Kill Flash now. Or patch these 36 vulnerabilities. Your choice

Adobe has released an update for Flash that addresses three dozen CVE-listed vulnerabilities. The update includes a fix for the CVE-2016-4171 remote code execution vulnerability that is right now being exploited in the wild to install malware on victims' computers. Adobe is recommending that users running Flash for Windows, …

  1. edge_e
    Unhappy

    I'm starting to think the contents of ping pong balls are more interesting than hearing about flash exploits

    1. Michael Strorm

      A load of balls

      I'm starting to think that even these celluloid ping pong balls (#) are less of a safety risk than running Adobe Flash.

      (#) Offtopic, but since I mentioned it, if you *really* want to see how scarily flammable celluloid is, check out this video of some burning celluloid cinema film. The really interesting bit is at 4m37s, where the burning reel of film sounds like a jet engine taking off.

  2. Number6

    All the video stuff on the BBC website that I've tried insists on Flash being present. About time the Beeb updated its website to something more modern. I guess it'll happen sometime after they get IPv6 accessible.

    1. Anonymous Coward

      Absolutely correct -- and why one needs flash to access audio content on BBC is totally enraging.

      1. g00se
        Linux

        and why one needs flash to access audio content on BBC

        DRM?

    2. Zacherynuk

      Use Firefox / Waterfox or whatever. Install a user agent switcher (eg: "User Agent Switcher") - tell it to pretend to be IOS when browsing the BBC - et voila - video content is served in HTML5.

      Since this doesn't work for me... for some reason: http://www.bbc.co.uk/html5

      1. Anonymous Coward

        "User Agent Switcher" doesn't work here

        Tried on openSUSE and OS X. No joy.

        Die Flash, die!

      2. This post has been deleted by its author

    3. ScepticKev

      Beeb

      Unlikely the Beeb will give up flash as they have just moved to the platform, after the last disastrous tech flirtation with Real player turned out to be an unbelievably dud move.

      Moral -> Luvies don't do computers

  3. Mr Flibble

    Slash BBC Flash

    The BBC web site is the only good reason I have for keeping Flash around. They can't get rid of it too soon.

  4. Gray
    Facepalm

    Not just the BEEB

    Popular video streaming sites, such as Hulu, insist on Flash. Big headache. They also insist on flash plugin auxiliary stuff that isn't available for Linux ... so Windows is the only way to access my Hulu subscription. Big pain.

    WTF couldn't Adobe get it right? And HTF did Flash become so totally ubiquitous?

    1. Florida1920

      Re: Not just the BEEB

      Popular video streaming sites, such as Hulu, insist on Flash.

      Pandora, too. A real shame.

      1. Nolveys

        Re: Not just the BEEB

        Pandora, too. A real shame.

        Another big one is Happy Wheels.

    2. Crazy Operations Guy

      "HTF did Flash become so totally ubiquitous"

      Like every new technology on the internet: porn. It was the first platform on which video could be streamed piecemeal, and on a wide variety of platforms. It rose in popularity during the format wars of the 90's when watching a video online meant that you might need Real Player, Quicktime, or one of the dozens of other proprietary video codecs.

      1. earl grey
        Devil

        Re: "HTF did Flash become so totally ubiquitous"

        "Real Player, Quicktime...."

        Now go wash your mouth out. Ugh.

    3. a_yank_lurker Silver badge

      Re: Not just the BEEB

      Many news sites insist on using Flash which I have set to run on demand.

  5. asdf

    completely irrelevant but love that movie

    That's right, this sweet baby was made in Grand Rapids, Michigan. Retails for about a hundred and nine, ninety five. It's got a walnut stock, cobalt blue steel, and a hair trigger. That's right. Shop smart. Shop S-Mart. You got that?

    1. asdf

      Re: completely irrelevant but love that movie

      Yes I know bad timing what with all the gun violence controversy (when isn't there?) but goddamn it I still get to enjoy that movie.

      1. VinceH

        Re: completely irrelevant but love that movie

        Brilliant film. And a good few years since I last watched all three. I have since picked up a cheap copy of the undoubtedly crap remake of the first (or is it the second, which was as much a remake of the first as it was a sequel) - so watching all four might be on the cards soon.

        Or I might hold off until I have my hands on the series.

  6. raving angry loony

    Killed.

    Killed it months ago. Haven't any problems except on two sites. One of those is the BBC. Wankers.

    1. Anonymous Coward

      Re: Killed.

      Considering the very real possibility of Auntie charging to use iPlayer, either by subscription or tax, then surely they have some responsibility to make sure it's safe to do so!!

      Killing flash is the ONLY way. Doubt the beeb will be in any hurry to do so though.

