
Adobe Flash Remote Code Execution Flaw Exploited In the Wild

Unknown Lamer posted about 3 months ago | from the malware-disguised-as-boring-game dept.

Security 187

An anonymous reader writes "Adobe has released an emergency patch for a critical vulnerability affecting Flash Player for Windows, Linux, and OS X, the exploitation of which can result in an attacker gaining remote control of the victims' systems. The flaw is being actively exploited in the wild, but apart from crediting its discovery to researchers Alexander Polyakov and Anton Ivanov of Kaspersky Labs, no details about the ongoing attack have been shared." They even updated the explicitly unsupported NPAPI GNU/Linux version.


187 comments

Shocking (5, Funny)

sunderland56 (621843) | about 3 months ago | (#46162329)

A security flaw in Flash? Really? How surprising.

Re:Shocking (1)

Anonymous Coward | about 3 months ago | (#46162531)

The Internet is a security flaw.

Browsers have security risks. The plugin model has security risks. Any client on an end-user's machine that runs code is a risk.

Is Flash really any worse? Is it any worse than any other plugin? Is it any worse than javascript? Any worse than the browser itself?

Nice to see Adobe releasing fixes and crediting the researchers at least.

Re:Shocking (4, Informative)

Timothy Hartman (2905293) | about 3 months ago | (#46162633)

You really can't compare it to other plugins. It's such a far leader in being the worst that it is like comparing stepping on an ant to the holocaust.

I don't think Adobe could really just decide not to fix this and ignore the researchers who brought it up. Hardly something to praise.

Devil's avocado (1)

RaceProUK (1137575) | about 3 months ago | (#46163081)

Just keep in mind Flash is a target due to its ubiquity. The same applies to (desktop) Windows, IE and Android. That's not to say these products are without flaw. After all, they're software - of course they have flaws. It's just there's far more people looking for these flaws than in, say, OSX.

Re:Shocking (1)

Anonymous Coward | about 3 months ago | (#46162875)

Is Flash really any worse?

Yes.

Is it any worse than any other plugin?

Yes.

Is it any worse than javascript?

Yes.

Any worse than the browser itself?

Yes.

Any more questions? Yes!!!

Re:Shocking (1)

Saei (3133199) | about 3 months ago | (#46163417)

Oh, how quickly ActiveX has been forgotten.

Re:Shocking (0)

Anonymous Coward | about 3 months ago | (#46163643)

Oh, how quickly ActiveX has been forgotten.

ActiveX didn't exist on Linux, so while it did suck, it sucked for fewer people than Flash, thereby making Flash worse than ActiveX.

Q.E.D.

Re:Shocking (-1)

Anonymous Coward | about 3 months ago | (#46162713)

I find it telling that retards like you can come on here and make quips about this but you have nothing to say about things like innovation or creativity. I guess all you know is poking fun at others while trying to sound insightful.
 
Totally fail.

Re: (Not really) Shocking (0)

Anonymous Coward | about 3 months ago | (#46163015)

Nice try there Adobe.

Seriously though, Flash has gone NOWHERE in the last few years. Adobe refuses to standardise the platform, they take shortcuts to "match the features of competition" and they end-of-life'd it anyways.

Re:Shocking (-1)

Anonymous Coward | about 3 months ago | (#46163091)

Look, if I really WANTED to read page after page of "GRRRR I HAET FLASH NERD RAGE NERD RAGE NERD RAGE" over and over again, I would write a trivial shell script that could replace all of Slashdot's comment system. Got anything interesting to say?

Re: Shocking (2)

nnull (1148259) | about 3 months ago | (#46163797)

Don't forget to install McAfee bundled with your flash update! Because that will help you!

Not much longer? (3, Insightful)

HetMes (1074585) | about 3 months ago | (#46162339)

How far away are we from gaining a critical mass of websites that don't necessarily need flash anymore, with the arrival of HTML 5? How long before the scale tips?

Re:Not much longer? (0)

Anonymous Coward | about 3 months ago | (#46162381)

Why do we necessarily need flash right now?

Re:Not much longer? (2)

gtirloni (1531285) | about 3 months ago | (#46162425)

A lot of Youtube content is not available in HTML5 yet. Plus, all the famous Zynga games use Flash.

Re:Not much longer? (5, Funny)

Chris Mattern (191822) | about 3 months ago | (#46162509)

A lot of Youtube content is not available in HTML5 yet. Plus, all the famous Zynga games use Flash.

Yet more arguments against having Flash, then.

Re:Not much longer? (1)

gtirloni (1531285) | about 3 months ago | (#46162995)

While I totally agree, I was trying to be more pragmatic. I couldn't care less if a video I try to watch won't play in the HTML5 version (I will simply not watch it).. and I sincerely hope Zynga burns in hell. But all the other average users out there will keep depending on Flash while those companies don't offer HTML5 versions.

Geez, have to explain everything here :)

Re:Not much longer? (0)

Anonymous Coward | about 3 months ago | (#46162573)

A lot of Youtube content is not available in HTML5 yet. Plus, all the famous Zynga games use Flash.

It doesn't help the second you log into youtube.com there is a big red banner saying "FLASH REQUIRED! INSTALL NOW". Most users think shoot I need it and will click on it

Re:Not much longer? (0)

Anonymous Coward | about 3 months ago | (#46163001)

If it said "HTML 5 REQUIRED! INSTALL NOW" people would also be led to upgrade their browser. Regardless of whether it's IE, Chrome, Firefox, etc, they could be led to a download page for an updated version. All major browsers support HTML 5 (to varying degrees).

