Adobe Patches Nine Vulnerabilities In Flash

jones_supa writes Adobe has patched nine vulnerabilities in Flash Player — four of which are considered "critical" — in order to protect against malicious attackers who could exploit the bugs to take control of an affected system. Adobe acknowledged security researchers from Google, McAfee, HP, and Verisign. Flash's security bulletin contains more information on the vulnerabilities. The issues are fixed in mainline Flash Player 16.0.0.257 (incl. Google Chrome Linux version), extended support release 13.0.0.260, and Linux standalone plugin 11.2.202.429.
  • by Anonymous Coward

    Hey, mozilla, please implement proper MSE support, so that youtube actually works thank you!
    Hey DICE, please use HTML5 video for slashdot thank you!

    • by cheekyboy ( 598084 ) on Thursday January 15, 2015 @07:39AM (#48818323) Homepage Journal

      please mark flash as spyware, please kill flash!!!!

      Any business that still wants programmers to make apps in flash are stupid, HULU, please recode your apps.

      Besides Flash/Flex, AS, just purely suck as a language, utter putrid crap.

      Please make all firewalls block flash.

      Make firefox not even accept flash plugins, ban it , black list it.

• Thank XP and corporate users.

        IE 8 is the world's most popular browser as a result

      • by l0ungeb0y ( 442022 ) on Thursday January 15, 2015 @09:28AM (#48818729) Homepage Journal

        Any business that still wants programmers to make apps in flash are stupid

        Name one other way to transmit a live video & audio stream from the browser that works across all major platforms that doesn't require a download and install.

        Besides Flash/Flex, AS, just purely suck as a language, utter putrid crap.

        AS3 is essentially Java with most of the same features as most other strongly typed OO languages.

        Please make all firewalls block flash. Make firefox not even accept flash plugins, ban it , black list it.

        Yes, let's kill off browser-based internet video chat for the next few years and go with vendor specific implementations from Google and Apple! No one should be able to create a video app until Google lets them! Flash needs to die, but the fact is HTML5 has yet to provide a means to provide device access and a streaming AV codec. Sure, Opus is great, but not the standard and will likely never be adopted by Apple and WebRTC is great, but not the standard and has issues with implementation requirements (ICE servers, Turn/Stun).

        • Exactly. It's all very well hating on Flash for whatever reason, but until the newer technologies can do the same jobs, and do them at least as well as the older technologies they are replacing, this is an apples to oranges comparison.

          Why does anyone think the browsers themselves don't have similar security problems, and won't have more when they offer the same kinds of functionality as the insecure plug-ins we've used in the past?

          • by Anonymous Coward

            Because browser vendors have been learning from their mistakes, and tend to develop sandboxed APIs that we complain about for not being as fast because they're a bit more secure. Generally speaking. In fact the browsers of today can handle the vast majority of what Flash can do already, and often better because they don't break the user's browsing experience as readily.

            • Why do you think all the browsers will be able to implement sandboxed APIs for these kinds of functionality successfully, when no major plug-in in history has been able to do so?

              If there were a browser that was written using truly robust coding practices, the kind of thing you'd use if you really were writing safety-critical software, then maybe I'd buy that. But they aren't. Like most commercial software, browsers prioritise speed of development and to some extent run-time performance over quality. And the

      • No conversation on earth is private. Everything youve seen on Startrek has already been done all by Lockhead Skunk Wor

        Try Star Trek and Lockheed instead.
    • by Futurepower(R) ( 558542 ) on Thursday January 15, 2015 @09:29AM (#48818733) Homepage
      The Flashblock extension [mozdev.org] apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?

      Adobe's Flash software is abusive to users, in my opinion. From the Better Privacy [mozilla.org] Firefox extension web page, re-written for clarity:
      Some properties of Flash-cookies (LSOs):
      1) They don't expire. They stay on each computer for an unlimited time.
      2) By default they offer a storage of 100 KB. Normal cookies, 4 KB.
      3) Browsers are not fully aware of LSOs; they often cannot be displayed or managed by browsers.
      4) Using Adobe's Flash, companies store and access highly specific personal and technical information (system, user name, files, ...).
      5) Flash sends the stored information to servers without the computer user's permission.
      6) Some Flash applications are not visible to the user. Not all Flash applications display anything.
      7) There is no easy way to tell which Flash-cookie sites are tracking you.
      8) Shared folders allow cross-browser tracking; LSOs work in every Flash-enabled application.
      9) Adobe doesn't provide a user-friendly way to manage LSOs. Management is very cumbersome.
      10) Many companies make extensive use of Flash-cookies.

      Apparently Adobe develops software but doesn't check for flaws. There have been 24 new versions of Adobe's Flash software in one year, if I count correctly, since v11.9.900.170 in January of 2014. (The latest version is v16.0.0.257.) As the Slashdot story mentions, the flaws were found by other companies, not Adobe.

      One purpose of the extremely frequent updating may be to push users to allow Adobe to do its silent updating, giving Adobe control over users' computers.

      Now, apparently, Flash applications will not work unless the latest version of Flash is installed. That's apparently another way Adobe pushes users to allow Adobe to do silent updating, using the Windows operating system service Adobe calls ARM: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

      Apparently the former Adobe CEO, Bruce Chizen [wikipedia.org] became tired of managing, because Adobe was, in my opinion, poorly managed for years before Mr. Chizen was replaced in 2007. Bruce Chizen is on Oracle's board of directors. Birds of a feather flock together?

      The present Adobe CEO, Shantanu Narayen [wikipedia.org], is, in my opinion, a very poor manager. For example, an organization with which we are acquainted paid $2,000 to update to an Adobe CS6 suite. CS6 came with old versions of some Adobe programs, and an Adobe representative justified that practice.
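Item 7 in the list above says there is no easy way to tell which Flash-cookie sites are tracking you. The scanner below is an added example, not code from this thread, from Adobe or from the Better Privacy extension: it walks a Flash Player #SharedObjects directory, totals the .sol files per site, and flags any site whose LSOs exceed the 100 KB default quota the list cites. Two things it relies on are assumptions from memory rather than anything on this page: the on-disk layout (<root>/<random id>/<site>/<path>/<name>.sol, with <root> at ~/.macromedia/Flash_Player/#SharedObjects on Linux) and the .sol header layout (00 BF, 4-byte length, "TCSO", padding, 2-byte name length, name). It builds its own constructed sample tree so it runs offline; point it at a real directory to audit a machine.

```python
"""Inventory Flash Local Shared Objects (LSOs, "Flash cookies") by site.

Added example, not code from the thread. Assumptions (not stated on the page):
  * Flash Player stores LSOs as <root>/<random id>/<site>/<path>/<name>.sol,
    with <root> being ~/.macromedia/Flash_Player/#SharedObjects on Linux.
  * A .sol file starts: 00 BF | uint32 BE body length | 'TCSO' | 6 bytes
    padding | uint16 BE name length | name | uint32 AMF version | AMF data.
"""
import os
import struct
import tempfile
from collections import defaultdict

DEFAULT_QUOTA_BYTES = 100 * 1024   # the 100 KB per-site default the list above cites


def make_sol(name, payload=b""):
    """Build a minimal .sol byte string with the assumed TCSO header.
    Used only to construct the offline sample tree below."""
    body = (b"TCSO" + b"\x00\x04\x00\x00\x00\x00"
            + struct.pack(">H", len(name)) + name.encode("utf-8")
            + b"\x00\x00\x00\x00" + payload)          # AMF0 version word, then data
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body


def parse_sol_name(data):
    """Return the shared-object name from a .sol header, or None if the bytes
    do not match the assumed layout (so junk files are not counted as LSOs)."""
    if len(data) < 18 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        return None
    (name_len,) = struct.unpack(">H", data[16:18])
    name = data[18:18 + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", "replace")


def inventory(root):
    """Walk root and total LSO bytes per site.

    Returns {site: {"bytes": int, "objects": [names], "over_quota": bool}}.
    Only files that parse as .sol are counted; the site is the second path
    component below root (after the random id directory)."""
    sites = defaultdict(lambda: {"bytes": 0, "objects": [], "over_quota": False})
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            name = parse_sol_name(data)
            if name is None:
                continue
            parts = os.path.relpath(full, root).split(os.sep)
            site = parts[1] if len(parts) > 2 else "(unknown)"
            entry = sites[site]
            entry["bytes"] += len(data)
            entry["objects"].append(name)
    for entry in sites.values():
        entry["over_quota"] = entry["bytes"] > DEFAULT_QUOTA_BYTES
    return dict(sites)


def build_sample(root):
    """Constructed sample tree (made-up sites and contents, not real data)."""
    files = {
        ("ads.example", "tracker.sol"): make_sol("tracker", b"\x00" * (150 * 1024)),
        ("video.example", "settings.sol"): make_sol("settings", b"\x00" * 512),
        ("video.example", "player", "pos.sol"): make_sol("pos", b"\x00" * 64),
        ("video.example", "notes.txt"): b"not an LSO",   # must be ignored by the scan
    }
    for parts, data in files.items():
        path = os.path.join(root, "ABCDEF12", *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo_inventory():
    """Build the sample tree in a temp dir and return its inventory."""
    root = tempfile.mkdtemp(prefix="lso-demo-")
    build_sample(root)
    return inventory(root)


if __name__ == "__main__":
    import sys
    # Point at a real #SharedObjects directory, or run without arguments for the sample.
    result = inventory(sys.argv[1]) if len(sys.argv) > 1 else demo_inventory()
    for site, e in sorted(result.items(), key=lambda kv: -kv[1]["bytes"]):
        flag = "OVER DEFAULT QUOTA" if e["over_quota"] else ""
        print(f"{site:30} {e['bytes']:>8} bytes  {len(e['objects'])} object(s) {flag}")
```

The header check matters more than it looks: the #SharedObjects tree on a real machine also holds settings files and leftovers from crashed writes, and counting those as tracking cookies would inflate the report. Because the quota applies per site, the totals are grouped by the site directory rather than by file.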
      • by Anonymous Brave Guy ( 457657 ) on Thursday January 15, 2015 @09:45AM (#48818823)

        Do you realise that many of the criticisms you're directing toward Flash -- about rapid updates, numerous security fixes including some that were found by others, auto-updating, and so on -- could also be directly aimed at Chrome?

        Chrome is an application that actively circumvents the main Windows security model so that it can update executable code on the user's machine without the administrative privileges usually required to install and modify applications. The day someone breaks into Google's update mechanism for even a short time, whether technically or from within the organisation, the damage will be astronomical.

        We could discuss related issues with Microsoft's recommended security models and how much of that update mechanism is actually suggested by Microsoft itself rather than Google, but the facts of what Chrome is doing and the potential danger associated with it are still the same regardless of whose idea it was.

        •

          by e70838 ( 976799 )
          Chrome is a proof that the main Windows security model does not work.
          • Chrome is using the wrong parts of that model for what it does.

            I agree that giving it the ability to opt out is an error from a system security point of view, but not opting in anyway is on Google.

        • by brunes69 ( 86786 )

          The risk of the "potential danger" of someone cracking into Chrome's update mechanism and pushing out a rogue update, is exponentially over-weighed by forcing client endpoints to always have the latest security patches - so I totally disagree with the premise of your post. It is far, far, far better for the security of the web as a whole to ensure browsers always have the latest security updates. The near-forced auto-update mechanisms of Firefox and Chrome are some of the best things to have ever happened t

          • The risk of the "potential danger" of someone cracking into Chrome's update mechanism and pushing out a rogue update, is exponentially over-weighed by forcing client endpoints to always have the latest security patches

            Chrome is the most used browser by some way among private individuals. If anyone cracked its auto-update mechanism, every one of those users could be subject to having their private data uploaded without even knowing it, resulting in the usual problems like fraud and identity theft, and/or encrypted and held for ransom, or just deleted.

            The actual cost would depend on how fast Google identified the problem and recovered. Obviously if they found it within a few minutes and shut down the system that would redu

        • "... many of the criticisms [directed] toward Flash... can also be aimed at Chrome"

          I agree. That's why I stopped using Google's Chrome browser. On one computer I checked,
          Google installed 3 system services:
          Google Update Service (gupdate), "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
          Google Update Service (gupdatem), "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
          Google Updater Service (gusvc), "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.ex
      •

        by Anonymous Coward

        The Flashblock extension [mozdev.org] apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?

        Only if you also have AdBlock installed. There is a "bug" when you use both. You can fix it by adding "youtube.com##div#theater-background.player-height" to AdBlock's exception rules.

      • by Anonymous Coward

        The Flashblock extension [mozdev.org] apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?

        The problem is not with Flashblock. Flashblock works just fine with YouTube. I think you're running into an AdBlock Plus issue.

        If you have trouble with YouTube on FF 35, then you need to go into AdBlock Plus, Filter preferences, Exception Rules, and add the following:

        youtube.com###theater-background

    • Disabling Flash makes this site a whole lot better.
  • by AchilleTalon ( 540925 ) on Thursday January 15, 2015 @06:38AM (#48818195) Homepage
    Given the track record of Flash, I would say they patched 9 and introduced 18.
    • I'm not sure whether their patches add bugs, or whether their original code quality was so atrocious that they are trying to fix a transfinite number of flaws by removing them at a finite rate.
      • by gtall ( 79522 )

        It is a bit worse than that. It is a curious fact that Flash contains more bugs than can actually exist in the code...it is considered among philosophers to be akin to Russell's Paradox. The latest scientific explanation involves higher order quantum mechanics and several new and very odd dimensions. The best theory I've seen so far is that Flash is bit like quantum soup with a black hole in hiding in the extremely odd extra dimensions. Virtual bugs and fixes appear in pairs, but curiously, only the fixes a

        • "The best theory I've seen so far is that Flash is bit like quantum soup with a black hole in hiding in the extremely odd extra dimensions."

          That is not just a joke, it is a direction of useful inquiry.

          We need to philosophize about why a company would be so horrible toward its customers. Okay, probably not involving the quantum soup and black holes of Physics, but instead the quantum soup and black holes of Sociology.

          There is some recent Slashdot sociological inquiry about Bill Gates and a cancer cu [slashdot.org]
    • by v1 ( 525388 )

      I don't understand how software that's been around THIS long could still be pumping out "critical" security bugs by the dozen.

      • Perhaps it's a conspiracy to create more opportunities to monetize it via bundled adware. Then again, never ascribe to conspiracy that which can be adequately explained by incompetence. [wikipedia.org]

      • by tlhIngan ( 30335 )

        I don't understand how software that's been around THIS long could still be pumping out "critical" security bugs by the dozen.

        It's a typical case of "cost center".

        Flash Player is free. It's developed and distributed for free. That means it costs Adobe money to put development effort into it.

        Adobe makes money selling software, and free software like Reader and Flash Player make no money for Adobe, other than potentially encouraging people to buy their tools by making a large market available.

        But still, it cos

    • I would honestly say given the track record of Flash ... why the hell are people still running it?

      Flash has been a gaping security hole as long as it has existed.

      How anybody can pretend that it hasn't been leaving a series of security issues in its wake for over 15 years is mind boggling. Many of us have actively blocked/disabled it for at least 10. I don't even install it on personal machines, and I disable it on work machines except for the 2-3 things per year which I am required to do which won't work

      • because "The Internet". My wife doesn't care about internet ideals. She just wants to get her work done. There are lots of sites that she needs to do her work that require Flash... These are places that hired out their web-dev and don't have fulltime staff.. They're not going to hire someone to come and fix something that is apparently working. My wife's computer doesn't auto-update so I hear from her once a week to update her Flash plugin because it's "blocked" again by Safari.

        Fucking irritating and I
    • by Burz ( 138833 )

      Given the track record of Fedora, the update will hit the mirrors in about 2 days.

  • Why in the world are we still using this completely unnecessary software?
    •

      by Anonymous Coward

      Youporn.

    • by Anonymous Coward

      Are you asking why we're using dumb clients parsing HTML+Javascript when we have machines more powerful than an '80s supercomputer sitting on our desktops?

      Good fucking question, bro. The reason is simple: capitalism. Money can be had by giving people control ("PC on every desk") but even more money can be had by making people believe that they should not have control ("cloud!").

      As for Flash vs HTML+Javascript, well, browsers had a long period - i.e. lasting a good decade - of regular serious insecurities. P

      • Ah the good old days of DLL hell, deployment of updates taking hours or days instead of minutes, the upgrade treadmill, VB6 et al. What a joy it must've been.

      • Yeah because Java is so much more secure and mobile friendly

        • But why do we think it is a good idea for arbitrary websites to be able to run arbitrary code? That's completely idiotic.

          Flash and Java are one of those things that expect you to run your browser in the least secure possible configuration (let anybody run anything) on the offbeat chance you might need it somewhere.

          Which means you let all of the rest of the websites you visit run anything they want to for no good reason.

          Since Flash is mostly a security hole used by advertising, and the few sites I've seen w

          • There are literally billions of people on the Internet. The fact that you don't find Flash or Java applets useful for anything -- given your own personal lifestyle, interests, location, businesses and governments you deal with, other technologies available, and so on -- does not mean that no-one else in the world does. Although the number of users is steadily trending downwards and alternative/replacement technologies are getting more capable, as a matter of fact there are still millions and millions of peo

            • What needs to change is ancient IE FAST!

              The good news is mobile now is ahead of the PC with mobile sites with graphics and smoothness. This is because Apple invented much of the HTML 5 specs and pushed it with the iphone. I may not like Steve but now it is forcing website makers to make 2 sites. If China can use SSL rather than Active X plugins written for IE 6 it will finally drop below the radar for PHB to tell webmasters to target. Your site may not be in Mandarin but he looks at statistics where China i

          • Because grandmas with IE 7 complain that the internets do not work on your wizbang HTML 5 site. Or your boss threatens to fire you if you do not cater to 98% of all customers.

            This means IE 8 hacks and Flash to make up for the fact it is from last decade. If you don't, another webmaster in India needing money happily will, and the grandmas will keep on using IE 7 like there is no tomorrow since everything keeps looking fine for her.

            This continues until we see a whole freaking decade with no web innovation. Tha

    • Why in the world are we still using this completely unnecessary software?

      Because at a point a few years back it was the only viable solution available to do some of the things flash does. There was no realistic alternative for several years. That gave it a very large installed base and large installed bases don't go away just because they later become inconvenient.

      One of the smartest things Apple did in recent years was to keep flash out of iOS [wikipedia.org] so it could never get an installed base on that platform. Solved a whole host of inevitable security and performance problems AND it

      • Because at a point a few years back it was the only viable solution available to do some of the things flash does

        Define 'viable' -- do you mean it was the only sufficiently insecure platform which allowed arbitrary execution of code on the host machine?

        The ever cookies? The ability to spy on your microphone and camera? How about providing endless security holes, hacks, exploits, privilege escalations, and who knows what else?

        I'm afraid we differ on the meaning of the word 'viable'.

        If you consider giving a

        • The ability to spy on your microphone and camera?

          There were explicit prompts for permission before accessing those peripherals with a default answer of "no", which is hardly spying.

          In any case, how would you have suggested that someone implement a videoconferencing tool five years ago, without using any of these plug-ins you hate so much because you claim they don't do anything useful and just create security problems?

        • Define 'viable' -- do you mean it was the only sufficiently insecure platform which allowed arbitrary execution of code on the host machine?

          It was the only platform available at the time to do certain tasks on the web the way people ("developers" especially) wanted to do them particularly tasks relating to video. There was nothing else comparable at the time. I never claimed it was a good or secure solution, merely that it was the only game in town. Warts and all. A lot of code was written to utilize flash and that sort of thing doesn't go away overnight even when it should.

          Flash is a great example of private technology and interests gettin

          • Flash was GREAT and at one time A SAVIOR.

            Remember when .WMV was taking over the web? Flash freed us by not having IE 6 and MS define multimedia. You go to YouTube and through Flash it worked on Linux, Mac, and PC.

            I remember Ask Slashdot had questions on .WMV proprietary media tools for the Mac as he didn't want to lose visitors and no one used QuickTime anymore and IE 6 had 90% marketshare anyway etc.

            Today yeah it is obsolete but it defined video streaming last decade. It worked regardless of browser and did thi

      • by gtall ( 79522 )

        I think the reason Apple refused Flash was a bit more mundane; it sucked energy and would have made the iThings unviable in a consumer market addicted to Flash. The fact that it was a security nightmare was just icing for whacking the entire cake.

        • by sjbe ( 173966 )

          I think the reason Apple refused Flash was a bit more mundane; it sucked energy and would have made the iThings unviable in a consumer market addicted to Flash.

          The biggest reason Apple refused flash was because it would have circumvented their requirement that developers code natively for iOS. At the time iOS was still young, Flash was still important on PC browsers and Apple essentially would have abdicated control of their development environment to Adobe.

          • Not at all. One of the last footholds of Flash is the ability to write a Native App for iOS and Android with Adobe AIR. What Steve Jobs was talking about was the Flash Browser plug-in -- which was unviable as a mobile browser experience. Hell, Google bent over backwards to give Adobe everything they claimed Apple denied them and couldn't get it to run in a stable or usable manner on Android.
            • One of the last footholds of Flash is the ability to write a Native App for iOS and Android with Adobe AIR.

              That is by definition not a native app. It can behave like one but it's not the same thing.

              What Steve Jobs was talking about was the Flash Browser plug-in -- which was unviable as a mobile browser experience.

              Here is what Jobs said [apple.com] about Flash. Note the bit where he said:

              "We know from painful experience that letting a third party layer of software come between the platform and the developer ultimately results in sub-standard apps and hinders the enhancement and progress of the platform. If developers grow dependent on third party development libraries and tools, they can only take advantage of platform enhancements if

              • I just read his statement and to me I got flash sites are crap on his phones and 3rd party deciding is bad.

                HTML 5 would not be here without Steve Jobs (no I am not a mac fan). It got off the ground as you could use HTML 5 and CSS 3 for gradients and other effects and video. Flash did not have a mobile mode and scaled and performed poorly.

                It forced web developers to learn HTML 5 for mobile sites and of course with its popularity for -webkit helped Android too with mobile site apps which are now trying to jer

  • by Viol8 ( 599362 ) on Thursday January 15, 2015 @07:24AM (#48818287) Homepage

    No, didn't think so. I guess at some point Flash in firefox will just stop working because so many sites will require a more modern version. Funnily enough I don't think I'll care.

    • I had trouble with my version of Flash not working with some sites but found a website describing how to make use of Pepper Flash (part of Chrome) with Firefox and it worked for me. I forget the details but it involved using some free flash player and linking to the Pepper Flash files in the Chrome directory.
    • by caspy7 ( 117545 )

      Hopefully by that point project Shumway will have arrived.

  • This update will require a reboot and completely disrupt your current workflow until you do.

    Reboot now or crash you browser?

  • The download page crashed FF Nightly. Classy++

    • by rnturn ( 11092 )
      Heh. I couldn't get FF to even download it. A portion of the download "form" was obscured and inaccessible under FF. I had to fire up Opera to see the complete form and do the download.
  • by winphreak ( 915766 ) on Thursday January 15, 2015 @07:55AM (#48818367)

    Luckily, Flash crashes before any malicious code can be executed!

  • This sort of thing happens every month. Microsoft, Oracle, Apple, etc. This is news?

  • Flash is useless on my 192dpi laptop. Everything is so tiny or sometimes only fills up the top left 25% of the box. Adobe doesn't ever seem to care -- https://bugbase.adobe.com/inde... [adobe.com]

  • Management figures it's just used for viewing porn sites.
