously.
it looks as though access to the online tax pages isn't possible unless scripts are enabled from Google Analytics
There were a few things I had to enable (noscript / ghostery blocked) but Google Analytics wasn't one of them. Don't think I've ever had to enable that to make something work...
M.
@Martin: Starting with a clean copy of Firefox portable, which did let me in, then loading addons one or two at a time, Ghostery and scripts from Google Analytics had been the only things I could see that were left to test before I gave up trying to find out what was blocking my access to the HMRC self assessment site. (Life is short, after all.)
Today I seem to be able to get in without any problem, and apparently without a Flash Cookie being planted; though I didn't enter any data. Ghostery showed 0 trackers on the self-assessment menu page. Maybe government techies do read El Reg after all, but I still haven't had an offer of employment.
This feature was already turned on in Chrome (Windows); I had to enable HTML5 for YouTube in FF 35.01.
I spend a lot of time on YouTube listening to favorite music, but the videos I watch look just as good in HTML5 as in Flash. There just isn't anything I want to see anymore that requires Flash.
The slow death of Adobe Flash has been hastened — YouTube, which used the platform as the standard way to play its videos, has dumped Flash in favor of HTML5 for its default web player. The site will now use HTML5 video as standard in Chrome, Internet Explorer 11, Safari 8, and in beta versions of Firefox. YouTube engineer Richard Leider said the time had come to ditch the aging Flash in favor of HTML5 as the latter, used in smart TVs and other streaming devices, had benefits that "extend beyond web browsers."
YouTube's move highlights the shrinking relevance of Adobe Flash on the modern internet. Adobe itself has spent the last few years severing many of its ties with the product — the company's Flash 2012 Flash roadmap narrowed its focus to gaming and "premium" video, and in 2011, the company killed Flash Player for mobile, saying at the time that HTML5 was the "best solution for creating and deploying content in the browser across mobile platforms." In 2015, YouTube has realized that Flash is not the best solution for web video, full stop.
http://www.theverge.com/2015/1/27/7926001/youtube-drops-flash-for-html5-video-default
Games built on HTML 5, iOS or Android should provide your good lady wife with some distraction.
She might find a tablet - and we're hearing good things about inexpensive Android models these days - more convenient than a laptop for causal gaming / general messing around online. If she doesn't already have one, the 14th of February might give you an excuse to buy her a tablet.
" If she doesn't already have one, the 14th of February might give you an excuse to buy her a tablet."
My long experience of buying distaff side gifts tells me that an infinitesimal proportion of the female population would welcome a tech gift on that date. As an "out-of-the-blue" gift on a non-special day she'll be surprised and appreciative, but for birthdays and Valentines you may only be earning two weeks of bad tempered glaring and door banging. Stick to romantic meals, surprise weekends away, carefully chosen clothing, chocs and flowers. And just give her the tablet for the sake of it.
The question is, why did people even get the idea of using plugins?
I mean the WWW did have a promising start. HTML was a simple standard with a couple of tags telling the browser how the document was structured. The design aspects were entirely left to the browser. That's why you could set your fonts in early versions of Netscape.
What we need to do now is to kick out features of HTML. It was never made to provide "pixel perfect" GUIs. CSS has turned into a Turing-complete mess, and Javascript is abused more and more. Maybe we should replace HTML/HTTP with something new for "Web Applications", something that's been designed for it, allowing for simpler code on the browser and on the server.
"Please fix Real Player for the older computers. Real Player turned into such bloatware that it was useless but I never got a virus from it!."
Assuming you're not being sarcastic you do understand that you are literally the only person on the entire internet who wants that thing to come back, right?
>The question is, why did people even get the idea of using plugins?
It seems that Adobe (before they acquired Flash etc with Macromedia) wanted Netscape Navigator to render PDF files directly. Netscape proposed building PDF support into Navigator, but Adobe suggested that Netscape develop a system for supporting plugins, as Adobe themselves had done for Adobe Reader.
http://en.wikipedia.org/wiki/NPAPI#History
"That's why you could set your fonts in early versions of Netscape."