Either way, the users of Youtube would be led to an install. If they can install flash, they can install a browser.

Re:Not much longer? (2)

Billly Gates (198444) | about 3 months ago | (#46162465)

Thank your corporate IT masters for using IE 8.

As long as IE 8 is still supported webmasters will refuse to let flash die. Since they support IE 8 it gives no incentive to the corps for leaving IE 8 and it is a cycle all over again where IE 8 is the IE 6 of this freaking decade.

Also 5 years ago is when youtube first supported HTML 5 h.264 videos. Still to this day 50% of the videos won't work without flash. Sigh. Worse if you try to go in without it a big red banner saying "FLASH NEEDED". Ignorant computer users will see this and click the link without testing videos first. They do not know what h.264 or HTML 5 is. Just that youtube says you need flash etc.

Re:Not much longer? (0)

Anonymous Coward | about 3 months ago | (#46162551)

Why do we necessarily need flash right now?

Pr0n.

Re:Not much longer? (0)

Anonymous Coward | about 3 months ago | (#46162715)

Don't think so. All ones that I visit regularly already have HTML5 videos.
Pr0n will be leading the next revolution!

Re:Not much longer? (0)

Anonymous Coward | about 3 months ago | (#46162447)

It'll happen around the same time we finally switch over to IPV6.

Re:Not much longer? (2)

gtirloni (1531285) | about 3 months ago | (#46162449)

Look at IE6 declining curve... Flash will probably be worse than that.

Re:Not much longer? (1)

Billly Gates (198444) | about 3 months ago | (#46162601)

Actually IE is the reason flash won't die! That and XP users who can't upgrade to a modern browser. As long as websites cater to them the longer they won't upgrade.

IE 6 lasted for 12 years as a result of this cycle back and forth waiting for the other to upgrade. Corps liked and locked them down and website makers worked for free for +10 years supporting them so why change?

If IE 8 gets below 5% then expect youtube and porn sites to phase out flash. Right now it is the world's most popular browser thanks to China. Sigh

Re:Not much longer? (1)

Anonymous Coward | about 3 months ago | (#46162937)

Right now probably isn't the best time to argue about XP users. Sure, XP is still strong at ~30% market share, but the real question is: how much of that 30% is corporate? All corporate machines will move to Windows 7 either by May 2014 or at the very latest, the end of the year. Having an unsecured environment is simply not an option for most corporations.

I know my current company is still in the process of switching to Windows 7. We have ~2,000 people on site, and ~600 XP machines. Coincidentally, that's right at the 0.30 mark, but it should be noted that we don't have a 1:1 people:computer ratio. I forget how many computers we have, but it's over 4,000.

From the website point of view, there's really no reason to hold out once Windows XP is phased out. All other systems can handle HTML 5(well, the systems with large enough market share to matter), which means all the website will have to do is put up a banner saying "You are missing the required plug-in, please click the following link to upgrade your browser." as opposed to "You are missing the required plug-in. Please click the following link to install flash."

Either way, it's one click, one download, and one install. People who are smart enough to install flash should also be smart enough to install a browser that supports HTML 5, even if they don't know what HTML 5 is or understand why their current browser can't support it.

Conversely, just because IE 6 or 8 has x% of market, doesn't mean all of those machines need or require flash.

Alternatively, other platforms that people are familiar with, like smart phones, consoles, tablets, are all HTML 5 compatible. If they get used to seeing HTML 5 features, like stopping a .gif, they'll get to a point where they need/severely want that feature. That alone will drive them to update their desktop web browser.

Re:Not much longer? (1)

Billly Gates (198444) | about 3 months ago | (#46163113)

Right now probably isn't the best time to argue about XP users. Sure, XP is still strong at ~30% market share, but the real question is: how much of that 30% is corporate? All corporate machines will move to Windows 7 either by May 2014 or at the very latest, the end of the year. Having an unsecured environment is simply not an option for most corporations.

I know my current company is still in the process of switching to Windows 7. We have ~2,000 people on site, and ~600 XP machines. Coincidentally, that's right at the 0.30 mark, but it should be noted that we don't have a 1:1 people:computer ratio. I forget how many computers we have, but it's over 4,000.

From the website point of view, there's really no reason to hold out once Windows XP is phased out. All other systems can handle HTML 5(well, the systems with large enough market share to matter), which means all the website will have to do is put up a banner saying "You are missing the required plug-in, please click the following link to upgrade your browser." as opposed to "You are missing the required plug-in. Please click the following link to install flash."

Either way, it's one click, one download, and one install. People who are smart enough to install flash should also be smart enough to install a browser that supports HTML 5, even if they don't know what HTML 5 is or understand why their current browser can't support it.

Conversely, just because IE 6 or 8 has x% of market, doesn't mean all of those machines need or require flash.

Alternatively, other platforms that people are familiar with, like smart phones, consoles, tablets, are all HTML 5 compatible. If they get used to seeing HTML 5 features, like stopping a .gif, they'll get to a point where they need/severely want that feature. That alone will drive them to update their desktop web browser.

Very little is corporate now. Most have already upgraded or are in the final stages of phasing out the XP boxen from the internet altogether.

The majority now are grandmas and Chinese with pirated copies with Windows Update disabled and IE 6 for the latter in Asia. Home users do not know any of this and are sitting ducks with no IT department to protect them.

I really wish MS would give a friendly polite warning to let them know support is ending soon and you have a few weeks to upgrade before security updates end. These users will not change until they get their credit cards hacked and it is an enabler for the bad guys.

