So as a rule, in 2015 running Adobe Flash is already pretty scary – but the latest patch release covers 78 CVE-classified Flash security vulnerabilities.
That’s not scary, that’s terrifying.
By now you kinda expect flaws in Flash, it’s just a given. But 78 CVE-classified vulnerabilities in one patch release? That’s just insane, that’s worse than the worst Windows release.
Adobe has released another update to address dozens of flaws in its Flash Player browser plug-in.
The December update fixes 78 CVE-classified security vulnerabilities in Flash Player for OS X, Windows, Linux, and Android. The patch includes 75 separate vulnerabilities that could be exploited by an attacker to remotely execute code on a vulnerable system.
In addition to the 75 remote code execution flaws, the update addresses three CVE-listed vulnerabilities that could allow for security bypasses. Adobe said it has not yet received any reports of the flaws being targeted in the wild.
Adobe is advising users running OS X and Windows to update their copy of Flash Player to version 20 or later, while Chrome, IE 11, and Microsoft Edge users will receive their updates through the browser. Adobe classifies the fix as a top priority for all Windows, OS X, and Linux browser versions.
So yah if you or your organisation is running Flash, don’t – just please stop. You don’t even have to visit dodgy sites any more, visit a legitimate site with a compromised ad banner and boom – you’re owned.
For example the Dailymotion malvertising attack that took place just a few days ago.
Users running Adobe AIR and AIR SDK for Windows, OS X, Android, or iOS are also advised to update their software to address the vulnerabilities.
Many will point to this latest update as yet another reason for developers, users, and site operators to minimize or outright eliminate the use of Flash. With more-secure platforms such as HTML5 gaining adoption, alternatives to the bug-riddled Flash are only growing more attractive.
Researchers have found that even when the browser-facing components of Flash are disabled, code can be injected into other documents that launches and then exploits vulnerabilities, leaving an outright removal the only option.
Even Adobe is nudging customers away from Flash, renaming its most-recent version of Flash Tools “Animator” and encouraging a move over to HTML5.
HTML5 can do everything that Flash was designed to do, I think people just want to commit the development time into replacing this obsolete technology. Adverts are still flash, non-youtube videos on the majority of the web are still Flash, interactive site elements are still Flash, some shitty website are still entirely built in Flash.
I turned off Flash long ago, but it still saddens me that today, at the end of 2015 – that still breaks parts of the Internet for me.
Please, give the World a great Xmas present and just KILL FLASH.
Source: The Register