About to?
By the end of the year is a long moment.
Google's Chrome web browser could be disabling all Flash content by default before the year's out. El Reg has learned that developers with the Chromium Project are working on a new feature known as 'HTML5 by Default'. The move could help to keep users safe by locking off a favorite target for web-based malware exploits. As …
Till then, set Chrome to ask before running plugins, i.e. Flash.
This option is cunningly hidden under settings/advanced settings/Privacy/Content settings/Unsandboxed plug-in access.
After that you only run Flash when you really want to, by right-clicking the Flash content and selecting run. Disabling the Flash plugin works too, but I found myself forgetting to disable it again after visiting one of the very few sites where I tolerate Flash.
So the Almighty Jobs killed Flash on mobile back in 2011, and Google is set to do the same on the desktop in 2016. All I can say is, it is about bloody time!
Flash has been a security joke forever. The numbers there amaze even me, 314 vulnerabilities in 2015? You're probably safer running a Windows 98 box than a modern Windows flavor with Flash installed.
That said, the Flash plague will probably haunt the Internet for at least another 5 years until Microsoft finally kills it in an undocumented "functional" update to Windows 10. This nonsense about exempting the top 10 Flash domains seems like it could extend the nightmare for a bit.
To be fair, its bug count or frequency isn't worse than any of the major browsers. They are all, universally, major security jokes, in case someone hasn't noticed. The advantage of Flash is that you can actually turn it off, unlike all the Web3.0 hipster crap in modern browsers.
And just to be picky - while it for obvious reasons is unlikely to get targeted by some Russian exploit pack nowadays, Windows 98 in its heyday happily downloaded and ran ActiveX controls automatically. At most displaying a message along the lines of "Are you sure you wanted to run this ActiveX control?"
And not sure whether Windows 98 is vulnerable to the MDAC bugs, but those (applies to NT/2K and XP up to some service pack) were actually a staple in the above-mentioned exploit packs for many years, and let attackers simply tell it to run any command.
Finally - 98 has no ASLR/DEP (not that it would save you from those), sandboxing, permissions/user control, or even real ring3/0 separation, so any bug - memory corruption or not - and you're hosed.
patrickstar spake:
To be fair, its bug count or frequency isn't worse than any of the major browsers.
No argument, but its line of code count should be less than a browser and its stated set of functions certainly is smaller. Just because someone else writes terrible code does not mean you are excused for doing the same.
Forgive me for using hyperbole to make my original point. I am not revising history to gloss over the atrocious lack of security controls in Windows 98, but given the choice between the two terrible alternatives I will take the obsolete and unlikely-to-be-targeted Windows 98 box over a modern Windows box running Flash. Adobe seems to keep including bugs in each Flash release that allow for sundry nastiness despite OS security enhancements.
I will take the obsolete and unlikely to be targeted Windows 98 box over a modern Windows box running Flash
Really? Win 98 is just DOS which has absolutely no protection against permission escalation because it doesn't have permissions: find any exploit and get pwned.
I think Flash suffered from feature creep. Remove the video stuff and you could probably tighten it up. In the meantime "press to play" and the improved plugin architecture do significantly reduce the attack area. Better still just deactivate it and hassle any websites that tell you Flash is required. Anything that depends on ads or subscription will switch pretty quickly.
It's less, yes, but there is a significant degree of overlap in the functionality exposed to hostile content.
Flash has something corresponding to all the basic components and APIs except the whole user interface thing.
Most importantly, it has all the parts that tend to be where exploitable browser bugs actually are.
To be fair, 1+1 = 2
i.e. if you have a browser with a vuln quotient of x and then you add the y from Flash, you have x+y exposure instead of plain x. Note that in this equation, Flash's y is neither 0 nor negative. I would argue it is pretty high for its functionality compared to the Swiss Army knife of a modern browser.
Additionally, you can run NoScript quite effectively to harden your browser to random JS. And it's not like white-listing automatically makes NoScript happy - it's often that it whines, justifiably or not, for a white-listed site's JS doing something it thinks fishy.
In fact, as someone else mentioned a few days back, I tend to run FF w NoScript and fall back to Chrome when I can't be arsed to figure out what is irking NoScript on a site that I actually use.
Flash content is opaque in that regard and I would rather concentrate on just dealing with JS vulns, thank you very much.
Thank you, Chrome, anything that gets laggards like the BBC and CBC off Flash is most welcome. I haven't used Flash for years and I mostly don't miss it anywhere except for the 2 above. And that certainly includes YouTube which works fine without it.
p.s. one exception - Joel Spolsky's otherwise excellent FogBugz service has a estimates-vs-actual time feature that I would love to use, but is based on Flash for its reporting (hello, D3, please).
The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed, so the phuckers don't even let you remove it! Yet another reason to hate Windows 10, as though there aren't enough reasons already. Curiously it isn't even listed as a plugin on Firefox on Windows 10 so I don't know if Flash is active or not via that browser? She never uses Edge or IE.
"The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed, so the phuckers don't even let you remove it!"
See if you have Wild Tangent Games installed - I found Flash on my Win8 computer, and IIRC it was pre-installed with that.
Just checked and no "Wild Tangent Games" installed. Ideally I'd like to remove Flash from the PC, we haven't used Flash for years and hate the way Microsoft appear to have hidden it inside Windows 10. If I can't get rid of it I'd like to be sure that Firefox isn't using it; it isn't listed as a plugin so I don't know.
Odd. If you go into Firefox on the Add-ons manager page and look under Plugins, you should find something there (on my Linux installation it shows up as "Shockwave Flash", it also shows up that way on Windows 7). On Windows you will probably find it in Programs and Features - removing any instance from that point will also remove it from Firefox. Bear in mind though that there are different versions of Flash - the ActiveX version and the NPAPI version. If the latter is missing then Firefox isn't using it. Both versions will appear in Programs and Features if installed.
I'd suggest that if you think that you don't use Flash anymore, then uninstall it anyway and see what happens. Installing it again should you really need it isn't difficult but chances are that you won't.
Windows 8 and 10 included the Flash plugin and it's kept up-to-date with Windows Update.
To disable it in IE: disable ActiveX. The Edge browser has a simple on/off setting for it.
The built-in Flash plugin doesn't work with any other browsers, so her Firefox is safe in that regard.
yes, BUT what if websites NEED FLASH???? the BBC still needs it, but Apple must be paying them something so that it does not need Flash??? YES, I once 'spoofed' Firefox to look like an iPad, and HTML5 worked!!! :) but then they changed it, does not work any more...
Edge does not support plugins, but has a heavily-sandboxed implementation of Flash built-in. That'll be what's updating.
The fact that it does update like that proves it's the internal MS version. Look on the bright side, if you were using the official Adobe version she'd have had Chrome and the Google toolbar installed on the qt as well.
"The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed"
M$ : This has nothing to do with you, it's our OS not yours. If you don't like it you know what to do.
Assume the position.
So the Almighty Jobs killed Flash on mobile back in 2011
Only because, by then, enough had been done that Apple could get people to move from the Adobe walled garden to their own. This was pretty much also the time when Apple stopped contributing significantly to WebKit. And, wasn't there a note recently about Apple not giving a shit about the holes in Quicktime?
If it was YouTube that helped Flash to dominance, it was Google that really pushed for HTML5 video being both free to use and free to create. Otherwise content providers would be paying both Adobe and MPEG licences to encode.
The important thing will be to fail on feature detection so that the <video> tag gets precedence and offer "press to play" functions where this isn't possible.
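As an added illustration of the feature-detection approach described above (example code, not from the page or any of the commenters): `canPlayType()` is the standard HTML media API; the injected `doc` parameter, the stub document and the sample sources are assumptions so the logic can run offline.

```javascript
// Decide how to render a video: an HTML5 <video> source if the browser can
// play one, otherwise a press-to-play control so no plugin runs on page load.
// `doc` is injected (pass `document` in a real page) so this runs under node.
function chooseVideoBackend(doc, sources) {
  const probe = doc.createElement('video');
  // Per the HTML spec canPlayType() returns "probably", "maybe" or "".
  // Prefer any "probably" source over any "maybe" source, whatever the order.
  if (typeof probe.canPlayType === 'function') {
    for (const level of ['probably', 'maybe']) {
      for (const src of sources) {
        if (probe.canPlayType(src.type) === level) {
          return { backend: 'html5', src: src.url };
        }
      }
    }
  }
  // No playable HTML5 source (or no <video> support at all): fall back to a
  // click-to-play placeholder rather than auto-loading the plugin.
  return { backend: 'press-to-play', src: null };
}

// Markup for the chosen backend; the plugin is only instantiated after an
// explicit user click, never on page load.
function renderPlayer(choice) {
  if (choice.backend === 'html5') {
    return `<video controls src="${choice.src}"></video>`;
  }
  return '<button class="press-to-play">Press to play (plugin required)</button>';
}

// Stub document for offline demonstration (constructed, not a real browser).
// `support` maps a MIME type string to the canPlayType() answer to return.
function stubDocument(support) {
  return {
    createElement: () => ({
      canPlayType: (type) => support[type] || '',
    }),
  };
}

// Constructed sample sources, listed in the order a page author might prefer.
const SAMPLE_SOURCES = [
  { type: 'video/webm; codecs="vp9, opus"', url: 'clip.webm' },
  { type: 'video/mp4; codecs="avc1.42E01E, mp4a.40.2"', url: 'clip.mp4' },
];

// Stand-alone demonstration: a browser that is sure about MP4 but only
// "maybe" about WebM gets the MP4 source; an old browser gets press-to-play.
const modern = stubDocument({
  'video/webm; codecs="vp9, opus"': 'maybe',
  'video/mp4; codecs="avc1.42E01E, mp4a.40.2"': 'probably',
});
console.log(renderPlayer(chooseVideoBackend(modern, SAMPLE_SOURCES)));
console.log(renderPlayer(chooseVideoBackend({ createElement: () => ({}) }, SAMPLE_SOURCES)));
```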
Google could most usefully show leadership by making sure that all the videos on Youtube are available as HTML5, and should preferably remove the Flash version each time they convert a video to HTML5. A quick check of four or five old favourites showed that all of them are still Flash, so YouTube have got work to do.
On the web browser front, Firefox is in the lead: it canned Flash many releases ago, yet strangely El Reg didn't mention that.
Ironically Apple were still at the top of the list and ahead of Flash in 2015 CVE even without Flash's help...
http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/
Imagine if they had Flash, they would be the unstoppable leader in vulnerable software by a large margin
Ironically Apple were still at the top of the list and ahead of Flash in 2015 CVE even without Flash's help...
Oh hello Microsoft Statistics guy, haven't heard from you for a while after I left your last attempt to be creative with statistics in a large smoking hole. I wonder how much are you paying Venturebeat to keep this (rather obvious) attempt at rigging statistics on their pages.
Let's just line up the shot to kick you back into that hole then, shall we?
From the page you supplied:
OSX vulnerabilities: 384
Windows vulnerabilities: (adding up ALL VERSIONS of Windows as you have to do to get the OSX numbers) 151 + 147 + 146 + 135 = 579, and that's leaving out the Server editions and RT.
But that's only one third of the story. After all, it was you who wanted to play with statistics. Let's look at the whole timespan.
OSX was introduced in 1999. That would bring the total of reported OSX CVEs to 1484, but guess what would happen to the Windows total? You'd have to include
Win 98SE : 61
Win 2000: 507
Win XP: 726
.. which brings our jolly total up to 1873 - and I still have left the server totals out of it (because Apple's isn't exactly in heavy use and I want to give the Microsofties at least the sporting chance they never give Apple). Still advantage Apple, and I'm not done yet.
There's more embarrassment waiting in the wings - onwards to the last part of the story.
The real fun starts when you go back to the beginnings and remember why the author made this "comparison": it was to observe security trends for making choices.
A CVE entry is a warning signal which may or may not result in exposure. You'll find that actual exposure data in the "vulnerability" column, which is the real thing you want to pay attention to if you're serious about risk management (you weren't, but I am and these BS stories do not help).
Here is the data as of today:
OSX CVE entries: 1484 Vulnerabilities: 73 Patches: 128
I am going to add up patches and vulnerabilities together because both indicate something grave enough to warrant effort, so for OSX it means that 14% of CVE entries were a risk grave enough to warrant corrective action by Apple.
Now let's go to Microsoft Windows.
Win 98SE 61;145;14
Win 2000 507;667;97
Win XP 726;968;192
Win Vista 670;538;123
Win 7 560;436;92
Win 8 254;182;0
Win 8.1 254;129;0
Adding that up demonstrates that over almost 3 times the number of vulnerabilities in the same time span (3032) there were actually more risks addressed than formally reported (118%). In other words, they quickly banged out fixes for things they didn't even tell you about and hoped you weren't watching the numbers properly. Yup, those are the people you should trust.
So:
1 - based on the bare numbers, OSX is SIGNIFICANTLY less risky than Windows
2 - Apple seems to address issues that have as yet not resulted in exposures in the wild
See you in a few months, I guess?
Most of the vulnerabilities are the same ones across Windows versions. One exploit does not become two simply because MS renamed the version of Windows that contains the vulnerability. You're essentially making up numbers here.
Most of the vulnerabilities are the same ones across Windows versions. One exploit does not become two simply because MS renamed the version of Windows that contains the vulnerability. You're essentially making up numbers here.
Well, it appears the same happens when you lump all versions into one "OSX" entry, so I guess that balances out.
"A CVE entry is a warning signal which may or may not result in exposure. "
Weird, as all the Android scare stories, and nothing actually occurring here in the real world, suggest that warnings are as good as exploits when it comes to writing clickbait.
Typical upset Apple fanboy that has double standards ...
Hey - at least Microsoft gave the world a Flash replacement. It's called Silverlight. ;-)
Was. It's already gone...
Adobe can play that game too: it's called HTML5. To be fair, Microsoft accidentally started it with an undocumented feature called XMLRPC (AJAX), and the Canvas API came from Apple, but a huge chunk of Web 3.0 crap is basically a Javascript port of Flash. (No wonder it's crap)
You're probably safer running a Windows 98 box than a modern Windows flavor with Flash installed.
Oh come on, it is not that bad surely? Then again you are dealing with a monolithic corporation that is highly protective of its product, regularly threatens anyone finding bugs (and there are a LOT of bugs) with both civil and criminal action yet steadfastly refuses to fix any issues raised by the community as a whole. No, not Microsoft … Adobe.
... plan to exempt the top 10 domains that use Flash for one year in order to concentrate the focus of, and increase the effectiveness of, any new exploits.
Plain-Speaked That For You
Euthanise Flash Now! The pain has to end. Make it quick.
You are very wrong, YouTube has been working impeccably well WITHOUT Flash for years.
I got rid of Flash 5 years ago on all my PCs (running Linux) and there is no problem whatsoever with YouTube. In fact there have been phases:
- many years ago it was "all flash"
- then they "experimented" with HTML5 playback (meaning Flash was always the default but you could opt in to HTML5)
- then they made HTML5 the default and Flash only a fall-back for old browsers that still don't support HTML5 video (some IE6 out there!?)
And in fact, I won't be surprised if YouTube ditches Flash completely, even as a fall-back.
@Anonymous Vulture: "All I can say is, it is about bloody time!"
Indeed!
On the one I use the most (S20-30 netbook), the html5 version keeps the CPU at a "happy" 40-50% load, compared to 15-20% for the flash version.
Sounds like Flash is able to use hardware acceleration and your browser isn't. Hardware acceleration is very dependent upon browser and OS.
And in fact, I won't be surprised if YouTube ditches Flash completely, even as a fall-back.
With more recent versions of Firefox you will find that YouTube will force the browser to try to run with HTML5 first by default. It has been this way for a few months now though it will fall back to Flash if HTML5 isn't working or if you have an add-in that forces Flash to be used (yes, they exist).
Photoshop, if I've got my history on it right, is something that started in-house. Flash and ColdFusion, to give another example of historically vulnerable software, were created by Macromedia. (I used to beta Dreamweaver and its antecedents for them way back when.) Adobe bought them and aside from Dreamweaver (I think) the rest of the products have been exercises in patch, patch, and patch again since. I'm maligning ColdFusion a bit, but it demonstrates real doozies when they turn up.
Photoshop was actually developed externally and first? available as a BarneyScan XP, which came with the BarneyScan film scanner.
Adobe's problem is that their products reached maturity years ago, and they have been adding bloat in order to (try to) justify their upgrades.
ColdFusion to give another example of historically vulnerable software were created by Macromedia.
Nah, ColdFusion was developed by Allaire and subsequently bought by Macromedia. A lot of people were really sad that Adobe canned Freehand, which many thought was better than Illustrator.
With Flash I think it's worth remembering that it and Shockwave were originally developed as authoring tools for CD and DVDs. They were fine at this and adapting the runtimes to become browser plugins wasn't too hard. Of course, the internet has since become a much nastier place.
Photoshop, Premiere and After Effects are pretty much the original products and are still (Final Cut Pro notwithstanding) pretty much the market leaders. Illustrator used to be like wading through treacle compared to Freehand, until Adobe bought Macromedia Freehand and merged it into Illustrator. PageMaker was ok with Aldus, but certainly not so afterwards; but then InDesign *sort* of made up for it. Dreamweaver was fantastic if only because it made Adobe trash the truly awful experience of GUI editors - GoLive.
The crock of Trump in all of this is Flash. Under Macromedia's umbrella Flash was actually pretty stable, regularly maintained and you didn't get the weekly 'Flash Installer needs your attention', which to me is the new MS Word paperclip. Since then, well ...
But thanks anyway Adobe: if it had not been for GoLive I might never have gone onto using BBEdit so quickly in the late 1990s.
Photoshop, Premiere and After Effects are pretty much the original products and are still (Final Cut Pro notwithstanding) pretty much the market leaders. Illustrator used to be like wading through treacle compared to Freehand, until Adobe bought Macromedia Freehand and merged it into Illustrator.
You may want to keep a beady eye on the guys from Serif who are developing the Affinity products. It's not exactly hard to detect that Affinity Designer and Affinity Photo are very accurately focused on the Illustrator/Photoshop audience that is planning to walk from Adobe because of their licensing change, and possibly those who currently use pirated versions because the Affinity software comes at a far more palatable price.
I already licensed both :).