New Zero-Day Flash Bug Affects Windows, OS X, and Linux Computers
An anonymous reader writes "Researchers at the Kaspersky Lab have uncovered a zero-day Adobe Flash vulnerability that affects Windows, OS X, and Linux. 'While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well.' Adobe has reportedly patched the bug for all platforms. Researchers first detected the bug from attacks performed on seven Syrian computers. The attacks seem to have been hosted on the Syrian Ministry of Justice website, which has led to speculation that these are state-sponsored vulnerability exploits. This speculation is further supported by evidence that one of the exploits was 'designed to target computers that have the Cisco Systems MeetingPlace Express Add-In version 5x0 installed. The app is used to view documents and images during Web conferences.'"
Long story short (Score:5, Insightful)
flash is equally bad on all platforms web guys please stop using it.
Re:Long story short (Score:5, Funny)
flash is equally bad on all platforms web guys please stop using it.
Hey ... look at the upside, feature parity across Windows, OSX and Linux ... even for bugs and exploits.
Re: (Score:2)
Hah. You should see my wine install. It only has IE6 and it's like a bug farm in there. Whenever something doesn't work in wine, I halfway suspect it has more to do with all the Windows viruses it has collected than any actual problems with wine.
Re:Long story short (Score:5, Funny)
flash is equally bad on all platforms web guys please stop using it.
Will nothing please you whiners? The Adobe Exploit Runtime offers simultaneous support across Windows, OSX, and Linux for a cutting edge vulnerability, and do we hear even a whisper of credit?
Re: (Score:2)
Get real. The NSA isn't allowed to talk about this stuff. Doesn't mean it's not true.
Re: (Score:2)
Not so fast... most of us Linux users are falling behind in our access to cutting edge vulnerabilities.
Sure we still have plenty of the old ones to play with, so it isn't all bad.
flash is dead (Score:1)
- or should be - long live the open alts.
Re: (Score:2)
Here is a serious answer -> All iPads, iPhones and newer Macs don’t use Flash. You don’t even need a browser, but can download hundreds of games, many of them for free. Most of those free ones are far better than anything using Flash. Many of those games even work without an Internet connection, which none of the Flash-based games do.
Re: (Score:2)
Here is a serious answer -> All iPads, iPhones and newer Macs don’t use Flash. You don’t even need a browser, but can download hundreds of games, many of them for free. Most of those free ones are far better than anything using Flash. Many of those games even work without an Internet connection, which none of the Flash-based games do.
Adobe quit writing Flash for Android a few years ago. YouTube works just fine; it breaks some sites, but in the long run we're better for it.
February 23, 2012
"Adobe has published roadmap for its Flash Player and its desktop counterpart, Adobe AIR. Overall the company expects Flash to cater predominantly to gaming and premium video markets. And as stated before, mobile version will no longer be developed."
Some replied to me about not being on a Win8 system as it was different somehow, the above was posted before M
Re: (Score:2)
Right, because Gecko and WebKit never have security vulnerabilities in them.
Re: (Score:1)
Right. And the only reason that the "desktop class" A7 isn't running Flash is because it's a threat to Apple's business model.
Re:Long story short (Score:4, Interesting)
Right. And the only reason that the "desktop class" A7 isn't running Flash is because it's a threat to Apple's business model.
Actually it was considered a massive security hole. This article seems to validate that opinion. Yeah, I know, there was ample evidence for that opinion back in the day too.
Re:Long story short (Score:5, Insightful)
One of the best things Steve Jobs ever did for the security of computing around the world is slowly crush Flash under his heel.
It's bad.
It's always been bad. Apparently, it will always be bad.
Just let it die. It's a CPU and memory hog (another good reason not to use it on mobile; the CPUs these days can handle it, but it's bad for battery life) and it's a massive security hole. Why in the world should it get a pass? Someone at Adobe should've nuked it from orbit years ago.
Re: (Score:2)
Apple for good reason does not allow Flash on any of their devices. I can still download it from Adobe for my Mac if I first change a setting in the control panel that by default prevents this. So far I have resisted the temptation. What I do instead is fool the Flash-infested websites, mostly videos, into thinking that I am using an iPad, and then like magic the video usually works just fine. There are many YouTube videos that behave this way. I don’t play games, so Flash might as well not exist.
