8 of the 10 Top Security Flaws Used By Cyber-Criminals This Year Were Flash Bugs

An anonymous reader writes: Adobe Flash Player provided eight of the top 10 vulnerabilities used by exploit kits in 2015. Angler is currently the most popular exploit kit, regularly tied to malware including Cryptolocker. Vulnerabilities in Microsoft's Internet Explorer and Silverlight are also major targets. All of these are the conclusions of a Recorded Future report.

Lies

And Stats proven to be more than 80% of the time.

And the rest we're probably Jave, Acrobat, and OS

[msimm]

I uninstalled Flash about 4 months ago. Guess what...the web still works. Even the questionable video sites I use work (or at least > 50%, which is enough). Sites that insist on requiring flash in 2015 probably haven't been relevant since 2010. Sites that require wonky plugins had better be for work and get relegated to a Microsoft browser product I don't use for anything else.

Re:And the rest we're probably Jave, Acrobat, and

[msimm]

Also, were/we're. Sue me. It's the vodka.

Re:And the rest we're probably Jave, Acrobat, and

[GNious]

In a world where Flash is not required for any functionality, and where it has been a known security risk for a long while, websites that require it are either painfully incompetent, or malicious - feel free to remind hostmasters of this.

Can windows PC runs without Adobe Flash?

Has anyone tried running a PC without Adobe Flash?

Can that PC be used to surf the Net?

Any suggestion would be very much appreciated !

Re: Can windows PC runs without Adobe Flash?

Any sites that require tend to be either Eastern European (dodgy porn) or very old. It's not available on Android any more and that's where most web surfing is done.

Re: Can windows PC runs without Adobe Flash?

so you like to Web surf on that information super-hiway do you? aol to you, brah, and to me, brah.

Re:Can windows PC runs without Adobe Flash?

[hcs_$reboot]

Likely difficult. Windows 10 seems to be written in Flash

Re:Can windows PC runs without Adobe Flash?

[JaredOfEuropa]

When I last replaced my PC, it was a good while before I felt compelled to install Flash on it again. These days, very few sites require it, even the dodgy Eastern European porn sites and equally dodgy advertising rings seem to have shied away from it. I have Flash installed but the browser is set to block it unless specifically allowed. The last time I activated Flash was to watch a news program on some local TV channel's site.

Re:Can windows PC runs without Adobe Flash?

When I last replaced my PC, it was a good while before I felt compelled to install Flash on it again. These days, very few sites require it, even the dodgy Eastern European porn sites and equally dodgy advertising rings seem to have shied away from it. I have Flash installed but the browser is set to block it unless specifically allowed. The last time I activated Flash was to watch a news program on some local TV channel's site.

So let me get this straight... after buying your last PC you actively cruised around dodgy porn sites and sites with dodgy ads, just to check whether those sites were still using Flash?

Sounds like the kind of research project that would get you an Ignobel prize if you published it.

Re:Can windows PC runs without Adobe Flash?

[deviated_prevert]

Likely difficult. Windows 10 seems to be written in Flash

No this is the first good version of windows that was written in flash. Now it only runs on HTML5 and is as good as ever.

Re:Can windows PC runs without Adobe Flash?

[Megane]

See if you can set your browser to require click-to-start for Flash. This ought to get you past most of this Flash malware shit, plus all the annoying Flash ads, while still letting you run the rare thing that still needs it. Now that Youtube can be used without Flash, there's no real need to let it run automatically.

Re:Can windows PC runs without Adobe Flash?

[Joce640k]

Has anyone tried running a PC without Adobe Flash?

Can that PC be used to surf the Net?

Any suggestion would be very much appreciated !

Assuming you have a proper web browser: You can get plugins that stop flash from running automatically. That's almost the same thing as "no flash".

Re: Can windows PC runs without Adobe Flash?

I run with Flash turned off by noscript. Most of the web can be surfed just fine, and more efficiently. For example, AT&T uses Flash to show you a video indicating that it is waiting.

