Adobe Flash To Be Top Hacker Target In 2010
An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"
I already see this happening (Score:2, Funny)
Sometimes when I go to a website, it will have Flash malware which forces me to download unwanted content and then plays it without my consent.
Damn you Youtube!!!
Re: (Score:1)
Sounds like someone's been a victim of one too many Rickrolls....
Re: (Score:3, Informative)
Tubestop [mozilla.org] is your friend (tm).
Re: (Score:2)
Why only stop Youtube videos? They're one of the few flash objects you might actually want to load (I keep youtube on my Flashblock whitelist). Plus, Flash-borne viruses are typically delivered as ads, which Tubestop won't block from loading.
Re: (Score:1)
It's like "when I'm drivin' in my car and a man comes on the radio, tellin' me more and more about some useless information supposed to fire my imagination."
Re:I already see this happening (Score:5, Funny)
Does anyone else see the irony that the white paper is in Adobe PDF format and most people will be reading about Adobe Reader vulnerabilities IN Adobe Reader?
Yuh huh (Score:3, Insightful)
Re: (Score:1, Interesting)
I dunno, but it just seems to me that embedding a Turing machine into a website is just a bad idea no matter what you call it.
Re: (Score:2, Interesting)
I don't see what Adobe's problem is with the security vulnerabilities. Don't trust data from the network, and don't ever use a variable/etc without bounds checking. How many versions, bugfixes, patches, and revisions does it take to get these two basic things right? Real question. I don't understand the difficulty here.
Re:Yuh huh (Score:5, Insightful)
At work we had a Windows Server 2008 hacked. It was killing the whole network sending spam and trying to infect other machines on our AD. Our boss was already blaming Bill Gates's mother ... On a closer inspection, the problem was discovered. The system was running a quite old version of WebBoard (a system for collaboration, which was developed originally by O'Reilly). The firewall has the port 8080 open to allow users to connect. Some people discovered the open port, found out that WebBoard was running, and took advantage of the vulnerability to upload and run malicious code on the server. Because WebBoard is a service, running as the System account, you can imagine what happened there. Did our IT manager know about this vulnerability? Not at all, even if it was fixed on a posterior build.... How many "forgotten" programs, and non-OS related services do people have running in their machines, unpatched and unattended? Think about this...
Re: (Score:3, Informative)
That would be the right time, yes. But actually, the problem with today's systems is not as much the OS as the applications that run on it. Almost every self-respecting OS has an Auto-update function that works more or less well. Unless you are a paranoid schizophrenic who updates the OS manually (forgetting to do it now and then), the OS is relatively secure. The problem is the applications. Now tell me, how many of us run to download a new Java machine or a new Acrobat reader, or a new Cobian Backup, or a new WinAmp when a vulnerability is discovered on any of those products? Hell, you will be lucky if you even get to know that a new vulnerability was found on your faithful uTorrent... So when you get pwned, what's the first thing the user blames? The OS of course...
At work we had a Windows Server 2008 hacked. It was killing the whole network sending spam and trying to infect other machines on our AD. Our boss was already blaming Bill Gates's mother ... On a closer inspection, the problem was discovered. The system was running a quite old version of WebBoard (a system for collaboration, which was developed originally by O'Reilly). The firewall has the port 8080 open to allow users to connect. Some people discovered the open port, found out that WebBoard was running, and took advantage of the vulnerability to upload and run malicious code on the server. Because WebBoard is a service, running as the System account, you can imagine what happened there. Did our IT manager know about this vulnerability? Not at all, even if it was fixed on a posterior build.... How many "forgotten" programs, and non-OS related services do people have running in their machines, unpatched and unattended? Think about this...
Perhaps the OS deserves some blame (kneejerk types, note that some != all). On Windows there is no equivalent to the various centralized package managers that come with standard Linux distributions. You cannot go to one place and run one program and simultaneously update every last application installed. The biggest obstacle seems to be the copyright restrictions that prevent the redistribution of most Windows software. But for whatever reason, on Windows, every last application is on its own and must m
Re: (Score:2)
I think this is an issue that affects all operating systems essentially:
There needs to be a central place for programs to check versions, then be directed to their repositories. The checking would be done in SSL, the version numbers placed on the repositories would be signed.
And this doesn't have to be centralized. As part of a package's manifest, it would have a URL that the updater daemon would use and pull a signed list of latest versions. If the program isn't the latest, the OS update utility would b
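The check this comment describes, sketched as an added example that is not part of the original thread: an updater accepts a publisher's version list only if its signature verifies, then compares versions numerically. The package names, version numbers and the toy textbook-RSA key (standing in for a vetted scheme such as Ed25519 from a crypto library) are constructed assumptions.

```python
import hashlib
import json

# Toy RSA key built from two Mersenne primes so the demo needs only the
# standard library. Constructed for illustration; NOT a secure key or scheme.
# A real updater would call a vetted signature library instead.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                     # public key, shipped with the updater
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, held by the publisher


def digest_int(payload: bytes) -> int:
    """SHA-256 of the payload as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def publisher_sign(versions: dict) -> dict:
    """Publisher side: serialize the version list and sign its digest."""
    payload = json.dumps(versions, sort_keys=True)
    return {"payload": payload, "sig": pow(digest_int(payload.encode()), D, N)}


def parse_version(text: str) -> tuple:
    """'9.10.0' -> (9, 10, 0), so 9.10.0 sorts after 9.9.2 (strings would not)."""
    return tuple(int(part) for part in text.split("."))


def check_update(signed: dict, name: str, installed: str) -> str:
    """Updater side: verify first, and only then trust the contents."""
    payload = signed["payload"].encode()
    sig = signed["sig"]
    if not isinstance(sig, int) or not 0 <= sig < N:
        return "reject: bad signature"
    if pow(sig, E, N) != digest_int(payload):
        return "reject: bad signature"
    versions = json.loads(payload)
    if name not in versions:
        return "unknown package"
    latest = versions[name]
    # A list that is older than what is installed never causes a downgrade.
    if parse_version(latest) > parse_version(installed):
        return f"update to {latest}"
    return "up to date"


if __name__ == "__main__":
    # Constructed sample list; package names and versions are hypothetical.
    signed = publisher_sign({"example-player": "10.0.3",
                             "example-reader": "9.10.0"})
    print(check_update(signed, "example-reader", "9.9.2"))

    # A list altered in transit to hide the fix fails verification.
    tampered = dict(signed,
                    payload=signed["payload"].replace("9.10.0", "9.1.0"))
    print(check_update(tampered, "example-reader", "9.9.2"))
```
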
Re: (Score:3, Informative)
You see, somehow this isn't an issue on other OSes. Why? Because there's a unified update mechanism that can be used by any program.
In addition, most of available software is packaged in a big repository with security support, and if you use third-party repositories, they can use the mechanism as well. On Windows, though, every program has to implement its own update -- some do, like Firefox, Thunderbird, WinAmp or Java, but the vast majority lacks it. And even those few with an auto-update function ha
Re: (Score:2)
“It’s a feature, not a bug.”
Re: (Score:3, Interesting)
This is about finding a common infection point (Score:4, Insightful)
With the recent popularity of Apple products and other internet surfing enabled devices, this is all about infecting the most machines possible. Previously that was easily accomplished by targeting the most popular devices - Windows PCs. But now there are even more targets available and most of them run Adobe Reader and Flash.
What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?
Re: (Score:2)
One of the managers in our office just bought an iPhone that came with Acrobat reader pre-installed.
Thanks for playing, though.
Re: (Score:2)
Seeing as it's a closed source plugin that you can't fix yourself... what else can you do but complain about it?
It's also hard to argue that Flash on every platform other than 32-bit Windows is anything but badly coded software.
Re: (Score:2)
Try to get a standard on an alternative technology that has been around a while? If Oracle could update Java so it had better video processing, it could possibly go head to head with Flash for movies. Unlike Flash, Java has a decent security model so sandboxed stuff won't be jumping out to execute crap as a user, or perhaps as a superuser.
Also, unlike Flash, Java runs almost anywhere. Yes, there are JVM issues, but a Java applet can be coded to run on any platform. The only platform it doesn't work on t
Re: (Score:2)
What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?
Yes.
The moment you believe securing your system is not an issue, that's exactly when it becomes an issue.
As Windows and Mac user, I don't trust either of my systems to be any more secure out-of-the-box than I can throw them. You don't get to ignore any responsibility for your system's security and have the privilege of being a link-clicking blind-downloader simply because you picked the "more secure" computer.
Re: (Score:2)
I would imagine that if Flash etc. became poor enough in terms of security we'd see more attention on projects like Gnash [gnashdev.org].
Re:This is about finding a common infection point (Score:5, Informative)
I would imagine that if Flash etc. became poor enough in terms of security we'd see more attention on projects like Gnash [gnashdev.org].
No joke. Even if they are absolutely equally secure, Gnash provides source code. You can build that source with SSP (or equivalent) [wikipedia.org]. You can also build it as PIC [wikipedia.org] and apply many other restrictions with a PaX [wikipedia.org] and/or Grsecurity kernel [wikipedia.org]. All of these will reduce the chances that a known vulnerability will lead to a successful exploit. Specifically, a known vulnerability that would normally allow an attacker to run arbitrary code stands a good chance of merely crashing the application.
You just don't have options like this with binary blobs. I really would like to see more development of Gnash, as it seems that Adobe Flash is on a downhill course in terms of security and will continue to be a problem. Source code is about freedom and control. With such control, you can take steps to manage a risk even if you cannot perfectly mitigate it.
Re: (Score:3, Insightful)
What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?
I can't speak for Macs or smartphones (who gloats over the security of smartphones? Things like the amount of iPhone jailbreaking going on or the T-Mobile Sidekick crash make it pretty clear smartphones have issues...), but Linux is still more secure than Windows in this respect. There are numerous ways to isolate the damage that could be done from a hole in Flash. MAC like SELinux or AppArmor are perfect for this, and Windows still doesn't have a competent MAC implementation (MIC is insufficient). There's
Re: (Score:2)
Well, I don’t see that malware running on my custom-compiled system with unsupported 64-bit alpha of Flash anytime soon. ^^
Re: (Score:2)
They keep saying it, but it hasn't happened. How popular does my Mac OS have to get before I see real threat? How popular do smart phones have to become before a real threat? Or, perhaps the best way to infect the most machines is to attack the easiest to exploit, not the most prevalent.
Re: (Score:2)
Not until our kernel gets its own web browser too ;-)
Well, my prediction is Windows again (Score:2)
Unless crime gangs all went to some course learning to code massively multi platform, the "issue" will basically put some .exe file to users computer and run it. It won't be some amazingly universal binary which runs on ARM/x86/PPC/MIPS and dozen of different operating systems.
I understand your sarcasm and it is really alerting that there are like 10% of market who believes their platform is something like NSA Terminals we see at movies but Flash exploit isn't the one which the real doomsday for OS X will c
Quick fixes won't be enough. (Score:2)
People often just don't update Flash much. It's a little better for Adobe Reader from what I see; but just a little - automatic updates are treated more like a nuisance to hide, it seems.
Overall - good riddance. Simple & small PDF readers with scripting disabled are all almost anybody needs anyway. As for Flash - everybody here keeps whitelists of pages already, right? And perhaps those few whitelisted ones will feel the need to enable HTML5 video tag sooner.
Re:Quick fixes won't be enough. (Score:4, Interesting)
Even if they updated regularly, it would still be an easy target. Something like six of the top ten browser crasher bugs are in Flash plug-ins. There are so many crasher bugs that nobody can even keep count. When you realize that every single one of those is probably an exploitable attack vector, you quickly understand why I use click2flash. Swiss cheese belongs on sandwiches, not on the public Internet....
Re: (Score:2)
People often just don't update Flash much.
Except that Flash can be made to auto-update since around version 8.
So no, people don't update Flash. It updates itself!
Re: (Score:3, Informative)
You might update, but "people" are stupid and do not.
"People" tend to minimize or close anything that pops up in between start up and opening the app that one started the computer to use. Whether it be windows update, virus scan update, or updates of nagging software. Of those three the updates of nagging software will be the most likely to just be closed without any update taking place.
isn't Flash content in the cloud? (Score:1, Funny)
i expect a fix in 5 minutes. everyone knows that anything delivered from the cloud is highly secure and easy to fix if problems arise
WTF (Score:3, Informative)
Could someone please explain to me why I have to be worried about $#! document viewer compromising my system? WTF Adobe!? Glad I don't have to use it to read PDFs anymore. Thank you OS X for built-in support.
Re: (Score:3, Informative)
Don't be silly, buffer overflows can happen anywhere. Hell, IE has been compromised thanks to a b0rked JPEG decoder in GDI+, ffs.
That said, Adobe has certainly made their job harder by including a full-blown ECMAScript engine in acroread. But even without that, the ubiquity of Flash and Reader makes them ideal targets for hackers, thus further illustrating why software monoculture is a bad thing.
Re: (Score:2)
Well I certainly understand that, but why aren't hackers targeting Notepad then? That's definitely a software monoculture. ;) How much more complex is it parsing ASCII than a PDF format? Is there anything inherent in the PDF format that makes software implementations inherently more buggy, other than just the simple fact it's a more complex format? Or does Adobe just suck? I can understand something like JPG where you have compression vs a simple uncompressed image format which should be trivial to guard ag
Re: (Score:2)
How much more complex is it parsing ASCII than a PDF format?
*Vastly*. At its core, PDF is compressed PostScript, and PostScript is a Turing-complete functional programming language. On top of that, you have complex font handling and embedding, the rendering core itself, image handling, etc, etc. That, in and of itself, makes for a pretty large surface area that could be exploited. 'course, for good or ill, Adobe then threw ECMAScript, PDF Forms, annotations, and a whole raft of other functionality on t
Re: (Score:2)
Looking at the wiki page describing PDF it may not be Turing complete as it only includes a subset of Postscript which excludes if and loop statements.
Re: (Score:2)
I'm much more of a hardware (chip) guy than I'll ever be a software guy. I'd like to ask (honestly), how can Flash remain such a security nightmare? After all this time, all of the preceding versions of flash, how can vulnerabilities continue to be found in light of more scrutiny by the developers (code audits, bounds checkers, etc.)? I realize no complex piece of software is bug-free, but Flash (and of course, Acrobat Reader) have continuous vulnerability discoveries... must it be so forevermore?
Re: (Score:2)
Your argument would make sense if Flash was a product in maintenance mode, where no new substantial development was being done, and only bug fixes and security enhancements were being applied. But, of course, that's not at all the case. New features, performance enhancements, and god knows what else, show up in every rev of Flash, and that means new potential security vulnerabilities.
Hell, by your argument, Firefox should be virtually bug free by now...
Re: (Score:2)
If I could ask for one thing with Flash, I wish it had a security model where on operating systems that supported it, it could run the foreign .swf containers either jailed or with highly restricted permissions. For example, a YouTube vid might need access to a shared object to set video preferences, but it needs no access other than that, or perhaps a way to connect back to YouTube to rate stuff or get the next video in a series.
This isn't hard in Windows. IIRC, one can create a restricted hToken, then u
Re: (Score:2)
“Virtually” bug-free may still be an appropriate description of my user experience if the bugs that remain in the application are only very rarely ever encountered.
Re: (Score:2)
First of all, "nightmare" is hyperbole. Maybe it isn't as bad as Chicken Little says.
Re: (Score:2)
I think they are assuming that exploits in Adobe Acrobat Reader would not work if you use OSX Preview instead. Even though they view the same file, the way they go about it may (maybe, I don't know) prevent an exploit from working on Preview.
Acrobat and Flash (Score:5, Informative)
Acrobat and Flash vulnerabilities were two of the biggest issues I saw in 2009, even more than Office vulnerabilities.
For one, Office only seems to hit the enterprise sector, and most enterprise users have at least some security. Office is more likely to be patched by users, and there were fewer vulnerabilities.
Most users don't have the latest version of Acrobat or Flash. They affect home and enterprise users.
Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an after-thought.
For Windows users, I often recommend they swap Acrobat with a free reader like Sumo or Foxit, which is smaller, faster, and has fewer vulnerabilities. Sadly, there aren't many GOOD Flash alternatives.
I really hope HTML 5 phases out the popularity of Flash.
Re: (Score:1)
How about Silverlight or Moonlight?
Re: (Score:2)
he said GOOD alternatives. Silverlight and Moonlight are not.
Whatever happened to applets and javascript?
Re: (Score:2)
Wait, because, unlike Silverlight and Flash, Applets and Javascript are somehow magically free of vulnerabilities?
Careful, your prejudices are showing...
Re: (Score:2)
What the hell are you talking about? I said NOTHING about vulnerabilities. Perhaps it is your prejudices that are showing.
Silverlight fails at cross-platform use, and can break previously working and unrelated software when installed. Moonlight is a half implementation of Silverlight that can't even get its errors right. Applets and JavaScript play nicely in comparison, though JavaScript is a pain in the ass with its browser incompatibility issues.
Re: (Score:2)
What the hell are you talking about? I said NOTHING about vulnerabilities. Perhaps it is your prejudices that are showing.
Well, given the article is about *security vulnerabilities*, it stands to reason that when one is discussing viable replacements for Flash, one might be specifically referring to, you know, security vulnerabilities.
Silverlight couldn't be a Flash rival, thanks to MS (Score:2)
As Silverlight's vendor was busy with feeding that once famous, now puppet idiot and his gang, their V2 dropped support for PowerPC Macs, which several people, including their market, use. No, PowerPC Macs didn't explode and reject to turn on when Apple announced the Intel transition. They are in use by schools, people who keep hardware which works, musicians (as the 12" PB is still waiting for a replacement), company terminals which do nothing other than mailing and browsing.
In Silverlight V3, things getting even more c
Re: (Score:3, Interesting)
their V2 dropped support for PowerPC macs which several people
So Silverlight can't possibly compete with flash because it doesn't support a hardware platform that hasn't been produced in 5 years now and already has negligible market share?
In Silverlight V3, things getting even more complex as the Win32/64 Silverlight V3 has more features than OS X 32/64 one
The only differences I'm aware of between mac and windows silverlight 3 are quite trivial [microsoft.com]
While mentioned, where is the iPhone/Symbian and even Windows Mobile support?
In the works [silverlight.net]. Admittedly, MSFT is disappointingly behind schedule on this front.
Some of your complaints with Silverlight have merit. It isn't perfect yet, but it has made remarkable progress in the 2 years it has been out and most certail
Do you actually believe their claims? (Score:2)
Let me say, as a TV professional, I know another TV who spent millions in infrastructure and software/servers to offer Windows Media DRM based paytv/prime content even while the entire scene, including their rivals, called the idea "stupid" and said they better stick with standards.
Today, their webmaster stares to 40% of hits coming from Apple OS X and iPhone OS X based clients while they have nothing to serve to them. The reason? MS took their toys and went home, they stopped maintaining Windows Media Player for O
Re: (Score:2)
It isn't just PPC
From the post to which you responded:
Today, their webmaster stares to 40% of hits coming from Apple OS X and iPhone OS X based clients while they have nothing to serve to them.
OK, it should have been "stares at" instead of "stares to", but how good is Silverlight on Mac OS X?
No, it doesn't. (Score:2)
Re: (Score:2)
That is what I meant. For a user, if they want to go to Youtube, they can't simply uninstall Flash and make the site work with Silverlight.
Flash is so utterly predominant on the web that most users feel it is a necessity.
Flash will stay, what matters is the openness (Score:2)
Even if Adobe rolls over and dies tomorrow, the Flash is so needed that some major .edus may give huge help to Gnash project to make it actually replace Flash, at least to the point until V10. It would be some service to the web and even World economy.
I can't imagine the price required to replace Flash on entire web including old sites and multi billion dollar occasional games industry which is dominated by Flash thanks to stupid Sun.
Besides people dreaming H264/AAC getting open, is the Flash open enough fo
Re: (Score:2)
Well, you could start here:
http://hg.mozilla.org/tamarin-central [mozilla.org]
http://www.mozilla.org/projects/tamarin/ [mozilla.org]
What are you going to target... (Score:2)
Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an after-thought.
In what way is security an "afterthought" on these systems? Both have stronger measures to keep exploits from infecting the core system than Windows7. Both have excellent patching mechanisms that consumers use regularly.
Furthermore, let's say you are a virus writer, and you take advantage of a Flash exploit. OK, now you have native code running - just which system
Re: (Score:2)
The users aren't as focused on security because the OS is seen as traditionally secure. I love Linux. I advocate Linux as a safer way to browse the web.
Flash exploits on a web site are going to target Windows, as opposed to the small Linux market.
However, Flash exploits do exist.
My original point is that this is an odd prediction saying that Flash will become an issue in 2010, when I already think it was the biggest issue in 2009.
Re: (Score:2)
In what way is security an "afterthought" on these systems? Both have stronger measures to keep exploits from infecting the core system than Windows7.
Is that really true? Both have inferior ASLR to Windows 7, for example.
Both have excellent patching mechanisms that consumers use regularly.
I don't see any way in which Apple's patching mechanism is superior to Windows'. Also, the way Apple uses it is inadequate; for example, they are very bad about updating OSS components of the OS, and you will find tragically old versions of perl libraries &c.
Furthermore, let's say you are a virus writer, and you take advantage of a Flash exploit. OK, now you have native code running - just which system calls are you going to start making? Linux? Mac? Hardly.
AFAICT this is the only meat in your comment sandwich.
Good luck with million hour video downgrades (Score:5, Interesting)
Unless you drug the IT departments of major media sites to go back to 1990s while H264 exists and H265 is being mentioned, HTML5 can't replace Flash.
It is the codec, the stupid fanaticism about "open codecs" to a degree of inviting Apple to jump to VP3 while they spent billions for H264 and the damn MP4 is being lite version of their OWN container, Mov.
For terabyte/petabyte sized media outlets, changing the codec means millions of real World money, not some "everything should be open" dreamer's money. In real World media, you even keep U-Matic players from 1970s maintained since in one occasion, you may need that archive tape from 1970s which haven't been digitized since it is part of your millions of hours archive which may be rarely (once a month) used.
HTML5 designers should really visit a major TV studio to see how things are really done, why you must do some insanely great progress to convince the people to switch, how TV and Video guys doesn't give a heck to "patent" problem as long as multiple vendors/documented standards/EBU etc. approvals exist.
Re: (Score:2)
Perhaps if the holders of H264 patents granted royalty free rights for foss implementations of their codecs everyone could have their cake and eat it too.
Re: (Score:2)
Actually, nobody cares if H.264 is “protected by anything”. We all have pulled stuff off of bittorrent, loaded some cracks, or had someone do that for us. I don’t remember seeing any computer without “illegal” software in the last 10 years. Even in companies!
Like with GIF.
The joke is, that YouTube already uses H.264. Someone at Google should offer a Firefox extension that simply implements H.264 for the video tag. :)
You can't wake up one day and upload h264 to sf (Score:2)
Well, what I say is, VP3 is a freaking outdated piece of junk abandoned and got donated to open source community.
If Google has balls to donate the real deal (VP7,8) or even IF it is possible, things may change. Why IBM , big blue with army of lawyers couldn't open OS/2? Why some abandonware can't open their source but gives away free license instead? Why some can't? Because it is how such huge things work. All parties, including the companies, TV stations, TV industry organisations must agree that they will
Do the hacks exploit buffer overflow issues? (Score:2)
Do the hacks exploit buffer overflow or wild pointer issues? Does anyone know?
Re:Do the hacks exploit buffer overflow issues? (Score:4, Interesting)
The hacks in Flash are often social engineering tricks to get at files, camera, microphone... though I think the most growth will be enabled by the excellent support for socket communication in today's actionscript. In other words, good old-fashioned cross-site-scripting.
i can has FOSS Flash Replacement? (Score:2)
It's time to start seriously chipping away at Adobe's stranglehold on multimedia. Or at least give it some serious competition that will inspire them to work harder.
As someone else has mentioned, this might be HTML 5's time to step up.
How are Linux users affected by this? (Score:2)
Are there Flash-based keyloggers or bots?
Re: (Score:2)
assuming Flash and Adobe Reader vulnerabilities allow code to be executed like in Windows
Native code (which is what your comment implies, and means you'd have to "know your target", have 3 different payloads -- one each for Windows, OSX and Linux -- and a very intelligent installer), or interpreted code running in the Flash engine which would go away as soon as you close your browser (which I rarely do)?
Oh, the irony! (Score:5, Funny)
Re: (Score:2)
"We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"
It seems to be a standard PDF file that opens just fine in other PDF readers. What did you try opening it with? Or do you mean because you don't know there are other PDF readers you, personally, have to use Acrobat Reader?
Re: (Score:2)
"We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"
Fortunately this vendor (who conveniently sells security products) allowed us to view their press release on Slashdot using HTML.
There is already a solution (Score:2, Insightful)
"Flash" is often sold. (Score:2)
As long as IT salesmen sell "flashy" sites and bleat that it is professional to put a flash lock on your site, developers will have to build it.
As you already say that most things can be done in javascript, I don't see that HTML5 support would hurt the use of flash.
Re:There is already a solution (Score:5, Interesting)
There is already a solution out there and it is called javascript. 90% of the things you can do in flash can easily be done using javascript, jquery, or some other javascript framework.
The problem with your statement is you assume the Flash content creators are programmers with enough free time. In reality, many of them have degrees in communications or visual arts or are just programmers who want a quick and easy tool for throwing together some quick video/UI content for the Web. From what I've seen, the decently made tools to create such content are mostly created by Adobe and focused on Flash. Unless a company steps up and creates equivalent tools for HTML5 and javascript and those tools gain a significant market share and momentum and ecosystem, I see Flash remaining dominant, with MS gobbling up a smaller share.
Re: (Score:2)
Yeah, I hear JavaScript has great video codec support. And webcam/mic support. And audio playback support. And all that is pretty much uniform across major browsers.
Re: (Score:2)
In HTML 5, yes [youtube.com].
No, it doesn't! (Score:2)
selling a product (Score:2)
McAfee, of course, has a product to sell.
For Adobe Reader, the solution is really easy. Either install something faster and more secure as your browser's PDF plugin, or disable javascript in Adobe Reader. All the security vulnerabilities in AR have been related to javascript, which is a feature that almost nobody wants or needs in pdf files anyway.
I'm skeptical about any risk from flash. Flash apps run in a sandbox. Are they referring to things like malicious facebook apps? That seems like a relatively
Re: (Score:2)
> I'm skeptical about any risk from flash. Flash apps run in a sandbox.
Flash apps should run in a sandbox - but the recent vulnerabilities are ways to break out of the sandbox.
Of course any plugin should run in a sandbox, but I think only Google Chrome actually does that. It may be a consequence of the Radioactive X disaster - just download and execute anything - which Microsoft introduced in the late 90s.
Preferred way to update Flash? (Score:2)
If Adobe doesn't do cleanup, God help us (Score:5, Interesting)
Besides couple of security issues which are only fixed by disabling javascript in Adobe Reader EXISTS today, scheduled to be fixed in 15 days, here are 2 examples of the culture who actually develops/packages the OS X version.
First, this is what you will see in your system.log, whatever browser you use:
[0x0-0x1f01f].com.operasoftware.Opera[157]: Debugger() was called
This is the current Flash, released just weeks ago. This is a packaging issue which nobody other than a complete newbie would make. They forgot the damn debugger symbol in the final binary they ship to millions. I also heard that if you are an unlucky developer who has Xcode open at the time when you go to a site featuring Flash, that "call" may actually break your own application's tests or running "from there". Amazingly stupid, eh? This has been reported to Adobe by many people: users like me, developers getting hit, browser vendors/developers (guess who users contact & blame when they see the browser name?), and they keep that debug symbol, even ignoring the latest chance to get rid of it weeks ago.
Want to see more? Here is a bug reported for ages, years, since the early OS X days: disk permissions broken while installing Flash. This is some amazing thing which even Apple is constantly bugged about, and one of the perfectly valid excuses of the "permission repairer" people in OS X land. Of course, as Apple really secured the permission repair process, meaning hundreds of thousands of files will be validated before "repair", it also means 20 mins of an insanely system-loading process even on the highest-end machine. I actually had access to an opto Xeon (8x Xeon) machine with 16 GB of RAM and just fired up "repair permissions" just to see if it is affected by CPU/RAM specs. No, still 13 mins.
No need to paste 10s of lines mentioning very stupidly wrongly set permissions. Note that Apple is also to blame a little; perhaps Adobe could care if they had a bug report coming from @apple.com with thousands of pieces of user feedback attached. If I know Apple well enough, they must have reported it to Adobe several times, since their bug reporter department even finds shareware vendors from the web once they spot that their application causes the issue. So, chances are high that these pathetic idiots also ignore Apple Inc. themselves reporting issues, no matter how trivial they are.
So, Adobe needs to do the debugger symbol and permissions cleanups, or they must get rid of the idiots who forget a debugger symbol in a final product used by millions and can continue living their lives as if nothing happened.
PS: Intego, Symantec... Do you read these stories? McAfee, do you read your own white papers? Is the code which will check the swf files on the fly up and running? Or are you still developing sigs for imaginary threats and impossible-to-run Word macros? Don't blame people when they call you snake oil sellers if that is the case.
get to work on gnash, then (Score:2)
Bad headline (Score:2)
"Flash to be top hacker target" has a far different connotation than "we anticipate...".
Every now and then... (Score:2)
Every now and then, some writer tosses up some words like "Cybercriminals have long targeted xyz products due to their popularity". They don't. Criminals are lazy. They attack weak and easy spots first. It has nothing to do with "popularity". If it were, apache http servers would be the most attacked server application of them all - and they aren't.
Packaging... (Score:2)
Currently I have to wade through a bunch of retarded forms and sign a corporate distribution agreement and wait a few hours so they will send me a link to an MSI so I can update flash.
Put an MSI on your home page that I can download in a few clicks and push out via Group Policy.
With a deb, I can update all the linux systems I manage using cssh, wget to grab the deb, and 'dpkg -i' to install.
If they're not will
Re: (Score:2)
> They could start by releasing a *&^#@ MSI file for Windows and a deb/tar/rpm for Linux.
They have packages. Check www.adobe.com and look under Linux.
Re: (Score:2)
> > They could start by releasing a *&^#@ MSI file for Windows and a deb/tar/rpm for Linux.
> They have packages. Check www.adobe.com and look under Linux.
Are they finally up to date? I remember a year or so back that they were slightly outdated.
But the one that really hurts is no Windows MSI. I can easily install a deb to 500 linux machines using cssh. I can't easily install some stupid EXE with lots of clicky installer bullshit to 500 machines without going insane. When managing a large Windows network, I've found you *must* have MSIs to mass-install software. That's the whole reason we aren't using Firefox anywhere. Can't easily deploy it.
Re: (Score:2)
FrontMotion (http://www.frontmotion.com/Firefox/) keeps (fairly) updated copies of Firefox on their website ready to push in .MSI format. They are also signed.
This may not be something usable in a lot of places (FrontMotion isn't a company that everyone knows, so people would be leery of trusting their signatures), but it can be useful in some cases.
Re: (Score:2)
Now you want them to buy another computer and set up a KVM switch so they can use both on the same desk and actually remember which one is which and why they need to do this?
It's not going to happen.