Both Firefox and IE (but not Chrome) still let you do this, and let you prevent those settings being overridden. Even today, I'd recommend at least trying it. It makes things a lot more readable (the same font on all sites is a lot easier on the eye), and generally fixes more than it breaks.
Indeed. People advocating for the ultimate quash of plugins are missing the point: the WWW itself was not intended to carry dynamic content at all. HTML has had a lot of stuff hacked in, from the hideous JavaScript to CSS and a lot of bloatware on top of that (AJAX! JSON!) to the point where JavaScript stuff has grown into being the same kind of bloatware that plugins have been anyway. There are sites which will make my smartphone hot just because of the crappy JavaScript stuff running in the background.
Plugins were made to add native programming functionality into websites, which can be good (Java), can be iffy (Flash), or can be downright hideous (ActiveX). The needs aren't going to go away just by banning plugins. Ideally we would have something better replace the WWW itself for "web app" stuff, but at the moment we have to work with what we have.
To be honest I see little difference between Java and ActiveX, both are horrible ideas just one is sand boxed a little bit better. Plugins are just a horrible way to solve such a problem.
Again for web apps, which use a completely different layouts than web pages, we should have gone for something completely different. Something that's essentially an intelligent terminal. Perhaps it could use Javascript or Lua for the bit of local processing you need, but something completely different for the GUI.
I'm not trying to support Flash here, but listen to yourselves for a minute.
Yes Flash has been around for a long time because Internet features has so far been unable to replicate the functions it offers, I hope that one day, Flash's features and performance can be replicated entirely in the browser without a plugin.
As this is a technical news site, I assume you people have some knowledge of how such things work. The writer here called out to a few sites that no longer uses Flash, one of which is Netflix, but that's pushing it too far. Netflix uses Silverlight which is Flash's direct competitor by Microsoft. It faces the same problems and it also has been patched a lot recently.
Fact is there *were* features people have enjoyed for a long time that is brought about by this plugin back from the Macromedia days but due to the mindless bashing of the press and fanatical followers of Steve Jobs, companies suddenly started running away from Flash like a plague. Good riddence, you might say, but these companies had to give up all interactive possibilities just because of an irrational fear created by the media and as a direct result of such mindless mobs, Adobe actually scaled back development of Flash.
If you are scared about contracting viruses from ads, use an ad-blocker, it'd do more than just stop viruses from spreading through one plugin.
Now the other thing, bugs doesn't just go away because you uninstall an offending plugin. What has happened is the codes and runtime support for the features in Flash is now essentially being ported right into your browser. The coders at Mozilla, Google etc.. will face the same implementation problems and will most likely encounter the same bugs, which is part of the reason why Firefox switched to a rapid release model.
What will happen in the future is clear, if there are 0-day security issues like this on any part of the browser that is only growing in bloated technologies by the day. More people than what is being infected now will be infected, and what's worst is there could be no way to simply disable a type of browser feature in order to stop an infection.
There are already issues with replacement technologies in javascript animations for example that Flash developers has moved onto that are hanging up and crashing entire browsers. This will only get worst as the Internet catches up with features pioneered and offered in Flash.
I seriously doubt any right-minded person simply uninstall or removes an item prone to infection just because news of it being exploited comes out and doesn't look for alternative remedies.
If you're serious about this type of mentality? Perhaps you should permanently glue and disable your USB and Thunderbolt ports too. Those as far as we know at the moment has the potential to completely compromise your machines to the point that re-installing wouldn't help. Oh you might also think about getting rid of OSX, Windows and Linux altogether as they've also been having their fair share of 0-day exploits within the past 60 days.
"Now the other thing, bugs doesn't just go away because you uninstall an offending plugin." - What uninstalling an utterly useless and offending plugin does do however is reduce the number of attack vectors without actually causing any real implications or inconveniences.
And one important aspect of security is to keep installations minimal. More applications, services and plugins equals to more code to exploit. If a given feature isn't required it shouldn't be there if it is within your capability to disable or fully eradicate it.
