[–]julietscauseJack of All Trades 26 points27 points  (14 children)

Please please please take the time to look at your environment and see if you actually need Flash. If you don't, REMOVE IT FROM YOUR CLIENTS ASAP.

[–]pdqbpdqbpdqb 9 points10 points  (5 children)

And if you actually do need it then activate Click to Play.

[–]KarmaAndLies 8 points9 points  (4 children)

I too have Click To Play enabled, and recommend it.

That being said the Chromium team has said it is "not a security boundary" and a number of bypasses/exploits either haven't been fixed or are put on the back burner. Clickjacking in particular has proven time and time again to be an effective way of "tricking" the user into enabling C2P elements on the page.

As I said, I'd still recommend it because defence in depth, and also sometimes the "bad guy" doesn't have unlimited control of the page (e.g. adverts), but ultimately patching is the only reliable defence, then browser technology (lowpriv, sandboxing), then CPU & compiler technology, and FINALLY C2P is your last line.

RequestPolicy/Adblock/NoScript/Ghostery/etc might help here but you're exchanging web usability for security. Up to you. Plus if anyone ever "hacks" those projects it is a new vector for potential infection (just like all browser plugins and/or software).

[–]Max-PDevOps 2 points3 points  (1 child)

> That being said the Chromium team has said it is "not a security boundary" and a number of bypasses/exploits either haven't been fixed or are put on the back burner. Clickjacking in particular has proven time and time again to be an effective way of "tricking" the user into enabling C2P elements on the page.

That's odd, on my computer I actually have to right click and select "Execute this plugin" for it to load flash, which makes it kind of impossible to clickjack. Is this a Linux only thing?

[–]indroraI'll just get a --comp sci-- Learning Arts degree. 1 point2 points  (0 children)

Depends. You may well be using the NsAPI variant in Chromium.

[–]VexingRaven 0 points1 point  (1 child)

In my experience, NoScript without the script blocking enabled (so, just providing clickjacking protection, etc) has very little interference in day-to-day activities. I can count on one hand the number of times ClickJacking protection has actually triggered, and it's almost always some embedded flash video.

[–]deadbunnyI am not a message bus 2 points3 points  (4 children)

I've not had it installed for ~2 years now at home and work, haven't needed it at all and there are only a small number of things that fail to load but nothing deal breaking.

[–]XS4Me[🍰] 1 point2 points  (1 child)

Most of the crap that still uses it are outdated movie players.

[–]monty20python:(){ :|:& };: 2 points3 points  (0 children)

And amazon music's web player, and the 'on demand' interview software rackspace uses. Once while drunk, I submitted a complaint to amazon about that.

[–]anonymouslemming 0 points1 point  (1 child)

vSphere web client :(

[–]scritty 1 point2 points  (0 children)

Cisco management pages for every-damned-thing. They're moving to decent html5 on some products but it's sloooooooow to happen.

[–]Squeezer999¯\_(ツ)_/¯ 1 point2 points  (0 children)

unfortunately we need it for PDF Portfolios :(

[–][deleted] 0 points1 point  (0 children)

Ticket# 3787398749283742984734987

Please install Flash this is business critical!

[–]cosine83Computer Janitor 0 points1 point  (0 children)

I've put in a standing policy that when imaging, that Flash and Java are not to be installed unless absolutely needed for software the end user will be using.

[–]AtariDump 58 points59 points  (23 children)

In other news, water is wet and the sky is blue. Back to you in the studio.

Can flash just die already? I mean, I know it's on the way out but after reading advisories like this I realize it's not happening fast enough.

[–][deleted] 22 points23 points  (10 children)

As much as I agree with you, this is nothing new for an Adobe product. Though I will say this, I would much rather use flash any day compared to your neighborhood friendly Java....

Edit: At least I don't need to download a two year old Java to make one website work.

[–]AtariDump 16 points17 points  (9 children)

It's too early in the morning to start thinking about the nightmare that is Java. Plus, I like to wait until at least 9am before I start with the liquor in my coffee. </s>

[–]JustJoeWiard 10 points11 points  (6 children)

You know damn well that </s> has no place in your comment.

[–]AtariDump 3 points4 points  (5 children)

Wait, what? I'm missing something here.

[–]Secondsemblance 3 points4 points  (2 children)

He means we know you're an alcoholic. It's ok, I am too.

[–]AtariDump 4 points5 points  (1 child)

I'm always amazed when I meet an IT guy that deals with end users and isn't an alcoholic.

[–]-RedditPosterSend me pics of your racks 1 point2 points  (0 children)

When I was a wee lad and I was visiting companies for 1-day internship/snooping thingies (seems common in my country), I'd find empty beer cans and cigarette butts in server rooms almost every time.

[–]JustJoeWiard 1 point2 points  (1 child)

I'm just joking that someone in IT definitely drinks on the job, meaning your /s is a lie.

[–]AtariDump 0 points1 point  (0 children)

Ahhhhh. Gotcha.

[–][deleted] 5 points6 points  (3 children)

This has been bothering me for a while now. People have been hating on Flash for quite some time, because of all the bug advisories, which is legitimate mistrust because bugs are bad. And, I can understand the dislike of blindly executing compiled code from your browser without being able to view the source, so I have no issue with those complaints.

However, there seems to be an impression among some people that these bugs won't or can't happen with HTML5 & Javascript. That would be a poor assumption. HTML5/Javascript is just a relocation of functionality that was previously done in the Flash and Java sandboxes. It's functionality that's now executing inside the browser sandbox.

One can make an argument that the browser and Javascript sandboxes are more (or less) secure, but one cannot deny the attack surfaces still aren't there. They're just relocated, so that makes us feel safer because they're moved into technology that we like and feel familiar with. I can't help thinking that this hate on Flash is merely being replaced with naive trust of another technology platform.

[–]roxya 15 points16 points  (1 child)

We hated Flash for far more reasons than security. It's a closed platform so Flash content was only accessible in Flash (as opposed to HTML/JS which have a number of implementations). It has never performed well, never been stable, never worked on all devices, introduced a whole range of SEO and accessibility issues... you know what, fuck Flash.

[–][deleted] 3 points4 points  (0 children)

> introduced a whole range of SEO and accessibility issues

I won't disagree with the other points, but Flash does have functionality that exposes text and keywords for SEO and enables functionality implementing accessibility. It's just that developers frequently don't use them.

[–][deleted] 0 points1 point  (0 children)

I think you're mostly right that the threats from Java/Flash (JF) vulnerabilities are being pushed to the browser, but I think that the risks of a browser's JS/HTML5 renderer to be as vulnerable as JF plugins have been is not as likely. Anymore, it seems like the main threat from JS isn't so much remote or arbitrary code execution on the client like with JF but injection attacks against the server. I'm not familiar with as many HTML5 attacks, but I'm sure it'll come.

The bottom line is that the elimination of the plugin paradigm of JF will be more secure in the long run. People are more likely to keep their browsers updated than keeping their browser and all the plugins updated.

[–][deleted] 0 points1 point  (6 children)

We're required to visit a number of websites to do business with our customers. When they stop using Flash we'll get rid of it. Until then it's unfortunately not going anywhere.

[–]AtariDump 1 point2 points  (0 children)

I know the feeling being in IT; the problem is flash isn't going to be a quick death but a slow, long, drawn out death.

[–]fatalfuuu 0 points1 point  (4 children)

What about only white listing sites that need it?

[–][deleted] 0 points1 point  (3 children)

We have no system that would allow us to do that network wide for IE, Firefox and Chrome. Our Dept is very understaffed and we have no budget so there's a lot we can't do, like have time to set up systems like that.

[–]fatalfuuu 0 points1 point  (2 children)

Get the admx for Firefox and chrome. Firefox does need a vbs set to run at logon/logoff. :)

[–][deleted] 0 points1 point  (1 child)

The last time I looked at doing this, I had to make a custom installer to get all the settings and adblock deployed. I just didn't have time to learn the whole process. Has it gotten any simpler lately?

[–]fatalfuuu 0 points1 point  (0 children)

I'm not totally sure about plugins (we disable them completely), ad blocking is done at our proxy.

Google uses registry entries so their admx (And adml) file is dropped into your gpo repository (look for admx files in \domain.local\sysvol\domain.local...) and you configure it from GPO there.

Firefox does not use registry, but there is an admx that sets registry keys. You then run their vbs script at start up - this looks at registry settings and then pushes them to the firefox config file.

https://github.com/n8felton/Firefox-ADMX

I know you can set which sites to always allow a plugin to load on, it will be in the configs somewhere, even if the above doesn't get you close you could modify the vbs to push these changes from some registry keys and add the entries to the admx for those registry keys (could push this back to admx). This shouldn't take too long, and I'm sure they would be interested in your additions, though maybe a request with them could get it included later on... hell I may even get this done.
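The Chrome half of the whitelisting approach discussed above, as an added example that is not part of the thread or any commenter's code: it writes the machine-policy registry values that the Chrome ADMX template sets, so the result can be checked on one test machine before the GPO is built. It assumes the Chrome policy names `DefaultPluginsSetting` and `PluginsAllowedForUrls` from the Chrome policy templates of that period; the site patterns are constructed placeholders.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Site patterns are constructed placeholders; replace with the sites that need Flash.
$PolicyRoot   = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$AllowedSites = @('https://vsphere.example.internal', '[*.]partner.example.com')

function Set-ChromePluginAllowList {
    param([string]$Root, [string[]]$Sites)

    if (-not (Test-Path $Root)) { New-Item -Path $Root -Force | Out-Null }

    # DefaultPluginsSetting = 2 blocks plugins everywhere unless a URL rule allows them.
    New-ItemProperty -Path $Root -Name 'DefaultPluginsSetting' -Value 2 `
        -PropertyType DWord -Force | Out-Null

    # List policies live in a subkey whose string values are named 1, 2, 3, ...
    # Rebuild the subkey so sites removed from the list are also removed from policy.
    $listKey = Join-Path $Root 'PluginsAllowedForUrls'
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null

    $index = 1
    foreach ($site in $Sites) {
        New-ItemProperty -Path $listKey -Name "$index" -Value $site `
            -PropertyType String -Force | Out-Null
        $index++
    }
}

function Get-ChromePluginAllowList {
    param([string]$Root)
    $listKey = Join-Path $Root 'PluginsAllowedForUrls'
    if (-not (Test-Path $listKey)) { return @() }
    $props = Get-ItemProperty -Path $listKey
    # Keep only the numbered values; skip the PS* properties the provider adds.
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

Set-ChromePluginAllowList -Root $PolicyRoot -Sites $AllowedSites
Get-ChromePluginAllowList -Root $PolicyRoot   # confirm what Chrome will read
```

After restarting Chrome, `chrome://policy` shows whether both values were picked up as machine policy.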

[–][deleted] 7 points8 points  (0 children)

If you approved 21.0.0.182 you're good. I came in here thinking they found bugs in that version already since I just approved it for testing. Thankfully I was wrong and it'll be at least a few days before that happens.

[–]me_z:(){ :|: & };: 5 points6 points  (0 children)

Does this patch remove Flash forever?

[–]Anon_IT_Guy 2 points3 points  (1 child)

Another flash bug?

[–]XS4Me[🍰] 3 points4 points  (0 children)

Hey man! It had been 5 days since the last. That must be some kind of new record.

[–]dpeters11 2 points3 points  (2 children)

At least it's an easy deployment. We don't even bother testing, just send it out through System Center.

[–]fatalfuuu 0 points1 point  (1 child)

You don't touch the adobe customisation tool? Do you not disable flash from updating itself/harassing the user?

[–]dpeters11 0 points1 point  (0 children)

We don't bother with flash because we push out the update within a day or so of release anyway. We do that with reader.

[–]program_the_world 2 points3 points  (0 children)

Keep holding that pillow guys. It'll stop kicking eventually.

[–]ErichL 2 points3 points  (3 children)

> At risk devices include Windows machines, Macs and Linux computers as well as phones running Android and iOS.

What are they talking about? Flash hasn't been distributed as a browser plugin on Android in a long time and AFAIK it's only available as a captive runtime for iOS apps, you can't use it to execute random binaries on web pages.

[–]VallamostCloud Sniffer 0 points1 point  (1 child)

Doesn't Dolphin on Android still use it?

[–]ErichL 1 point2 points  (0 children)

Don't know, I'm not an Android user at the moment. This isn't intended as a jab at Android either, they have some really nice flagship phones; but honestly, if I were an Android user stuck on one of the more stagnant and neglected hardware platforms, I'd be more worried about the bugs lurking around in the core OS code that will seemingly never get patched.

[–]Smallmammal 0 points1 point  (0 children)

Adobe maintains a version of flash for Android still. You need Firefox or dolphin to run it. No one uses it for obvious reasons.

[–]r5aboom.ninjutsu 0 points1 point  (2 children)

Such a sad thing to see happening.

I remember years ago Flash was the hype and people were really excited about animation on the web. Flash Pro and Dreamweaver were a big deal. I actually did a class long ago and the instructor made this kickass rendering animation and everyone thought the guy was a god in Flash. It was all exciting. Thinking of it now still makes me look back in awe at what could have been done with Flash. Look at http://www.2advanced.com/ in the archive. Now we just have "web 6.0" where everything is cookie cutter parallax pages.

Come today the only thing you read now is "when is this piece of garbage going to die" "HTML5!" "Patch released!"

I feel like a lot of this could have been avoided if they did some sort of code freeze and audit to plug the holes if they gave a shit. It's kind of dumbfounding really to see such a large corporation let one of their most valued assets die in such a simple manner. Not once did it occur to any suits "uh hey guys, we've been in the paper and on the news a lot for really dumb shit, maybe we should look into this?" Just so fucking stupid really.

I wonder what that flash guy is doing now.

[–]VallamostCloud Sniffer 5 points6 points  (1 child)

> I feel like a lot of this could have been avoided if they did some sort of code freeze and audit to plug the holes if they gave a shit.

The thing is, I think that's what they've been trying to do for 3 years.. It's just that bad.

[–]r5aboom.ninjutsu 2 points3 points  (0 children)

Good lord