Important PSA for Skype Users: Open up "Internet Options" (yes, the ones in Internet Explorer), security tab, and add https://apps.skype.com to the "Restricted Sites" list. Skype will still work fine; however, there will be no advertisements.
This is important because Microsoft seems to use a lot of Flash advertisements without checking them (I've had plenty of "MICROSOFT VERIFIED DRIVER FIXING" ads come up inside of Skype, so I'm sure some zero day could slip through their ad system).
I would like to hear what Adobe have to say about their streak of serious security problems. Not only that, but they should face some consequences for that neglect. At least be forced to publish a working spec for Flash.
If there were actually a government body that cared about "cyber"-security, they'd be hauled up in front of it. They're basically an infosec Bhopal - creating a toxic mess that other people have to clean up over a period of decades.
In essence there are no critical US systems running on Flash and so the defensive side of NSA doesn't care. And the offensive side is just happy to let it rot, as that means more opportunities for them.
The thorn in the side of removing Flash has been VMware, who, in their latest vSphere 6 release, clearly made the point that "Flash is the future", with announcements towards deprecating their alternative clients.
I don't understand what they are thinking - it used to be such a progressive company.
I don't know about US Government, but many Governments and sensitive organisations are still using VMware, and this isn't likely to change.
But "thanksfully" they've switched to WordPress on the Whitehouse site and hired the maintainer, so they are improving netsec on THAT front. :)
Which is actually a good thing for hosters worldwide.
You think that any other software you use is any better? Flash gets it rough because it's widely used and independent of the browser (for the most part).
If you're running an up to date Flash, that means you're probably running it in a sandbox and probably have silent auto updates turned on. That's good enough for most people.
If you're the kind of person that's going to get specifically targeted, then you should not only reconsider running flash on your computer, but any other program written in an unsafe language.
To be certain, Flash gets a lot of attention because of its install base - but it's been a never-ending FOUNTAIN of RCE bugs for much of the last decade.
data: I grabbed all 500+ records and counted, by month, those with severity 10 (column 10) and severity >= 7 (column 7). Rows is the # of cve records for that month.
NB: only months with at least one cve event show up, but given adobe's focus on security, it wasn't really necessary to fill in months with 0 events to get the point across
Vulnerabilities increase and usage decreases. I wonder if an economically sensible decision should be to EOL Flash soon. Are they still making any money out of it?
"It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.
— Alex Stamos (@alexstamos) July 12, 2015"
Most software that's as complex as Flash is probably similarly full of bugs. Most of those vulnerabilities reek of huge development teams toiling over a codebase whose foundation was written in the late 90s and had features and fixes duct taped ever since.
No they don't. Chrome is designed from the ground up for security. It has the same number of bugs as other software of its size but the type of bugs are much less severe.
Compare FF, Safari, IE, Chrome. Same number of bugs per year, but Chrome has 10x fewer code execution bugs (ie, 10x less likely for your machine to be owned by unknown bugs).
The chart you just linked (which doesn't show a timescale) shows Chrome with over 300 exploitable bugs. I doubt the denial of service label, that just usually means that a bug wasn't fully investigated. So, again, how is this different from Flash? Chrome is riddled with vulnerabilities (and Safari is too).
Flash runs in a low-priv environment in nearly every major browser, includes application-specific exploit mitigations, and it silently auto-updates, just like Chrome. It's all a matter of the Flash install base: it's in 90%+ of browsers and it's running the same-ish codebase in all of them, making it a relatively stable platform to develop exploits for. That's it! It's more a factor of market share and not "security."
Every document reader, HTML renderer, JavaScript engine, browser, media player, etc that you use is the same -- a house of cards built on poor memory management :-/.
Your statement about Chrome is clearly way off, and that's what your parent was addressing. He never said Chrome was bug-free. And he was right to say that Chrome is way ahead of the other browsers (according to these stats, at least).
Edit: those stats show Chrome is better in terms of CVE severity, not number of annual CVEs.
I don't think the classification of most of those DoS bugs is correct. I also don't think there's a big difference between 100 vulns per year and 300 vulns per year. You go fishing and you find some each time.
no, maybe not as bad, but JIT can be played pretty hard. I think the difference is that they are better structured and more transparent. I would definitely NOT put my hands on flash code, must be a mess!
"Probably"? Complex as Flash? Whether it has a big or small team, was started in the late 90s or whatever, it causes problems now. So use whatever excuses you like, Flash is still a security concern with opportunity for more 0-day exploits (just one firm has two in the drawer, how many more are there?).
Every piece of software you use is on a constant month-to-month patch train. Chrome, Windows, Firefox, Quicktime, Adium, hell even OpenSSL updates for security-critical bugs about once a month now. Flash is nothing special. All your software is insecure.
On Windows, you get a pop-up to update manually, which just sends you to their website so you need to download and run the installer by yourself.
If you don't update manually, Flash will wait 45 days before triggering an automatic update. I never waited that long, so I don't know whether it's "silent" or not.
Their clientele isn’t security wary people. Plus they don’t have any serious competition in most of their products so it can’t hurt them either way. So they’ll probably issue a generic statement and move on with their lives.
As for consequences, the best thing most of us could do is disable Flash from the browser. I’ve done it since YouTube defaulted to HTML5 video and never looked back since.
I can think of one use case where Flash still makes sense: Live video
A lot of people seemed to be surprised this is the case but tell me what single live streaming protocol is supported across all browsers without a plugin?
With Flash you can stream HLS (HTTP Live Streaming) to a Flash player in full browsers while just directly loading the same HLS playlist in mobile browsers via native players (iOS / Android).
This means you can deliver live streaming over the same audio/video codec (H.264/AAC) and over the same protocol (HLS). This vastly simplifies your streaming infrastructure and removes the need for transcoding on the server, unless you just want to create different qualities for adaptive bitrate streaming.
It would be nice if "desktop" browsers all supported HLS and H.264/AAC natively, that would be a real Flash killer.
You're right, live video without Flash is not nearly as advanced. However, there are several options that work right now:
- Plain old HTTP WebM stream. Only one resolution, but it works.
- MPEG-DASH - very similar to HLS, but implementable in Javascript via MSE APIs in browsers today.
- WebRTC - low latency streaming, in some cases it might make sense to use this over MPEG-DASH even for one-to-many streaming cases, like interactive lectures and the like.
Unfortunately several browsers lag behind in implementing the required APIs, so this does not solve all problems yet. But the problem isn't creating any new protocols, it's just getting adoption.
As for H.264, it's mostly a solved problem with hardware decoders and OpenH264 (currently not used for <video> playback, but could be). AAC, however, costs more to license and is much more problematic, so there will always be some browser vendors that don't ship it.
A lot of advertising networks use it to deliver advertisements. Whether it is simple inertia at this point, or because the networks can get a better fingerprint using flash, I don't know.
Also, it used to be the case that Flash had better DRM controls on it, but I'm pretty sure that reason is no longer the case since Encrypted Media Extensions got rolled out.
However, that doesn't explain why Facebook's on-site video player uses Flash.
The advertising networks being the last to use it is something that will make Flash's implosion very quick and sudden, IMO.
If uninstalling flash only causes you to miss out on ads, it makes uninstalling flash that much more attractive. Which makes the advertisers want to get off flash that much sooner.
It needs probably just one or two more use cases to disappear (Facebook video is one of them), and its final death will be quite quick.
Which is what makes these exploits so insidious: sneak an infected advertisement onto one network, even briefly, and you're now targeting who knows how many Internet users visiting legitimate, trusted websites.
Honestly, one of the biggest reasons to run an ad blocker is the significantly reduced attack surface.
YouTube's Flash player still works a lot better than the HTML5 one. Their HTML5 one desynchs the audio occasionally, cuts off the audio before the video ends, doesn't support a real right click -> copy video URL (all it can do is give a popup with the URL), and still has other small bugs. The Flash one has none of these problems.
It seems to be the case in general for most sites that offer HTML5 alternatives that the Flash version is much more solid. Maybe using HTML5 video in these domains is inherently error-prone, maybe it isn't, but in practice it almost always gets screwed up.
Plus people still use flash games and sites like Newgrounds.
YouTube's HTML5 video player has always been a shit-show, and I don't understand why. Vimeo has had an excellent HTML5 video player for many years, and there's at least a few third-party HTML5 video players that are pretty good as well.
Are you sure you're actually using the HTML5 player? I am being 100% serious when I say I've never met someone before who thinks YouTube's HTML5 player is good.
Among the various issues I've seen:
* Sometimes refuses to play anything, without showing any errors, requiring a reload of the page.
* Occasional poor performance.
* Audio/video desynchronization
* Scrubbing the video often causes it to get stuck, refusing to play, until I scrub it again
* Videos often take longer to start playing than with the flash player.
* Fullscreen is sometimes broken
* Switching from regular mode to "theater" mode sometimes leaves the video playing in its original size, anchored to the corner of the now-larger black area that it should be playing in.
I think it's gotten a little better recently (i.e. I see issues less often), but it's still far from great.
And before you ask, I've seen these issues in both Safari and Chrome.
Yes, I'm using the HTML5 player. This is easily verified by clicking the right mouse button on the video and seeing the HTML5 context menu. I have no problems with it at all and it's easily superior to the Flash player in performance and resource usage. It also seamlessly plays 1080p 60FPS video without any issues.
As for the issues you're experiencing - are you sure you have GPU acceleration turned on?
I'm using Chrome and CPU usage is only 45-50% for perfect 1080p 60FPS playback.
All such comments about the Flash player not working on YouTube make me think of some kind of Adobe shills maybe? Or PEBCK. Unless you have some super lame video card I do not see how one can not make the HTML5 player work. My experience:
HTML5 player works really well on youtube, been using it for at least a year (well possibly +- couple months) exclusively. No problems after configuration, machine is quite old q6600 cpu that is 5-6 years old and GF220, which is also quite old now. Full hd video ON Linux (!), Firefox no problems (though possibly just 30fps, not sure if I ever try 60fps). And people complain all over the place about HTML5 youtube on Linux.
Fine. I cannot argue about _your_ experience. _My_ experience is different. One of my computers is a really old Pentium M laptop (9y old) and HTML5 barely works at 240p. Not only that, it has a limited set of resolutions in the first place. Flash works just fine at 480p resolution. It also looks much better at lower bitrates (to _my_ taste) than HTML5 in Firefox.
> make me think of some kind of adobe shills maybe
It was far less personal than that; I generally only lurk on HN, but your post was one that struck a nerve finally, after many similar posts here and on /.
Also 9 years old is quite a far cry from your initial post of "(3y+) machines"; a 9 year old machine is almost guaranteed to have absolutely no hardware support for modern codecs. So no wonder it has strong limitations on resolution. Still, Flash working better than HTML5 players is suspicious to me; I still believe with correct configuration the reverse should be true, as Flash is basically just another layer in between the screen and the bits on the net. Though possibly not applicable in all cases.
9y old machines is what many people (not gamers, enthusiasts etc.) have; 3+ y old include underpowered Celeron 847, AMDs (way weaker than your monstrous Q6600) and even on these machines Flash works better. _My_ _actual_ observations.
> Still flash working better than HTML5 players is still suspicious to me,
Do you write programs for a living or what? It is not a problem with HTML5 players, it's a problem with the way they are written. Flash is an older product, with better support of legacy or underpowered products.
> I still believe with correct configuration reverse should be true
Yes, the correct configuration is "more powerful CPU".
I am not the person you are replying to but I do not have flash installed on my system. I have to do an occasional reload but I've never had to do anything else you have mentioned.
For reference, I use chromium (not chrome) on Linux (which does not come with flash bundled).
This is like asking why people still use cash when there are so many other easier to use & manage payment options. The simple answer is there are far too many edge cases where it's still required - any single one doesn't sound like a good answer.
I think the truth is, technology that supplants it is still not there yet. Sockets, sound, video...
And there's still a truckload of fun games available only in flash form, which makes flash relevant even if the number of new stuff coming out in it dwindles.
Twitch. Which happens to amuse me, which I like to waste time. But .. they seem unwilling to move away from Flash (the only thing I found was a ~3 year old support thread that wants to .. support HLS. Yay. Not that's not helpful)
Twitch without Flash has been available for a while now, if you were willing to use VLC + an IRC client. Twitch HTML5 chat went live on June 30th, HLS was prior to that.
VLC for HLS I assume (and I only stumbled upon the '/hls' suffix for any url to support that by accident/in that ticket, which still doesn't seem to be officially closed).
IRC for chat is absolutely new to me and would actually be quite nice..
Their latest controller (v4?) removed the Flash requirement for both video (playback) and main (maps) IIRC. Do they still have leftover areas that require Flash?
ubnt has a habit of not finishing what they start. AirControl 2 is not finished and they're talking about Aircontrol 3. Airvision has been rewritten 3 times in 3 years.
For all I know they're doing Unifi 5 in pure flash. I wouldn't be surprised.
Unifi 3.x requires flash to manage devices on a map. It's the main screen you see when you log in.
Unifi 4.x is still beta and I'm not sure if it still requires flash (Though for Ubnt stable means beta, beta means alpha, alpha is unlikely to even run.)
Last I checked AirControl did too (managing many AirOS devices)
In Safari on OS X, Facebook does use the native <video> player.
I'm guessing that Facebook encodes video as h264, which isn't natively supported in Firefox; rather it relies on support in the operating system. I'm not sure if Chrome on Linux supports h264, however since Chrome also includes its own Flash player I guess that Facebook may be using their own Flash player anyway.
Pretty sure there are some settings you need to enable in about:config to get H264 working in Firefox (assuming you have the right gstreamer stuff installed).
My point, though, is that if a random Italian consultancy can amass multiple Flash 0-days, the folks at the NSA with the $10+ billion budget probably have an essentially endless supply of them (not to mention exploits for other software) at the ready.
"A spokesperson for Google confirmed that attackers could evade the Chrome sandbox by using the Flash exploit in tandem with another Windows vulnerability that appears to be unpatched at the moment."
The Chrome sandbox isn't as strong as you might think. Flash needs access to a ton of stuff to work:
- Camera / Microphone
- Filesystem
- GPU
So there's plenty you can do without escaping the sandbox.
I'm as grossed out by HT as the next message board nerd, but they didn't develop these bugs; modern industrial software development did. All HT did was weaponize them. These guys aren't the sharpest tools in the shed, so I think you can safely assume other people weaponized these, or worse bugs, as well.
HT purchased these vulnerabilities with an understanding that they would not be made public and patched. Then they failed to safeguard them. Clearly these 0-days, and conceivably all computer vulnerabilities, are not close to being as bad as smallpox, but what ethical obligations do actors (companies, governments, hackers, researchers) have to protect vulnerabilities which they plan not to protect the public against?
Say you discover a very powerful attack on AES which allows you under many circumstances to recover the key:
1. do you have an ethical obligation to warn affected parties?
2. If you don't and instead secretly sell this decryption capability to governments and/or private actors, do you have an obligation to ensure that this capability isn't used illegally or unethically?
3. What due diligence is required to protect a vulnerability of this scale?
I do not disagree. In fact, I personally have a problem with all non-vendor vulnerability sales, for the same reason.
I just think we should be clear that exploit developers, brokers, and users don't actually create vulnerabilities; software companies do.
I also think people should give Adobe a little bit of a break --- not much of one, but a little. Adobe got monstrously successful off a codebase that largely predates the concept of software security. It's a nightmare problem for them, and they are working on it. They should work harder.
15 years ago a pretty sizable chunk of the industry thought heap overflows weren't exploitable for code execution, so I don't think that's the right interval.
Why don't you 100% blame the people at fault: Adobe / the original developers.
First, they were incompetent enough to not correctly develop their software.
Second, non-assholes would have a standing price-match policy for bugs. Adobe should give you 110% of the highest bid you get for any 0-day. They could have fixed these a long time ago if they'd paid the discoverer $45k (or $150k -- times three for exclusivity.) These companies are effectively outsourcing security testing and remediation of their software, then whinging that independent developers don't work for free.
> Why don't you 100% blame the people at fault: Adobe / the original developers.
I agree Adobe is at fault for producing insecure software.
Blame is not a limited resource; there is always extra blame to go around. If I am driving recklessly and my brakes fail due to a manufacturing error, both I and the car company are at fault for the accident. One can always, as HT has done, make a bad situation worse by behaving in a reckless and unethical manner.
>Adobe should give you 110% of the highest bid you get for any 0-day.
Bug bounties are sensible, but price-matching seems too easy to game. How can the company know a bid is serious, and not just fake to be matched? "Oh, sure, so-and-so offered $200k for this bug."
(For that matter, while reputation is certainly a thing, what stops a security researcher from selling the same 0-day to several different buyers, and then selling it to the company to fix? Do the typical contracts to sell 0-days involve continued payment based on the amount of time the bug remains unfixed?)
I'd care a lot more if Adobe, et al, weren't repeatedly screwing up. A couple million dollar bounties and forcing them to pay to internalize their negative externalities will help create the proper internal focus on shipping secure software. Reputation doesn't show up as a line-item.
And if a security dev resells, who cares? The company still got the 0-day and still gets it fixed asap. It's far better than our current situation where these can persist for years.
> what stops a security researcher from selling the same 0-day to several different buyers, and then selling it to the company to fix?
People willing to pay 5 or 6-digit sums for a zero-day are likely... not nice. One wouldn't double-cross them willy-nilly. Multiple-sale to multiple third-parties scenarios are likely happening every day, but selling to developers could be considered an act of sabotage against all buyers, so there is no incentive really.
How about an escrow contract using a third party and bitcoin? You could call it Silk Road 3. It's really not that hard to be taken for a ride if you have the resources Adobe does.
If you know a company is legally obligated to pay up to $x, and that they have $x, you can offer to pay $x/1.1 in collusion/partnership with the bug-seller, for a share of the proceeds. You can outlaw the collusion, but setting up this kind of mechanic seems like a bad idea.
My Macbook kernel panics and force-reboots itself because of a bug in some newer Firefox browser feature(s) which are used by a JS-based GBA emulator which was trending on HN yesterday. I can consistently duplicate the kernel panic by resizing the browser window while the emulator is running. I've never in my life experienced such a catastrophic bug from a Flash demo.
At worst, such a devastating bug has a decent chance of harboring its own RCE which has yet to be discovered or disclosed; at best, it's one of the most extreme local DOS attacks that a webpage could possibly launch against a client.
Just because it's much more trendy to bash Adobe than it is to bash Firefox doesn't mean that Firefox's problems are nonexistent.
A significant portion of the web using community (including myself) stopped using flash 6-12 months ago, when all the zero-days became a monthly occurrence. The plugin is no longer strategic for adobe, they've stopped any forward-looking development on it, and are now in the mode of whack-a-mole reactive security patching.
I have not once ever missed having Flash on my system. It's not just the case that the web is usable, it's that, with the single exception of the BBC, it doesn't seem to use it anywhere I visit.
The BBC site will use non-flash videos if you browse it on an iPad, but they don't seem smart enough to serve these to you if you use a desktop browser with flash disabled.
Presumably they could implement a non-flash fallback for users but unfortunately they just haven't bothered.
I tried to cheat by modifying my User-Agent to pretend to be an iPad but had no luck...
I was going to agree with you, but I've just double-checked, and you CAN access video content on the BBC sites on a desktop (MacOS X Safari) by setting your User-Agent to iPad. However, it's important that you've removed Flash completely from your system (using Flash Uninstaller), rather than just disable Flash (hoping to use Click-To-Flash). For some reason, they detect Flash by some kind of file-path-detection code...
> The plugin is no longer strategic for adobe, they've stopped any forward-looking development on it, and are now in the mode of whack-a-mole reactive security patching.
I'm not sure what your point is, but the reality on the ground is that if you want to provide access to video, or other rich content, Flash is incapable of reaching the largest audience, and the audience that's growing the fastest. Adobe has made it clear there will no longer be any development of Flash on the mobile platform. HTML5 is the strategic platform for Adobe moving forward.
Absolutely no new major content sites as of around 2014 or so support flash as an option - they are all starting with HTML5 and/or thick local clients.
Flash needs to be EOL'd, and the sooner the better for the security of the Internet.
I've been running without Flash for a couple of years now. The only thing I can't do that I would like to be able to do is to watch Facebook videos. Other than that, not having Flash installed is not a problem for me.
For me there are generally 3 steps to the process of watching a youtube video.
1. Get the video id. Retrieve HTML containing youtube /watch?v= urls or other urls that contain the video id. Extract the urls from the HTML or other markup garbage.
2. Retrieve the video. Feed the /watch?v= url to a script that does some "find and replace" on the absurdly long googlevideo urls. Below I have given an example of such a script. Complaints welcome. It takes a /watch?v= url on stdin and retrieves the video in the format specified on the command line.
3. Play the video. ffmpeg libraries, mplayer, etc.
Whatever it is Flash does in the process of watching youtube videos (I am quite sure it is not step 3), I do not need it.
Thus even if by not using Flash or a complex "modern" web browser to watch YouTube videos I somehow were to reduce my exposure to vulnerabilities that routinely occur in such software, I would not care. Because the reason I do not use Flash is... because I do not need it.
# proof of concept: video retrieval
# requirements:
# sh, sed, tr, openssl, ftp
# Adobe Flash not required
# HTML5 not required
# Python not required
# Awk not required
# web browser not required
curl=ftp
file=1.mp4 # default outfile
url=www.youtube.com # example
# itag #s are on the wikipedia page for youtube
f061(){
sed '
s,%3D,=,g;
s,%3A,:,g;
s,%2F,/,g;
s,%3F,?,g;
s/
Do Chrome and Firefox automatically update Flash? I can't turn it off because... well, a lot of video sites made for men that are not YouTube or Twitch but more popular than Vimeo will ever be require Flash.
Firefox - "no", it doesn't have Flash built-in but uses Flash installed in the operating system. However, Flash installed separately for example in Windows/OS X also updates itself.
However, you are screwed either way: always running the latest Flash player version which is known to be constantly full of security bugs, just like in the past 3 years... :)
So if it is so widely known, why has no action been taken by anyone to stop them from undermining the Internet's security?
Also not everyone knows how bad Flash is for their security; only a few geeks care about reading CVEs. So until it goes to mainstream media not enough people will care.
Huh, I hadn't researched this before, but it looks like flash for Linux has been frozen for years, while the windows and OS X releases keep getting updates.
So I guess Linux users are immune to this new zero-day?
What are the people doing now who formerly developed Flash? Are they all diesel mechanics and baristas or what? I wouldn't even consider calling back a candidate who had Macromedia on their work history.
Flash is decades old, not that big, and still has use-after-free vulnerabilities? Tools for catching those have been widely available for years. That makes one suspect those vulnerabilities aren't there by accident.
We need public disclosure of the code check-in that created the bug, with names. People need to be fired for this.
Work on a massive decades old software project and get ready to have your eyes opened. All the automated static and dynamic software analyzers catch only the easiest flaws, but can catch the more serious ones only if you're skilled and lucky.
Firing people for software bugs is the stupidest thing I've heard in a while. Everyone writes horrific software flaws. Everyone. The best of the best programmers just write less of them. Firing people for bugs is a job perk that will only motivate any good developers to find a less stupid employer as soon as possible.
> All the automated static and dynamic software analyzers catch only the easiest flaws
In a 64-bit environment, at least for development purposes, why can't every single malloc() cause an allocation from new memory page(s)? Then free() removes the page(s) from accessible virtual memory.
Too much overhead for production, but it would sure catch a lot of use-after-free bugs during development. Is nobody doing something like that, or is that part of what you consider "the easiest flaws"?
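The "one fresh page per allocation, revoke it on free" debug allocator suggested above, written out as an added example (not code from the thread); `dbg_malloc`, `dbg_free` and the demo helpers are hypothetical names, and it assumes a POSIX system with `mmap`/`mprotect` and a catchable SIGSEGV.

```c
/*
 * Added example: a minimal "one page per allocation" debug allocator.
 * Every allocation gets its own fresh page(s) from mmap(); free() revokes
 * all access with mprotect(PROT_NONE) and never reuses the range, so any
 * later touch of the freed memory faults instead of silently reading stale
 * or recycled data. A SIGSEGV handler turns that fault into a return value
 * so the detection can be checked. POSIX only; all names are hypothetical.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static size_t page_size(void) {
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Header stored at the start of the mapping so dbg_free knows its length. */
typedef struct { size_t map_len; } dbg_hdr;

void *dbg_malloc(size_t n) {
    size_t ps = page_size();
    /* Round header + payload up to whole pages; fresh pages never alias a
     * live or previously freed object. */
    size_t need = sizeof(dbg_hdr) + n;
    size_t len = (need + ps - 1) / ps * ps;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    ((dbg_hdr *)p)->map_len = len;
    return (char *)p + sizeof(dbg_hdr);
}

void dbg_free(void *ptr) {
    if (!ptr) return;
    dbg_hdr *h = (dbg_hdr *)((char *)ptr - sizeof(dbg_hdr));
    /* Revoke access but keep the range reserved: a dangling pointer faults
     * on first use and the address is never handed out again. This is the
     * "too much overhead for production" part: one page per object. */
    mprotect(h, h->map_len, PROT_NONE);
}

/* --- demo harness: convert the expected fault into a return value --- */
static sigjmp_buf fault_jmp;
static volatile sig_atomic_t fault_seen = 0;

static void on_fault(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_jmp, 1);
}

/* Returns 1 if a read after dbg_free() was caught as a fault, 0 if the stale
 * read "succeeded" silently (the usual behaviour with a normal libc heap). */
int uaf_is_detected(void) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);    /* some platforms raise SIGBUS */

    volatile char *buf = dbg_malloc(64);
    if (!buf) return -1;
    buf[0] = 'A';
    dbg_free((void *)buf);

    fault_seen = 0;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        volatile char c = buf[0];       /* use-after-free: must fault here */
        (void)c;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return fault_seen ? 1 : 0;
}

/* Sanity check: a live allocation behaves like ordinary memory. */
int live_alloc_works(void) {
    char *s = dbg_malloc(16);
    if (!s) return 0;
    strcpy(s, "flash");
    int ok = strcmp(s, "flash") == 0;
    dbg_free(s);
    return ok;
}

int main(void) {
    printf("live allocation ok: %d\n", live_alloc_works());
    printf("use-after-free caught: %d\n", uaf_is_detected());
    return 0;
}
```

Tools such as Electric Fence and the Windows page heap apply the same idea, and the cost they pay is the one noted above: every small object consumes at least a full page plus a system call on allocation and on free.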
It's been a while but I'm pretty sure the issues here only happen in extremely contrived edge cases. Not to say they aren't big deals or to downplay them, but I don't think even that would catch them reliably. Not without extremely heavy fuzzing or something.
Flash is big - video, audio, animation, browser hooks, filesystem access, etc. - and while Flash has been around for decades the code in the current iteration mostly hasn't been.
This comment was heavily voted down a day or so ago (not by me, I voted it up). But just now I'm reading about yet another zero-day, this time against Java.
So the question is, when are we going to get disgusted, sick and tired of all this sloppy code? When will "heads will roll for this" revert to being a meaningful punishment instead of just a historic cliche?
Enough is enough! If there are no consequences there will be no improvement.