Re: (Score:2)
One of the best things Steve Jobs ever did for the security of computing around the world is slowly crush Flash under his heel.
It's bad.
It's always been bad. Apparently, it will always be bad.
Just let it die. It's a CPU and memory hog (another good reason not to use it on mobile; the CPUs these days can handle it, but it's bad for battery life) and it's a massive security hole. Why in the world should it get a pass? Someone at Adobe should've nuked it from orbit years ago.
The inefficiency seems to be getting worse with time. My 2007 PC used to be able to watch 480p Flash videos no problem. Now it stutters and stalls, revving the CPU up to 100% while Flash draws in the 2D frame buffer with a crayon. And for inexplicable reasons there seems to be a memory leak: if I watch one YouTube video after another, eventually the Flash process approaches 2GB working set, and crashes. Doesn't matter the browser.
If I download the raw FLV file and play it in VLC, MPC-HC, etc the CPU sips po
Re: (Score:2)
The output we see isn't in flash, it's just video.
Flash should be relegated to "production tool only" status.
Video is inefficient (Score:2)
The output we see isn't in flash, it's just video.
And in an era of bandwidth caps not keeping up with advances in monitor resolutions, this transmission as video is an order of magnitude inefficient in bitrate. Why is it beneficial in the long run to just accept this gross inefficiency?
Re: (Score:2)
Unless you can force all the companies who manufacture video decoding ICs to also add Flash rendering capabilities to their chips, your argument is pointless.
How better than WebM? (Score:2)
Re: (Score:2)
Some do...
http://wiki.webmproject.org/ha... [webmproject.org]
Re: (Score:2)
Thanks; I wasn't aware that those existed. But among mass-market smartphones and tablets shipped in the past three years, how common are the SOCs with "Yes" in the "VP8 Decode" column? And what would keep a third-party SWF player from using OpenGL ES acceleration to render the vectors of an SWF?
Re: (Score:1)
They use Flash because for all the talk about alternatives to Flash, it's still *** BY FAR *** the best platform there is.
No, they use Flash because it's what they've used before, and because it's 'everywhere,' not because it's better.
Re: (Score:2)
Sure, you could download an exe file. No security risk there.
Re: (Score:2)
Surely there are cross-platform ways to deliver a game to a user without it running IN THE BROWSER, no?
I'll take you up on this deal. What might these "cross-platform ways" happen to be?
Re: (Score:3)
So, it's the least terrible solution (which is debatable) so therefore it's good?
Sorry, but Flash has been a giant security hole for about as long as it has existed.
You want to play casual games in Flash, that's your choice.
But I've been happily avoiding Flash for a decade or so, and have yet to find a single website I cared enough about to install Flash. Occasionally I need to use it for work, which means a very specific machine, running IE -- which is only used for these kinds of garbage that HR thinks I
Re: (Score:2)
More often than not you can fool most websites by telling them that you are using an iPad. That site will then happily show you the video. This works especially well on YouTube.
Re: (Score:2)
If I want games, I'll fire up a game console.
So what do you do when you see something like this?
Parent SHOULD NOT be modded flamebait (Score:4, Informative)
As unpopular as it is to say here on HTML-5-worshiping Slashdot, it's true. Flash can still do a lot of things that are either impossible on other platforms, or which suck on other platforms. Try implementing the average Flash game in HTML 5 (can't do it at all) or Java (can do it, but it will bring your system to a crawl) sometime.
Don't shoot the messenger just because you wish the message weren't true.
Re: (Score:3)
I just, like many others, wish someone would actually fucking *elaborate* on *concrete* *technical* hurdles of HTML5. We are not denying there are none, but just saying "you are clueless if you need to ask" is not going to help your position. We don't want to argue with you but we want you to actually explain yourselves. Gee, this thread is so frustrating.
SWF: 20 fps; SVG: 5 fps (Score:4, Informative)
I just, like many others, wish someone would actually fucking *elaborate* on *concrete* *technical* hurdles of HTML5.
