Slashdot Mirror


New Adobe Flash Vulnerabilities Being Actively Exploited On Windows and OS X

Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."

167 comments

  1. Die Flash, Die by Anonymous Coward · · Score: 5, Funny

    I know many will rush to disagree with me but Flash cannot die soon enough...

    1. Re:Die Flash, Die by Anonymous Coward · · Score: 5, Funny

      This is German for "the Flash, the".

    2. Re:Die Flash, Die by Anonymous Coward · · Score: 0

      I disagree with you.

    3. Re:Die Flash, Die by jbeaupre · · Score: 3, Funny

      Yeah. Remember that time, about 70 years ago, when a bunch of Americans and British were running around Europe yelling "The German!" So silly.

      --
      The world is made by those who show up for the job.
    4. Re:Die Flash, Die by Anonymous Coward · · Score: 1

      Also, "The cabbage"

    5. Re:Die Flash, Die by NatasRevol · · Score: 1

      Especially if you're a sysadmin who has to manage installation & updates.

      http://www.bynkii.com/archives/2013/02/wtf_flash.html

      --
      There are two types of people in the world: Those who crave closure
    6. Re:Die Flash, Die by trum4n · · Score: 0

      I still hear people say "the Pennsylvania Dutch." Idiots. It's Deutsch.

    7. Re:Die Flash, Die by Beorytis · · Score: 4, Informative

      Actually no. Although the term shares its origin with the ethnonym "Deutsch", in the local dialect of English spoken there, it's "Pennsylvania Dutch". Not idiots. Just not speaking your idiolect.

    8. Re:Die Flash, Die by rudy_wayne · · Score: 1

      I know many will rush to disagree with me but Flash cannot die soon enough...

      The problem is not Flash. The problem is the absolute incompetence of Adobe. Despite being a large company with lots of resources (programmers, money, etc) they are unable to produce a piece of software that isn't filled with exploitable security flaws. No software is perfect, but this is ridiculous. No, it's beyond ridiculous.

    9. Re:Die Flash, Die by Anonymous Coward · · Score: 0

      I know many will rush to disagree with me but Flash cannot die soon enough...

      I'll rush TO agree with you.

    10. Re:Die Flash, Die by Anonymous Coward · · Score: 0

      Yeah. Remember that time, about 70 years ago, when a bunch of Americans and British were running around Europe yelling "The German!" So silly.

      Sorry. I wasn't alive 70 years ago. I suppose you had a laptop made out of stone when you were a kid?

    11. Re:Die Flash, Die by smallfries · · Score: 1

      I know many will rush to disagree with me but Flash cannot die soon enough...

      But.. but... he saved every one of us!

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    12. Re:Die Flash, Die by Anonymous Coward · · Score: 0

      They are German, not Dutch. That's what I was pointing out.

  2. Are there non-malicious uses? by fuzzyfuzzyfungus · · Score: 3, Interesting

    I realize that implementing embedded flash objects in Office documents was probably something that mostly happened because Microsoft wanted OLE to make embedding arbitrary stuff in arbitrary stuff happen (unlike Adobe's sick fetish for inserting horrible things into PDFs, which is their own damn fault); but do Flash embeds in Office documents actually occur, in the wild, as something people would actually do and distribute, for anything other than malicious purposes? I honestly can't remember ever having seen a single one, ever.

    1. Re:Are there non-malicious uses? by Anonymous Coward · · Score: 0

      I've seen Flash animations and the like embedded into PowerPoint presentations after being downloaded from some website. I don't know how common that is but I've seen it in academia when a textbook publisher offers animations or video on their website in the Flash format and the professor wants to show it during a lecture without having to quit out of the presentation.

      Granted, you could state that using PowerPoint is malicious intent in and of itself.

    2. Re:Are there non-malicious uses? by Anonymous Coward · · Score: 0

      They get forwarded around the office. Everything is stuffed inside office documents. The nanny software lets them through. They must be OK. They've been checked. Yeah?

    3. Re:Are there non-malicious uses? by tibit · · Score: 4, Informative

      People use Word documents to send freaking pictures around, because they don't know they can paste into Paint. They don't know how to send weblinks either, so they paste it into Word and send it on.

      --
      A successful API design takes a mixture of software design and pedagogy.
    5. Re:Are there non-malicious uses? by antdude · · Score: 1

      Ugh, and old Windows' Paint to send as big bloated BMP images. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    6. Re:Are there non-malicious uses? by cbhacking · · Score: 1

      Relatedly, I believe the reason that Word is being used as the exploit vector on Windows is because it doesn't have the sandboxing of IE/Firefox/Chrome. While you could get a lot more people to run the Windows attack code if you posted it on websites, it doesn't do any good when every popular browser newer than IE6 is locked down to not be able to launch arbitrary programs or write to most of the filesystem or registry.

      --
      There's no place I could be, since I've found Serenity...
    7. Re:Are there non-malicious uses? by riscthis · · Score: 1

      Relatedly, I believe the reason that Word is being used as the exploit vector on Windows is because it doesn't have the sandboxing of IE/Firefox/Chrome. While you could get a lot more people to run the Windows attack code if you posted it on websites, it doesn't do any good when every popular browser newer than IE6 is locked down to not be able to launch arbitrary programs or write to most of the filesystem or registry.

      Actually from Office 2010 onwards it does have a sandboxed mode which is triggered based on the origin of the document:
      http://blogs.technet.com/b/office2010/archive/2009/08/13/protected-view-in-office-2010.aspx

      Incidentally I'm not sure Firefox has a sandbox as such at least on Windows - e.g. it doesn't run as a low integrity process like IE.

    8. Re:Are there non-malicious uses? by Green+Salad · · Score: 1

      Maybe. I've seen it in business Power Point presentations...and hated it *every* time. If I'm going to waste time, let me do it on Slashdot.

      To an impatient, time-pressed captive audience, a lengthy mandatory canned video is "almost malicious." Just give me five bullet points, ask for my decision and get out of my hair.

      Typical: Putting a lengthy flash animation such as "All Your Base Are Belong to Me" at the beginning of a power point presentation to sell me on centralized systems management. I'm already irritated before the core of the presentation is given.

      While I'm complaining, let me throw in another crazed rant. Creating a 2 sentence message in Microsoft Word or .PDF then emailing it as an attachment, is *just* as annoying as the mandatory flash animations.

    9. Re:Are there non-malicious uses? by Anonymous Coward · · Score: 0

      Yes, people embed videos in PowerPoint so they can be played within their presentations. See for example: http://www.youtube.com/watch?v=hChq5drjQl4

  3. Related to 57 patches for IE next Tuesday? by Billly+Gates · · Score: 2

    I wonder if this and Java are related to the HUGE monster security update for IE?

  4. And replace it with what? by popo · · Score: 3, Interesting

    And replace it with what? The atrocity also known as HTML5 which is not write once run anywhere, is an absolute bear to code and despite the hype is nowhere near suitable for gaming yet?

    There's a reason Flash is the world's most popular online multimedia platform. It's not without issues, but it is lacking a worthy contender.

    --
    ------ The best brain training is now totally free : )
    1. Re:And replace it with what? by Anonymous Coward · · Score: 0

      Silverlight will save us! Oh right, about that.

    2. Re:And replace it with what? by Billly+Gates · · Score: 5, Interesting

      Yep. HTML 5 can offer hardware acceleration on pretty much any mobile device.

      The reason for flash was that Java was an ugly POS and people did not want to wait a full minute for their ugly applets to load while flash was all nice and pretty and loaded instantly.

      Flash also exists because of IE. Old IE I may add as IE 9 and IE 10 got their act together and support the HTML 5 video tags. When IE 10 comes out for Windows 7 and XP goes EOL we will see a shift in websites catering to HTML 5 users making flash obsolete for all but the conservative businesses.

    3. Re:And replace it with what? by Anonymous Coward · · Score: 0

      You do realize that for these types of things, "conservative businesses" means "all businesses"

    4. Re:And replace it with what? by Billly+Gates · · Score: 2

      Businesses only upgrade if they have a case. Having websites and cloud services move to HTML 5 is a pretty darn good business case to upgrade. In the past IE 6 had such a strong marketshare that they didn't have to worry about as webmasters were forced to cater to it.

      According to statcounter.com IE 8 usage is falling fast to 14% in the weekdays and 10% at the weekends. IE also is getting auto updated with Windows Update and before did not which is why grandmas kept using IE 6 for many many years. When that number hits 5% IE 8 you can expect websites will start focusing on HTML 5 and CSS 3.

      IE 8 may remain for many corps for years but it won't be all business this time around because of the things stated above. I mean they didn't stick with Mosaic for 10 years did they?

    5. Re:And replace it with what? by gstoddart · · Score: 4, Insightful

      There's a reason Flash is the world's most popular online multimedia platform.

      Can you tell us what that is?

      For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.

      --
      Lost at C:>. Found at C.
    6. Re:And replace it with what? by Anonymous Coward · · Score: 1

      Flash is write once run only on Flash Player (of an equal or higher version).

    7. Re:And replace it with what? by Anonymous Coward · · Score: 0

      Interesting how silverlight, which has all the features flash has, and is much faster, and is installed on 50-75% of all machines worldwide, is not something we hear about.

    8. Re:And replace it with what? by Anonymous Coward · · Score: 5, Insightful

      There's a reason Flash is the world's most popular online multimedia platform.

      Yes. DRM.

    9. Re:And replace it with what? by Anonymous Coward · · Score: 0

      Nothing, don't replace it because it is totally un fucking necessary.

    10. Re:And replace it with what? by Anonymous Coward · · Score: 0

      And replace it with what? The atrocity also known as HTML5 which is not write once run anywhere

      As opposed to flash, which is write once and exploit everywhere.

      Are you starting to see the problem here?

    11. Re:And replace it with what? by Anonymous Coward · · Score: 0

      The only value Flash adds to the internet is for web advertising (*). The vast majority of video hosting sites have already shifted to HTML 5 and web gaming is a shrinking market which leaves only advertising. So long as advertisers build their content delivery around Flash, it will still have legs. As soon as they shift to HTML 5 (which I expect to happen in the next 2 years), Flash will be all-but-dead.

      And everyone, including Adobe, knows this. The only people who don't are grognards holding on to the past where Flash was relevant. It isn't any more. Adobe is building out HTML 5 editing tools and has abandoned Flash for Android. They see where things are going.

      *Saying that Flash adds value to the internet due to advertising amuses me greatly because both Flash and advertising are two of the most hated things on the internet...

    12. Re:And replace it with what? by Anonymous Coward · · Score: 0

      I block Flash ads as well, but it's completely myopic to suggest that they don't provide "value" for website owners. Flash is used for adverts because it works. Deal with it.

      For video, I've yet to see a HTML5 player that works as well as Flash. It's an okay fallback for iDevice users, but nothing you'd want to foist on the general public.

      Games/Animation: not that I really care about this either, but for those who do, HTML5 seems like it's stuck in the NES era.

    13. Re:And replace it with what? by amicusNYCL · · Score: 1, Interesting

      Can you tell us what that is?

      Like he said, it doesn't have a viable feature-comparable alternative.

      For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.

      Cool story. Meanwhile, even here in 2013, our company started in 1996 is still selling new Flash-based learning courses to companies and government agencies worldwide, and they're still ordering new ones. It's easy for the artists to work in, the code to run the courses hasn't needed to be patched or updated in several years, and the major time expense is still having people write the actual instructional content.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    14. Re:And replace it with what? by gstoddart · · Score: 3, Interesting

      I block Flash ads as well, but it's completely myopic to suggest that they don't provide "value" for website owners.

      Yeah, but is it of value to users? It isn't for me, and I'm not here to provide value for website owners. As a user, requirement for flash means the back button.

      Flash is used for adverts because it works. Deal with it.

      Flash gets blocked/not even installed by me and other users because it's crap. Deal with it.

      I'm not going to allow Flash ads for any reason -- and if the only thing of value is for ads, that pretty much is what I already thought.

      For video, I've yet to see a HTML5 player that works as well as Flash

      Maybe it's my age showing, but the number of times I feel like I want to watch a video on the internet is vanishingly small. As in, I have no idea the last time I cared enough to watch a video on the internet. Same for games.

      I don't give a rat's ass if other people want to run Flash -- run wild, it's your computer. But I'd be hard pressed to name a single thing that has ever made me think "gee, I've been missing out by not having Flash".

      --
      Lost at C:>. Found at C.
    15. Re:And replace it with what? by jythie · · Score: 1

      Developer community and 3rd party library support tend to trump things like speed or capability. A language and its VM can be fantastic, but if you have trouble hiring people or finding packaged libraries to include, then its utility is restricted.

    16. Re:And replace it with what? by gstoddart · · Score: 1

      Cool story. Meanwhile, even here in 2013, our company started in 1996 is still selling new Flash-based learning courses to companies and government agencies worldwide, and they're still ordering new ones.

      Yup, and it's products like yours why I periodically have to go open up the browser of insecurity (IE) to access because it's the only one what has Flash enabled. Usually 2-3 times per year some company-mandatory crap needs it.

      But for day to day use? Flash is disabled or just simply not installed because I have no trust in it, and it mostly is used for annoying ads. I periodically hit a site which requires Flash for any navigation -- those sites get a back button and never visited again.

      --
      Lost at C:>. Found at C.
    17. Re:And replace it with what? by Kagato · · Score: 1

      Most media options are done in flash. Any type of subscription based service that runs in the browser is flash because there is no standard. And it's going to stay that way so long as Microsoft is going to be a dick and insist everyone else uses their tech for secure streaming.

    18. Re:And replace it with what? by ColdWetDog · · Score: 2

      And you can argue with this being a feature - or a bug. Just recently finished some course work over at the American Heart Association website. Flash, natch. The structure of which has not been changed for a decade. The same poorly thought out navigation, the same IE centric, buggy code. Just some new content.

      Yes, it's AHA's decision not to spend the money to really look at what they are doing, but it's a pretty standard business practice. If it ever worked, it's good enough.

      If I ever find the person(s) responsible for that abomination, they'd best hope I don't have a defibrillator handy.

      --
      Faster! Faster! Faster would be better!
    19. Re:And replace it with what? by Anonymous Coward · · Score: 0

      silverlight was the last flash killer to come and go. MS have announced they intend to let it die, though it is questionable whether it ever lived. 1% of sites used it.

      html5 will have its role on the web, but like html4, xhtml etc. as it turns out it's good for text and pictures and not much else.

    20. Re:And replace it with what? by miknix · · Score: 2

      For video, I've yet to see a HTML5 player that works as well as Flash.

      Youtube's? In fact, youtube switches to html5 every time when it can, guess what? I don't even notice.

    21. Re:And replace it with what? by westlake · · Score: 4, Interesting

      For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.

      You're entitled to your opinion.

      But Flash remains a remarkably viable platform with mature development tools for animation, video and games. Amanita Design comes vividly to mind with games like Samorost, Machinarium, and Botanicula.

      Animation in ads and badly designed websites don't go away simply because their developers have migrated to HTML5.

    22. Re:And replace it with what? by JDG1980 · · Score: 4, Insightful

      And replace it with what? The atrocity also known as HTML5 which is not write once run anywhere, is an absolute bear to code and despite the hype is nowhere near suitable for gaming yet?

      It's true that for this one particular use-case, Flash may still have an edge against open technologies. But 99% of the Flash on the web is either ads or videos. We don't want to see the ads anyway, and HTML5 makes embedding videos without Flash in a standards-compliant fashion relatively easy. And remember, if your site relies upon Flash, no one with an iDevice will be able to use it correctly. And that's not going to change. In contrast, HTML5 videos work fine on both desktop browsers and portable devices.

      If the only thing Flash is good for is some types of online gaming, then many users don't need it at all, and for those who do, it should be set by default to use a whitelist and only permit the plugin to be invoked on domains that are specifically authorized by the user.

    23. Re:And replace it with what? by Anonymous Coward · · Score: -1

      Go back under your rock, you nasty old curmudgeon. YOU provide no value, either, so you should be ignored as you ignore Flash. Present something reasonable, not just your shitty, moronic opinion.

      *clicks Back*

    24. Re:And replace it with what? by gstoddart · · Score: 0

      Go back under your rock, you nasty old curmudgeon.

      Aww, how sweet ... that's the nicest thing anybody has said to me all week.

      Present something reasonable, not just your shitty, moronic opinion.

      But ... it's all I've got.

      Seriously AC, go stick your penis in your ear. Or your rear if you're into that sort of thing.

      --
      Lost at C:>. Found at C.
    25. Re:And replace it with what? by Anonymous Coward · · Score: 0

      Can you tell us what that is?

      The reason is Youtube. I wish Google would go ahead and switch it to HTML5. All the browsers are ready for it now.

    26. Re:And replace it with what? by cbhacking · · Score: 4, Funny

      Good for you... but it turns out that a fair number of the most popular websites on the entire WWW play videos, typically in Flash, and they are watched by people of all ages (perhaps more among the younger set, but certainly not exclusively). Quite a few sites (perhaps not individually the most popular, but a massively common *class* of site) also serve lots of Flash video, although for legal reasons they are only supposed to be watched by adults. People also like to watch videos of events they couldn't make it to and listen to streaming music, both of which are common uses of Flash. You can do web-based video chat or even videoconferencing using Flash (Google Talk can do this, for example).

      I don't like Flash, and I certainly don't trust it; I keep it tightly curtailed where it's installed at all. However, it's definitely useful in some cases. HTML5 is catching up, but not fast.

      --
      There's no place I could be, since I've found Serenity...
    27. Re:And replace it with what? by cayenne8 · · Score: 1

      Maybe it's my age showing, but the number of times I feel like I want to watch a video on the internet is vanishingly small. As in, I have no idea the last time I cared enough to watch a video on the internet. Same for games.

      With me, and my age is getting up there too....I feel I'm watching more and MORE video on the web, but to learn things!!

      I'm trying to learn a lot of video and image editing software and tons of stuff out there from tutorials, to special tricks, differences in versions, etc.

      And if you're into DIY, well, again, youtube and the like are the first places I look for before I even search for text or blogs on things these days.

      I've not been into games in a couple of decades, but for any new project, software or activity I'm interested in, I look first to online videos to get me going.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    28. Re:And replace it with what? by Anonymous Coward · · Score: 0

      1. Flash is easily blocked, HTML 5 will not be
      2. Flash can be allowed on a per-instance basis, HTML 5 will be hard or impossible to run on a per-instance basis
      3. Flash is rarely used to construct entire sites, HTML 5 is aimed at being used for entire sites
      4. Flash segregates a lot of multimedia away from other content, this is a very good thing, HTML 5 does the opposite.
      5. Do you want Flash vulnerabilities or HTML 5 vulnerabilities? You can pick both of course but you can't pick none.

      n. I saw her standing there? Use the right arrow to walk to the right to the girl and start the game/story/artwork.

      Flash games are easily the most creative and fun, just avoid anything related to Facebook or other social media. Sites like Newgrounds and Kongregate are hotbeds of small independent digital creativity where anyone can publish.

      The games one can find there are the modern equivalent to the games of Nintendo, Commodore64, and SNES as well as rogue/NetHack, Colossal Cave, and any *nix games pack. They're not the same but they're the same spirit.

      Have you played Red Rogue (open source btw)? Infectionator? Kingdom Rush? Cursed Treasure? Epic Battle Fantasy 3? Elements or Tyrant? Decision 2? Formula Racer 2012? New Star Soccer? Faultline? You might not like any of them but it's the main alternative to "3D FPS only" "big studio" games.

    29. Re:And replace it with what? by Anonymous Coward · · Score: 0

      Flash is write once run only on Flash Player (of an equal or higher version).

      Mods, this is INSIGHTFUL as all get-out!

    30. Re:And replace it with what? by Anonymous Coward · · Score: 0

      I do. The HTML5 player "buffers" worse than RealPlayer and seek/skipping video often breaks it (Chrome). Also, even on Youtube, the HTML5 player is not feature-equivalent to the Flash one. Why do you think they still serve Flash by default?

    31. Re:And replace it with what? by Onan · · Score: 1

      It backfires a bit when your argument in favor of Flash being at the heart of a vast and vital industry is citing a company no one has ever heard of and three games that no one has ever heard of.

      It sounds as if you live in some tiny little niche universe in which "multimedia platform" is a thing. But you should be aware that for nearly everyone else out there, those words are not even meaningful, much less describe anything important or desired.

    32. Re:And replace it with what? by Onan · · Score: 1

      >>> ...online multimedia platform.
      >> Can you tell us what that is?
      > Like he said, it doesn't have a viable feature-comparable alternative.

      That... doesn't answer the question. If your argument is that Flash is so awesome because it's the best "online multimedia platform", then you're going to have to back that up to what the fuck an "online multimedia platform" is and why I would want one.

      Because yes, like many others in this conversation, I have only seen Flash used for things that I quite strongly did not want happening in any browser of mine. So if the only consequence of Flash's death is that those things couldn't happen anymore that sounds to me like a huge improvement.

    33. Re:And replace it with what? by AmiMoJo · · Score: 1

      Today it does. If Flash hadn't been around five years ago it would have been forced to use RealPlayer.

      Flash may be BUFFERING bad, but BUFFERING Rea BUFFERING lPlayer is even worse. Think about that.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    34. Re:And replace it with what? by Anonymous Coward · · Score: 0

      It provides high quality games just like IOS and Android do :)

    35. Re:And replace it with what? by Anonymous Coward · · Score: 0

      I don't think I've played a Flash game since 2001 or so. I can live without cellphone minigames in a web browser.

      CAPTCHA: dwarfed

    36. Re:And replace it with what? by jader3rd · · Score: 1

      For video, I've yet to see a HTML5 player that works as well as Flash.

      Block Flash in your browser. Go to a website that'll fall back to HTML5 if Flash can't be found (I only know of youtube and funnyplace.org). You might see some warnings about Flash not being loaded, but you can still see the vast majority of the videos.

    37. Re:And replace it with what? by Anonymous Coward · · Score: 0

      Why do you think they still serve Flash by default?

      duh! because not all videos are converted to webm yet?

    38. Re:And replace it with what? by Anonymous Coward · · Score: 0

      but it turns out that a fair number of the most popular websites on the entire WWW play videos, typically in Flash,

      And there is no good reason from any of those to be using flash.

    39. Re:And replace it with what? by Anonymous Coward · · Score: 0

      This. No mature authoring environments, crap support and acceleration that only works for certain CSS3 properties. Let's re-invent the wheel once again - after all, we can't possibly have something that already works - and doesn't use JS. It's the 1990s all over again!

      I love seeing the JS evangelists stumbling all over themselves to do basic animations that were done years ago - AS IF IT'S NEW. Not only is it old-school, but it demonstrates a distinct lack of creativity. Bah!

    40. Re:And replace it with what? by amicusNYCL · · Score: 1

      Yup, and it's products like yours why I periodically have to go open up the browser of insecurity (IE) to access because it's the only one what has Flash enabled. Usually 2-3 times per year some company-mandatory crap needs it.

      If only there was a viable alternative. I haven't seen a good way to synchronize audio with animation, or to let a non-programmer create good artwork, for that matter. Until an HTML5/SVG authoring environment comes along which can export projects that have all of the functionality of Flash and can be used by an artist, we're stuck with Flash. Flash can export some things to HTML5, but it drops a lot of features when it does so.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    41. Re:And replace it with what? by amicusNYCL · · Score: 2

      It's gotten worse lately, now with Captivate and Articulate being released, anyone who can type can create online learning content. I've seen plenty that are no better than a Powerpoint presentation. We have a full staff of instructional designers, artists, etc who actually manage to create engaging and award-winning content, but seeing our competition, I feel your pain.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    42. Re:And replace it with what? by amicusNYCL · · Score: 1

      That... doesn't answer the question. If your argument is that Flash is so awesome because it's the best "online multimedia platform", then you're going to have to back that up to what the fuck an "online multimedia platform" is and why I would want one.

      We can start that pretty simply. It is a vector-based graphic and animation tool that allows you to synchronize audio with the animation. That alone has every other alternative beat. Things like drag and drop and all of the various interactions can be reproduced with Javascript in a browser, but letting a non-programmer artist create the content and synchronize the audio with what's going on in the content isn't found in other alternatives.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    43. Re:And replace it with what? by Waccoon · · Score: 3, Informative

      Installation was fantastic. When Flash was new under Macromedia, I remember it being only 300K, and it installed immediately without a reboot or restarting the browser. Java at the time weighed in at (I believe) over 12MB and required a reboot. So did most other media players.

      Games. Casual gaming on the PC owes itself almost entirely to Flash. Java sucked, and the alternative was to download and install an EXE, which could do just about anything to your PC. Flash made it possible to run games instantly, directly, without an install, on both PC and Mac. It was the Steam of the day, and worked when everything else failed miserably.

      Cartoons. Doing stuff in vectors reduced bandwidth a thousandfold. Say what you want about HTML5 and movie codecs, but if you want to do vector animation, Flash is still your only option.

      Educational apps. Ever been to a tech site where they have some kind of visual interactive application to show how the technology works? Java should have dominated in this area, but installing Java was painful, the download was huge, and at one time, Java applets couldn't play audio, because that was considered a security violation. Yes, in an attempt to crack down on the annoying audio and MIDI craze, Java banned all audio in applets for a while. No wonder tech sites dumped Java and went to Flash for their presentations.

      Say what you will of closed-source, proprietary media players, but all things that tried to compete with Flash have royally sucked. Flash is most definitely useful, and will continue to exist until HTML stops being garbage (which may take another 10 years or so -- if ever).

    44. Re:And replace it with what? by Anonymous Coward · · Score: 0

      It backfires a bit when you're calling games that had pretty nice commercial and critical success "no one ever heard of".

      Their games, for example, were featured in several Humble Bundles, including one Bundle dedicated to Botanicula's release with 4 Amanita's games in it. Just that Bundle alone sold 90k copies.

      And that's just one of those Bundles. And it's also on Steam and GoG, and thanks to that sucky Flash platform, it's also available on PS3, iPad and Android.

      So yeah, nobody cares about that tiny little niche, except for all those who do. And you've probably never ever heard about those tiny niche names like Kongregate, Armor Games or, well, Zynga.

    45. Re:And replace it with what? by phayes · · Score: 1

      Flash animations go away when you remove flash, use flashblock or soon just use Firefox.

      I couldn't care less what games are built with flash. I value not getting hacked by blocking flash more than any minor value flash provides. Adobe has proven themselves unable to provide the level of security I need to leave it on my machines.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    46. Re:And replace it with what? by mark-t · · Score: 2

      Good reason for who? The user? Probably not... Good reason for the website owner? Definitely. Just because you might not agree with those reasons doesn't mean they don't carry any value for other people.

    47. Re:And replace it with what? by westlake · · Score: 1

      It backfires a bit when your argument in favor of Flash being at the heart of a vast and vital industry is citing a company no one has ever heard of and three games that no one has ever heard of.

      Oh, really?

      Machinarium is a puzzle point-and-click adventure game developed by Amanita Design. It was released on October 16, 2009 for Microsoft Windows, OS X, Linux, on September 8, 2011 for iPad 2 on the App Store, on November 21, 2011 for BlackBerry PlayBook on May 10, 2012 for Android, on September 6, 2012 on PlayStation 3's PSN in Europe, on October 9, 2012 in North America and on October 18, 2012 in Asia.

      Microsoft Windows, Mac OS X, Linux and Android versions of this game were released along with Humble Indie Bundle for Android 4 on November 8, 2012, to customers who paid over the average price.

      It won the Excellence in Visual Art award at the 12th Annual Independent Games Festival and the Best Soundtrack award from PC Gamer in 2009. It was nominated for an Outstanding Achievement in Art Direction award by the Academy of Interactive Arts & Sciences and a Milthon award in the 'Best Indie Game' category at the Paris Game Festival.

      Gaming site Kotaku named it a runner-up for "PC Game of the Year 2009" alongside Torchlight, losing to winner Empire: Total War. Gamasutra, Gamerview and the Turkish site of Tom's Hardware all selected Machinarium as the 'Best Indie Game' of 2009. AceGamez named Machinarium the 'Best Traditional Adventure Game' of 2009.

      Machinarium

      In April of last year there was The Humble Botanicula Debut.

    48. Re:And replace it with what? by ChunderDownunder · · Score: 1

      Nevertheless, idealism doesn't match reality - a lot of content still requires a flash plugin. Even a story posted on Slashdot yesterday had embedded flash video. :(

      So although I use chromium or firefox for most things, I keep Chrome handy for news services etc.

    49. Re:And replace it with what? by Onan · · Score: 1

      I don't know what a "Humble Bundle" is; again, I suspect it's something that features far more prominently in some small specialized market than in the general world. I would suggest that your deep involvement with this niche may be impairing your perspective.

      Just glancing at the small games market, 90k sales certainly seems unexceptional. The top few dozen games sold through itunes seem to each have 10k-30k _reviews_, which almost certainly implies many more than 90k sales.

      And given that those all, obviously, run without Flash, it's hard to see this as supporting the case that Flash does something unique or important.

    50. Re:And replace it with what? by 10101001+10101001 · · Score: 1

      But Flash remains a remarkably viable platform with mature development tools for animation, video and games. Amanita Design comes vividly to mind with games like Samorost, Machinarium, and Botanicula.

      In the same way ActiveX remains a remarkably viable platform with mature development tools. Ie, precisely because it's a very large attack vector and it's used both in local and network modes, it's a massive headache for most people who would prefer their games and their internet do-dads to be separate. That way the internet version can be locked down massively with frequent updates and a push for the idea that throwing away any state is just fine while the local games version can be years out of date and very loose on the system with state data being very important. But, again and again that just hasn't worked out--Java is another good example of that.

      Animation in ads and badly designed websites don't go away simply because their developers have migrated to HTML5.

      No kidding. And by the same token, audio/video tag blocking needs to be a standard feature of web browsers *now* instead of waiting for the massive abuses that will occur when it's more commonly used. That will hopefully (1) heavily discourage developers making badly designed HTML5 sites that depend on that crap and (2) at least allow people to forcibly block the crap even if it breaks sites just like blocking flash can do now.

      So, Flash is merely a symptom of the disease and not the disease itself. And you're right, Flash has provided plenty of stuff of value. Still, Flash and all Flash-like solutions (even javascript+html5) are crap. I guess Java and ActiveX have turned me all jaded--though at least they were fast.

      PS - Personally, I especially hate flash a lot because of its absurd system requirements to play even the simplest of games--with a 2GHz cpu and 1GB RAM seemingly a minimal spec for a simple 2d platformer. I don't see HTML5+javascript being in the future particularly better on this front. But, then, it'd seem obvious that HTML5+javascript isn't a platform for games. By the same token, flash isn't a platform for games. Twisting a platform for badly drawn animations into a video + gaming platform? Impressive, sure. But I just don't honestly get how most people can stand flash from a use perspective. :/

      --
      Eurohacker European paranoia, gun rights, and h
    51. Re:And replace it with what? by lennier · · Score: 1

      I don't know what a "Humble Bundle" is

      Then you're not interested in video games.

      Flash is for games and video on the Web, and occasionally offline.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    52. Re:And replace it with what? by alihm · · Score: 1

      Truth is, HTML5 is not going to save us. It will suck even more than Flash, just wait and see. The future of the web is dark and full of bad codes written with JS.

  5. Huh? by mcgrew · · Score: 1, Informative

    I'm typing this on a Win 7 notebook w Firefox. KSHE's playing right now (using Flash, of course) and no notification came to me, although some virus defs came through this morning.

    Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content

    Why? They could as easily infect you with a macro. Who in their right mind opens a Word doc from an unknown source, especially when Windows warns you when you start to open a Word doc in Outlook (we use Outlook at work)?

    I just wish Flash would stop crashing every single time I have it hibernate when I'm listening to the radio.

    1. Re:Huh? by PlusFiveTroll · · Score: 5, Insightful

      >Who in their right mind opens a Word doc from an unknown source

      The idiot secretary in the next office over, or the next floor down.

      Then the payload mines her email addresses and sends you "Minutes from meeting" or some similar crap. So now instead of having an email from an unknown person you get an email from someone you'd expect to get word documents from. Hopefully you are in a company that has decent A/V on incoming mail, most small businesses don't.

    2. Re:Huh? by Anonymous Coward · · Score: 0

      Not as easy with a macro -- Office doesn't run macros by default and shows a pretty scary warning when it asks you to run it. Flash just runs.

    3. Re:Huh? by Ryanrule · · Score: 1

      Secretaries are not a thing anymore.

    4. Re:Huh? by NJRoadfan · · Score: 1

      I didn't even know you could embed Flash content in a Word document. I'm guessing they are using ActiveX, which means you are safe if you don't happen to have the ActiveX version of Flash installed. What's very annoying is that Adobe's update notifier doesn't update both the ActiveX and Netscape plug-in versions of Flash, just one or the other. Always check the Flash control panel and make sure you have the latest version for both!

    5. Re:Huh? by bsane · · Score: 1

      Now they're called assistants (or similar) and they still exist everywhere I've ever worked, there are just a lot fewer of them, and they don't type things up or take notes.

    6. Re:Huh? by Anonymous Coward · · Score: 0

      Flash's auto updater is a pile of crap, perhaps checking for an update once every 47 years.

      I got so annoyed with it I wrote my own which checks every 3 hours

    7. Re:Huh? by Inda · · Score: 2

      "especially when Windows warns you when you start to open a word doc in Outlook"

      Um, some of us have taught them to tick the "don't ask again" box. Sorry about that.

      Getting macros to run is harder these days. There's an extra click or two. They don't execute automatically any more.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    8. Re:Huh? by _xeno_ · · Score: 3, Interesting

      As far as I can tell, the Flash updater only bothers to check for an update when the computer first boots.

      Because everyone here constantly reboots their computer, right? I mean, it's not like most computers have sleep modes, and that most people just leave the OS running so they don't have to wait for it to boot. Clearly everyone constantly reboots their computer, once per day, to allow the Adobe Flash Updater to check for updates.

      --
      You are in a maze of twisty little relative jumps, all alike.
    9. Re:Huh? by tibit · · Score: 1

      In a word, run nightly ninite :)

      --
      A successful API design takes a mixture of software design and pedagogy.
    10. Re:Huh? by Anonymous Coward · · Score: 0

      I've found, at least on Windows XP, that it only checks for an update when you log in. Wonderful "feature"...especially for 90% of people who log in once every few weeks between reboots and wouldn't know to run the updater manually.

    11. Re:Huh? by benjymouse · · Score: 4, Informative

      Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content

      Why?

      Probably because of Windows sandboxing Flash through low-integrity mode. Even if you get to exploit a Flash vulnerability and execute your shell code on Windows, the code is still severely restricted in what it can do. Code executing inside of a low-integrity process can still not infect a system as write-ups (writing or interacting with a higher integrity object/process) are denied.

      They could as easily infect you with a macro. Who in their right mind opens a Word doc from an unknown source, especially when Windows warns you when you start to open a Word doc in Outlook (we use Outlook at work)?

      No, infecting with a macro is more difficult since the last several versions of Word. Word will not automatically run macros and also has an internet-origin policy whereby documents received through Outlook or other email clients or downloaded using a browser are tainted with the "internet zone". You have to dismiss several warnings to run macros from such a document. But if Word will run Flash content (show the animation) and a vulnerability can be exploited, shell code can run as a user.

      That is, until Word 2010 which *also* runs in low-integrity when viewing content tainted with the internet zone. Since Word 2010 the shell code will still be confined to the low-integrity sandbox.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    12. Re:Huh? by Anonymous Coward · · Score: 0

      I think the problem in your scenario, is that you have a non-expert user, but you let them have MS Word. Only rocket scientists, on machines sequestered from the network, should be allowed to use the MS Office suite.

      Kick your secretary off the network, or take away Word, or something. We know these "I got something off the 'net! Quick, execute it with all my privileges!" people exist; the idea is that the damage that needs to be done, become limited somehow.

    13. Re:Huh? by Anonymous Coward · · Score: 0

      As far as I can tell, the Flash updater only bothers to check for an update when the computer first boots.

      Because everyone here constantly reboots their computer, right? I mean, it's not like most computers have sleep modes, and that most people just leave the OS running so they don't have to wait for it to boot. Clearly everyone constantly reboots their computer, once per day, to allow the Adobe Flash Updater to check for updates.

      My Media Center hasn't been rebooted for at least a week and it's been updated. Read the Adobe Flash Player Administration Guide

      Here's the relevant part:

      Background update is disabled by default. To enable it, edit the mms.cfg file, as shown below:
      AutoUpdateDisable=0
      SilentAutoUpdateEnable=1

      If background updates are enabled, the task or LaunchDaemon check for an update once every 24 hours. However, if
      no network or internet connection is available at the time of the check, the check occurs again every hour until a
      connection is detected. After the next successful check, another check does not occur for 24 hours.
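
The two mms.cfg settings quoted in the comment above can be checked mechanically on managed machines. The following is an added example, not part of the original comment and not Adobe tooling; the case-insensitive key matching, the `#` comment handling, the `true`/`false` spellings and the sample file contents are assumptions or constructed for illustration.

```python
"""Audit the text of a Flash Player mms.cfg for the background-update settings."""

# Values the quoted administration-guide excerpt gives for enabling background update.
REQUIRED = {"AutoUpdateDisable": "0", "SilentAutoUpdateEnable": "1"}

# Assumption: booleans may be written as 0/1 or true/false.
_NORMALIZE = {"0": "0", "false": "0", "1": "1", "true": "1"}

# Constructed sample inputs (not taken from any real machine).
SAMPLE_ENABLED = "\ufeff# managed by IT\nAutoUpdateDisable=0\nSilentAutoUpdateEnable = 1\n"
SAMPLE_DISABLED = "AutoUpdateDisable=1\nSilentAutoUpdateEnable=1\n"
SAMPLE_CONFLICT = "AutoUpdateDisable=0\nSilentAutoUpdateEnable=1\nsilentautoupdateenable=false\n"


def parse_mms_cfg(text):
    """Return {lowercased key: [normalized values in file order]}.

    Every occurrence of a key is kept so that contradictory duplicate
    lines can be reported instead of silently picking one of them.
    """
    settings = {}
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a UTF-8 BOM
        line = raw.strip()
        # Assumption: blank lines and lines starting with '#' carry no setting.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().lower()
        settings.setdefault(key.strip().lower(), []).append(
            _NORMALIZE.get(value, value)
        )
    return settings


def audit_background_update(text):
    """Return (ok, findings); ok is True only if both settings match REQUIRED."""
    settings = parse_mms_cfg(text)
    findings = []
    for name, wanted in REQUIRED.items():
        values = settings.get(name.lower(), [])
        if not values:
            findings.append(f"{name}: not set (expected {wanted})")
        elif len(set(values)) > 1:
            # Treat contradictions as a failure: which line wins is not
            # something this check should guess at.
            findings.append(f"{name}: conflicting values {values}")
        elif values[0] != wanted:
            findings.append(f"{name}: set to {values[0]}, expected {wanted}")
    return (not findings, findings)


if __name__ == "__main__":
    for label, sample in [("enabled", SAMPLE_ENABLED),
                          ("disabled", SAMPLE_DISABLED),
                          ("conflict", SAMPLE_CONFLICT),
                          ("empty", "")]:
        ok, findings = audit_background_update(sample)
        print(label, "OK" if ok else "FAIL", findings)
```

An empty or missing file fails the check, matching the excerpt's statement that background update is disabled by default.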

    14. Re:Huh? by mcgrew · · Score: 1

      That's one of many things that annoys me about Windows. This notebook runs W7 because I just haven't gotten around to installing Linux yet. Linux would already be on it if it wouldn't hibernate. Ironically, the Linux tower gets shut down when I'm not using it, because when I boot it, all the apps and docs that were open when I shut it down reopen, and it enters its password for me. Hit the switch, pour a cup of coffee and it's good to go, as if it hadn't been shut down at all.

      I wonder if Windows will ever catch up with Linux featurewise? I know of no features Windows has that Linux lacks, but Windows lacks quite a few features I consider absolutely necessary.

      Since I don't use Word (Oo instead) I guess I don't have to worry about the Flash exploit so much. I'll update Flash when the Patch Tuesday forces a reboot (another feature Windows lacks -- Linux updates need no reboots).

      It's amazing that people actually pay for an OS that is less capable than a free one! "You get what you pay for", my ass!

    15. Re:Huh? by Ryanrule · · Score: 1

      "they don't type things up or take notes"

      so just screwing the boss then huh

  6. Dear Adobe by Anonymous Coward · · Score: 1

    Get the fuck out of the business of doing anything that can connect to the internet. Because you suck at it.

    1. Re:Dear Adobe by Rougement · · Score: 2

      Yep. They've had years to develop something that doesn't suck balls and failed miserably.

  7. Time for HTML 5 yet? by Billly+Gates · · Score: 1

    Another reason why proprietary addons that can execute code are a bad idea on the open web. Java got picked on enough last month. Flash also executes code by its very nature so of course it will have holes in it.

  8. Adobe Flash Steps by Anonymous Coward · · Score: 1

    1. Develop a technology and an authoring tool
    2. Add features at a breakneck pace so no one can compete on the authoring tool
    3. Profit!
    4. Fix vulnerabilities until the end of times

  9. LOL ... by gstoddart · · Score: 3, Insightful

    Or, don't even run it. Flash has been a security and privacy hole for a decade or more.

    I refuse to install it except on work machines where I periodically have to use it for something I can't avoid.

    Yet another exploit? I'd like to say I'm shocked, but that would be a lie.

    --
    Lost at C:>. Found at C.
    1. Re:LOL ... by amicusNYCL · · Score: 1

      I refuse to install it except on work machines where I periodically have to use it for something I can't avoid.

      Which Flash-only websites do you use for work?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:LOL ... by medcalf · · Score: 1

      It's not really just a problem with Flash, or with Flash and Java, or with Flash and Java and (pick a technology). The problem is that we do not really know how to build complex, integrated systems — which is what end users need to get what they want (in this case, games and multimedia of various kinds) — that are secure enough for the Internet environment, at low enough operational and development costs to make them practical. Perhaps a new compute architecture (and associated language changes) is needed, where memory for programs and memory for data are physically separated. This could potentially lead to slightly reduced functionality for dramatically improved security. But in any case, this is not just a case of something being badly built, it's an instance illustrating how nearly all the software we use is in some sense badly built.

      --
      -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  10. Can haz software best practices? by Anonymous Coward · · Score: -1

    Someone needs to whip these Adobe programmers into shape - this is silly. If we're getting a patch everyday and 3 on Tuesdays it's plain downright bonkers zonkers crazy. Maybe if they scoped their plug-in instead of trying to embed an OS inside the web browser...

    Software development really has turned to shit these days. No one gives a fuck how broken to hell everything is.

    1. Re:Can haz software best practices? by Anonymous Coward · · Score: 0

      Adobe software has always been crash-ridden and buggy. Adobe Premiere was the software that taught me to press CTRL+S every ten seconds and make a backup every hour in case the save corrupted the file.

  11. This is such bullshit by Anonymous Coward · · Score: 0

    All these problems are caused by cheap ass OSs that can't protect themselves. All this patching only mitigates the symptoms, nothing more. Fix the OS dammit!

  12. Why is it so bad? by KlomDark · · Score: 1

    For way too many years it's been a mess. And these near-daily emergency patches now. WTF is broken in their development/testing process? I don't understand how it can stay so horrid, or why Adobe finds this acceptable...

    Even Windows has gotten a lot more secure over the years. But Flash, seems more broken each day.

    Anyone have any insight?

    1. Re:Why is it so bad? by Anonymous Coward · · Score: 0

      Adobe doesn't make any money from Flash player at all.
      So any money spent to fix it is a cost with no quantifiable benefits.

    2. Re:Why is it so bad? by DarkOx · · Score: 4, Insightful

      Probably because there is not much you can do to fix a fundamentally bad idea. Think of it like all the various attempts to make smoking 'healthy' at the end of day intentionally sucking combustion gases into your lungs just is not good for you, no matter how low tar, free of synthetic chemicals etc you make it.

      What does flash do? It executes code from unknown origin on your machine. That has never been a good idea; even if in some cases you can't get around needing to do it. Flash has more problems though it can't be fully sandbox'ed without breaking all those old apps, it needs to be able to do things like read files, open sockets connections, etc.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    3. Re:Why is it so bad? by tibit · · Score: 1

      That's what any web browser does. Flash does not run native code directly from untrusted sources, just as web browsers don't. Usually, the content exploits the bugs that let you run some binary code directly, but it's not because shipping native code around is how it was supposed to work. Both web browsers and flash players get executable content they have to compile to native code and run, or at least run on a bytecode machine.

      --
      A successful API design takes a mixture of software design and pedagogy.
    4. Re:Why is it so bad? by DarkOx · · Score: 1

      Not quite true. If we ignore javascript for a moment pure html rendering is not program execution; it's document formatting.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:Why is it so bad? by Anonymous Coward · · Score: 0

      Too bad Adobe doesn't have any competition, like say, Macromedia.

    6. Re:Why is it so bad? by JDG1980 · · Score: 1

      For way too many years it's been a mess. And these near-daily emergency patches now. WTF is broken in their development/testing process? I don't understand how it can stay so horrid, or why Adobe finds this acceptable... Even Windows has gotten a lot more secure over the years. But Flash, seems more broken each day. Anyone have any insight?

      Adobe outsources most of their development process to India. That's a major contributing factor.

  13. Another reason to use Chrome, avoid Safari, Mac. by Andy+Prough · · Score: 1

    Automatic flash updates. TFA states that Firefox and Safari on Mac are currently vulnerable and require manual update. Even IE10 on Win8 is doing auto updates. My odds of getting exploited via this vulnerability on my Chromebook? Basically zilch?

  14. WTF.. by GrBear · · Score: 1, Insightful

    Why the fuck does a WORD PROCESSOR even allow embedded Flash files?! Payloading like this shouldn't even be possible in the first place, that would be as bad as embedded .EXE files in a .doc that autorun when you open the .doc

    1. Re:WTF.. by jones_supa · · Score: 1

      Indeed, I laughed when I read that in the summary. That kind of attack vector is just so good old Microsoft. <3

    2. Re:WTF.. by Anonymous Coward · · Score: 0

      Because OLE. A word processor has almost nothing to do with processing words. Sure, you have a spell checker and search/replace, but mostly it's formatting and layout.

    3. Re:WTF.. by Anonymous Coward · · Score: 0

      Flash video. Calm your nerdrage.

  15. FTFY by schneidafunk · · Score: 1

    Email attachments have been a security and privacy hole for a decade.

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:FTFY by gstoddart · · Score: 1

      Oddly enough, it was only ever Microsoft who decided they'd just blindly run anything in an email attachment.

      --
      Lost at C:>. Found at C.
    2. Re:FTFY by Anonymous Coward · · Score: 0

      Mail.app does it too. There was a recent vulnerability about that.

  16. Why replace it with anything? by Anonymous Coward · · Score: 0

    And replace it with what? The atrocity also known as HTML5 which is not write once run anywhere, is an absolute bear to code and despite the hype is nowhere near suitable for gaming yet?

    There's a reason Flash is the world's most popular online multimedia platform. It's not without issues, but it is lacking a worthy contender.

    Why replace it with anything? What exactly does it do for me, Joe Anonymous Coward?

    Play cat videos? HTML5 does that absolutely fine.

    Show me ads? No thanks.

    Annoying animated menu navigation? I think pretty much every site has given up on those or found an alternative by now, thanks to Flash-less tablets and phones.

    Play dinky games? Yeah, there are still some, I guess, but most of them are now smartphone apps.

    There are plenty of "online multimedia platforms" now. Maybe none of them does all the toaster-fridge things that Flash does, but that just means more focus and less crap.

    Flash, you had a good life; now go to the old plugins home and live out your days fishing and watching TV without being a burden to your family. Give RealPlayer my love, will you remember to do that for me? Oh, and Java Applets will come by soon, you like them!

    1. Re:Why replace it with anything? by mark-t · · Score: 1

      Let me say up front that I'd love to be rid of flash forever, but that said... there seems to be an inseparable bond between multimedia and flash.

      However....

      I don't have cable... I don't watch enough TV to justify the expense... but there's a handful of shows (3 of them) that I really *do* like to watch each week, and the networks that air them in my area coincidentally also have those shows available for streaming one day after they air, which allows me to watch them at my convenience. The caveat is that all of these networks require flash to watch the programs in a browser window.

      Okay, so I'm also still sitting through a minute or so of commercials every 8 to 10 minutes, much as I would if I watched it live, but this is preferable to me to not watching the shows I like at all.

      I choose to not resort to piracy because I don't subscribe to the notion that just because I might want something that somebody else made, that this should somehow mean I am entitled to have it on terms that the maker never agreed to.

      Show me an html5 alternative that a) provides a seamless viewing experience; and b) content makers will be sufficiently satisfied with the level of control that it offers that they are actually willing to utilize it (which is realistically still going to mean that the distributor gets to insert advertisements at places of their choosing), and I'd love to say goodbye to flash forever.

    2. Re:Why replace it with anything? by Dr+Herbert+West · · Score: 1

      Flash compiles to Android and iOS without any problems-- beyond the hassle of dealing with the App store and developer certs of course.

      Angry Birds was originally written in Flash. So was Canabalt-- which you may not have heard of, but every "running" game out there owes a debt to. There's tons of iOS apps built in Flash.

      I'd be perfectly happy to see flash off the browser and used for what it's best at-- desktop or mobile applications.

      Before I get flamed for suggesting that Flash is an appropriate dev tool for mobile, keep in mind that a crappy app with a lame UI and tons of memory leaks is not the fault of the platform-- it's the fault of the programmer. JAVA, I'm looking at you here, with a degree of sympathy.

    3. Re:Why replace it with anything? by mark-t · · Score: 1

      Angry Birds was originally written in Flash.

      Got a reference for that? My understanding was that it was originally written in C, for iOS, and later ported to other platforms.

    4. Re:Why replace it with anything? by Dr+Herbert+West · · Score: 1

      I read it in a game blog somewhere... it must be true!

      My impression was that the prototype/proof-of-concept was built in flash, with (as you suggested) the native-code versions built later. I, of course, could be completely mistaken in which case I'm sure someone will correct me, preferably with an anecdotal car-analogy.

  17. We don't need antivirus software! by Netdoctor · · Score: 2

    Such is the mantra here...

    Sooo tempted to send the CVE out to several people internally, as a word document.

    *sigh*

  18. Punishment by ThatsNotPudding · · Score: 1

    Does Adobe even ever get wrist-slapping fines for being one of the Horsemen of the Internet Apocalypse? They seem quite content to write shit code and leisurely fix it when their excrement is pointed out.

  19. Re:Another reason to use Chrome, avoid Safari, Mac by KiloByte · · Score: 2

    This particular vulnerability might be patched, but you're wide open to hundreds of others. Flash is not something a responsible OS distributor should install by default.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  20. Installing flash, without browser restart? by Midnight+Thunder · · Score: 1

    One thing that I see as causing some people to delay updating their Flash, despite an update being available, is that the installer requires you to restart your browser or anything else Flash thinks is using it. Many people take the attitude "I am working and don't want to be bothered restarting my apps, for something I rarely use".

    Is there any other way Flash could install its updates, without requiring browsers to be restarted?

    --
    Jumpstart the tartan drive.
    1. Re:Installing flash, without browser restart? by Anonymous Coward · · Score: 0

      Weird. While reading this story I just barely updated Flash (on Windows XP) with both IE 8 and Firefox open. No restart at all.

    2. Re:Installing flash, without browser restart? by cbhacking · · Score: 1

      The Netscape Plugin API (which is what Flash is implemented using on Firefox, Opera, Safari, and at least some versions of Chrome) doesn't really support this. I don't know of any legit reason why not, but it doesn't.

      IE, which uses an ActiveX control for Flash, actually has no problem installing or updating plugins without restarting the browser. Refresh the page (which, if it's installed via the browser itself, will happen automatically) and you're good to go.

      --
      There's no place I could be, since I've found Serenity...
    3. Re:Installing flash, without browser restart? by Midnight+Thunder · · Score: 1

      Weird. While reading this story I just barely updated Flash (on Windows XP) with both IE 8 and Firefox open. No restart at all.

      I was on a Mac, so maybe Flash goes by different rules here?

      --
      Jumpstart the tartan drive.
  21. How is Chromebook "open" to Flash vulnerability? by Andy+Prough · · Score: 2

    I'd like to see the explanation as to how my Chromebook could be "wide open to hundreds" of Flash vulnerabilities. Seems preposterous from what little I know about Flash and how it interacts with Chromebook's locked-down Gentoo-based OS.

  22. My report: 6 months without using Flash by hessian · · Score: 4, Interesting

    Some time ago, after the last round of Flash exploits, I de-installed it and resolved to live without it.

    There are glitches: I can't get most video content, and Flash-only sites are inaccessible. However, this ended up being not a big issue.

    One reason for this is that many YouTube videos play in HTML5 on Firefox. (If you find a video you can't play, try embedding it; this sometimes produces a workable version.)

    Overall, the playback on HTML5 is better than Flash. There are fewer random slowdowns and stall-outs. On the downside, not every video is in HTML5.

    The most amazing thing is that browser crashes have dropped to near zero, either one or zero during this time. Most of what I thought was FF and Opera being buggy was in fact Flash being buggy.

    There's not yet enough content switched to HTML5 from Flash to navigate everything, but during my 6 months without Flash, I've noticed that more firms are going away from the Flash-only navigation school of design.

    YMMV. For me, life without Flash has been better, although I do miss out on some things.

    1. Re:My report: 6 months without using Flash by tibit · · Score: 1

      It used to be that the #1 source of Safari crashes auto-reported to Apple was Flash. I wouldn't be surprised if that's still the case.

      --
      A successful API design takes a mixture of software design and pedagogy.
    2. Re:My report: 6 months without using Flash by aaarrrgggh · · Score: 1

      I was quite content without it, until Google tweaked some things in their finance pages where graphs wouldn't allow static graphs anymore. I grudgingly re-installed yesterday after nearly three years without. It's out again... I will just skip using Google Finance.

    3. Re:My report: 6 months without using Flash by mister_playboy · · Score: 2

      You can solve the video playing problem quite easily with something like FF's Video Download Helper add-on or JDownloader. These tools can examine a URL and allow you to download any videos they find for local playback.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    4. Re:My report: 6 months without using Flash by JDG1980 · · Score: 1

      There are glitches: I can't get most video content, and Flash-only sites are inaccessible. However, this ended up being not a big issue. One reason for this is that many YouTube videos play in HTML5 on Firefox. (If you find a video you can't play, try embedding it; this sometimes produces a workable version.) Overall, the playback on HTML5 is better than Flash. There are fewer random slowdowns and stall-outs. On the downside, not every video is in HTML5.

      If you're using Firefox, one problem is that they've been very tardy with H.264 support, for ideological reasons. However, they are going to start supporting it in Firefox 22 by default, at least on Windows 7 systems that already have the codecs built in. This should eliminate some of the compatibility issues that have been observed.

    5. Re:My report: 6 months without using Flash by Anonymous Coward · · Score: 1

      Even better - a plugin like YouTube5 for Safari (analogues are available for Chrome and Firefox). There are only a handful of videos on YouTube which won't play through one of those plugins (due to some DRM cr@p)

      Another option is to use a two-browser solution. Safari (Flash-free) is my main browser, but I use Chrome a few times a month to view pages which need Flash. More and more, I just hit the back button and find what I'm looking for on a site which isn't polluted with cr@pware.

    6. Re:My report: 6 months without using Flash by jader3rd · · Score: 1

      I can't get most video content, and Flash-only sites are inaccessible.

      Sometimes if I really want something on the website I'll change my user agent string to the same as the iPad's, and I have yet to hit an issue with the site not being able to limp along at that point.

    7. Re:My report: 6 months without using Flash by Anonymous Coward · · Score: 0

      As you know it's DRM that makes youtube not display some videos in html5.

      But I believe all videos uploaded to youtube are automatically encoded in all video formats youtube provides, so using a Greasemonkey script will get you an html5 or mov (or whatever apple uses) for any video you want.

    8. Re:My report: 6 months without using Flash by ssam · · Score: 1

      it is already a compile time option on linux since about FF14.

    9. Re:My report: 6 months without using Flash by antdude · · Score: 1

      With FlashBlock extension, one could block Flash videos. How does one do that with embedded HTML5 videos?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    10. Re:My report: 6 months without using Flash by arglebargle_xiv · · Score: 1

      Some time ago, after the last round of Flash exploits, I de-installed it and resolved to live without it.

      Never had it installed in the first place. Never really missed it, in fact I'm frequently surprised at how painfully obnoxious various flash-infested sites are when I have to view them on someone else's computer.

      The best thing though is the air of smugness I'm allowed to put on whenever a new flash exploit comes out and I can completely ignore it. That alone makes it worthwhile.

    11. Re:My report: 6 months without using Flash by twzop · · Score: 0

      Thanks for sharing your experience. This is something that I've been thinking of doing for months. I left Google in the place of startpage.com for search over 6 months ago and love it. Don't see why leaving Flash for good won't work. I am a professional web developer and PHP programmer and we refuse to code for flash anymore and are totally fine. Great writeup and glad to hear that it's working for you.

    12. Re:My report: 6 months without using Flash by guymc · · Score: 1

      Congratulations & welcome to the club! http://couchguy.tumblr.com/blueblockok

  23. Re:Another reason to use Chrome, avoid Safari, Mac by tibit · · Score: 1

    TFA is spreading FUD. I've had self-updating flash on OS X for at least a year now, IIRC. Yes, it has been self-updating for safari and other browsers, all automagically. Yes, you can manually disable autoupdates, but then it's your own damn fault.

    --
    A successful API design takes a mixture of software design and pedagogy.
  24. IE tip by jones_supa · · Score: 1

    A simple way to make Internet Explorer block Flash by default: Gear icon -> Safety -> ActiveX Filtering.

    After that, you can re-enable Flash for selected sites by clicking the blue icon in the address bar.

  25. mod Up by Anonymous Coward · · Score: -1
  26. This vulnerability affects Linux and Android too by sophos7 · · Score: 1

    From Adobe's Security Bulletin

    Affected software versions

    Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
    Adobe Flash Player 11.2.202.261 and earlier versions for Linux
    Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x
    Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x

    If you're running on Android it might not show in the market but if you view "All Apps" which shows previously installed apps along with ones currently installed, Flash will be there and say Update next to it.

    I think it's also interesting that this comes about a week since Firefox started blocking all plug-ins by default, except Flash.

  27. Windows secure, OS X not so much. by benjymouse · · Score: 4, Interesting

    We see here how the Windows platform has been battle hardened to the point where the attackers have to resort to lower-yield secondary attacks. Head-on attacking Flash on Windows does not get the attacker very far because of the security advancements such as Mandatory Integrity Control (MIC). That's why the attackers try to exploit it in contexts where MIC does not prevent system infection, such as through older versions of Microsoft Word through emails.

    OS X is still wide open to such head-on attacks when a vulnerability exists, especially Firefox because Mozilla has steadfastly refused to put in place a proper sandboxing barrier. Even Safari has some sandboxing in the latest version of OS X.

    Firefox not. A vulnerability in Firefox or one of its plugins means significant risk of successful exploits.

    Flash on Windows executes in a low-integrity process. Even if a Flash vulnerability is exploitable and shellcode gets to execute in the Flash host process, it still cannot write anywhere or interact with higher integrity objects because of mandatory integrity control (MIC) which was introduced with Vista.

    The upshot: Attackers have to try secondary routes on Windows where the conversion rates are much, much lower. And this specific attack vector will not work on Word (or other Office applications) since Word 2010. Since the 2010 versions, internet downloaded documents are also opened in low-integrity mode, meaning that even here the shellcode would be similarly restricted.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    1. Re:Windows secure, OS X not so much. by Anonymous Coward · · Score: 0

      I didn't even know about this exploit until just now. However earlier today when I went to a website that uses flash, Safari has already disabled the plugin and told me to update to a new version for security reasons. Apple has had the ability to quickly push out updates to the Xprotect.plist for some time now.

    2. Re:Windows secure, OS X not so much. by ahabswhale · · Score: 1
      --
      Are agnostics skeptical of unicorns too?
    3. Re:Windows secure, OS X not so much. by benjymouse · · Score: 1

      It's sandboxed like Chrome: http://www.webmonkey.com/2012/06/flash-firefox-play-together-in-new-security-sandbox/

      Flash in Firefox is only sandboxed like Chrome on Windows:

      ... offers several new features aimed to make the widely used browser plugin more secure — including a new security “sandbox” for Firefox on Windows.

      But not on OS X. Chrome on Windows uses UAC/MIC too (and also puts in place some extra sandboxing features). Note, Firefox itself on Windows is still not sandboxed. This sandboxing only applies to the Flash plugin, not the browser itself and not to other plugins. An exploit running on Windows is running under low-integrity mode. It can not write anywhere to infect the system.

      Firefox on OS X is not sandboxed; not the browser itself, not plugins in general and not Flash by itself. An exploit runs as the current user once it is running shell code. It runs with the user privileges and can write anywhere the user can, i.e. it can infect the local user account.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  28. Chrome to the rescue by Just+Some+Guy · · Score: 1

    This is the primary reason I use Chrome: so that I don't have to bother with a system-wide Flash. I can still watch cat videos (by clicking on them), but my word processor can't be infected through software that's not installed.

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:Chrome to the rescue by mister_playboy · · Score: 1

      Your comment made me curious, so I looked into it and Chrome is indeed using the PPAPI plugin (which other programs can't make use of) on all platforms as of Chrome 23.

      Good to know. :)

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    2. Re:Chrome to the rescue by ficuscr · · Score: 1

      Totally, love the 'click to play' option. Can avoid drive-bys and many obnoxious ads. There is really no down side to using this setting.

  29. JRE and Flash, RIP 2013, Silverlight RIP 2010 by TheSkepticalOptimist · · Score: 1

    Let's all push to get rid of alternative runtimes once and for all.

    --
    I haven't thought of anything clever to put here, but then again most of you haven't either.
  30. New Adobe Flash marketing slogan by Anonymous Coward · · Score: 0

    "Adobe Flash! It's Infectious!"

  31. How about Linux/Android/etc users by phorm · · Score: 1

    Does this bug also affect users of those OS's, because last time I heard
    a) Adobe isn't offering a flash package for current android
    b) Adobe isn't offering updates to the Linux flash version.

    I'll assume that Linux users can have the vulnerable version, is there something in the OS that makes them immune or were they just not mentioned?

    1. Re:How about Linux/Android/etc users by benjymouse · · Score: 2

      Does this bug also affect users of those OS's, because last time I heard
      a) Adobe isn't offering a flash package for current android
      b) Adobe isn't offering updates to the Linux flash version.

      I'll assume that Linux users can have the vulnerable version, is there something in the OS that makes them immune or were they just not mentioned?

      The 1st paragraph of TFA:

      Adobe has released security updates for Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.261 and earlier versions for Linux, Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

      Short of using SELinux or apparmor on Linux (and live with the consequences), there is nothing to prevent an exploit using these vulnerabilities through e.g. Firefox or other non-sandboxed browsers. IIRC Chromium uses a sandbox which would prevent the attack from infecting your account.

      Windows uses low-integrity mode to sandbox Flash in browsers which is why the attackers try to use an alternate (and lower yielding) attack vector through older versions of Microsoft Word (Word 2010 sandboxes the entire document including any Flash content if the document was downloaded from an untrusted source or received through an email).

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
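The affected-version ranges quoted from Adobe's bulletin in comments 26 and 31.1, turned into an inventory check (an added example, not part of the thread and not Adobe's tooling). The host names, the inventory tuple layout and the version `11.10.0.1` are constructed for illustration; only the thresholds come from the quoted bulletin text.

```python
import re

# Highest affected Flash Player version per platform, as quoted from the
# bulletin in the thread ("<version> and earlier versions").
LAST_AFFECTED = {
    "windows": (11, 5, 502, 146),
    "macintosh": (11, 5, 502, 146),
    "linux": (11, 2, 202, 261),
    "android4": (11, 1, 115, 36),    # Android 4.x
    "android2_3": (11, 1, 111, 31),  # Android 3.x and 2.x
}

# Assumption: the inventory reports four-part versions, dotted or
# comma-separated, possibly with a text prefix such as "WIN ".
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_version(text):
    """Return the version as a tuple of ints so comparison is numeric."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no four-part version in %r" % text)
    return tuple(int(part) for part in match.groups())


def platform_key(os_name, os_version=""):
    """Map an OS name (and Android release) to a bulletin threshold key."""
    name = os_name.strip().lower()
    if name in ("windows", "macintosh", "linux"):
        return name
    if name == "android":
        major = os_version.strip().split(".")[0]
        if major == "4":
            return "android4"
        if major in ("2", "3"):
            return "android2_3"
    raise ValueError("not covered by the quoted bulletin text: %r %r"
                     % (os_name, os_version))


def is_affected(os_name, flash_version, os_version=""):
    """True if the version falls in the 'and earlier' range for the platform."""
    threshold = LAST_AFFECTED[platform_key(os_name, os_version)]
    return parse_version(flash_version) <= threshold


def audit(inventory):
    """Return (host, flash_version) for every host still in an affected range."""
    return [(host, ver) for host, os_name, os_ver, ver in inventory
            if is_affected(os_name, ver, os_ver)]


# Constructed sample inventory: (host, OS, OS version, Flash version).
INVENTORY = [
    ("ws-01", "Windows", "", "11.5.502.146"),
    ("ws-02", "Windows", "", "11.10.0.1"),     # constructed; sorts low as a string
    ("mac-01", "Macintosh", "", "MAC 11,5,502,110"),
    ("lin-01", "Linux", "", "11.2.202.262"),   # one build past the affected range
    ("tab-01", "Android", "4.1", "11.1.115.36"),
    ("ph-01", "Android", "2.3", "11.1.111.31"),
]

if __name__ == "__main__":
    for host, version in audit(INVENTORY):
        print("%s: Flash %s is in an affected range, update" % (host, version))
```

Comparing the raw strings instead of the parsed tuples would flag `ws-02`, because `"11.10.0.1"` sorts before `"11.5.502.146"` lexicographically.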
  32. Automatically disabled in Safari by Anonymous Coward · · Score: 0

    Automatic flash updates. TFA states that Firefox and Safari on Mac are currently vulnerable and require manual update. Even IE10 on Win8 is doing auto updates. My odds of getting exploited via this vulnerability on my Chromebook? Basically zilch?

    TFA is partially correct. Apple today pushed out an update to XProtect to disable vulnerable versions of the plugin in Safari.

    So Safari is not vulnerable, but it can't play Flash either until you do a manual update.

  33. Bring on the HTML5 exploits! by Anonymous Coward · · Score: 0

    I can't wait! Forget blinking and marquees, the future is now - or maybe not. Welcome to the new IFRAME overlards.

  34. Given the choice.... by mark-t · · Score: 1

    ... between living with the problems that flash has but still being able to use the websites that I visit which utilize it (mostly tv station websites) and not using those websites at all (which would require that to watch the same programs, I would either have to pay more money every month for cable tv, instead of legitimately streaming the shows from the networks' websites, or else resort to pirating the shows, an activity that I object to on moral grounds in cases where the work is available cheaply and legally through a venue approved of by its maker, even if that venue is not my own first choice), I have to admit to simply preferring to live with Flash's problems.

    If all these networks didn't insist on using it for their shows, I'd be quite happy to uninstall flash entirely. But they do, so I don't.

  35. Flash died a long time ago. by csumpi · · Score: 1

    Flash is blocked on all of my devices. And has been for a long time. There's absolutely no need for flash.

  36. "most popular websites on the entire WWW" by Anonymous Coward · · Score: 0

    Ah, that'd be those web sites with gaping black holes in them.

    Me goes "Gee, what an ugly website" and clicks on. Seconds later, it's half-forgotten -- you know. My attention span and that.

  37. Three cheers for Firefox by hessian · · Score: 1

    If you're using Firefox, one problem is that they've been very tardy with H.264 support, for ideological reasons.

    I understand some of their reasoning and am not critical of it.

    If anything, I think every FireFox user should try it without Flash. There just are not crashes. It's inspiring.

    1. Re:Three cheers for Firefox by Nutria · · Score: 1

      I think every FireFox user should try it without Flash. There just are not crashes. It's inspiring.

      I keep FF open constantly with many windows and huge numbers of tabs. It hasn't crashed since I moved to 64 bits. (The crashes were all Linux 32-bit "exceeded process address space" deaths.)

      One thing that might be saving me is Flashblock.

      --
      "I don't know, therefore Aliens" Wafflebox1