Why oh why....
... do websites insist on still making us use this outdated liability of a piece of software.
Exploit kit writers are no longer fussed about Java vulnerabilities, focusing their attention almost entirely on Adobe Flash. All of the top 10 vulnerabilities targeted by exploit kits during 2015 are related to Adobe Flash, according to a new study [PDF] from NTT Group. In 2013, by contrast, the top 10 vulnerabilities …
Because most web site developers are dumb as a box of rocks when it comes to security. For the vast majority of them security is the network admin's job.
Of the ones that even bother to consider security as a project requirement, most think they just need to hash passwords or turn on SSL. The ones that realize that security requires a fairly deep holistic approach are, unfortunately, few and far between and charge more than "off shore" developers.
"Remove the malware called Flash from your PCs and you are immune to the malware that uses Flash."
Problem is: many, far too many web sites require Flash as I'm writing this.
Removing Flash as I've done many moons ago means you're basically out of those sites.
That's ok, for me (IGN, man, why, fucking why ????), but could be more problematic for others ....
Thankfully, YouTube made the wise move, months ago.
@regadpellagru - "Problem is: many, far too many web sites require Flash as I'm writing this."
None of the sites that I go to use it for anything other than ads. I haven't installed Flash in years. I used to use a dedicated video plug-in for YouTube, but stopped even using that when YouTube went to HTML5.
The sites that require Flash these days are incredibly niche, and I can't think of a single one off the top of my head other than a few video players (I think BBC still uses it, although they are supposedly ditching it), and I don't use any of those (BBC would block me due to location anyway).
The bottom-feeding end of the ad-flinging market seems to be the main holdout for Flash, and quite frankly I can't see any reason to install Flash just for their benefit.
A few web sites still do Flash detection to service users who have ancient PCs running Windows XP with IE 6, but they serve up HTML5 for people without Flash. If you have Flash installed you may not be able to tell if the site genuinely requires Flash, or if you're just getting the "legacy" version because it detected Flash.
start looking for HTML5 vulnerabilities, our cash cows, Java and Flash are being taken away from us.
Oh, and Apple's still recommending Quicktime installation despite the somewhat nebulous security warning from them about their abandonware.
Respectfully,
Grott E. Hacker
Both disabled by default. No site is whitelisted for Flash as even BBC.com has served malware.
Only whitelisted JavaScript.
While loads of sites use Flash and JavaScript, I can't remember the last time a website wanted actual Java, so it's surprising ANY malware writers bother with it. Flash is the low-hanging fruit, followed by hijacking an advertiser's domain and thus getting "reputable" web sites to distribute malware via JavaScript because most people either don't run NoScript or enable the whole page rather than whitelisting important bits. Some sites (Twitter, Google, Facebook etc) only get temporarily enabled for the session, because of the evil tracking scripts in the buttons/icons people sprinkle on their sites.
It would be better if the icon was static HTML with an argument. But that would not suit the parasites.
If website wants me to see an advert, it's simple. Put a static jpeg + text ON YOUR OWN SERVER you moron!
Otherwise I will block it FOREVER.
And in Spain. It's absolutely appallingly bad Java too. Worse it is Oracle Java only (OpenJava won't run their applets). And at times they force you to use .pdf that only Adobe can read (XFA forms). It's like dealing with IT from the dark ages, mostly because they have to make the online form like the paper one so they can print it out to file it (I kid you not!).
I would prefer more advertisers use it, since Flash is click to run anyway, I hardly ever see it. Or if browsers would somehow make HTML5 animations and video etc click to run as well that could work too.
The only thing I can think of that I need Flash for on a semi-regular basis is Bank of America ShopSafe
https://www.bankofamerica.com/privacy/accounts-cards/shopsafe.go
"https://www.bankofamerica.com/privacy/accounts-cards/shopsafe.go"
From that website:
"Please note that ShopSafe requires you to have Adobe Flash installed on your computer."
I have to give it to them. They have the testicles to mention "Safe" and "Adobe Flash" in the same sentence...
Then at the very least don't install their shitty plugin but simply use Chrome browser which has it sandboxed by default in the browser. To be (somewhat) safe you will want to run that bad boy in a VM with a snapshot you revert back after asking to get wtfpwnt.