      1. Don Dumb

        Re: Killed.

        "possibility of Auntie charging to use iPlayer...Doubt the beeb will be in any hurry to do so though."

        Sigh, again with this.

        iPlayer does have an HTML5 feed, you don't need flash for iPlayer. It's the BBC News videos that are unwatchable without Flash.

        That they don't extend HTML5 to news is utterly baffling, considering that they have actually done this for mobile apps.

        1. Rob D.

          Re: Killed.

          Allegedly it is because the change will "require a great deal of technical development work to our current systems and there are technical challenges around the ability to secure video streams in HTML 5".

          It would seem that these challenges have been around and acknowledged for a good five or six years though so perhaps the underlying problem is just a lack of sufficient focus on this area of BBC content delivery.

          See http://www.bbc.co.uk/news/help-36551036 and http://www.bbc.co.uk/blogs/bbcinternet/2010/08/html5_open_standards_and_the_b.html respectively.

        2. Anonymous Coward

          Re: Killed.

          iPlayer does have an HTML5 feed, you don't need flash for iPlayer.

          And, sigh, again, with this. Only for the usual half-handful of browsers.

      2. Anonymous Coward

        Re: Killed.

        Bear in mind that iPlayer must also support smart TVs, which almost all use embedded flash. As a result it would be difficult for the BBC to completely do away with flash support. However for the major browsers that support HTML 5, it does seem baffling that it defaults to flash when the alternative stream is available...

  7. Crazy Operations Guy

    "as well as Cold Fusion"

    Cold Fusion is still around?! What a blast from the past...

  8. Charles 9 Silver badge

    Still Gonna Be Rough

    For all those enterprises that have very expensive gear that REQUIRES Flash to control. If only there was a way to pressure those manufacturers to replace the interfaces on their dime...

    1. Anonymous Coward

      Re: Still Gonna Be Rough

      I've not come across any that use Flash...Java yes, but Flash?

      That said, nothing would surprise me.

  9. gobaskof Silver badge

    US Government also hooked on flash

    I am currently working across the pond at a US Federal government institute. On one hand they talk the talk about how all the computers must be super secure, on the other hand all of their IT security training (and all other online training) is only accessible with Flash.

    1. Anonymous Coward

      Re: US Government also hooked on flash

      Yup and all of Corporate's "training" videos are Flash-based.

  10. Wensleydale Cheese

    Adobe *still* can't get the name of Apple's OS right

    From the Adobe Security Advisory

    "A critical vulnerability (CVE-2016-4171) exists in Adobe Flash Player 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS."

    1. chivo243 Silver badge

      Re: Adobe *still* can't get the name of Apple's OS right

      Thank you +1 for you, the current os name would be OS X. Apple's next os will be macOS. And Safari 10 will not run any of the crud (java, flash, silverlight etc) unless explicitly enabled by the user.

      Right, there was a piece here on El Reg:

      http://www.theregister.co.uk/2016/06/15/safari_10_will_put_flash_java_silverlight_quicktime_in_the_bin/

    2. Rob D.

      Re: Adobe *still* can't get the name of Apple's OS right

      They could save themselves some effort with a little editing to cover all current and future situations.

      "A critical vulnerability exists: Adobe Flash Player for Windows, Macintosh, Linux, and Chrome OS."

      1. JLV

        Re: Adobe *still* can't get the name of Apple's OS right

        better:

        "A critical vulnerability exists: Adobe Flash Player for Windows, Macintosh, Linux, and Chrome OS."

  11. Anonymous Coward
    Facepalm

    ¡Ay, caramba!

    People are still installing Flash? In 2016?

    1. Charles 9 Silver badge

      Re: ¡Ay, caramba!

      Yes, and often not by choice. What do you do when the one and only way to control your expensive piece of kit REQUIRES Flash?

      1. raving angry loony

        Re: ¡Ay, caramba!

        If the one and only way to control your expensive piece of trash REQUIRES Flash...

        ... it's time to take that expensive piece of trash and wrap it around the head of the head of the company making it. And perhaps the person who approved its purchase. With mechanical assistance of a crowbar and fireaxe, if necessary. There's exactly no excuse of any kind for requiring the use of Flash to administer expensive kit.

        1. Charles 9 Silver badge

          Re: ¡Ay, caramba!

          There IS one excuse, a very CRITICAL one: amortization. The highly expensive piece of kit has already been bought. The costs are sunk and can never be retrieved. They're a big strain on the business, trying to obtain another so soon will literally kill it. So basically, you MUST live with it. And leaving the company may not be an option as (a) no one else is hiring or (b) they're in the same boat, saddled with expensive kit they MUST use.

