What is the latest news regarding Adobe Flash?

UsernameIssues · 25 Oct 2015

AnneBurns said:

~~~
Wow! That was some great info. I think I will keep Flash because if it isn't broke, don't fix it. I enjoyed watching both videos. It was a wonder to me how far technology has come. Btw, how do I give credit for folks answering my questions? Thanks UI!!!

You are welcome.

Thanks for the rep.

You might be interested in this post:
https://www.sevenforums.com/security-...nt-killer.html

I don't have the Flash add-on installed for IE. I don't have the Flash plug-in installed for Pale Moon. If I need to see Flash content, I paste the URL into Chrome (which has Pepper Flash built in). This limits my exposure to Flash based exploits because I'm not doing most of my surfing with a Flash enabled browser.

Also, Chrome updates itself and its Flash silently - without needing admin rights or user involvement. That comes in handy for the dozens of computers that I oversee at work - where the user is not an admin.

FerchogtX · 25 Oct 2015

Alejandro85 said:

Speaking of that, HTML5 is still in its infancy. Browsers have still problems in getting it properly implemented, and some have different behavior. Cross-browser compatibility suffers as a result, making it further difficult for a web developer to get a working site with advanced features in plain HTML. Flash on the other hand is a mature thing, and differences between versions are minimal, which simplifies development.

Cross-browser compatibility, broken of course by Google and their stupid VP9 standard for HTM5 videos (H264 is faster) just to save bandwidth...
Now, being serious, yeah, this is still in diapers, I mean, it's impossible that video cards capable of decoding H264 are blacklisted by Chrome or Firefox, and of course, it's more ridiculous that this is the only solution to fix their problems with HTML5 playback, in hopes you buy another card/laptop... I just wonder why programmers are so lazy this days, specially talking about browsers (again).

I mean, I can decode a full HD 60fps video locally, even with VLC (that may exhibit some problems unless you configure it to use OpenGL, which is faster than DirectX) and Firefox just derps with it, simply by setting the flag to "You can't decode because my detection routines don't work properly and I'm lazy as **** to fix it, ah! almost forgot, I force down your throat Ciscos's plugin for H264, which clearly demonstrates is way too slow for this, and gives problems with decoding detection, so your CPU will suffer the consequences, just instead of making t optional for people that can't decode anything to save their lives - same for me, Google Chrome"... Yeah, latest Nighly build seem to fix many issues, but not all, and things go on...

The ony thing Flash seems to not allow is 60 fps playback (which is a shame), but most of the times is way more stable than HTML5... And it's just because of lazyness...

So yeah, Flash is to stay at least a couple of years more, until browsers can do something decent with HTML5 multimedia handling...

DavidE · 25 Oct 2015

UsernameIssues said:

I don't have the Flash add-on installed for IE. I don't have the Flash plug-in installed for Pale Moon. If I need to see Flash content, I paste the URL into Chrome (which has Pepper Flash built in). This limits my exposure to Flash based exploits because I'm not doing most of my surfing with a Flash enabled browser.

I use Pale Moon and have the Flash Plugin set to Ask to Activate
I have the Click to Play per-element extension.

My understanding is this prevents all Flash from auto playing, and I can choose if/what/when flash content plays.

I would prefer not to install another (Chrome) browser just to play flash content when i want to.
I'm just a home user, i don't oversee other work PC's.

If my setup is less secure than using a browser with built-in flash, maybe i should re-think it ?

UsernameIssues · 25 Oct 2015

AnneBurns said:

Thank you to everyone who gave me both cons and pros regarding continued use of Adobe Flash. Case closed!

Sorry, I did not see your "case closed!" statement before I made post #11. As you can see, you have a topic that interests many members. If you wish, you can unsubscribe to the topic so that you don't get an e-mail* each time someone continues to post to this thread. To unsubscribe, look for and click on the link near the top of the page:

What is the latest news regarding Adobe Flash?-unsub.png

*assumes that your forum settings sends you e-mails.

DavidE said:

UsernameIssues said:

I don't have the Flash add-on installed for IE. I don't have the Flash plug-in installed for Pale Moon. If I need to see Flash content, I paste the URL into Chrome (which has Pepper Flash built in). This limits my exposure to Flash based exploits because I'm not doing most of my surfing with a Flash enabled browser.

