Delete Or Update All Adobe Flash Player Instances, Experts Warn

An anonymous reader quotes an article from BankInfoSecurity: Security experts are once again warning enterprises to immediately update -- or delete -- all instances of the Adobe Flash Player they may have installed on any system in the wake of reports that a zero-day flaw in the web browser plug-in is being targeted by an advanced persistent threat group.... The bug exists in Adobe Flash Player 21.0.0.242 and earlier versions -- running on Windows, Mac, Linux, and Chrome OS -- and "successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system." Thursday Adobe released an updated version of Flash patching 36 separate vulnerabilities, including the critical vulnerability which "if exploited would allow malicious native-code to execute, potentially without a user being aware." While applauding Adobe's quick response, researchers at Kaspersky Lab say it's already been exploited in Russia, Nepal, South Korea, China, India, Kuwait and Romania, and BankInfoSecurity writes that "The latest warning over this campaign reinforces just how often APT attackers target Flash, thus making a potential business case for banning it for inside the enterprise."

Well

[johnsmithperson123]

Flash is literally a zombie at this point.

Re:Well

[93+Escort+Wagon]

Flash is literally a zombie at this point.

Yeah, I removed the Flash plugin from my computer maybe a year ago. Prior to that, I'd been running ClickToFlash for several years... but then I realized just how infrequently I actually "clicked" to enable anything. Plus Adobe's insistence on installing it for all users, and with admin privileges to boot - really ridiculous, especially given Flash's horrible track record.

Since Chrome has Flash built in, and since I don't use Chrome as my main browser - if there's ever something Flash-based I actually want to access, I just launch that browser. But I can't remember the last time I actually did that...

So we're fucked either way?

Ok, so if we stick with Flash we might be subjected to security problems.

But if we stick with HTML5-based technologies, then we'll just be more easily tracked by advertisers.

Sounds like we are fucked in both cases!

Re:So we're fucked either way?

[93+Escort+Wagon]

But if we stick with HTML5-based technologies, then we'll just be more easily tracked by advertisers.

I am not sure what you based this on - one of Flash's big selling points to advertisers has been just how much info it can provide to them about your browsing habits.

Re:So we're fucked either way?

[bloodhawk]

With flash you get the WORST of both. you get the tracking AND the security problems.

Porn

There's a reason all the adult sites are going to HTML5 over Flash for video. You know your platform is outdated and totally not worthwhile when the porn industry abandons you.

let this be a lesson

[RichMan]

The once dominant interactive web "standard" is dead.
What killed it? Security problems.

For the web, security needs to the number one priority considered from day one when the architecture, specifications and scope of the project are first looked at.

Re:let this be a lesson

[guruevi]

Flash was never a "standard". I've always recommended clients to get rid of Flash sites because it wasn't a standard and not everyone could use it. When Flash was first introduced, a large number of people were still on dial-up and Flash sites were a big no-no because by then we already knew that people would click away if their site didn't load in 5s or less. Flash was then marketed towards people marketing towards broadband (video and interactive sites and DHTML were going to be all the rage once everyone got broadband).

When everyone started getting broadband, companies like Google sprang up (or rather, became embedded in the culture) and "SEO" became the buzzword, Google wasn't Flash-aware or compatible, Flash was dead as a 'standard' platform for 'broadband' because no 3rd party company (outside Macromedia and later Adobe) wanted to support it.

It eventually got taken over by Adobe and it was dead then because nobody trusted Adobe to fix it. It had many security issues already and many compatibility issues even within it's own tools. Adobe never fixed it, they just kind of half-integrated it with the rest of their suite but they effectively put it on life support. When Apple released the iPhone, Flash was dead and now it's just being this zombie process you know you have to get rid of at some point, but you don't really want to because maybe you may need it in some obscure corner of the web.

Re:let this be a lesson

[Solandri]

When Flash was first introduced, a large number of people were still on dial-up and Flash sites were a big no-no because by then we already knew that people would click away if their site didn't load in 5s or less. Flash was then marketed towards people marketing towards broadband (video and interactive sites and DHTML were going to be all the rage once everyone got broadband).

You've got that backwards. The very reason Flash exists was to reach people trying to access the Internet on dialup. Dialup wasn't fast enough to stream video, but real-life video is different from animation. Flash was originally an artist's tool to allow animation over dialup. Instead of having to send a constant video stream, you could send a few sprites and images of backgrounds, then animate those on the user's local computer.

