The best bit is....
the BBC are reporting it...
The BBC, you know, one of the worst offenders out there!
Oh the hypocrisy.
Mozilla has temporarily blocked Flash in Firefox while waiting for Adobe to release patches to fix yet more serious security holes in the Swiss-cheese-like plugin. These holes can be exploited by criminals to hijack PCs and infect them with malware; details of the bugs emerged from leaked Hacking Team files. Firefox began …
"Next you'll be saying they have insecure sign in pages, 3rd party tracking cookies, missing Alt tags from images, not using https to protect privacy......"
Using Flash on a website does not make that website insecure.
Flash insecurity goes from nasty guys using nasty flash on their nasty websites to you and your browser. Flash insecurity does not go up from those nasty guys to regular otherwise properly secured websites that happen to be using flash. If you're not surfing random porn or torrent tracker or conspiracy sites built by who knows who then you are 99% OK. Besides bad actors on advertising networks you are completely fine with Flash enabled on BBC or CBC or government websites or our very own El Reg. Flash can be a tool for hijacking browsers, not for compromising web servers.
That said Flash is stupid and should die a slow painful death like it is doing, but keep it in perspective people.
Using https on a public website of static pages does not make that website private, nor does it help in any way whatsoever to hide the fact if you visit that website.
Insecure login pages are a major problem for banking websites, but who the fuck cares for a simple discussion forum? 8+ characters including upper and lower case and a number and a special character and no dictionary words is simply infuriating.
3rd party tracking cookies are pure evil. Easily blocked, tell all your friends.
Missing image alt tags are quite annoying to the sight impaired, but I can see fine so I only notice them at all on xkcd.
That is all.
Yes it does. Infected ad networks are, in fact, a thing.
Indeed.
As are MiTM injection attacks. They're very much a thing too.
I wonder why the downvotes. One category of websites which refuses to get on the html5 video bandwagon is news sites. BBC and CBC foremost. These are well-funded operations and surely they have the technology in 2015 to use something else than Flash, yet they persist in using it. Crib from YouTube if you need to.
I bet news sites are also one of the biggest reasons why Jane Average user, if she is aware of Flash's putrid security model, decides to stick with Flash after all. As soon as she turns Flash off she'll get all sorts of "not working" crud from news sites that she trusts. So presumably she needs it after all.
Sure, there are tons of other sites using Flash for various reasons. But not many have the level of average user visibility along with trust factor of news sites.
Really, large non-profits and government-backed public sites should be more responsible in phasing Flash out.
I will also nominate Google Finance to this hall of shame - "For the ubercool interactive charts, you need to install the Adobe Flash Player". d3.js, anyone?
p.s. El Reg doesn't really impress here either, true, but not many users will re-activate a plugin to avoid missing ads. More like an unexpected benefit.
@ Trevor_Pott - Isn't that putting the cart before the horse? The advertisement houses want to buy the ad space. If a major news site stopped supporting flash, the ad houses would fall into line.
Also, I don't think the BBC are using flash because they want the ad revenue.
>would you prefer a news service that hushed up stories?
No, I had not thought of that angle at all and I don't suppose the OP did either. I do understand support for the reporter however.
I don't mind the BBC's reporting in the matter. It's ballsy, if anything, not to sweep this under the rug. Kudos to the reporter and editors.
I do, very much, mind the fact that the BBC's IT department is clueless enough to still use a video technology that puts their users at risk and has been known to do so for, oh, at least 5 or 6 years.
DRM, as suggested? It's a news site, not Netflix. They produce and own the content. Besides, even if DRM is a driving factor, take inspiration of big html 5 video sites for content protection (and ad-serving). Or, start using the DRM support in the browsers, if you really, really feel like you need to (that is not me voicing support for DRM, especially not in the context of a news site).
But don't serve videos with Flash. End of story. The BBC, and CBC, are funded, at great expense, by the taxpayers of their respective countries. They have no business putting those same taxpayers at risk needlessly by following fundamentally insecure web practices.
I am sure the techies at BBC know how to ditch Flash (the CBC I am somewhat less confident about). So one can only suppose it comes from clueless top management and perhaps the legal dept not wanting to lose whatever control they think they get from Flash.
And, Flash ads? By all means, keep them if you wanna. That doesn't interfere with serving contents without Flash. Again though, it is 2015, and advertisers must know that audiences are gradually tuning outta Flash.
This is a dumb question I suspect. How does Firefox know that, as of today (or yesterday, or whenever it was) it should block flash? There hasn't been a new version in the last couple of days, so the only way I can see that it's doing this is by, reasonably frequently, asking Mozilla. While I don't mind that (I have it check for updates and send health reports anyway), I bet there are people who do: even if it isn't sending any real information (which it doesn't need to) it is pretty much inherently sending stuff like IP address information and so on. There doesn't seem to be any really obvious way of preventing it doing this.
Firefox periodically phones home to check for updates. It's simple enough to imagine that, besides version update notices, it can receive blacklist notifications for plugins and certificates.
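The mechanism described above (a periodically fetched block list that names plugin versions by range, so that 18.0.0.203 is flagged while the patched 18.0.0.209 is not) can be illustrated with a small checker. This is an added example, not Mozilla's code: the XML fragment is constructed for the illustration and only loosely modelled on the plugin block-list format, and the blockID, filename pattern and version range are assumptions.

```python
"""Plugin block-list check, loosely modelled on a browser plugin blocklist.

Constructed example: the XML layout, blockID, filename pattern and the
version range below are made up for this illustration and are not taken
from any real block-list file.
"""
import re
import xml.etree.ElementTree as ET

# Constructed block-list fragment (hypothetical data).
BLOCKLIST_XML = """<blocklist>
  <pluginItem blockID="example-flash-block">
    <match name="filename" exp="NPSWF32.*\\.dll|libflashplayer\\.so"/>
    <versionRange minVersion="0" maxVersion="18.0.0.203"/>
  </pluginItem>
</blocklist>"""

VERSION_PARTS = 4  # pad every version to this many components before comparing


def parse_version(version):
    """'18.0.0.203' -> (18, 0, 0, 203). Non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    parts += [0] * (VERSION_PARTS - len(parts))
    return tuple(parts[:VERSION_PARTS])


def version_in_range(version, min_version, max_version):
    """True when min_version <= version <= max_version (inclusive).
    A missing max_version means the range is open-ended upwards."""
    v = parse_version(version)
    if v < parse_version(min_version):
        return False
    if max_version is None:
        return True
    return v <= parse_version(max_version)


def parse_blocklist(xml_text):
    """Turn the block-list XML into a list of entries with compiled regexes."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("pluginItem"):
        match = item.find("match")
        rng = item.find("versionRange")
        entries.append({
            "block_id": item.get("blockID"),
            "filename_re": re.compile(match.get("exp")),
            "min": rng.get("minVersion", "0"),
            "max": rng.get("maxVersion"),  # None -> open-ended
        })
    return entries


def is_blocked(entries, filename, version):
    """Return the blockID of the first matching entry, or None if allowed."""
    for entry in entries:
        if entry["filename_re"].fullmatch(filename) and \
                version_in_range(version, entry["min"], entry["max"]):
            return entry["block_id"]
    return None


ENTRIES = parse_blocklist(BLOCKLIST_XML)

if __name__ == "__main__":
    for name, ver in [("NPSWF32_18_0_0_203.dll", "18.0.0.203"),
                      ("NPSWF32_18_0_0_209.dll", "18.0.0.209"),
                      ("libflashplayer.so", "11.2.202.481"),
                      ("npjava.dll", "1.0")]:
        print(name, ver, "->", is_blocked(ENTRIES, name, ver) or "allowed")
```

The client side of the scheme is then just: fetch the list on a schedule, re-run `is_blocked` over the installed plugins, and refuse to load any plugin that returns a blockID. Because the decision is a version comparison, a fresh build of the plugin is enough to clear it, which matches the behaviour of the patched 18.0.0.209 loading normally.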
And it checks for updates even if you have "check for updates" disabled.
I have an older version of FF and I'm very happy with it. It's stable and I have my browser set up exactly as I want it. Regardless, Firefox feels it knows what's best for me and constantly nags me to upgrade with two types of popup screens. And now it checks to protect me from myself on Flash.
Firefox is the "nanny browser".
Which older version of FF are you running?
I'm running v28. The security issues for this version are totally inconsequential, especially when compared to more recently releases. I've got the full menu and status bars and the plugins I need.
I no longer have the time to tweak Firefox with each new update. I've also lost patience with how Firefox changes the UI and is no longer compatible with certain plugins.
To me the browser is a means to an end. It should not be my hobby to constantly tweak it because Mozilla thinks it knows better than me what I want.
You do know that there's a fair chance any new bugs are also in older versions. That's one reason it keeps checking, in case the version is flagged as insecure. Software of any walk is likely to be insecure unless you institute draconian restrictions that may not be practical (seL4 is claimed to be formally-proved, but only on the condition that it's the only kernel-level process running. That means no DMA, so performance is an issue). So you takes your chances. Stick behind and risk getting pwned by unpatched vulnerabilities, upgrade and lose desired features, or roll the dice and try an alternative browser with its own quirks.
> I'm running v28. The security issues for this version are totally inconsequential, especially when compared to more recently releases. I've got the full menu and status bars and the plugins I need.
You're aware that a lot of the bugs affecting versions 29 to 39 probably also affect version 28, right?
> You're aware that a lot of the bugs affecting versions 29 to 39 probably also affect version 28, right?
No. Not at all. You are speculating without facts, right?
In any case, FF is constantly adding new bugs with every release. It's like Mozilla is playing whack-a-mole, trying to squash their bugs as soon as they release them. Why do you think they are constantly updating the browser?
Security by obscurity is a much better system. Thieves go after the most popular browsers, ignoring older browsers because they are so rare.
Until I moved to another house two years ago I used to have some older laptops with 2GHz single-cores & Outpost Firewall that I used as file servers for music, videos, etc. These slow laptops ran a very old Firefox 3.0.28. I once got into a debate on a forum with people flaming that I'm "sabotaging" these laptops, lousy security, etc. So to counter the insults I offered an escrow bet, $500 or so (I can't remember the exact amount) to anyone who could craft a webpage that would infect the laptop through the browser, and $100 to me if they failed. After two weeks I had no takers.
> I'm running v28. The security issues for this version are totally inconsequential
SPLUTTER
I do hope you are running in a VM, dude.
Or are you really sure that all of these in no way affect the codebase of 28?
Protip: The fact that no-one in a shitty forum takes you up on your offer to hack an exploit for your venerable codebase browser means nothing.
> Security by obscurity is a much better system.
Is this like whitey playing it cool in the ghetto?
> SPLUTTER
> Is this like whitey playing it cool in the ghetto?
Your ugly racial comment notwithstanding, you haven't written anything of any technical consequence, including your linking to a Firefox general bug list that I'm pretty sure you don't understand. But I think your last sentence says it all for you.
One wonders just what else Mozilla are switching on and off behind the user's back. At the very least there should have been an explanation for the reason behind this block in the UI. Instead you were just given the generic "plugin out of date, go update it" warning, which at the time was invalid since the patched version of Flash was not yet available. I thought something had gone awry with my installation.
Just update to 18.0.0.209 and it runs fine again, the previous version 18.0.0.203 brings up the security warning. I have removed Flash from my laptop at home though, I just miss "Comedians in cars getting coffee" but nothing else really.
Is HTML5 more hardware intensive? The fan on my very old laptop does pick up when I go to YouTube now.
It's Firefox on my laptop. I think I actually switched to Youtube.com/HTML5 before I removed Flash a couple of weeks ago. More than likely though, it's just the age of my laptop, Core 2 Duo; I keep trying to watch stuff in HD and it fails miserably most of the time and the fan speed increases.
Probably time to upgrade, roll on Black Friday or maybe even Amazon Prime day!
"Amazon Prime day"
Yeah, Amazon are really trying to shove that down our throats and in every other orifice as well, aren't they?
"More deals than Black Friday"? More obnoxious, cram-it-in-your-face hype than Black Friday as well.
Looks like it's working though.
Anyway, can't stand here all day, I have to rush off and sign up with Amazon Prime in case I miss out on a big deal on some 4K camera. They won't tell me what it is, but it must be big because it's bigger than Black Friday and if I don't rush and sign up I'll miss out.
Did I mention Amazon Prime? >:-(
"Thank you"
"You're welcome"
"Wow, your coffee robot is really cool and polite to boot" slurp, slurp. "and really good coffee"
"Yeah, I got it last week and I've never looked back"
"Err, where's it going?"
"Oh it's off to clean the toilet"
"The toilet, but why?"
"Well the makers realised that coffee drinkers tend to have more bowel movements than most and saw fit to make the coffee robot provide a fully comprehensive service"
Splutter, "Please tell me it disinfects its stirring probe after cleaning around the rim?"
"You know, I can't say I've ever noticed"
Mozilla should sort their heads out and quit pissing up everyone's browser; the internet is crap without Flash and goes back to the 1990s.
There aren't even any proper hackers in the world; they are script kiddies that take 2 years to make a botnet with a load of help on forums.
Buy a proper firewall like ZoneAlarm that asks you for every connection.
Avira Free monitors the registry and boot sectors.
Meh, if Mozilla aren't complaining about Flash and blocking it, then it's Java, every 2 months.
Besides a few news sites, the whole of the internet wouldn't work, and all the middle class who can't live without it will have to live without it, and all their kids will have to play the same rubbish Nintendo game day in day out.
Bots are more coherent; they have to sit in hacker channels for 15 years for them to make a trojan like SubSeven.
If Mozilla cares that much, Firefox would make a ramdisk for its browser cache and run it as a sandbox by default.
They should pay more attention to it; 5 years ago: https://wiki.mozilla.org/Security/Sandbox
Isn't Java supposed to run in a sandbox... and wasn't Java one of the first sandboxed environments to be on the receiving end of a sandbox bypass exploit? IOW, sandboxing isn't all it's cracked up to be for the effort required?
Put it this way. If you want a practical, real-world bug-free application, you'll have better luck chasing down a unicorn without help from a virgin.
Not really about bugs, it's about exploits and installing malware. Mozilla complains every 2 months; they dropped making Firefox run in a sandbox 5 or so years ago, and now it's back.
In all that time, there have been no major computer takeovers; malware is installed with PHP exploits and simple stuff, nothing else.
To actually hack a server box for backend control takes a proper hacker and going through bins to find IP addresses.
If you just run a port scan, the admin will know about it and will just change all the ports over a coffee.
I remember reading stories from when M$ first had machines with Win8 and IE11 for demo and some web site developers complained because Flash was not enabled by default.
M$ should have outright told them to STFU and learn to create sites properly instead of being lazy like a fair percentage of the coders I've met over the years.
We've had HTML5 enabled browsers for years now, kill Flash once and for all and get rid of one of the biggest security riddled products there is.