Did you hear? There's a critical security hole that lets web pages hijack computers. Of course it's Adobe Flash's fault

Adobe has emitted software updates to address a critical vulnerability in Flash Player for Windows, Mac, and Linux. PC owners and admins will want to upgrade their copies of Flash to version 31.0.0.153 or later in order to get the patch – or just dump the damn thing altogether. The November 20 security update addresses a …

  1. macjules

    But only if ...

    Basically, an attacker could slip the exploit code into a Flash .swf file, put it on a web page, and covertly install malware on any vulnerable machine that visits the page.

    ... the attacker actually has bothered to install that complete POS software (Flash) on his/her computer.

    1. BillG
      Happy

      Re: But only if ...

      Oddly enough, according to the security alert, this doesn't seem to affect Windows 7 or Windows XP.

  2. Mark 85

    I guess there are still people and organizations who haven't got the word to dump Flash yet. Pity that. What's it going to take? Someone with a mallet to go around and smack some sense into them?

    1. ThomH

      My organisation's computer annual security training required all employees to enable Flash. It's all contracted out, and I suspect its developers haven't yet discovered an HTML5 way to prevent users from skipping 20 minutes of video per topic of people ostentatiously failing to be either informative or funny prior to taking a quiz approximately as difficult as a weekend television phone-in competition.

    2. Danny 14

      Plus, doesn't Windows 10 have it baked in? And being baked in, you can't install fixes?

      nice!

      1. Anonymous Coward

        > "plus doesn't windows 10 have it baked in?"

        Doesn't appear to be "baked in" to Win10 at all. I did a quick google, and Flash seems to be simply installable, just as with other OS's. Also, two years ago MS was pulling the Edge browser back from Flash specifically, so they are aware of the Flash issues too.

        1. Sven Coenye

          It was baked in

          1511 didn't have it, but one of the feature updates installed it and it was impossible to uninstall (short of deleting files manually). Maybe MS has come back to its senses, but then I don't have to admin W10 anymore :-)

        2. Captain 0bvious

          I will put it this way - "Flash Player (32-bit)" appears in the Windows 10 Pro Control Panel and has no option to uninstall via Programs and Features. So yeah it's baked in.

    3. Anonymous Coward

      > "What's it going to take? Someone with a mallet...?"

      If by that, you mean total pwnership of those people, then yes, that's what it will take, and in some cases even that won't be enough.

  3. asdf

    GOAT?

    Even with a retirement date of 2020, there is a pretty good chance no piece of software now or even in the distant future will ever be as responsible for as many critical remotely exploitable defects (if they care to look, sure, they could find many more for decades to come lol). Windows OS jokes aside, of course, ignore the fact that Windows is made of many differing pieces of software. Even the JRE is clapping its hands to acknowledge the greatest malware portal the world has ever known. I bet that hairball code base is something pretty special by this point. I hope they end up open sourcing it just 4 teh lulz.

    1. ThomH

      Re: GOAT?

      Surely some sort of error? As we learnt from the Adobe CEO's 2010 interview with the WSJ, all Adobe Flash crashes on the Mac are the fault of "the Apple operating system". I'm sure Adobe would use the same bullet-proof code on its other platforms too.

    2. bombastic bob Silver badge
      Happy

      Re: GOAT?

      "I hope they end up open sourcing it just 4 teh lulz."

      along with a full source control revision history, including uncensored programmer commit comments

  4. mark l 2 Silver badge

    I wish Channel 4 would pull their fingers out and move All4 off Flash, as it is the only site I regularly visit that still uses it.

    Channel 5 have ditched it in favour of Widevine DRM, so there is no reason that Channel 4 can't ditch it too.

  5. This post has been deleted by its author

    1. cream wobbly

      "There's still a lot that Adobe Flash can do which HTML 5 can't"

      Such as entirely hand over your computing resources to Russian-occupied Ukraine, North Korea, and China? Sure. That's what they're trying to fix. Do keep up.

    2. veti Silver badge

      The problem with redoing from scratch is, there is no reason to believe you'll do any better job than the original team did. Sure you'll avoid their mistakes, but you'll make plenty of your own, including many that they thought of and avoided.

      1. Pascal Monett Silver badge

        Um, sorry, but there is no mistake that the Flash team thought of and avoided. They made all the mistakes.

        1. katrinab Silver badge
          Flame

          You haven't met the people who programmed the interface for my hire car.