HTML5 has no guaranteed audio or video codec. Some browsers support only free codecs from Xiph and On2, others only patented codecs from Dolby and MPEG-LA. HTML5 implementations in use provide no consistent way for the application to request access to the camera and microphone. Neither IE nor Safari implements the Stream API at all, and Firefox and Chrome implement prefixed (that is, proprietary) versions of it [caniuse.com]. And on my laptop in Firefox 28, this particle system [themaninblue.com] runs at 20 fps in Flash, 9 fps in HTML5 Canvas, and 5 fps in SVG. Unlike HTML5 JavaScript, ActionScript has static typing and class-style inheritance, and some developers prefer those. Finally, copies of old versions of Flash for making vector animations are sold on the secondary market; Edge Animate is available only on a rental basis through Creative Cloud. I'd be interested to see what workarounds you recommend for these.
Re: (Score:2)
Uh... what the hell is wrong with your laptop? That test is from 2010. I got 50FPS in HTML, 121 in Canvas, and 81 in SVG (rough averages, neither the highs nor the lows). I suppose I could try it in Flash but that would require enabling Flash, so no.
2-year-old Lenovo Thinkpad laptop, 1920x1080 display, Core i7 @ 2.5GHz, Windows 7, IE11.
Is your computer from a decade ago or something? MS has put a lot of effort into IE performance, but it's not supposed to be a factor of 12x-16x better than Firefox!
Re: (Score:2)
Uh... what the hell is wrong with your laptop?
Other than that it has an Atom N450 CPU?
Is your computer from a decade ago or something?
I bought it new in March 2010. The only laptops they had back then with a 10.1" screen had Atom CPUs.
Thinking Firefox 28 is at fault, I tried it in Chromium on the same laptop. HTML clocked in at 5-6 fps, Canvas at 18-22 fps, and SVG at 15 fps. Perhaps Firefox is a slow piece of you know what.
Thinking my machine is at fault, I went and tried it again in Chrome on a newer machine, a first-generation Nexus 7 tablet from mid-2012. Canvas and SVG tied at 16-20 fps, a
Re: (Score:2)
150-160 HTML, 120 canvas, 200-ish SVG.
1920x1080, Pentium G3420 $70 CPU, Ubuntu 14.04, Chrome. I am surprised how much better my numbers are.
Bigger PC (Score:2)
Re: (Score:2)
There is nothing that Flash can do on the millions of iPads, iPhones and modern Macs, because it won’t run on any of them. On the rest of the devices out there, such as Android and Windows, Flash can be and often has been a fabulous way for malware writers to infiltrate your device.
Re: (Score:2)
"Also, please elaborate on the massive HTML5 problems."
The fact that you're asking why HTML5 isn't usable for games just shows that you're really not familiar with either platform.
Please tell me you're not actually trying to make the case that HTML5 is usable for video game development.
Nature abhors a vacuum Lorizean. HTML5 sure isn't being ignored because it hasn't been hyped enough yet. As the other poster said, "show me Kingdom Rush written in HTML5 and I'll begin to think you're not a troll".
Cookie Clicker (Score:3)
Re:Cookie Clicker (Score:4, Interesting)
What sort of monster links people to Cookie Clicker without so much as a warning!
[I have 2M HC's.]
Re: (Score:2)
Good lord you're a maniac.
Re: (Score:2)
curse you for reminding me that exists i'm going to be wrangling gramas for weeks now
i've seen quite a few html5 games over the years, lemmings was one of them i can't really think of any else off hand, hell i remember seeing decent games back when it was called dhtml and the celeron 300A was around
anyway got hooked on fricken cookie clicker again before i even finished making this post so again curse you
Re: (Score:2)
Maybe only on a relative scale.
Like politicians.
Or actual piles of shit.
Re: (Score:2)
No. Software can actually be good.
Flash isn't, never has been, and probably never will be.
Re: (Score:1)
The problem is Adobe Co. They have zero desire to build anything proper.
Re: (Score:2)
There's definitely no argument there.
Re: (Score:2)
But, wait, didn't Adobe develop... oh, yeah, that's awful. But what about...? No, you're right, it's a usability nightmare. But you have to admit... no, wait you don't.
I give up. You're right. Adobe has all of the arrogance and user-hostility of Microsoft, but without the smart people that you can actually find at Microsoft.
Read your own link (Score:2)
The link you posted says it's fallacious to point out that SOMETHING is worse, that the thing under discussion isn't the WORST choice. That's a mistake because we should be looking for the BEST choice, not merely avoiding the worst one.
