back to article Adobe...sigh...issues critical patch...sigh...for Flash Player zero day

Adobe has pushed out a patch for 25 vulnerabilities in Flash Player, including one that is already being targeted in the wild. The latest fix for the internet's screen door includes a remedy for CVE-2016-4117, the remote code execution flaw that is already being exploited by criminals serving up malware-laden advertisements. …

  1. Captain Badmouth
    Paris Hilton

    The final countdown?

    Surely, we must be near the end for this load of crap?

    Paris : Well acquainted with flash, of one sort or another.

    1. This post has been deleted by its author

    2. Ian 55

      Re: The final countdown?

      I am completely sure that Adobe have fixed all the problems this time. They've had enough practice.

    3. Mpeler
      Paris Hilton

      Re: The final countdown?

      It's getting (or probably already has gotten) to the point that if you eliminate all the faulty code in Flash, nothing would be left (but hey, it would be clean code, eh?).

      Might not be a bad thing after all.

      Then again, same thing for windoze 1 0 and patch Tuesdays.

      Yep, Paris. Here's her twin...

  2. jonnycando

    Why....

    Is flash not withdrawn from use already?

    1. Tom 64

      Re: Why....

      It has been, I make a point of uninstalling it from every PC I come into contact with.

    2. theOtherJT Silver badge

      Re: Why....

      Stupid bloody "Web apps" that use it for the UI in my case. I'd love to get rid, but there's no way I can retire it as long as these things exist and we have to use them.

  3. Anonymous Coward
    Anonymous Coward

    What site that you can't just do without still uses Flash?

    1. ThomH

      Hulu, I guess. Except that it's built right in to my TV, and is available for every streaming stick and box. So I don't really need the web site. But it is nevertheless a popular website under active development that seems still to be sticking with the olden days.

      1. John Riddoch

        BBC - all the media there is still flash based.

        Personally, I've set Flash to require action to run and found I'm not missing much online as a result. I also run Adblocker, mainly because malvertising seems to be one of the main avenues of attack.

        1. Skoorb

          BBC HTML5

          @John Riddoch

          Go to http://www.bbc.co.uk/html5 and switch to the HTML5 BBC player. Ther's also an Android HTML5 player avaliable.

          They have been in beta since September last year, but still have not been pushed out as default. The new HTML5 player also uses MPEG-DASH and the avc3 codec, which is pretty cool.

          BBC Research & Development have a load of really interesting blog posts on the work they have been putting into it.

          1. Ken Hagan Gold badge

            Re: BBC HTML5

            Doesn't work on all platforms. Doesn't give any reason why when it doesn't, beyond "Your platform is not supported.". Otherwise I'm sure it is fine and more power to their elbows etc.

            1. Skoorb

              Re: BBC HTML5

              @Ken Hagan

              BBC R&D published a blog post explaining the technologies the player uses and why they can't support some environments. It's linked from the main HTML5 page.

              In summary:

              - Safari on Mac OS X doesn’t support AVC3 via its Media Source Extensions implementation. The HLS implementation is also incomplete.

              - In Firefox, the H.264 and AAC decoders are provided by the operating system. Currently, Firefox will only use decoders from Windows and OS X by default. On POSIX, you have to manually plug your own in.

              - Old browser versions do not have support for HTML5 or MPEG-DASH (the MPEG-DASH standard was only published in 2012).

              If you have any suggestions or other problems, drop the team an email at mediaplayer@bbc.co.uk.

              1. Not That Andrew

                Re: BBC HTML5

                That blog post is IMO mostly bollocks as HTML5 video works fine if you spoof as an iPad or iPhone

              2. Ken Hagan Gold badge

                Re: BBC HTML5

                @Skoorb: Thanks for the link. My device probably falls into the category of "have to manually plug your own in" which means it'll have to wait until I have time to do the necessary googling, but at least I now have a lead to follow.

    2. Anonymous Coward
      Anonymous Coward

      Only my employer's site. So I treat my work laptop as something that I have to protect my home network from.

    3. John Tserkezis

      "What site that you can't just do without still uses Flash?"

      http://circuitcellar.com/

      http://www.siliconchip.com.au/ (offers low-resolution image based viewing if you don't have flash)

      1. Updraft102

        I was looking for information about Aerocool computer fans the other day, and their site's main menu didn't appear without Flash. I even tried changing my user-agent to that of an iPad to see if it would serve me a Flash-free version, but it was the same as before.

