Adobe Flash Remote Code Execution Flaw Exploited In the Wild 187
An anonymous reader writes "Adobe has released an emergency patch for a critical vulnerability affecting Flash Player for Windows, Linux, and OS X, the exploitation of which can result in an attacker gaining remote control of the victims' systems. The flaw is being actively exploited in the wild, but apart from crediting its discovery to researchers Alexander Polyakov and Anton Ivanov of Kaspersky Labs, no details about the ongoing attack has been shared."
They even updated the explicitly unsupported NPAPI GNU/Linux version.
Shocking (Score:5, Funny)
Re: (Score:1)
The Internet is a security flaw.
Browsers are have security risks. The plugin model has security risks. Any client on an end-user's machine that runs code is a risk.
Is Flash really any worse? Is it any worse than any other plugin? Is it any worse than javascript? Any worse than the browser itself?
Nice to see Adobe releasing fixes and crediting the researchers at least.
Re:Shocking (Score:4, Informative)
I don't think Adobe could really just decide not to fix this and ignore the researchers who brought it up. Hardly something to praise.
Re:Shocking (Score:4, Funny)
Godwin in one, two -- three posts!
A winner!
Re: (Score:1)
It's ok, it's a fair comparison.
Devil's avocado (Score:2)
Comment removed (Score:4, Insightful)
Re: (Score:2)
Seriously try out any video in Flash+ VP6 and compare it to HTML V5 H.26x and disable hardware acceleration (which is a bandaid designed to cover up how big a pig H.26x is) and look at the numbers yourself.
So you're essentially saying that turning off hardware acceleration is going to require Core2 specs to play video?
Let's do this: play H.264 on an original iPhone (i.e., youtube app) and tell me why it's performant. That's a seriously slow (400mhz older ARM) processor compared to even a mid-decade Intel part.
How is any of this a good comparison? Your rant is not meaningful whatsoever.
Re: (Score:2)
The iPhone 2g has hardware h.264 acceleration. So why is its general purpose CPU speed relevant?
Re: (Score:2)
Consider:
Re: (Score:1)
Is Flash really any worse?
Yes.
Is it any worse than any other plugin?
Yes.
Is it any worse than javascript?
Yes.
Any worse than the browser itself?
Yes.
Any more questions? Yes!!!
Re: (Score:1)
Re: (Score:2)
As you know, Flash can be disabled (or at least set to Click-to-play) on any non-braindead browser. Because of that alone, Flash cannot be worse than any browser.
Meanwhile, Javascript allows instantly redirecting you from any page to today's "Your Flash Is Outdated" malware page - with the back button never bringing you back to the page you were reading.
Oh, and you haven't encountered IE's ActiveX plugins, which have less sandboxing than Flash.
Re: Shocking (Score:2)
Re: (Score:2)
Not much longer? (Score:3, Insightful)
Re: (Score:3)
Re: (Score:2)
Actually IE is the reason flash won't die! That and XP users who can't upgrade to a modern browser. As long as websites cater to them the longer they wont upgrade.
IE 6 lasted for 12 years as a result of this cycle back and forth waiting for the other to upgrade. Corps liked and locked them down and website makers worked for free for +10 years supporting them so why change?
If IE 8 gets below 5% then expect youtube and porn sites to phase out flash.Right now it is the worlds most popular browser thanks to Chi
Re: (Score:1)
Right now probably isn't the best time to argue about XP users. Sure, XP is still strong at ~30% market share, but the real question is: how much of that 30% is corporate? All corporate machines will move to Windows 7 either by May 2014 or at the very latest, the end of the year. Having an unsecured environment is simply not an option for most corporations.
I know my current company is still in the process of switching to Windows 7. We have ~2,000 people on site, and ~600 XP machines. Coincidentally, th
Re: (Score:2)
Right now probably isn't the best time to argue about XP users. Sure, XP is still strong at ~30% market share, but the real question is: how much of that 30% is corporate? All corporate machines will move to Windows 7 either by May 2014 or at the very latest, the end of the year. Having an unsecured environment is simply not an option for most corporations.
I know my current company is still in the process of switching to Windows 7. We have ~2,000 people on site, and ~600 XP machines. Coincidentally, that's right at the 0.30 mark, but it should be noted that we don't have a 1:1 people:computer ratio. I forget how many computers we have, but it's over 4,000.
