Hopefully this hoohah will be its death.
Dear Windows, OS X folks: Update Flash now. Or kill it. Killing it works
Adobe has published new versions of Flash to patch a vulnerability being exploited right now by hackers to hijack PCs and Macs. The APSB16-10 update addresses a total of 24 CVE-listed flaws, including one (CVE-2016-1019) that's been exploited in the wild to inject malware into Microsoft Windows and Apple OS X systems. Users …
COMMENTS
-
-
-
Friday 8th April 2016 20:46 GMT Shadow Systems
Re: Genuine query
Just don't install anything that can run Flash, then you won't have to worry if an exploit can ruin your day.
If your system can't run Flash, then all the exploits that rely on it to infect you have to go infect someone else. You can't run the container, thus the shit inside it can't splatter all over you.
Flash: just don't.
-
-
Friday 8th April 2016 20:44 GMT Steve Davies 3
Get the content producers to kill it
Otherwise it will linger on and on and on and on.
Come on people, stop producing content that needs Flash. Then it will go away.
Yes you, BBC and the rest... You know who you are.
It is all well and good saying that you are going to stop using it but when are we going to see some action eh?
My laptop does not and will never have flash installed. I've got rid, now it is your turn!
-
-
Friday 8th April 2016 22:23 GMT Mark 85
Re: Get the content^H^H^H^H^H^H^H producers to kill it
I wonder why Adobe hasn't come clean and globally recommended that everyone uninstall Flash and wait until a secure version is released. Anyone have any ideas?
It wouldn't be until the heat death of the universe before that POS is secure... so they'll lose out on monies from the likes of McAfee and Yahoo....
-
Saturday 9th April 2016 00:44 GMT Captain DaFt
Re: Get the content^H^H^H^H^H^H^H producers to kill it
"I wonder why Adobe hasn't come clean and globally recommended that everyone uninstall Flash and wait until a secure version is released. Anyone have any ideas?"
Because by the time they had a reasonably bug-free version of flash ready, everybody'd have moved on to using something else, and there'd be no market for it*?
*Or the heat death of the Universe will have happened first, and nobody'd be left to use it, a toss-up between the two, really.
-
Saturday 9th April 2016 10:15 GMT Ken Hagan
Re: Get the content^H^H^H^H^H^H^H producers to kill it
I wonder why Adobe doesn't just document Flash (ie, publish the source code, coz I'm sure that's the only accurate documentation there is by now) and leave it to others to produce a secure player.
They don't actually make any money selling the player, so this would reduce their costs and (if anyone managed it) might actually boost the market for the tools (which they do sell) to produce content.
-
Saturday 9th April 2016 11:40 GMT Steve Graham
Re: document Flash ie, publish the source code
The thing is that Flash Player isn't just a video player. It's an entire operating system (very minor exaggeration). Adobe do publish a partial spec of the SWF format.
There have been attempts to replicate the video-playing part, see for example, Gnash.
-
Sunday 10th April 2016 06:49 GMT Sebastian A
Re: Get the content^H^H^H^H^H^H^H producers to kill it
They don't make money off the player, but they make money with the bundled crapware it comes with. Two separate pieces of foistware today. Guess they're quite happy with frequent vulnerabilities. Makes people download their latest steaming pile more often. More chances to accidentally fail to deselect the shit they offer with it.
-
-
Friday 8th April 2016 21:16 GMT Andy Non
Re: Get the content producers to kill it
"BBC and the rest... You know who you are."
The Mrs called me over to look at her laptop the other day, she'd been googling something or other and ended up on the BBC site and was being prompted to install Flash. I explained that Flash was obsolete and a security nightmare and rather than her re-install Flash on her computer, the BBC needed to get their site up to date. She subsequently found what she was looking for on another site.
-
Saturday 9th April 2016 08:36 GMT To Mars in Man Bras!
Re: Get the content producers to kill it
*"...Yes you, BBC and the rest... You know who you are...."*
All the more annoying, given the BBC is quite happy to serve you up HTML5 Based iPlayer content, if you're using a mobile device.