Even with updates XP is very insecure and a crappy OS. These machines always get re-infected with higher infection rates than with Vista and higher boxen. The cost accountants at these companies never put this in as it is not part of GAAP it is not there in their eyes as a cost.

Yes it does mean % marketshare. The PHB bosses will say something along the lines of "What DO YOU MEAN YOU ARE TURNING AWAY CUSTOMERS??! Get that HTML 5 CRAP OFF and get old IE support back NOW." Guess which tool the pissed off webmaster will use for the same effects? You guessed it Flash.

Meanwhile Grandma will say, but my IE 8 works fine. I do not need to leave etc. I know because this is why IE 6 lasted so long. It wasn't until Google said ENOUGH and made Gmail and Youtube not work with it in 2009 did it force the corps to now start IE migrations sigh.

Re:Not much longer? (1)

Gunboat_Diplomat (3390511) | about 3 months ago | (#46162515)

How far away are we from gaining a critical mass of website who don't necessarily need flash anymore, with the arrival of HTML 5? How long before the scale tips?

When most of the popular casual games are non-Flash.

Even knowing all the evils and dangers of Flash, if I for some reason were forced to stop using most websites and had to choose only a few to continue using, this [flasharcade.com] would be on that list of what to keep (I'm a tower defense game addict).

Re:Not much longer? (1)

Anubis IV (1279820) | about 3 months ago | (#46162567)

Didn't we already pass critical mass? I uninstalled Flash from my system over a year ago and don't run into Flash very often these days. If you're using a Flash blocker, you may have an inflated sense of how many sites still rely on Flash, since many of them will detect that you have Flash installed and will attempt to serve up a Flash version of the page (which your blocker will then block). In contrast, if you outright uninstall Flash, they'll serve up a Flash-free version of the page.

At this point, the only holdout I deal with regularly is Hulu, and since Chrome comes with Flash built-in, I just hop over into Chrome for that. Really, I'd say that the widespread adoption of mobile devices that lack Flash (both Android and iOS, smartphones and tablets) allowed us to quietly pass the critical mass you're talking about awhile back, since the vast, VAST majority of sites seem to have been updated with non-Flash versions of all of their content.

For crying out loud ... (2)

gstoddart (321705) | about 3 months ago | (#46162341)

Adobe Flash has been a security hole for at least 10 years now.

That people still use it (or install it) boggles the mind.

I won't even install it on my machines.

Re:For crying out loud ... (2, Interesting)

Anonymous Coward | about 3 months ago | (#46162453)

But iDevices couldn't view "the whole web" (though Android can't either now) because Apple wouldn't let this exploit vector on iOS. Seems Steve Jobs really was pretty smart to tell Adobe to fuck off with their bloated malware

Re:For crying out loud ... (4, Interesting)

Anrego (830717) | about 3 months ago | (#46162495)

Agree.

I'm a long time apple hater, but when I read that letter regarding flash, I was nodding the whole time.

Flash is a pile of junk, and if they are going to go all walled garden, flash seems a great thing to keep out of said garden.

Re:For crying out loud ... (2)

TheloniousToady (3343045) | about 3 months ago | (#46162967)

Seems Steve Jobs really was pretty smart to tell Adobe to [expletive] off with their bloated malware

Or, maybe he was just smarting from Adobe's prior treatment of Apple, as Walter Isaacson and others [businessinsider.com] have reported.

Re:For crying out loud ... (0)

Anonymous Coward | about 3 months ago | (#46162461)

How does one watch free pr0n online without Flash?

Re:For crying out loud ... (0)

Anonymous Coward | about 3 months ago | (#46162489)

Easily. I watch videos from Tube8 all the time on mobile phones that don't have Flash. Maybe you need to stop using some shitty site without a fallback for someone not having Flash?

Re:For crying out loud ... (2)

Doug Otto (2821601) | about 3 months ago | (#46162499)

That's a convenient position to take but sometimes you don't have a choice. VMware, for example, requires flash for their web client while at the same time removing functionality from their thick client. I can either take a philosophical stand or I can do my job.

Re:For crying out loud ... (1)

gstoddart (321705) | about 3 months ago | (#46162569)

That's a convenient position to take but sometimes you don't have a choice.

You know, I have yet to find more than a few places where I truly don't have a choice. And all of those are work-related and maybe only 2-3 times/year.

For those, my work laptop with IE is what gets used. But there is little else that I discover which uses that. Certainly nothing I voluntarily use for my own purposes -- my current desktop is 5+ years old and has never had Flash on it.

I've only used VMWare workstation, not the web client ... and I have no desire to access VMs through a web browser, because that's not what I see a web browser as being for.

And, if I truly decide I need Flash, I will run it in a sandboxed VM of Linux under an account with no meaningful name or permissions.

I'm *aware* that there are many things which use Flash, but to date, I've never felt compelled to use it myself.

Re:For crying out loud ... (1)

Doug Otto (2821601) | about 3 months ago | (#46162643)

By VMware client, I actually meant Vsphere. Part of my job is managing the several hundred virtual servers that run a state wide law enforcement agency. VMWare hasn't updated their thick client to support all of the features in ESXi 5.5. To access those features and have passthrough authentication, you have to use Flash, and a windows based browser. Perhaps the position you've chosen to take works for you, but if your only experience with VMWare is workstation then you're hardly an authority.

Re:For crying out loud ... (1)

gstoddart (321705) | about 3 months ago | (#46162737)

Perhaps the position you've chosen to take works for you, but if your only experience with VMWare is workstation then you're hardly an authority.

LOL, oh god, I am most definitely not claiming to be an authority on VMWare (or anything else for that matter).