        It doesn't meet the definition of a site I can't do without, of course... just an illustration that some idiot web designers out there still insist on Flash. Thankfully, that security nightmare known as Java has just about faded to total oblivion, and now it's time for Flash to follow.

    4. Gene Cash Silver badge

      YouTube. About 75% of the vids play in HTML5 on Linux.

      The rest seem to be "fragmented-mpeg" and Firefox just shits a brick.

      Unfortunately I can't upgrade Firefox because I lose a lot of functionality.

  4. Tomato42
    Happy

    Fla-what?

    it's been so long I had it installed I forgot it exists

    those were very blissful moments

  5. Anonymous Coward
    Anonymous Coward

    WTH

    Ok, so what major porn sites require flash instead of HTML5? Porn has to be the driver, right? Otherwise this piece of crap would be long gone.

    1. gollux

      Re: WTH

      Porn sites tend to want to keep their customers so are probably well ahead of the curve on HTML5 adoption, unlike ad agencies, Sage software type graphical interfaces and other companies who think they have a captive audience and therefore don't have to change.

    2. e_is_real_i_isnt

      Re: WTH

      Porn companies are flexible and will use HTML5 to gain customers. It's big companies with policies set in concrete who can't move from Flash. They don't make money with their videos they don't care if the customers are exposed.

      1. Lord_Beavis
        Thumb Up

        Re: WTH

        Flexible... Exposed... I see what you did there.

    3. rblythe

      Re: WTH

      As a strictly research-driven activity, I can confirm that YouPorn does not require Flash.

  6. John Tserkezis

    We're way, way past the point of making fun of Adobe creating a bug-riddled mess, should we be actively making fun of web sites who still insist on using it?

  7. Anonymous Coward
    Anonymous Coward

    Keep The Faith

    I think we can trust a major company like Adobe to sort this all out in short order.

    1. tony2heads

      Re: Keep The Faith

      HAHAHAHA - nice piece of sarcasm there.

      It was sarcasm, right?

  8. Anonymous Coward
    Anonymous Coward

    Goodness! A flaw in Flash? That is unexpected.

    (Just testing how sarcastic it's possible to be without the comment box exploding)

  9. a_yank_lurker

    Another Day

    One can barely get through a week without a Flash update. Time to terminate Flash with extreme prejudice.

  10. fidodogbreath
    FAIL

    Amazing

    According to ComputerWorld, Adobe patched 316 Flash bugs in 2015...6.1 bug fixes per week. And clearly there were more still lurking.

    This, for software that has been around for almost two decades

    One wonders: how did it ever work at all?

    1. Tom 64

      Re: Amazing

      > "One wonders: how did it ever work at all?"

      It didn't. Its always been a buggy piece of shit, prone to crashing video drivers and more. The sooner it dies, the better!

      1. e_is_real_i_isnt

        Re: Amazing

        Before it was a crashing pile of bovine excretment, Flash was updated so often that I spent more time downloading (56k all the way) the player than watching the related video. It's been the nexus of bad experiences since Macromedia first built the pile.

      2. Jan Hargreaves

        Re: Amazing

        Never had a problem with crashing video drivers. Must be your video card.

        Flash worked absolutely fine and there were some truly incredible websites built with Flash. There were also loads of sites that were awful and ads that behaved ridiculously. I'm guessing the wide ranging functionality of it led to it being more open to exploits than other software that didn't try to do so many things.

        You give people technology and a few use it to create great things, and unfortunately many use it to create awful things. That is not the fault of the tech itself.

        There is nothing out there that is even close to providing what it can do. It's a shame that a technology is aggressively retired when there is no viable alternative. Also it's obvious that a lot of you don't play browser based games as HTML5 is not even close to offering the same level of UI & UX.

        1. Captain DaFt

          Re: Amazing

          "Flash worked absolutely fine..."

          But then, Macromedia was acquired by Adobe Systems in 2005, and it's all been downhill ever since.

        2. Charlie Clark Silver badge

          Re: Amazing

          There is nothing out there that is even close to providing what it can do. It's a shame that a technology is aggressively retired when there is no viable alternative.