Seeing how Adobe finds it quite fit however to take its own sweet time to mend the vulnerability (note that a patch hasn't been released yet) despite evidence that said vulnerability is currently being exploited in the wild by a common exploit kit does make one quite inclined to proceed with the eradication route especially when the plugin in question is no longer as necessary to browse the internet as it used to be.
Don't get me wrong though. I do agree with some of your points. But as someone who has been without Flash on a personal level for quite some years I find it difficult to vouch for its usefulness. Yes, the majority of the attackers will be (or have already begun experimenting on) exploiting the "next big whatever" and that is when the evaluation of subsequent countermeasures should take place in order to minimize ones exposure to the vast majority of threats.
Terminating Flash isn't a permanent solution to staying safe online. But *right now* it isn't an unreasonable solution either.
The nice thing about plug-in's is that you can uninstall them; with FLASH equivalent functionality in HTML 5, your options to reduce attack surface are somewhat reduced.
Also "Even if Adobe put its top programmers working on Flash, a free piece of software, a lot of people around the world are very keen to find exploitable bugs in the plugin so they can break into victims' computers." can be simply rephrased, replacing FLASH with HMTL5 or whatever. Basically, if a lot of people are going to be using something, then it is going to attract people keen on finding exploits QED.
@ first AC: I didn't read your full comment, just up to the part where you said these companies had to give up all interactive possibilities... And that's a lie. Just ask The guys at Green Felt or Gopherwood Studios. They make excellent games with only a scary amount of JavaScript. No flash to be seen.
"They make excellent games with only a scary amount of JavaScript. No flash to be seen."
You should read further. He's saying JavaScript is just as bad.
But here's the rub. If you remove Flash and JS, what the heck do you use to code highly-interactive web content (that consumers actually want--just ask Facebook)? What can you use that's cross-platform and with fewer holes than a wheel of Emmentaler?
AC,
I expect you have never had the pleasure of seeing IE or Chrome use 99% CPU resources until you have closed the tab/s with Flash content on them and seen everything plummet to normal levels.
This is on a 12GB RAM, Core I7 930 - 8 cores with HT - so not exactly a slow machine.
Mozilla and Google run automatic checks against their code to pick up bugs which could be used for exploits in the future and correct them before they are. Every Chrome or Firefox release pre-emptively fixes possible exploit avenues.
Adobe just play whack-a-mole.
See the difference?
Mozilla and Google run automatic checks against their code to pick up bugs which could be used for exploits in the future and correct them before they are.
Mention the terms, 'coding to an interface', 'unit testing', or even 'bounds checking' to an Adobe programmer and I expect you will get nothing more than blank looks. Sadly, best practice is something often ignored by a lot of companies.
Odd, it works fine on my linux machine which has never seen Silverlight (or Mono)...
Chrome implemented the HTML5 DRM extensions that Netflix's HTML5 player requires, so if you're in Chrome it will work natively on Firefox. Before that became a thing, I was utilising a package within an Ubuntu repository which was basically a Windows version of Firefox and Silverlight pre-packaged to work under WINE. Worked pretty damn well, but native is nicer.
"Chrome implemented the HTML5 DRM extensions that Netflix's HTML5 player requires, so if you're in Chrome it will work natively on Firefoxlinux. Before that became a thing, I was utilising a package within an Ubuntu repository which was basically a Windows version of Firefox and Silverlight pre-packaged to work under WINE. Worked pretty damn well, but native is nicer."
Sorry -- but that was jarring to read. FTFY
You're basically wrong because you ignore the fundamental issue with Flash: it's humongously big and incorporates massive amounts of functionality which hardly anyone uses (or knows about).
If it was just a movie player, which is all that most people ever used it for, it wouldn't have been so difficult to make secure. Even Adobe might have been able to do it.
>Fact is there *were* features people have enjoyed for a long time....
Enjoyed by web-users, or by developers?
>... but due to the mindless bashing of the press and fanatical followers of Steve Jobs
As an Android / Windows user, I agree with Jobs on this - but I didn't need him to point out the high CPU load Flash inflicts on my laptop - the fan noise does that.