I'm saying that for me, in my experience with the web, Flash is useless crap that I have no interest in. That I've successfully avoided using it for most of the last decade tells me that, for me, it's hardly indispensable.

2-3 times a year something work related requires it, and my work laptop has IE and Flash on it for only those things. The rest of the time, I use browsers where it's explicitly disabled and don't exactly find myself thinking "gee, if I only had Flash".

Re:For crying out loud ... (1)

mlts (1038732) | about 3 months ago | (#46162941)

VMWare apparently wants more people to start paying for vSphere, so the ESXi 5.5 client supports basic features, but not the new stuff. Want that, you have to do a web client install, which means having vSphere up and running (and licensed.)

It would be nice if they dispensed with Flash as well.

Re:For crying out loud ... (1)

swb (14022) | about 3 months ago | (#46163049)

It's kind of funny that VMware seems to be pushing for less dependence on Windows, yet I think you need flash in your browser even if you want to use the web client that's part of the linux-based appliance.

Re:For crying out loud ... (0)

Anonymous Coward | about 3 months ago | (#46162697)

Well at least the VMRC is going to HTML5 based which is a good thing. Yes all the management interfaces require flash which boggles my mind. Hopefully someone in the ivory tower of senior management there decides to move away from flash. While they're doing the web client thing it would be really nice to have a fully cross platform solution that works across linux/windows/osx. Otherwise why even bother? Just go back to the thick client. It was a faster UI. I hate the new web client it's slow, it feels slow. They keep saying they'll address it but they haven't. Bah...

Re:For crying out loud ... (1)

robmv (855035) | about 3 months ago | (#46162539)

Do you think your browser is secure? Every Firefox and Chrome feature release contains critical security fixes [mozilla.org] and I don't hear people giving them the same treatment Flash gets. I am not a Flash fan, but it is not fair how browser vendors are not blamed too for their bugs with the same emotion people talk about other technologies. Every time a Slashdot post talks about a new browser release, it never mentions the security bugs, only the nice things.

Re:For crying out loud ... (1)

gstoddart (321705) | about 3 months ago | (#46162625)

Do you think your browser is secure?

Hell no. Which is precisely why I have Noscript, disable 3rd party cookies, use a hosts file to block stuff, don't have Flash installed on my machine, use Ghostery and several other things to block as much crap as possible.

I don't trust the interwebs at all -- which is precisely why I refuse to allow arbitrary code to be executed by any random web site I hit.

Do I think that I'm 100% secure as a result of that? Nope. Do I think I've minimized the risk by disabling/uninstalling this crap and being careful about what sites I'm visiting? Absolutely.

But Flash? Really? You're just asking for trouble, and that has been true a very long time.

Re:For crying out loud ... (2)

mlts (1038732) | about 3 months ago | (#46162969)

If I -have- to use Flash, I fire up a VM that has a normal (no admin access) user account and run it under a sandboxed Web browser. That way, if/when an exploit happens, it would have to be a very good one to get out of the sandbox and a full context as a user, get Administrator rights, then bash the hypervisor to get out of that.

Not 100%, but it is easy to use, and when done, a closing of the VM rolls all changes back.

Re:For crying out loud ... (1)

gstoddart (321705) | about 3 months ago | (#46163329)

Totally agree.

I have a Linux Mint VM which I use for such things, a completely unprivileged user and the user name is set to be fairly meaningless.

I treat Flash like a pointy object which needs to be handled with care.

Re: For Crying out loud (1)

nnull (1148259) | about 3 months ago | (#46163747)

No, but how many of those critical security flaws allow an attacker to remote control my machine? In this day and age, this shouldn't be happening considering what we know now, yet it does and the same problems still exist today as they did 10-15 years ago.

Re:For crying out loud ... (0)

Anonymous Coward | about 3 months ago | (#46162765)

Adobe Flash has been a security hole for at least 10 years now.

Impossible, Adobe Flash only exists since December 3, 2005. Before that, it was Macromedia Flash that has been a security hole for at least 10 years.

All hands, prepare to disengage the smartass-engine :-P.

Re:For crying out loud ... (0)

UnknownSoldier (67820) | about 3 months ago | (#46162943)

> I won't even install it on my machines.

My sentiments exactly. One of the reasons I use Chrome: Don't have to install Adobe's bloatware for Flash and/or PDFs. If a browser has security issues with plugins then you know there are bigger problems. :-)

Re:For crying out loud ... (1)

TheloniousToady (3343045) | about 3 months ago | (#46162997)

Adobe Flash has been a security hole for at least 10 years now.

I keep wondering how something on the limited scale of Flash could still have an ongoing stream of security issues after all these years. Is there something about its design that's just inherently unsecure?

flashblock, ghostry, adblock, noscript, etc (2)

Billly Gates (198444) | about 3 months ago | (#46162407)

+ standard user account and stop using XP.

Common sense folks.

Using a modern IE and Chrome is also a great defense. Firefox has no lowrights mode and is therefore not fully sandboxed even under a standard user account. As much as I prefer firefox as of late I can tell you from experience that those whose email accounts get hacked almost always use that browser. Hairyfeet mentioned this too in his journal with yahoomail sending out spam when browsing porn. Lowrights mode only works in Windows Vista or later so dump XP too if you need to be extra safe with extra kernel level sandboxing, ASLR, and additional DEP.

Chrome is nice in that its flash in Pepper has extra protection as well.
I recommend flashblock. I can still watch videos on youtube. I just need to click on it.