          Put it this way. If you're out in the middle of the shark-filled ocean and the only possession to your name apart from your clothes is a leaky raft...well, all you can do is start bailing.

      2. JLV

        Re: ¡Ay, caramba!

        interestingly, I have a similar issue on my printer, a Brother with wifi capability. Configuring the wifi access password requires you to plug in a USB cable and then run their config utility which is ... Java based. Once the wifi login info is entered, you can delete the whole thing.

        I avoid Java whenever possible and Java on Mac does not uninstall at all. And it actually also chokes on just turning off the Java applet capability, insisting that you need to be an admin to do it on other users' accounts. Never mind that I am the admin, using sudo. Instead of installing Java, I was thinking of launching the java configuration from a Ubuntu vm but there is no Brother config app for Linux.

        However, I saw a Linux-oriented posting where someone saw that the printer actually runs an http server and you can just enter the wifi info using a browser (if you are connected by wired at the time), bypassing the need for their config app. It's complicated, but it works. Need to try it on my printer.

        Lesson learned? - sometimes what the config client talks to is still http/html-based, under the covers.

  12. Anonymous Coward

    i say we take off and nuke the site from orbit....

    It's the only way to be sure.

    1. Charles 9 Silver badge

      Re: i say we take off and nuke the site from orbit....

      Even then it's not guaranteed. Something may survive a nuke, you don't know...

      1. Jeffrey Nonken

        Re: i say we take off and nuke the site from orbit....

        "Something may survive a nuke, you don't know..."

        The cockroaches, no doubt.

    2. Anonymous Coward

      This morning's unprecedented solar eclipse is no cause for alarm

      Since we're playing movie quotes what about

      "Flash, Flash I love you, but w.... no, wait, I don't."

  13. Captain Queeg

    Why?

    Not being a coder, can I ask some wise heads here what I know is a naive question.

    "Just how is it that Flash is so relentlessly shit and never seems to improve any?"

    Logic suggests that as holes are plugged it should get better but it never seems to - why?

    1. Tom -1

      Re: Why?

      "Just how is it that Flash is so relentlessly shit and never seems to improve any?"

      Maybe Adobe is incompetent at producing any reasonably secure software? I've heard it said that over the years almost every alternative to Acrobat has been more secure than the Adobe product, and I decided years ago to avoid all use of Acrobat and stick to Foxit for viewing and printing PDF. If I could avoid all use of Flash I would.

      In fact I would like to be completely Adobe free.

  14. FlamingDeath Silver badge

    Flash - steady on

    Isn't the word flash a term used for exposing yourself in public?

    The irony

    1. Anonymous Coward

      Irony?

      You keepa using that word.. I do not think it means what you think it means.

  15. Ken Moorhouse Silver badge

    BT Wholesale's Broadband Speed Tester

    Another culprit

    You want to prove to your ISP how bad your broadband is and you have to download and install flash in order to do so. There's a hole in my bucket dear Liza.

  16. azaks

    >> giving the update the "Priority 1" ranking

    I gave avoiding Flash a priority 0 ranking a couple of years ago. Nothing to see here. moving on...

    1. Charles 9 Silver badge

      Re: >> giving the update the "Priority 1" ranking

      Trouble is, controlling critical enterprise equipment, the ONLY way possible is by Flash, tends to get a Priority -1, as in "Do This Or You'll Never Work in This Town Again."

      1. John Tserkezis

        Re: >> giving the update the "Priority 1" ranking

        by Flash, tends to get a Priority -1, as in "Do This Or You'll Never Work in This Town Again."

        I choose never to work in this town again. In other words, I don't know who is going to screw up, but it won't be me.

        1. Charles 9 Silver badge

          Re: >> giving the update the "Priority 1" ranking

          So how do you put food on the table then, especially when every other town is in the same boat AND they talk to each other?

  17. Steve 114

    Tedious

    So I decided to update. On their site I needed first to enable Flash, and Java. Then negotiate a download, then untick a preticked 'optional' random payload (just WHY?), then restart the browser. Not too hard, but I'll never get my many cousins each to do it to theirs without Teamviewer one by one. What a pain

  18. Maty

    Why is Flash so relentlessly crap ...?

    Every time you have to update the latest security failure in Flash you have to look around for, find and uncheck that optional extra program that Flash has bundled with the update.

    Assuming the makers of that extra program pay Flash for bundling the software along with the update, it would seem that for Flash producing software with security holes must be quite the money-spinner.

    If people don't need the patches, they don't download the extra software. Call me cynical, but if making a more secure product will cost the makers lots of money, expect an insecure future.

  19. Anonymous Coward

    Just Die you Security Hole-Ridden Flash. You've been around way too long!