It was only later when web developers realized that Flash was flexible enough to essentially run universal interpreted code (same code would work on PC, Mac, and Linux) that they went nuts. Entire websites in flash, thus defeating the whole purpose of HTML (displaying info in the format the end-user decided was best). Flash ads bypassing the user blocking animated GIF ads. And flash streaming video became ubiquitous (which wouldn't have happened if the folks at W3C had actually added the features web developers were asking for like embedded streaming video, instead of waiting 10 years like they did with HTML 5).

That's why Flash is so full of security holes. Because when Macromedia invented it, they were just thinking of a a good way to animate stuff on the end user's PC. They had no idea it was going to become The way for web developers to do everything they wanted but couldn't because "HTML didn't support it." It's still an excellent animation tool. A large number of animated TV shows and animated movies are partly or completely made with Flash.

Weekly Flash Warning. 7 Days Til Next Alert.

[zenlessyank]

Since you haven't listened to the 483 times we have told you before, we will tell you again. Uninstall Flash Player. That is all.

And Shame on Adobe

[dmomo]

For undermining security to try and trick users into installing McAffe when upgrading. That should be opt IN not opt OUT.

Misleading much?

[campuscodi]

It's only a Flash zero-day that abuses Windows DDE via a six-step process (Flash - DLL file - Windows DDE - LNK file - VBS Script - CAB file). This zero-day is specific to nation-backed hackers, not average exploit kit skids. The exploitation process is just to hard to follow through, and Microsoft EMET detects it as well. So... it's not really that dangerous ffs

Is Adobe paid for deliberate vulnerabilities?

[Futurepower(R)]

"Flash is literally a zombie at this point."

Big problem: Adobe Flash is a "zombie" to technically knowledgeable people who read a lot of technology news. For most people, Flash makes their computers vulnerable.

Is Adobe selling vulnerabilities to hidden parts of the U.S. government, or to other organizations, and fixing the vulnerabilities only after they are discovered publicly? Or is Adobe management so incompetent that there are 10 or 20 or, in this case, 36 vulnerabilities in every version? In either case, the large number of vulnerabilities seem to be a strong advertisement not to install Adobe products on computers that have a connection to other computers or to the internet.

I count 11 new versions of Adobe Flash in 10 months.

The best story I've found about this month's Adobe Flash vulnerabilities is this one: Kill Flash now. Or patch these 36 vulnerabilities. Your choice.

I see web pages that don't need Adobe Flash Player using it anyway. Is that because most people don't use the Better Privacy browser add-on? Flash makes what are called persistent cookies. Better Privacy deletes persistent cookies.

Every time I start Adobe Acrobat Professional, it asks to connect to the internet in 3 different ways. So, when I want to make a PDF file, I generally use the free Bullzip PDF printer.

Because I have no way of knowing what Adobe is doing or hiding, I generally use the free Sumatra PDF Reader.

To me, it seems that Adobe is engineering such a bad reputation for itself that it will eventually put itself out of business. (It seems that Microsoft is following the Adobe methods. Windows 10 seems to be intentionally vulnerable. Microsoft products also have huge numbers of vulnerabilities.)

Re:Is Adobe paid for deliberate vulnerabilities?

[macs4all]

That's one of the things I have always liked about OS X: Native PDF support for both Reading and Writing PDFs.

Just under a year of extended support left

[tepples]

Flash Player (PPAPI version) for Linux is current. Flash Player (NPAPI version) 11.2 for Linux is outdated but in extended support until May 2017, during which it gets security updates but no new features. Fresh Player is a wrapper plug-in for an NPAPI browser that hosts PPAPI plug-ins.

Can't get rid of Flash yet

[jonwil]

I tried removing Flash from my SeaMonkey install and that lasted all of 5 minutes before I found a forum post with an embedded YouTube clip that I couldn't play (and wanted to play). So I can't ditch Flash yet (at least not until YouTube comes up with a way to embed YouTube clips into forum posts, blog posts etc etc without needing Flash installed)

Re:Can't get rid of Flash yet

[melting_clock]

You could install flashblock and only allow flash content that you actually need. It cuts down on security threats and ads.