However, some US domestic websites for various companies that want to be real artsy or have been sold a bill of goods have a Flash front page, and you can't click anything unless you run Flash.

Re:Can windows PC runs without Adobe Flash?

Uhh, that's Silverlight. Get it straight!

Re: And the rest we're probably Jave, Acrobat, and

Or, they have a huge library of popular Flash games. As a tower defense addict I see no way that Flash can leave my PC in the near future.

Re:And the rest we're probably Jave, Acrobat, and

[GNious]

Eating my own dog-chow: https://twitter.com/GNious/sta...

Feel free to retwat it at people who need to stop using Flash :)

VMWare - when are you getting rid of it?

[shocking]

Crying shame that you need it for consoles and the like.

Re:VMWare - when are you getting rid of it?

[_defiant_]

If you've ever used VMware Server 2 you wouldn't be eager for their pure HTML interface. At least the flash one works...

Re:VMWare - when are you getting rid of it?

But it's not even just Flash. The VSphere thing still requires an 80MB download to get the "client integration plugin," which requires ~300MB of disk space to even handle such very basic functionalities like uploading ISO images. Why on earth those people didn't go with simple HTML, add on option to just specify HTTP(s) URLs to ISO images, and run the remote administration with a simple VNC client is beyond me (even Keyboard an mouse macros are trivial over VNC, just stick a small menu strip on top of the graphics output of the emulated machine). Instead, those people have chosen to even draw the mouse pointer themselves, so that the users can suffer twice through the tardiness of flash while waiting for basically anything to happen.

Right now, the stupid flash nonsense doesn't work for me in chrome, it just sends me into an infinite login loop.

Re:VMWare - when are you getting rid of it?

[shocking]

I suspect that you are right - I just want to be able to administer stuff from a HTML5 browser running anywhere.

Re: And the rest we're probably Java, Acrobat, and

[msimm]

Either abstract it, contain it, or visualize it. Using a poorly maintained platform for the games doesn't mean you have to use it for everything.

My bank

I'm so glad my bank's website uses Flash.

Good news!

If my calculations are correct, then that means Flash vulnerabilities have dropped by nearly 20% in 2015 alone!

We can go without

[BlackDesign]

There are multiple platforms not using Flash. Look at Apple's Ipad. By default no Flash on this device and still you can visit 99% of the websites (even video content). Its just the developers that need to turn their heads on it, and start using alternatives.

Re:We can go without

The problem is lethargy and inherent costs to replace/convert everything that exists today. Who is going to pay for the retooling, reengineering and conversion? Just because something is technically possible, in the business world, all decisions like this come with a cost analysis, and right now, it's a negative sum loss. Just because a bunch of home users are click-happy and cause the problem, businesses don't have the exploit on their content.

If you want this shit fixed, it has to come from those making the browsers. They have to remove it completely so none of the macromedia crap works.

Re:We can go without

Its just the developers that need to turn their heads on it, and start using alternatives.

A developer does what a developer is paid to do. Sometimes things do not get fixed until there is a financial incentive to do so.

Re:We can go without

Yes. Hulu and iPad. The free web version, based on flash, not accessible. The app, with subscription, allows viewing of Hulu videos.

Re:We can go without

[azav]

It's* just the developers

        it's = it is

Learn this.

Flash is not a bad idea

Those older than twenty remember when most rather than just some of the vulnerabilities found were in JavaScript/DOM implementation.

Now unfortunately we have half a dozen large firms under the w3c umbrella owning the web. And their intention is to make non PC apps necessary, but to kill off PC desktop.

Re:Flash is not a bad idea

[tepples]

In your theory, once PC desktop is killed off, with what tools will people develop HTML5 apps?

Flashbugs

Flashbugs make flash bombs.
Any Monster Hunter players here?

Flash Bugs running on Microsoft Windows ..

[nickweller]

"8 of the 10 Top Security Flaws Used By Cyber-Criminals This Year Were Flash Bugs"

Bugs in an application can only be exploited by defects in the underlying Operating System

Re:Flash Bugs running on Microsoft Windows ..

