
Won't somebody think of the children?
Have we now reached the point where sites that *use* Flash (and thereby encourage non-nerds to have it installed and active) should be named and shamed as internet sociopaths?
Adobe has issued yet another update for Flash Player to patch a critical vulnerability revealed in documents leaked from spyware maker Hacking Team. The update patches 36 CVE-listed flaws, including the Hacking Team's CVE-2015-5119 bug – which can be exploited by a malicious Flash file to run malware on a victim's system. Some …
Write a shim that goes between the browser and the Flash player, displaying appropriate things about the dangers associated with clicking the "view" button and the stupidity of the site that wants you to use Flash. Give it a password option so you can lock non-authorised users of the computer out of Flash.
Flashblock contains most of this functionality, apart from the insults (which might have to be lawyer-vetted).
.... and it might come to that, soon. A porn "actress" today is paid about 600 EUR for a shoot, the male performers about 200 EUR. Nobody on the consumer side pays for porn any more* so it is only a question of time before it has to be produced automatically in server farms to make a profit.
.... An extra "bennie" is that the high-end graphics cards of today at least can produce much more realistic looking people than the plastic surgeons can.
*) I suspect the money comes from ad-ware, spy-ware and whatever else they can shovel down the pipes on the porn sites; digital life is mimicking the biological: "You go and poke that ... aand you better see the doctor on Monday".
> and it might come to that, soon
But surely there's hundreds of times more porn out there than any person could watch in a lifetime? So start recycling it, like rubbish.
> about 600 EUR for a shoot
That's about sixty times the recently uprated minimum wage (1 hour shoot?), for which a tidal wave of illegal immigrants are trying to break into the UK. Methinks it's got a long way to fall yet.
Aren't there some strange folks who would pay the producers to be in a porn movie? Exhibitionists, I think they're called ....
I do enjoy Louis, and he did another episode on the US porn industry recently.
Hint: It takes quite a bit longer than 1 hour to produce a porn video and there are lots of production costs.
However, the porn surfers of the world are apparently satisfied with grainy 240p clips for free, free webcam girls and whatever else is shuffled down the pipe, rather than pay for quality productions. Porn as we knew it is in decline, though IMHO they largely have themselves to blame with their incessant emphasis on over-large plastic tits, pumped up pouts and poorly dubbed soundtracks.
It does appear that Steve Jobs was right on this point.
Yeah, I know it sucks to say this but if you can have all those i{devices} working without flash then why on earth do we still need this POS elsewhere?
Come on Web Developers, we know you can make those sites work without Flash so just make your sites work for everyone the same way.
Flash, be gone. Your time has passed.
At least MS seems to have thrown in the towel with Silverlight.
Whilst Flash is showing itself to be full of holes, we shouldn't overlook the real problem, namely it is only being used as a route to exploit vulnerabilities in Windows...
So when the next set of updates for Windows are released, can we expect the headline:
"Decision time: Uninstall Microsoft Windows or install yet another critical patch"
"we shouldn't overlook the real problem, namely it is only being used as a route to exploit vulnerabilities in Windows..."
You may want to address your attention span, clearly you have trouble getting more than a few lines in.
"Users of Flash Player for Windows, OS X, and Linux are all advised to update to the latest version of Flash, though the update is only considered a top priority for Windows and OS X users"
Re: You may want to address your attention span, clearly you have trouble getting more than a few lines in.
"Users of Flash Player for Windows, OS X, and Linux are all advised to update to the latest version of Flash, though the update is only considered a top priority for Windows and OS X users"
I was aware of the other versions, however, for the majority of Flash exploits, including this one, most of the security experts note that they tend to be very difficult to actually exploit on Linux. Also for many the payload is a Windows executable. Hence why I singled out Windows; but you are right the fact that all three OS's can be compromised does raise concerns.
My point was that the headline implied that Flash was especially bad code because it required the regular application of critical patches, yet the regular monthly rollout of critical patches for Windows doesn't receive a similar headline when reported in ElReg...
Interestingly, if you were already running Malwarebytes Anti-Exploit Premium or Free (Windows XP/7/8) you were protected from this exploit. Which would suggest that there are things that could be done by the 'OS' to protect from this style of attack.
Personally, MS should include and enable EMET as standard and so require all vendors who don't want to comply with its constraints to have to explicitly opt-out, with such exceptions being reported in the Windows Event Security Log. Yes some stuff will fail, but then it would be a relatively simple task to make the necessary changes, just as we had to do with firewall settings for HP All-in-one's before HP modified the installer.
> we shouldn't overlook the real problem, namely it is only being used as a route to exploit vulnerabilities in Windows...
It is so because 98% or so of the installed user base are running Windows. If you are in the business of desktop computer intrusion of course that's what you're going to target. Likewise, people trying to commandeer network servers go for Sendmail / Exim vulnerabilities instead, to put an example.
I don't know if you meant it this way, but your post sounds like one of those silly partisan rants about this or that product or operating system or whatever. Honestly dude, I haven't touched a Windows machine in years and I never owned one, but that's just what rocks my boat and I don't need to go preaching to other people about my this being better than your that. Do yourself a favour and get a life, will ya?
Speaking as someone using an iOS device (as I type) I think your definition of "working" would have to be a bit looser than mine. Safari over iOS is a distinctly less awesome experience than I was led to believe before I dipped my feet in the water. But then that has been my experience of just about every Apple device other than the original iPod Nano - people simply don't talk about the Apple horseshirt the way they do about the Windows version.