From the website point of view, there's really no reason to hold out once Windows XP is phased out. All other systems can handle HTML 5(well, the systems with large enough market share to matter), which means all the website will have to do is put up a banner saying "You are missing the required plug-in, please click the following link to upgrade your browser." as opposed to "You are missing the required plug-in. Please click the following link to install flash."
Either way, it's one click, one download, and one install. People who are smart enough to install flash should also be smart enough to install a browser that supports HTML 5, even if they don't know what HTML 5 is or understand why their current browser can't support it.
Conversely, just because IE 6 or 8 has x% of market, doesn't mean all of those machines need or require flash.
Alternatively, other platforms that people are familiar with, like smart phones, consoles, tablets, are all HTML 5 compatible. If they get used to seeing HTML 5 features, like stopping a .gif, they'll get to a point where they need/severaly want that feature. That alone will drive them to update their desktop web browser.
Very little is corporate now. Most have already upgraded or in the final stages of phasing out the XP boxen from the internet all together.
The majority now are grandmas and Chinese with pirated copies with Windows Update disabled and IE 6 for the latter in Asia. Home users do not know any of this and are sitting ducks with no IT department to protect them.
I really wish MS would give a friendly polite warning to let them know support is ending soon and you have a few weeks to upgrade before security updates
Re: (Score:2)
Re: (Score:2)
We're, at the very least, seventy three libraries of congress away.
Re: (Score:1)
How far away are we from gaining a critical mass of website who don't necessarily need flash anymore, with the arrival of HTML 5? How long before the scale tips?
When most of the popular casual games are non-Flash.
Even knowing all the evils and dangers of Flash, if I for some reason were forced to stop using most websites and had to chose only a few to continue using, this [flasharcade.com] would be on that list of what to keep (I'm a tower defense game addict).
Casual games for mobile platforms (Score:2)
Use HTML5 instead (Score:2)
[Availability of mobile games] doesn't change anything when people are on their PC
The Android SDK includes a device emulator that lets the user use a mouse to generate touch events. But more importantly, any 2D Flash game can be recreated in HTML5 unless a developer expects a lot of players stuck on IE 8 with no privileges to install Chromium or Firefox, and with Windows XP becoming officially insecure in 61 days, that's set to decline rapidly. Cookie Clicker is HTML5, as are most of the incremental games inspired by it.
or don't have a large screen tablet with keyboard and mouse accessories (many games categories are not suitable for mobile screen, or touch).
It doesn't have to be a full alphabetic keyboard accessory; it can a
Re: (Score:2)
Didn't we already pass critical mass? I uninstalled Flash from my system over a year ago and don't run into Flash very often these days. If you're using a Flash blocker, you may have an inflated sense of how many sites still rely on Flash, since many of them will detect that you have Flash installed and will attempt to serve up a Flash version of the page (which your blocker will then block). In contrast, if you outright uninstall Flash, they'll serve up a Flash-free version of the page.
At this point, the o
Adobe Flash now rendering beta.slashdot.org! (Score:2)
Slashdot has taken the obvious next step and adopted Flash as the new interface for beta.slashdot.org [slashdot.org]! Adobe, the Industry leader of web technologies, hailed Dice Holdings, Inc. on their commitment to innovation and is in works with Dice to create a premium Dice Toolbar [TM] to further enhance the two companies' browsing authority.
Re: (Score:3)
Re:Not much longer? (Score:5, Funny)
Yet more arguments against having Flash, then.
Re: (Score:3)
Yet more arguments against having Flash, then.
Quite a...wait for it....Zynger! :)
Re: (Score:2)
Exactly. And nothing of value was lost. :-)
Re: (Score:2)
Geez, have to explain everything here
Re: (Score:2)
Re: (Score:3)
This is simply untrue. This is the experience if you have Flash unavailable on a desktop browser but plug that same URL into, for example, an iPhone and an iPad and the desired content ALWAYS loads.
The failure to deliver HTML5-compliant content on YouTube to desktop browsers is a strategy on Google's part and has nothing to do with the availability of HTML5 content.
Re: (Score:2)
What is this strategy accomplishing?
Videos unavailable on mobile (Score:2)
plug that same URL into, for example, an iPhone and an iPad and the desired content ALWAYS loads.
