New Flash flaw could let attackers control Macs, Adobe urges users to update

Comments

  • Reply 21 of 60

    I've updated by removing Flash.

  • Reply 22 of 60
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by stevenoz

     

    HTML5 in this case.

     


    It is usually the new advanced features in Flash that get exploited because the standard features have mostly been patched. HTML 5 is great but I don't think it has Pixel Bending on video which is what was exploited in this case. When HTML 6,7,8,9 whatever has all the same capabilities as Flash and an equivalent rapid application development environment, perhaps people will stop using Flash.

     

    EDIT: Actually I have now discovered that Pixel Bender is not a new feature as I suspected, only because I never heard of it before. As it turns out it is obsolete and will not work with the latest versions of Adobe products. I think it only works up to Flash Player version 10 so most people have long since upgraded to a newer version.

     

    Other details are that there are actually two different versions of the attack but the one that could affect Macs is the much older exploit referenced above. The second similar technique requires Cisco Meeting plugin and ActiveX on Windows, as well as the older version of Flash player, and so far only while using Firefox. All the attacks are considered extremely sophisticated and originate in Syria. More information here:

    http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks

  • Reply 23 of 60
    lkrupp Posts: 7,101 member
    Quote:

    Originally Posted by hydr

     

    Who uses Flash anyway?


    All the ads on AI for one.

  • Reply 24 of 60
    lkrupp Posts: 7,101 member

    I have the Flash preference panel set to automatically install updates. I just checked and my Flash plugin is already at 13.0.0.206 so...

  • Reply 25 of 60
    mstone Posts: 11,510 member
    Quote:

    Originally Posted by Slurpy

     

    Has there been a single week without a critical flash flaw? It seems like I get a warning every couple days on my PC. 


    I get security notices, patches and updates from Apple on a regular basis too. 

  • Reply 26 of 60
    andreid Posts: 96 member
    I got rid of Flash a long time ago on all my Macs and all the Macs from my company. Life on the web became just better.
  • Reply 27 of 60
    pmz Posts: 3,433 member
    Quote:

    Originally Posted by Slurpy

     

    Has there been a single week without a critical flash flaw? It seems like I get a warning every couple days on my PC. Why the **** isn't this technology dead yet? It's been long enough. Any website that still relies on flash for video, etc does not even deserve to exist, when most are accessing the web through mobile now. Half the sites I visit still say "missing plugin" for video on mobile devices. Disgusting. 


     

    You have absolutely no idea what you're talking about. But keep it up, I'm sure you'll get plenty of up votes from iPhone owners.

     

    You are blissfully unaware of the multitude of Flash Web Applications that are still in use in the corporate sector...and are not going anywhere anytime soon.

  • Reply 28 of 60
    pmz Posts: 3,433 member
    Quote:

    Originally Posted by Disturbia

     

    5+ years and counting .... living my digital life without these 2 pieces of crap:

     

    1. Adobe Flash (and other garbage they sell!)

    2. F****ng JAVA!

     

    They don't die though because of Ads ... Ads ... god damn google and more Ads!


     

    pretty easy when you're just an average consumer browsing the web. no need for either

  • Reply 29 of 60
    mrboba1 Posts: 269 member
    Quote:

    Originally Posted by lkrupp

     

    All the ads on AI for one.




    It's a great ad-block!

     

    No Flash? No ads.

  • Reply 30 of 60
    dave k. Posts: 1,306 member

    I'm interested in how that is possible to...  

  • Reply 31 of 60
    FFS, Adobe. Die already.
  • Reply 32 of 60
    Marvin Posts: 14,219 moderator
    jungmark wrote:
    Maybe if Adobe just open sourced Flash, it would be more secure. Haha.

    Only if they use SSL for all the connections. ;)
    jungmark wrote:
    Another day, another Flash bug.