Adblock plus gets rid of questionable advertiser networks too that are known to be hacked by Russian mob folks so that ad video for toothpaste may have malware in a buffer overflow.

I personally do not use noscript as this would kill the web. Without javascript it is not useful and a big fucking pain in the ass UAC style to enable for each site. Enabling it makes you vulnerable all over again. But if you are willing to put up with it it does a lot too.

Of course run an AV product. I know those with a smile say they are proud not to run it but I bet you $$$ 90% are infected and have banking trojans and God knows what else. Avast and Avira do not use hardly any cpu cycles or slow disk. The days of crappy Norton 360 slowing your system down to a 386 level are done mostly.

Re:flashblock, ghostry, adblock, noscript, etc (1)

jones_supa (887896) | about 3 months ago | (#46162483)

The method to block Flash in IE is a bit hidden so I'll explain it here. Open the Gear Menu, go to Safety submenu and tick ActiveX Filtering. To whitelist certain sites, use the blue icon in the address bar.

Re:flashblock, ghostry, adblock, noscript, etc (1)

gstoddart (321705) | about 3 months ago | (#46162493)

I personally do not use noscript as this would kill the web. Without javascript it is not useful and a big fucking pain in the ass UAC style to enable for each site.

I take the opposite approach. Most websites do not need Java for what I am using them for. But I have no interest in multimedia, mostly just the text parts.

For a very specific site for a specific task I'm willing to manually (temporarily) allow Javascript -- but my default position is not to allow it.

For me, I find there's very few contexts where I actually need the enable it. Mostly it just seems to support advertising and other stuff I don't want anyway -- because, I don't care that you have a Facebook link on your homepage, and I sure as hell don't want them to track every site I visit.

I guess it all comes down to the kinds of sites you're using.

Re:flashblock, ghostry, adblock, noscript, etc (1)

Billly Gates (198444) | about 3 months ago | (#46162545)

And style and preference too.

I find adblock and flashblock work extremely well. Modern browsers with lowrights mode sandbox the javascript fairly well and even IE 8 now supports XSS protection thankfully.

I also use Norton DNS which filters out known bad domains. While my system is not 100% perfect it is pretty darn secure with Avast running as well.

Choose software freedom. (1)

jbn-o (555068) | about 3 months ago | (#46162917)

Recommending any proprietary software to do any task is recommending a security hole. It's trivially easy for any proprietor to include code that spies on you, as computer programmers have long known and Edward Snowden has shown us again. No amount of experience running proprietary software will tell you what you need to know to fix its problems, share your fixes with others, hire others you have good reason to trust to fix problems on your behalf, or even allow someone you have good reason to trust to inspect the program to see if anything needs to be fixed (they're forbidden to do this work for the same reason you are). Picking one proprietary anti-virus program over another, picking one proprietary browser over another, or picking any proprietary program over another proprietary variant of the same kind of program is merely choosing your master. You cannot arrive at a trustworthy solution in this way.

Instead you should choose free (libre) software for your OS, your firmware (via Coreboot), and for all the software you run atop that system. Eschew services that require you to adopt non-free software and gain more control over your computer. The Free Software Foundation's Respects Your Freedom [fsf.org] recently added a computer that meets these criteria. We should help them and help free software hackers write more free software to do the jobs we need to be done.

Ghostery & Adblock = Inferior + 'souled-out' (-1)

Anonymous Coward | about 3 months ago | (#46162985)

Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization):

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o... [start64.com]

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/commen... [slashdot.org]

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comme... [slashdot.org] w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* Addons are more complex + slowup browsers in message passing (use a few concurrently & see) - Addons slowdown SLOWER usermode browsers layering on MORE: I work w/ what you have in kernelmode, via hosts ( A tightly integrated PART of the IP stack itself )

APK

P.S.=> * "A fool makes things bigger + more complex: It takes a touch of genius & a lot of courage to move in the opposite direction." - Einstein

** "Less is more" = GOOD engineering!

*** "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

...apk

Re:Ghostery & Adblock = Inferior + 'souled-out (2)

Billly Gates (198444) | about 3 months ago | (#46163019)

Complete FUD.

Yes by default it lets some non intrusive ads with a good security record. Follow the link above and it will disable all ads. I will let some in that I know that are safe to make sure websites get their bills paid. Just not ones that blast commercials and install malware.

Adblock doing FAR LESS & worse (0)

Anonymous Coward | about 3 months ago | (#46163401)

Certainly doesn't make it better than hosts (not by longshot - see my last post on that note, OR BETTER STILL, the link to my program for hosts file creation -> http://start64.com/index.php?o... [start64.com]

* When you can PROVE Adblock or Ghostery (advertiser owned or paid off "foxes guarding the henhouse") do MORE than hosts, & better, without being a REDUNDANT slower layer? Then, you can talk!

Since after all: Otherwise, You "eat your words"...

APK

P.S.=> "Almost all ads blocked"? Doesn't hold a candle to hosts nigh ubiquitous versatility in giving users more speed, security, reliability, & even anonymity - period (& you know it, I know it, as does anyone ELSE reading with 1/2 a brain)...

... apk

Re:Adblock doing FAR LESS & worse (2)

Billly Gates (198444) | about 3 months ago | (#46163555)

here [adblockplus.org].

Basically by default it filters the bad ads. However you can filter all ads if you wish and that option is there. I like this method as to reward SOME advertisement if done properly to support websites.

Also the bad guys can simply get another host so your hostfile will always be out of date.