Not always. When I navigate to some YouTube videos on my first-generation Nexus 7 tablet, sometimes I get "The content owner has not made this video available on mobile. Add to playlist to watch it later on a PC." This is even more common on Vimeo.
Re: (Score:2)
That really doesn't answer GP's question ;)
Re: (Score:2)
http://www.youtube.com/html5 [youtube.com]
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Wait are you talking about Flash, or HTML5, because you seem very confused.
Re: (Score:2)
Re: (Score:2)
It does NOT do the same jobs that Flash did, especially web animation and gaming
In what way? As far as gaming is concerned Stage3D and WebGL are very similar but native is further ahead as you can take advantage of specific platform and hardware features.
What has HTML V5 given us? It has given us a billion proprietary apps to allow the same content that before could have been accessed by any browser with Flash
But that would mean that you couldn't make use of any platform-specific features or hardware optimizations until Adobe added them to Flash, that's a horrible situation to be in. For example Stage3D does not support OpenGLES 3.0 but the iPhone5s does as does particular hardware on Android 4.3+. Not to mention there would be no consisten
Re: (Score:3)
Thank your corporate IT masters for using IE 8.
As long as IE 8 is still supported webmasters will refuse to let flash die. Since they support IE 8 it gives no incentive to the corps for leaving IE 8 and it is a cycle all over again where IE 8 is the IE 6 of this freaking decade.
Also 5 years ago is when youtube first supported HTML 5 h.264 videos. Still to this day 50% of the videos wont work without flash. Sigh. Worse if you try to go in without it a big red banner saying "FLASH NEEDED". Ignorant computer u
Re:Not much longer? (Score:5, Funny)
Because he'll save every one of us!
For crying out loud ... (Score:3)
Adobe Flash has been a security hole for at least 10 years now.
That people still use it (or install it) boggles the mind.
I won't even install it on my machines.
Re: (Score:2, Interesting)
But iDevices couldn't view "the whole web" (though Android can't either now) because Apple wouldn't let this exploit vector on iOS. Seems Steve Jobs really was pretty smart to tell Adobe to fuck off with their bloated malware
Re:For crying out loud ... (Score:5, Interesting)
Agree.
I'm a long time apple hater, but when I read that letter regarding flash, I was nodding the whole time.
Flash is a pile of junk, and if they are going to go all walled garden, flash seems a great thing to keep out of said garden.
Re: (Score:3)
Seems Steve Jobs really was pretty smart to tell Adobe to [expletive] off with their bloated malware
Or, maybe he was just smarting from Adobe's prior treatment of Apple, as Walter Isaacson and others [businessinsider.com] have reported.
Re: (Score:3)
Re: (Score:2)
You know, I have yet to find more than a few places where I truly don't have a choice. And all of those are work-related and maybe only 2-3 times/year.
For those, my work laptop with IE is what gets used. But there is little else that I discover which uses that. Certainly nothing I voluntarily use for my own purposes -- my current desktop is 5+ years old and has never had Flash on it.
I've only used VMWare workstation, not the web c
Re: (Score:2)
Re: (Score:2)
LOL, oh god, I am most definitely not claiming to be an authority on VMWare (or anything else for that matter).
I'm saying that for me, in my experience with the web, Flash is useless crap that I have no interest in. That I've successfully avoided using it for most of the last decade tells me that, for me, it's hardly indispensable.
2-3 times a year something work re
Re: (Score:2)
VMWare apparently wants more people to start paying for vSphere, so the ESXi 5.5 client supports basic features, but not the new stuff. Want that, you have to do a web client install, which means having vSphere up and running (and licensed.)
It would be nice if they dispensed with Flash as well.
Re: (Score:2)
It's kind of funny that VMware seems to be pushing for less dependence on Windows, yet I think you need flash in your browser even if you want to use the web client that's part of the linux-based appliance.
Re: (Score:2)
Re: (Score:2)
Do you think your browser is secure? every Firefox and Chrome feature releases contain critical security fixes [mozilla.org] and I don't hear people giving them the same treatment Flash get. I am not a Flash fan, but It is not fair how browser vendors are not blamed too for their bugs with the same emotion people talk about other technologies. Every time a Slashdot post talk about a new browser release never mention the security bugs, only the nice things
Re: (Score:2)
Hell no. Which is precisely why I have Noscript, disable 3rd party cookies, use a hosts file to block stuff, don't have Flash installed on my machine, use Ghostery and several other things to block as much crap as possible.