          I'm no so sure about that any more. It was maybe the case a few years ago but the modern browser runtimes no leave very little to be desired. What maybe missing are the relevant authoring tools.

          Flash should be recognised for two things: a cross-platform graphical runtime for browsers when the only other alternative were Java applets; and ending the video player wars (remember RealPlayer vs. Quicktime vs. Windows Media Player?) Unfortunately, as the internet grew in importance, the problems inherent in the platform became more obvious.

          Flash is now only kept around for sites wanting to use it for DRM which is why it's down to around 14 % of sites. More and more browsers, including all the mobile ones, don't have Flash so now only around 50 % of any sites visitors can actually see the Flash content. Most media sites are already piloting HTML5 video. I expect by the end of the year less than 10 % of sites will be using Flash and a majority of users won't have it installed.

          1. Jan Hargreaves

            Re: Amazing

            Some examples:

            1. Can't play sounds simultaneously in some browsers with HTML5. For games and interactive stuff this is a complete non-starter.

            2. Video masking in HTML5 just isn't anywhere near what you can do.

            3. Recently I was asked to animate a very simple intro logo for a website. I'll be the first to admit that I have no idea how to do this outside of Flash so I used it and exported to HTML5. The swf is just 15kb, but the export to js is 250kb. The technology/ or exporter is primative. It has a long way to go.

            4. Syncing content - like sounds at particular points - this needs to be set on an event rather than a timer. I've had to use a timer on a recent project that doesn't always go at the right time. There may be a way to do this in jQuery - so forgive me if I just don't have the required knowledge on this one.

            5. Just the overall compression Flash provided. On one particular forum I visit regularly, a lot of people have gif signatures and on some pages the browser will just freeze constantly. With flash you can have so much mixed-media content yet it's compressed and handled well by the browser. In HTML5 it really struggles at times. You shouldn't require your users to have 16GB, 16 core machines.

            That said... Flash is on it's way out and I've known that for years. The smartphone basically killed it. Thanks Steve...

        3. Anonymous Coward
          Anonymous Coward

          Re: Amazing

          > There is nothing out there that is even close to providing what it can do. It's a shame that a technology is aggressively retired when there is no viable alternative.

          Well, IBM had a Flash-like technology called HotMedia back in the late '90's, which ran under Java. If IBM management hadn't had it-'s head up it's arse we all could have been using HM instead of Flash. That way instead of playing whack-a-mole with *TWO* bug-and-vulnerability-laden technologies (Flash and Java), we'd only have to be fighting with one. And for that matter, security *was* being thought of in HM even then.

          But, as we all know, IBM suffers cranial-rectal insertion, so we know the outcome.

  11. redpawn

    Proves Quantum Theory

    If you identify all the flaws you can't locate the program.

  12. Anonymous Coward
    Anonymous Coward

    Bypassing security

    One of the chief IT officers of my company (large American industrial company) is due to give an online talk on the cyber security challenge. The site used to host this talk requires the use of Flash Player. We'll have to bypass our browser's security settings to attend this talk. *sigh*.

  13. Anonymous Coward
    Anonymous Coward

    Oh my God ..

    .. soooo many problems I've missed out on by ripping Flash wholesale from my systems.

    That's bad planning - what am I going to blame a breach on now?

    (yes, I'm channeling a bank director right now)

  14. Lord_Beavis
    Linux

    Did you all miss the fact...

    That l Reg is using Flash on this very forum? I keep getting a notice from Firefox that it is being blocked.

    Or is it maybe the ads... (that I have blocked as well).

    1. Fred Flintstone Gold badge

      Re: Did you all miss the fact...

      I keep getting a notice from Firefox that it is being blocked.

      Well, at least that's easy to fix: just uninstall Flash. No more pesky messages :).

  15. Aodhhan

    FugginLameAzzSHeet

    Anything Oracle or Adobe related isn't worth using.

    Thank goodness my company has figured this out, and stopped purchasing and using it. No more Oracle DBs or apps.. no more Adobe reader etc.

    At first people were worried that customers and vendors would have a fit if we rejected all PDFs, but it's amazing how smoothly it's gone. Not to mention the relief for patch testing and worried application owners.