Prove adblock does more than (0)

Anonymous Coward | about 3 months ago | (#46163673)

17 enumerated points here hosts do & adblock can't http://start64.com/index.php?o... [start64.com] which YOU are FREE TO PROVE that Adblock can do for users - since hosts certainly can do those items... & adblock, just plain CAN'T!

* I absolutely KNOW Adblock can't do as much as hosts do, OR as well - period!

(Hey... not only is adblock & even ghostery "souled-out" to advertisers, but they're VASTLY inferior in security/speed/reliability/anonymity gains hosts files DO give users of them (& adblock doesn't + can't - period)).

---

Lastly?

My app downloads, sorts, & deduplicates data that blocks ALL ads (good & bad), known sites/servers that serve up malware, botnet C&C Servers, rogue DNS servers, & FAR more DAILY (as often as I like manually, automagically every 12 hours if you wish) from 12 reputable & reliable sources in the security community...

Plus - YOU have immediate control over it... do you with "ALMOST ALL ADS BLOCKED"?

Answer = No...

You have to wait on them to patch (useless soon, clarityray will END adblock), & that takes time... & knowledge in regexps, where hosts are an IMMEDIATE + EASY textfile edit, locally.

APK

P.S.=> You can *try* your b.s. ALL DAY LONG, but it's not stopping my facts I put out in favor of custom hosts files, & their overall huge superiority over adblock especially (souled out to advertisers like it is, crippled by default, & WEAK against "clarityray")... apk

update-manager (1)

bobstreo (1320787) | about 3 months ago | (#46162431)

Looks like it's already out for Ubuntu

to check and see your version:

http://www.adobe.com/software/... [adobe.com]

Re:update-manager (0)

Anonymous Coward | about 3 months ago | (#46163805)

Quote from that page (before it loads an ad):

Adobe Flash Player - A lightweight, robust runtime environment for rich media and rich Internet applications

I wouldn't trust that site too much...

Fuck me I hate updating flash. (-1, Flamebait)

Anonymous Coward | about 3 months ago | (#46162475)

Jesus titty fucking Christ.

Again, we see Jobs was right in spurning Adobe. If for no other reason than they can't code their way out of a fucking wet paper bag.

It's Twenty fucking fourteen. Anyone else sick of vendor specific plugin shitware? Can we lock these hack web developers into a darkened room and beat them until everything has been moved to HTML5?

You say it's not ready? No, shut the fuck up. I'm sick of fucking excuses. It's ready and it's time. If your prissy gaudy shit can't work without flash then the world does not need it.

Re:Fuck me I hate updating flash. (1)

Calsar (1166209) | about 3 months ago | (#46163603)

All the other software companies have fixed all of their security flaws. What is wrong with Adobe? If it wasn't for Flash the internet would be 100% secure.

I assume the sarcasm tags are not needed.

Re:Fuck me I hate updating flash. (0)

Anonymous Coward | about 3 months ago | (#46163683)

(note: sarcasm noted; below is to add some historical info)

Remember back when the iPhone's browser had an exploit that could root the phone? People were using it to gain root privileges by simply going to a website. It was being used for a positive purpose at the time, but there was absolutely NOTHING stopping it from becoming a malware vector that could take over phones.

And that was without Flash being usable on Apple's devices.

Why If I install it I tend to Click to Play Option (1)

ficuscr (1585141) | about 3 months ago | (#46162479)

Not even sure it would help not knowing how this exploit works, but I've tended to disable all plugins from running on page load, rather on demand when I click. Similar to NoScript/FlashBlock addons. You can then whitelist the sites that you want to allow to have Flash on load. http://lifehacker.com/5685352/... [lifehacker.com] Wonder what percentage of exploits center around Flash / Acrobat. Thanks Adobe! If you're not tricking me into installing unwanted toolbars you're exposing my computer to malicious twats.

Let's stop... (0)

Anonymous Coward | about 3 months ago | (#46162537)

Let's just stop bagging on Adobe... At the least they are taking ownership of the issues they have and are making efforts to correct large security flaws. It's called responsibility...

Bagging on Adobe at this point is like calling out a politician for actually making an effort to improve a dysfunctional law in a constructive way...

Re:Let's stop... (1)

bill_mcgonigle (4333) | about 3 months ago | (#46162663)

Let's just stop bagging on Adobe... At the least they are taking ownership of the issues they have

Are they? Have they run the Flash codebase through any of the half-dozen excellent source code analysis tools with a security team looking for undiscovered vulnerabilities? Are they being proactive at all?

It's closed source, so we don't know, but perhaps a third-party could certify their efforts and we really could become Adobe supporters.

Re:Let's stop... (0)

Anonymous Coward | about 3 months ago | (#46162801)

Are they? Have they run the Flash codebase through any of the half-dozen excellent source code analysis tools with a security team looking for undiscovered vulnerabilities?

Can you prove that they have not run their codebase through any of a half-dozen excellent source code analysis tools with a security team looking for undiscovered vulnerabilities? You can't; that's not far off from trying to prove a negative.

Are they being proactive at all?

They certainly seem to be willing to fix Bugs and Exploits made known to them from outside 3rd parties and they have demonstrated a continued commitment to recognize those that are contributing to improving their product.

Re:Let's stop... (1)

Aaden42 (198257) | about 3 months ago | (#46163083)

They certainly seem to be willing to fix Bugs and Exploits made known to them from outside 3rd parties

There’s a word for that, and “proactive” isn’t the word. Close, but off by three letters.

I certainly can’t prove they haven’t taken these steps, but considering Microsoft made a BigThing years ago when they sent all their developers to security school and focused on Windows security (for what that was worth), you’d think Adobe might also want to highlight the fact if they had taken some significant active step to secure Flash. Given the number of “outside 3rd parties” who seem to have little trouble finding exploitable bugs in Flash without the source, you’d think the folks with the source might be able to do a bit better.