I don't trust the interwebs at all -- which is precisely why I refuse to allow arbitrary code to be executed by any random web site I hit.
Do I think that I'm 100% secure as a result of that? Nope. Do I think I've minimized the risk by disabling/unins
Re: (Score:2)
If I -have- to use Flash, I fire up a VM that has a normal (no admin access) user account and run it under a sandboxed Web browser. That way, if/when an exploit happens, it would have to be a very good one to get out of the sandbox and a full context as a user, get Administrator rights, then bash the hypervisor to get out of that.
Not 100%, but it is easy to use, and when done, a closing of the VM rolls all changes back.
Re: (Score:2)
Totally agree.
A have a Linux Mint VM which I use for such things, a completely unprivileged user and the user name is set to be fairly meaningless.
I treat Flash like a pointy object which needs to be handled with care.
Re: (Score:1)
> I won't even install it on my machines.
My sentiments exactly. One of the reasons I use Chrome: Don't have to install's Adobe's bloatware for Flash and/or PDFs. If a browser has security issues with plugins then you know there are bigger problems. :-)
Re: (Score:2)
Adobe Flash has been a security hole for at least 10 years now.
I keep wondering how something on the limited scale of Flash could still have an ongoing stream of security issues after all these years. Is there something about its design that's just inherently unsecure?
flashblock, ghostry, adblock, noscript, etc (Score:3)
+ standard user account and stop using XP.
Common sense folks.
Using a modern IE and Chrome is also a great defense. Firefox has no lowrights mode and is therefore not fully sandboxed even under a standard user account. As much as I prefer firefox as of late I can tell you from experience that those whose email accounts get hacked almost always use that browser. Hairyfeet mentioned this too in his journal with yahoomail sending out spam when browsing porn. Lowrights mode only works in Windows Vista or later so dump XP too if you need to be extra safe with extra kernel level sandboxing, ASLR, and additional DEP.
Chrome is nice in that its flash in Pepper has extra protection as well.
I recommend flashblock. I can still watch videos on youtube. I just need to click on it.
Adblock plus gets rid of questionable advertiser networks too that are known to be hacked by Russian mob folks so that ad video for toothpaste may have malware in a buffer overflow.
I personally do not use noscript as this would kill the web. Without javascript it is not useful and a big fucking pain the in ass UAC style to enable for each site. Enabling it makes you vulnerable all over gain. But if you are willing to put up with it it does a lot too.
Of course run an AV product. I know those with a smile say they are proud not to run it but I bet you $$$ 90% are infected and have banking trojans and God knows what else. Avast and Avira do not use hardly any cpu cycles or slow disk. The days of crappy Norton 360 slowing your system down to a 386 level are done mostly.
Re: (Score:2)
Re: (Score:2)
Unfortunately this is unreasonable to go in there everytime you need to watch a video from a site.
The good news adblock has an IE add-on which blocks most of the bad flash sites from hacked advertisers. [adblockplus.org]
Re: (Score:2)
I take the opposite approach. Most websites do not need Java for what I am using them for. But I have no interest in multimedia, mostly just the text parts.
For a very specific site for a specific task I'm willing to manually (temporarily) allow Javascript -- but my default position is not to allow it.
For me, I find there's very few contexts w
Re: (Score:2)
And style and preference too.
I find adblock and flashblock work extremely well. Modern browsers with lowrights mode sandbox the javascript fairly well and even IE 8 now supports XSS protection thankfully.
I also use Norton DNS which filters out known bad domains. While my system is not 100% perfect it is pretty darn secure with Avast running as well.
Choose software freedom. (Score:2)
Recommending any proprietary software to do any task is recommending a security hole. It's trivially easy for any proprietor to include code that spies on you, as computer programmers have long known and Edward Snowden has shown us again. No amount of experience running proprietary software will tell you what you need to know to fix its problems, share your fixes with others, hire others you have good reason to trust to fix problems on your behalf, or even allow someone you have good reason to trust to insp
Re: (Score:2)
No, it doesn't. It's the difference between a toddler who puts everything into his mouth, and an adult who only puts food from the A-list into her mouth.
