Delete Or Update All Adobe Flash Player Instances, Experts Warn (threatpost.com)
An anonymous reader quotes an article from BankInfoSecurity:
Security experts are once again warning enterprises to immediately update -- or delete -- all instances of the Adobe Flash Player they may have installed on any system in the wake of reports that a zero-day flaw in the web browser plug-in is being targeted by an advanced persistent threat group.... The bug exists in Adobe Flash Player 21.0.0.242 and earlier versions -- running on Windows, Mac, Linux, and Chrome OS -- and "successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."
Thursday Adobe released an updated version of Flash patching 36 separate vulnerabilities, including the critical vulnerability which "if exploited would allow malicious native-code to execute, potentially without a user being aware." While applauding Adobe's quick response, researchers at Kaspersky Lab say it's already been exploited in Russia, Nepal, South Korea, China, India, Kuwait and Romania, and BankInfoSecurity writes that "The latest warning over this campaign reinforces just how often APT attackers target Flash, thus making a potential business case for banning it for inside the enterprise."
Flash is literally a zombie at this point.
Ok, so if we stick with Flash we might be subjected to security problems.
But if we stick with HTML5-based technologies, then we'll just be more easily tracked by advertisers.
Sounds like we are fucked in both cases!
If you disagree with the moderators here, your reply gets deleted. My roommate is a corporate officer of Adobe, and I've posted quotes from him several times. They've all been deleted.
Any insider knowledge is deleted from here. It's too much of a risk.
There's a reason all the adult sites are going to HTML5 over Flash for video. You know your platform is outdated and totally not worthwhile when the porn industry abandons you.
Wait, deleted? What, so this is Slashdot admins doing some kind of... what... I don't get it.
Who hates Russia, Nepal, South Korea, China, India, Kuwait and Romania so much? :/
oh! marketing spammers!! hmm.. I have one here in Porto Alegre searching for Flash players.
lol omg vampires suck! uahuahuahuhuahauauhuahuauahuauauuauauhauhauhauhauh
Helena came to Brazil and the most she can manage is to hype a Mexican and a 300-style Twilight saga!! ppfpfpegheieuheuheuheuheuheuhe
Ban indiscriminate access to the internet and watch how the problems fade away.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
The once dominant interactive web "standard" is dead.
What killed it? Security problems.
For the web, security needs to be the number one priority, considered from day one when the architecture, specifications and scope of the project are first looked at.
Please tell me how to distinguish this "bad Flash" info from Fear, Uncertainty and Doubt (FUD) disinformation from HTML5 advocates? Patching will inevitably be, well, patchy. So the only safe course seems to be elimination.
Has there really been statistically significant exploitation measured? If so, why haven't websites banned it themselves?
Until they tell the world not to use that POS and that ALL OSes will block it by default in 1 week.
Then, and only then, will those sites that seem to work fine on iOS (which never had Flash support) but somehow, on a laptop/PC, demand to have Flash installed.
Sorry, Flash is and always has been 'malware'. Pure and simple.
Since you haven't listened to the 483 times we have told you before, we will tell you again. Uninstall Flash Player. That is all.
*yawn*
Slashdot isn't deleting comments. If they did, there wouldn't be an abundance of racist rants in the comments on several articles. You're a troll and probably posted all the replies in this thread. Grow up.
For undermining security to try and trick users into installing McAfee when upgrading. That should be opt IN, not opt OUT.
That is not the reason.
Adobe hasn't released a Linux version since version 11. Unless there's a big surprise, there's no option for Linux users but to give up on Flash entirely.
Oh it happens. A lot. But whiplash will deny it until she's blue in the face.
"The bug exists in Adobe Flash Player 21.0.0.242 and earlier versions -- running on Windows, Mac, Linux, and Chrome OS..."
According to Adobe the current version of Flash is only 21.0.0.192.
I'd like to hear where this later version is that is already considered obsolete, and where the patched update is.
I guess either Firefox/Linux is not vulnerable or it is 'open season' and always will be. The latest version for me is 11.2.202.626, see:
http://www.adobe.com/software/... -- You probably have to activate flash for that page
I rarely use Flash anyway, so it's time to finally give it the ole heave-ho.
It's only a Flash zero-day that abuses Windows DDE via a six-step process (Flash - DLL file - Windows DDE - LNK file - VBS Script - CAB file). This zero-day is specific to nation-backed hackers, not average exploit kit skids. The exploitation process is just too hard to follow through, and Microsoft EMET detects it as well. So... it's not really that dangerous ffs
Bullshit.
Pics or it didn't happen.
Flash, Javascript, ActiveX... have we learned now?
Letting random web sites run any form of procedural code on your computer is NOT a good idea. Not just random web sites, but any site THEY in turn want to cross site script. Even when you try to sandbox this stuff, there are still holes. The valid use cases for such scripting are minuscule - it is chiefly used for advertising, tracking, profiling, and interfering with the user experience such as disabling cut and paste. For the very few valid use cases, it can be whitelisted.
But default-enabled? That's insane, no matter what the web-language flavor of the day is.
Captcha = mishap
"Flash is literally a zombie at this point."
Big problem: Adobe Flash is a "zombie" to technically knowledgeable people who read a lot of technology news. For most people, Flash makes their computers vulnerable.
Is Adobe selling vulnerabilities to hidden parts of the U.S. government, or to other organizations, and fixing the vulnerabilities only after they are discovered publicly? Or is Adobe management so incompetent that there are 10 or 20 or, in this case, 36 vulnerabilities in every version? In either case, the large number of vulnerabilities seems to be a strong advertisement not to install Adobe products on computers that have a connection to other computers or to the internet.
I count 11 new versions of Adobe Flash in 10 months.
The best story I've found about this month's Adobe Flash vulnerabilities is this one: Kill Flash now. Or patch these 36 vulnerabilities. Your choice.
I see web pages that don't need Adobe Flash Player using it anyway. Is that because most people don't use the Better Privacy browser add-on? Flash makes what are called persistent cookies. Better Privacy deletes persistent cookies.
Every time I start Adobe Acrobat Professional, it asks to connect to the internet in 3 different ways. So, when I want to make a PDF file, I generally use the free Bullzip PDF printer.
Because I have no way of knowing what Adobe is doing or hiding, I generally use the free Sumatra PDF Reader.
To me, it seems that Adobe is engineering such a bad reputation for itself that it will eventually put itself out of business. (It seems that Microsoft is following the Adobe methods. Windows 10 seems to be intentionally vulnerable. Microsoft products also have huge numbers of vulnerabilities.)
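The "persistent cookies" mentioned above are Flash Local Shared Objects: .sol files that Flash Player writes per domain under its #SharedObjects directory (~/.macromedia/Flash_Player/#SharedObjects on Linux, %APPDATA%\Macromedia\Flash Player\#SharedObjects on Windows). The following script is an added example, not code from the page or from the Better Privacy add-on; it walks a SharedObjects tree, deletes every LSO except those from domains on a keep-list, and builds a constructed sample tree in a temporary directory so it runs offline. The assumed layout (random-id/domain/.../name.sol) is how the real player stores them, but the demo never touches a live profile.

```python
"""Purge Flash Local Shared Objects (.sol "Flash cookies") except whitelisted domains.

Added example (not the Better Privacy add-on's code). Assumed on-disk layout:
    #SharedObjects/<random id>/<domain>/<swf path>/<name>.sol
"""
import tempfile
from pathlib import Path


def find_sol_files(shared_objects_dir):
    """Return (domain, path) pairs for every .sol file under the directory."""
    root = Path(shared_objects_dir)
    found = []
    for sol in root.rglob("*.sol"):
        rel = sol.relative_to(root)
        if len(rel.parts) < 3:
            continue  # not the expected random-id/domain/... layout; leave it alone
        domain = rel.parts[1]  # parts[0] is the random profile id
        found.append((domain, sol))
    return sorted(found)


def purge_flash_cookies(shared_objects_dir, keep_domains=()):
    """Delete LSOs from every domain not in keep_domains; return domains purged."""
    keep = {d.lower() for d in keep_domains}
    removed = []
    for domain, sol in find_sol_files(shared_objects_dir):
        if domain.lower() in keep:
            continue
        sol.unlink()
        removed.append(domain)
    return sorted(removed)


def build_demo_tree():
    """Constructed sample data: one LSO each from three made-up domains."""
    base = Path(tempfile.mkdtemp()) / "#SharedObjects"
    for domain in ("tracker.example", "video.example", "game.example"):
        swf_dir = base / "ABCD1234" / domain / "player.swf"
        swf_dir.mkdir(parents=True)
        (swf_dir / "settings.sol").write_bytes(b"\x00\xbf")  # contents are irrelevant here
    return base


if __name__ == "__main__":
    tree = build_demo_tree()
    # Keep the game site's saved state, drop the tracker and video LSOs.
    print("purged:", purge_flash_cookies(tree, keep_domains=["game.example"]))
    print("remaining:", [d for d, _ in find_sol_files(tree)])
```

To use it against a real profile, point `purge_flash_cookies` at the actual #SharedObjects path instead of `build_demo_tree()`; the keep-list plays the same role as Better Privacy's whitelist.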
That's it now Campincensorshills, sweep it under the rug with a -1, just like all the other truths you don't want people to see.
The hypocrisy here is off the fucking scale.
You're full of shit, Slashdot comments don't get deleted, except for the time somebody posted $cientology texts and they were going to file a lawsuit.
It's a lot easier to limit SWF tracking without disabling essential functionality than to limit HTML5 tracking without disabling essential functionality. To limit SWF tracking, disable the Flash Player plug-in on sites outside the SWF whitelist (Newgrounds, Kongregate, Weebl's, Dagobah, Albino, Homestar). To limit HTML5 tracking, you need to install tracking blockers, and if you do that, some sites will refuse you service because they don't know how to present ads that don't track you. Sites using SWF tracking are less likely to refuse service on grounds of lacking Flash Player because then they'd be refusing service to viewers on smartphones and tablets that run a smartphone OS.
At the top of any SWF-based National Weather Service radar loop, you can follow the "Standard Version" link at the top to get an animated GIF instead. The "National Radar Mosaic Sectors" at the bottom are also animated GIFs.
whipslash is a boy. This kid here
Flash Player (PPAPI version) for Linux is current. Flash Player (NPAPI version) 11.2 for Linux is outdated but in extended support until May 2017, during which it gets security updates but no new features. Fresh Player is a wrapper plug-in for an NPAPI browser that hosts PPAPI plug-ins.
For the very few valid use cases, [SWF, JavaScript, or WebAssembly] can be whitelisted.
Among these "very few valid use cases" are web applications, such as Google Docs and Slashdot,* and sites offering vector-based animations, such as Homestar Runner and Weebl's Stuff. So how should the operator of a website hosting a web application go about demonstrating to users that the application is among these "very few valid use cases"?
* Try loading more than the 100 top-scored comments without script. If you succeed, reply and let me know what you pushed.
Slashdot isn't deleting comments. Infrequently, they remove a dupe when only a few comments have been posted and those comments vanish. But that's very rare. I've seen some comments from whipslash that seem pretty unprofessional in response to legitimate criticisms, and you can browse his posting history to see this. But I don't think the editors are deleting comments or moderating en masse and nobody has provided evidence that they are.
I tried removing Flash from my SeaMonkey install and that lasted all of 5 minutes before I found a forum post with an embedded YouTube clip that I couldn't play (and wanted to play). So I can't ditch Flash yet (at least not until YouTube comes up with a way to embed YouTube clips into forum posts, blog posts etc. without needing Flash installed).
This is news exactly how?
Perhaps more amazing or a testimonial to the current state of slashdot is a lack of "dupe" among the visible comments.
So I scanned the insightful comments. Is it the broken moderation system, lousy moderators, or just a general lack of moderation points? Didn't find much in the way of insight with that tag.
Closest bit was a reference to the need for security. Sorry, NOT insightful.
Insightful would have been an analysis of the drive for flash over substance, as driven by advertiser eyeballs.
Even deeper insight might have considered how the lack of liability for security failures and bugs drove the Internet (in particular and most software in general) down the rathole of phucking the users.
In the end, we wind up with a world dominated by the google's operative motto: "All your attention are belong to us." However, Amazon is probably worse. Did that make you feel better? Also, welcome to Trump's world.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Try loading more than the 100 top-scored comments without script.
I think you've answered your own question. The answer is: "Turn it on if you want it to work".
Persistent threat groups target all operating systems every day. So give up operating systems. If you can't enter your program with front panel switches, you're doing it wrong, noob!
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The training department in HR uses an older version of Adobe Captivate for their presentations and audio won't work with any newer version. Since Adobe only rents software I can't justify the $750 a month it will cost for all 3 users to update! Thanks, Adobe.
So I will be fired or written up if we get any ransomware, but I can't use newer software. What a joy!
At home I use Flashblock for Chrome and Adblock Plus for Chrome and IE. Too bad I can't use it at work, as my users are drooling idiots who will form a line at my office asking why Flash content won't work automatically and a funny little icon will appear that says click to play. Oh, that is right, our training links still require IE 6 and IE 8.
http://saveie6.com/
HowToGeek puts a 0-delay refresh in a meta http-equiv tag inside a noscript tag: <meta HTTP-EQUIV="refresh" content="0;url='...'">
If you open the page with JavaScript turned off it refreshes the page immediately after loading is finished and continues forever.
Fuck those guys.
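The pattern described in the comment above (a zero-delay meta refresh inside <noscript>) is easy to check for mechanically: a browser with scripting disabled honours the <noscript> content, so a refresh that points back at the same URL reloads forever. The scanner below is an added example, not code from the page or from HowToGeek; it parses a constructed HTML sample with Python's standard html.parser, reports every refresh meta tag nested in <noscript>, and decides whether one of them is a self-refresh loop for the given page URL. The sample markup and URLs are made up for the demo.

```python
"""Detect zero-delay <meta http-equiv="refresh"> tags inside <noscript>.

Added example (not from the page). Such a tag makes a page reload endlessly
for visitors who browse with scripting disabled.
"""
from html.parser import HTMLParser


def parse_refresh_content(content):
    """Split a refresh 'content' value into (delay_seconds, url_or_None).

    Accepts the common shapes "0", "5; URL=http://x", "0;url='http://x'".
    """
    delay_part, _, rest = content.partition(";")
    try:
        delay = int(delay_part.strip())
    except ValueError:
        delay = None  # malformed delay; still reported, never treated as 0
    url = None
    rest = rest.strip()
    if rest.lower().startswith("url"):
        url = rest[3:].lstrip(" =").strip("'\"") or None
    return delay, url


class NoscriptRefreshScanner(HTMLParser):
    """Collect refresh meta tags that sit inside a <noscript> element."""

    def __init__(self):
        super().__init__()
        self.noscript_depth = 0
        self.findings = []  # list of (delay, url)

    def handle_starttag(self, tag, attrs):
        if tag == "noscript":
            self.noscript_depth += 1
            return
        if tag == "meta" and self.noscript_depth > 0:
            # html.parser lowercases attribute names; values may be None.
            a = {k: (v or "") for k, v in attrs}
            if a.get("http-equiv", "").lower() == "refresh":
                self.findings.append(parse_refresh_content(a.get("content", "")))

    def handle_endtag(self, tag):
        if tag == "noscript" and self.noscript_depth > 0:
            self.noscript_depth -= 1


def find_noscript_refreshes(html):
    scanner = NoscriptRefreshScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_self_refresh_loop(html, page_url):
    """True if a zero-delay noscript refresh reloads the page itself.

    A refresh with no URL reloads the current document, so it counts too.
    """
    for delay, url in find_noscript_refreshes(html):
        if delay == 0 and (url is None or url.rstrip("/") == page_url.rstrip("/")):
            return True
    return False


# Constructed sample page: a noscript self-refresh plus a harmless
# 5-minute refresh outside <noscript> that must NOT be reported.
SAMPLE_URL = "https://www.example.com/article"
SAMPLE_HTML = """<html><head>
<noscript><meta HTTP-EQUIV="refresh" content="0;url='https://www.example.com/article'"></noscript>
<meta http-equiv="refresh" content="300">
<title>demo</title></head><body><p>hello</p></body></html>"""

if __name__ == "__main__":
    print(find_noscript_refreshes(SAMPLE_HTML))
    print("self-refresh loop:", is_self_refresh_loop(SAMPLE_HTML, SAMPLE_URL))
```

Run it over fetched page source to audit a site; a finding with delay 0 and a URL equal to the page's own address is exactly the reload-forever behaviour the comment complains about.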
How the hell can one piece of software have so many vulnerabilities?
Why are you still pushing Flash video on your site? No, not you with a site that gets 1000s of daily views. You, the guy or gal working on large media sites with several million daily viewers. Of course, you respond that it is not your incompetence but your boss's instead. Yeah, yeah. I wonder about you guys and how you came to get a job, including your inept CIO. It reflects negatively either way when you submit your resume at a company that is more up to date. Although, it probably helps when you are applying at another dinosaur media company. Maybe that's your industry's trick, hopping from one dinosaur to the next where the hiring team nods in approval at the legacy skills and best practices that they, too, are most comfortable using.
Some of us stupider mother fuckers have shitty janitor type jobs where we maintain a thing called VMware.
This VMware is a really expensive product. It's also really, really, really poorly designed. The management interface requires flash. To boot, it won't even run on Linux clients.
So much fucking stupid faggotry inside VMware. To the stupid fucking indogook who thought flash was the best option, I personally wish bad fortune and ill health upon - and the entirety of his extended family.
Wait. Did that fucking cunt Lennart Poettering work at VMware? Picking Flash for your management interface is about as smart as replacing the Linux init system with a bloated, monolithic, poorly designed heap of shit called systemd.
This website does not work in Firefox without the Flash Plugin.
http://www.ssd.noaa.gov/goes/east/carb/flash-rb.html
I use this website every day.
Any suggestions?
At least Silverlight died when told to.
Would making it open-source help fix the vulnerabilities, or just open a Pandora's box of publicly available holes to exploit?
Of course, the best option is not to install it, but making the code secure might be an interesting challenge.
Are there any good open source Flash replacements (mainly for Firefox on my Mac) that can get me through some older sites that use Flash? I just need something with minimal features and tight security.
I was aware of swfdec back in the day and found some others: lightspark, gnash, Mozilla Shumway.
One of the really useful features in PDF is the ability via Adobe Reader to embed flash videos in PDFs. It's a very convenient way to deliver videos to a client (or in our case, grant review committee) in a nicely packaged way that is guaranteed to be playable (everyone can get Reader). Moreover, everyone that accepts documents for various applications in my circles, accepts them in PDF.
If we can't use flash (and I recognize that, eventually, another solution will become necessary), what's the alternative for embedding videos in a universally readable document?
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
Pretty much every modern browser out there has flash included, so I can't fathom why anyone would even have older instances of flash installed. I literally go through my programs on a weekly basis, and if I haven't used it that week it gets deleted.
experts warning enterprises to update flash? oh ok *pop* could have had a V8
New versions of flash all suck ass. They have spyware capabilities beyond just flash cookies. You should just use linux with an 11.202 series at home. This is a FUD story to get you to install spyware. This is social engineering!!!!
If you are home and you watch pornos like cam girls you should use the plugin BetterPrivacy for firefox too. Never watch your butts in Windows.
You'd think a corporate officer at Adobe could afford his own place.
https://news.ycombinator.com/i...
Does the OS make a difference for the importance of the security flaw?
They uninstalled it a while ago, after one of those zero-days.
Then re-installed it, when a patch came around for that zero-day.
Then just let it rot. I think it's patched occasionally. Thank god I'm not forced to use that silly Windows-image of theirs.
They know what they're doing. They just think an APT can't or won't hit them. Or that AV and their silly proxy will catch it. I actually have to chuckle at the thought of that.
Windows 2000 - from the guys who brought us edlin
"Turn it on if you want it to work".
Then site operators can continue to track people and/or accidentally infect their PCs by making sites that don't work at all without script, and then telling people "Turn it on if you want it to work".
Then site operators can continue to track people and/or accidentally infect their PCs by making sites that don't work at all without script
Then don't use their site if they track you and/or accidentally infect your PC. This isn't rocket science. You don't use Google or Gmail, do you?
Then don't use their site if they track you and/or accidentally infect your PC. This isn't rocket science.
Knowing that a site will do that if the user chooses to enable scripting for that site is rocket science.
Where it's obviously just intentional.
Fuck you Adobe. And fuck flash even harder.
Knowing that a site will do that if the user chooses to enable scripting for that site is rocket science.
It isn't. And anyway, users don't care. I see you use Gmail. Gmail tracks you, surveils you, and reads your mail. You not only answered your own question but you're also the living proof of end user apathy about privacy.