
Unfortunately
Or perhaps fortunately, Flash is disabled or removed from all my computers. It is interesting that a Chinese company now has a functioning security department, while a certain US one seems not to.
Adobe has issued new versions of Flash to patch a load of security flaws – one of which is being exploited in the wild. Curiously, that particular vulnerability (CVE-2015-8651) was reported to the Photoshop giant by Kai Wang and Hunter Gao of Huawei's IT security department. Could the Chinese tech goliath have caught …
@Rusty 1
Short story for ya...
A guy walks into the psychiatrist's office and says "you gotta help me doc, I'm really depressed." The doctor says, "You know I have the best solution for you, the circus is in town, go have a good time. See Grimaldi the clown, he'll lift your spirits!"
The guy says "But doc! I'm Grimaldi!"
The only metric you need to look at to see how terrible their code is is the number of use after free() issues. I'd suggest running Purify against their code, but if they did it would probably flag thousands of errors. They've probably decided they will only fix memory errors that result in known security exploits, so they will be forever chasing their tail.
If a list of fixes ever showed why no one should be using Flash, it is this one (maybe they all show many use after free() and I haven't noticed, but I did this time and it certainly caught my attention!)
I do like very much that Firefox is almost completely open source, and that ssllabs.com has a high opinion of it.
That being said, critical Firefox vulnerabilities are issued for my Linux distro at LEAST once a quarter, and more commonly once a month.
https://linux.oracle.com/pls/apex/f?p=105:21:0::NO:RP:P21_ADVISORY_TYPE,P21_RELEASE:SECURITY,7
If a piece of software has had 5+ critical vulnerabilities in a calendar year, then it's time to halt development for a security architecture review. There should be sound reasons why a user community should endure a stampede of exploitable flaws - reasons that pass the muster of an independent review.
(This does seem to include the Linux kernel itself.)
"If a piece of software has had 5+ critical vulnerabilities in a calendar year, then it's time to halt development for a security architecture review."
Perhaps I should direct your attention to some government departments? You know, get the important ones taken care of first, then worry about the rest...
...Perhaps I should direct your attention to some government departments? You know, get the important ones taken care of first, then worry about the rest...
When you have an efficient government, you have a dictatorship. -Harry S Truman (for a small subset of dictatorships).
>If a piece of software has had 5+ critical vulnerabilities in a calendar year, then it's time to halt development for a security architecture review.
Windows development would halt, then, in January of each year until June or July ...
For the Linux kernel it is different, because, well, the Linux kernel is 99% drivers, most of which are compiled into kernel modules in most distributions. When a flaw in Windows affects 100% of the Windows customer base, a flaw in a driver in Linux kernel might affect 0.0001%. I am pretty sure that security issues found in drivers in Windows are reported against the hardware manufacturer who wrote the driver, not Microsoft ...
And Linux supports all hardware supported by Windows 95+, a number of drivers from the Windows 3.x days have been deprecated in Linux. Windows 7 had deprecated drivers from Windows XP era ... my Chinese noname webcam no longer worked on Windows 7....
Oh, and Edge had its first critical flaw in September 2015, +/- a month after release. Note that Edge was written by the SAME NUMPTIES who designed/developed flash ... ;-)
"For the Linux kernel it is different, because, well, the Linux kernel is 99% drivers"
But the vast majority of Linux kernel vulnerabilities are not driver related, and the Linux kernel still manages to accumulate lots more documented holes than the Windows kernel.
"I am pretty sure that security issues found in drivers in Windows are reported against the hardware manufacturer who wrote the driver, not Microsoft ..."
No - even Flash vulnerabilities show as Microsoft when it's an included version of Flash...
"Note that Edge was written by the SAME NUMPTIES who designed/developed flash"
Utter rubbish.
Yes. The level of how much I detest BOTH Adobe and McAfee for this cannot be measured on any scale in the known universe. I recently was had when I was sure I had ALL the install boxes unchecked as well.
This is an absolutely CERTAIN way to wreck any computer which already has another brand of Anti Virus software on it. It's an incredible irresponsibility on the part of Adobe to include McAfee in the install at all.
Voice of experience speaking: "the browsers all suck"
I wouldn't touch SVG for games, when there's an immediate-mode equivalent: Canvas API. For a stupid web game that doesn't push the performance limits of a phone/tablet, it's fine. The bigger obstacle for most people coming to HTML5 from Flash is async resource loading. You can punt by embedding all your resources in one HTML file (audio+images in base64 data:// urls) but if that ends up being more than a few MBs in size, give up.