Adobe: Two critical Flash security bugs fixed for the price of one

Adobe has issued an emergency security patch for two bugs in its Flash player – after North Korea's hackers were spotted exploiting one of the flaws to spy on people investigating the creepy hermit nation. At the start of the month, South Korea's Computer Emergency Response Team put the world on alert after it found miscreants …

  1. Anonymous Coward

    Philosophical question

    is it really still the same flash due to the number of patches and fixes it's had?

    1. Anonymous Coward

      Re: Philosophical question

      Hasn't been the same flash since the codebase moved to a certain sub continent.

    2. ThomH

      Re: Philosophical question

      If the original Flash was an intricate 1/200 scale papier mache model of Xanadu and each patch is a piece of masking tape cut just large enough to cover a dent or crack, Flash is now a perfect sphere approximately the size of Europe.

    3. DJV Silver badge

      Re: Philosophical question

      It's a bit like Trigger's broom - they just remove one bug and patch it with another similar one. And that's probably the complete history of Flash since it started.

    4. Christian Berger

      It probably is, at its core

      I mean we are talking about 1990s software dealing with ill-defined binary formats here. It has to deal with all the workarounds for bugs in the software creating Flash files. It has to be able to parse long dead file formats in order to maintain compatibility. All of that was written in the 1990s with its typical code quality. I'm sure that the current developers are scared about touching it, as it might bring weird side effects as bugs in that code might have been used by some files out there.

  2. Mystic Megabyte
    FAIL

    Urgh!

    I just watched a BBC video about their new weather forecast. Guess what? It still uses Flash :(

    http://www.bbc.co.uk/news/uk-42945763

    BTW I came here at this late hour to comment on the successful Falcon Heavy launch. Maybe Vulture South is on the case.

    1. handleoclast

      Re: Urgh!

      BTW I came here at this late hour to comment on the successful Falcon Heavy launch. Maybe Vulture South is on the case.

      I just watched it on the BBC website.

      It was impressive seeing both boosters land simultaneously. Without falling over or exploding.

    2. Don Dumb
      Facepalm

      Re: Urgh!

      FFS! - Remove Flash from your browser and, guess what, it works fine.

    3. Anonymous Coward

      Re: Urgh!

      It uses flash because you have it installed. It uses something called EndSlatePluginHTML to play here (as I do not let flash on my system), which I'm guessing is one of the billion javascript/html5 players that all duplicate the exact same functionality as each other.

  3. Mayday
    Flame

    C'mon, seriously?

    Shirley Adobe should just end support for Flash, like now, not in two years or whatever.

    All of these issues/CVEs that seem to appear more than once a week must not only be a risk and embarrassing, but must cost $$$ in dev to patch and fix just in time for the next one to rear its head in time for the weekend. Doesn't seem logical at all to keep this up for this "free" software.

    Seriously Adobe, kill it. Do it now and save all of us, and you, all of these problems.

    1. Sandtitz Silver badge

      Re: C'mon, seriously? @Mayday

      "Seriously Adobe, kill it."

      How would Adobe do it - by stopping all support immediately and let the bugs roam free? What would that accomplish - millions of never to be patched browser/plugin combos?

      Since there is no kill switch (or perhaps the final update will disable it or prompt?) the only way to "kill" Flash in even remotely well handled manner was for Adobe to inform that support will end by the end of 2020 and to honor that commitment. Yes, the development on a dead-end technology for almost 3 years now costs money to Adobe but for me that is praiseworthy whereas pulling the rug from under it is something more associated with e.g. Apple which may inform *afterwards* that 'by the way, Safari and QT haven't been supported for some time now.'

      Since there are still plenty of Flash based services available (someone mentioned BBC) it will take time to move. Whether because of transcoding the movies, music etc. media to something more suitable for HTML5 presentation or for whatever reason (DRM?). HTML has only in the last few years caught up with the capabilities Flash had 20 years ago.

    2. big_D Silver badge

      Re: C'mon, seriously?

      I haven't installed it on any computer for around 3 or 4 years. The first thing I do in IE / Edge on a new machine is disable it.

      1. GrapeBunch
        Windows

        Re: C'mon, seriously?

        The first thing I do in IE / Edge on a new machine is disable it.

        Exactly. The first thing I do on a new computer is delete IE and Edge, or at least delete their shortcuts, which is usually enough to encourage the user to browse with something else.

        1. Sandtitz Silver badge
          Joke

          Re: C'mon, seriously?

          "The first thing I do on a new computer is delete IE and Edge, or at least delete their shortcuts, which is usually enough to encourage the user to browse with something else."

          If the user doesn't have the blue 'e' icon on the desktop he won't be able to download that other browser. Worst case scenario: he still has an old CD from the ISP welcome package and you'll find him browsing with NN 3.02 when you're next time checking the computer!

        2. Anonymous Coward

          Re: C'mon, seriously?

          "delete IE and Edge, or at least delete their shortcuts, which is usually enough to encourage the user to browse with something else."

          IE, sure, but Edge is faster and has had way fewer holes than most other obvious choices like Chrome. And it's not spyware by design either.

  4. REZIN8

    I was a flash developer for over a decade, stopped using the day Apple blocked the plugin on iOS.

    Nobody develops for flash, but AIR is still used heavily. AIR is built on flash for mobile apps so good to patch bugs still, but seriously Adobe needs to stop supporting the browser plugin. I don't understand why they still do?????

    They bought it from Macromedia and then turned it into garbage anyway. Just let go adobe. Let go....

    1. nijam Silver badge

      > ...bought it from Macromedia and then turned it into garbage...

      No effort was required to turn a Macromedia product into garbage.

  5. Anonymous Coward

    Why doesn’t Microsoft grow a pair, and ban all flash/plugins, etc. from running on Windows?

    Suddenly, all the remaining shithole sites (that still use it) will upgrade or disappear, and the world will be a better (safer) place.

    1. Anonymous Coward

      It's not just websites though, is it? There are plenty of devices out there, notably consumer webcams, that have embedded webservers reliant on Flash. Bricking otherwise functional hardware that poses no risk to the user (from Flash, anyway) really isn't a great idea.

      1. Anonymous Coward

        Are you trying to save devices from a decade ago? In exchange for putting (millions?) at risk?

  6. FuzzyTheBear
    FAIL

    again ?

    What's this ? swiss cheese ? Hope we get rid of it sooner than later.

  7. EnviableOne

    Roll on 2020

    The whole web will be safer when it's gone

    1. Bronek Kozicki

      Re: Roll on 2020

      Yes, well, assuming it is actually removed from users' computers ... especially those whose owners never bother with patches anyway.

  8. shifty_powers

    Handy

    Well at least this prompted me to remember to uninstall it from my main laptop.

  9. adam payne

    Adobe acknowledged its software was still a security shit show shortly afterwards, and promised a patch this week.

    We don't need you to acknowledge that Flash security is terrible Adobe, we already know.