    Another thread of the same Adobe hate comments. I expect everyone has deleted Firefox too because of all the critical security flaws:

    https://www.mozilla.org/security/known-vulnerabilities/firefox.html

    https://www.mozilla.org/security/announce/2014/mfsa2014-29.html
    "these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution."
    https://www.mozilla.org/security/announce/2014/mfsa2014-31.html
    "This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution."
    http://www.infosecurity-magazine.com/view/36635/mozilla-patches-thunderbird-remote-exploit-vulnerability/
    "The vulnerability allows the attacker to execute malicious script code in the victim’s browser, resulting in script code injection, persistent phishing, client-side redirects and similar client-side attacks."

    http://www.computerworld.com/s/article/9247381/Apple_patches_Safari_s_Pwn2Own_vulnerability_two_dozen_other_critical_bugs
    ^ 27 vulnerabilities in Safari, 26 critical allowing arbitrary code execution. 33 OS vulnerabilities, not being fixed in Snow Leopard.

    6 vulnerabilities in Chrome:
    https://msisac.cisecurity.org/advisories/2014/2014-018.cfm
    "Multiple Vulnerabilities in Google Chrome Could Allow Remote Code Execution"

    Guess we're back to using good old trusty Internet Explorer. Hold on:
    http://www.pcworld.com/article/2148368/new-internet-explorer-zero-day-puts-web-at-risk-and-xp-isnt-getting-a-fix.html
    "This new remote code execution vulnerability, dubbed CVE-2014-1776, has the potential to give hackers the same user rights as the current user."

    It annoys people with Flash more because it's a non-essential add-on but it's not the case that Adobe's developers are worse just because the vulnerabilities are publicized more.
  • Reply 33 of 60
    dsd Posts: 184 member
    Quote:

    Originally Posted by Psych_guy

     

    Flash needs to die.


    And it will after the last porn site switches to HTML5.

  • Reply 34 of 60
    dysamoria Posts: 2,152 member
    Another Flash security hole. What a shock.

    Why is this crap even possible anymore? What happened to sandboxing?
  • Reply 35 of 60
    I went for a year w/o flash installed on my computer a few years ago and really didn't have any problems w/o it. I installed it again several months ago, as I was lazy and wanted to see a video that required it and figured by now Adobe made the product more streamlined and better performing on OSX. After this article came out, I decided I'd update the flash player installed... turns out, there's not really an efficient way to do this w/o going to the website, so... problem solved, I found the "uninstall" option in my utility folder. Thanks adobe for making the uninstall much easier than an update. I think I'll try another year or two w/o flash or maybe indefinitely. Didn't Adobe lose their talent behind flash to Apple anyway?
  • Reply 36 of 60
    Quote:

    Originally Posted by pmz

     

    You are blissfully unaware of the multitude of Flash Web Applications that are still in use in the corporate sector...and are not going anywhere anytime soon.


     

    You're seriously arguing that Flash is the new COBOL?

  • Reply 37 of 60
    disturbia Posts: 563 member
    Quote:

    Originally Posted by pmz

     

     

    pretty easy when you're just an average consumer browsing the web. no need for either


    Yep! I don't need to watch porn ... so average I am!

     

    My point is if above average consumers stop accessing sites which are built on top of Flash / JAVA, then they'll try to come up with non Flash / JAVA solutions.

     

    Or at least, voice your concerns ....

  • Reply 38 of 60
    stevenoz wrote:
    Like so much about Adobe these days... another reason to look for a light on the horizon to signal an alternative route, away from Adobe.

    HTML5 in this case.

    And don't get me started on the rental-only Adobe CC, which I think is an insult to previous users of their software products.

    The new features are getting fewer and fewer, so Adobe knows you may not buy their very-expensive software again soon. They've decided to charge you monthly for the privilege of making your digital designs, whatever they are. Then their bottom line won't suffer when their technical progress is slow.

    I kinda wish Apple would buy Adobe, since many of their users always have been Mac users, and make their software free when you buy a Mac.

    Then someone else would not have to make another Creative Suite from scratch for us to buy, not rent.
    If Apple took over Adobe we would see current works better, (a few deleted), and Flash working better than HTML5.
  • Reply 39 of 60
    The good thing about Flash is that it takes the heat off Microsoft Office.


    Ignoring iTunes, so the day Flash ceases is the day Office likely becomes the world's most hated software.
  • Reply 40 of 60
    danox Posts: 386 member
    Flash is dead on my computer never to return. Apple made the right decision to not use it on mobile.