Slashdot Mirror


Adobe Patches Nine Vulnerabilities In Flash

jones_supa writes Adobe has patched nine vulnerabilities in Flash Player — four of which are considered "critical" — in order to protect against malicious attackers who could exploit the bugs to take control of an affected system. Adobe acknowledged security researchers from Google, McAfee, HP, and Verisign. Flash's security bulletin contains more information on the vulnerabilities. The issues are fixed in mainline Flash Player 16.0.0.257 (incl. Google Chrome Linux version), extended support release 13.0.0.260, and Linux standalone plugin 11.2.202.429.

95 comments

  1. Get rid of flash on slashdot, firefox by Anonymous Coward · · Score: 1

    Hey, mozilla, please implement proper MSE support, so that youtube actually works thank you!
    Hey DICE, please use HTML5 video for slashdot thank you!

    1. Re:Get rid of flash on slashdot, firefox by cheekyboy · · Score: 3, Insightful

      please mark flash as spyware, please kill flash!!!!

      Any business that still wants programmers to make apps in flash are stupid, HULU, please recode your apps.

      Besides Flash/Flex, AS, just purely suck as a language, utter putrid crap.

      Please make all firewalls block flash.

      Make firefox not even accept flash plugins, ban it, black list it.

      --
      Liberty freedom are no1, not dicks in suits.
    2. Re: Get rid of flash on slashdot, firefox by Billly+Gates · · Score: 1

      Thank XP and corporate users.

      IE 8 is the world's most popular browser as a result.

    3. Re:Get rid of flash on slashdot, firefox by l0ungeb0y · · Score: 3, Insightful

      > Any business that still wants programmers to make apps in flash are stupid

      Name one other way to transmit a live video & audio stream from the browser that works across all major platforms that doesn't require a download and install.

      > Besides Flash/Flex, AS, just purely suck as a language, utter putrid crap.

      AS3 is essentially Java with most of the same features as most other strongly typed OO languages.

      > Please make all firewalls block flash. Make firefox not even accept flash plugins, ban it, black list it.

      Yes, let's kill off browser-based internet video chat for the next few years and go with vendor specific implementations from Google and Apple! No one should be able to create a video app until Google lets them! Flash needs to die, but the fact is HTML5 has yet to provide a means to provide device access and a streaming AV codec. Sure, Opus is great, but not the standard and will likely never be adopted by Apple and WebRTC is great, but not the standard and has issues with implementation requirements (ICE servers, Turn/Stun).

    4. Re:Get rid of flash on slashdot, firefox by Anonymous+Brave+Guy · · Score: 1

      Exactly. It's all very well hating on Flash for whatever reason, but until the newer technologies can do the same jobs, and do them at least as well as the older technologies they are replacing, this is an apples to oranges comparison.

      Why does anyone think the browsers themselves don't have similar security problems, and won't have more when they offer the same kinds of functionality as the insecure plug-ins we've used in the past?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:Get rid of flash on slashdot, firefox by Anonymous Coward · · Score: 0

      > Hey, mozilla, please implement proper MSE support, so that youtube actually works thank you!

      Screw that. Just use VLC. I block all flash and just drag-and-drop the youtube URL into a VLC window. The UI is so much better and you can do things like play at 2x speed. The occasional DRM'd video can be handled with the youtube-dl utility.

    6. Re:Get rid of flash on slashdot, firefox by Anonymous Coward · · Score: 0

      > Name one other way to transmit a live video & audio stream from the browser that works across all major platforms

      The word "other" does not belong in that sentence.

      Steve Jobs got famous for explicitly not supporting flash on IOS, one of the major platforms. And Flash video working like crap on Linux is still the most used reason for "Linux is not ready for the desktop" - and close to being the only one left, after Steam made Linux a gaming platform.

      So, if you want to transmit video to only Windows users, Flash is the way to go.

      If you want to reach all major platforms, HTML5 video is the only option, possibly with fallback to Flash for those pesky standard hating versions of Internet Explorer.

    7. Re:Get rid of flash on slashdot, firefox by Anonymous Coward · · Score: 0

      Well, you'll be happy to know that Firefox is implementing proper MSE support. In fact they're aggressively trying to finish it, including backporting as much as they could into v35. In fact lots of people are having good luck with the nightlies. Now if only Google would stop fucking with Youtube all the time. I wouldn't be surprised if they start making 1080p videos only available via EME, just to make Firefox look bad. They did it before when they disabled non-DASH streams for effectively the same reason.

    8. Re:Get rid of flash on slashdot, firefox by Gliscameria · · Score: 1

      Disabling Flash makes this site a whole lot better.

      --
      X
    9. Re:Get rid of flash on slashdot, firefox by Anonymous Coward · · Score: 1

      Because browser vendors have been learning from their mistakes, and tend to develop sandboxed APIs that we complain about for not being as fast because they're a bit more secure. Generally speaking. In fact the browsers of today can handle the vast majority of what Flash can do already, and often better because they don't break the user's browsing experience as readily.

    10. Re:Get rid of flash on slashdot, firefox by Anonymous+Brave+Guy · · Score: 1

      Why do you think all the browsers will be able to implement sandboxed APIs for these kinds of functionality successfully, when no major plug-in in history has been able to do so?

      If there were a browser that was written using truly robust coding practices, the kind of thing you'd use if you really were writing safety-critical software, then maybe I'd buy that. But they aren't. Like most commercial software, browsers prioritise speed of development and to some extent run-time performance over quality. And they are large applications, with complicated code bases, written in languages like C++. I see no reason to believe that they won't be subject to the same kinds of attacks, sometimes successfully, as everyone else developing software that way.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    11. Re:Get rid of flash on slashdot, firefox by Guru2Newbie · · Score: 1

      No conversation on earth is private. Everything youve seen on Startrek has already been done all by Lockhead Skunk Wor

      Try Star Trek and Lockheed instead.

  2. Given the track record of Flash by AchilleTalon · · Score: 5, Funny

    Given the track record of Flash, I would say they patched 9 and introduced 18.

    --
    Achille Talon
    Hop!
    1. Re:Given the track record of Flash by fuzzyfuzzyfungus · · Score: 2

      I'm not sure whether their patches add bugs, or whether their original code quality was so atrocious that they are trying to fix a transfinite number of flaws by removing them at a finite rate.

    2. Re:Given the track record of Flash by v1 · · Score: 1

      I don't understand how software that's been around THIS long could still be pumping out "critical" security bugs by the dozen.

      --
      I work for the Department of Redundancy Department.
    3. Re:Given the track record of Flash by Anonymous Coward · · Score: 0

      Because they keep adding new functionality, thus introducing new code that can contain bugs. Plus it's not unusual for some bugs to be discovered and once known find they've been in the software undiscovered for a decade.

    4. Re:Given the track record of Flash by gstoddart · · Score: 1

      I would honestly say given the track record of Flash ... why the hell are people still running it?

      Flash has been a gaping security hole as long as it has existed.

      How anybody can pretend that it hasn't been leaving a series of security issues in its wake for over 15 years is mind boggling. Many of us have actively blocked/disabled it for at least 10. I don't even install it on personal machines, and I disable it on work machines except for the 2-3 things per year which I am required to do which won't work without Flash.

      Why do people have any trust in this platform? It's pretty much been crap for its entire history.

      --
      Lost at C:>. Found at C.
    5. Re:Given the track record of Flash by gtall · · Score: 1

      It is a bit worse than that. It is a curious fact that Flash contains more bugs than can actually exist in the code...it is considered among philosophers to be akin to Russell's Paradox. The latest scientific explanation involves higher order quantum mechanics and several new and very odd dimensions. The best theory I've seen so far is that Flash is a bit like quantum soup with a black hole hiding in the extremely odd extra dimensions. Virtual bugs and fixes appear in pairs, but curiously, only the fixes are attracted to the black hole and disappear from our time-space continuum forever. The consequence is that Flash seems to us as though it is a net emitter of bugs.

      When questioned about this, Adobe refused to discuss the matter or its implications...firm evidence of a coverup in my book.

    6. Re:Given the track record of Flash by Marginal+Coward · · Score: 1

      Perhaps it's a conspiracy to create more opportunities to monetize it via bundled adware. Then again, never ascribe to conspiracy that which can be adequately explained by incompetence.

    7. Re:Given the track record of Flash by nblender · · Score: 1

      because "The Internet". My wife doesn't care about internet ideals. She just wants to get her work done. There are lots of sites that she needs to do her work that require Flash... These are places that hired out their web-dev and don't have fulltime staff.. They're not going to hire someone to come and fix something that is apparently working. My wife's computer doesn't auto-update so I hear from her once a week to update her Flash plugin because it's "blocked" again by Safari.

      Fucking irritating and I would probably quietly cheer if someone went on a shooting rampage at Adobe... Maybe we can get some radicalized individuals to do it for us...

    8. Re:Given the track record of Flash by tlhIngan · · Score: 1

      > I don't understand how software that's been around THIS long could still be pumping out "critical" security bugs by the dozen.

      It's a typical case of "cost center".

      Flash Player is free. It's developed and distributed for free. That means it costs Adobe money to put development effort into it.

      Adobe makes money selling software, and free software like Reader and Flash Player make no money for Adobe, other than potentially encouraging people to buy their tools by making a large market available.

      But still, it costs money to make, so anyone working on Flash player must get stuff working and then shut it down to work on more profitable projects. So "do it fast" versus "do it securely and right".

      Adobe doesn't care if customer machines get pwned - they sold the tools for developers to create, so the customer is the developer, not the end user.

    9. Re:Given the track record of Flash by Burz · · Score: 1

      Given the track record of Fedora, the update will hit the mirrors in about 2 days.

  3. Good Thing by Anonymous Coward · · Score: 0

    Adobe has people from other companies fix their chronic insecurity problems.

    Otherwise their profitability would be measurably decreased.

  4. Why? by barcarolle · · Score: 2

    Why in the world are we still using this completely unnecessary software?

    1. Re:Why? by Anonymous Coward · · Score: 2, Insightful

      Youporn.

    2. Re:Why? by Anonymous Coward · · Score: 0

      Pretty sure even youporn supports html5 video now...

    3. Re:Why? by Anonymous Coward · · Score: 0

      Yep.

    4. Re:Why? by Gorgonzolanoid · · Score: 1

      Yeah sure, replace something with known security holes with something new where they still have to be discovered :)

    5. Re:Why? by Anonymous Coward · · Score: 1

      Are you asking why we're using dumb clients parsing HTML+Javascript when we have machines more powerful than an '80s supercomputer sitting on our desktops?

      Good fucking question, bro. The reason is simple: capitalism. Money can be had by giving people control ("PC on every desk") but even more money can be had by making people believe that they should not have control ("cloud!").

      As for Flash vs HTML+Javascript, well, browsers had a long period - i.e. lasting a good decade - of regular serious insecurities. People regularly questioned use of any client-side scripting at all, and while there was hate for IE's Browser Helper Objects, the Netscape API was a fairly good way of delivering rich content. It's only in the past half decade that Javascript has received enough eyes and sufficient maturity that core browsers are becoming less holey add-ins. Stability-wise, of course, HTML+Javascript still has a habit of breaking at the slightest network problem, and while this may be the fault of the individual site developer, it really doesn't encourage graceful failing, encouraging the developer to assume that there is a constant, stable and relatively fast Internet connection - good software ought to work perfectly with zero Internet connectivity and, if it has any collaborative or backup features, sync at intervals.

      And don't get me started on how easy it is for one piece of shitty Javascript to slow down a whole browser. Java applets, for example, are still easier to write (all the sophisticated UI widget and many backend libraries are in the base system), more elegant to code (Java ain't perfect, but it's simple and neat), and run faster (you may not notice this on your development Core i7, which is part of the problem) than Javascript - but for whatever reason Oracle has simply made them hard to run rather than continuing to secure and innovate, pretty much abandoning rich client-side development because see above: there is more profit selling chains than shovels, i.e. to help your clients to away control.

      tl;dr I don't know. I hope we'll get over this cloud business, and treat desktop PCs - where everything must be HTML+Javascript to be hip - the same way we're treating mobile devices now: rich client experiences using proper programming languages and UI widget sets, and failing gracefully when network connectivity is poor.

    6. Re: Why? by cyber-vandal · · Score: 1

      Ah the good old days of DLL hell, deployment of updates taking hours or days instead of minutes, the upgrade treadmill, VB6 et al. What a joy it must've been.

    7. Re:Why? by Anonymous Coward · · Score: 0

      > Why in the world are we still using this completely unnecessary software?

      Casual gaming. For myself, my Tower/Desktop Defence game addiction will keep Flash on my machine for quite some time yet. (yes, I know developers *could* have written them in something else, but for the most they haven't).

    8. Re: Why? by Billly+Gates · · Score: 1

      Yeah because Java is so much more secure and mobile friendly

    9. Re: Why? by gstoddart · · Score: 2

      But why do we think it is a good idea for arbitrary websites to be able to run arbitrary code? That's completely idiotic.

      Flash and Java are one of those things that expect you to run your browser in the least secure possible configuration (let anybody run anything) on the offbeat chance you might need it somewhere.

      Which means you let all of the rest of the websites you visit run anything they want to for no good reason.

      Since Flash is mostly a security hole used by advertising, and the few sites I've seen which require Flash for navigation are complete crap, why are people willing to put up with this?

      Hey, I know, how about we stop pretending that we need the stuff Flash brings to the table because it just makes a more overall insecure browsing experience, so when you do get exploited it was kind of just a matter of time.

      Flash (and to a certain extent, Java) has always been a security hole. It's time to stop pretending that it's otherwise useful.

      At the very least, it needs to be sandboxed up the wazoo ... there is no way in hell Flash should have access to anything outside of itself, because you can't trust it. Not now, not ever.

      --
      Lost at C:>. Found at C.
    10. Re: Why? by Anonymous+Brave+Guy · · Score: 1

      There are literally billions of people on the Internet. The fact that you don't find Flash or Java applets useful for anything -- given your own personal lifestyle, interests, location, businesses and governments you deal with, other technologies available, and so on -- does not mean that no-one else in the world does. Although the number of users is steadily trending downwards and alternative/replacement technologies are getting more capable, as a matter of fact there are still millions and millions of people using these plug-ins today and no-one offering them a better option for some of the things they need to do.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    11. Re: Why? by Anonymous Coward · · Score: 0

      1) The Java applet sandbox is relatively secure, but has received very little attention from Oracle - it could easily have been maintained and updated for finer granularity.

      2) Java applets were being run in the late '90s (!) and early 2000s on mobile devices which wouldn't have a hope of running a Javascript site.

      3) Android is built on Java (and typically way more permissive than the Java applet sandbox). But Google, disappointingly, did the whole vendor lock-in thing with the API rather than trying to come to the table with a proposal to standardise a cross-platform widget set which would be suitable for modern devices.

      The whole One Language, One Sandbox, One Platform theme of modern browsers is as unhealthy as that sort of approach has always been. To argue that plugins are bad because they usually (fine-grained OS permissions exist - use them!) run outside of the browser sandbox is just one level of indirection away from arguing that browsers are bad because they run outside of any particular sandbox.

    12. Re:Why? by smooth+wombat · · Score: 1

      Try RetroShooter from Arcade Pod. The music alone is worth it.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    13. Re:Why? by loufoque · · Score: 1

      You're speaking of html5 video as if it worked as well as flash video.

    14. Re: Why? by Billly+Gates · · Score: 1

      Because grandmas with IE 7 complain that the internets do not work on your wizbang HTML 5 site. Or your boss threatens to fire you if you do not cater to 98% of all customers.

      This means IE 8 hacks and flash to make up for the fact it is from last decade. If you don't, another webmaster in India needing money happily will and the grandmas will keep on using IE 7 like there is no tomorrow since everything keeps looking fine for her.

      This continues until we see a whole freaking decade with no web innovation. Thanks IE 6.

    15. Re: Why? by Billly+Gates · · Score: 1

      What needs to change is ancient IE FAST!

      The good news is mobile now is ahead of the PC with mobile sites with graphics and smoothness. This is because Apple invented much of the HTML 5 specs and pushed it with the iPhone. I may not like Steve but now it is forcing website makers to make 2 sites. If China can use SSL rather than ActiveX plugins written for IE 6 it will finally drop below the radar for PHB to tell webmasters to target. Your site may not be in Mandarin but he looks at statistics where China is counted 8 - 1 for each user over due to the population making him think 25% lost revenue if you target HTML 5 and not use flash to make up for old IE users.

  5. Free McAfee by Anonymous Coward · · Score: 0

    Watch out for that bundled shite. Adobe obviously isn't doing so good if they have to resort to tricking people into installing other companies' marketing software under the guise of a "security update". Desperate much? I'm forever removing the shit from people's computers; the quicker Adobe are designed out of the web the better.

  6. Any chance of a non Chrome linux version? by Viol8 · · Score: 2

    No, didn't think so. I guess at some point Flash in firefox will just stop working because so many sites will require a more modern version. Funnily enough I don't think I'll care.

    1. Re:Any chance of a non Chrome linux version? by Anonymous Coward · · Score: 0

      > and Linux standalone plugin 11.2.202.429.

      It was in the fucking summary! If you can't even read four sentences, how the hell do you manage to operate a Linux distribution?

      Hopefully by the time Adobe quits providing security fixes for that one, Flash will either be long-gone or Firefox will gain support for PPAPI and start using the Chrome plugin.

    2. Re:Any chance of a non Chrome linux version? by Dr_Barnowl · · Score: 1

      That's version 11.2

      Yes, they've fixed the bugs in it. But it's not the mainstream version, which is 16.

      There are plenty of sites that already depend on newer versions of Flash. Try running Card Hunter on Linux: you'll need Chrom(e|ium) with its bundled Flash for that to work, and that's just over three minor versions (it requires 11.5).

      So for given use cases, Flash already stopped working in Firefox for Linux. Supporting PPAPI probably is the only way it will work again.

      But personally, I'd vote for "Long Gone". Why bother with Flash when you can do stuff like this directly in a modern browser?

    3. Re:Any chance of a non Chrome linux version? by Viol8 · · Score: 1

      I meant a new major version you halfwitted bell end!

    4. Re:Any chance of a non Chrome linux version? by Anonymous Coward · · Score: 0

      Yeah, I'm aware that it's not the current version. His comment (+subject, I hate when people stick part of the comment in the subject) asked if there's a chance for a non-Chrome linux version. On-topic, that is asking if the security fix is available outside of Chrome, and anything else is a non sequitur.

      > But personally, I'd vote for "Long Gone". Why bother with Flash when you can do stuff like this [playcanvas.com] directly in a modern browser?

      Agreed, though I do like having annoying Flash uses walled behind having plugins click-to-play. I'm not looking forward to when everyone starts doing autoplay HTML5 videos on their sites for crap like that instead. Hopefully by the time advertisers and horrible site designers catch up and start using html5 for that stuff, browsers will start providing similar functionality for the non-flash stuff. NoScript works for now, but it's like driving nails with a sledgehammer: the nail's dealt with, sure, but so is part of the wall.

      Actually, thinking about it, the adverts are about the only thing I see using Flash most days, so if I didn't have it outside of Chromium not much would change for me. I do keep Chromium+Flash installed as a backup, but I almost never need it for Flash; I get more use out of incognito mode and loading script-heavy sites that don't play well with my Firefox setup.

      I keep the PPAPI flash plugin and Chromium for the rare cases where I need it, but realistically, those cases are all but nonexistent.

    5. Re:Any chance of a non Chrome linux version? by Anonymous Coward · · Score: 0

      You probably should have been more specific, then. The summary is about patches for security vulnerabilities, not about the state of Linux flash releases. If you're going to hijack a subject to hop on a soapbox about your gripe, it would work better if the question were clearer. It looked like you started asking about the vuln and then moved on to the rant.

      For what it's worth, I do agree that it's annoying that they quit supporting the NPAPI version, even though I don't have any particular love of Flash and don't see it used that much for general things any more. At least Chromium+pepperflash is an alternative for the odd thing that needs a newer version; Android has it worse. I don't know what they were thinking, completely abandoning Flash on android.

      At this point I'm surprised they're bothering with new versions of Flash at all, because abandoning mobile makes it seem like they just don't care any more. They even made their Flash creation tools able to output html5 stuff, FFS. They've already forfeited to Jobs' stubbornness, so why not just finish it?

    6. Re:Any chance of a non Chrome linux version? by Anonymous Coward · · Score: 0

      Use Pipelight to install the Windows Flash plugin into Firefox in Linux.

    7. Re:Any chance of a non Chrome linux version? by Viol8 · · Score: 1

      Which part of the phrase "a more modern version" confused you?

    8. Re:Any chance of a non Chrome linux version? by Tempest_2084 · · Score: 1

      I had trouble with my version of Flash not working with some sites but found a website describing how to make use of Pepper Flash (part of Chrome) with Firefox and it worked for me. I forget the details but it involved using some free flash player and linking to the Pepper Flash files in the Chrome directory.

    9. Re:Any chance of a non Chrome linux version? by Anonymous Coward · · Score: 0

      It didn't, I even mentioned that it reads like you started out asking about the patch and then segue into the "I want new version" part at the end. You missed it while trying to be clever, I guess, so here it is again:

      > It looked like you started asking about the vuln and then moved on to the rant.

      Also, if you just had to say something again, you could have continued the discussion along with it like I tried to do. It would have been more interesting and it would have given you a cleaner exit than trying to throw out another attempt at wit.

    10. Re:Any chance of a non Chrome linux version? by caspy7 · · Score: 1

      Hopefully by that point project Shumway will have arrived.

  7. Adobe hasn't been updated for 5 minutes. by MrKaos · · Score: 1

    This update will require a reboot and completely disrupt your current workflow until you do.

    Reboot now or crash your browser?

    --
    My ism, it's full of beliefs.
    1. Re:Adobe hasn't been updated for 5 minutes. by Anonymous Coward · · Score: 0

      Poor Windows user.

      (Just waiting for the usual herd of Windows fanboys claiming that rebooting Windows hasn't been necessary since Windows 98.)

    2. Re:Adobe hasn't been updated for 5 minutes. by RJFerret · · Score: 1

      Erm, I just updated both (Firefox & IE) without even restarting browsers happily.

  8. Awesome by drinkypoo · · Score: 1

    The download page crashed FF Nightly. Classy++

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Awesome by rnturn · · Score: 1

      Heh. I couldn't get FF to even download it. A portion of the download "form" was obscured and inaccessible under FF. I had to fire up Opera to see the complete form and do the download.

      --
      CUR ALLOC 20195.....5804M
  9. Security Through Instability by winphreak · · Score: 5, Funny

    Luckily, Flash crashes before any malicious code can be executed!

    --
    "I'm a well-wisher, in that I don't wish you any specific harm."
  10. It's Patch Tuesday by WD · · Score: 1

    This sort of thing happens every month. Microsoft, Oracle, Apple, etc. This is news?

    1. Re:It's Patch Tuesday by Anonymous Coward · · Score: 0

      Slow news these days, every month the whiners come out against Microsoft, Adobe and whatever other security issue evolves. The whiners must all have Macs and feel they are immune? Of course probably not many have ever used a security scanner to verify this is true. Updates for security are a way of life. No different than adding better locks to your house. Is that the end of security? What happens when someone gets past the locks? You get an alarm, right? They get past an alarm, you buy a gun. To secure yourself from anything it's a never-ending cat and mouse or chess game. You move, then the bad guy moves. You want to be safer computing then uninstall Flash rather than playing the game of patching holes. Otherwise, hope the patches come before the bad guy gets into your system.

  11. History by sjbe · · Score: 1

    > Why in the world are we still using this completely unnecessary software?

    Because at a point a few years back it was the only viable solution available to do some of the things flash does. There was no realistic alternative for several years. That gave it a very large installed base and large installed bases don't go away just because they later become inconvenient.

    One of the smartest things Apple did in recent years was to keep flash out of iOS so it could never get an installed base on that platform. Solved a whole host of inevitable security and performance problems AND it pushed the rest of the net somewhat away from flash. Apple had other less altruistic reasons to do this besides just the security problems with flash but on the whole I think we have all benefited from flash being pushed aside.

    1. Re:History by gstoddart · · Score: 0

      > Because at a point a few years back it was the only viable solution available to do some of the things flash does

      Define 'viable' -- do you mean it was the only sufficiently insecure platform which allowed arbitrary execution of code on the host machine?

      The ever cookies? The ability to spy on your microphone and camera? How about providing endless security holes, hacks, exploits, privilege escalations, and who knows what else?

      I'm afraid we differ on the meaning of the word 'viable'.

      If you consider giving any website on the planet effectively root access to your machine in order to implement stuff that doesn't need to run locally as 'viable', then sure. Go with that.

      But in terms of a platform where you can have any trust in it, and expectations it isn't a conduit to getting screwed -- I would say Flash is a resounding pile of crap.

      I selectively enable it for a few things at work every year. But in general, I do not find that not having Flash even installed is a limitation.

      In fact, I find it to be a blessing -- because starting with those stupid "Punch the Monkey" ads, and pretty much everything it's done in its lifetime, I don't find Flash provides much of value. At least not to me.

      Flash was created by Macromedia. Which means it was designed by a company who was more or less hostile to consumers from the beginning, and was only doing things which benefited themselves.

      I'm firmly of the opinion Flash should have died a violent death years ago.

      --
      Lost at C:>. Found at C.
    2. Re:History by gtall · · Score: 1

      I think the reason Apple refused Flash was a bit more mundane; it sucked energy and would have made the iThings unviable in a consumer market addicted to Flash. The fact that it was a security nightmare was just icing for whacking the entire cake.

    3. Re:History by Anonymous+Brave+Guy · · Score: 2

      The ability to spy on your microphone and camera?

      There were explicit prompts for permission before accessing those peripherals with a default answer of "no", which is hardly spying.

      In any case, how would you have suggested that someone implement a videoconferencing tool five years ago, without using any of these plug-ins you hate so much because you claim they don't do anything useful and just create security problems?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:History by sjbe · · Score: 1

      I think the reason Apple refused Flash was a bit more mundane; it sucked energy and would have made the iThings unviable in a consumer market addicted to Flash.

      The biggest reason Apple refused flash was because it would have circumvented their requirement that developers code natively for iOS. At the time iOS was still young, Flash was still important on PC browsers and Apple essentially would have abdicated control of their development environment to Adobe.

    5. Re:History by l0ungeb0y · · Score: 2

      Not at all. One of the last footholds of Flash is the ability to write a Native App for iOS and Android with Adobe AIR. What Steve Jobs was talking about was the Flash Browser plug-in -- which was unviable as a mobile browser experience. Hell, Google bent over backwards to give Adobe everything they claimed Apple denied them and couldn't get it to run in a stable or usable manner on Android.

  12. How can this happen? by Anonymous Coward · · Score: 0

    This is likely a naive question, but Flash has been around for a zillion years. How can there still be nine holes in it? I realize they are probably adding platform support and optimizations regularly - are they introducing new security holes? Or have these nine been around for a long time, and now just discovered?

  13. Flash is still going strong by Anonymous Coward · · Score: 0

    I remember when Steve Jobs wrote the article on why Apple decided to stop including Flash player on Macs and why iOS did not support it, period! Back then everyone knew Flash was not going away just because Apple didn't want it. Because in the end if web sites use it, the end user will have to have it. Otherwise, you have broken or incomplete web sites. It's also the same problem as we have had with Internet Explorer. We hate it, but it has always been a necessary evil with many sites and services. Only recently after how many revisions of IE has it come close to web standards. By the same token, we have seen Flash become a magnet for malware and yet do we really see any move from sites to dump it? Even after the rise of tablets which for the most part have not supported Flash.
    It amazes me how many of us complain about Flash, but continue to use it. With browsers pretty much supporting HTML5 we need to end the charade of needing Flash. We don't need Flash and the alternatives are better and safer. Maybe we need a NO Flash day where everyone is encouraged to uninstall Flash and see if they can do without it. Yes, it will most likely be a total fail. But it doesn't hurt to try.

    1. Re:Flash is still going strong by 0123456 · · Score: 1

      I uninstalled Flash long ago. Very occasionally I find a site that doesn't work at all without Flash, but it's rarely one I care about.

      The worst thing are the 'mobile' sites which say 'ah, you're running iOS, so I'm going to give you a sane site that doesn't have any of that Flash crap,' so you know they can make their site run fine without Flash, but you go there with an Android device and it says 'ah, you're running Android, so I'm going to give you the Flash version' even though Flash hasn't run on Android for several versions now.

  14. More detail about problems with Flash: by Futurepower(R) · · Score: 4, Informative

    The Flashblock extension apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?

    Adobe's Flash software is abusive to users, in my opinion. From the Better Privacy Firefox extension web page, re-written for clarity:
    Some properties of Flash-cookies (LSOs):
    1) They don't expire. They stay on each computer for an unlimited time.
    2) By default they offer a storage of 100 KB. Normal cookies, 4 KB.
    3) Browsers are not fully aware of LSOs. They often cannot be displayed or managed by browsers.
    4) Using Adobe's Flash, companies store and access highly specific personal and technical information (system, user name, files, ...).
    5) Flash sends the stored information to servers without the computer user's permission.
    6) Some Flash applications are not visible to the user. Not all Flash applications display anything.
    7) There is no easy way to tell which Flash-cookie sites are tracking you.
    8) Shared folders allow cross-browser tracking; LSOs work in every Flash-enabled application.
    9) Adobe doesn't provide a user-friendly way to manage LSOs. Management is very cumbersome.
    10) Many companies make extensive use of Flash-cookies.

    Apparently Adobe develops software but doesn't check for flaws. There have been 24 new versions of Adobe's Flash software in one year, if I count correctly, since v11.9.900.170 in January of 2014. (The latest version is v16.0.0.257.) As the Slashdot story mentions, the flaws were found by other companies, not Adobe.

    One purpose of the extremely frequent updating may be to push users to allow Adobe to do its silent updating, giving Adobe control over users' computers.

    Now, apparently, Flash applications will not work unless the latest version of Flash is installed. That's apparently another way Adobe pushes users to allow Adobe to do silent updating, using the Windows operating system service Adobe calls ARM: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

    Apparently the former Adobe CEO, Bruce Chizen, became tired of managing, because Adobe was, in my opinion, poorly managed for years before Mr. Chizen was replaced in 2007. Bruce Chizen is on Oracle's board of directors. Birds of a feather flock together?

    The present Adobe CEO, Shantanu Narayen, is, in my opinion, a very poor manager. For example, an organization with which we are acquainted paid $2,000 to update to an Adobe CS6 suite. CS6 came with old versions of some Adobe programs, and an Adobe representative justified that practice.
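The per-site visibility that points 3, 7 and 9 of the list above say is missing can be recovered by walking the on-disk shared-object store directly. The following is an added example, not part of the original post and not Adobe's code: the store location is passed in by the caller, and the layout `<root>/<profile id>/<site>/.../<name>.sol`, the `.sol` extension, the function names and the sample sites are all assumptions made for the demonstration.

```python
import os
import tempfile
import time

DEFAULT_QUOTA = 100 * 1024  # default LSO storage quoted in the list above (100 KB)


def audit_lsos(root, now=None):
    """Summarise a Flash shared-object store per site.

    Assumed layout (not from the post): <root>/<profile id>/<site>/.../<name>.sol
    Returns {site: {"files", "bytes", "oldest_days", "over_default_quota"}}.
    """
    now = time.time() if now is None else now
    sites = {}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).split(os.sep)
        if len(rel) < 2:  # need at least <profile id>/<site>
            continue
        site = rel[1]
        for name in files:
            if not name.lower().endswith(".sol"):  # assumed LSO file extension
                continue
            st = os.stat(os.path.join(dirpath, name))
            entry = sites.setdefault(
                site, {"files": 0, "bytes": 0, "oldest_days": 0})
            entry["files"] += 1
            entry["bytes"] += st.st_size
            # LSOs do not expire, so the age of the oldest file is worth showing.
            age_days = max(0, int((now - st.st_mtime) // 86400))
            entry["oldest_days"] = max(entry["oldest_days"], age_days)
    for entry in sites.values():
        entry["over_default_quota"] = entry["bytes"] > DEFAULT_QUOTA
    return sites


def build_sample_store(root):
    """Write a constructed store: one small recent LSO, one large stale site."""
    now = time.time()
    samples = [  # (relative path, size in bytes, age in days) -- all constructed
        ("PROFILE01/video.example/player/settings.sol", 2048, 3),
        ("PROFILE01/tracker.example/id.sol", 120000, 400),
        ("PROFILE01/tracker.example/ads/sync.sol", 512, 10),
        ("PROFILE01/tracker.example/readme.txt", 64, 1),  # not an LSO, ignored
    ]
    for rel, size, age_days in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        # Half a day of slack keeps the whole-day age stable across filesystems.
        mtime = now - (age_days + 0.5) * 86400
        os.utime(path, (mtime, mtime))
    return now


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as store:
        now = build_sample_store(store)
        for site, info in sorted(audit_lsos(store, now).items()):
            flag = "  <-- above default quota" if info["over_default_quota"] else ""
            print(f"{site}: {info['files']} file(s), {info['bytes']} bytes, "
                  f"oldest {info['oldest_days']} days{flag}")
```
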

    1. Re:More detail about problems with Flash: by Anonymous Coward · · Score: 3, Informative

      The Flashblock extension [mozdev.org] apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?

      Only if you also have AdBlock installed. There is a "bug" when you use both. You can fix it by adding "youtube.com##div#theater-background.player-height" to AdBlock's exception rules.

    2. Re:More detail about problems with Flash: by Anonymous Coward · · Score: 1

      The Flashblock extension apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?

      The problem is not with Flashblock. Flashblock works just fine with YouTube. I think you're running into an AdBlock Plus issue.

      If you have trouble with YouTube on FF 35, then you need to go into AdBlock Plus, Filter preferences, Exception Rules, and add the following:

      youtube.com###theater-background

    3. Re:More detail about problems with Flash: by Anonymous Coward · · Score: 0

      Adobe also doesn't really seem to give two shits about their NPAPI plugin anymore, aside from some token updates to security I haven't seen any evidence that they want to fix their bugs anymore, let alone add support for useful features. The situation just gets worse and worse, to the point that Firefox has largely given up on Adobe and are trying to fix the problems themselves by reimplementing Flash in HTML5 (Shumway). Personally I think Google is also largely to blame, for getting in bed with Adobe to pay them to develop their PPAPI plugin just so the world had yet another standard for plugins, which we want to get rid of anyhow.

    4. Re:More detail about problems with Flash: by Anonymous Coward · · Score: 0

      In Chrome it took me 60 seconds to figure out how to delete Flash cookies or view which sites are using Flash cookies. In terms of uploading content to the server, Flash is essentially capable of what JS is capable of. Companies don't need Flash to upload user information. A quick look at cookies on my system shows that the vast majority of websites are storing information with regular cookies, not Flash.

      "For example, an organization with which we are acquainted paid $2,000 to update to an Adobe CS6 suite. CS6 came with old versions of some Adobe programs, and an Adobe representative justified that practice."

      Well, yeah... it's very well-known that Adobe has moved to a subscription model for its Creative Suite. And it's also common knowledge that they still offer the old CS6 software to people who aren't interested in the new business model. There's nothing secretive or shady there. CS is now subscription software. From their site: "If you want all-new versions of your favorite creative software — including Photoshop CC and Illustrator CC — join Creative Cloud. If you prefer the previous version, CS6, you can purchase it here."

      "Now, apparently, Flash applications will not work unless the latest version of Flash is installed."

      Wrong. Flash developers specify the minimum API version for their applications. Nothing has changed here. I can still run apps in old versions of the player.

  15. Are browsers so much better? by Anonymous+Brave+Guy · · Score: 4, Insightful

    Do you realise that many of the criticisms you're directing toward Flash -- about rapid updates, numerous security fixes including some that were found by others, auto-updating, and so on -- could also be directly aimed at Chrome?

    Chrome is an application that actively circumvents the main Windows security model so that it can update executable code on the user's machine without the administrative privileges usually required to install and modify applications. The day someone breaks into Google's update mechanism for even a short time, whether technically or from within the organisation, the damage will be astronomical.

    We could discuss related issues with Microsoft's recommended security models and how much of that update mechanism is actually suggested by Microsoft itself rather than Google, but the facts of what Chrome is doing and the potential danger associated with it are still the same regardless of whose idea it was.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Are browsers so much better? by e70838 · · Score: 2, Insightful

      Chrome is a proof that the main Windows security model does not work.

    2. Re:Are browsers so much better? by brunes69 · · Score: 1

      The risk of the "potential danger" of someone cracking into Chrome's update mechanism and pushing out a rogue update, is exponentially over-weighed by forcing client endpoints to always have the latest security patches - so I totally disagree with the premise of your post. It is far, far, far better for the security of the web as a whole to ensure browsers always have the latest security updates. The near-forced auto-update mechanisms of Firefox and Chrome are some of the best things to have ever happened to web browsers from the point of view of security.

      Finally, Chrome *DOES* provide a way for administrators to lock down to specific Chrome versions, so your post doesn't even have a leg to stand on.

    3. Re:Are browsers so much better? by Anonymous+Brave+Guy · · Score: 2

      The risk of the "potential danger" of someone cracking into Chrome's update mechanism and pushing out a rogue update, is exponentially over-weighed by forcing client endpoints to always have the latest security patches

      Chrome is the most used browser by some way among private individuals. If anyone cracked its auto-update mechanism, every one of those users could be subject to having their private data uploaded without even knowing it, resulting in the usual problems like fraud and identity theft, and/or encrypted and held for ransom, or just deleted.

      The actual cost would depend on how fast Google identified the problem and recovered. Obviously if they found it within a few minutes and shut down the system that would reduce the damage considerably from what it could be. Still, keep in mind that recovering from any breach in this particular software would surely mean at least a major and ongoing PR campaign, as anyone who cracked the auto-update mechanism would disable such channels the moment their malware was installed. It seems possible that the resultant damage not just to the economy from direct fraud but to individual quality of life, consumer confidence, and so on could take a long time to recover, not to mention severely damaging or even bringing down Google as a business.

      And all because they didn't want users to get a simple message saying an update was available and inviting them to download it with the usual security precautions, as Firefox or IE would?

      It is far, far, far better for the security of the web as a whole to ensure browsers always have the latest security updates.

      Of course having timely security updates is better, but as Firefox and IE demonstrate, you don't need to play games that circumvent basic security practices to achieve this.

      Finally, Chrome *DOES* provide a way for administrators to lock down to specific Chrome versions, so your post doesn't even have a leg to stand on.

      I wasn't advocating not updating, only not updating without any confirmation and bypassing normal security checks, so this is a straw man.

      Moreover, if I asked 100 randomly chosen Chrome users how to do this, I imagine fewer than 10 of them would even realise it was possible, so it's not even a good straw man...

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:Are browsers so much better? by Anonymous+Brave+Guy · · Score: 1

      Chrome is using the wrong parts of that model for what it does.

      I agree that giving it the ability to opt out is an error from a system security point of view, but not opting in anyway is on Google.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  16. HiDPI on Firefox by Ark42 · · Score: 1

    Flash is useless on my 192dpi laptop. Everything is so tiny or sometimes only fills up the top left 25% of the box. Adobe doesn't ever seem to care -- https://bugbase.adobe.com/inde...

    1. Re:HiDPI on Firefox by Anonymous Coward · · Score: 0

      offtopic and shoulda bought a mac. osx firefox is fine on both my retina 15 and my 5k imac.

    2. Re:HiDPI on Firefox by Anonymous Coward · · Score: 0

      Wrong. The issue is in NPAPI flash. It is not an issue of being a retard and getting a mac. Flash works in Chrome only because only the PPAPI flash supports HiDPI.

  17. Steve Jobs was right. by Anonymous Coward · · Score: 0

    "Flash is shit."
    "Adobe is lazy."
    He said.

    Flash is zombie software. It's dead, it just doesn't know it yet.

    ---AC

  18. Only game in town by sjbe · · Score: 1

    Define 'viable' -- do you mean it was the only sufficiently insecure platform which allowed arbitrary execution of code on the host machine?

    It was the only platform available at the time to do certain tasks on the web the way people ("developers" especially) wanted to do them, particularly tasks relating to video. There was nothing else comparable at the time. I never claimed it was a good or secure solution, merely that it was the only game in town. Warts and all. A lot of code was written to utilize flash and that sort of thing doesn't go away overnight even when it should.

    Flash is a great example of private technology and interests getting ahead of standards. Internet Explorer 6 is another great example.

    1. Re:Only game in town by Billly+Gates · · Score: 1

      Flash was GREAT and at one time A SAVIOR.

      Remember .WMV was taking over the web? Flash freed us by not having IE 6 and MS define multimedia. You go to youtube and through flash it worked on Linux, Mac, and PC.

      I remember Ask Slashdot had questions on .WMV proprietary media tools for the mac as he didn't want to lose visitors and no one used quicktime anymore and IE 6 had 90% marketshare anyway etc.

      Today yeah it is obsolete but it defined video streaming last decade. It worked regardless of browser and did things through actionscript with beautiful graphics that javascript libraries were a full 5 years behind in comparison.

  19. Flash is blocked by PPH · · Score: 1

    Management figures it's just used for viewing porn sites.

    --
    Have gnu, will travel.
  20. upgrade but still 16.235 by Anonymous Coward · · Score: 0

    Anyone else see this? Older version than the summary.

  21. What Jobs actually said by sjbe · · Score: 1

    One of the last footholds of Flash is the ability to write a Native App for iOS and Android with Adobe AIR.

    That is by definition not a native app. It can behave like one but it's not the same thing.

    What Steve Jobs was talking about was the Flash Browser plug-in -- which was unviable as a mobile browser experience.

    Here is what Jobs said about Flash. Note the bit where he said:

    "We know from painful experience that letting a third party layer of software come between the platform and the developer ultimately results in sub-standard apps and hinders the enhancement and progress of the platform. If developers grow dependent on third party development libraries and tools, they can only take advantage of platform enhancements if and when the third party chooses to adopt the new features. We cannot be at the mercy of a third party deciding if and when they will make our enhancements available to our developers"

    It was VERY much about maintaining control over how applications were developed for iOS.

    Hell, Google bent over backwards to give Adobe everything they claimed Apple denied them and couldn't get it to run in a stable or usable manner on Android.

    Yes they did and there were a lot of people loudly crowing about how having Flash somehow made Android better than iOS. There were/are plenty of reasons to prefer Android but Flash has never been one of them.

    1. Re:What Jobs actually said by Billly+Gates · · Score: 1

      I just read his statement and to me I got flash sites are crap on his phones and 3rd party deciding is bad.

      HTML 5 would not be here without Steve Jobs (no I am not a mac fan). It got off the ground as you could use HTML 5 and CSS 3 for gradients and other effects and video. Flash did not have a mobile mode and scaled and performed poorly.

      It forced web developers to learn HTML 5 for mobile sites and of course with its popularity for -webkit helped Android too with mobile site apps which are now trying to jerk HTML 4 off (thanks to IE 8) to the grave.

  22. Google's Chrome browser has the same issues. by Futurepower(R) · · Score: 1

    "... many of the criticisms [directed] toward Flash... can also be aimed at Chrome"

    I agree. That's why I stopped using Google's Chrome browser. On one computer I checked, Google installed 3 system services:
    Google Update Service (gupdate), "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
    Google Update Service (gupdatem), "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
    Google Updater Service (gusvc), "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

    Normally, software requires an update only if new features have been developed, or in rare cases when a vulnerability is found. I'm guessing, and it is just a guess, that a lot of the vulnerabilities found in Adobe's Flash software are due to extremely poor management of Adobe that began about halfway through Bruce Chizen's period of being CEO. I imagine that the best people at Adobe left because of not liking Chizen's management. Certainly now, when I talk with people at Adobe, they seem very much out of control, as though there is no real management at Adobe or even understanding of technology management.

    However, although Google's management has been degrading rapidly in recent years, in my opinion, Google has historically been much better managed. Someone checks Google software before it is released. But there are such frequent updates in Chrome that it seems possible that Google is being forced by some secret agency in the U.S. government (There are many more than just the NSA.) to deliver software to get information directly from users' computers. (I've been studying the degradation of management of formerly excellent companies since the downfall of Fairchild Semiconductor and of Tektronix.)

    Also, there is an abuse that is becoming much more common: It is possible to give a name to a service (or an Internet domain) that is misleading or un-informative about who is in control of it. The sneaky, dishonest, abusive people are becoming more powerful, as in other areas of U.S. society.

    So, we need an open-source operating system that has a far better security model. (Open source so that we can try to prevent hidden agencies from being in control.) We need a federal law that all software components must be labeled with their true supplier.

  23. Most don't have the technical ability... by Futurepower(R) · · Score: 1

    "Wrong. Flash developers specify the minimum API version for their applications. Nothing has changed here. I can still run apps in old versions of the player."

    Not wrong, because we've seen the problem with several domains. I'm guessing that Flash development software now automatically includes that limitation, and that the Flash development software updates without user intervention or knowledge. Most people who develop with Flash don't have the technical ability to know the "minimum API version for their applications".

  24. Experiences of tech. people are not representative by Futurepower(R) · · Score: 1

    "In Chrome it took me 60 seconds to figure out how to delete Flash cookies or view which sites are using Flash cookies."

    Translation: In Chrome a highly technically knowledgeable person, who knows that Flash cookies must be deleted, took only 60 seconds to delete them.

    "In terms of uploading content to the server, Flash is essentially capable of what JS is capable of. Companies don't need Flash to upload user information."

    No JavaScript engine installs a system service. Flash does, and, according to Adobe, new vulnerabilities are discovered in Adobe software every 2 to 4 weeks. So, even if Adobe is not abusive, there are plenty of opportunities for others to invade a system.

    "A quick look at cookies on my system shows that the vast majority of websites are storing information with regular cookies, not Flash."

    Cookies on the system of a technically knowledgeable person are not representative of the cookies on the systems of average users.

  25. Thanks. by Futurepower(R) · · Score: 1

    Thanks for the info about AdBlock.

  26. Thanks again. by Futurepower(R) · · Score: 1

    Thanks for the additional info about AdBlock.

  27. Not just joking, a direction of useful inquiry by Futurepower(R) · · Score: 1

    "The best theory I've seen so far is that Flash is bit like quantum soup with a black hole in hiding in the extremely odd extra dimensions."

    That is not just a joke, it is a direction of useful inquiry.

    We need to philosophize about why a company would be so horrible toward its customers. Okay, probably not involving the quantum soup and black holes of Physics, but instead the quantum soup and black holes of Sociology.

    There is some recent Slashdot sociological inquiry about Bill Gates and a cancer cure.

    Then there is WEIRD, When Every Idea Rates Dumb.

  28. a new bug? by Anonymous Coward · · Score: 0

    is anyone seeing massive memory usage by flashplayerplugin.exe?