Granted, one can die from taking contaminated pill from a legitimate bottle of Tylenol. But generally one doesn't die from visiting name brand w
PGP web of trust (Score:2)
Man, and about those third-party gate crashers. Mind if I bring a friend? How about a friend of a friend? How about a friend of a friend of a friend of a friend? Don't worry, he won't do drugs [...] Does anyone who ever attended high school think this is a good security model?
PGP fans seem to think so, and they call it the "web of trust".
Re: (Score:2)
User account control is pretty much useless in a single-user machine. It's a holdover from multi-user UNIX mainframes, where it perhaps worked, but we desperately need a good, convenient way to isolate individual programs and program instants run by the same user from each other. Maybe make every process run as a root of its own VM and only merge changes upstream when an upstream process requests it?
Re: (Score:2)
I know it is not cool to praise a Windows tidbit, but one interesting security benefit of Windows Vista and higher is it does tokens. Also lowrights mode as well with ACL. So in essence with UAC you send a token to wininet to run it on another account. With a standard account this is removed and you manually have to enter a password. This is useful for alot of XP and IE 6 related trojans that target users with a local admin account.
Just switching to a standard account even in XP hugely cuts down malware if
Re: (Score:3)
Complete FUD.
Yes by default it lets some non intrusive ads with a good security record. Follow the link above and it will disable all ads. I will let some in that I know that are safe to make sure websites get their bills paid. Just not ones that blast commercials and install malware.
Re: (Score:3)
here [adblockplus.org].
Basically by default it filters the bad ads. However you can filter all ads if you wish and that option is there. I like this method as to reward SOME advertisement if done properly to support websites.
Also the bad guys can simply get another host so your hostfile will always be out of date.
Re: (Score:2)
Is that you, Steve Gibson?
update-manager (Score:2)
Looks like it's already out for Ubuntu
to check and see your version:
http://www.adobe.com/software/... [adobe.com]
Why If I install it I tend to Click to Play Option (Score:1)
Its all been said before (Score:1)
PC editors (Score:2)
"They even updated the explicitly unsupported NPAPI GNU/Linux version. "
Afraid of pissing off one of the GNU zealots?
GNU/Linux as opposed to Android (Score:2)
Re: (Score:3)
It's simply a wrong comment. The NPAPI version of Flash is _NOT_ unsupported. 11.2 is the last version that will be made available as an NPAPI Linux plugin, but Adobe plans to keep fixing security issues in the 11.2 version plugin indefinitely.
---linuxrocks123
All software is buggy (Score:2)
No software in common use today is mathematically proven to be correct; therefore, all software is buggy.
The most likely place for bugs is in error handling code, because no matter how many tests you write it is impossible to simulate every possible error condition.
We hope that everyone walking into a store doesn't steal something. Only a tiny minority do but a much larger number could get away with it.
The same goes for software. Any halfway decent programmer can find bugs in error handlers. If he chooses t
Re: (Score:1)
Error Handling is one of the most annoying things to do in programming. Some people hate the whole exception handling mechanisms some languages have (be it for code elegance or performance), but I dread to think how to architecture system without those. Even with them it is still very annoying. I hope the next revolution in software engineering will probably be some more automatic way to handle errors, just like garbage collection was to memory handling.
Re: (Score:2)
Funny error handling and throwing an exception is the number 1 area used to 0wn Windows machines. The debugger will run the overflow at ring 0 everytime. It has been fixed for Windows 7 but IE 8 and XP you just need to crash IE to 0wn the system.
Re: (Score:2)
> I hope the next revolution in software engineering will probably be some more automatic way to handle errors, just like garbage collection was to memory handling.
That would be extremely nice; In the past I would of argued TINSTAAFL but now that 4-core 2.x GHz is starting to get common switching away from the fundamental root problem of "von Neumann architecture" might be an option. However I don't see anyone switching to the Harvard Architecture anytime soon which means yet another 40+ years of buff
That'd ban JIT (Score:2)
However I don't see anyone switching to the Harvard Architecture anytime soon
Modern processors already run a "modified Harvard architecture" with separate instruction and data caches. A purist would not even allow code to be copied from storage into RAM. A strict W^X policy, such as that implemented in iOS, would ban any JIT engine. And besides, executing code from the stack or heap is old and busted; a newer practice is return-oriented programming [wikipedia.org], which uses the "return from subroutine" instruction as a threaded code interpreter. All code in a return-oriented program runs from exe
Re: (Score:2)
Absence of proof is not proof of absence. Yes, very little code can be mathematically proven to be correct, but there’s still some room for either getting lucky, or having enough skill to recognize the portions of the code which are exposed to outside control and exercising extreme care & diligence in crafting that code to ensure that it can safely respond to every possible input.