The app I had only one moan about, the music player, was just updated under me. It now has controls you'd have to have electron microscope eyeballs to find, let alone use and defaults to a splash screen trying to trick me into trying a "free" trial of their "radio" service instead of using an ounce of user-friendliness and taking me to the 80+ gigs of music I have in my library. Now, to play an album I have to wake up the app, fight my way free of the iTunes store and its free trial bullshirt, locate the album, then swipe upward to try and get the iPad control panel to appear - and sometimes the gesture doesn't work properly so several attempts must be made.
So thanks, Apple, for moving to the Microsoft model of unwanted and unhelpful software changes foisted on an unwilling audience, you almighty pricks.
> the music player, was just updated under me. It now has controls you'd have to have electron microscope eyeballs to find, let alone use and defaults to a splash screen trying to trick me into trying a "free" trial of their "radio" service instead of using an ounce of user-friendliness and taking me to the 80+ gigs of music I have in my library. Now, to play an album I have to wake up the app, fight my way free of the iTunes store and its free trial bullshirt, locate the album, then swipe upward to try and get the iPad control panel to appear - and sometimes the gesture doesn't work properly so several attempts must be made.
I've been hesitating to update iOS for a number of reasons and you've just given me another one.
Thanks for the heads up - the extant version of the music player is perhaps the least frustrating app I use regularly.
Jobs wanted rid of Flash for two reasons: better battery life and promoting his walled garden. Quicktime and Safari have both had more than their own fair share of bugs and Apple's speed at patching them is far from ideal.
Kudos to Adobe for getting these patches out so quickly. Flash remains far from ideal and we can thank Jobs for promoting the idea of avoiding Flash but we shouldn't be so foolish as to think the replacements are much better. If you want good performance on a device you normally want unhindered access to the hardware. This almost inevitably introduces security risks. As I'm sure we'll see as we move from Flash and Silverlight-based to HTML DRM extensions.
Adobe Flash... pretty sure it serves a useful purpose, somewhere, for someone. Come to think of it, for me it does serve a purpose. It spares me from seeing the most useless parts of the terwebz. I just see a "Flash is a small install from Adobe, please click 'yes' to install it in order to view this slideshow of domesticated felines" which is definitely an improvement over the intended content.
I do wget a few .flv clips that I play in mplayer, from time to time, though.
I'm starting to think that they are faulty by design?
Only starting to think so?
I've thought that since about a year after flash first arrived on the scene. Only thing I'm not sure, is whether the faulty design is by incompetence or by malice.
Windows is also faulty by design, ever since MS broke the NT 3.5 kernel's designed-in security on purpose. Again, incompetence or malice? You decide.
On this Ubuntu box I uninstalled Flash and installed youtube-dl and mpv. In BBC iPlayer I can right click and select "Play with MPV", it works fine. However it will not play the Flash videos that are on the BBC news site.
Someone please tell the BBC to stop using Flash! If I wanted to "steal" their content I could just record it from the TV or radio. Broadcasting, the clue is in the name.
Given the audience for this e-rag, do we really need the statement of the bleeding obvious re: not using Flash in every single article about another exploit being found? Can't we assume that if someone at the level of IT graspitude to be reading here is using Flash they have a good reason to be doing so?
As a general comment (i.e., not related to Flash in particular, and not considering its merits or lack thereof), frequent patches are not a sign of a bad product--on the contrary, it means there is someone out there who cares enough about the product to fix problems as they appear or as they are discovered.
Remember, especially those of you in the corporate scene: just because a product does not receive frequent patches it doesn't mean it's secure. It means that either its bugs have not been discovered yet, or they haven't been fixed.
I understand that Flash may be a product with a bit of "baggage", but let us not extrapolate from there.
Whilst many of your points are valid, what pisses me off is that there is what seems a reducing period between Flash updates. This means that almost as soon as you have applied one update, another is waiting for you.
If it wasn't so bug ridden this would not be needed.
This endless patching is a PITA.
Like IE6, Flash should be consigned to the scrapheap ASAP.
I disagree, they are a sign of both a bad product AND someone out there who cares enough about the product to fix problems as they appear.
Or more like, in the case of flash, if they didn't "care" enough to release patches in response to exploits the product would be immediately finished.
Just say 'No', Fool*.
Many, many, sites do not use Flash. Many more will work just fine without you having the plugin. Yes, news sites like the BBC are still stuck in Flash land, but only for some of their videos. Just like Java applets, once you get rid of them, you realize how the risks far outweigh the benefits.
* Sorry, didn't mean to be rude. I did have to channel Mr. T too, hence "Fool".
** google "Mrs. Reagan sitting on Mr. T's lap". disturbing.
Heh.
Nicely spotted. I should have formatted it 'p(r)ick'
- although what you find on the BBC news site to 'fondle yourself' over scares me...
(can't be George Osborne... - or at least I hope not, 2nd day in a row that smug get is 'covergirl')
...better stop now before my good-taste filter chip burns out...
'You may need to rest'...
Maybe Adobe realise that in this day and age, anybody installing flash is either...
an ignorant 'kid' who still needs naps in between tantrum inducing angry birds (or whatever) sessions.
or an 'ole fella' who still thinks flash is the 'must have' for internet (along with realplayer and quicktime + insert anything else from the 90's I may have forgotten in my dotage) and who insists the family all sit down to watch panorama because 'it's important to take an interest in current affairs' but will fall asleep almost as soon as the programme titles finish.
Joke alert - in case peeps don't realise... (some truth in jest though)