To simplify: The use of Flash can be roughly dived into three classes:
1, Video, for which HTML5 and hardware-accelerated codecs appears to the correct solution - even Adobe think so.
2, Games - for that sort of causal gaming experience, many people now play native Android or iOS games.
3, Animations - for which Flash is still the best solution. However:
As a consumer of content on the web, it seems to me that most Flash animation is not for my benefit - it is put to use in advertisements, or else in often-misguided attempts to make websites more interactive or visually interesting. [Web designers: if in doubt, Keep It Simple Stupid!] As a content consumer, 99% of the time I just want to read the text, look at the pictures and watch the video - ideally in a fairly standard way across websites. Only occasionally do I come across a a Flash element - say an interactive diagram with roll-over elements - that genuinely enhances my experience.
Adobe have made Edge Animate - a tool to create Flash-like animations using HTML 5 and CSS, but the consensus is that is not there yet - as the results are at the mercy of different implementations of in different browsers. Hopefully it will get there.
"Netflix uses Silverlight which is Flash's direct competitor by Microsoft. It faces the same problems and it also has been patched a lot recently."
Have to pull you up on this. Silverlight 5 for 32-bit Windows has been patched five times in its entire existence, from December 2011 (so a little over 3 years). Three were remote code execution issues, one could potentially allow information disclosure, and one was a defence-in-depth measure correcting a problem where other code could be attacked using Silverlight as a vector (it meant the location of attack code was predictable). The most recent patch was last March.
Adobe really should do the right thing and euthanize Flash, publicly and resolutely, on a short time scale. Else, there will be people hanging on to its long tail for years, the way people hung onto--and still hang onto--XP. Make a clean break, Adobe; stop playing with that thing, and just kill it. It's the best thing for all concerned.
"Make a clean break, Adobe; stop playing with that thing, and just kill it."
Why would they do that, when they make money from it? Having failed to invest in a secure solution thus far, they won't be doing so now, as HTML5 slowly eats their customer base. And the result is the lingering death that we continue to see. I think that will continue for several years yet, unless the exploits become corporate. A few unlucky grumble chasers getting their PC's owned won't persuade the world to move on. If a couple more Target-style data breaches occur that were linked to Flash, or a Sony Pictures style intrusion, then the corporates will start uninstalling Flash. When they're not paying then Adobe will have no revenues, "support" will end, and Flash can be put where it belongs, in a shallow grave.
Steve jobs was "right" only because he was a slimey vile worm, hell bent on binding the entire populous into the Apple App model.
Flash allowed creators some freedom to break that restrictive model.. But as it turns out, Flash has become a lumbering pig, long overdue a bullet to the skull.
Throw it into the same hole Jobs is decomposing in. Both were a pox upon this good earth.
That was a bit vicious. The reason I discount the whole "Jobs was right" thing is two-fold:
1) He was stating the bloody obvious. HTML5 was being implemented at the time and its enhancements were fully intended by all parties to replace needless Flash installations. Now every time someone says "Flash is shite" everyone yells "seeJobswasrightomgwhatanamazingvisionary" when no-one was arguing that point.
2) He was only making his super-amazing-wise proclamations in response to people bugging him about why iOS didn't have Flash. He decided to point the finger at Adobe and get on a high-horse about how making things worse for the end-user was actually a feature - something they eagerly lapped up - rather than admit his devices were deficient compared to their competitors.
Re: (2); Jobs' letter came two months before Adobe finally managed to launch a preview version of Flash for Android — three years of bickering, when doing so would have been a major PR coup, and Adobe still hadn't managed to produce anything. That says as much about the death of Flash as anything. It clearly wasn't ready when mobile devices came of age. Jobs couldn't have had it if he'd wanted it.
The letter was score settling for the atrocious Mac implementation though, I'm sure.
Re: (2); Jobs' letter came two months before Adobe finally managed to launch a preview version of Flash for Android
I keep hearing over and over the claim from his open letter that Flash "still wasn't running on Android". Ask anyone who owned an Android phone at the time - we had Flash. The N900 had Flash. Flash was on mobile. I really don't get what that whole thing was about. Had every version of Flash on Android before then been a beta or something?
