Adobe Patches Nine Vulnerabilities In Flash
jones_supa writes Adobe has patched nine vulnerabilities in Flash Player — four of which are considered "critical" — in order to protect against malicious attackers who could exploit the bugs to take control of an affected system. Adobe acknowledged security researchers from Google, McAfee, HP, and Verisign. Flash's security bulletin contains more information on the vulnerabilities. The issues are fixed in mainline Flash Player 16.0.0.257 (incl. Google Chrome Linux version), extended support release 13.0.0.260, and Linux standalone plugin 11.2.202.429.
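For anyone checking machines against the fixed releases named in the summary, here is a small audit sketch. It is an added example, not code from Adobe or from the story. The platform label `linux-standalone`, the rule that assigns a build to a release track, and the inventory rows are all assumptions made for illustration.

```python
# Fixed versions quoted in the story summary above.
FIXED = {"mainline": (16, 0, 0, 257), "esr": (13, 0, 0, 260),
         "linux": (11, 2, 202, 429)}

def parse_version(text):
    """Parse 'a.b.c.d'; also accept 'a,b,c,d' as some plugin listings print it."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)

def release_track(version, platform):
    """Assumed mapping from an installed build to the track that patches it."""
    if platform == "linux-standalone" and version[:2] == (11, 2):
        return "linux"
    if version[0] == 13:
        return "esr"
    return "mainline"  # any other build has to move to current mainline

def audit(inventory):
    """Return (host, track, required_version) for every unpatched host."""
    findings = []
    for host, platform, text in inventory:
        try:
            version = parse_version(text)
        except ValueError:
            findings.append((host, "unknown", None))  # needs manual review
            continue
        track = release_track(version, platform)
        if version < FIXED[track]:
            findings.append((host, track, ".".join(map(str, FIXED[track]))))
    return findings

# Constructed inventory rows: (host, platform, reported Flash version).
SAMPLE = [
    ("ws-01", "windows", "16.0.0.257"),
    ("ws-02", "windows", "15.0.0.246"),
    ("ws-03", "windows", "13.0.0.259"),
    ("lx-01", "linux-standalone", "11.2.202.425"),
    ("lx-02", "linux-standalone", "11.2.202.429"),
    ("ws-04", "windows", "16,0,0,235"),
    ("ws-05", "windows", "not installed?"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Builds on the 14.x or 15.x line are reported against the mainline fix because the summary names no separate patched release for them.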
The Flashblock extension apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?
Adobe's Flash software is abusive to users, in my opinion. From the Better Privacy Firefox extension web page, re-written for clarity:
Some properties of Flash-cookies (LSOs):
1) They don't expire. They stay on each computer for an unlimited time.
2) By default they offer a storage of 100 KB. Normal cookies, 4 KB.
3) Browsers are not fully aware of LSOs. They often cannot be displayed or managed by browsers.
4) Using Adobe's Flash, companies store and access highly specific personal and technical information (system, user name, files, ...).
5) Flash sends the stored information to servers without the computer user's permission.
6) Some Flash applications are not visible to the user. Not all Flash applications display anything.
7) There is no easy way to tell which Flash-cookie sites are tracking you.
8) Shared folders allow cross-browser tracking; LSOs work in every Flash-enabled application.
9) Adobe doesn't provide a user-friendly way to manage LSOs. Management is very cumbersome.
10) Many companies make extensive use of Flash-cookies.
Apparently Adobe develops software but doesn't check for flaws. There have been 24 new versions of Adobe's Flash software in one year, if I count correctly, since v11.9.900.170 in January of 2014. (The latest version is v16.0.0.257.) As the Slashdot story mentions, the flaws were found by other companies, not Adobe.
One purpose of the extremely frequent updating may be to push users to allow Adobe to do its silent updating, giving Adobe control over users' computers.
Now, apparently, Flash applications will not work unless the latest version of Flash is installed. That's apparently another way Adobe pushes users to allow Adobe to do silent updating, using the Windows operating system service Adobe calls ARM: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Apparently the former Adobe CEO, Bruce Chizen, became tired of managing, because Adobe was, in my opinion, poorly managed for years before Mr. Chizen was replaced in 2007. Bruce Chizen is on Oracle's board of directors. Birds of a feather flock together?
The present Adobe CEO, Shantanu Narayen, is, in my opinion, a very poor manager. For example, an organization with which we are acquainted paid $2,000 to update to an Adobe CS6 suite. CS6 came with old versions of some Adobe programs, and an Adobe representative justified that practice.