That's the most ridiculous and unqualified statement on bugs I've ever read.

What happens if an application allows for arbitrary code injection and execution due to a buffer overflow bug? Injected code could easily wipe all your user space files by using standard file io operations without ever doing anything that can be construed as exploiting defects in an underlying OS.

Name one OS that can't be "exploited" in this fashion.

Re:Flash Bugs running on Microsoft Windows ..

[fustakrakich]

Name one OS that can't be "exploited" in this fashion.

That is the point. All OSs suck. This simply should not happen. I am becoming more convinced it is intentional.

Re:Flash Bugs running on Microsoft Windows ..

[nickweller]

Operating System Security and Secure Operating systems

The foundations of a provably secure operating system (PSOS)

Re:Flash Bugs running on Microsoft Windows ..

[Zero__Kelvin]

You are an idiot

Re:And the rest we're probably Jave, Acrobat, and

[drinkypoo]

Feel free to retwat it at people who need to stop using Flash :)

I only retweet when someone is saying something clever, and preferably when someone knows who they are. Suggesting that something you said is quotable proves that it isn't, because who would want to quote someone like that?

Not supported on most platforms anymore

[Big+Hairy+Ian]

Flash isn't supported on IOS or Android anymore. It's only supported on Windows & Linux because they are not walled gardens. Can't speak for the Apple Mac but assume it's not supported or at least discouraged.

Re:Not supported on most platforms anymore

When you ASSUME... you prove to be an idiot who spouts his uninformed opinion on a very basic topic and gets it wrong.

Re:Not supported on most platforms anymore

[U2xhc2hkb3QgU3Vja3M]

Flash was never supported on iOS and Adobe Flash has not been installed by default on OS X for years now.

Fight for your bitcoins!

Newgrounds

[tepples]

Any sites that require [the Flash Player plug-in] tend to be either Eastern European (dodgy porn) or very old.

I'm not sure what you mean by "very old". Do you mean "established long ago" or specifically "not updated in years"? In which sense are Newgrounds, Albino Blacksheep, Dagobah, and Weebl's Stuff "very old"?

Re:Newgrounds

[ArsenneLupin]

I'm not sure what you mean by "very old". Do you mean "established long ago" or specifically "not updated in years"? In which sense are Newgrounds, Albino Blacksheep, Dagobah, and Weebl's Stuff "very old"?

What are Newgrounds, Albino Blacksheep, Dagobah, and Weebl's Stuff? Do we have to know them?

Re:Newgrounds

[tepples]

Archives of classic vector animations created before HTML5 had support for <canvas> and <audio>.

Re: Newgrounds

So old stuff, then. Antiques.

Browser break, escalation, and VM escape?

[tepples]

In order to spoil such a research project, a site would have to find an exploit that busts out of not only the browser but also the user account and VirtualBox.

Re: And the rest we're probably Jave, Acrobat, and

[tepples]

Is there a reason you can't play tower defense in Flash Player in Firefox in Xubuntu in VirtualBox?

Your money needs an Ally

[tepples]

Have you tried switching from your Flash bank to an HTML5 bank such as Ally or Schwab?

Re:Your money needs an Ally

Seems like a dumb idea to use a bank that isn't physically located near me.

Lack of thorough support for jails

[tepples]

What happens if an application allows for arbitrary code injection and execution due to a buffer overflow bug? Injected code could easily wipe all your user space files by using standard file io operations without ever doing anything that can be construed as exploiting defects in an underlying OS.

Not if the application is running under a separate user account, a jail, or some other containment facility of the operating system. Lack of such a facility is the defect. An application shouldn't be able to access a resource unless both the user has access to it and the user has delegated access to it to the particular application.

Name one OS that can't be "exploited" in this fashion.