"It's the Lego brick in your foot when you're feeling your way through a dark kitchen at 3am."
Love the simile! The writer has kids, too, I guess.
Incidentally, I'm planning to upgrade the laptop whom I maintain for a totally computer-illiterate auntie type person, who needs it mostly for online banking. It certainly would be safest to leave Flash out of it this time, but I must first test who many of her favourite sites it would affect (resulting in a call to me about the computer being broken...).
Yes, but unlike flash, Lego is the best thing in the world.
Sure! Except when you step on it. And especially if the brick is upside down. An event like this in my childhood caused me to learn just how thick the epidermis is under the foot. The brick sliced a neat sample of it.
But a 3-pin plug, pins up, is measurably worse. The CIA have BS1363 plugs flown into Gitmo and other dark sites especially, so they can leave suspected terrorists barefoot in dark rooms with the things liberally scattered on the floor. After a few hours fruitlessly and painfully trying to reach the bed, the toilet or the feeding hatch, the victims always confess.
Unfortunately, flash is required for the vCentre web client. While the web client is a total abortion and I try to avoid using it wherever possible, I have some vmx-10 virtual machines I have to wrangle. I have to use it for these since the VI client can no longer edit the VM configuration of vmx-10 machines.
Please VMware, remove this flash dependency, then I can be rid of it.
"Cisco's servers require Flash to manage them too. When I first complained to Cisco about it, they said "Meh." When I pointed out other server vendors manage to write management interfaces without Flash, they just shrugged their shoulders."
Possible riposte. Tell Cisco that if they get pwned because of the need for Flash, the potential financial liability due to lawsuits and so on will be for more than it would cost your firm to do a top-down Cisco-free overhaul of the infrastructure. "A little pain now to dodge a lot of pain later" is at least something bean counters would understand, and few things will make a firm like Cisco take notice is the threat of a defection (and all the viral bad press that entails).
Mine is 'a differential' is when someone means 'a difference'. We don't hear people using 'a sequential' when they mean 'a sequence', 'a torrential' when they mean 'a torrent', or 'a cyclical' when they mean 'a cycle', so why the constant of misuse of 'differential' by people who should know better?
'A differential gearbox' and 'a differential analysis' are fine.
FFS, we've been through this before.
To leverage something is to use it to maximum advantage.
There are more important things to worry about.
Here's the thing - and this is what makes all of this truly sad and depressing - the only reason people keep using Flash is that there really isn't anything to replace it. HTML5? No - it doesn't because apparently the W3C thinks Flash == YouTube and so only worried about video streaming.
Which they didn't get right anyway.
What's been needed for a decade is a modern infrastructure that tames the Wild West mess that is the web and brings in a consistent, advanced *modern* platform based on a bytecode system like Java or .Net - in fact, .Net even has the advantage of being relatively language agnostic.
The horrible dog's breakfast that is HTML/CSS/Javascript gets left behind when you have better things to do than reinvent the wheel every ten minutes, fight endless package conflicts, have to deal with 'flavour of the week' and develop with tools that make emacs look good again.
Antivaxxers? Well, I guess one kind of closed-mindedness rationalises another...
It wasn't so much that video streaming was the only thing they bothered with as video was the only thing they could come to an agreement. When it comes to more interactive elements, there are such entrenched interests that consensus was impossible As it is now. What are you going to use to replace Flash that (a) isn't buggier then Flash (that removes JS and Java, both error-prone), (b) that everyone will agree to, and (c) won't get hijacked by some entrenched interest down the road?
Java is probably the one language/platform that should (theoretically) be ready for distributed application deployments. They have all the stuff for clientside, serverside, and client/server support with a robust middleware tier for complex stuff. The problem has been that for many years, Java was seen as "slow" and "unsexy", so many web devs have jumped into other stuff, or use JS to fill the gaps. So we probably will need something as good as Java, but without the security issue stigma that Java got. Ideally I'd propose Java, but I doubt people will want it as the main option for this, given its reputation.