          1. JLV

            I see. After 2x3 weeks of rented Ford Focus’s MS-sourced* infotainment system I had recurring fantasies involving sharks, fireants, piranhas, scorpions and its dev team.

            * I believe Ford ditched MS shortly after, for Blackberry.

    3. DropBear

      Would those be the kind of "UI designs" that render the "back" button (and most conventional ways to navigate a website, for that matter) completely useless...? Because those sites are welcome to rot away together with Flash as quickly as possible. Shooting them behind the barn would be far too good for them.

      1. Anonymous Coward

        @DropBear: "the kind of "UI designs" that renders the "back" button (and most conventional ways to navigate a website, for that matter) completely useless...?"

        Oh god, I remember those. I think it was circa 2003-04 when I was looking for a graduate position, and there seemed to be loads of banks and similar organisations with wannabe-"impressive"-looking websites that ran almost or entirely within Flash and were a PITA to navigate.

        Fortunately, that seems to have been the peak for that kind of nonsense, and improvements in JavaScript and (possibly) the iPhone sidelining Flash seem to have resulted in such things becoming very rare in recent years. Or perhaps the designers just realised entirely Flash-based websites were shite.

        (Not that Flash was a bad *idea* for *embedded* content; just that making the entire website itself a Flash certainly was).

        1. Stuart Castle Silver badge

          In the late 90s and early 00s, what some people could achieve using Flash genuinely amazed me. Websites with genuinely beautiful presentation, games, interactive videos etc. I was a real fan. Of course, it was annoying when I visited a heavily Flash-based site on a device that didn't have Flash installed and just got a blank page, but I just accepted that as par for the course, because Flash could do things UI-wise that couldn't be done otherwise (at the time).

          Technology moves on, however. HTML 5 can do most of the things required to provide flashy user interfaces on websites, and does a good job of playing games. Hell, using something like Parallels, you can even use an HTML5 browser to access Remote Desktop.

          Flash has had its day. There is very little that can be done in Flash Player that can't be done using other, just as easy to develop for, languages and systems. I think with the number of vulnerabilities being found in it, it's the right decision for Adobe to take it out into the yard with a shotgun, and I think anyone who has a website that requires Flash should seriously look at redesigning that website.

    4. Teiwaz

      There's still a lot that Adobe Flash can do which HTML 5 can't

      I don't know why you got d/v for that. I keep coming across people using swf to share some artistic project or another because there is nothing else convenient and in fairly widespread use.

  6. earl grey
    Facepalm

    I just HAD to look

    And their frikking web site simply downloads a zero length install. Another job well done.

  7. Anonymous Coward
    Terminator

    Type confusion and with-scope pointer caught exception

    TL;DR: "There's a bug in Adobe Flash. The interpreter code of the ActionScript Virtual Machine (AVM) does not reset a with-scope pointer when an exception is caught, leading later to a type confusion bug, and eventually to a remote code execution."

    1. bombastic bob Silver badge
      Trollface

      Re: Type confusion and with-scope pointer caught exception

      but I'm sure it INSTALLED UNWANTED CRAPWARE just fine, when you attempted to upgrade it...

      (what part of "must you make me UN-tick those boxes EVERY! SINGLE! TIME! ???" did you guys NOT understand the LAST time I sent flame-mail over this???)

      OK, it's been a while since I actually INSTALLED (or upgraded) Flash, maybe 5 years or more. It was still doing that, right?

  8. JLV
    Trollface

    Oi, BBC, any plans to ditch it?

    I mean its death's only 2 years away now.

    And, before anyone asks, yes, I still see plenty of you-dont-have-Flash-installed s from them on my phone. I thought for a while that it would only happen at first page view, then reloading would show a regular video. As if they were doing just-in-time transcoding.

    But now it just seems BBC often still wants Flash.

    p.s. wouldn't want to forget Edge in this hall of lame, would we?

    p.p.s. And, no, "redoing Flash from scratch" wouldn't do it. Too much flexibility in what can be run from internet sources, essentially an opaque closed-source parallel JS, is just not a good idea. If you want video, embed it. If you want audio, ditto. If you want animation, there's JS Canvas and SVG. Browsers and plugins are much more able to keep JS stuff locked down, and even then it's a constant struggle.

    1. A.P. Veening Silver badge

      Re: Oi, BBC, any plans to ditch it?

      "I mean its death's only 2 years away now."

      That means BBC will ditch it in about 52 years (give or take two months).

  9. jaypatelani

    Not only BSD :)

  10. Anonymous Coward

    Living Flash free

    And lovin' it.

