
Adobe releases emergency Flash update amid new zero-day drive-by attacks - deanclatworthy
http://arstechnica.com/security/2014/02/adobe-releases-emergency-flash-update-amid-new-zero-day-drive-by-attacks/
======
chmars
That is why I limit my Flash use to Chrome, and there only with the browser's
click-to-play function.

Thanks to Apple, Flash has almost become irrelevant. I usually see it only in
the GUI of my ZyWALL (and only after activating it through click to play).

(Check out [http://www.ghacks.net/2012/07/21/configuring-chromes-click-t...](http://www.ghacks.net/2012/07/21/configuring-chromes-click-to-play-feature/) if you do not use click to play in Chrome yet. In Firefox, it is accessible via about:config.)

~~~
_delirium
On Firefox 26 and newer, plugins.click_to_play is 'true' by default, so you no
longer have to manually set it in about:config. However, this doesn't actually
set all plugins to click-to-play, but rather enables the click-to-play
subsystem.

You can set Flash (or another plugin) to click-to-play by going to Tools->Add-ons->Plugins and selecting "Ask to Activate" in the drop-down box next to the plugin. I believe this is by default only the setting for Java.
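The same "Ask to Activate" setting can be pinned in a Firefox profile's user.js instead of through the Add-ons dialog. The script below is an added example, not code from the thread or from Mozilla: it renders such a user.js and audits an existing prefs file for plugins that are not click-to-play. It assumes the prefs of Firefox of that era: `plugins.click_to_play` (named above) and `plugin.state.<plugin>`, where 0 is Never Activate, 1 is Ask to Activate and 2 is Always Activate; the sample prefs text is constructed.

```javascript
// Added example (not from the thread): build and audit a Firefox user.js so
// that plugins run in "Ask to Activate" (click-to-play) mode.
// Assumed prefs for Firefox of that era: plugins.click_to_play (master switch)
// and plugin.state.<name> with 0 = Never, 1 = Ask to Activate, 2 = Always.

const STATE = { never: 0, ask: 1, always: 2 };
const STATE_NAME = Object.fromEntries(
  Object.entries(STATE).map(([name, code]) => [code, name])
);

// Render a user.js from a policy such as { flash: "ask", java: "ask" }.
function renderUserJs(policy) {
  const lines = ['user_pref("plugins.click_to_play", true);'];
  for (const [plugin, state] of Object.entries(policy)) {
    if (!(state in STATE)) {
      throw new Error(`unknown state "${state}" for plugin ${plugin}`);
    }
    lines.push(`user_pref("plugin.state.${plugin}", ${STATE[state]});`);
  }
  return lines.join('\n') + '\n';
}

// Parse user_pref(...) lines from a prefs.js/user.js into a Map.
// Handles booleans, integers and double-quoted strings.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    const raw = m[2];
    let value;
    if (raw === 'true' || raw === 'false') value = raw === 'true';
    else if (raw.startsWith('"')) value = JSON.parse(raw);
    else value = Number(raw);
    prefs.set(m[1], value);
  }
  return prefs;
}

// Audit a prefs file: report the master switch being off, plugins left at
// "Always Activate", and plugins with no explicit state (browser default,
// which the thread says is Always Activate for everything except Java).
function auditPrefs(text, plugins) {
  const prefs = parsePrefs(text);
  const findings = [];
  if (prefs.get('plugins.click_to_play') === false) {
    findings.push('plugins.click_to_play is false: click-to-play subsystem disabled');
  }
  for (const plugin of plugins) {
    const key = `plugin.state.${plugin}`;
    const state = prefs.get(key);
    if (state === undefined) {
      findings.push(`${key} not set (browser default applies)`);
    } else if (state === STATE.always) {
      findings.push(`${key} is ${state} (${STATE_NAME[state]} activate): not click-to-play`);
    }
  }
  return findings;
}

// Constructed sample profile: Java is click-to-play, Flash is always on.
const SAMPLE_PREFS = [
  'user_pref("plugins.click_to_play", true);',
  'user_pref("plugin.state.java", 1);',
  'user_pref("plugin.state.flash", 2);',
  'user_pref("browser.startup.homepage", "about:blank");',
].join('\n');

console.log(renderUserJs({ flash: 'ask', java: 'ask' }));
console.log(auditPrefs(SAMPLE_PREFS, ['flash', 'java']));
```

Drop the rendered text into `user.js` in the profile directory; Firefox applies user.js on every start, so the setting survives a user flipping it back in the dialog.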

~~~
chmars
Thanks, good to know!

------
SwellJoe
Great. It installs McAfee without asking. Fuck you, too, Adobe.

~~~
nissehulth
There is a checkbox on the site before you start the download, but of course
it is checked by default. It's like the Ask toolbar that Java wants to install
on every update.

"Hey, we have insecure products that people hate, let's add some more crap"

~~~
SwellJoe
That's a dark pattern if ever I've seen one. It looks like an ad on the page,
thus triggering my ad blindness.

~~~
reboog711
In all fairness, it is an ad.

I've missed that specific checkbox a lot too.

------
webwielder
Has there ever been a piece of software more riddled with security holes than
Flash? The Java runtime? Windows XP?

~~~
Slackwise
Flash, Java, and XP are entire platforms with many moving parts. They are also
the most _popular_ platforms and the most exposed through the most-est-est
popular platform— _the web._

There are plenty of bug riddled pieces of software out there. Plenty of
platforms. Most are probably unknown or not popular enough to be scrutinized.
These 3 are the most popular, most used, and most targeted. You will see them
in tech news more than any other pieces of software. If you read vulnerability
and security blogs, you'll be exposed to a whole, new, enormous, and wonderful
world of bug ridden software.

It's easy to say these kinds of things in hindsight. In their time, these
systems became popular because they filled a void [1]. Now we look back and
say "What were we thinking?", but it was harder to say back when the web
browser was still a document system with minimal programmability.

In all reality, the craft of software engineering is still truly new to the
world, and constantly, rapidly, changing. Unlike the material world with the
limitations of space and resources, the abstract land of organizing
information and information that works on information is a _very_ hard problem
to solve—if it's even "solvable" at all.

[1]: Well, okay, XP was kinda' forced onto the world.

~~~
mnem
Flash is more popular than the browsers they run in?

~~~
higherpurpose
Yes it is. Flash is one entity that runs across several browsers. By
definition it's more popular than each one of them.

If there's a bug in Chrome, it affects only 30 percent of the browsing market
- the Chrome market. If there's a bug in Flash, it affects 95 percent of the
browsing market.

That's why it would've been much better if Adobe open sourced Flash a long
time ago, because then each browser could do their own implementation of
Flash, just like they do with many other open specs today, and then if there
was a bug in Chrome's Flash, it would've only affected the Chrome market.

It's too late to open source Flash now, but we're doing that instead with
alternatives like the HTML5 video tag and WebGL (for animations).

~~~
riffraff
Didn't they open the SWF format a few years back? I remember Google & co
starting to index Flash files in the last decade (still too little too late,
arguably).

~~~
freditup
Yup, they're available here:
[http://www.adobe.com/devnet/swf.html](http://www.adobe.com/devnet/swf.html)

------
w1ntermute
I find it frustrating how many sites still use Flash. YouTube still has an
annoyingly high proportion of videos only available in Flash, while Spotify's
web UI also requires it. I've found that youtube-dl[0] is a nice solution for
watching videos (especially given that live streaming is often not possible
with all the traffic congestion issues as of late), but there's nothing I can
do with Spotify.

0: [http://rg3.github.io/youtube-dl/](http://rg3.github.io/youtube-dl/)

~~~
endianswap
Why don't you just use Spotify's native client? They have one for Windows,
Linux, iOS, Android and I assume OSX.

Edit: Oh, unless you're talking more about congestion being the problem for
Spotify, though you can download playlists via the native clients.

~~~
oneeyedpigeon
Many perfectly acceptable reasons exist: maybe you've got a Chromebook, maybe
you're using a computer that isn't yours and you don't want to install things
on it, maybe you have accessibility requirements that the web client serves
better [*].

[*] I don't actually know whether Spotify's web client _is_ particularly
accessible (beyond requiring Flash, which makes it totally non-accessible for
me), but it certainly could be.

------
daphneokeefe
If you're unsure of your status, you can open each of your browsers and go to
helpx.adobe.com/flash-player.html where you can click a button to find out if
you have the latest, or if you have flash at all.

------
glfomfn
What surprises me the most is not the number of exploits Flash had over the
past years or even the severity of those, but the fact that people (including
me) still NEED to keep Flash installed on their machines.

I am pretty paranoid when it comes to security, but I still prefer to keep
Flash installed with all the security burden it brings than having to deal
with a good portion of websites which won't render properly. Unfortunately we
are far off from the day where Flash is not needed.

~~~
oneeyedpigeon
> having to deal with a good portion of websites which won't render properly

I am seriously interested in which sites these are. I suspect you're
exaggerating (I'd be amazed if it were anything like at least 1%, let alone a
"good portion") but am willing to be educated.

~~~
jasomill
As a data point, the only non-video site I currently have whitelisted for
Flash in Safari is Google Maps.

------
joosters
On my Mac, flash never seems to update itself, despite it supposedly having an
auto updater. Does it work for anyone else?

~~~
croikle
Seems to work for me. I opened the Flash Player preference pane and discovered
that it had already updated to 12.0.0.70.

------
puppetmaster3
Adobe has deprecated Flash some years back AFAIK.

~~~
reboog711
I'm not sure what you would consider deprecated.

The Adobe Flash Platform whitepaper lists new features they are working on ([http://www.adobe.com/devnet/flashplatform/whitepapers/roadma...](http://www.adobe.com/devnet/flashplatform/whitepapers/roadmap.html)) and Flash Player 13 beta is available on their labs page ([http://labs.adobe.com/technologies/flashruntimes/flashplayer...](http://labs.adobe.com/technologies/flashruntimes/flashplayer/)).

I have no idea how long Flash will stay relevant, but I think Adobe AIR has a
shot at being a solid choice for building apps that need to work across
multiple OSes.

------
modeless
There are significant differences in the strength of Flash's sandbox between
browsers. Which browsers does this affect?

~~~
yeukhon
How so? I didn't know Adobe gave a different sandbox to different browsers. Or
do you mean the browser's policy for plugins (Flash, Java runtime)?

~~~
modeless
Originally Flash ran in the browser process with no sandbox. Then some
browsers started running plugins in separate processes, but still not in a
sandbox. This allows the browser to survive Flash crashing, but doesn't
improve security. Some browsers have gone further and added a sandbox to the
Flash process, but I believe that each browser uses its own sandboxing
mechanism, with different security properties. Additionally, some browsers now
use their built-in updating mechanism to update Flash binaries, instead of
relying on Adobe's questionable updater.

I'm not too familiar with what other browsers are doing, but I know Chrome's
version of Flash is different from other versions and specially built for
Chrome. It does not use the NPAPI plugin system. Instead it's built on PPAPI
which is designed with multi-process and sandboxing in mind.

------
abitsios
These posts wouldn't be more regular if they were on a cron job.

Chrome's click-to-play is just such a necessity.

------
ChrisAntaki
Hopefully Flashblock would prevent this, in most cases. Could anyone confirm?

~~~
martinml
If you use a native click-to-play solution, it will prevent it unless you're
the victim of some kind of clickjacking attack.

If you use a show-then-hide-with-CSS script (there are several for Chrome, for
example), they won't prevent it.

------
pirateking
I have progressively disabled Java, Flash, and now JavaScript from my web
experience. It is only a short while longer before I move towards the full rms
style method of browsing the web.