Of course the simple answer is to use one of the many User-Agent spoofing extensions for both Firefox and Chrome, to pretend you're visiting on a mobile browser. Then, Auntie will quite happily serve you up Flash-free content on your desktop or laptop.
In the past, I've written a couple of howtos on this:
* iPlayer without Flash on OSX
and
which may be useful to point your non-tecchy friends at, next time they ask about being able to do this.
-
Saturday 9th April 2016 13:47 GMT Don Dumb
Re: Get the content producers to kill it
@To Mars in Man Bras! - iPlayer works on HTML5 without Flash now.
If you haven't got Flash it just works. If you do have flash, you can opt into their HTML5 beta and get the HTML5 feed instead. BBC News still uses mostly Flash though.
Grateful for your guide but it hasn't been necessary since they started the beta.
-
Saturday 9th April 2016 17:43 GMT Dr Paul Taylor
iPlayer Radio 4
Clicking on some recent Radio 4 programmes, I get "This content cannot be played in our HTML5 Player - Download Flash Player now" (under Ubuntu/Firefox with various blockers like AdBlock, NoScript, Ghostery but no Flash).
RadioTray only streams, it doesn't appear to play archived programmes. It doesn't come pre-configured with BBC Radio and it stops playing after a couple of minutes.
-
-
-
Monday 11th April 2016 10:03 GMT Anonymous Coward
Re: Get the content producers to kill it
me too.
Binned off W10 at the weekend for Ubuntu, and didn't bother installing the F word.
Thus far, not really noticed it apart from the exception of a few anachronistic cases. For those, I decided it wasn't really going to ruin my day to shrug, forget it, and move on somewhere else.
-
Friday 8th April 2016 21:43 GMT JLV
suggestion
El Reg, I regret to say this, but you should concentrate on unexpected news.
Might I suggest you run a monthly, nay, weekly, "no vulnerabilities found in Flash this week" column instead?
p.s. wanted to cite Shannon's Theorem (?) about the value of a piece of information being inversely proportional to its probability, but I couldn't find the exact definition in plain English.
-
-
Saturday 9th April 2016 02:05 GMT Old Handle
Re: Well, time to zap the blight
About the only thing (save the occasionally amusing flash game or animation) that anyone has used it for in the last 5 years is video, and it's finally obsolete for that too. You might still rarely come across a site that needs it for video, but essentially all major sites support HTML video now. In short, it's time.
-
-
-
Saturday 9th April 2016 00:08 GMT David Pollard
Is anyone from MIT reading this?
https://scratch.mit.edu/projects/855598/
"Oh no! We're having trouble displaying this Scratch project.
If you are on a mobile phone or tablet, try visiting this project on a computer.
If you're on a computer, your Flash player might be disabled, missing, or out of date. Visit this page to update Flash."
-
Saturday 9th April 2016 02:09 GMT Ian Easson
Doesn't work
Flash stopped working for me yesterday, on all sites.
Details: Windows 10, both IE and Edge browsers.
So I went to the adobe help site for flash. It told me they can't determine what version of flash I am running. They said:
- I either don't have flash installed, or
- It is disabled.
Following their recommended procedure, I determined that flash is indeed installed and it is enabled. (Just as an experiment, I disabled it and re-enabled it.. No help.)
The next solution they suggested was to turn off ActiveX filtering on a site-by-site basis. I tried it. It didn't work.
The final proposed solution was to upgrade to the latest version.
When I went to their web site for this, it told me that flash is integrated into my browser, so I don't need to update it!
Colour me frustrated.
(And by the way, Adobe offers no support for flash other than their user forums.)
-
Saturday 9th April 2016 11:14 GMT Steve Davies 3
Re: Doesn't work
Just uninstall Windows 10. You now know from first hand experience just one of the reasons why people here don't want anything to do with W10.
There are other options you know.
As has been said, spoofing your browser can get most sites that need it to display the content in HTML5 rather than in Flash. Just watch out if you do do that on W10 as Microsoft seems to have started overwriting your user settings with updates.
{Posted from a Windows 10 and Flash free environment}
-
-
-
-
Sunday 10th April 2016 05:35 GMT P. Lee
Re: Trust? Adobe?!
