About to?
By the end of the year is a long moment.
Google's Chrome web browser could be disabling all Flash content by default before the year's out. El Reg has learned that developers with the Chromium Project are working on a new feature known as 'HTML5 by Default'. The move could help to keep users safe by locking off a favorite target for web-based malware exploits. As …
Till then, set Chrome to ask before running plugins, i.e. Flash.
This option is cunningly hidden under settings/advanced settings/Privacy/Content settings/Unsandboxed plug-in access.
After that you only run Flash when you really want to, by right-clicking the Flash object and selecting "run". Disabling the Flash plugin works too, but I found myself forgetting to disable it again after visiting one of the very few sites where I tolerate Flash.
So the Almighty Jobs killed Flash on mobile back in 2011, and Google is set to do the same on the desktop in 2016. All I can say is, it is about bloody time!
Flash has been a security joke forever. The numbers there amaze even me, 314 vulnerabilities in 2015? You're probably safer running a Windows 98 box than a modern Windows flavor with Flash installed.
That said, the Flash plague will probably haunt the Internet for at least another 5 years until Microsoft finally kills it in an undocumented "functional" update to Windows 10. This nonsense about exempting the top 10 Flash domains seems like it could extend the nightmare for a bit.
To be fair, its bug count or frequency isn't worse than any of the major browsers. They are all, universally, major security jokes, in case someone hasn't noticed. The advantage of Flash is that you can actually turn it off, unlike all the Web3.0 hipster crap in modern browsers.
And just to be picky - while for obvious reasons it is unlikely to get targeted by some Russian exploit pack nowadays, Windows 98 in its heyday happily downloaded and ran ActiveX controls automatically, at most displaying a message along the lines of "Are you sure you wanted to run this ActiveX control?"
And not sure whether Windows 98 is vulnerable to the MDAC bugs, but those (applies to NT/2K and XP up to some service pack) were actually a staple in above mentioned exploit packs for many years, and let attackers simply tell it to run any command.
Finally - 98 has no ASLR/DEP (not that it would save you from those), sandboxing, permissions/user control, or even real ring3/0 separation, so any bug - memory corruption or not - and you're hosed.
patrickstar spake:
To be fair, its bug count or frequency isn't worse than any of the major browsers.
No argument, but its line of code count should be less than a browser and its stated set of functions certainly is smaller. Just because someone else writes terrible code does not mean you are excused for doing the same.
Forgive me for using hyperbole to make my original point. I am not revising history to gloss over the atrocious lack of security controls in Windows 98, but given the choice between the two terrible alternatives I will take the obsolete and unlikely-to-be-targeted Windows 98 box over a modern Windows box running Flash. Adobe seems to keep including bugs in each Flash release that allow for sundry nastiness despite OS security enhancements.
I will take the obsolete and unlikely to be targeted Windows 98 box over a modern Windows box running Flash
Really? Win 98 is just DOS which has absolutely no protection against permission escalation because it doesn't have permissions: find any exploit and get pwned.
I think Flash suffered from feature creep. Remove the video stuff and you could probably tighten it up. In the meantime "press to play" and the improved plugin architecture do significantly reduce the attack area. Better still just deactivate it and hassle any websites that tell you Flash is required. Anything that depends on ads or subscription will switch pretty quickly.
It's less, yes, but there is a significant degree of overlap in the functionality exposed to hostile content.
Flash has something corresponding to all the basic components and APIs except the whole user interface thing.
Most importantly, it has all the parts that tend to be where exploitable browser bugs actually are.
To be fair, 1+1 = 2
i.e. if you have a browser with a vuln quotient of x and then you add the y from Flash, you have x+y exposure instead of plain x. Note that in this equation, Flash's y is neither 0 nor negative. I would argue it is pretty high for its functionality compared to the Swiss Army knife of a modern browser.
Additionally, you can run NoScript quite effectively to harden your browser to random JS. And it's not like white-listing automatically makes NoScript happy - it's often that it whines, justifiably or not, for a white-listed site's JS doing something it thinks fishy.
In fact, as someone else mentioned a few days back, I tend to run FF w NoScript and fall back to Chrome when I can't be arsed to figure out what is irking NoScript on a site that I actually use.
Flash content is opaque in that regard and I would rather concentrate on just dealing with JS vulns, thank you very much.
Thank you, Chrome, anything that gets laggards like the BBC and CBC off Flash is most welcome. I haven't used Flash for years and I mostly don't miss it anywhere except for the 2 above. And that certainly includes YouTube which works fine without it.
p.s. one exception - Joel Spolsky's otherwise excellent FogBugz service has an estimates-vs-actual time feature that I would love to use, but it is based on Flash for its reporting (hello, D3, please).
The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed, so the phuckers don't even let you remove it! Yet another reason to hate Windows 10, as though there aren't enough reasons already. Curiously it isn't even listed as a plugin on Firefox on Windows 10 so I don't know if Flash is active or not via that browser? She never uses Edge or IE.
"The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed, so the phuckers don't even let you remove it!"
See if you have Wild Tangent Games installed - I found Flash on my Win8 computer, and IIRC it was pre-installed with that.
Just checked and no "Wild Tangent Games" installed. Ideally I'd like to remove Flash from the PC, we haven't used Flash for years and hate the way Microsoft appear to have hidden it inside Windows 10. If I can't get rid of it I'd like to be sure that Firefox isn't using it; it isn't listed as a plugin so I don't know.
Odd. If you go into Firefox on the Add-ons manager page and look under Plugins, you should find something there (on my Linux installation it shows up as "Shockwave Flash", it also shows up that way on Windows 7). On Windows you will probably find it in Programs and Features - removing any instance from that point will also remove it from Firefox. Bear in mind though that there are different versions of Flash - the ActiveX version and the NPAPI version. If the latter is missing then Firefox isn't using it. Both versions will appear in Programs and Features if installed.
I'd suggest that if you think that you don't use Flash anymore, then uninstall it anyway and see what happens. Installing it again should you really need it isn't difficult but chances are that you won't.
Windows 8 and 10 included the Flash plugin and it's kept up-to-date with Windows Update.
To disable it in IE: disable ActiveX. The Edge browser has a simple on/off setting for it.
The built-in Flash plugin doesn't work with any other browsers, so her Firefox is safe in that regard.
yes, BUT what if websites NEED FLASH???? the BBC still needs it, but Apple must be paying them something so that it does not need Flash??? YES, I once 'spoofed' Firefox to look like an iPad, and HTML5 worked!!! :) but then they changed it, it does not work any more...
Edge does not support plugins, but has a heavily-sandboxed implementation of Flash built-in. That'll be what's updating.
The fact that it does update like that proves it's the internal MS version. Look on the bright side, if you were using the official Adobe version she'd have had Chrome and the Google toolbar installed on the qt as well.
"The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed"
M$ : This has nothing to do with you, it's our OS not yours. If you don't like it you know what to do.
Assume the position.
So the Almighty Jobs killed Flash on mobile back in 2011
Only because, by then, enough had been done that Apple could get people to move from the Adobe walled garden to their own. This was pretty much also the time when Apple stopped contributing significantly to WebKit. And, wasn't there a note recently about Apple not giving a shit about the holes in Quicktime?
If it was YouTube that helped Flash to dominance, it was Google that really pushed for HTML5 video being both free to use and free to create. Otherwise content providers would be paying both Adobe and MPEG licences to encode.
The important thing will be to fail on feature detection so that the <video> tag gets precedence and offer "press to play" functions where this isn't possible.
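One way to implement what this comment describes, as an added example that is not from the thread or from any project: probe the browser for native video support first, emit a plain `<video>` element when at least one offered source is playable, and otherwise render a press-to-play placeholder so that no plugin is loaded until the user asks for it. The file names, poster URL and the stand-in `document` objects are constructed for the demo; in a real page you would call `makeProbe(document)`.

```javascript
// Added example (not the thread's or any project's code): feature-detect native
// <video> support and fall back to a click-to-play placeholder, never to an
// auto-loaded plugin. File names and stub documents below are constructed.

const SOURCES = [
  { src: 'clip.webm', type: 'video/webm' },
  { src: 'clip.mp4', type: 'video/mp4' },
];

// Minimal HTML attribute escaping so an untrusted poster URL or file name
// cannot break out of the attribute we place it in.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// canPlayType lives on a <video> element and returns '', 'maybe' or 'probably'.
// A browser without the element (createElement returns an unknown element)
// gets a probe that always answers '', i.e. "not playable natively".
function makeProbe(doc) {
  const el = doc.createElement('video');
  return typeof el.canPlayType === 'function' ? el : { canPlayType: () => '' };
}

function supportedSources(probe, sources) {
  return sources.filter((s) => probe.canPlayType(s.type) !== '');
}

// Decision: 'html5' when at least one source is playable, else 'click-to-play'.
function choosePlayback(probe, sources) {
  const playable = supportedSources(probe, sources);
  return playable.length > 0
    ? { mode: 'html5', sources: playable }
    : { mode: 'click-to-play', sources: [] };
}

// Render markup for the decision. The click-to-play branch emits only a
// button with the poster image; plugin content is not referenced at all until
// the user presses it, which is what "press to play" is meant to guarantee.
function renderPlayer(decision, poster) {
  const p = escapeAttr(poster);
  if (decision.mode === 'html5') {
    const tags = decision.sources
      .map((s) => `<source src="${escapeAttr(s.src)}" type="${escapeAttr(s.type)}">`)
      .join('');
    return `<video controls preload="metadata" poster="${p}">${tags}</video>`;
  }
  return `<button class="play-placeholder" data-plugin-pending="true">` +
    `<img src="${p}" alt="Press to play"></button>`;
}

// Constructed stand-ins for a browser document: one reports WebM support,
// the other is an old browser that has no <video> element at all.
const modernDoc = {
  createElement: () => ({ canPlayType: (t) => (t === 'video/webm' ? 'probably' : '') }),
};
const legacyDoc = { createElement: () => ({}) };

console.log(renderPlayer(choosePlayback(makeProbe(modernDoc), SOURCES), 'poster.jpg'));
console.log(renderPlayer(choosePlayback(makeProbe(legacyDoc), SOURCES), 'poster.jpg'));
```

The order of checks matters: the native element is tried first, so a browser that can play any of the offered formats never sees plugin markup, and the placeholder is the only thing an older browser receives until the viewer presses it.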
Google could most usefully show leadership by making sure that all the videos on Youtube are available as HTML5, and should preferably remove the Flash version each time they convert a video to HTML5. A quick check of four or five old favourites showed that all of them are still Flash, so YouTube have got work to do.
On the web browser front, Firefox is in the lead: it canned Flash many releases ago, yet strangely El Reg didn't mention that.
Ironically Apple was still at the top of the list and ahead of Flash in 2015 CVEs even without Flash's help...
http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/
Imagine if they had Flash, they would be the unstoppable leader in vulnerable software by a large margin.
Ironically Apple was still at the top of the list and ahead of Flash in 2015 CVEs even without Flash's help...
Oh hello Microsoft Statistics guy, haven't heard from you for a while after I left your last attempt to be creative with statistics in a large smoking hole. I wonder how much are you paying Venturebeat to keep this (rather obvious) attempt at rigging statistics on their pages.
Let's just line up the shot to kick you back into that hole then, shall we?
From the page you supplied:
OSX vulnerabilities: 384
Windows vulnerabilities: (adding up ALL VERSIONS of Windows as you have to do to get the OSX numbers) 151 + 147 + 146 + 135 = 579, and that's leaving out the Server editions and RT.
But that's only one third of the story. After all, it was you who wanted to play with statistics. Let's look at the whole timespan.
OSX was introduced in 1999. That would bring the total of reported OSX CVEs to 1484, but guess what would happen to the Windows total? You'd have to include
Win 98SE : 61
Win 2000: 507
Win XP: 726
.. which brings our jolly total up to 1873 - and I still have left the server totals out of it (because Apple's isn't exactly in heavy use and I want to give the Microsofties at least the sporting chance they never give Apple). Still advantage Apple, and I'm not done yet.
There's more embarrassment waiting in the wings - onwards to the last part of the story.
The real fun starts when you go back to the beginnings and remember why the author made this "comparison": it was to observe security trends for making choices.
A CVE entry is a warning signal which may or may not result in exposure. You'll find that actual exposure data in the "vulnerability" column, which is the real thing you want to pay attention to if you're serious about risk management (you weren't, but I am and these BS stories do not help).
Here is the data as of today:
OSX CVE entries: 1484 Vulnerabilities: 73 Patches: 128
I am going to add up patches and vulnerabilities together because both indicate something grave enough to warrant effort, so for OSX it means that 14% of CVE entries were a risk grave enough to warrant corrective action by Apple.
Now let's go to Microsoft Windows.
Win 98SE 61;145;14
Win 2000 507;667;97
Win XP 726;968;192
Win Vista 670;538;123
Win 7 560;436;92
Win 8 254;182;0
Win 8.1 254;129;0
Adding that up demonstrates that over almost 3 times the number of vulnerabilities in the same time span (3032) there were actually more risks addressed than formally reported (118%). In other words, they quickly banged out fixes for things they didn't even tell you about and hoped you weren't watching the numbers properly. Yup, those are the people you should trust.
So:
1 - based on the bare numbers, OSX is SIGNIFICANTLY less risky than Windows
2 - Apple seems to address issues that have as yet not resulted in exposures in the wild
See you in a few months, I guess?
Most of the vulnerabilities are the same ones across Windows versions. One exploit does not become two simply because MS renamed the version of Windows that contains the vulnerability. You're essentially making up numbers here.
Most of the vulnerabilities are the same ones across Windows versions. One exploit does not become two simply because MS renamed the version of Windows that contains the vulnerability. You're essentially making up numbers here.
Well, it appears the same happens when you lump all versions into one "OSX" entry, so I guess that balances out.
"A CVE entry is a warning signal which may or may not result in exposure. "
Weird, as with all the Android scare stories, and nothing actually occurring here in the real world, that suggests warnings are as good as exploits when it comes to writing clickbait.
Typical upset Apple fanboy that has double standards ...
Hey - at least Microsoft gave the world a Flash replacement. It's called Silverlight. ;-)
Was. It's already gone...
Adobe can play that game too: it's called HTML5. To be fair, Microsoft accidentally started it with an undocumented feature called XMLRPC (AJAX), and the Canvas API came from Apple, but a huge chunk of Web 3.0 crap is basically a Javascript port of Flash. (No wonder it's crap)
You're probably safer running a Windows 98 box than a modern Windows flavor with Flash installed.
Oh come on, it is not that bad surely? Then again you are dealing with a monolithic corporation that is highly protective of its product, regularly threatens anyone finding bugs (and there are a LOT of bugs) with both civil and criminal action yet steadfastly refuses to fix any issues raised by the community as a whole. No, not Microsoft … Adobe.
... plan to exempt the top 10 domains that use Flash for one year in order to concentrate the focus of, and increase the effectiveness of, any new exploits.
Plain-Speaked That For You
Euthanise Flash Now! The pain has to end. Make it quick.
You are very wrong, Youtube has been working impeccably well WITHOUT flash for years.
I got rid of Flash 5 years ago on all my PCs (running Linux) and there is no problem whatsoever with YouTube. In fact there have been phases:
- many years ago it was "all flash"
- then they "experimented" with HTML5 playback (meaning Flash was always the default but you could opt in to HTML5)
- then they made HTML5 the default and flash only a fall-back for old browsers that still don't support HTML5 video (some IE6 out there!?)
And in fact, I wouldn't be surprised if YouTube ditched Flash completely, even as a fall-back.
@Anonymous Vulture: "All I can say is, it is about bloody time!"
Indeed!
On the one I use the most (S20-30 netbook), the html5 version keeps the CPU at a "happy" 40-50% load, compared to 15-20% for the flash version.
Sounds like Flash is able to use hardware acceleration and your browser isn't. Hardware acceleration is very dependent upon browser and OS.
And in fact, I wouldn't be surprised if YouTube ditched Flash completely, even as a fall-back.
With more recent versions of Firefox you will find that YouTube will force the browser to try to run with HTML5 first by default. It has been this way for a few months now though it will fall back to Flash if HTML5 isn't working or if you have an add-in that forces Flash to be used (yes, they exist).
Photoshop, if I've got my history on it right, is something that started in-house. Flash and ColdFusion, to give another example of historically vulnerable software, were created by Macromedia. (I used to beta Dreamweaver and its antecedents for them way back when.) Adobe bought them and, aside from Dreamweaver (I think), the rest of the products have been exercises in patch, patch, and patch again since. I'm maligning ColdFusion a bit, but it does demonstrate real doozies when they turn up.
Photoshop was actually developed externally and first? available as a BarneyScan XP, which came with the BarneyScan film scanner.
Adobe's problem is that their products reached maturity years ago, and they have been adding bloat in order to (try to) justify their upgrades.
ColdFusion to give another example of historically vulnerable software were created by Macromedia.
Nah, ColdFusion was developed by Allaire and subsequently bought by Macromedia. A lot of people were really sad that Adobe canned Freehand, which many thought was better than Illustrator.
With Flash I think it's worth remembering that it and Shockwave were originally developed as authoring tools for CD and DVDs. They were fine at this and adapting the runtimes to become browser plugins wasn't too hard. Of course, the internet has since become a much nastier place.
Photoshop, Premiere and After Effects are pretty much the original products and are still (Final Cut Pro notwithstanding) pretty much the market leaders. Illustrator used to be like wading through treacle compared to Freehand, until Adobe bought Macromedia Freehand and merged it into Illustrator. Pagemaker was ok with Aldus, but certainly not so afterwards; but then Indesign *sort* of made up for it. Dreamweaver was fantastic if only because it made Adobe trash the truly awful experience of GUI editors - GoLive.
The crock of Trump in all of this is Flash. Under Macromedia's umbrella Flash was actually pretty stable, regularly maintained and you didn't get the weekly 'Flash Installer needs your attention', which to me is the new MS Word paperclip. Since then, well ...
But thanks anyway Adobe: if it had not been for GoLive I might never have gone on to using BBEdit so quickly in the late 1990s.
Photoshop, Premiere and After Effects are pretty much the original products and are still (Final Cut Pro notwithstanding) pretty much the market leaders. Illustrator used to be like wading through treacle compared to Freehand, until Adobe bought Macromedia Freehand and merged it into Illustrator.
You may want to keep a beady eye on the guys from Serif who are developing the Affinity products. It's not exactly hard to detect that Affinity Designer and Affinity Photo are very accurately focused on the Illustrator/Photoshop audience that is planning to walk from Adobe because of their licensing change, and possibly those who currently use pirated versions because the Affinity software comes at a far more palatable price.
I already licensed both :).
I'm sure that if Photoshop automatically loaded media off web sites and was deployed on a large chunk of Internet connected PCs, we would be having this discussion about it instead...
Flash at its heyday was, and to some extent still is, a really good tool/environment from the content author/software developer viewpoint. Covers everything from simple interactive 2D vector stuff to high-performance bitmapped 2D graphics as well as 3D (with or without acceleration) and everything in between. Either as part of a web site interacting with the rest of it, loaded from a web site, or a standalone application. And works really well while doing so, provided that the developer actually knows what he/she is doing (admittedly, your average Flash developer should be dragged out and shot, but that applies even more so to web developers in general). With a nice API and a rich ecosystem including very good third-party toolchains and libraries. Etc.
Too much focus on making it nice, pretty and nifty and too little focus on security.
Almost sage-like..
"On April 29, 2010, Steve Jobs, the co-founder and chief executive officer of Apple Inc., published an open letter called "Thoughts on Flash" explaining why Apple would not allow Flash on the iPhone, iPod touch and iPad. He cited the rapid energy consumption, poor performance on mobile devices, abysmal security, lack of touch support."
>I wonder if anyone at Adobe is ever kept awake at night wondering how the hell they managed to inherit one of the Internet's most hated products.
It was cutting edge when they inherited it from Macromedia and for several years after - they failed to invest in and evolve it. Java has suffered exactly the same fate. HTML5 is fine for web games and wrapping video - but replacing Flash (& Java) with DHTML 4.0.2.0 is hardly a recipe for restful nights.
I guess the BBC better get off their lazy, incompetent technical heinies then and move away from Flash, because at the moment they're the only news organization that I read that uses that piece of crap.
@JLV: I don't think the CBC uses Flash, since I've managed to make their videos work once and I don't have Flash installed anywhere. What they are using is an in-house player that only works if you aren't blocking some of the most intrusive and harmful advertising servers in the business, into which they wrap YouTube and other videos that they've stolen and re-packaged so they could put their ads on them. I haven't been able to get their videos to work with even minimal blocking, and stopped trying years ago.
Depends on the browser. In the desktop version of Firefox I use "User-Agent Switcher" by Linder rather than editing the about:config settings. Whenever Auntie kicks off about media not playing, tell it you're using an iPad, refresh the page and carry on watching. It's pretty much the only website that I use regularly which needs this workaround.
The sad thing is if Adobe wasn't malicious or stupid -- likely both -- they could have avoided all this by eliminating some of the more ludicrous capabilities of flash, keeping it simple and small and relatively easy to verify and relatively hard to hack.
When their product manager said "sure, let's enable camera and microphone access by default for all apps", if there was a responsible executive anywhere in the company that never would have happened. Same for the notorious secret settings-web-page that for years they didn't even advertise as a way to control how flash apps behave for a given user.
These people are either criminals or cretins.
From a poster on our outhouse wall when I was a kid.
"If builders built buildings the way programmers write programs then the first woodpecker to come along would destroy civilization."
I think they foresaw flash with that one.
I sit here on a wineless Linux box, so the "click here to install our codecs.exe" pop-ups don't work even if I was stupid enough to try. (I've yet to see a "click here to sudo our .sh".) Without ever having installed a Flash plugin, and using Firefox with all the almost prerequisite blockers installed, I can browse the damned web without needing a re-install by the end of the week.
Beer, because it IS the end of the week.
One nice thing about having Flash content is that you can tell your browser not to run it. This avoids all those shouty, distracting things. Once in a while, when you actually do want to see something animated, you can click to run.
Is there a simple, practical way to turn off HTML5 animation or make it click to run the way you do with Flash?
"...NoScript. It'll turn off 80% of HTML5 and break 99% of websites, and it's not exactly easy to selectively unblock scripts. Yep, it's 1999 all over again."
If you have to unblock Javascript just to view the page content, then they're doing it wrong. The good thing about 1999-2009 was that a good website just needed HTML for markup and CSS for styling, everything worked in virtually all browsers and building sites that adapted to different displays was simple.
Then some hipster had the idea of using Javascript to turn websites into ~applications~ so you get served a blank page if you don't enable JS. The trouble with that is you go all-or-nothing and enabling it on example.com allows scripts loaded from example.com to pull in everything from spyware to malvertising.
I'm not convinced that Angular.JS is all that much different from Angler Exploit Kit, these days a modern website has all the hallmarks of a malware slinger with obfuscated JS included.
"If you have to unblock Javascript just to view the page content, then they're doing it wrong."
WELL SAID!
A couple of years ago, things worked fine if you used noscript and 'gnash' (it's a POSIX thing) rather than Adobe's plugin. Gnash being open source was LESS likely to do evil things, and it had the extra interesting capability of doing automatic stream captures to a directory of your choice. Unfortunately gnash is behind the latest moving target on FLASH specs, and didn't work last time I tried it.
So now I happily disable all flash plugins, on everything, period (even gnash). And I use 'noscript'. It's like "safe surfing". It's amazing how many viruses and hijacks will NOT happen if you block javascript and flash. [and I have others do the same, and it works, even on a Vista system]
And blocking HTML5 content by default, particularly ads - that is *EXACTLY* what *I* want to do! More people should do the same. If *EVERYBODY* does this, then it would force ad servers to use static content again. And, NO SCRIPTING.
/me pointing out that you can make a nice, readable web page by using '<table>' to size columns. I like making the content 85% of the screen width so it's easier on the eyes. no need for script. drop-down menus are overrated.
>turn off 80% of HTML5 and break 99% of websites
Your mileage. Not mine. If you don't want to use it, that is entirely your choice. But your claims are somewhat overblown.
Yes, it kills some sites, but not that many. Most sites work fine in degraded mode without their JS.
It's not that difficult to grant a temporary "all js for this page". And maintaining the whitelist is not that hard either. The only thing that's really hard is some/all of the advanced settings stuff. I usually don't bother by that point and just Chrome it. FB, which I rarely use, only works with Chrome at this point.
As a bonus, google analytics and its kin never quite made it onto my whitelist.
i.e. you don't like NoScript and I respect that. It's not for you. However, don't give everyone the idea that it won't work for them either. IMHO, it's a significant contributor to web-facing security for those who can be bothered to use it.
It's all very well to start blocking Flash because of its security risks - unfortunately a lot of business systems still rely on it (and Java).
At work, we use VMware - on newer versions some of the functionality has been shifted from the .net client into the web client, which is flash based. They started development of an html5 client, then stalled it - they announced in a blog post this week that a new html5 client is starting to roll out now, but with limited functionality. But not there yet.
Java is a similar thing - a lot of system admin tools are based on it, but the support levels are ridiculous, meaning we need to have several java versions installed, and remember which version is needed per application (or include specific wrappers round them).
>>Java is a similar thing - a lot of system admin tools
Yes what a pain. Tools for legacy applications based on java = a lot of hoop jumping on newer servers.
>> flash
Sometimes I look back fondly on the days before browsers when I was using Director and loving it.
I did try Flash off and on but never really warmed up to that. Just never seemed to reach a point where is was really practical. Now I avoid/block whenever possible and will be so glad when it has finally been eliminated completely.
Just for the sake of a little honesty, this is less about security and more about banning a platform that provides competition to apps and games. We saw this on iPhone and Android.
Now that there is the Chrome store, Flash is too much competition.
HTML5 on mobile does not function like a desktop browser. Performance is subpar. And they still banned Flash. The security argument is just the selling point.
Flash is still heavily used in educational sites. To the extent that Flash not working in Chrome would be the end of us supporting Chrome in school here.
Every online testing site we've ever used here uses Flash. BBC Bitesize uses Flash. Cool math 4 kids uses Flash. Gridclub etc... The list goes on.