

Adobe issues emergency Flash fix - manishsingh
http://www.bbc.com/news/technology-33255033

======
thefreeman
OP is blog spam of this post:
[https://krebsonsecurity.com/2015/06/emergency-patch-for-adob...](https://krebsonsecurity.com/2015/06/emergency-patch-for-adobe-flash-zero-day/)

Which is highlighting this security release from Tuesday:
[https://helpx.adobe.com/security/products/flash-player/apsb1...](https://helpx.adobe.com/security/products/flash-player/apsb15-14.html)

~~~
ceejayoz
The BBC is blog spam? Or did the mods change the link without telling us?

~~~
thefreeman
The BBC is blog spam, yes. It quotes Krebs's article, which happens to be almost
exactly the same, except BBC removed links to the advisory, etc.

Edit: in response to TazeTSchnitzel to whom I cannot reply. If BBC included a
link to the original post _or_ the actual security advisory I would be less
likely to call it blog spam, but I stand by my classification. It is a repost
without the sources and with less information (notably a warning to users
about the McAfee opt out among other things).

~~~
tokenizerrr
> in response to TazeTSchnitzel to whom I cannot reply

If you ever cannot reply to a post try clicking the "X minutes ago" link and
usually the reply link will then show.

~~~
DonHopkins
Ha ha, thanks! I've had that problem too. Is that a bug or a feature? How does
it work: does it make me travel back in time to before the reply window
expired?

~~~
TallGuyShort
It actually transports you forward in time. To discourage deeply nested flame
wars, there's a waiting period before the reply link appears that grows with
the thread.

------
abrowne
I uninstalled Flash a few months ago and don't miss it. I mostly use Firefox,
but I do keep Chrome around, so I could use Chrome's Flash if I wanted to, but
I don't think I have so far.

The only site I commonly visit that doesn't work is BBC News, funnily enough.
It's a little annoying because it will work if I change the user agent to
iPad, but instead I just don't watch BBC News videos.

~~~
yalogin
So Chrome has their own flash written by engineers at Google?

~~~
ceejayoz
Sort of.

[http://www.pcworld.com/article/250455/for_flash_on_linux_chr...](http://www.pcworld.com/article/250455/for_flash_on_linux_chrome_will_be_users_only_choice.html)

> Adobe and Google have now created a “Pepper” implementation of Flash Player
> for all x86/64 platforms supported by the Google Chrome browser, Adobe said.

~~~
ak217
To clarify, Pepper is not a rewrite of Flash. It's a browser plugin sandbox
API.

~~~
lucian1900
And Google maintain a Pepper port of Flash.

------
ghshephard
I haven't had Flash installed on my primary system for 12+ months, and I
absolutely don't miss it. Ironically, the BBC news is one of the very, very
few places that seems to use Flash for Video - so it's probably the only site
that I'm ever impacted on.

------
tomswartz07
If you don't have Click-to-play enabled for Firefox, you should, and here's
how you do it:

Open Firefox and navigate to about:config.

You will be sarcastically warned that you are about to void your warranty; just
click on the “I’ll be careful, I promise!” button to move on.

Now search for:

    plugins.click_to_play

Next you need to right-click and toggle the setting so that the value is true.

Once you are done restart Firefox.

To test it out, head over to a site with Flash (BBC, ironically, has Flash),
you will notice you will have to click on the plugin to activate it.

That’s all there is to it.

I'm sure there's a similar method for Chrome, but I don't have it installed to
test.

~~~
Someone1234
Here's the Chrome guide:

- Open Settings
- Show Advanced Settings (bottom)
- Content Settings (under Privacy)
- Plugins -> "Let me choose when to run content."
- It will now be click-to-play and enable an icon like the pop-up blocker in
  the address bar to enable all on a page or to whitelist the page.
- You can also whitelist from the settings page by clicking Manage
  Exceptions, and adding them like this: [*.]youtube.com (all sub-domains, and
  protocols on youtube.com)

~~~
hrbrtglm
Thanks a lot,

I did not know Chrome had this setting option, or I viewed it but did not really
realize what it was for. I'm glad you took some time to list the needed steps.

------
mangeletti
It turns out there is a faster way to fix the issue. There is a program called
Adobe Flash Player Uninstaller that does the trick, and as an added benefit,
it also prevents any future zero-day exploit.

Seriously, I've been Flash-free for many months, and I haven't missed a thing.
I highly recommend it. Other than some really old websites, everything works
as expected (YouTube, news websites with video, etc.).

~~~
egwynn
Same here. Though I use extensions like ClickToFlash, which prevent plugin
loading by default, but allow me to selectively activate plugins in the DOM by
clicking on them.

------
Tloewald
Love how this is posted tut-tuttingly on the BBC's website -- which went from
Real Player to Flash to -- eventually -- mp4 video, but only as a last resort.
(Motto: "as a public entity we've never found a proprietary format we don't
love".) Indeed, I had a Realplayer One "subscription" that took me something
like a year to shut off (they'd claim it was off and then keep sucking money
out of my account) which I blame entirely on the BBC.

~~~
Someone1234
Playing devil's advocate a little: But a lot of this was down to which
streaming format their media partners would sign off on (they wanted certain
DRM guarantees).

Real Player was the market leader in DRM-ed video, until Flash improved and
took over.

~~~
Tloewald
Why the BBC was so keen to use DRM-ed video (and audio) escaped me. Slap a
copyright notice on it and be done with it.

~~~
zimpenfish
License holders are generally to blame for forcing DRM onto consumers, not the
streaming provider (based on experience working for Lovefilm.)

------
acron0
It must be such a weight around Adobe's neck, supporting Flash as it dies. I
pity the guy whose job it is to maintain it indefinitely.

~~~
aikah
Flash will get a second life with WebAssembly.

~~~
pjc50
If it lives on in an unbreakable, throttleable sandbox, that's not a disaster.
It was the leaky native code that was the problem.

~~~
aikah
My point exactly, Flash (the IDE) isn't a bad thing if it allows artists to
create interactive experiences or games on the web, desktop or mobile.

The issue is obviously the Flash player and the browser plugin architecture.
With WebAssembly you get the "binary blob" executed without a plugin.

------
tyho
Flash's 11th security hole of 2015:

[https://helpx.adobe.com/security/products/flash-player.html](https://helpx.adobe.com/security/products/flash-player.html)

Flash is and always has been an absolute joke, I refuse to install it on
anything I own.

------
darklajid
Emergency fix? To update to the latest McAfee I assume?

I'm sorry for the snark, but BBC reporting without details about Flash -
including the helpful 'Flash is a commonly used browser plug-in' subtext below
the logo - seems a bit off around here?

------
billpg
It must be... hang on, what day of the week is it?

------
coldcode
Flash is always at least one emergency fix behind.

------
drzaiusapelord
Chrome really needs to stop bundling this garbage. Even with whatever Google
magic attached to Flash, it's still a very dangerous plugin, if not the most
dangerous. There was just a CVE for the version previous to this one. And the
one before that. It's an endless treadmill.

This should be a wake-up call to make Flash non-default and, if installed,
click-to-play only. It's time we started treating it like Java. Like Java, it's
clear its owner can't secure it. I imagine it's borderline unmaintainable
spaghetti code at this point.

It's also very hypocritical of Google, who has taken issue with SSL encryption
levels and NPAPI, to be bundling what's essentially the second largest malware
vector in browser history, only behind Java. This SHOULD be our wake-up call.

~~~
bitmapbrother
Java Applets a bigger malware attack vector than IE / ActiveX?

Additionally, it was Flash that was compromised, not Pepper. There's a
distinction.

