Adobe: We REALLY are taking Flash security seriously – honest

Adobe insists it is working hard to boost the security defenses in its pilloried Flash Player. The Photoshop giant, based in San Jose, California, says it is making an "extensive" push to secure its plugin before another wave of vulnerabilities is revealed in the software. We're told that, as a result of "recent developments …

  1. Anonymous Coward

    The very fact that

every patch for this dog egg is rated as "Critical" highlights exactly how seriously Adobe take the security of its users. It is time for flash to expire and to remain so.

    1. Anonymous Coward

      Re: The very fact that

      Yeah but the DRM in it works without a glitch. Screw the rest!

  2. Anonymous Coward

    Awesome

    So they've turned their chief spindoctor to splaffing out positive noises. Clearly treating this latest shitsquall as something of a PR concern.

  3. marc 9

    I haven't had flash installed for over a year on my Mac. If I come across a web site that requires it, I use the developer menu to switch the user agent to 'iPad', which usually does the trick.

  4. Khaptain Silver badge

    Flash : Just say no....

    'There are extensive efforts underway internally'

    They have changed the coffee machine and are now using a stronger Robusta mixture...

Seriously though, this is not a new problem for Adobe, it has only been like this for the last 5 years or so.....Is the company run by ostriches?

    +1 for the comment relating to a "dog egg", it's the first time that I have heard the expression, made me laugh this morning which is always a good thing..far better than having to install an adobe product.

    1. Destroy All Monsters Silver badge
      FAIL

      Re: Flash : Just say no....

      > use-after-free() bug

      > 2015 and not even applying proper memory management. Or code verification tools for that matter.

      We don't like people like you here.jpg

      1. GrumpenKraut
        Boffin

        Re: Flash : Just say no....

        > use-after-free() bug

        Somebody tell them valgrind exists.
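The use-after-free shape the two comments above are sniping at, as a constructed C example added here (it is not Flash code and not anything a commenter posted): an event dispatcher walks a list of listeners while a callback is allowed to remove its own listener. The names, the listener/dispatcher structures and the scenario are invented for illustration. The buggy path frees the listener on the spot and then reads its `next` pointer; the refcounted path pins the object for the duration of the callback, which is the usual fix for this class of bug. Built with `-g` and run with `--buggy` under Valgrind (or compiled with `-fsanitize=address`), the invalid read is reported at the line marked UAF; the default run takes the hardened path and is clean.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of the use-after-free shape behind many plugin bugs: a
 * dispatcher walks a listener list while a callback frees its own listener.
 * Build with -g and run "./a.out --buggy" under valgrind (or with
 * -fsanitize=address) to see the invalid read at the line marked UAF. */

typedef struct dispatcher dispatcher;
typedef struct listener listener;

struct listener {
    listener *next;
    int id, events_seen;
    int refs;   /* owners: the list, plus any in-flight callback (safe mode) */
    void (*on_event)(dispatcher *d, listener *self);
};

struct dispatcher {
    listener *head;
    int use_refcount;   /* 0 = free immediately (buggy), 1 = refcount (safe) */
    int freed;          /* listeners actually released so far */
};

static void add_listener(dispatcher *d, int id,
                         void (*cb)(dispatcher *, listener *)) {
    listener *l = calloc(1, sizeof *l);
    if (!l) abort();
    l->id = id; l->refs = 1; l->on_event = cb;     /* the list owns one ref */
    l->next = d->head; d->head = l;
}

static void release(dispatcher *d, listener *l) {
    if (--l->refs == 0) { d->freed++; free(l); }
}

/* Unlink l. Buggy mode frees on the spot even though dispatch() may still be
 * using it; safe mode only drops the list's reference. */
static void remove_listener(dispatcher *d, listener *l) {
    for (listener **pp = &d->head; *pp; pp = &(*pp)->next)
        if (*pp == l) { *pp = l->next; break; }
    if (d->use_refcount) release(d, l);
    else { d->freed++; free(l); }
}

static void dispatch(dispatcher *d) {
    for (listener *l = d->head, *next; l; l = next) {
        if (d->use_refcount) {
            l->refs++;                 /* pin l while its callback runs */
            l->on_event(d, l);
            next = l->next;            /* l is still live here */
            release(d, l);
        } else {
            l->on_event(d, l);
            next = l->next;            /* UAF if the callback freed l */
        }
    }
}

/* Callbacks; this example assumes a callback removes only itself. */
static void count_event(dispatcher *d, listener *self) {
    (void)d; self->events_seen++;
}
static void remove_self(dispatcher *d, listener *self) {
    self->events_seen++; remove_listener(d, self);
}

static int count_listeners(const dispatcher *d) {
    int n = 0;
    for (const listener *l = d->head; l; l = l->next) n++;
    return n;
}

/* Three listeners; the middle one removes itself mid-dispatch. Returns how
 * many remain registered and, via *freed_out, how many were released. */
static int run_scenario(int use_refcount, int *freed_out) {
    dispatcher d = { NULL, use_refcount, 0 };
    add_listener(&d, 1, count_event);
    add_listener(&d, 2, remove_self);
    add_listener(&d, 3, count_event);
    dispatch(&d);
    int remaining = count_listeners(&d);
    if (freed_out) *freed_out = d.freed;
    while (d.head) remove_listener(&d, d.head);   /* leave valgrind clean */
    return remaining;
}

static int released_count(int use_refcount) {
    int freed = 0;
    run_scenario(use_refcount, &freed);
    return freed;
}

int main(int argc, char **argv) {
    int buggy = argc > 1 && strcmp(argv[1], "--buggy") == 0;
    int freed = 0, remaining = run_scenario(!buggy, &freed);
    printf("%s path: %d listener(s) left, %d freed\n",
           buggy ? "buggy" : "refcounted", remaining, freed);
    return 0;
}
```

The hardened path is deliberately minimal: a refcount bump around the callback is enough for a callback that removes only itself, which is the assumption this example makes. A callback that may also remove its neighbour needs the dispatcher to pin `next` too, or to defer all deletions until the walk is finished.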

    2. Flocke Kroes Silver badge

      Re: Searching for dog eggs ...

      Some companies must have bought high page ranking for whatever you type into your search engine. As a result, I know where I can buy dog eggs, and where to find out how to cook them.

      It is hard to decide which made me laugh louder, that or: "Adobe insists it is taking the security of its Flash Player seriously."

      As for flash, I have never used it. If a site requires flash, my search engine can find me a different site.

    3. This post has been deleted by its author

  5. MJ024

    Sometimes you just gotta toss in the towel!

    How can one company fail continuesly and stay in buisness when everyone knows thier software, apps, whatever are the cause of most woes heard in computer security today!

    LOL! Oxymoron = Computer Security

    :)

    1. keithpeter Silver badge
      Black Helicopters

      The answer is obvious when you think about it...

      How can one company fail continuesly and stay in buisness when everyone knows thier software, apps, whatever are the cause of most woes heard in computer security today[?]

    2. Shannon Jacobs

      Depends on the financial model

      Actually, I think the critical wrinkle for Adobe was pioneered by Microsoft. Take a quick look at your legal remedies if some MS software causes you some damage. The answer may surprise you.

      Just kidding. Of course you know that Microsoft is completely free from any liability for any mistakes, incompetence, or downright negligence, and Adobe just followed along that well worn trail.

      Personally, I think we would have rather better software if the companies were also liable for their mistakes. If you added in some punitive damages, Microsoft would have gone bankrupt long ago.

  6. Anonymous Coward

    Good grief

    The spelling hit-rate in this thread is exceptionally abysmal.

    1. Anonymous Coward

      Re: Good grief

      your right theirs no surprise that Abode Software is so bad when not even the queens english holds it's place in our hearts. what happened too pride in our industry??? epoch powell was right!!!

  7. This post has been deleted by its author

    1. Mike Bell

      Adobe could get a kicking, at least on the Mac platform. God knows, they need one.

      Choices...choices... A never-ending subscription for Photoshop, or an excellent alternative for a one-off payment of £30?

      1. Gavin McMenemy

        Why just Macs though?

        Why not Windows or even Linux?

        1. Anonymous Coward

          > Why not Windows or even Linux?

          I just wondered that too... considering the close POSIX similarities between the two... it looks like the reason boils down to lack of (informed?) interest... perhaps compounded by inappropriately offhand "moderation"...

          https://affinity.serif.com/forum/index.php?/topic/626-affinity-for-linux/

          1. Charlie Clark Silver badge

            > Why not Windows or even Linux?

            I just wondered that too... considering the close POSIX similarities between the two.

What do you think POSIX has to do with it? If it's using QT then it's probably reasonably portable, but if they're using MacOS' own libraries then it's much less so.

The Linux market for paid-for desktop apps remains tiny. See if you can get a Kickstarter for the $500,000 mentioned.

        2. Ilgaz

I am sure it is about the lack of frameworks they use. It should be easy to port to GNUStep but other frameworks don't exist on Linux/Win.

      2. Charlie Clark Silver badge

        Choices...choices... A never-ending subscription for Photoshop, or an excellent alternative for a one-off payment of £30?

        Great to hear that Serif have finally started developing for MacOS! Been using PagePlus off and on for over 20 years.

        Another good alternative to Photoshop for different platforms is Photoline: http://www.pl32.com/. However, it's difficult to dislodge Adobe from their perch. For many companies the cost of subscription is small compared to any possible loss of productivity that might accompany retraining.

        Mind you, I don't think Adobe see Flash as anything like as important as Photoshop, Illustrator and InDesign. Wouldn't surprise me if they drop the runtime if they can get into the business of DRM for browsers. The development tools are the money spinner and can already produce HTML5 content. Flash is important for media rights management.

      3. Phuq Witt
        Holmes

        Stick With CS

        "...Choices...choices... A never-ending subscription for Photoshop, or an excellent alternative for a one-off payment of £30?..."

        Or just keep using CS3 ... CS6 [whichever you're currently on]

        Photoshop has been feature complete for years. New versions just add automagic tools which don't work very well or, in the case of CC, a pointless 'cloudy' way of making you rent your software, instead of owning it.

    2. Charlie Clark Silver badge

      We need to be honest about this. Without seeing the code it's very difficult to tell about the quality of the code. Given the frequency, and severity, of exploits, there are obviously some problems. The ability to escalate an exploit in Flash to gain control of the machine is, however, as much a problem with the architecture of the OSes as it is with Flash. Of course, for certain things like video-conferencing access to hardware is required. But this is a key thing: is it possible to develop a restricted version of the software that does not need admin permissions to install?

Adobe doesn't just write Flash (based on a codebase that Macromedia developed), but a whole load of other programs. I note that they're also using Coverity. Would be interesting to know if this includes Flash and what the reports come up with.

  8. hatti

    Work Experience

    Flash player must surely be the project Adobe foists on its work experience newbs.

    "OK here's your desk next to that bunch of filing covered in dust that has never been done, oh coffee machine is there and if you have any questions, ask someone other than myself, I have meetings for the whole of this week then I'm on annual leave for the following month, good luck".

  9. John Tserkezis

    "your parents use it, your children use it, admit it – you use it"

    Not anymore! I've already said on another thread that since it wouldn't even install anymore - I'm ridding myself of it. Mind you, I'm pissing a couple of hundred bucks of subscriptions that I can't get anymore up the wall, but truth be said, I'm glad, and I wouldn't have done it were it not for Adobe forcing my hand.

    So I'm free of it forever. It's quite liberating actually, kinda like swimming naked. (so I've been told)

    1. Dan 55 Silver badge

      I use it with click-to-play, but I can give it up any time I like...

      1. Anonymous Coward

        " ...but I can give it up any time I like... "

        That's what they all say.

    2. veti Silver badge

      I got a brand-new, pristine PC about four months ago now. Hard disc completely blank. Installed Windows 8.1, then as much other software as I've (so far) wanted, all manually - so I'm pretty damn' sure that no version of either Flash or Java exists anywhere on it.

      And so far, I haven't missed either one. Sure, occasionally - quite rarely - there'll be a video that doesn't play, in which case it might take me all of 30 seconds to find one that does. And that's about it.

      Free yourself. Flash and Java are as bad as each other, and unless you're developing in one or the other - in which case you're part of the problem - you don't need either one.

      1. Malcolm 1

        IE11 has flash built in (or at least the "metro" version does, can't remember about the desktop version off the top of my head). So your machine isn't quite as clean as you might imagine.

  10. Ole Juul

    Leading the way

    No amount of malicious code by Russian, Chinese, North Korean, or disgruntled employees could possibly compete with Adobe when it comes to contributing to cyberterrorism.

  11. Alister

    Adobe: Look, honestly, we really do take Flash security seriously!

    Rest-of-the-World: AH-HA-HA-HA-HA-HA-HA-HA-HA-HA-HA-HA-HA-HA-HA!

  12. Charlie Clark Silver badge
    Stop

    Amid the hyperbolae

    If you don't want to outright uninstall or disable Flash (because you want to watch BBC iPlayer, non-HTML5 YouTube or Twitch.tv videos, or play poker online, or something like that) consider telling your browser to only run Flash files when you tell it to – "click to play" in other words.

Finally, some sensible advice. Flash is everywhere because it's useful, for varying definitions of usefulness. Nevertheless, the best thing is to have it deactivated by default. Of course, the vast majority of users won't bother, just as they don't bother with most other security issues.

Disclaimer: I don't write Flash and am not a fan of it. But I know how difficult it is to do cross-platform video. Would we really be safer in a world of Windows Video, Quicktime, OpenVLC, and other plugins? And how are the media rights extensions working for you?

    1. Dan 55 Silver badge

      Re: Amid the hyperbolae

      Just a warning that the click-to-play instructions for Firefox given in the howtogeek link in the article are as wrong as wrong can be. Not sure how well other browsers fare.

      1. Wade Burchette

        Re: Amid the hyperbolae

        I use Firefox and I haven't updated Flash. Every time a website wants to run Flash, I get a message about a vulnerable plug-in. That is my click-to-play. Unless I really really trust a website, I will not click that link. Ghostery blocks the tracking Flash ads, Firefox blocking a vulnerable plug-in blocks the accursed auto-play videos.

  13. Hawkeye Pierce

    There's the problem...

    Said the Adobe drone: "There are extensive efforts underway internally, in addition to our work with the security community and our counterparts in other organizations, to help KEEP our products and our users safe."

    There's the problem right there... spot the word "keep"? They think their products are already good, that the flaws that get announced on a constant basis are things that have just recently crept in, or didn't exist for goodness knows how many years beforehand.

    Seriously, Adobe, you should have recognised there was a major problem three years ago and done something about it then. Not work on the basis that the just announced flaw was the last there would ever be, fix that one and then stick your head in the sand... until the next announced flaw... rinse and repeat...

  14. Dan 55 Silver badge
    Devil

    Does Adobe sit on its hands and wait for people to report vulnerabilities before it fixes them?

    Yes.

    1. Fred Flintstone Gold badge

      Re: Does Adobe sit on its hands and wait for people to report vulnerabilities before it fixes them?

      That would still be a useful approach if their fixes indeed addressed vulnerabilities. As far as I can tell their fixes simply open up holes elsewhere - a bit like digging a hole to fill another one.

      It makes you wonder what sort of approach to coding makes you end up with a game of security whack-a-mole.

      Unless, of course, the original intention was indeed to code a game of whack-a-mole :)

      1. Anonymous Coward

        Re: Does Adobe sit on its hands and wait for people to report vulnerabilities before it fixes them?

        >Unless, of course, the original intention was indeed to code a game of whack-a-mole :)

        Yup. That is the game.

    2. MysteryGuy
      Joke

      Re: Does Adobe sit on its hands and wait for people to report vulnerabilities before it fixes them?

Maybe it's not accidental and Adobe is purposely putting in vulnerabilities for use by the NSA, et al. :-)

      Then again, maybe that's not such a ridiculously far fetched idea after all...

    3. Malcolm 1

      Re: Does Adobe sit on its hands and wait for people to report vulnerabilities before it fixes them?

      Do you reckon they've even stumped up for any static analysis tools yet?

  15. Anonymous Coward

    "Last year, Adobe's chief security officer Brad Arkin said he wanted to make life much harder for attackers who try to exploit programming cockups, rather than spend all day finding and fixing bad code hidden in millions of lines of source."

    So how exactly does he plan to make life much harder for them, except by fixing the software?

    Fixing the software is exactly what needs to be done in order to make the attackers life harder!

    The mitigation they are talking about is like sticking a band-aid on a bullet wound to stop any more bullets going in.

    1. Dan 55 Silver badge

      That almost always means they're going to wrap up that dog egg (nice description) and stick it in a magic sandbox which will make it smell of roses.

      Hopefully the magic sandbox will be coded to better standards than the dog egg.

      1. Anonymous Coward

        > Hopefully the magic sandbox will be coded to better standards than the dog egg.

        What are the odds?

        1. Destroy All Monsters Silver badge
          Trollface

          You hear, Larry??

          They could recode the Flash runtime in Java.

          Then one would only have ONE sandbox to worry about. Plus Flash would be able to auto-install on need (and you would profit from a new search bar!!)

          Unfortunately it would mean Oracle and Adobe would enter into the HYPERCLASH OF THE IP WANKERSDJIANTS!

  16. S4qFBxkFFg
    Paris Hilton

    This may be a silly question - but how does Adobe benefit from the existence of Flash?

    It's free to the end-users, but do people creating Flash content pay Adobe for the privilege?

    Do Adobe get a cut whenever a server delivers a flash file?

    Why do they bother when they could still make cash out of Photoshop and its siblings after killing Flash?

    1. Anonymous Coward

      Favour <----> Favour

      Backdoors <----> Regulatory and taxation blind eyes

      The carrot is certainly preferable to the stick and the effect is the same. Just ask MSFT.

      Assets are protected.

      Flash is an asset.

      Flash is protected.

      Just like MSFT

    2. Mark 85

      The cash cow is that browser (Chrome the last time I looked), toolbar or laughable AVS that it wants to install every time you update or install it.

    3. Captain DaFt

      "but do people creating Flash content pay Adobe for the privilege?"

      Yes, yes they do.

  17. Roger Kynaston

    Dear BBC

    I know that things are difficult for you at the moment but please find the resources to migrate iPlayer off Flash.

    I wrote to you direct once and you said it provided a secure platform to provide protected content.

    The secure thing is not true and there are other means of providing protected content whatever that means.

  18. Roger Varley

    While you're at it ...

    could you please fix your installer as well so it doesn't keep trying try to sneak McAfee past the inattentive. Thank you for your attention.

  19. PassiveSmoking

    Thanks to our hardening efforts...

our software is now as hard as Rick Moranis. With time and effort, one day it might be as hard as Whoopi Goldberg.

  20. David Lawrence

    Moore's law?

    Every update to Flash that I get told to download always addresses two issues:-

    It improves performance (apparently)

    It makes it more secure (allegedly).

I have just invented Moore's law for Flash...... "every year Flash gets twice as fast and four times more secure than the previous year". Yes I believe it! Any day now it will be so fast it will start launching animations before I have so much as thought about clicking my mouse, and it will stop hackers from even thinking about developing new ways to steal my money.

    Mmmmm. Nice!

    1. Anonymous Coward

      Re: Moore's law?

      > Any day now...

      According to my calculations, that day was in 1998

  21. nichomach
    Trollface

    I am perfectly prepared...

    ...to believe that Adobe take Flash's security as seriously as they do its stability.

  22. Spaceman Spiff

    So, why don't they release the Flash code base into the Open Source community with merges/changes and such managed by Apache for example? Are they afraid of getting dissed for the current quality? At least a serious security audit could be performed on it in the meantime.

    1. Pascal Monett Silver badge

      My thoughts exactly.

      Flash is free, so there is no dip in revenue.

      Flash security is hopelessly undermined, and Adobe obviously cannot hire anybody with the skills needed to clean it out, so farm the thing to the Internet where skilled people exist and are certainly willing to take a gander.

      Be serious guys, if you're still chasing after use_after_free() bugs, it's high time you stop thinking of yourselves as capable of programming. Leave that to the experts.

  23. Anonymous Coward

The final straw for me was when I came back to my laptop after a couple of hours to find the fan screaming like I'd never heard before, and the body too hot to touch in the area between keyboard and screen. The culprit? A flash banner ad that had somehow escaped eradication by an early version of Adblock. Flash was promptly banished from Firefox to another browser used only for "must see" Youtube movies. These days I use the QuickJava add-on that loads Flashplayer (or java, images, javascript etc etc) with a click on the rare occasions it's needed.

    I find it mystifying as to quite why Adobe can't at least reduce the nastiness to manageable levels given the insane amount of patching they're forced to do.

    1. Pascal Monett Silver badge

      You use Firefox and you don't have NoScript installed ?

      How unfortunate.

  24. Matt 75

    just to remind everyone

    that (according to an article published here on El Reg) in 2014 Chrome, Firefox and (no surprise) IE all had more vulnerabilities than Flash.

    So everyone complaining about the dangers of running Flash - maybe you need to switch to a Mac running Safari too as that was the only major browser that had fewer vulns than Flash did....

    1. Destroy All Monsters Silver badge

      Re: just to remind everyone

      You wanna break this down by severity, Matt? Because, you know, "hey statistics".

      1. Matt 75

        Re: just to remind everyone

        Sure. 220 'high' vulnerabilities in IE, 86 for Chrome, 57 for FF, 65 for Flash.

        https://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

  25. geeboh

    If the major porn sites stopped using Flash it would be history by this weekend.

  26. Dave 32
    Pint

    Open Source

If Adobe can't write secure code (and, it's becoming rather obvious that they can't), then why don't they just open source Flash Player? Sure, attach some provisions to it that guarantees their ability to suck the updated source back in and use it for their other stuff. But, surely open source people could do a better job of maintaining it than they've been doing.

    Dave

  27. Kaltern

    Ironically, the BBC have linked to this very page from their news article about the problem - while still maintaining it to be the best thing for iplayer...

  28. Ilgaz

    Liar

    If they were serious, it would take 2 hours to stop bundling third party software (McAfee ad) and switch to OS native installer (MSI).
