Exploit kits throw Flash bash party, invite Crypt0l0cker, spam bots Criminals behind some of the most potent exploit kits, Neutrino and RIG, are ramping up attacks slinging the latest ransomware and hosing users who have not applied recent Adobe Flash patches. The patched vulnerabilities permit code execution and allow the dangerous hacking kits to compromise user machines. The two above- …
Not really now is it? Plenty of very smart people have better things to do than be a slave to Adobe's patch cycles and enabling auto-update isn't viable if you care at all about privacy, Microsoft, Oracle and Google have killed that option. As I've said before, the IT industry needs to grow up and stop blaming users for developer cock ups - from Adobe to websites that use Flash to local sysadmins.
On the other hand, one might look at the issue in terms of "Fool me once, shame on you. Fool me some ridiculous number of times, well then I'm stoopid." It's not that consumers and customers should be blamed for flaws in the software, but it's no secret that they exist and when left un-patched will cause problems not only for the owner of the infected machine, but for everyone else as well.
As far as privacy versus patching, it is doubtful that disabling automatic patches will slow a government or corporate entity from getting as much information concerning you as they wish, but it will definitely put you at risk from malware. Alternately, just delete the damn software and do without or use something else up to and including a different OS.
Might I introduce you to Windows, an OS that some programs require?
Might I introduce you to cryptic updates that you may need or which may screw you over with a major OS change?
Might I introduce you to the masses with neither the time, ability, nor inclination to tell the updates apart?
But how vulnerable are you if you don't actually have flash on your system? If you keep patched and no flash? Do they use zero days or does just keeping on top of things stop them?
On a somewhat related note - the flash on windows 10 is that written by Microsoft. Does it suffer from the same flaws or had Microsoft introduced some of their own?
You can avoid Flash vulnerabilities by not using Flash, but many people don't have that option, requiring flash in their everyday activities. And yes, if they want to infect people badly enough and they can acquire one (this can be tough; usually it's states and other powerful agencies that hoard them), they MIGHT use a zero-day vulnerability.
As for Windows 10, that's still done by Adobe IIRC. The only company helping Adobe with Flash is Google, and only in regards to Linux and Chrome.
But the few that remain become that much more difficult to deal with. What do you do when your very-expensive enterprise system requires Flash to control it? Switching it out is not an option due to the accountants, who tend to be able to trump the security team (after all, accountants can influence the IT budget).
... and then there are the websites which REQUIRE flash for no reason. BBC iPlayer, for example, uses flash to stream video. Reasonable enough. But if you want to download a programme to view in the offline player (which, thankfully, doesn't rely on flash), the "download" button is removed unless flash is enabled in the browser.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