GP is arguing that Flash is the BEST choice in some scenarios, that ALL options are worse. That's fundamentally different from arguing that SOME options are worse. GP's argument is perfectly logical. Whether or not all of the alternatives actually ARE worse is another que
Re: (Score:3, Insightful)
Yawn... "another HTML5 is almost there" post. Technology is either here or it's vapor... And it's not here.
Re: (Score:2)
No, in between vapor and not vapor ... we have alpha and beta builds as intermediate states.
Of course, it can transition to either vapor or not vapor from those. I've seen a couple of alpha builds turn back into vapor in my time, and I've seen Google have stuff in beta for years.
Re: (Score:2)
For too many software development companies, "alpha" now means, "Hop on board now because this is the next new hotness, and you can be one of the cool kids." "Beta" now means, "We're bored with this and have moved on to something else."
Nobody ever finishes anything any more.
Re: (Score:1)
Dude is probably a flash 'developer' and doesn't wanna see his livelihood dry up.
2012 was, when most new CPUs ran Linux (Score:2)
Starting in April 2012, most new systems had Linux pre-installed. Not coincidentally, that same year most new systems were pocket sized.
Re: (Score:2)
You know it's funny, but I do take issue with the suggestion that shadertoy is written in javascript. It's not, it's written in whatever they call that shader language these days. The javascript just ships a bunch of shader code onto the graphics card, and then sits back and takes the credit. It's not even really HTML5 either, it's just a bunch of code running on your graphics card.
If you were to attempt to write an actual game in HTML5, with things like physics and opponent AI and all the stuff we've grown
Re: (Score:2)
Compared to Windows. All comparisons to product security are inherently compared to the most commonly used piece of software in the world, MS Windows. Microsoft in recent years has created a strong security culture, deploying patches rapidly and in a consistent manner.
Adobe, their collective soul to the devil, has not done this, despite being on many many platforms. A few years ago when the US DoHS went after Java for having awful security, the one they should have been targeting was Adobe. Both F
I never installed flash ... (Score:2)
It does not seem that difficult to go without flash and it is getting easier every day.
Re: (Score:2)
There are a number of things that require it. For me the big ones are MLB At Bat, WatchESPN, Hulu, and HBO Go.
Re: (Score:2)
There are a number of things that require it. For me the big ones are MLB At Bat, WatchESPN, Hulu, and HBO Go.
People are migrating to phones and tablets for such things.
Charging extra for mobile (Score:2)
Re: (Score:2)
Just for fun I tried to watch a video on Hulu with Safari and sure enough they told me I had to have Flash installed in order to watch their stuff. Then I told Safari to lie to them and tell them that I am using an iPad. Lo and behold, the videos worked like a charm. Why do sites like Hulu and others still require that people have this malware vector installed on their systems?
I have it disabled. (Score:5, Interesting)
I deliberately do not install Flash on my computers _and_ I deliberately choose to not install any of the third-party work-alikes.
If the content owner only publishes content in a SWF, it is not worth my bother to look at it. Okay, I can't view video clips in Facebook, but if it is an embedded youtube video, usually I can view it just fine by going to youtube's website.
Vector animations (Score:2)
If the content owner only publishes content in a SWF, it is not worth my bother to look at it.
Animutations and other vector animations are usually much smaller in their original SWF than they are when transcoded to MPEG-4 or WebM video. In this era of monthly caps, rendering to pixels can't always compete with the bandwidth efficiency of vectors. You're not going to get, say, "We Drink Ritalin" by Robinson Wilburn [albinoblacksheep.com] (parody fan video for the song "Hot Limit" by John Desire, which incidentally introduced me to DDR) as small in MP4 as it is in SWF, probably not even with H.266 when it does exist.
Okay, I can't view video clips in Facebook, but if it is an embedded youtube video, usually I can view it just fine by going to youtube's website.
If the
Re: (Score:2)
You do realize HTML5 supports vector animation?
Re: (Score:2)
Forgot a link...just some examples: http://creativedroplets.com/ht... [creativedroplets.com]
DIE FLASH DIE!!!
Edge Animate expires (Score:2)
Re: (Score:2)
I suggest you get a new laptop. I get 120fps on the 1000 object version at full quality. The argument that there are more tools for an old technology than a new one is missing the point. The tools will come and there are many ways to create SVG.
Re: (Score:2)
At 4000 objects Flash topped out at 30fps. I get over 60 for SVG and canvas.