I was going to say imagine how much money Adobe would make if they came up with a tool that their designers that knew the Flash Pro environment could just make content with their old flash files. I had remembered Adobe acknowledging flashes days were numbered.
http://helpx.adobe.com/flash/using/creating-publishing-html5-canvas-document.html
Don't disagree with the sentiment - baggsie first in line to beat the tobacco juice out of it - but what are you going to replace it with? It's very ubiquity is the biggest hurdle here; some flash bastard (pun intended) needs to come with something new *and* get the market penetration that Flash has before Flash can be retired (with extreme prejudice, hopefully).
When will people learn that providing masses of power with bad security design is a gift to the hackers.
Microsoft learned that lesson with ActiveX, Adobe are trying to fix a product that is fundamentally flawed from the ground up.
Next is Google Android with it masses of features and rather shitty permissions system.
We have mandatory training, which is built using flash. Some of it is years old, but some of it is new in the last few months. We bitch and moan because a lot of us don't use windows or have flash, but the only answer is to get a VM up and running with XP or Windows 7 so we can use IE for these mandatory training courses. New stuff is *still* being rolled out which requires Internet Explorer and/or flash.
Shitty.
Certainly better than the horrible (but geek-chic-trendy) HTML5 player when using Youtube. I use an extension to prefer Flash rendering, and this is a fast desktop PC with all the bells and whistles. I 'get' it Flash can be an issue, but HTML5 isn't production-environment ready despite the hype.
I don't understand what people have against flash. Sure it has a few secuity holes, but I've always maintained that a good secuity program will mitigate this. Sure it used to be a resource hog, but since I got my current laptop (i7-2760qm 16gb ram) I've never noticed performance issues related to flash, so I think it just needed computers to catch up to it.
There are many sites that still rely on flash especially since I can't stand Firefox past v20 or so so most of the html5 video etc doesn't work properly. As long as you have a decent computer and security I don't see it as a problem. I do however agree there is no need for it on business computers.
"Sure it has a few secuity holes, but I've always maintained that a good secuity program will mitigate this. "
A few? 390 so far to be exact, the vast majority of which rate 10.0 on the severity scale. 12 of which have been in January 2015 alone. It is an abysmal,appalling piece of software that makes the Java Runtime look safe.
...everything I've read about DRM has made me cautious and skeptical.
I have FlashBlock installed on both browsers I use -- Firefox and SeaMonkey -- with a blocklist as long as my arm, along with AdBlockPlus and NoScript.
All I really use Flash for these days is watching YouTube footage, that's pretty much it. For all other Flash content, my browsers have standing orders to "shoot on sight".
I'm down with you in principle, but I think you're being a little bit rough.
After all, there are the people who worked on Illustrator and Photoshop, a couple of genuinely well-done and indespensible applications in my line of work -- and, btw, two of the only three (?) applications developed by Adobe in-house, not assets acquired from other companies, like InDesign (formerly PageMaker, developed by long-gone Aldus) and Flash (ex-Macromedia).
But, anybody who worked on Flash? Yeah, sure, chase 'em out of the building with tire irons and baseball bats.
"In its day, Flash was the kind of product Adobe does so well; like Reader, so handy and straight forward they become near-ubiquitous"
In their day, macromedia flash and adobe reader were small, tightly written programs which did one function.
Adobe kept bloating their featureset and adding more bugs.
WRT gripes about the BBC, recall how long it took for them to support MP3 instead of proprietary-codec-only broadcasts (do they broadcast in ogg yet?)
IE users can selectively block Flash and other plug-ins loaded by pages using the ActiveX Filtering feature. This has been part of IE since IE9. Click the gear icon at the right-hand end of the tab bar, go to Safety, then check ActiveX Filtering.
Now, when a site tries to load any ActiveX object - including Flash and Java applets - it will silently ignore them. You'll get a blue circle icon with a diagonal line through it, just to the left of the reload icon. If you want to re-enable for that site, click the icon, then click "Turn off ActiveX Filtering". Despite the name, it only operates for that site.
The blue icon will also appear in the top-left of any placeholder areas where the control would have loaded.
On any page on that site which loads an ActiveX control in future, you'll see a grey icon instead of the blue one (same shape). Click the grey icon then click "Turn on ActiveX Filtering" to filter out again.
