
New Adobe Flash Vulnerabilities Being Actively Exploited On Windows and OS X

Posted by Soulskill
from the something-to-be-said-for-consistency dept.
Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."

  • by Anonymous Coward on Friday February 08, 2013 @02:09PM (#42834777)

    I know many will rush to disagree with me but Flash cannot die soon enough...

    • by Anonymous Coward on Friday February 08, 2013 @02:12PM (#42834813)

      This is German for "the Flash, the".

    • by popo (107611)

      And replace it with what? The atrocity also known as HTML5 which is not write once run anywhere, is an absolute bear to code and despite the hype is nowhere near suitable for gaming yet?

      There's a reason Flash is the world's most popular online multimedia platform. It's not without issues, but it is lacking a worthy contender.

      • by Billly Gates (198444) on Friday February 08, 2013 @02:25PM (#42835017) Journal

        Yep. HTML 5 can offer hardware acceleration on pretty much any mobile device.

        The reason for flash was that Java was an ugly POS and people did not want to wait a full minute for their ugly applets to load while flash was all nice and pretty and loaded instantly.

        Flash also exists because of IE. Old IE I may add as IE 9 and IE 10 got their act together and support the HTML 5 video tags. When IE 10 comes out for Windows 7 and XP goes EOL we will see a shift in websites catering to HTML 5 users making flash obsolete for all but the conservative businesses.

      • by gstoddart (321705) on Friday February 08, 2013 @02:44PM (#42835295) Homepage

        There's a reason Flash is the world's most popular online multimedia platform.

        Can you tell us what that is?

        For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.

        • Re: (Score:2, Interesting)

          by amicusNYCL (1538833)

          Can you tell us what that is?

          Like he said, it doesn't have a viable feature-comparable alternative.

          For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.

          Cool story. Meanwhile, even here in 2013, our company started in 1996 is still selling new Flash-based learning courses to companies and government agencies worldwide, and they're still ordering new ones. It's easy for the artists to work in, the code to run the courses hasn't needed to be patched or updated in several years, and the major time expense is still having people write the actual instructional content.

          • by gstoddart (321705)

            Cool story. Meanwhile, even here in 2013, our company started in 1996 is still selling new Flash-based learning courses to companies and government agencies worldwide, and they're still ordering new ones.

            Yup, and it's products like yours why I periodically have to go open up the browser of insecurity (IE), because it's the only one that has Flash enabled. Usually 2-3 times per year some company-mandatory crap needs it.

            But for day to day use? Flash is disabled or just simply not installed because I h

            • Yup, and it's products like yours why I periodically have to go open up the browser of insecurity (IE), because it's the only one that has Flash enabled. Usually 2-3 times per year some company-mandatory crap needs it.

              If only there was a viable alternative. I haven't seen a good way to synchronize audio with animation, or to let a non-programmer create good artwork, for that matter. Until an HTML5/SVG authoring environment comes along which can export projects that have all of the functionality of Flash and can be used by an artist, we're stuck with Flash. Flash can export some things to HTML5, but it drops a lot of features when it does so.

          • And you can argue with this being a feature - or a bug. Just recently finished some course work over at the American Heart Association website. Flash, natch. The structure of which has not been changed for a decade. The same poorly thought out navigation, the same IE centric, buggy code. Just some new content.

            Yes, it's AHA's decision not to spend the money to really look at what they are doing, but it's a pretty standard business practice. If it ever worked, it's good enough.

            If I ever find the person

            • It's gotten worse lately, now with Captivate and Articulate being released, anyone who can type can create online learning content. I've seen plenty that are no better than a Powerpoint presentation. We have a full staff of instructional designers, artists, etc who actually manage to create engaging and award-winning content, but seeing our competition, I feel your pain.

          • by Onan (25162)

            >>> ...online multimedia platform.
            >> Can you tell us what that is?
            > Like he said, it doesn't have a viable feature-comparable alternative.

            That... doesn't answer the question. If your argument is that Flash is so awesome because it's the best "online multimedia platform", then you're going to have to back that up to what the fuck an "online multimedia platform" is and why I would want one.

            Because yes, like many others in this conversation, I have only seen Flash used for things that I quite

            • That... doesn't answer the question. If your argument is that Flash is so awesome because it's the best "online multimedia platform", then you're going to have to back that up to what the fuck an "online multimedia platform" is and why I would want one.

              We can start that pretty simply. It is a vector-based graphic and animation tool that allows you to synchronize audio with the animation. That alone has every other alternative beat. Things like drag and drop and all of the various interactions can be reproduced with Javascript in a browser, but letting a non-programmer artist create the content and synchronize the audio with what's going on in the content isn't found in other alternatives.

        • by Kagato (116051)

          Most media options are done in flash. Any type of subscription based service that runs in the browser is flash because there is no standard. And it's going to stay that way so long as Microsoft is going to be a dick and insist everyone else uses their tech for secure streaming.

        • by westlake (615356) on Friday February 08, 2013 @03:40PM (#42836043)

          For me, Flash has never provided anything of value -- just ads and badly written web sites is my opinion of it. I think Flash is crap.

          You're entitled to your opinion.

          But Flash remains a remarkably viable platform with mature development tools for animation, video and games. Amanita Design [amanita-design.net] comes vividly to mind with games like Samorost, Machinarium, and Botanicula.

          Animation in ads and badly designed websites doesn't go away simply because their developers have migrated to HTML5.

          • by Onan (25162)

            It backfires a bit when your argument in favor of Flash being at the heart of a vast and vital industry is citing a company no one has ever heard of and three games that no one has ever heard of.

            It sounds as if you live in some tiny little niche universe in which "multimedia platform" is a thing. But you should be aware that for nearly everyone else out there, those words are not even meaningful, much less describe anything important or desired.

            • by westlake (615356)

              It backfires a bit when your argument in favor of Flash being at the heart of a vast and vital industry is citing a company no one has ever heard of and three games that no one has ever heard of.

              Oh, really?

              Machinarium is a puzzle point-and-click adventure game developed by Amanita Design. It was released on October 16, 2009 for Microsoft Windows, OS X, Linux, on September 8, 2011 for iPad 2 on the App Store, on November 21, 2011 for BlackBerry PlayBook, on May 10, 2012 for Android, on September 6, 2012 on PlayStation 3's PSN in Europe, on October 9, 2012 in North America and on October 18, 2012 in Asia.

              Microsoft Windows, Mac OS X, Linux and Android versions of this game were released along with Humble Indie Bundle for Android 4 on November 8, 2012, to customers who paid over the average price.

              It won the Excellence in Visual Art award at the 12th Annual Independent Games Festival and the Best Soundtrack award from PC Gamer in 2009. It was nominated for an Outstanding Achievement in Art Direction award by the Academy of Interactive Arts & Sciences and a Milthon award in the 'Best Indie Game' category at the Paris Game Festival.

              Gaming site Kotaku named it a runner-up for "PC Game of the Year 2009" alongside Torchlight, losing to winner Empire: Total War. Gamasutra, Gamerview and the Turkish site of Tom's Hardware all selected Machinarium as the 'Best Indie Game' of 2009. AceGamez named Machinarium the 'Best Traditional Adventure Game' of 2009.

              Machinarium [wikipedia.org]

              In April of last year there was the Humble Botanicula Debut. [youtube.com]

          • by phayes (202222)

            Flash animations go away when you remove flash, use flashblock or soon just use Firefox.

            I couldn't care less what games are built with flash. I value not getting hacked by blocking flash more than any minor value flash provides. Adobe has proven themselves unable to provide the level of security I need to leave it on my machines.

        • by Waccoon (1186667) on Friday February 08, 2013 @06:55PM (#42838463)

          Installation was fantastic. When Flash was new under Macromedia, I remember it being only 300K, and it installed immediately without a reboot or restarting the browser. Java at the time weighed in at (I believe) over 12MB and required a reboot. So did most other media players.

          Games. Casual gaming on the PC owes itself almost entirely to Flash. Java sucked, and the alternative was to download and install an EXE, which could do just about anything to your PC. Flash made it possible to run games instantly, directly, without an install, on both PC and Mac. It was the Steam of the day, and worked when everything else failed miserably.

          Cartoons. Doing stuff in vectors reduced bandwidth a thousand fold. Say what you want about HTML5 and movie codecs, but if you want to do vector animation, Flash is still your only option.

          Educational apps. Ever been to a tech site where they have some kind of visual interactive application to show how the technology works? Java should have dominated in this area, but installing Java was painful, the download was huge, and at one time, Java applets couldn't play audio, because that was considered a security violation. Yes, in an attempt to crack down on the annoying audio and MIDI craze, Java banned all audio in applets for a while. No wonder tech sites dumped Java and went to Flash for their presentations.

          Say what you will of closed-source, proprietary media players, but all things that tried to compete with Flash have royally sucked. Flash is most definitely useful, and will continue to exist until HTML stops being garbage (which may take another 10 years or so -- if ever).

      • by Anonymous Coward on Friday February 08, 2013 @02:55PM (#42835433)

        There's a reason Flash is the world's most popular online multimedia platform.

        Yes. DRM.

      • by JDG1980 (2438906) on Friday February 08, 2013 @03:58PM (#42836301)

        And replace it with what? The atrocity also known as HTML5 which is not write once run anywhere, is an absolute bear to code and despite the hype is nowhere near suitable for gaming yet?

        It's true that for this one particular use-case, Flash may still have an edge against open technologies. But 99% of the Flash on the web is either ads or videos. We don't want to see the ads anyway, and HTML5 makes embedding videos without Flash in a standards-compliant fashion relatively easy. And remember, if your site relies upon Flash, no one with an iDevice will be able to use it correctly. And that's not going to change. In contrast, HTML5 videos work fine on both desktop browsers and portable devices.

        If the only thing Flash is good for is some types of online gaming, then many users don't need it at all, and for those who do, it should be set by default to use a whitelist and only permit the plugin to be invoked on domains that are specifically authorized by the user.

    • Automatic flash updates. TFA states that Firefox and Safari on Mac are currently vulnerable and require manual update. Even IE10 on Win8 is doing auto updates. My odds of getting exploited via this vulnerability on my Chromebook? Basically zilch?

      • by KiloByte (825081)

        This particular vulnerability might be patched, but you're wide open to hundreds of others. Flash is not something a responsible OS distributor should install by default.

      • by tibit (1762298)

        TFA is spreading FUD. I've had self-updating flash on OS X for at least a year now, IIRC. Yes, it has been self-updating for safari and other browsers, all automagically. Yes, you can manually disable autoupdates, but then it's your own damn fault.

    • Especially if you're a sysadmin who has to manage installation & updates.

      http://www.bynkii.com/archives/2013/02/wtf_flash.html [bynkii.com]

    • I know many will rush to disagree with me but Flash cannot die soon enough...

      The problem is not Flash. The problem is the absolute incompetence of Adobe. Despite being a large company with lots of resources (programmers, money, etc) they are unable to produce a piece of software that isn't filled with exploitable security flaws. No software is perfect, but this is ridiculous. No, it's beyond ridiculous.

    • I know many will rush to disagree with me but Flash cannot die soon enough...

      But.. but... he saved every one of us!

  • by fuzzyfuzzyfungus (1223518) on Friday February 08, 2013 @02:13PM (#42834839) Journal

    I realize that implementing embedded flash objects in Office documents was probably something that mostly happened because Microsoft wanted OLE to make embedding arbitrary stuff in arbitrary stuff happen (unlike Adobe's sick fetish for inserting horrible things into PDFs, which is their own damn fault); but do Flash embeds in Office documents actually occur, in the wild, as something people would actually do and distribute, for anything other than malicious purposes? I honestly can't remember ever having seen a single one, ever.

    • by tibit (1762298) on Friday February 08, 2013 @03:26PM (#42835821)

      People use Word documents to send freaking pictures around, because they don't know they can paste into Paint. They don't know how to send weblinks either, so they paste it into Word and send it on.

    • Maybe. I've seen it in business Power Point presentations...and hated it *every* time. If I'm going to waste time, let me do it on Slashdot.

      To an impatient, time-pressed captive audience, a lengthy mandatory canned video is "almost malicious." Just give me five bullet points, ask for my decision and get out of my hair.

      Typical: Putting a lengthy flash animation such as "All Your Base Are Belong to Me" at the beginning of a power point presentation to sell me on centralized systems management. I'm already

  • I wonder if this and Java are related to the HUE monster security update [zdnet.com] for IE?

  • Huh? (Score:2, Informative)

    by mcgrew (92797) *

    I'm typing this on a Win 7 notebook w Firefox. KSHE's playing right now (using Flash, of course) and no notification came to me, although some virus defs came through this morning.

    Windows users are targeted with Microsoft Word documents delivered as email attachments which contain malicious Flash content

    Why? They could as easily infect you with a macro. Who in their right mind opens a Word doc from an unknown source, especially when Windows warns you when you start to open a word doc in Outlook (we use

    • Re:Huh? (Score:5, Insightful)

      by PlusFiveTroll (754249) on Friday February 08, 2013 @02:22PM (#42834975) Homepage

      >Who in their right mind opens a Word doc from an unknown source

      The idiot secretary in the next office over, or the next floor down.

      Then the payload mines her email addresses and sends you "Minutes from meeting" or some similar crap. So now instead of having an email from an unknown person you get an email from someone you'd expect to get word documents from. Hopefully you are in a company that has decent A/V on incoming mail, most small businesses don't.

      • by Ryanrule (1657199)

        Secretaries are not a thing anymore.

        • by bsane (148894)

          Now they're called assistants (or similar) and they still exist everywhere I've ever worked, there are just a lot fewer of them, and they don't type things up or take notes.

    • I didn't even know you could embed Flash content in a Word document. I'm guessing they are using ActiveX, which means you are safe if you don't happen to have the ActiveX version of Flash installed. What's very annoying is that Adobe's update notifier doesn't update both the ActiveX and Netscape plug-in versions of Flash, just one or the other. Always check the Flash control panel and make sure you have the latest version for both!
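The check the comment above recommends, as an added example (this is not code from the thread or from Adobe): a PowerShell script that inventories the Flash Player binaries on a Windows machine and compares the ActiveX (IE) and NPAPI (Firefox/Safari/Opera) versions, so a machine where the notifier updated only one of them stands out. It assumes the usual install directory under %WINDIR%\System32\Macromed\Flash (plus SysWOW64 on 64-bit Windows), that ActiveX controls are named Flash*.ocx and the NPAPI plugin NPSWF*.dll; $MinimumPatchedVersion is a placeholder to be filled in from Adobe's bulletin.

```powershell
# Added example, not from the thread: inventory Flash Player binaries on Windows and
# compare the ActiveX (IE) and NPAPI (Firefox/Safari/Opera) versions, since the update
# notifier may have updated only one of them.
# Assumptions: install directory <WINDIR>\System32\Macromed\Flash (and SysWOW64 on x64);
# ActiveX controls are Flash*.ocx; the NPAPI plugin is NPSWF*.dll.
param(
    # PLACEHOLDER: set to the fixed version number published in Adobe's security bulletin.
    [version]$MinimumPatchedVersion = [version]'0.0.0.0'
)

function Get-FlashBinaries {
    param([string[]]$Directories)
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'Flash*.ocx' -or $_.Name -like 'NPSWF*.dll' } |
            ForEach-Object {
                $vi = $_.VersionInfo
                # Build the version from the numeric parts; Flash's ProductVersion string uses commas.
                $ver = New-Object -TypeName System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
                [pscustomobject]@{
                    Family  = if ($_.Extension -ieq '.ocx') { 'ActiveX (IE)' } else { 'NPAPI (Firefox/Safari/Opera)' }
                    Version = $ver
                    Path    = $_.FullName
                }
            }
    }
}

function Test-FlashConsistency {
    # Returns one finding per problem: a family below the patched version, only one family
    # present, or the two families at different versions.
    param([object[]]$Binaries, [version]$Minimum)
    $findings = @()
    if (-not $Binaries) { return @('No Flash Player binaries found (nothing to patch).') }

    $newestByFamily = @{}
    foreach ($g in ($Binaries | Group-Object Family)) {
        $newestByFamily[$g.Name] = ($g.Group | Sort-Object Version -Descending | Select-Object -First 1).Version
    }
    foreach ($family in $newestByFamily.Keys) {
        if ($newestByFamily[$family] -lt $Minimum) {
            $findings += "${family}: newest installed $($newestByFamily[$family]) is below the patched version $Minimum"
        }
    }
    $distinct = @($newestByFamily.Values | Sort-Object -Unique)
    if ($newestByFamily.Count -eq 1) {
        $findings += "Only one plugin family is installed ($($newestByFamily.Keys -join ', ')); check whether the other browsers on this machine need Flash at all."
    } elseif ($distinct.Count -gt 1) {
        $findings += "ActiveX and NPAPI versions differ ($($distinct -join ' vs ')); the update notifier only updated one of them."
    }
    if (-not $findings) { $findings += "All Flash plugin families are at $($distinct[0]) and at or above $Minimum." }
    return $findings
}

$binaries = @(Get-FlashBinaries -Directories @(
    (Join-Path $env:WINDIR 'System32\Macromed\Flash'),
    (Join-Path $env:WINDIR 'SysWOW64\Macromed\Flash')
))
$binaries | Format-Table Family, Version, Path -AutoSize
Test-FlashConsistency -Binaries $binaries -Minimum $MinimumPatchedVersion
```

Run it as an ordinary user; reading file version resources needs no elevation. On 64-bit Windows both the 32-bit and 64-bit ActiveX controls land in the ActiveX family and the newest of them is what gets compared.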
    • by Inda (580031)

      "especially when Windows warns you when you start to open a word doc in Outlook"

      Um, some of us have taught them to tick the "don't ask again" box. Sorry about that.

      Getting macros to run is harder these days. There's an extra click or two. They don't execute automatically any more.

    • Re:Huh? (Score:4, Interesting)

      by _xeno_ (155264) on Friday February 08, 2013 @03:18PM (#42835735) Homepage Journal

      As far as I can tell, the Flash updater only bothers to check for an update when the computer first boots.

      Because everyone here constantly reboots their computer, right? I mean, it's not like most computers have sleep modes, and that most people just leave the OS running so they don't have to wait for it to boot. Clearly everyone constantly reboots their computer, once per day, to allow the Adobe Flash Updater to check for updates.

      • by mcgrew (92797) *

        That's one of many things that annoys me about Windows. This notebook runs W7 because I just haven't gotten around to installing Linux yet. Linux would already be on it if it wouldn't hibernate. Ironically, the Linux tower gets shut down when I'm not using it, because when I boot it, all the apps and docs that were open when I shut it down reopen, and it enters its password for me. Hit the switch, pour a cup of coffee and it's good to go, as if it hadn't been shut down at all.

        I wonder if Windows will ever c

    • Re:Huh? (Score:5, Informative)

      by benjymouse (756774) on Friday February 08, 2013 @03:33PM (#42835913)

      Windows users are targeted with Microsoft Word documents delivered as email attachments which contain malicious Flash content

      Why?

      Probably because of Windows sandboxing Flash through low-integrity mode. Even if you get to exploit a Flash vulnerability and execute your shell code on Windows, the code is still severely restricted in what it can do. Code executing inside of a low-integrity process can still not infect a system as write-ups (writing or interacting with a higher integrity object/process) are denied.

      They could as easily infect you with a macro. Who in their right mind opens a Word doc from an unknown source, especially when Windows warns you when you start to open a word doc in Outlook (we use Outlook at work).

      No, infecting with a Macro is more difficult since the last several versions of Word. Word will not automatically run macros and also has an internet-origin policy whereby documents received through Outlook or other email clients or downloaded using a browser are tainted with the "internet zone". You have to dismiss several warnings to run macros from such a document. But if Word will run Flash content (show the animation) and a vulnerability can be exploited, shell code can run as a user.

      That is, until Word 2010 which *also* runs in low-integrity when viewing content tainted with the internet zone. Since Word 2010 the shell code will still be confined to the low-integrity sandbox.
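The "internet zone" taint described in the comment above is recorded on NTFS as an alternate data stream named Zone.Identifier; Office 2010's Protected View and Word's macro warnings key off it. As an added example (not code from the thread), the PowerShell below reads and interprets that stream on a constructed sample document, so it runs offline. It assumes PowerShell 3 or later (for -Stream and Unblock-File) on an NTFS volume.

```powershell
# Added example, not code from the thread: inspect the "internet zone" mark that Windows
# attaches to files arriving through browsers and mail clients. It lives in an NTFS
# alternate data stream named Zone.Identifier ([ZoneTransfer] / ZoneId=3 for Internet);
# Office 2010+ Protected View and Word's macro warnings key off it.
# Requires PowerShell 3 or later (-Stream) on an NTFS volume. Sample files are constructed.

# URLZONE values as Windows uses them in the stream.
$zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneId {
    # Returns the ZoneId from the file's Zone.Identifier stream, or $null if the file is unmarked.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw -ErrorAction Stop
    } catch {
        return $null   # no such stream: the file never came through a zone-aware transfer
    }
    if ($text -match '(?m)^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    return $null
}

function Get-ZoneDescription {
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-ZoneId -Path $Path
    if ($null -eq $zone) { return "$Path : no Zone.Identifier; Office opens it with full trust" }
    $name = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { "unknown zone $zone" }
    $note = if ($zone -ge 3) { 'Protected View / macro warnings apply' } else { 'treated as trusted' }
    return "$Path : ZoneId=$zone ($name); $note"
}

# Constructed samples: a pretend e-mailed .doc marked as Internet zone, and an unmarked one.
$tmp = Join-Path $env:TEMP ('zonedemo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $tmp | Out-Null
$emailed = Join-Path $tmp 'Minutes from meeting.doc'
$local   = Join-Path $tmp 'local.doc'
Set-Content -LiteralPath $emailed -Value 'placeholder document body'
Set-Content -LiteralPath $local   -Value 'placeholder document body'
Set-Content -LiteralPath $emailed -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-ZoneDescription -Path $emailed
Get-ZoneDescription -Path $local

# Unblock-File deletes the stream, which is what "Unblock" in the file's Properties dialog
# does; after that the same document opens without Protected View.
Unblock-File -LiteralPath $emailed
Get-ZoneDescription -Path $emailed

Remove-Item -LiteralPath $tmp -Recurse -Force
```

Pointing Get-ZoneDescription at a real attachment saved from Outlook shows whether the mail client actually marked it; a missing stream on a file that did arrive by e-mail is the gap an attacker's "Minutes from meeting" attachment would slip through, and is worth checking on the mail client's configuration.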

  • LOL ... (Score:4, Insightful)

    by gstoddart (321705) on Friday February 08, 2013 @02:26PM (#42835039) Homepage

    Or, don't even run it. Flash has been a security and privacy hole for a decade or more.

    I refuse to install it except on work machines where I periodically have to use it for something I can't avoid.

    Yet another exploit? I'd like to say I'm shocked, but that would be a lie.

    • Email attachments have been a security and privacy hole for a decade.

      • by gstoddart (321705)

        Oddly enough, it was only ever Microsoft who decided they'd just blindly run anything in an email attachment.

    • I refuse to install it except on work machines where I periodically have to use it for something I can't avoid.

      Which Flash-only websites do you use for work?

    • by medcalf (68293)

      It's not really just a problem with Flash, or with Flash and Java, or with Flash and Java and (pick a technology). The problem is that we do not really know how to build complex, integrated systems — which is what end users need to get what they want (in this case, games and multimedia of various kinds) — that are secure enough for the Internet environment, at low enough operational and development costs to make them practical. Perhaps a new compute architecture (and associated language changes)

  • For way too many years it's been a mess. And these near-daily emergency patches now. WTF is broken in their development/testing process? I don't understand how it can stay so horrid, or why Adobe finds this acceptable...

    Even Windows has gotten a lot more secure over the years. But Flash, seems more broken each day.

    Anyone have any insight?

    • by DarkOx (621550) on Friday February 08, 2013 @03:17PM (#42835715) Journal

      Probably because there is not much you can do to fix a fundamentally bad idea. Think of it like all the various attempts to make smoking 'healthy': at the end of the day, intentionally sucking combustion gases into your lungs just is not good for you, no matter how low tar, free of synthetic chemicals etc you make it.

      What does flash do? It executes code from unknown origin on your machine. That has never been a good idea; even if in some cases you can't get around needing to do it. Flash has more problems though: it can't be fully sandboxed without breaking all those old apps, it needs to be able to do things like read files, open socket connections, etc.

      • by tibit (1762298)

        That's what any web browser does. Flash does not run native code directly from untrusted sources, just as web browsers don't. Usually, the content exploits the bugs that let you run some binary code directly, but it's not because shipping native code around is how it was supposed to work. Both web browsers and flash players get executable content they have to compile to native code and run, or at least run on a bytecode machine.

        • by DarkOx (621550)

          Not quite true. If we ignore javascript for a moment pure html rendering is not program execution; it's document formatting.

    • by JDG1980 (2438906)

      For way to many years it's been a mess. And these near-daily emergency patches now. WTF is broken in their development/testing process? I don't understand how it can stay so horrid, or why Adobe finds this acceptable... Even Windows has gotten a lot more secure over the years. But Flash, seems more broken each day. Anyone have any insight?

      Adobe outsources most of their development process to India. That's a major contributing factor.

  • WTF.. (Score:2, Insightful)

    by GrBear (63712)

    Why the fuck does a WORD PROCESSOR even allow embedded Flash files?! Payloading like this shouldn't even be possible in the first place, that would be as bad as embedded .EXE files in a .doc that autorun when you open the .doc

    • Indeed, I laughed when I read that in the summary. That kind of attack vector is just so good old Microsoft. <3

  • Such is the mantra here...

    Sooo tempted to send the CVE out to several people internally, as a word document.

    *sigh*

  • Does Adobe even ever get wrist-slapping fines for being one of the Horsemen of the Internet Apocalypse? They seem quite content to write shit code and leisurely fix it when their excrement is pointed out.

  • One thing that I see as causing some people to delay updating their Flash, despite an update being available, is that the installer requires you to restart your browser or anything else Flash thinks is using it. Many people take the attitude "I am working and don't want to be bothered restarting my apps, for something I rarely use".

    Is there any other way Flash could install its updates, without requiring browsers to be restarted?

    • by cbhacking (979169)

      The Netscape Plugin API (which is what Flash is implemented using on Firefox, Opera, Safari, and at least some versions of Chrome) doesn't really support this. I don't know of any legit reason why not, but it doesn't.

      IE, which uses an ActiveX control for Flash, actually has no problem installing or updating plugins without restarting the browser. Refresh the page (which, if it's installed via the browser itself, will happen automatically) and you're good to go.

  • by hessian (467078) on Friday February 08, 2013 @03:12PM (#42835653) Homepage Journal

    Some time ago, after the last round of Flash exploits, I de-installed it and resolved to live without it.

    There are glitches: I can't get most video content, and Flash-only sites are inaccessible. However, this ended up being not a big issue.

    One reason for this is that many YouTube videos play in HTML5 on Firefox. (If you find a video you can't play, try embedding it; this sometimes produces a workable version.)

    Overall, the playback on HTML5 is better than Flash. There are fewer random slowdowns and stall-outs. On the downside, not every video is in HTML5.

    The most amazing thing is that browser crashes have dropped to near zero, either one or zero during this time. Most of what I thought was FF and Opera being buggy was in fact Flash being buggy.

    There's not yet enough content switched to HTML5 from Flash to navigate everything, but during my 6 months without Flash, I've noticed that more firms are going away from the Flash-only navigation school of design.

    YMMV. For me, life without Flash has been better, although I do miss out on some things.

    • by tibit (1762298)

      It used to be that the #1 source of Safari crashes auto-reported to Apple was Flash. I wouldn't be surprised if that's still the case.

    • by aaarrrgggh (9205)

      I was quite content without it, until Google tweaked some things in their finance pages where graphs wouldn't allow static graphs anymore. I grudgingly re-installed yesterday after nearly three years without. It's out again... I will just skip using Google Finance.

    • You can solve the video playing problem quite easily with something like FF's Video Download Helper add-on or JDownloader. These tools can examine a URL and allow you to download any videos they find for local playback.

    • by JDG1980 (2438906)

      There are glitches: I can't get most video content, and Flash-only sites are inaccessible. However, this ended up being not a big issue. One reason for this is that many YouTube videos play in HTML5 on Firefox. (If you find a video you can't play, try embedding it; this sometimes produces a workable version.) Overall, the playback on HTML5 is better than Flash. There are fewer random slowdowns and stall-outs. On the downside, not every video is in HTML5.

      If you're using Firefox, one problem is that they'

      • If you're using Firefox, one problem is that they've been very tardy with H.264 support, for ideological reasons.

        I understand some of their reasoning and am not critical of it.

        If anything, I think every FireFox user should try it without Flash. There just are not crashes. It's inspiring.

      • by ssam (2723487)

        It is already a compile time option on linux since about FF14.

    • by jader3rd (2222716)

      I can't get most video content, and Flash-only sites are inaccessible.

      Sometimes if I really want something on the website I'll change my user agent string to the same as the iPad's, and I have yet to hit an issue with the site not being able to limp along at that point.

    • by antdude (79039)

      With FlashBlock extension, one could block Flash videos. How does one do that with embedded HTML5 videos?

  • A simple way to make Internet Explorer block Flash by default: Gear icon -> Safety -> ActiveX Filtering.

    After that, you can re-enable Flash for selected sites by clicking the blue icon in the address bar.

  • by benjymouse (756774) on Friday February 08, 2013 @03:51PM (#42836209)

    We see here how the Windows platform has been battle hardened to the point where the attackers have to resort to lower-yield secondary attacks. Head-on attacking Flash on Windows does not get the attacker very far because of the security advancements such as Mandatory Integrity Control (MIC). That's why the attackers try to exploit it in contexts where MIC does not prevent system infection, such as through older versions of Microsoft Word through emails.

    OS X is still wide open to such head-on attacks when a vulnerability exists, especially Firefox because Mozilla has steadfastly refused to put in place a proper sandboxing barrier. Even Safari has some sandboxing in the latest version of OS X.

    Firefox not. A vulnerability in Firefox or one of its plugins means significant risk of successful exploits.

    Flash on Windows executes in a low-integrity process. Even if a Flash vulnerability is exploitable and shellcode gets to execute in the Flash host process, it still cannot write anywhere or interact with higher integrity objects because of mandatory integrity control (MIC) which was introduced with Vista.

    The upshot: Attackers have to try secondary routes on Windows where the conversion rates are much, much lower. And this specific attack vector will not work on Word (or other Office applications) since Word 2010. Since the 2010 versions, internet downloaded documents are also opened in low-integrity mode, meaning that even here the shellcode would be similarly restricted.
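To check the Mandatory Integrity Control claim above on a real machine rather than take it on faith, here is an added example (not code from the thread): a PowerShell script that reads the integrity level from each process's access token via P/Invoke of the Win32 token APIs. Low (RID 0x1000) is the level the comment attributes to the Flash host process and to Word 2010 opening internet-zone documents; Medium (0x2000) is an ordinary user process; High (0x3000) is elevated. The process names in the default list are assumptions about what to look for and can be changed; processes the caller cannot open (other users' sessions, protected processes) are reported as access denied.

```powershell
# Added example, not code from the thread: read each process's Mandatory Integrity Control
# level from its token, to verify the claim that the Flash host process (and Word 2010
# with an internet-zone document) runs at Low integrity while ordinary user processes
# run at Medium.
# Assumptions: the process names in Get-ProcessIntegrity's default list are guesses at what
# to look for on a given box; processes the caller cannot open show "access denied".

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class TokenIntegrity
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int length, out int returned);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS.TokenIntegrityLevel

    // Returns the last sub-authority (RID) of the token's mandatory label SID S-1-16-<rid>,
    // or -1 when the token cannot be opened or queried.
    public static int GetIntegrityRid(IntPtr processHandle)
    {
        IntPtr token;
        if (!OpenProcessToken(processHandle, TOKEN_QUERY, out token)) return -1;
        IntPtr buffer = IntPtr.Zero;
        try
        {
            int needed;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
            if (needed == 0) return -1;
            buffer = Marshal.AllocHGlobal(needed);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buffer, needed, out needed)) return -1;
            // TOKEN_MANDATORY_LABEL begins with a SID_AND_ATTRIBUTES whose first field is the PSID.
            IntPtr sid = Marshal.ReadIntPtr(buffer);
            byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.FreeHGlobal(buffer);
            CloseHandle(token);
        }
    }
}
'@

function Get-IntegrityLevelName {
    param([int]$Rid)
    switch ($Rid) {
        -1      { 'access denied' }
        0x0000  { 'Untrusted' }
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { '0x{0:X4}' -f $Rid }
    }
}

function Get-ProcessIntegrity {
    # Assumed process names: Flash's own broker/sandbox process, Firefox's plugin host,
    # Word, IE, and the shell as a Medium-integrity baseline.
    param([string[]]$Name = @('FlashPlayerPlugin*', 'plugin-container', 'WINWORD', 'iexplore', 'explorer'))
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        # Process.Handle opens the process with full access and throws when that is refused.
        try { $rid = [TokenIntegrity]::GetIntegrityRid($p.Handle) } catch { $rid = -1 }
        [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; Integrity = Get-IntegrityLevelName $rid }
    }
}

Get-ProcessIntegrity | Format-Table -AutoSize
```

A quick sanity check is to run it with Word open on a document saved from e-mail and on one created locally: the first should report Low and the second Medium, which is exactly the distinction the comment draws between pre-2010 and 2010 Word.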

  • This is the primary reason I use Chrome: so that I don't have to bother with a system-wide Flash. I can still watch cat videos (by clicking on them), but my word processor can't be infected through software that's not installed.

    • Your comment made me curious, so I looked into it and Chrome is indeed using the PPAPI plugin (which other programs can't make use of) on all platforms as of Chrome 23.

      Good to know. :)

  • Let's all push to get rid of alternative runtimes once and for all.

  • ... between living with the problems that flash has but still being able to use the websites that I visit which utilize it (mostly tv station websites) and not using those websites at all (which would require that to watch the same programs, I would either have to pay more money every month for cable tv, instead of legitimately streaming the shows from the networks' websites, or else resort to pirating the shows, an activity that I object to on moral grounds in cases where the work is available cheaply and

  • Flash is blocked on all of my devices. And has been for a long time. There's absolutely no need for flash.