  11. Big-nosed Pengie

    The mind boggles

    Actually, it doesn't.

  12. Scroticus Canis
    Trollface

    Kill Flash by 2020? But... but...

    ... what about all those cat videos? Oh the felinity! Such a loss!

    1. katrinab Silver badge
      Angel

      Re: Kill Flash by 2020? But... but...

      They are all available in mp4 format. My iPad is flash free, always has been, and I have no problems at all with cat videos.

      1. Scroticus Canis
        Paris Hilton

        Re: I have no problems at all with cat videos.

        Neither do I, as I wouldn't waste my time watching them, but hey, each to their own.

  13. //DLBL SYSRES

    Irony alert.

    Trustwave, a PCI validation company used by PayPal amongst others to ensure that online stores and shops with credit card terminals are PCI compliant, uses Adobe Flash for their GUI.

    https://login.trustwave.com/portal-core/home/

  14. Anonymous Coward

    Can anyone tell me...

    How is it possible for one piece of software to repeatedly have so many seriously critical bugs over such a long period of time?

    I know all software has bugs, but the number and severity of Flash bugs seems at odds with its size and complexity compared to much bigger and technically complicated software.

    With the number of patches released for the Flash Plugin, surely Adobe must have pretty much re-written the whole thing many times over by now, yet still more critical vulnerabilities are found on a weekly basis.

    The Flash developers can't really be that bad can they?

    1. A.P. Veening Silver badge

      Re: Can anyone tell me...

      Very easy, every single patch in Flash creates on average 2.73 new critical bugs.

    2. Version 1.0 Silver badge

      Re: Can anyone tell me...

      The Flash developers can't really be that bad can they?

      Most likely there is no Flash developer. Adobe assigns a couple of people to fix each bug when it's discovered and then moves them to another team after it's "fixed" ... and then when the next bug is found they assign a new team to fix it ... and then they move on.

      I was planning to write a book about this called "The Mythical Man Month Spent Bug Fixing" but my publisher tells me that the title is too similar to an older book.

    3. Steve Graham

      Re: Can anyone tell me...

      The basic problem is that Flash is more like a complete operating system than a video player. You can implement a full user interface, do computations, networking, and all kinds of stuff.

      1. DerekCurrie
        Holmes

        Re: Can anyone tell me...

        Steve Graham says: "The basic problem is that Flash is more like a complete operating system than a video player. You can implement a full user interface, do computations, networking, and all kinds of stuff."

        Plus it's kind of obvious that the software Adobe bought along with Macromedia is POORLY documented as well as POORLY coded. In a way, I feel sorry for Adobe being stuck with the buggy albatross. Then again, it is an albatross. Kill it yesterday already.

  15. Big_Boomer Silver badge

    Nuke it from orbit,....

    It's the only way to be sure! :-)

    Seriously, why didn't Adobe just EoL Flash 2 years ago? That would have forced everyone to use something else and would probably have saved the sanity of many a poor support techie. Still gonna be active for another 2 years? Jeez, just put a ****ing bullet in its brain and move on.

  16. DerekCurrie
    Holmes

    Correction & Perspective

    "Because Adobe does not maintain a fixed patching schedule for Flash Player, this isn't technically considered an out-of-band band-aid." <-- INCORRECT

    YES, Adobe does indeed maintain a fixed patching schedule for Flash Player on the second Tuesday of every month. Adobe established that schedule years ago and has stuck with it.

    YES, this IS an out-of-band update patch and therefore should be considered to be URGENT.

    Personal perspectives:

    A) Real security requires ASAP patching. No excuses! Scheduled patching is merely for convenience at the often dire sacrifice of real security. Thankfully, Adobe has adopted an excellent compromise and uses BOTH strategies, the secure strategy as well as the convenient strategy. Bravo Adobe!

    B) The burial of constantly, consistently buggy, insecure Flash can't come fast enough. It should have been murdered THIS year. I'd gladly have added my own knife. Boo Adobe!

    C) There was a time when I recommended not allowing Adobe to automatically update their free bug-ware. But I relented. Let Adobe's automatic update feature run. No one has time to keep up with Adobe's eternal mess-of-the-day patching. In the past two years I've run into no problems with Adobe's auto-updating. If I have to use their buggy junk, I'm happy to let them fix it themselves without my having to baby-sit the stuff.

  17. anoco

    Another hurried up update

    Got another update today. I wonder if some of the updates are fixing older updates. Because it's hard to believe that there's any line of code left to secure.
