Adobe...sigh...issues critical patch...sigh...for Flash Player zero day Adobe has pushed out a patch for 25 vulnerabilities in Flash Player, including one that is already being targeted in the wild. The latest fix for the internet's screen door includes a remedy for CVE-2016-4117, the remote code execution flaw that is already being exploited by criminals serving up malware-laden advertisements. …
This post has been deleted by its author
It's getting (or probably already has gotten) to the point that if you eliminate all the faulty code in Flash, nothing would be left (but hey, it would be clean code, eh?).
Might not be a bad thing after all.
Then again, same thing for windoze 1 0 and patch Tuesdays.
Yep, Paris. Here's her twin...
@John Riddoch
Go to http://www.bbc.co.uk/html5 and switch to the HTML5 BBC player. Ther's also an Android HTML5 player avaliable.
They have been in beta since September last year, but still have not been pushed out as default. The new HTML5 player also uses MPEG-DASH and the avc3 codec, which is pretty cool.
BBC Research & Development have a load of really interesting blog posts on the work they have been putting into it.
@Ken Hagan
BBC R&D published a blog post explaining the technologies the player uses and why they can't support some environments. It's linked from the main HTML5 page.
In summary:
- Safari on Mac OS X doesn’t support AVC3 via its Media Source Extensions implementation. The HLS implementation is also incomplete.
- In Firefox, the H.264 and AAC decoders are provided by the operating system. Currently, Firefox will only use decoders from Windows and OS X by default. On POSIX, you have to manually plug your own in.
- Old browser versions do not have support for HTML5 or MPEG-DASH (the MPEG-DASH standard was only published in 2012).
If you have any suggestions or other problems, drop the team an email at mediaplayer@bbc.co.uk.
I was looking for information about Aerocool computer fans the other day, and their site's main menu didn't appear without Flash. I even tried changing my user-agent to that of an iPad to see if it would serve me a Flash-free version, but it was the same as before.
It doesn't meet the definition of a site I can't do without, of course... just an illustration that some idiot web designers out there still insist on Flash. Thankfully, that security nightmare known as Java has just about faded to total oblivion, and now it's time for Flash to follow.
Never had a problem with crashing video drivers. Must be your video card.
Flash worked absolutely fine and there were some truly incredible websites built with Flash. There were also loads of sites that were awful and ads that behaved ridiculously. I'm guessing the wide ranging functionality of it led to it being more open to exploits than other software that didn't try to do so many things.
You give people technology and a few use it to create great things, and unfortunately many use it to create awful things. That is not the fault of the tech itself.
There is nothing out there that is even close to providing what it can do. It's a shame that a technology is aggressively retired when there is no viable alternative. Also it's obvious that a lot of you don't play browser based games as HTML5 is not even close to offering the same level of UI & UX.
There is nothing out there that is even close to providing what it can do. It's a shame that a technology is aggressively retired when there is no viable alternative.
I'm no so sure about that any more. It was maybe the case a few years ago but the modern browser runtimes no leave very little to be desired. What maybe missing are the relevant authoring tools.
Flash should be recognised for two things: a cross-platform graphical runtime for browsers when the only other alternative were Java applets; and ending the video player wars (remember RealPlayer vs. Quicktime vs. Windows Media Player?) Unfortunately, as the internet grew in importance, the problems inherent in the platform became more obvious.
Flash is now only kept around for sites wanting to use it for DRM which is why it's down to around 14 % of sites. More and more browsers, including all the mobile ones, don't have Flash so now only around 50 % of any sites visitors can actually see the Flash content. Most media sites are already piloting HTML5 video. I expect by the end of the year less than 10 % of sites will be using Flash and a majority of users won't have it installed.
Some examples:
1. Can't play sounds simultaneously in some browsers with HTML5. For games and interactive stuff this is a complete non-starter.
2. Video masking in HTML5 just isn't anywhere near what you can do.
3. Recently I was asked to animate a very simple intro logo for a website. I'll be the first to admit that I have no idea how to do this outside of Flash so I used it and exported to HTML5. The swf is just 15kb, but the export to js is 250kb. The technology/ or exporter is primative. It has a long way to go.
4. Syncing content - like sounds at particular points - this needs to be set on an event rather than a timer. I've had to use a timer on a recent project that doesn't always go at the right time. There may be a way to do this in jQuery - so forgive me if I just don't have the required knowledge on this one.
5. Just the overall compression Flash provided. On one particular forum I visit regularly, a lot of people have gif signatures and on some pages the browser will just freeze constantly. With flash you can have so much mixed-media content yet it's compressed and handled well by the browser. In HTML5 it really struggles at times. You shouldn't require your users to have 16GB, 16 core machines.
That said... Flash is on it's way out and I've known that for years. The smartphone basically killed it. Thanks Steve...