I regard Flash (and other plugins) at about the same level I do firewall vendors. The browser itself is (relatively) immune to running executable code from the outside (yes, there have been bugs, but in terms of numbers they’re comparatively few). Plugins like Flash circumvent much of the security model by allowing executable code (albeit bytecode) to be downloaded and run by untrusted third parties with little chance for the user to decide whether to run it or not.

Adobe markets Flash as a way to allow dynamic code to execute in a safe & secure manner. Publishing software whose sole intent is to allow remote code execution should hold Adobe to a much higher standard to make sure that the holes they’ve opened are done in a controlled and secure way. They don’t have a great track record living up to that responsibility.

Re:Let's stop... (1)

UnknownSoldier (67820) | about 3 months ago | (#46163059)

> Let's just stop bagging on Adobe...

1. When I have to work around some bullshit because the image editor I paid for (b)locks me from even viewing what it thinks are high resolution scans of money ... Adobe can fuck off.

* https://www.google.com/search?... [google.com]
* http://en.wikipedia.org/wiki/E... [wikipedia.org]
* http://www.rulesforuse.org/pub... [rulesforuse.org]

2. When they start charging "rent" for software as a service ... Adobe can fuck off.

"According to CNET and various other sources, CS6 will be the last version of Adobe's Creative Suite that will be sold in the traditional manner. All future versions will be available by subscription only, through Adobe's so-called 'Creative Cloud' service. This means that before too long, anyone who wants an up-to-date version of Photoshop won't be able to buy it - they will have to pay $50 per month (minimum subscription term: one year). ..."

"We've made it really clear to folks that you get the discounted price only for the first year," Morris said. "We're pretty confident that even when the price normalizes at the $50 list price, most of these customers are going to stay."

* Source: http://news.cnet.com/8301-1001... [cnet.com]

Translation: We're going to gouge customers whether they like it or not. $ucker$!

So no, we'll stop bagging on Adobe's crap once they stop being dicks not before.

Re:Let's stop... (0)

Anonymous Coward | about 3 months ago | (#46163839)

3. DRM [slashdot.org] on ebooks.

PC editors (1)

Lawrence_Bird (67278) | about 3 months ago | (#46162581)

"They even updated the explicitly unsupported NPAPI GNU/Linux version. "

Afraid of pissing off one of the GNU zealots?

Re:PC editors (0)

Anonymous Coward | about 3 months ago | (#46163699)

Both of the GNU zealots that installed the NPAPI version, yes.

All software is buggy (1)

jgotts (2785) | about 3 months ago | (#46162733)

No software in common use today is mathematically proven to be correct; therefore, all software is buggy.

The most likely place for bugs is in error handling code, because no matter how many tests you write it is impossible to simulate every possible error condition.

We hope that everyone walking into a store doesn't steal something. Only a tiny minority do but a much larger number could get away with it.

The same goes for software. Any halfway decent programmer can find bugs in error handlers. If he chooses to be a whore, then he uses that skill to make money for criminal gangs or in some cases for anti-malware companies. Programmers who are not whores write actual new and useful software, and usually get paid enough that they can lead fairly happy lives. But it always helps to program defensively. Make your error handling just a bit better than the next piece of software. It will never be perfect. But as a society we count on the fact that nearly all people don't try to use whatever particular knowledge they've acquired to screw you over. Programmers are especially moral. We could bring society to its knees if we wanted to, but we prefer to make the world better.

I don't blame Adobe for the bugs. Millions of people are using this software and probably a dozen or two as I put it whores are in league with criminal gangs trying to sell you boner pills and the like. This handful of people aren't the ones finding new classes of exploits. That is a good function of security researchers. These people are instead likely just exploiting old, known, and quite ordinary bugs.

Re:All software is buggy (1)

Daniel Hoffmann (2902427) | about 3 months ago | (#46162807)

Error handling is one of the most annoying things to do in programming. Some people hate the whole exception handling mechanisms some languages have (be it for code elegance or performance), but I dread to think how to architect a system without those. Even with them it is still very annoying. I hope the next revolution in software engineering will probably be some more automatic way to handle errors, just like garbage collection was to memory handling.

Re:All software is buggy (1)

Billly Gates (198444) | about 3 months ago | (#46163053)

Funny, error handling and throwing an exception is the number 1 area used to 0wn Windows machines. The debugger will run the overflow at ring 0 every time. It has been fixed for Windows 7 but IE 8 and XP you just need to crash IE to 0wn the system.

Re:All software is buggy (1)

UnknownSoldier (67820) | about 3 months ago | (#46163157)

> I hope the next revolution in software engineering will probably be some more automatic way to handle errors, just like garbage collection was to memory handling.

That would be extremely nice; in the past I would have argued TINSTAAFL but now that 4-core 2.x GHz is starting to get common switching away from the fundamental root problem of "von Neumann architecture" might be an option. However I don't see anyone switching to the Harvard Architecture anytime soon which means yet another 40+ years of buffer overflows before people wise up ... simply because it is too costly for array bounds checking. :-/

You might find this read interesting:

* "The von Neumann Architecture of Computer Systems"
http://www.csupomona.edu/~hnri... [csupomona.edu]

References:

* Von Neumann architecture http://en.wikipedia.org/wiki/V... [wikipedia.org]
* Harvard architecture http://en.wikipedia.org/wiki/H... [wikipedia.org]

--
"Beautiful Form Helps Function
Ugly Form Hinders Function
"
One of the many reasons it is important to write beautiful code & algorithms.

