Adobe Flash. It’s everywhere. Not all of us want it, but many are forced into submission simply because it’s weaseled its way into a myriad of applied and common uses. That makes it all the worse that a vulnerability in Adobe Flash, Reader, and Acrobat is letting attackers exploit computers with these products installed. Adobe has confirmed that the vulnerability exists and is working on a fix. In the meantime, most of the major antivirus vendors have already updated their products to catch one of the exploits: a malicious PDF file sent by email, which is generally aimed at corporations rather than personal accounts.
According to Paul Royal, principal researcher at Purewire, the other type of attack that currently remains unchallenged is merely “a Flash movie of one-frame length. This malicious Flash file is being embedded in Web pages, sometimes of legitimate Web sites that are compromised.” According to his research, this multimedia attack’s code is just different enough from the PDF attack that it will not be caught by many antiviral programs until a separate package can be designed.
From Adobe: “A critical vulnerability exists in the current versions of Flash Player (v9.0159.0 and v.10.022.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v.9x for Windows, Macintosh and Unix operating systems. This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.” So if you were thinking that you’re safe with a Linux-based system or OS X, you’re unfortunately incorrect.
This vulnerability has apparently been known about since December of last year, but then it was merely regarded as a bug. It probably began to be exploited around the beginning of July. Still, it’d be nice for known and exploitable bugs to be fixed within a relative time after being found. The good news is that Adobe will have a fix brewed up for most of the exploitable applications by the end of this month.
Not that it’s the end of the world and that we ought to shun Flash simply because of this exploit alone, but it’s no secret that Flash isn’t liked by a lot of people for varied reasons, and this will just pile on top of them. Taking a leaf out of Kroc Camen’s book, I suggest that, if this new exploit in the Flash implementation bothers you enough, simply do without. Has the time long been coming for newer, better multimedia implementations? Is this the final straw for you? Should it be the final straw for everyone else, too? Or is it just another storm that’ll blow by?
The comments are waiting.
Let’s go install Silverlight
Doesn’t exist outside Mac OS X and Windows.
And no, Moonlight isn’t the same as Silverlight because it doesn’t work at all on lots of Silverlight websites (Microsoft’s own Silverlight websites block Firefox with Moonlight).
Edited 2009-07-28 18:15 UTC
https://addons.mozilla.org/fr/firefox/addon/433
There’s also flash killer, which I haven’t yet tested.
Doesn’t help if one of your trusted sites gets compromised, or you get caught by the PDF-version of the exploit. The only solution, until a fix arrives, is to uninstall Flash.
And uninstall Adobe Reader and/or Acrobat if you have it. So it is not just Flash that is vulnerable according to the exploit.
Our office moved away from IE due to the vulnerability at the start of the year. I think it’s time to look at a move away from Reader.
for us to do without Adobe and their overhyped bloatware. Flash is a resource-hogging piece of junk, and so is Adobe Reader on all platforms it supports. Not sure about Photoshop, that’s for the graphics people to decide, but I’ve even heard a few of them complain that recent versions are more bloated than they once were. Oh, and they created that monster known as PDF…
For all new software, people complain that it is more bloated than the previous one. As computing power increases the software designers make it look better and take advantage of resources that are now commonly available. Sure, Photoshop 4 will run faster than CS4, however if you look at it there is a lot of stuff missing and it looks very dull.
If the added code only adds pretty graphics for the sake of change without any benefit to the end user, or bundles in once separate programs which the user has no need of, then it’s bloat. Quicktime wants to install Safari and iTunes; bloat. Vista and Office07 cosmetic changes are more for marketing purposes than user benefit; bloat. Reader now wants to install three other software packages alongside it and none of them improve PDF viewing; bloat. KDE4 graphic overhaul to look pretty with no clear advantages over KDE3.5; bloat.
Software increasing in resource needs due to added functions and clear benefit for the end user is fine. Software increasing in resource needs purely because bigger hardware is cheaper so why bother writing clean code; that’s a problem for me.
Things are not that simple. I hate bloat, too. But each new feature between releases is always really required by someone, and usually by a considerable number. Companies like Adobe really review the priority of every requested feature and always filter out those required by fewer customers. As someone said, 80% of customers need 20% of the features, but it is NOT always the same 20%.
Allow AIR and PDF reader to be installed separately and stop pushing Yahoo and Google browser bars in alongside them.
Include more plugin modules on the install media and less hard coded functions in the software.
Don’t default to everything installed in software suites.
Don’t default to everything in memory through pre-loaders when these things are not needed outside of the program.
Stop displaying the Photoshop splash screen above everything else so it can dominate the screen while listing loading plugins.
I think there is much more they could do for the benefit of the customer.
I’ve lost count the number of times Flash has killed off my browser.
As of around version 9 or 10, Flash Player finally uninstalls previous versions when upgrading. I can stop manually uninstalling the past four or five upgrades because the new version just dropped into the directory without any awareness of its own software.
Actually, on one machine I’ve got a 7a.ocx stuck in place. Can’t delete in safe mode. Can’t delete using “at boot” utilities. Can’t delete as administrator. Can’t boot off a liveCD and eradicate the POS until I take the time to decrypt the drive. What kind of F’ing shit code and platform allows a file to get locked in place beyond even the mechanisms of the OS?
That’s actually the legacy of an anti-UNIX school. Today, every big application has an extension framework, but they are always in-process plug-ins. UNIX has long encouraged cooperating processes rather than in-process plug-ins, which are actually a monolith. Out-of-process plug-ins have gradually been appearing on some platforms. And Apple claims it isolates Safari’s plug-ins in a separate process.
Process boundaries not only prevent the platform from crashing when the plug-in crashes, but also ease problem isolation and fixing. We have seen enough of Firefox blaming add-ons while users blame Firefox. Every plug-in maintainer points fingers at the others when a problem happens because they are all a mess in the same address space. Let the UNIX culture renaissance accelerate and everyone will have a more stable system.
When posting news like this I would recommend you mention the severity if running as non-admin. I always use a locked down account along with SRS restriction policies… frankly most exploits don’t amount to a hill of beans on my systems as nothing is executable in the same directories I can write to.
Unfortunately there are usually ways around such policies; for instance the holes in Windows 7 UAC, or the recent local privilege escalation vulnerability in Linux. LUA/SRP/MAC/whatever makes it more difficult for an attack to gain admin privileges but not impossible.
Also, if you’re using a limited user account but not MAC and your personal data is stored under that account, the data is vulnerable.
Edit: and as far as Flash goes I hope that Silverlight kills it dead, the heck with it being MS technology. If it’s better, let it win for once.
Edited 2009-07-27 22:51 UTC
Um, that would be the worst outcome imaginable for anyone who doesn’t use Windows. The web should use open standards, and thankfully there’s been progress towards this end in recent years. Silverlight would undo all the good that has been done in this area were it to gain prominence, and would give Microsoft a second shot at locking in the web like they attempted to do with ActiveX. I don’t think one needs to imagine too hard to see where things would go from there, look at Windows and IE when Microsoft had no real competition.
Moonlight is available for Linux…
http://en.wikipedia.org/wiki/Moonlight_(runtime)
Although I see what you mean about the binary codecs. Also, software patents are stupid, stifle innovation, and generally deserve to die horribly.
And barely supports some of Silverlight 2.0’s features, let alone those of 3.0… not to mention Microsoft could effectively flip the killswitch on it whenever they wish. Like Gnash and Swfdec on the Flash side of things, Moonlight is doomed to constantly play catch-up and, even worse, is at Microsoft’s mercy (at least Gnash and Swfdec can’t be killed by Adobe). Not good at all for an open web experience, and that’s not even bringing the binary codecs into the mix.
And have you tried to actually use Moonlight?
I did once.
The site I went to didn’t recognise Moonlight and suddenly, I was on a Microsoft site where I was being asked if I wanted to download Silverlight for Windows. Naff all use to me as I was using Linux.
IMHO, Silverlight should die a horrible death. It is nothing more than the latest Microsoft Lockin device.
As the functionality in Moonlight is always lagging that in Silverlight, it is easy for Redmond to keep the usefulness of Moonlight down to almost absolute zero.
At least I can get Flash on Windows, Linux & OS/X even if it is a pile of steaming do poo (but less smelly than the Silverlight one next door)
This is not true; Moonlight is a good implementation of Silverlight and runs on Linux, Solaris, Windows and BSD. The only problem is the codecs, but Moonlight does provide for most free codecs.
Flash does not support free codecs and is the worst possible scenario.
Yes agreed, some progress has been made.
Where do you get this stuff from? ActiveX was not Microsoft’s attempt at “dominance” but an alternative to java applets and like applets was a flawed implementation.
Having to lie in order to come up with some stupid anti Microsoft arguments just makes you look paranoid.
Do you have further info on MAC? Thank you.
MAC = Mandatory Access Control, where applications run with only the privileges they need in order to perform a task, as opposed to all the privileges of the user that runs them. (As far as I understand it anyway.) Examples include UAC on Windows Vista/7, and AppArmor, SELinux, Tomoyo, SMACK, and grsecurity on Linux. Also on Windows, I think some HIPS/firewall software can enforce MAC-like policies if the OS doesn’t support it (as in Windows XP).
I would have said Media Access Control, as pertains to networking.
Back to the topic, one thing Flash has over open web standards is a comprehensive IDE to develop with. Is there an equivalent tool to develop rich web sites with HTML, CSS and Javascript?
Youtube is kind of Flash’s “killer app”, or page rather, for me. Have they implemented HTML 5 video yet? I could easily do without Flash if not for Youtube.
As far as I know (and I really don’t know very much on this subject– really just what I’ve read from Kroc earlier as well as a bit of research I did after reading what he had to say about it), HTML5 is still vastly in the works and won’t be standardized for a while, especially in sites like YouTube. While a lot of the major browsers support HTML5 already/will support it very soon, there still isn’t a definite standard yet (right?), and I wonder if it will take major websites a while to catch on not to mention actually implement the idea. Imagine switching the whole of YouTube from Flash to HTML5 video… I imagine it would take a while even if it’s an automated process.
I agree with you completely, though. I use Flash mainly for YouTube videos, and I’m sure it’d be a lot easier for people to switch to the new HTML5 video spec if YouTube did the change, too. Or if they did the “Video for Everybody” idea– there would still be Flash in use, but it’d be nowhere near as widespread, and there would be very few at all who wouldn’t be able to see any video implementing this idea. I would love to see it take off.
Anyway. This is all the deaf man telling the blind man what he heard. Just speculation lightly sprinkled with strained education, really.
“Imagine switching the whole of YouTube from Flash to HTML5 video… I imagine it would take a while even if it’s an automated process.”
Not really. The contents of each page on YouTube are dynamically generated, it’s not like they’ve got seventeen zillion static HTML pages, one for each video. All you have to do is flip the switch from generating pages with the video embedded in a Flash player to generating pages with the video in an HTML5 video tag. They already have a demo site up:
http://www.youtube.com/html5
Dailymotion (a YouTube-like site) has implemented HTML 5: http://openvideo.dailymotion.com
Edited 2009-07-28 08:09 UTC
You can try out YouTube’s HTML5 implementation here: http://www.youtube.com/html5
You could take a look here:
http://www.youtube.com/html5
If you use Firefox you can disable Flash-player and add the Greasemonkey extension:
https://addons.mozilla.org/en-US/firefox/addon/748
And then add a Youtube-Greasemonkey script like this one:
http://userscripts.org/scripts/show/24999
If you don’t see anything, also install a player for the format like VLC (which has a Mozilla-plugin):
http://www.videolan.org/
That works for Youtube.
Edited 2009-07-28 15:49 UTC
Here’s a good example of how much we need flash: toriseye.quodis.com ( twitter search visualization ), that’s 100% flash-free, only jquery+css2.1+xhtml were used.
Sorry lmjabreu, it’s not 100% Flash free. Flashblock is blocking a Flash app on that page for me. The URL it’s blocking is //bin.clearspring.com/at/v/1/button1.6.swf. Perhaps not very important to the twitter app itself, but there’s definitely Flash on that page.
My biggest gripe with flash and anything like it is that it ruins how the internet functions with regards to hyperlinks and such. In concept, the internet is a bunch of pages with links to each other. Flash violates this. When you click on things in flash, it takes you to other things in flash. It gets particularly bad when web developers build whole sites out of flash. All of a sudden, you can no longer do simple things like open links in new tabs or bookmark them.
If all you’re doing is using flash to play videos or you’re running actual applications in it (which I still think is a weird thing to do), it’s not so bad. I’d still prefer other solutions – particularly ones that aren’t as resource-hungry – but at least then it’s not getting in the way of navigating sites properly.
Still, I’ll be very happy if and when html 5 video stuff eliminates flash as the primary video player on the web. Flash just does not play nice with everything else.
It seems that the Adobe plan to reduce product vulnerabilities announced back in May is not being well implemented yet.
http://blogs.adobe.com/asset/2009/05/adobe_reader_and_acrobat_secur…
Edited 2009-07-28 00:37 UTC
Adobe’s readers and players are a scourge upon the Earth. I hope severe flaws continue to be found in these products. Eventually people will get burned enough that they’ll stop using them.
IE is still the dominant browser despite its myriad flaws.
If flaws continue to be found then readers of OSNews will get more indignant while the average user will carry on, oblivious.
For years I have run Zeta/BeOS as my primary OS, which supported only Macromedia Flash 4 and below. That makes one painfully aware how many Web sites use Flash (often completely redundant, e.g. menus that would be better off being based on JavaScript). It also requires one to watch YouTube videos through tedious “hacks”.
Though reports state that the use of Flash is on its return, I for one surely don’t see it. My conclusion after years of not being up-to-date on Flash merely must be: there is no way around it.
Thom is aiming for a utopia here, and there really can’t be much of a discussion about it. Sure, it would be good if we all moved to HTML video. I already read comments here promoting Silverlight — which is equally likely to have leaks. Then there still are tons of developers out there that can *only* program in Flash, and I know that Communication Studies students in the Netherlands are still being taught Flash. How’s that for a flashy future?
The article was not written by Thom.
Yikes, thanks for pointing that out to me! And I even thought I had checked whether Thom wrote it! My bad.
If it is many times faster than the current implementation. And much faster CPU decoding of H.264.
Silverlight – much like IE, will get worse once Microsoft dominates.
I have a designer here who wants to animate and script rich media presentations.
She is not a coder, though can deal with snippets of ActionScript if necessary – However visual layout, animation, timeline management and audio tools are a must.
If not Flash, what would you suggest they use? Should be open source, open standards, and hopefully free as in beer.
Presentations as in Powerpoint/Keynote-ish stuff? I remember Director being a better tool for that sort of stuff than Flash (or Powerpoint or Keynote, for that matter). Although it has been a few years since I used it (before Adobe took over Macromedia) – and it doesn’t meet the “open source, open standards, and hopefully free as in beer” requirements.
No this is web based presentation stuff – not literally ‘presentations’ with a projector and a bunch of slides, but presentation work e.g. design work, UI workflows, animated diagrams etc.
It has to look slick, first and foremost, and be quick to put together and revise based on feedback from management and the clients, and must be easily viewable by clients, both locally and on the other side of the world.
This is why we use Flash, because as far as I know, there is no better tool for this work. I’m interested to know if there is any real alternative, because I suspect there isn’t, so no amount of complaining about security holes etc. will be cause for any significant number of people to drop their preference for Flash.
Why does anyone think that a bunch of security flaws are going to affect user adoption? Unless there’s something that works as well as or better than Flash, nobody is able to switch away from it.
Good points.
One can perhaps see Flash in two ways – one as the SWFs the Macromedia programs create; timeline, tweens, events. The other way is to see it as a pure VM, just like for example Java. The latter way is how I use Flash (with Flex and FlashDevelop).
The ubiquitous Google has released o3d:
http://code.google.com/apis/o3d/
…which, to some extent, can be seen as the 2nd case above.
Adding a timeline is possible right now, as o3d puts the code in js. So the day someone adds the sugar the flash vm generates, and possibly also a usable program to help creating end user content that uses the sugar, then flash might actually be threatened.
Edited 2009-07-28 12:22 UTC
Oh I completely agree. In the discussions specific to Flash’s use for video delivery, Javascript is often mentioned as an alternative – but I think there are two main reasons why it hasn’t displaced Flash:
1) In many cases, the choice is between (on one hand) mature, relatively turn-key Flash applications that just require a little customizing through component inspector, and (on the other hand) JS libraries that require a significant amount of coding to do anything useful with them.
2) At present, I find that complex javascript apps have the same types of problems that plague Flash – they cause crashes or sluggish behaviour in browsers and there are numerous security issues. On top of that, there are many browser compatibility issues with JS (which typically isn’t the case with Flash).
I suspect that will change in the future, as javascript interpreters improve & JS apps become more mature/full-featured. But at present, there are still good reasons to use Flash for some types of content – especially for commercial web development.
If I were to go to a client and give them the choice between a $50 Flash app, and paying to spend 20-30 hours to write a JS equivalent – they’re almost certainly going to pick the Flash app.
I challenge anyone to get iPlayer working under Gnash or swfdec.
Quite a few sites will direct you to a non-Flash version if the server detects that you don’t have Flash. Plugins like Flashblock still report to the server that you have Flash.
I recommend setting up 2 browser accounts or profiles, one with and one without Flash. Then your normal browsing can be done without Flash, you get the sans-Flash versions of sites, and you affect the Flash install base stats (I think currently Adobe can claim that >99% of browsers have Flash installed). Then when you hit a site that needs Flash you fire up your second browser.
I achieve this in Linux by making a second user account. In that account I install Flash into the .mozilla folder. Then I use
ssh -X flashfox@localhost firefox
It should be possible to do with sudo, but I could not figure out how to make X happy.
You could also use 2 profiles under the same user, http://www.downloadsquad.com/2006/04/13/run-multiple-firefox-versio… or just 2 different browsers.
I’ve felt this way for a long time but like most, I’m forced to use it because every freaking website requires it. And here’s the rub, most of the blinky animated crap that Flash is used for can be done as easily through other, more universally browser-independent methods. Joomla! No Flash, yet it has the hovery, blinky menus and they work without a plugin or a specific browser.
Sure, it has its uses but the marketing folk have strong-armed the site developers into over-saturating the whole internet with a crappy format from a single provider who repeatedly demonstrates inability to support cross platform readers and bug fixes in a timely manner.
We’re addicted to flash just like we’re addicted to Microsoft and oil. At least with PDF’s people can generally use html or .doc files with the same effect. I can usually boycott .PDF and especially Adobe’s reader.
Flash on the other hand is a beast. The only way I can see around it, is a really slick open source competitor. It would have to compete with the consumer side of it, and the developer side. HTML5 is fine, but if you want people to switch to it, it needs an edge. Some great developing tool that defaults to it etc.
I do not agree. While Flash is a tool to create content, most of the times (IMHO) people wishing for Flash compatibility (iPhone, etc) just want to be able to watch videos. In those cases, even if they say so, people couldn’t care less about Flash per se (the player) but the content (which can be made –and is being made– non-player-dependent, as H.264 is not).
Most of the cases where pages *require* Flash just to see non-Flash content (i.e. video), the developer is to blame, honestly. SWFObject with a direct alternative link to the video file should have done away with most of the need for Flash ages ago. There is absolutely no reason for it not having become the standard way to embed Flash video. It’s not like you have to have a PhD to learn how to use it. And now there is even Video for Everybody.
Why are YouTube pages written so that clips, all of which have H.264 versions, only play if Flash is installed? What does one have to do with the other?
(My argument does not apply to using Flash to dynamically generate content, animate or add other features beyond a simple video player)
Edited 2009-07-29 02:55 UTC
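To illustrate the embedding pattern the comment above argues for (and the “Video for Everybody” idea raised earlier in the thread): native HTML5 `<video>` first, a Flash player only for browsers that cannot play the native sources, and a plain link to the file when neither is available. This is an added example with constructed placeholder file names and a placeholder player SWF; it is not markup from the page or from the Video for Everybody project.

```html
<!-- Added example, not from the page. File names and player.swf are placeholders. -->
<video controls width="640" height="360" poster="clip-poster.jpg">
  <!-- A browser with <video> support picks the first source it can decode. -->
  <source src="clip.mp4" type="video/mp4">
  <source src="clip.ogv" type="video/ogg">

  <!-- Only browsers WITHOUT <video> support render what follows. -->
  <object type="application/x-shockwave-flash" data="player.swf"
          width="640" height="360">
    <param name="movie" value="player.swf">
    <!-- flashvars syntax depends on the player SWF; "file=" is a placeholder. -->
    <param name="flashvars" value="file=clip.mp4">

    <!-- No <video> and no Flash (e.g. Flash uninstalled, as advised in this
         thread): the visitor still gets the content through a direct link. -->
    <p>Your browser cannot play this video inline.
       <a href="clip.mp4">Download the MP4</a> and open it in a local player such as VLC.</p>
  </object>
</video>
```

A visitor who has removed the Flash plugin gets the clip through the first or last path, so the page no longer makes the plugin a precondition for watching plain video.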
Just reinforces what I already know: Flash sucks.
’nuff said.