I use Pale Moon and have the Flash Plugin set to Ask to Activate
I have the Click to Play per-element extension.

My understanding is this prevents all Flash from auto playing, and I can choose if/what/when flash content plays.

I would prefer not to install another (Chrome) browser just to play flash content when i want to.
I'm just a home user, i don't oversee other work PC's.

If my setup is less secure than using a browser with built-in flash, maybe i should re-think it ?

As far as I know, the Flash content must play** in order for exploits to work.
Your setup should be safe...
...if Flash is kept up to date
...if there are no exploits in the wild for the Click to Play per-element extension.

**Flash objects can "play" without any visible motion for the user to see. The Flash object could be made to look like the screenshot below while "playing". That looks like a Flash object that has not been clicked on and is not playing.

What is the latest news regarding Adobe Flash?-fe.png

I'm not certain if Flash exploits have to also be coupled with a browser exploit in order to do damage. If the browser plays a role, then Chrome and IE might be safer than Pale Moon and Firefox simply by virtue of the integrity level that the browsers run at***. With the UAC turned on, IE and Chrome use a parent process at the medium integrity level. Their children processes (the ones that render websites) are run at lower integrity levels (lower is better/safer). Pale Moon and Firefox only use one instance and that instance runs at the medium integrity level. However, my thinking might be flawed. Perhaps privileged execution exploits can elevate a low integrity level process to the high integrity level with the same ease that a medium integrity level process can be raised to the high integrity level.

***as you can see, I rebel against the notion that one should not end a sentence in a preposition.

AnneBurns · 25 Oct 2015

No worries about this thread being continued. My query has unleashed some great feedback. I think the most important thing to remember, if you choose to keep Flash, is to make sure it has the latest updates. I make it a point to do that.

DavidE · 25 Oct 2015

AnneBurns said:

No worries about this thread being continued. My query has unleashed some great feedback. I think the most important thing to remember, if you choose to keep Flash, is to make sure it has the latest updates. I make it a point to do that.

I agree and keep Flash updated.
I subscribe to the "latest version of" thread so i soon get an email notification whenever a new version is available.
That way I don't have to manually periodically check for Flash updates.
Subscribe to this thread and you can keep informed of Flash changes via SF email:
Latest Version of Adobe Flash Player

UsernameIssues · 26 Oct 2015

The latest, most up to date version of Flash will most likely be flawed. Researchers have worked their way into various forums where exploits are sold and it seems that there is a list of exploits that are doled out after other exploits get patched. Having an exploit patched is good news for those that sell exploits. It just brings them more business.

It takes less than 24 hours from the time that an exploit is sold (or given away) to the time that it can show up in the wild. It takes a lot longer than that for Adobe to create a patch and then get all computers updated. There are members of this forum that have decided that there is no Flash content worth the risk. They don't have Flash installed/enabled for any browser.

I'm visiting this forum via Pale Moon, but I have Chrome streaming Flash video content in another window. I use Chrome/Flash every day, but I try to use it in ways that help prevent attacks. For example, I like a few streams on ustream.tv. Rather than bookmark and visit a particular channel, I bookmark the info needed to only play the stream of interest, not the potentially dangerous stuff around the stream.

What most people bookmark:

Code:

http://www.ustream.tv/nasahdtv

What is safer to bookmark:

Code:

http://www.ustream.tv/embed/6540154

What I actually bookmark:

Code:

http://www.ustream.tv/embed/6540154?wmode=opaque&autoplay=true&volume=0&quality=best

Subsequent visits to those bookmarked streams are less dangerous than visiting the entire webpage.

What are the odds...
...that you will encounter a website that is delivering infected adverts? I can't answer that. Yahoo.com (and 22 other reputable websites) infected lots of visitors with CryptoWall 2.0 late in 2014. The bad guys had taken over some of the servers that deliver adverts. Those servers then infected ads. Yahoo delivered ads from servers that they did not own/control. Most websites do that too.

Depressing - ain't it.

DavidE · 26 Oct 2015

UsernameIssues said:

Depressing - ain't it.

Yes

AnneBurns · 26 Oct 2015

It seems to me that no matter what we do, there will always be a risk factor to consider. All a person can do is be mindful of what you click on, keep a 'clean machine', clear your cache including temporary files and such, have decent anti mal and viral protection, and go to a forum to get software to occasionally really clean house.