Any GNU/Linux distribution with an AppArmor policy in effect. Or iOS on Apple devices. Or IOS on Nintendo Wii for that matter. Or Android, provided the APK doesn't have the SD full access permission. Or OLPC Sugar, which has the Bitfrost capability system. Likewise, both OS X with Mac App Store and Windows 8 and later with Windows Store prohibit store applications from writing outside the application's own data folder and folders chosen by the user or reading outside those folders and the program folder.

Re:Lack of thorough support for jails

Windows has the capability to run programs under different accounts. So under your logic, it is also not defective. In fact, most OSes are multiuser anymore so they aren't defective either.

Re:Lack of thorough support for jails

[tepples]

Windows has the capability to run programs under different accounts.

That's a start. Bundling a GUI to create accounts for individual desktop applications would be even better.

Re:Lack of thorough support for jails

The closest I've seen was the old "Drop My Rights" utility released as MSVC source for Windows XP. You could use it to force a shortcut to selectively exclude permissions for the linked application without the need to create a plethora of application-specific accounts. A programmer who understood Windows ACLs could have modified the source to support Win2000, but it was EOL or close to it at the time; the source for DropMyRights used API functions introduced in WinXP, but they were merely wrappers introduced to streamline boilerplate ACL code commonly needed when using the older API.

- T

As an old Shockwave Director user

[azav]

And engineering team member, Flash just can't die soon enough.

Re:As an old Shockwave Director user

[Zero__Kelvin]

So you are saying Flash is like people who use the subject line as the start of their post?

Re:As an old Shockwave Director user

[azav]

Awwwwww, you need a hug.

what is flash?

flash = data that executes. it can't be made secure. does not matter what the underlying os is.

Re:And the rest we're probably Jave, Acrobat, and

+1. Haven't used Flash in over a year. Haven't noticed. HTML5 FTW!

And then there's VMware vSphere Web Client...

... released in 2015, and is the front-end for your vCenter and vSphere environment that, guess what, requires FLASH!!! Really VMware?!!!

Re:And the rest we're probably Jave, Acrobat, and

[gweihir]

Same here. Using flash these days is gross negligence.

Re:And the rest we're probably Jave, Acrobat, and

[antdude]

My former and current employers still use Flash, Java, Silverlight, etc. :/

Re:And the rest we're probably Jave, Acrobat, and

[antdude]

What about those Flash games, interactive http://homestarrunner.com/ etc.? :P

Re:And the rest we're probably Jave, Acrobat, and

[Zero__Kelvin]

"Suggesting that something you said is quotable proves that it isn't"

That has to be one of the most absurd assertions I have seen in quite some time.

Why is online banking dumb?

[tepples]

Seems like a dumb idea to use a bank that isn't physically located near me.

Are you referring to getting money into a bank not physically located near you, to getting money out of a bank not physically located near you, or to some other use case I haven't thought of?

As for getting money into a bank not physically located near you, you can have direct deposit of your paycheck or other ACH transfers sent to any bank. Personal checks can be mailed or in many cases deposited using an iOS or Android device with a rear-facing camera. Cash can be spent locally; I'll often dump cash into the self-checkout lane at a local grocery store. What other money do you regularly receive?

As for getting cash out of a bank not physically located near you, many banks reimburse for ATM fees. Or you can get cash back with a purchase at any retailer that takes EFTPOS cards.

Re:Why is online banking dumb?

So you recommend using two banks? Seems like twice the hassle.

My bank charges me extra for ATM fees. so $2.95 charged by the ATM operator and $2 for an out-of-network fee. Costs me nearly $5 to use an ATM, how awesome is that?

Re:Why is online banking dumb?

[tepples]

So you recommend using two banks?

Only for about a month while you are switching to only an online bank.

many banks reimburse for ATM fees. Or you can get cash back with a purchase at any retailer that takes EFTPOS cards.

My bank charges me extra for ATM fees.

Dump it and switch to an online bank that charges no out-of-network fees and reimburses ATM operators' fees, like Ally or Schwab. Or get cash back at Walmart or wherever.