This may be confirmation bias, and admittedly no software is without vulnerability, but is it just me or do we see these updates for Flash more so than just about any other internet-facing client?
Is Flash really that bad or is everyone else just bad at reporting zero-day exploits publicly?
Also "Zero Day Exploits" generally mean that the exploit was released to 3rd parties before it was given to the company whose software was being exploited.
I'm a sysadmin at a Big 4 auditing firm. Adobe products are the bane of our existence.
Acrobat 9.4.1 takes over to install. Oh that's right, there's a vulnerability in that version, so now we're gonna have to push 9.4.2
When a user's Flash installation is corrupted, many times the uninstaller fails, so we have to use Windows Installer Cleanup to remove it. Every week, there's a new issue. Can't these fellows get it right?
I'm an ex-Flash developer (8 years). I can tell you it's bad. I could find many ways of crashing the browser a few years back. And just reading this article, I went to about:plugins in Chrome and disabled Flash for now.
Flash really is that bad. As a potential malware vector & as something where most users are probably hopelessly out of date (and not by their own fault).
I can't comment on Flash being worse than other software, but one thing is clear: it extends the attack surface of your browser with a whole maze of exploitable goodness.
I actually had the reverse chronology. I discovered how using ClickToFlash gave me significantly better battery life on my MBP, along with faster page loads and zero mysterious pinwheels. ClickToFlash has a better price-performance ratio than upgrading to an SSD – and I love my SSD.
So when I got an iPad, I was especially mystified at why anyone should complain about this garbage being missing.
Haw, quite so. Still, even if the SSD were given to you for free, and we measured cost in installation time, the cost in time to install each one versus the resulting gains would be tremendously in favor of ClickToFlash, so awful is Flash.
I'm not sure I understand your meaning. Using just click to play in about:flags, on a page with blocked plugins you can click the icon which appears next to the bookmark star and select "Run all plug-ins this time". Is that not sufficient?
For per-site whitelisting, you can click on that icon and check "always allow plugin on ..." or go to "settings > under the hood > content > plugins > manage exception."
It isn't the easiest or most intuitive way, but so far it has worked well enough for me.
I am not 100% sure if that extension is totally blocking the Flash files. Last time I checked it, it was only applying a "display: none" with CSS, and some files slipped past it, making it ineffective against 0-day exploits.
Yeah, I've been noticing something similar. Since upgrading my Android phone to 2.2, with Flash support, browsing the web got slower and clunkier. So many pages have flash advertisements on them, and the phone just doesn't have the horsepower to render them and stay responsive. I wonder if I can turn it off...
In the browser, go to settings, then click 'enable plug-ins' and choose 'on demand'. It will work like ClickToFlash and show you a container with an icon wherever Flash applets are on a page, which you can just tap on to start playing if you want to.
I just use NoScript. No Flash will load unless I tell it to, no JavaScript will load unless I allow it. It's like we first intended: I am the god of my browser. NONE SHALL PASS!
Agreed. What you lose is about 99% ads or games or overly complicated restaurant website UIs. For cases where it's something like a Flash video player, I just click on the NoFlash/ClickToFlash placeholder rectangle, which then allows the actual Flash asset to load, and I partake of it. I've generally seen fewer freezes, crashes and less memory use since switching to this approach.
Chrome cannot sandbox all plugins without some effort. Only recently did they add support for sandboxing Flash to the stable Chrome release, and even then, only on Windows:
Where can I get accurate information on how sandboxing works on OS X, what it exactly does, what its limits are, and which vulnerabilities it does and doesn't protect against?
FlashBlock: it's not just for keeping your browser from crashing, saving your RAM, conserving battery life, and/or keeping your computer from locking up!
They remind me more of Microsoft at Apple's 90s low point. Their software is everywhere, and it's full of security problems as a side effect of how there was little consideration for security in the original design.
Microsoft has only recently caught up with its insecure legacy. That suggests that we have another 15 years before Flash becomes stable software.
Like it or not, at many big companies, Word docs and Excel spreadsheets (and PowerPoints...) get abused in incredible ways. You'll somehow end up distributing a training document in an Excel spreadsheet, and then some not-so-tech-savvy manager will come up with the brilliant idea of including VIDEOS in the training documents... and then it begins.
Simply put, Microsoft and Adobe will cram as much crap into their file formats (PDFs...) as they think random middle managers in large corporations want (and sadly actually use...).
I've seen such things done. It hurts to get a Word doc that's just full of embedded JPEGs from a scan of a printed-out PDF that was originally a website...