Re:All software is buggy (1)

Aaden42 (198257) | about 3 months ago | (#46163147)

No software in common use today is mathematically proven to be correct; therefore, all software is buggy.

Absence of proof is not proof of absence. Yes, very little code can be mathematically proven to be correct, but there’s still some room for either getting lucky, or having enough skill to recognize the portions of the code which are exposed to outside control and exercising extreme care & diligence in crafting that code to ensure that it can safely respond to every possible input.

The entirety of Flash doesn’t need to be 100% bug free for it to be secure from the standpoint of resisting remote (native) code execution or sandbox escape. It’s most likely sufficient for its network and file format parser layers to be completely accurate and leave it at that. If a bug in Flash’s animation makes my little gamer dude go flying off the screen or draws some corrupt garbage in my browser window, odds are I didn’t just get 0wn3d. As long as Flash rejects anything but completely valid Flash code (and the Flash VM can correctly react to every possible valid Flash bytecode combination), then Flash itself should be “good enough.” Not saying that’s an easy task, but it’s certainly an order of magnitude easier than trying to ensure that the entire codebase from top to bottom is provably correct.

Re:All software is buggy (0)

Anonymous Coward | about 3 months ago | (#46163277)

How can one prove that software is mathematically correct?

Does the uninstaller work? (0)

Anonymous Coward | about 3 months ago | (#46162929)

No Flash, no problem.

So how vuln are systems /w up-to-date browsers? (1)

Marrow (195242) | about 3 months ago | (#46162945)

Are the browsers providing sufficient sandboxing, or is the situation the same as it's been for the last 10 years? Does this Flash vulnerability require another vulnerability in the browser ecosystem that has already been blocked in current versions?

And if nothing whatsoever has been fixed... (1)

Marrow (195242) | about 3 months ago | (#46162965)

Is Flash -designed- to be impossible to sandbox? Cannot the browser vendors force adobe to bend and setup their plugin to be easier to sandbox? I don't understand why this is still a problem after all these years.

Re:So how vuln are systems /w up-to-date browsers? (1)

Aaden42 (198257) | about 3 months ago | (#46163207)

Flash is native executable code. It’s not encumbered by any sandboxing function in the browser. That’s by design.

Browser plugins are intended to be allowed unfettered access to the system so that they can accomplish tasks not normally possible within a browser. The only sandbox provided by most browsers relates specifically to JavaScript, and as far as I can tell, this is unrelated to JavaScript at all.

It’s possible that an OS level sandbox beyond the browser (like OS X AppSandbox, Linux AppArmor, SELinux, etc.) might be able to contain an exploit within Flash, limiting it to a user account or a directory; but that would take some careful crafting in terms of OS sandbox configuration. None of the major platforms are configured to do anything close, to my knowledge.

tl;dr: Your sandbox can’t help you here. Update Flash or you’re toast.

I'm already updated? (1)

IamTheRealMike (537420) | about 3 months ago | (#46162961)

Interesting. I just checked: the Flash bundled with my Chrome is the older version (but it's sandboxed to some extent). So then I opened up Firefox and checked the plugin version, and discovered it was already at the newest patched version. I don't recall any update, so I guess the Flash Player plugin updated itself in the background without me noticing, and actually managed to do that faster than Chrome did. Impressive!

Re:I'm already updated? (1)

caseih (160668) | about 3 months ago | (#46163173)

Or you're already hacked...

Re:I'm already updated? (0)

Anonymous Coward | about 3 months ago | (#46163821)

Didn't Firefox update yesterday? Maybe it was that; I have the new Flash too and I don't remember updating the plugins.

This is ridiculous (1)

sl4shd0rk (755837) | about 3 months ago | (#46163149)

It's pretty obvious that Flash has become one of those legacy products where there are only two guys in the entire company that know their way around the codebase. Both have developed chronic alcoholism from maintaining this disaster of a product for so long.

We need an alternative to Flash. An open source alternative which can be forked and maintained by anyone for years and years to come. Something without royalties, patents, or trademarks that is free to use and modify by whoever wants to and can be implemented into the browser without fear of imprisonment, death or legal embroilment.

Summary is incorrect (0)

Anonymous Coward | about 3 months ago | (#46163363)

They even updated the explicitly unsupported NPAPI GNU/Linux version.

From Adobe's blog: [adobe.com]

For Flash Player releases after 11.2, the Flash Player browser plugin for Linux will only be available via the “Pepper” API as part of the Google Chrome browser distribution and will no longer be available as a direct download from Adobe. Adobe will continue to provide security updates to non-Pepper distributions of Flash Player 11.2 on Linux for five years from its release.

uninstalled (0)

Anonymous Coward | about 3 months ago | (#46163665)

The flash uninstaller is located in /Applications/Utilities on Mac OS X.

Here I go again with the broken "web" sites. Probably should use my iOS apps more again for news etc.

Flash problems? Really? (0)

Anonymous Coward | about 3 months ago | (#46163841)

Assuming you can get it to download...I had to turn off my spyware/malware prevention tools to get the right download page to appear. Others have the same issues.

http://bytestopshere.wordpress.com/2014/01/21/adobe-flash-12-download-debacle/

Then the insane effort to get it to install. So far the installer is crashing every time I run it.

Perhaps the key to running a "more secure" system is to not run this Adobe POC ("piece of crap") software??

What ever happened to truly creative HTML page designers (people)? I think they got lazy when they saw Adobe Flash and similar tools come along.