How about the OS?
Surely what we should be aiming for is an OS which can contain malicious software. What we really want is an OS which can be told to lock the about-to-be-executed process in solitary confinement.
Internet browsers do not need access to all the files under a user's account. Even if the flash executable is full of holes, the browser should have asked the OS to jail that tab (all new tabs by default) so that it can't output to anything but the screen. The browser itself should be launched in a jail. How often do you need to pass data from your filesystem (outside your own browser cache) to a browser? I'd suffer per tab caches if that meant extra security. If you do need to pass a file to a browser, the browser should ask the OS for access and the OS should ask the user. The browser process should not have general access to the file system. Why can't the OS have a high-security prison where even saving files to disk goes through a secure request mechanism: "I'd like to save some data to disk, here's what mime-type it is, here's what I think the name should be, and here's the data, please ask the user where it should go and put it there."
The days of "it runs as user X, it has all privileges of user X" should be well and truly over. Drive-by download compromises should be a thing of the past.
I seem to think elreg mentioned that MS had done quite a bit of work on this for W8, but only for store apps... and then they undid it for W10. Doh!
Even swiss-cheese software should not be a problem. That is the point of an OS.
-
Sunday 10th April 2016 06:59 GMT Charles 9
Re: Trust? Adobe?!
Guess you never heard of a sandbox escape exploit. Even if you jail the process, the right exploit can allow the malicious process to jailbreak out into the OS itself, where a privilege escalation exploit takes care of the rest. And no, you cannot make a practical OS airtight without sacrificing something else the user demands like performance (example, seL4 is ONLY secure when DMA is turned off: kinda important for performance-intensive stuff like graphics and low-latency networking).
-
-
-
Sunday 10th April 2016 20:30 GMT Charles 9
"Adobe want their nasty technology to survive, they should at least develop a reputation for trust."
Who needs trust when you have a captive market? Sure, video can pass, but Flash is more than video, and many things are used everyday and are Flash-ONLY (including very expensive enterprise stuff).
-
-
Saturday 9th April 2016 12:52 GMT Anonymous Coward
Does not compute
I completely uninstalled Flash on my Mac over a year ago and haven't missed it. In fact the only site I've noticed where I can't get all the content is of course the BBC news site, and let's face it, there's enough written content on that site that missing the odd video doesn't matter.
-
Saturday 9th April 2016 13:31 GMT dajames
Rule of Law
Asking users of your website to install Flash to view it, these days, is tantamount to asking them to invite a drive-by exploit from the next site they visit. It's almost as though those sites that (still) require Flash were in league with the malware peddlers.
That being so, perhaps the best approach (in the UK, at least) would be to identify all those sites that require flash and threaten to prosecute their owners with conspiracy to commit a breach of the Computer Misuse Act 1990.
-
Saturday 9th April 2016 15:57 GMT Anonymous Coward
Simples, all browsers should disable auto-play for all plug-ins and media!
The Microsoft Edge Flash changes didn't go nearly far enough (I'm loath to use it anyway), all browsers should disable /all/ plug-in auto-play by default (yes Silverlight too for corp-tard Visio), and have blacklists for the worst sites to block native-browser, are-you-sure, click-to-play prompts.
Flash is not just a security risk, I regularly see it significantly worsen browser responsiveness and increase CPU use, so it urgently needs to become end-of-life and only temporarily loaded/started (then unloaded/stopped) for legacy content, which retarded sites (including legacy corporate intranet content) can't or are too lazy to transcode to MP4 or HTML 5.
It is frankly unacceptable for any site (internet or intranet) to still host Flash or other plug-in media, it should all be standard audio/video codecs like MP3, FLAC, MP4 or MKV, and not stupid junk like wav, mov, avi, wmv or any non-standard Cisco codecs.
-
Sunday 10th April 2016 07:51 GMT Charles 9
Re: Simples, all browsers should disable auto-play for all plug-ins and media!
What about all that Flash stuff that ISN'T about media files but about interactive control panels and the like? You know, the kind of stuff that's hosted on corporate intranets and can't be removed without writing off a very expensive and business-critical piece of hardware that runs it all?
