I uninstalled Flash a few months ago and don't miss it.
I mostly use Firefox, but I do keep Chrome around, so I could use Chrome's Flash if I wanted to, but I don't think I have so far.
The only site I commonly visit that doesn't work is BBC News, funnily enough. It's a little annoying because it will work if I change the user agent to iPad, but instead I just don't watch BBC News videos.
> Adobe and Google have now created a “Pepper” implementation of Flash Player for all x86/64 platforms supported by the Google Chrome browser, Adobe said.
Google has what's called Pepperflash, which is just the flash executable in a sandbox, similar to what IE8+ has been doing with sandboxing on Vista and newer OS's. Both browsers are incapable of stopping many attacks with their various sandboxing techniques. Flash is just too poorly written and can't be too deeply sandboxed probably because of all the things it needs to do (directly access video drivers, directly access microphones, etc).
It astounds me how often Flash and Acrobat keep pooping their pants with horrible security holes that require frequent updates. It's been how many decades that this been going on for, now?
Yeah, sure, Flash does a lot of crazy stuff that's hard to sandbox, and everyone who understands the code base probably left Adobe years ago, but what the hell is Adobe's own flagship Acrobat doing, that they just can't get it right no matter how many times they try?
Does pushing out so many updates increase the number of third party spyware toolbars that get installed, or something? Is McCaffe (or NSA) giving them a kickback for every virus vector they install that makes McCaffe Security Scan Plus seem useful, on top of the toolbar kickbacks? http://www.tiagoespinha.net/2010/10/adobe-starts-including-s...
Why don't they just run it through emscripten and be done with it?
I find that "click to play" works well enough. So it's always off by default, but you still have the option to make exceptions in the very rare cases where it's needed. I always wonder why is this not enabled by default in all majors browsers in fact.
My problem with click to play — which I used for a few years on Safari, Chrome, and Firefox, with extensions before it was built-in — is that your browser still reports to the website that you have Flash installed. At this point, most sites work without Flash, but only if the site thinks you don't have it. (Or, like Youtube, by requesting the HTML5 player in a setting.)
I haven't had Flash Installed on my primary system for 12+ months, and, I absolutely don't miss it. Ironically, the BBC news is one of the very, very few places that seems to use Flash for Video - so it's probably the only site that I'm ever impacted on.
Emergency fix? To update to the latest McAfee I assume?
I'm sorry for the snark, but bbc reporting without details about Flash - including the helpful 'Flash is a commonly used browser plug-in' subtext below the logo - seems a bit off around here?
The BBC is blog spam yes. It quotes Kreb's article, which happens to be almost exactly the same, except BBC removed links to the advisory, etc.
Edit: in response to TazeTSchnitzel to whom I cannot reply. If BBC included a link to the original post or the actual security advisory I would be less likely to call it blog spam, but I stand by my classification. It is a repost without the sources and with less information (notably a warning to users about the McAfee opt out among other things).
Ha ha, thanks! I've had that problem too. Is that a bug or a feature? How does it work: does it make me travel back in time to before the reply window expired?
It actually transports you forward in time. To discourage deeply nested flame wars, there's a waiting period before the reply link appears that grows with the thread.
Chrome really needs to stop bundling this garbage. Even with whatever Google magic attached to flash, its still a very dangerous plugin, if not the most dangerous. There was just a CVE for the version previous to this one. And the one before that. Its an endless treadmill.
This should be a wake-up call to make flash non-default and, if installed, click-to-play only. Its time we started treating it like Java. Like Java, its clear its owner can't secure it. I imagine its borderline unmaintainable spaghetti code at this point.
Its also very hypocritical of Google, who has taken issue with SSL encryption levels and NPAPI, to be bundling what's essentially the second largest malware vector in browser history, only behind Java. This SHOULD be our wake-up call.
- It will now be click-to-play and enable a icon like the pop-up blocker in the address back to enable all on a page or to whitelist the page.
- You can also whitelist from the settings page by clicking Manage Exceptions, and adding them like this: [*.]youtube.com (all sub-domains, and protocols on youtube.com)
I did not know chrome had this setting option, or I view it but did not really realize what it was for. I'm glad you took some time to list the needed steps.
As I posted elsewhere in this thread, with click to play your browser still reports to the website that you have Flash installed. Sites still often don't send non-Flash content unless they thinks you don't have it installed.
Love how this is posted tut-tuttingly on the BBC's website -- which went from Real Player to Flash to -- eventually -- mp4 video, but only as a last resort. (Motto: "as a public entity we've never found a proprietary format we don't love".) Indeed, I had a Realplayer One "subscription" that took me something like a year to shut off (they'd claim it was off and then keep sucking money out of my account) which I blame entirely on the BBC.
