Slashdot Mirror


Adobe Patches Nine Vulnerabilities In Flash

jones_supa writes Adobe has patched nine vulnerabilities in Flash Player — four of which are considered "critical" — in order to protect against malicious attackers who could exploit the bugs to take control of an affected system. Adobe acknowledged security researchers from Google, McAfee, HP, and Verisign. Flash's security bulletin contains more information on the vulnerabilities. The issues are fixed in mainline Flash Player 16.0.0.257 (incl. Google Chrome Linux version), extended support release 13.0.0.260, and Linux standalone plugin 11.2.202.429.

16 of 95 comments

  1. Given the track record of Flash by AchilleTalon · · Score: 5, Funny

    Given the track record of Flash, I would say they patched 9 and introduced 18.

    --
    Achille Talon
    Hop!
    1. Re:Given the track record of Flash by fuzzyfuzzyfungus · · Score: 2

      I'm not sure whether their patches add bugs, or whether their original code quality was so atrocious that they are trying to fix a transfinite number of flaws by removing them at a finite rate.

  2. Why? by barcarolle · · Score: 2

    Why in the world are we still using this completely unnecessary software?

    1. Re:Why? by Anonymous Coward · · Score: 2, Insightful

      Youporn.

    2. Re: Why? by gstoddart · · Score: 2

      But why do we think it is a good idea for arbitrary websites to be able to run arbitrary code? That's completely idiotic.

      Flash and Java are among those things that expect you to run your browser in the least secure possible configuration (let anybody run anything) on the offbeat chance you might need it somewhere.

      Which means you let all of the rest of the websites you visit run anything they want to for no good reason.

      Since Flash is mostly a security hole used by advertising, and the few sites I've seen which require Flash for navigation are complete crap, why are people willing to put up with this?

      Hey, I know, how about we stop pretending that we need the stuff Flash brings to the table because it just makes a more overall insecure browsing experience, so when you do get exploited it was kind of just a matter of time.

      Flash (and to a certain extent, Java) has always been a security hole. It's time to stop pretending that it's otherwise useful.

      At the very least, it needs to be sandboxed up the wazoo ... there is no way in hell Flash should have access to anything outside of itself, because you can't trust it. Not now, not ever.

      --
      Lost at C:>. Found at C.
  3. Any chance of a non-Chrome Linux version? by Viol8 · · Score: 2

    No, didn't think so. I guess at some point Flash in firefox will just stop working because so many sites will require a more modern version. Funnily enough I don't think I'll care.

  4. Re:Get rid of flash on slashdot, firefox by cheekyboy · · Score: 3, Insightful

    please mark flash as spyware, please kill flash!!!!

    Any business that still wants programmers to make apps in Flash is stupid. HULU, please recode your apps.

    Besides Flash/Flex, AS, just purely suck as a language, utter putrid crap.

    Please make all firewalls block flash.

    Make Firefox not even accept Flash plugins; ban it, blacklist it.

    --
    Liberty freedom are no1, not dicks in suits.
  5. Security Through Instability by winphreak · · Score: 5, Funny

    Luckily, Flash crashes before any malicious code can be executed!

    --
    "I'm a well-wisher, in that I don't wish you any specific harm."
  6. Re:Get rid of flash on slashdot, firefox by l0ungeb0y · · Score: 3, Insightful

    Any business that still wants programmers to make apps in flash are stupid

    Name one other way to transmit a live video & audio stream from the browser that works across all major platforms that doesn't require a download and install.

    Besides Flash/Flex, AS, just purely suck as a language, utter putrid crap.

    AS3 is essentially Java with most of the same features as most other strongly typed OO languages.

    Please make all firewalls block flash. Make firefox not even accept flash plugins, ban it , black list it.

    Yes, let's kill off browser-based internet video chat for the next few years and go with vendor-specific implementations from Google and Apple! No one should be able to create a video app until Google lets them! Flash needs to die, but the fact is HTML5 has yet to provide a means to provide device access and a streaming AV codec. Sure, Opus is great, but not the standard and will likely never be adopted by Apple, and WebRTC is great, but not the standard and has issues with implementation requirements (ICE servers, TURN/STUN).

  7. More detail about problems with Flash: by Futurepower(R) · · Score: 4, Informative

    The Flashblock extension apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?

    Adobe's Flash software is abusive to users, in my opinion. From the Better Privacy Firefox extension web page, re-written for clarity:
    Some properties of Flash-cookies (LSOs):
    1) They don't expire. They stay on each computer for an unlimited time.
    2) By default they offer a storage of 100 KB. Normal cookies, 4 KB.
    3) Browsers are not fully aware of LSOs; they often cannot be displayed or managed by browsers.
    4) Using Adobe's Flash, companies store and access highly specific personal and technical information (system, user name, files, ...).
    5) Flash sends the stored information to servers without the computer user's permission.
    6) Some Flash applications are not visible to the user. Not all Flash applications display anything.
    7) There is no easy way to tell which Flash-cookie sites are tracking you.
    8) Shared folders allow cross-browser tracking; LSOs work in every Flash-enabled application.
    9) Adobe doesn't provide a user-friendly way to manage LSOs. Management is very cumbersome.
    10) Many companies make extensive use of Flash-cookies.

    Apparently Adobe develops software but doesn't check for flaws. There have been 24 new versions of Adobe's Flash software in one year, if I count correctly, since v11.9.900.170 in January of 2014. (The latest version is v16.0.0.257.) As the Slashdot story mentions, the flaws were found by other companies, not Adobe.

    One purpose of the extremely frequent updating may be to push users to allow Adobe to do its silent updating, giving Adobe control over user's computers.

    Now, apparently, Flash applications will not work unless the latest version of Flash is installed. That's apparently another way Adobe pushes users to allow Adobe to do silent updating, using the Windows operating system service Adobe calls ARM: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

    Apparently the former Adobe CEO, Bruce Chizen became tired of managing, because Adobe was, in my opinion, poorly managed for years before Mr. Chizen was replaced in 2007. Bruce Chizen is on Oracle's board of directors. Birds of a feather flock together?

    The present Adobe CEO, Shantanu Narayen, is, in my opinion, a very poor manager. For example, an organization with which we are acquainted paid $2,000 to update to an Adobe CS6 suite. CS6 came with old versions of some Adobe programs, and an Adobe representative justified that practice.
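    Added example (not code from the thread, from Adobe, or from the Better Privacy extension): items 3, 7 and 9 in the list above say browsers cannot show you which sites have planted Flash cookies. The script below shows how a practitioner can do that from outside the browser by walking Flash Player's on-disk `#SharedObjects` tree and reading the fixed header of each `.sol` file. Assumptions: the default `#SharedObjects` locations listed in `LSO_ROOTS`, the layout `<random id>/<domain>/<path>/<name>.sol` beneath them, and the `.sol` header format (`00 BF`, big-endian length, `TCSO`, padding, name, AMF version byte). The `demo()` function builds a constructed tree in a temporary directory so the script runs offline; the payload bytes it writes are placeholders, not real AMF data.

```python
"""Enumerate Flash Local Shared Objects (.sol files) by owning domain.

Added example for this thread, not Adobe's or any extension's code.
Assumptions: default #SharedObjects roots and the .sol header layout
documented below; sample data in demo() is constructed, not real.
"""
import os
import struct
import tempfile
from pathlib import Path
from typing import Dict, List

# Default Flash Player LSO roots (assumed defaults; Linux, macOS, Windows).
LSO_ROOTS = [
    Path.home() / ".macromedia" / "Flash_Player" / "#SharedObjects",
    Path.home() / "Library" / "Preferences" / "Macromedia" / "Flash Player" / "#SharedObjects",
    Path(os.environ.get("APPDATA", "")) / "Macromedia" / "Flash Player" / "#SharedObjects",
]

SOL_MAGIC = b"\x00\xbf"
SOL_TAG = b"TCSO"
SOL_PAD = b"\x00\x04\x00\x00\x00\x00"


def parse_sol_header(data: bytes) -> dict:
    """Parse the fixed .sol header and return name, AMF version and payload size.

    Layout (big-endian):
      00 BF | u32 length of everything after this field | "TCSO"
      | 00 04 00 00 00 00 | u16 name length | name | 00 00 00 | u8 AMF version (0 or 3)
      | AMF-encoded key/value payload
    """
    if len(data) < 18 or data[:2] != SOL_MAGIC or data[6:10] != SOL_TAG:
        raise ValueError("not a Flash LSO (.sol) file")
    body_len = struct.unpack(">I", data[2:6])[0]
    if body_len != len(data) - 6:
        raise ValueError("length field does not match file size")
    name_len = struct.unpack(">H", data[16:18])[0]
    version_off = 18 + name_len + 3
    if version_off >= len(data):
        raise ValueError("truncated .sol header")
    name = data[18:18 + name_len].decode("utf-8", errors="replace")
    return {
        "name": name,
        "amf_version": data[version_off],
        "payload_bytes": len(data) - (version_off + 1),
    }


def build_sol(name: str, payload: bytes, amf_version: int = 0) -> bytes:
    """Build a minimal .sol file (used only to construct sample data)."""
    body = (SOL_TAG + SOL_PAD + struct.pack(">H", len(name)) + name.encode("utf-8")
            + b"\x00\x00\x00" + bytes([amf_version]) + payload)
    return SOL_MAGIC + struct.pack(">I", len(body)) + body


def enumerate_lsos(root: Path) -> Dict[str, List[dict]]:
    """Walk one #SharedObjects root and group .sol files by the domain directory."""
    found: Dict[str, List[dict]] = {}
    if not root.is_dir():
        return found
    for path in root.rglob("*.sol"):
        rel = path.relative_to(root).parts          # (<random id>, <domain>, ..., <name>.sol)
        if len(rel) < 3:
            continue
        domain = rel[1]
        try:
            info = parse_sol_header(path.read_bytes())
        except ValueError as exc:
            info = {"error": str(exc)}              # report unparsable files rather than hide them
        info["path"] = "/".join(rel)
        found.setdefault(domain, []).append(info)
    return found


def demo() -> Dict[str, List[dict]]:
    """Build a constructed #SharedObjects tree in a temp dir and enumerate it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "#SharedObjects"
        tracker = root / "ABCD1234" / "ads.example.net" / "beacon"
        video = root / "ABCD1234" / "video.example.org"
        tracker.mkdir(parents=True)
        video.mkdir(parents=True)
        # Placeholder payloads: 11 opaque bytes for the tracker, 8 for the player setting.
        (tracker / "uid.sol").write_bytes(build_sol("uid", b"\x02\x00\x08visitor1"))
        (video / "volume.sol").write_bytes(build_sol("volume", b"\x00" * 8, amf_version=3))
        (video / "broken.sol").write_bytes(b"garbage")   # deliberately malformed
        return enumerate_lsos(root)


def main() -> None:
    for root in LSO_ROOTS:
        for domain, entries in sorted(enumerate_lsos(root).items()):
            print(f"{domain}: {len(entries)} object(s)")
            for e in entries:
                print("   ", e)


if __name__ == "__main__":
    main()
```

    Run it as-is to list whatever real Flash cookies exist under the default roots; an empty result means either Flash never ran for this user or the files live elsewhere, not that no tracking happened. Only the header is parsed here; decoding the AMF payload (the actual stored values) needs a full AMF0/AMF3 decoder.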

    1. Re:More detail about problems with Flash: by Anonymous Coward · · Score: 3, Informative

      The Flashblock extension [mozdev.org] apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?

      Only if you also have AdBlock installed. There is a "bug" when you use both. You can fix it by adding "youtube.com##div#theater-background.player-height" to AdBlock's exception rules.

  8. Are browsers so much better? by Anonymous+Brave+Guy · · Score: 4, Insightful

    Do you realise that many of the criticisms you're directing toward Flash -- about rapid updates, numerous security fixes including some that were found by others, auto-updating, and so on -- could also be directly aimed at Chrome?

    Chrome is an application that actively circumvents the main Windows security model so that it can update executable code on the user's machine without the administrative privileges usually required to install and modify applications. The day someone breaks into Google's update mechanism for even a short time, whether technically or from within the organisation, the damage will be astronomical.

    We could discuss related issues with Microsoft's recommended security models and how much of that update mechanism is actually suggested by Microsoft itself rather than Google, but the facts of what Chrome is doing and the potential danger associated with it are still the same regardless of whose idea it was.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Are browsers so much better? by e70838 · · Score: 2, Insightful

      Chrome is a proof that the main Windows security model does not work.

    2. Re:Are browsers so much better? by Anonymous+Brave+Guy · · Score: 2

      The risk of the "potential danger" of someone cracking into Chrome's update mechanism and pushing out a rogue update, is exponentially over-weighed by forcing client endpoints to always have the latest security patches

      Chrome is the most used browser by some way among private individuals. If anyone cracked its auto-update mechanism, every one of those users could be subject to having their private data uploaded without even knowing it, resulting in the usual problems like fraud and identity theft, and/or encrypted and held for ransom, or just deleted.

      The actual cost would depend on how fast Google identified the problem and recovered. Obviously if they found it within a few minutes and shut down the system that would reduce the damage considerably from what it could be. Still, keep in mind that recovering from any breach in this particular software would surely mean at least a major and ongoing PR campaign, as anyone who cracked the auto-update mechanism would disable such channels the moment their malware was installed. It seems possible that the resultant damage not just to the economy from direct fraud but to individual quality of life, consumer confidence, and so on could take a long time to recover, not to mention severely damaging or even bringing down Google as a business.

      And all because they didn't want users to get a simple message saying an update was available and inviting them to download it with the usual security precautions, as Firefox or IE would?

      It is far, far, far better for the security of the web as a whole to ensure browsers always have the latest security updates.

      Of course having timely security updates is better, but as Firefox and IE demonstrate, you don't need to play games that circumvent basic security practices to achieve this.

      Finally, Chrome *DOES* provide a way for administrators to lock down to specific Chrome versions, so your post doesn't even have a leg to stand on.

      I wasn't advocating not updating, only not updating without any confirmation and bypassing normal security checks, so this is a straw man.

      Moreover, if I asked 100 randomly chosen Chrome users how to do this, I imagine fewer than 10 of them would even realise it was possible, so it's not even a good straw man...

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  9. Re:History by Anonymous+Brave+Guy · · Score: 2

    The ability to spy on your microphone and camera?

    There were explicit prompts for permission before accessing those peripherals with a default answer of "no", which is hardly spying.

    In any case, how would you have suggested that someone implement a videoconferencing tool five years ago, without using any of these plug-ins you hate so much because you claim they don't do anything useful and just create security problems?

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  10. Re:History by l0ungeb0y · · Score: 2

    Not at all. One of the last footholds of Flash is the ability to write a Native App for iOS and Android with Adobe AIR. What Steve Jobs was talking about was the Flash Browser plug-in -- which was unviable as a mobile browser experience. Hell, Google bent over backwards to give Adobe everything they claimed Apple denied them and couldn't get it to run in a stable or usable manner on Android.