    It's amazing how secure an environment gets when you stop using Oracle (anything) on the network, and stop using Apache for public facing web sites. For two years now, a contracted penetration testing/red team hasn't been able to breach our network; this includes phishing attacks.

    1. Anonymous Coward
      Anonymous Coward

      Re: FugginLameAzzSHeet

      Thank goodness my company has figured this out, and stopped purchasing and using it. No more Oracle DBs or apps.. no more Adobe reader etc.

      I was just revisiting Linux databases, and came across MariaDB (yes, I know I'm late in this, I've been busy) - the main driver appears to have been Oracle's direction. I installed it and so far so good, no MySQL using applications have noticed anything amiss :).

      For two years now, a contracted penetration testing/red team hasn't been able to breach our network; this includes phishing attacks.

      Still, these sort of remarks are bad practice. It's the sysadmin equivalent of sticking a big "please kick me, hard" on your back. Besides, pen tests are a function of the capabilities of the red team and their tools at one point in time - it's not a guarantee that some girl in Russia is not capable of walking past your defences with a APT sequence as if they don't exist. Do those attempts at least trigger your network intrusion detection? Do you spot these people in your log file reviews?

      Never go smug - the Net has a habit of adjusting that sort of attitude, harshly.

  16. TXITMAN

    HoHum

    Spent the afternoon checking computers for Flash Player. Only found a few remaining and those are required, for now.

  17. Anonymous Coward
    Anonymous Coward

    Just how did this happen ?

    Here's a challenge for an El Reg writer...I'd love to know just how this complete clusterfuck of a piece of software happened...what was the original design, what language was it written in, how did something get released on to the world that has proved so impossible to clean up ? Was it just a bizarre twist of fate that meant that a piece of software that should have been retired after two years happened to survive for 20 as an undead bearer of bugs ? Can you find the some of the original devs/management ? What do they say ?

    Because it's staggering just how long this has been going on for.

    1. Ken Hagan Gold badge

      Re: Just how did this happen ?

      Wikipedia has some historical remarks. It does appear that the product went through several names and companies as its owners decided what they wanted it to be for. Since its origins are around 1990, I imagine the implementation language was originally C, but back then it was easy (almost too easy) to flick a switch and start compiling your code as C++ in order to use lots of shiny language extensions, so I would also imagine it has been C++ for most of its life. ActionScript was apparently bolted on the side about 10 years after the original design.

      In competent hands, this would mean that the product has been polished and refined over a quarter of a century and is now an absolutely fucking awesome model of how software should be constructed. (It is a pity that the product has to remain closed-source for commercial reasons, because it would be sooo cool to publish it.) Ports to other architectures have been reduced to switch-flicking. Any architectural flaws in the original design have been swept away and the development team probably still contains one or two of the original developers because why would you walk away from an easy job curating your very own cash cow?

      The evidence suggests that it is more like the unwanted runt of the litter that was abused by various different groups, none of whom ever bothered to learn what they actually had before attempting major modifications. It's probably still written in 1990-style C and contains the left-overs of attempts to port to several new architectures that didn't quite work out. The current maintainers weren't even born when it was created and aren't really familiar with C programming, but fortunately it's a bit like Java so they are managing to get along.

    2. Cameron Colley

      Re: Just how did this happen ?

      It happened because web developers were generally lazy and unskilled and wanted their cake and to eat it too. Don't get me wrong, there were and are some really good web developers out there but the trend was always for them to be people who were "a bit creative" and "a bit computery" and wanted to make a lot of money so they used Flash as an easy way to make impressive sites for customers who didn't know any better.

      A similar thing happened with online games -- rather than writing games in real programming languages people made them in Flash because it was easier to be cross-platform and took less time to develop.

      Flash has always been dodgy cludge of a toy for playing with and doing fun and cool things with but, sadly, people who didn't know better or didn't care used it for things they shouldn't and became dependent upon it.

      Then there are the "But... But... But... We wouldn't be able to do X without Flash." crowd who don't understand that this means "We can't do X.". You know, the kind of people who demand that the laws of physics don't apply to them.

      In short, Flash is still here because some people are too stupid to be let loose on computers.

  18. doke

    vCenter and Pandora

    VMware vCenter and Pandora run in Flash. Sigh.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like