Playing devil's advocate a little: But a lot of this was down to which streaming format their media partners would sign off on (they wanted certain DRM guarantees).
Real Player was the market leader in DRM-ed video, until Flash improved and took over.
Agreed, Flash is great for multimedia. That is largely why it is still so widely used. I just don't prefer it over security which is why it is blocked for me by default ;)
It turns out there is a faster way to fix the issue. There is a program called Adobe Flash Player Uninstaller that does the trick, and as an added benefit, it also prevents any future zero-day exploit.
Seriously, I've been Flash-free for many months, and I haven't missed a thing. I highly recommend it. Other than some really old websites, everything works as expected (YouTube, news websites with video, etc.).
Same here. Though I use extensions like ClickToFlash, which prevent plugin loading by default, but allow me to selectively activate plugins in the DOM by clicking on them.
44 comments
[ 3.6 ms ] story [ 110 ms ] threadThe issue is obviously the Flash player and the browser plugin architecture. With WebAssembly you get the "binary blob" executed without a plugin.
The only site I commonly visit that doesn't work is BBC News, funnily enough. It's a little annoying because it will work if I change the user agent to iPad, but instead I just don't watch BBC News videos.
http://www.pcworld.com/article/250455/for_flash_on_linux_chr...
> Adobe and Google have now created a “Pepper” implementation of Flash Player for all x86/64 platforms supported by the Google Chrome browser, Adobe said.
Yeah, sure, Flash does a lot of crazy stuff that's hard to sandbox, and everyone who understands the code base probably left Adobe years ago, but what the hell is Adobe's own flagship Acrobat doing, that they just can't get it right no matter how many times they try?
Does pushing out so many updates increase the number of third party spyware toolbars that get installed, or something? Is McCaffe (or NSA) giving them a kickback for every virus vector they install that makes McCaffe Security Scan Plus seem useful, on top of the toolbar kickbacks? http://www.tiagoespinha.net/2010/10/adobe-starts-including-s...
Why don't they just run it through emscripten and be done with it?
I'm sorry for the snark, but bbc reporting without details about Flash - including the helpful 'Flash is a commonly used browser plug-in' subtext below the logo - seems a bit off around here?
Which is highlighting this security release from Tuesday: https://helpx.adobe.com/security/products/flash-player/apsb1...
Edit: in response to TazeTSchnitzel to whom I cannot reply. If BBC included a link to the original post or the actual security advisory I would be less likely to call it blog spam, but I stand by my classification. It is a repost without the sources and with less information (notably a warning to users about the McAfee opt out among other things).
If you ever cannot reply to a post try clicking the "X minutes ago" link and usually the reply link will then show.
This should be a wake-up call to make flash non-default and, if installed, click-to-play only. Its time we started treating it like Java. Like Java, its clear its owner can't secure it. I imagine its borderline unmaintainable spaghetti code at this point.
Its also very hypocritical of Google, who has taken issue with SSL encryption levels and NPAPI, to be bundling what's essentially the second largest malware vector in browser history, only behind Java. This SHOULD be our wake-up call.
Additionally, it was Flash that was compromised, not Pepper. There's a distinction.
Open Firefox and navigate to about:config.
You will be sarcastically warned that you about to void your warranty, just click on the “I’ll be careful, I promise!” button to move on.
Now search for:
Next you need to right-click and toggle the setting so that the value is true.Once you are done restart Firefox.
To test it out, head over to a site with Flash (BBC, ironically, has Flash), you will notice you will have to click on the plugin to activate it.
That’s all there is to it.
I'm sure there's a similar method for Chrome, but I don't have it installed to test.
- Open Settings
- Show Advanced Settings (bottom)
- Content Settings (under Privacy)
- Plugins -> "Let me choose when to run content."
- It will now be click-to-play and enable a icon like the pop-up blocker in the address back to enable all on a page or to whitelist the page.
- You can also whitelist from the settings page by clicking Manage Exceptions, and adding them like this: [*.]youtube.com (all sub-domains, and protocols on youtube.com)
I did not know chrome had this setting option, or I view it but did not really realize what it was for. I'm glad you took some time to list the needed steps.
https://helpx.adobe.com/security/products/flash-player.html
Flash is and always has been an absolute joke, I refuse to install it on anything I own.
Real Player was the market leader in DRM-ed video, until Flash improved and took over.
Seriously, I've been Flash-free for many months, and I haven't missed a thing. I highly recommend it. Other than some really old websites, everything works as expected (YouTube, news websites with video, etc.).