-
-
Saturday 9th April 2016 18:35 GMT Anonymous Coward
It's all about the DRM
The reason that Flash still remains for video is because content producers require broadcasters to implement DRM when streaming material to customers. We all know just how easy DRM is to circumvent and how obstructive it is as a technology, however the big media companies still think it's the answer to their dreams. Until someone can demonstrate a viable and secure content delivery mechanism, we'll be stuck with Flash and all of the security holes it introduces.
-
Sunday 10th April 2016 08:23 GMT Anonymous Coward
Re: It's all about the DRM
It's not so much the stuff of their dreams but the demand of their investors, without which they may as well just pack it up and call it a night. So they really don't have a choice in the matter: it's DRM or Bust. And if the media companies start going bust, where will we get our content from in future?
-
-
Sunday 10th April 2016 09:17 GMT John Jc
The number of times a story like this appears just amazes me. Forget FLASH - this is just an application. Why on earth does the underlying OS (and this applies to Windows and IOS) allow an APPLICATION to do this?
REAL Operating Systems [I worked with VMS for many, many years] worked hard to ensure user code couldn't do damage outside areas it was allowed to. Then someone created Operating Systems for the masses! There is the concept of an Administrator and a User, but if a user runs some carefully crafted applications, they can be Administrator. Pah!
Jc
-
Sunday 10th April 2016 10:20 GMT illiad
why does an OS allow it???
Simple. Companies with LOTS of money and investments, *blindly* going with the 'industry standard' ..
(clueless MGR : "Its adobe, they are a big company working with MS for YEARS, why would I get *anything* that *MS* does not use????" "Linux??? WHY would I get that, ALL our budgets are spent on MS support!" )
webdevs have all their support, paid for by MGR, to do fancy looking pages with ADOBE..
Likewise clueless users... they can just about install windows, don't realise the default is 'administrator'...
Many don't know what things are, quite often it's NOT 'the blue thingy' due to it being modified by their ISP... :(
At least BBC is *starting* its HTML5 project..
-
Sunday 10th April 2016 20:26 GMT Charles 9
"REAL Operating Systems [I worked with VMS for many , many years] worked hard to ensure user code couldn't do damage outside areas it was allowed to."
But that was before the hacker culture turned mainstream. Now you have people that dedicate significant parts of their lives to finding chinks in the armor not just of the applications, not just of the OS's but even of the hardware. Think of that: exploits in silicon. And given humans aren't perfect and the hackers only need to be lucky once, it's basically a siege situation: sooner or later, either someone cracks it or it loses the value that made it worth attacking.
-
-
Monday 11th April 2016 00:16 GMT RNixon
Old Flash Stuff
The problem with just killing Flash is that there's a lot of older content out there that needs it.
Some of which is fairly nifty stuff. Independent animations especially.
I keep it installed but set to click-to-run.
Now if I could only find a way to prevent HTML5 video from autoplaying. All the plugins I've tried that claim to do that don't work.
-
Tuesday 12th April 2016 01:58 GMT Uncle Ron
Sick and Tired
I'm so sick and tired of Flash. I can't understand why it wasn't abandoned YEARS ago. It is bloatware, unbelievably buggy, stunningly insecure and destructive and dangerous, constantly being patched--it's just a piece of junk. I'd like to see some sort of Emperor Mandate that requires its death by a date certain. Let's just say, on July 1, 2016, Adobe Flash or Shockwave Flash or whatever the heck it is, be disabled and trashed and no code will or can either require or use it. RIP.
-
Tuesday 12th April 2016 04:41 GMT Charles 9
Re: Sick and Tired
Trouble, some of the things using it are very expensive enterprise hardware. Such a mandate could easily kill businesses, and I'm not talking about the manufacturers. It's a lot like those man/machine interface computers that have to still use Windows XP because it uses antiquated hardware that Vista and above dropped support. Many people are kinda stuck with it, to the tune of hundreds of thousands if not millions of dollars which they'll never be able to get back as the cost is already sunk.