Ship now (Score:2)
I suggest you get a new laptop.
Except for the Surface Pro, other 10" products I've seen are also Atom based. Or has Atom improved dramatically in the past four years?
The tools will come
That doesn't help if you want to deliver something now, not years later after the tools have come.
Re: (Score:2)
large commercial applications still on flash.
Porn.
Just call the CEO (as a parent from some morals protection group) and ask why they are still promoting that "porn player app". It'll get ported to something else on their IT department's double emergency overtime program.
Portable code ... (Score:2)
Seriously: why doesn't Flash just die? (Score:5, Insightful)
Re: (Score:3)
It is dying. Things don't die instantly in the software world, they just decline.
Re: (Score:2)
Some things die so slowly it seems you have to literally wait for the actual users to die. IE6 is one of those things. Flash is another.
Re: (Score:2)
I don't have Flash on my latest Linux laptop (Debian distro). And YouTube seems to work fine*. I suspect that they are already falling back to HTML5. The only people that seem to be hanging onto Flash are porn sites who want to do some digging around on your system in the background while you are fapping.
*The occasional annoying "you need a plugin ..." message but then the video just plays.
Re: (Score:2)
Yes, 2-way HD Video Chat on Desktop Browsers and Native Apps with Adobe Air. In a couple years real time video communication will be fulfilled in Browser with WebRTC, but WebRTC is not ready and only supported on a couple browsers. Until then the only reliable method to get 2-way HD Video Conferences in both the Browser and Native Apps is with Adobe Flex streaming to a Media Server such as FMS or Wowza.
Because nothing does a good job replacing it yet (Score:3)
There is a non-trivial demand for highly interactive stuff on the web. You may not be interested in that, but many people are and thus many developers are. Well, only Flash really does anything approaching a competent job of that. If you want to make something like a game, that runs on all the major browsers and all the major platforms, Flash can do that. Anything else, it is a crap shoot.
For example I remember when the HTML5 Angry Birds came out. Ok, interesting, I'd like to see that. In Chrome, it works m
Ahem. (Score:5, Funny)
http://i.imgur.com/TNz9k9G.jpg [imgur.com]
Re: (Score:2)
4,294,967,296 Internets to you sir! That's all the internets!
Re: (Score:2)
4,294,967,296 Internets to you sir! That's all the internets!
You know, with IPv6, you get 340,282,366,920,938,463,463,374,607,431,768,211,456 internets.
Re: (Score:2)
SFW, as long as you aren't drinking anything you wouldn't want to spit up on your keyboard when you're reading it, otherwise your employer's IT department might not be happy about having to deal with the results of your spit-take.
Uninstall Flash! (Score:5, Interesting)
I just reinstalled my OS a few weeks ago and never reinstalled flash. Despite a profuse amount of websurfing and watching videos here and there, I haven't needed flash yet.
Fewer annoying, moving, sound-producing site navigation controls, better battery life on my laptop when watching videos, and fewer horrible security vulnerabilities to worry about! Dumping Flash is something I should have done long ago!
Re: (Score:3)
Or just set it to "click to run", that way a redirect to a malicious website will do nothing, a compromised banner ad will do nothing so they'd have to compromise actual flash content on a site you use. For bonus points you don't see flash ads. And if it gets too annoying to do a single click extra, you can always set up an exception for that site.
Personally what I miss the most these days is a setting to really block everything from opening up a new tab/window, no matter what link I clicked. Despite having
Re: (Score:2)
Yours might not. My bank doesn't use flash.
Re: (Score:3)
If your bank is pushing the use of Flash, you *SERIOUSLY* need to consider changing establishments.
Re: (Score:2)
Right, because there's never critical vulnerabilities in widely-used open source software. I mean, anything as sensitive as, say, an SSL library would obviously be thoroughly tested and code reviewed to prevent any kind of trivially exploitable error that looks like something a CS freshman student might make. Thank goodness neither OpenSSL nor GnuTLS are required by any common free software, for example...
Adobe crapware or gnash (Score:2)
The summary doesn't say.
Re: (Score:2)
...Shumway [areweflashyet.com]. Sometimes it has an advantage to run a VM in a VM.
So you can game while you game?
Re: (Score:2)
'Zero-day' no longer carries any meaning.