You have to wonder why Microsoft has built it into its desktop and server range... epic fail... or time for foil hat...
Nork hackers exploit Flash bug to pwn South Koreans. And Adobe will deal with it next week
Adobe will next week emit patches to squash a security bug in Flash that can be exploited by malicious webpages and documents, when opened, to hijack and spy on vulnerable computers. The flaw is being abused right now by North Korean hackers to infect victims' PCs. You should update your browser or Flash installation – if you' …
Thursday 1st February 2018 22:47 GMT Anonymous Coward
"You have to wonder why Microsoft has built it into its desktop and server range"
On Windows 10 Flash is only enabled by default on a list of trusted sites. And it doesn't run stand-alone, so this exploit will presumably only work via Excel on OSs that have the full Flash version from Adobe installed. On Windows Server 2016 Flash is not enabled at all by default.
Friday 2nd February 2018 06:25 GMT JLV
But it can't be uninstalled from Edge, so if you're security conscious and still on Windows, it's hardly reassuring to have to rely on MS not dropping the ball.
It's pointless and has little place anywhere in 2018, least of all in a built-in browser (or on the BBC).
>On Windows Server 2016 Flash is not enabled at all by default.
Really? The mind boggles at what Flash should be doing preinstalled on a server in the first place.
Friday 2nd February 2018 08:09 GMT TheVogon
Here's how to disable Flash in Microsoft Edge:
Click the menu button in Edge. It's the three dots in the upper right corner.
Select Settings from the menu.
Click the "View advanced settings" button. You'll have to scroll down a little bit to find it.
Toggle "Use Adobe Flash Player" to off.
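A scripted equivalent of the manual steps above, added here as an example and not part of the original post: it sets the machine-wide "Allow Adobe Flash" policy for the EdgeHTML-based Edge that shipped with Windows 10 in 2018, reads the setting back so the change can be audited, and reports the version of the Windows-bundled Flash OCX (the one Microsoft patches via Windows Update). The registry path and value name `FlashPlayerEnabled` are what that Group Policy writes, stated here from memory rather than from the page, so treat them as an assumption and check against the policy's own description before rolling it out.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumption: the "Allow Adobe Flash" Edge policy is backed by this key/value (DWORD, 0 = off).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons'
$valueName = 'FlashPlayerEnabled'

function Get-EdgeFlashPolicy {
    # Returns 'Disabled', 'Enabled', or 'NotConfigured' (no policy; the per-user UI toggle governs).
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$valueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-EdgeFlash {
    # Create the policy key if absent, then force the value to 0 (disabled) for all users.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-BundledFlashVersion {
    # Version of the Flash ActiveX control Microsoft ships in System32\Macromed\Flash
    # (the component Windows Update replaces when Adobe's patch lands). $null if not present.
    $ocx = Get-ChildItem -Path "$env:windir\System32\Macromed\Flash" -Filter 'Flash*.ocx' `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($null -eq $ocx) { return $null }
    return $ocx.VersionInfo.ProductVersion
}

Write-Host "Edge Flash policy before: $(Get-EdgeFlashPolicy)"
Disable-EdgeFlash
Write-Host "Edge Flash policy after:  $(Get-EdgeFlashPolicy)"
Write-Host "Bundled Flash OCX version: $(Get-BundledFlashVersion)"
```

The policy is machine-wide and greys out the per-user toggle in the Edge settings UI, so it is the form to use for fleets rather than clicking through each profile. Note that it governs Edge only; Office documents embedding Flash, as in the attack the article describes, go through the same bundled OCX, which is why the version check is included alongside the policy.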
Monday 5th February 2018 06:07 GMT bombastic bob
"The mind boggles what Flash should be doing preinstalled on a server in the first place."
This entire situation boggles the mind!
Keep in mind that in S. Korea, they used to require ActiveX to do ANY kind of online banking. This is partially the fault of the USA, since prior to the late 90's, encryption technology stronger than 60-bit DES couldn't be exported. In the meantime, S. Korea developed its OWN system for banking, USING! ActiveX!! Yes, it's way MORE insecure than Flash.
And so I have to wonder whether or not, in 2018, banking transactions are STILL using something *like* ActiveX, but via Flash instead... and is THAT the target of the Nork cracking activity??
I'm being lazy and not googling for all of this, so my apologies ahead of time if I got any of these details wrong. Old brain cells sometimes have parity errors.
Monday 5th February 2018 06:13 GMT bombastic bob
Re: Flash, begone in a flash
"I have been flash free for about a year now"
HTML5 has been around way longer, and I set "the default" in my browsers for it because I _had_ to. Flash plugins on FreeBSD have always been flaky and when some changes made GNASH stop working, and GNASH development was basically abandoned, I gave Flash the big middle finger and now disable it, everywhere. It's been several years, now... really since HTML5 was on Youtube.
[a 2015 article says that youtube "now streams HTML5 by default" and that youtube had support for HTML5 back in 2010 - that would be about right, yeah]
Friday 2nd February 2018 11:07 GMT Anonymous Coward
Re: Flash?
Challenge accepted.
(Seemingly there is no reason for these extraordinary intergalactical upsets)
(Ha Ha Ha Ha Ha Ha Ha)
(What's happening, Flash?) (note the extra comma)
(Only Doctor Hans Zarkhov, formerly at Adobe, has provided any explanation)
Flash a-ah
It's a miserable
(This morning's unprecedented adobe exploit is no cause for alarm)
Flash a-ah
Fix of the impossible
It's for every one of us
Crash for every one of us
He save with a mighty hand
Every man, every woman
Every child, with a crappy
(General Kala, Flash bug approaching.)
(What do you mean Flash Bug approaching? Open firewall! All weapons! Dispatch war rocket McAfee to bring back its body)
Flash a-ah
(Flash's alive!)
Flash a-ah
It'll malware every one of us
Just an app
With an app's exploits
You know he's
Nothing but an app
And it can always fail
No one but the pure at heart
May find the Golden Grail
(Flash, Flash, I hate you, but we only have fourteen hours to patch the Earth!)
Monday 5th February 2018 06:19 GMT bombastic bob
Re: Flash?
If I had the time to devote to it I'd start on the guitar part right away, and add the 5 or 6 Freddie-like vocal tracks [I think Freddie used to do all of the harmonies himself]. Interesting thing I've discovered: Freddie's overbite was a key factor in his vocal sound. I've actually tried using an ace bandage around my lower jaw, to temporarily re-create the overbite, so I can do a good Freddie impersonation. It sorta works... but is painful.
(no, seriously, I _DID_ try that, with only limited success, and I'll never try it again).
Friday 2nd February 2018 00:15 GMT Anonymous Coward
And the biggest offender Award goes to....
Govt agencies / private firms don't care, don't think about liability, don't have time / budget to go back and fix large programs of online courses and tests etc. It's a nightmare for me as it's the area where my SO works....
So I'm constantly fighting the decisions her organization takes. Flash is needed on every machine and often for new unexpected sites too. So white-listing isn't the savior you'd hope for. They even use Googhoul-docs for everything. Welcome to slurp-ville folks! How f'in lazy is that! It gets worse too.. They insist that students install Java as a prerequisite... But they haven't audited their courses in years to see which actually need it. 99% of courses don't. So WTF??? Wake up education tech support!
Education bodies are often government run / sponsored as well, so you can imagine, changing hearts and minds, or creating awareness, isn't something that comes easily. My workaround so far has been to dual-boot Mint, and seal off the Windows partition by hibernating it. This has drawbacks obviously; you can't share your old files etc.
Plus Mint's Adobe Flash downloader doesn't work and is seriously out of date anyway (had to stumble around looking for old Canonical links as Mint's Software Manager doesn't help here). I can nuke Mint occasionally if it catches something, that is unless it's rootkit-based, then I'm probably screwed!....
Friday 2nd February 2018 02:53 GMT veti
Re: And the biggest offender Award goes to....
Makes sense. It's a sector where people are most likely to be encouraged/forced to use shit that they personally had no hand in making, that's never been properly vetted or audited, and doesn't even have any proper trail of accountability showing who chose it in the first place.
As a result of which, if a teacher does have reservations about a particular course or resource, there are many lines of resistance to challenging it that kick in automatically, quite regardless of what it is:
1. That's mandated by (insert agency here). Or at least we think it is, frankly the guidance is so vague it's very hard to tell, but we know that if we get it wrong we'll be subject to months of inspections and possibly loss of funding, so how strongly do you feel about this exactly?
2. That was licensed back in 2013, we don't have the budget to review or replace it
3. That is approved by (insert agency here), it represents the latest and best thinking and it knows far better than you do (pleb)
4. All our other course materials are designed around that. Taking it out would leave a hole that would take months of work to plug, and nobody has time for that.
5. Yes, we hate that too, but Mr Awkward the deputy head likes it and if we try to scrap it, he'll retaliate by pulling our licenses for these other resources and demanding a full review
6. I've only been doing this job a couple of years, I don't know which of (1-5) applies in this case, but I'm pretty sure at least one of them does.
Friday 2nd February 2018 00:39 GMT thames
Does it even work on Linux?
El Reg said: "The Photoshop maker said that – so far – only Windows machines have been attacked, although Windows, Macintosh, Linux, and Chrome OS systems are potentially vulnerable."
I'm using Ubuntu 16.04. I just had a look in the user reviews in the Ubuntu Software Centre (software installation manager) and most of them are saying it doesn't work. I looked at quite a few reviews, but found only two who said it worked (the most recent from a year and a half ago), but they didn't have anything positive to say about it. I think the ones who did have it were using Ubuntu 14.04, so I have serious doubts that many Linux users these days have Flash installed.
I haven't had Flash installed in many years, and it is very rare that I see any web sites that make any use of it at all. For some years now the main laggards still using it tended to be ads, and quite frankly I didn't miss them at all.
If you've got it installed, you can almost certainly just delete it (if you can) without missing anything of value. For the very, very, few people who have a legitimate application for it, you're going to have to find another solution before too long anyway when Adobe finally pulls the plug on it and all the browser vendors blacklist it from being installed at all.
Friday 2nd February 2018 07:11 GMT Voland's right hand
Re: Does it even work on Linux?
I just had a look in the user reviews in the Ubuntu Software Centre (software installation manager) and most of them are saying it doesn't work.
Works here (100% Debian household). I have to keep it because of several education sites that still rely on it.
It will be gone the moment 3PLearning finally switches to HTML5.
Friday 2nd February 2018 02:30 GMT Michael Thibault
Unfortunately, the bullet intended for Flash...
is moving slowly; it will take 1000+ days for it to arrive.
If Adobe were a tad more responsible they'd make the imminent demise of Flash a visible, obvious part of the update process. And start stripping functionality from it with each iteration. And build into it a suicide gene that completely erases the f*in' thing after the last day of 2020. And let users know that that's the future.
Friday 2nd February 2018 08:29 GMT Anonymous Coward
Accumulated cost of Adobe vulns
Given the long and shameful history of code vulnerabilities in Flash and Acrobat, I idly wondered what the aggregate global costs were of Adobe's repeated failure to fix their shonky software. So that's the cost of clean-up efforts, IP losses, fraud enabled by Adobe,
I'm guessing of the order of high double digit billion dollars wasted, just because of one tosspot company. Maybe Adobe should register the slogan "Internet scumbags: Powered by Adobe".
Friday 2nd February 2018 09:20 GMT Anonymous Coward
devil's advocate
I am not particularly fond of Flash, but I can't understand this long-standing Flash-bashing. Have you actually suffered (or know of one who did) a loss due to a Flash vulnerability? Or is it just news stories of "North Korean hackers did it somewhere"?
Or how about the other "scare story du jour", Spectre and the rest of it; we have a whole industry in turmoil just because of a theoretic threat that will not touch 99% of people's computers.
Give bugbears a rest, Register et al!
Friday 2nd February 2018 09:53 GMT wolfetone
This line I found amusing:
"The flaw is being abused right now by North Korean hackers to infect victims' PCs."
When you consider one of the software titles released under the Vault 7 leaks allowed the NSA to "spoof" the location of attacks, it makes one wonder whether North Korea is doing these attacks at all and not someone else.