Kill Flash now. Or patch these 36 vulnerabilities. Your choice Adobe has released an update for Flash that addresses three dozen CVE-listed vulnerabilities. The update includes a fix for the CVE-2016-4171 remote code execution vulnerability that is right now being exploited in the wild to install malware on victims' computers. Adobe is recommending that users running Flash for Windows, …
I'm starting to think that even these celluloid ping pong balls (#) are less of a safety risk than running Adobe Flash.
(#) Offtopic, but since I mentioned it, if you *really* want to see how scarily flammable celluloid is, check out this video of some burning celluloid cinema film. The really interesting bit is at 4m37s, where the burning reel of film sounds like a jet engine taking off.
Popular video streaming sites, such as Hulu, insist on Flash. Big headache. They also insist on flash plugin auxiliary stuff that isn't available for Linux ... so Windows is the only way to access my Hulu subscription. Big pain.
WTF couldn't Adobe get it right? And HTF did Flash become so totally ubiquitous?
Like every new technology on the internet: porn. It was the first platform on which video could be streamed piecemeal, and on a wide variety of platforms. It rose in popularity during the format wars of the 90's when watching a video online meant that you might need Real Player, Quicktime, or one of the dozens of other proprietary video codecs.
Brilliant film. And a good few years since I last watched all three. I have since picked up a cheap copy of the undoubtedly crap remake of the first (or is it the second, which was as much a remake of the first as it was a sequel) - so watching all four might be on the cards soon.
Or I might hold off until I have my hands on the series.
"possibility of Auntie charging to use iPlayer...Doubt the beeb will be in any hurry to do so though."
Sigh, again with this.
iPlayer does have an HTML5 feed, you don't need flash for iPlayer. It's the BBC News videos that are unwatchable without Flash.
That they don't extend HTML5 to news is utterly baffling, considering that they have actually done this for mobile apps.
Allegedly it is because the change will "require a great deal of technical development work to our current systems and there are technical challenges around the ability to secure video streams in HTML 5".
It would seem that these challenges have been around and acknowledged for a good five or six years though so perhaps the underlying problem is just a lack of sufficient focus on this area of BBC content delivery.
See http://www.bbc.co.uk/news/help-36551036 and http://www.bbc.co.uk/blogs/bbcinternet/2010/08/html5_open_standards_and_the_b.html respectively.
Bear in mind that iPlayer must also support smart TVs, which almost all use embedded flash. As a result it would be difficult for the BBC to completely do away with flash support. However for the major browsers that support HTML 5, it does seem baffling that it defaults to flash when the alternative stream is available...
I am currently working across the pond at a US Federal government institute. On one hand they talk the talk about how all the computers must be super secure, on the other hand all of their IT security training (and all other online training) is only accessible with Flash.
From the Adobe Security Advisory
"A critical vulnerability (CVE-2016-4171) exists in Adobe Flash Player 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS."
Thank you +1 for you, the current os name would be OS X. Apple's next os will be macOS. And Safari 10 will not run any of the crud(java, flash, silverlight etc) unless explicitly enabled by the user.
Right, there was an piece here on El Reg:
http://www.theregister.co.uk/2016/06/15/safari_10_will_put_flash_java_silverlight_quicktime_in_the_bin/
If the one and only way to control your expensive piece of trash REQUIRES Flash...
... it's time to take that expensive piece of track and wrap it around the head of the head the company making it. And perhaps the person who approved its purchase. With mechanical assistance of a crowbar and fireaxe, if necessary. There's exactly no excuse of any kind for requiring the use of Flash to administer expensive kit.
There IS one excuse, a very CRITICAL one: amortization. The highly expensive piece of kit has already been bought. The costs are sunk and can never be retrieved. They're a big strain on the business, trying to obtain another so soon will literally kill it. So basically, you MUST live with it. And leaving the company may not be an option as (a) no one else is hiring or (b) they're in the same boat, saddled with expensive kit they MUST use.
Put it this way. If you're out in the middle of the shark-filled ocean and the only possession to your name apart from your clothes is a leaky raft...well, all you can do is start bailing.
interestingly, I have a similar issue on my printer, a Brother with wifi capability. Configuring the wifi access password requires you to plug in a USB cable and then run their config utility which is ... Java based. Once the wifi login info is entered, you can delete the whole thing.
I avoid Java whenever possible and Java on Mac does not uninstall at all. And it actually also chokes on just turning off the Java applet capability, insisting that you need to be an admin to do it on other users' accounts. Never mind that I am the admin, using sudo. Instead of installing Java, I was thinking of launching the java configuration from a Ubuntu vm but there is no Brother config app for Linux.
However, I saw a Linux-oriented posting where someone saw that the printer actually runs an http server and you can you just enter the wifi info using a browser (if you are connected by wired at the time), bypassing the need for their config app. It's complicated, but it works. Need to try it on my printer.
Lesson learned? - sometimes what the config client talks to is still http/html-based, under the covers.
"Just how is it that Flash is so relentlessly shit and never seems to improve any?"
Maybe Adobe is incompetent at producing any reasonably secure software? I've heard it said that over the years almost every alternative to Acrobat has been more secure than the Adobe product, and I decided years ago to avoid all use of Acrobat and stick to Foxit for viewing and printing PDF. If I could avoid all use of Flash I would.
In fact I would like to be completely Adobe free.
So I decided to update. On their site I needed first to enable Flash, and Java. Then negotiate a download, then untick a preticked 'optional' random payload (just WHY?), then restart the browser. Not too hard, but I'll never get my many cousins each to do it to theirs without Teamviewer one by one. What a pain
Every time you have to update the latest security failure in Flash you have to look around for, find and uncheck that optional extra program that Flash has bundled with the update.
Assuming the makers of that extra program pay Flash for bundling the software along with the update, it would seem that for Flash producing software with security holes must be quite the money-spinner.
If people don't need the patches, they don't download the extra software. Call me cynical, but if making a more secure product will cost the makers lots of money, expect an insecure future.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