> There is nothing out there that is even close to providing what it can do. It's a shame that a technology is aggressively retired when there is no viable alternative.
Well, IBM had a Flash-like technology called HotMedia back in the late '90's, which ran under Java. If IBM management hadn't had it-'s head up it's arse we all could have been using HM instead of Flash. That way instead of playing whack-a-mole with *TWO* bug-and-vulnerability-laden technologies (Flash and Java), we'd only have to be fighting with one. And for that matter, security *was* being thought of in HM even then.
But, as we all know, IBM suffers cranial-rectal insertion, so we know the outcome.
One of the chief IT officers of my company (large American industrial company) is due to give an online talk on the cyber security challenge. The site used to host this talk requires the use of Flash Player. We'll have to bypass our browser's security settings to attend this talk. *sigh*.
Anything Oracle or Adobe related isn't worth using.
Thank goodness my company has figured this out, and stopped purchasing and using it. No more Oracle DBs or apps.. no more Adobe reader etc.
At first people were worried that customers and vendors would have a fit if we rejected all PDFs, but it's amazing how smoothly it's gone. Not to mention the relief for patch testing and worried application owners.
It's amazing how secure an environment gets when you stop using Oracle (anything) on the network, and stop using Apache for public facing web sites. For two years now, a contracted penetration testing/red team hasn't been able to breach our network; this includes phishing attacks.
Thank goodness my company has figured this out, and stopped purchasing and using it. No more Oracle DBs or apps.. no more Adobe reader etc.
I was just revisiting Linux databases, and came across MariaDB (yes, I know I'm late in this, I've been busy) - the main driver appears to have been Oracle's direction. I installed it and so far so good, no MySQL using applications have noticed anything amiss :).
For two years now, a contracted penetration testing/red team hasn't been able to breach our network; this includes phishing attacks.
Still, these sort of remarks are bad practice. It's the sysadmin equivalent of sticking a big "please kick me, hard" on your back. Besides, pen tests are a function of the capabilities of the red team and their tools at one point in time - it's not a guarantee that some girl in Russia is not capable of walking past your defences with a APT sequence as if they don't exist. Do those attempts at least trigger your network intrusion detection? Do you spot these people in your log file reviews?
Never go smug - the Net has a habit of adjusting that sort of attitude, harshly.
Here's a challenge for an El Reg writer...I'd love to know just how this complete clusterfuck of a piece of software happened...what was the original design, what language was it written in, how did something get released on to the world that has proved so impossible to clean up ? Was it just a bizarre twist of fate that meant that a piece of software that should have been retired after two years happened to survive for 20 as an undead bearer of bugs ? Can you find the some of the original devs/management ? What do they say ?
Because it's staggering just how long this has been going on for.
Wikipedia has some historical remarks. It does appear that the product went through several names and companies as its owners decided what they wanted it to be for. Since its origins are around 1990, I imagine the implementation language was originally C, but back then it was easy (almost too easy) to flick a switch and start compiling your code as C++ in order to use lots of shiny language extensions, so I would also imagine it has been C++ for most of its life. ActionScript was apparently bolted on the side about 10 years after the original design.
In competent hands, this would mean that the product has been polished and refined over a quarter of a century and is now an absolutely fucking awesome model of how software should be constructed. (It is a pity that the product has to remain closed-source for commercial reasons, because it would be sooo cool to publish it.) Ports to other architectures have been reduced to switch-flicking. Any architectural flaws in the original design have been swept away and the development team probably still contains one or two of the original developers because why would you walk away from an easy job curating your very own cash cow?
The evidence suggests that it is more like the unwanted runt of the litter that was abused by various different groups, none of whom ever bothered to learn what they actually had before attempting major modifications. It's probably still written in 1990-style C and contains the left-overs of attempts to port to several new architectures that didn't quite work out. The current maintainers weren't even born when it was created and aren't really familiar with C programming, but fortunately it's a bit like Java so they are managing to get along.
It happened because web developers were generally lazy and unskilled and wanted their cake and to eat it too. Don't get me wrong, there were and are some really good web developers out there but the trend was always for them to be people who were "a bit creative" and "a bit computery" and wanted to make a lot of money so they used Flash as an easy way to make impressive sites for customers who didn't know any better.
A similar thing happened with online games -- rather than writing games in real programming languages people made them in Flash because it was easier to be cross-platform and took less time to develop.
Flash has always been dodgy cludge of a toy for playing with and doing fun and cool things with but, sadly, people who didn't know better or didn't care used it for things they shouldn't and became dependent upon it.
Then there are the "But... But... But... We wouldn't be able to do X without Flash." crowd who don't understand that this means "We can't do X.". You know, the kind of people who demand that the laws of physics don't apply to them.
In short, Flash is still here because some people are too stupid to be let loose on computers.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