On Windows 8 and 8.1, Metro IE does not have any UI to control ActiveX Filtering - since it won't load any ActiveX control barring Flash - but it does obey the filtering rules. To turn it on and off, and control it for a site, open the page in desktop IE.
I've been using OpenBSD quite a lot lately where Flash is not available due to the security implications, which is quite sensible.
However, you still have sites like the BBC iPlayer that still require you to use Flash to watch anything, so I suspect it is going to be around for a while yet...
WTF?
"In its day, Flash was the kind of product Adobe does so well"
Incorrect!. It was originally from Macromedia NOT Adobe. Adobe bought the company and got Flash with it.
"This latest security vulnerability is, as always, triggered when the plugin tries to play a malicious Flash file – allowing hackers to download malware onto PCs and effectively hijack the computers so passwords and more can be stolen."
This is because all those morons abuse Flash to build application-like code! Flash wasn't intended to build apps but to make interactive and active (read: animated) webpages. If you use flash like it should then there aren't any problems at all.
"...it's time to take the software round the back of the shed and shoot it... "
Big talk from an online "tech-"magazine that's lost a lot of credibility the last few years. Due to spilling nonsense like this. The only thing you do with articles like this, is spread FUD!
If Flash is used like should be and for what is was intended then there's no problem with Flash. Something everyone with enough common sense knows (or should know).
"...Even if Adobe put its top programmers working on Flash, a free piece of software, a lot of people around the world are very keen to find exploitable bugs in the plugin so they can break into victims' computers..."
Not to mention that spreading FUD like this only makes matters worse instead of ease the situation. Sure El Reg, we got it... YOU hate Flash... blablabla.
"Many netizens have recognized that Flash is too old and doddery ..."
You mean the gullible ones that take these articles seriously?
"The fact is, Flash is just not fit for purpose."
No it is PERFECTLY fit for the purpose it was intended! To build animated and interactive webpages! It's NOT fit to build applications and games.
"The worst, very worst, part of it all is that Steve Jobs was right."
No he wasn't! The reasons Jobs didn't want Flash had a more personal nature than he obviously wanted to admit. He used "security" as a sophism. But you are free to believe what you will. Fact is parroting Apple's specious arguments isn't helping anyone.
So stop spreading FUD and write some REALLY interesting tech-articles.
Spent some time looking at artists', architects' and musicians' sites today. Whoa! FLASH FLASH FLASH. Sure, you can step past it, but they paid for that glitter and by gee they want you to see it. There's money to be made reworking those pages, once John Q Public wises up. I won't hold my breath while I drink my beer, though.
Many visual artists are just unable get the notion that in the online world, they cannot completely control what the viewer sees, even if they try their best (even if the display size and resolution happens to be exactly the same that the artist had, the colour rendering is off, unless you have a calibrated display!). That explains the obsession with Flash, which seems on the surface to do what they want. I know an artist, well-regarded in his field, whose web site is a huge Flash application that simulates a book, down to requiring navigation by "turning pages".
Just ask The guys at <a href='http://webofsolitaire.com/Solitaire-FreeCell-Game' title = 'freecell solitaire greenfelt'>freecell solitaire greenfelt</a>
or [url=http://webofsolitaire.com/Solitaire-FreeCell-Game]freecell solitaire greenfelt[/url]
Studios. They make excellent games with only a scary amount of JavaScript. No flash to be seen.
Not to mention MUCH more dificult for a web-"designer".
Because lets be honest, some of us aren't programmers and became webdesigners when we were doing graphic design work for printing. Back then program's like Dreamweaver were great and fun to use as well.
"...It's time to flush Flash back to where it came from..."
Oh please. If those website designers used Flash for what it was intended (dynamic webpages) instead of abusing it to build apps then there are no problems!
But it's always the same. Something is invented for certain stuff, people use it for something else and then complain that it's the worst.
BTW. Flash didn't came from Hell but from Macromedia. And macromedia made some great stuff before it was bought by Adobe. I didn't see you lot complain then!