The entirety
Formal verification (Score:2)
So how vuln are systems /w up-to-date browsers? (Score:2)
Are the browsers providing sufficient sandboxing, or is the situation the same as its been for the last 10 years? Does this flash vulnerability require another vulnerability in the browser ecosystem that has already been blocked in current versions?
And if nothing whatsoever has been fixed... (Score:2)
Is Flash -designed- to be impossible to sandbox? Cannot the browser vendors force adobe to bend and setup their plugin to be easier to sandbox? I don't understand why this is still a problem after all these years.
Re: (Score:2)
Flash is native executable code. It’s not encumbered by any sandboxing function in the browser. That’s by design.
Browser plugins are intended to be allowed unfettered access to the system so that they can accomplish tasks not normally possible within a browser. The only sandbox provided by most browsers relates specifically to JavaScript, and as far as I can tell, this is unrelated to JavaScript at all.
It’s possible that an OS level sandbox beyond the browser (like OS X AppSandbox, Linu
If there's no fork_in_jail() (Score:2)
It’s possible that an OS level sandbox beyond the browser (like OS X AppSandbox, Linux AppArmor, SELinux, etc.) might be able to contain an exploit within Flash, limiting it to a user account or a directory; but that would take some careful crafting in terms of OS sandbox configuration.
Then I guess exploits like these are the operating system publisher's fault for not exposing an API that lets a web browser program create and configure a suitable jail for its plug-ins.
I'm already updated? (Score:2)
Interesting. I just checked: the Flash bundled with my Chrome is the older version (but it's sandboxed to some extent). So then I opened up Firefox and checked the plugin version, and discovered it was already at the newest patched version. I don't recall any update, so I guess the Flash Player plugin updated itself in the background without me noticing, and actually managed to do that faster than Chrome did. Impressive!
Re: (Score:2)
Or you're already hacked...
This is ridiculous (Score:2)
It's pretty obvious that Flash has become one of those legacy products where there are only two guys in the entire company that know their way around the codebase. Both have developed chronic alcoholism from maintaining this disaster of a product for so long.
We need an alternative to Flash. An open source alternative which can be forked and maintained by anyone for years and years to come. Something without royalties, patents trademarks and is free to use and modify by whoever wants to and can be implemente
Cookie Clicker (Score:2)
2) Start Cookie Clicker [dashnet.org], play for a while, hire a couple grandmas, open the menu, and click "Export save". What you see is a JavaScript prompt box, which your web application can create using code like the following. Try it now by copying it into your browser's JavaScript console:
window.prompt("Copy this and paste it somewhere safe","Nobody desires pain for the sake of pain, but people endure it as part of seeking pleasure.");
One limit is that a prompt box does not support newlines; you'll need a custom
Re: (Score:2)
Let's just stop bagging on Adobe... At the least they are taking ownership of the issues they have
Are they? Have they run the Flash codebase through any of the half-dozen excellent source code analysis tools with a security team looking for undiscovered vulnerabilities? Are they being proactive at all?
It's closed source, so we don't know, but perhaps a third-party could certify their efforts and we really could become Adobe supporters.
Re: (Score:2)
There’s a word for that, and “proactive” isn’t the word. Close, but off by three letters.
I certainly can’t prove they haven’t taken these steps, but considering Microsoft made a BigThing years ago when they sent all their developers to security school and focused on Windows security (for what that was worth), you’d think Adobe might also want to highlight the fact
Re: (Score:2)
> Let's just stop bagging on Adobe...
1. When I have to work around some bullshit because the image editor I paid for (b)locks me from even viewing what it thinks are high resolution scans of money ... Adobe can fuck off.
* https://www.google.com/search?... [google.com]
* http://en.wikipedia.org/wiki/E... [wikipedia.org]
* http://www.rulesforuse.org/pub... [rulesforuse.org]
2. When they start charging "rent" for software as a service ... Adobe can fuck off.
IE and Safari do not support Stream API (Score:2)