Gone in a flash? Facebook says Adobe's plug-in is a security risk no longer worth taking

Discussion in 'Windows - Virus and spyware problems' started by ireland, Jul 14, 2015.

  1. ireland

    ireland Active member

    Joined:
    Nov 28, 2002
    Messages:
    3,451
    Likes Received:
    15
    Trophy Points:
    68
    Gone in a flash? Facebook says Adobe's plug-in is a security risk no longer worth taking

    Adobe Systems' Flash software has come under fire yet again after a prominent Facebook executive called for the end of the animation software.

    "It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day," Facebook security chief Alex Stamos said in a tweet on Sunday. Stamos joined Facebook last month after less than a year at Yahoo.

    His death-to-Flash tweet came a week after cyberthieves released 400GB of internal documents stolen from HackingTeam, an Italian security company that helps governments and other organizations steal information. Those documents included details for exploiting weaknesses in Flash, which the HackingTeam called "most beautiful Flash bug for the last four years."

    Since then, independent researchers have verified three previously unknown attacks using Adobe's streaming-video software for browsers. Now, even HackingTeam warns developers and companies to be wary.

    "Before the attack, HackingTeam could control who had access to the technology, which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost," the company said in a July 8 press release. "Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation."

    Patches for the software have not yet been issued. Adobe didn't immediately respond to a request for

    Stamos' call to end the Flash browser plugin echoes a demand by the late Steve Jobs. "Flash was created during the PC era -- for PCs and mice," Apple's former CEO wrote in his 1,600-word open letter, "Thoughts on Flash," in April 2010. "But the mobile era is about low power devices, touch interfaces and open Web standards -- all areas where Flash falls short."

    Flash was once the de facto standard for websites to run games, stream video and deliver animation over browser software. Before Jobs' high-profile attack on the software, Flash ran on more than 800 million mobile phones manufactured by 20 handset makers. The exception was Apple, which banished Flash from iOS, the operating system that powers the iPhone and iPad, and stopped pre-installing the software on Mac computers. These days, Flash is on the wane as more in the online video industry turns to HTML5, a developing language that can run graphics without plugins.

    But while it's fading, Flash is far from forgotten. Flash is still used on 23 percent of the 483,000 Web pages tracked by the HTTP Archive, a resource for Web developers. Even though that usage has dropped from 39 percent three years ago, removing Flash from browsers would break much of today's Web. That's why browser makers such as Google and Microsoft have granted Flash special status even as they try to wean the Web from it and other browser plugins.

    Killing Flash, though, would be difficult: It's not just decade-old websites that rely on Flash for streaming video. Many top video networks rely on it, said Jan Ozer, a streaming-media consultant and author. Flash, he said, "has its negatives, but why banish Flash altogether if companies like NBC and MLB want to use it?"

    According to Adobe, more than 500 million devices are "addressable today with Flash technology" and 110 million websites run the plugin. Adobe has issued more than a dozen Flash security advisories since the beginning of this year.

    Stamos, who helped strengthen Yahoo's security prowess before joining Facebook, tweeted that Adobe needs to set a date for Flash's sunset so that browsers could coordinate their dropping the software.

    "Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once."

    http://www.cnet.com/news/gone-in-a-...-risk-no-longer-worth-taking/#ftag=CAD590a51e



    DEATH TO FLASH says Facebook security chief

    Flash is bad, but not so bad devs will bother with HTML5, so send in the killbits

    14 Jul 2015 at 01:29, Darren Pauli

    Newly-minted Facebook security chief Alex Stamos has called for Adobe Flash to be taken out behind the shed by a shotgun-wielding world.

    The former Yahoo! security head joined Menlo Park this year and over the weekend said in two Tweets that it is time the death knell chimed for Adobe's much-hacked tool.

    "It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day," Stamos says.

    "Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.

    "Nobody takes the time to rewrite their tools and upgrade to HTML5 because they expect Flash forever. Need a date to drive it."

    His comments follow the disclosure of three zero-day vulnerabilities in Flash revealed in leaked source code released as part of the 400Gb Hacking Team archive.

    Stamos was quizzed by Twitter users on the fate of various Facebook features such as games and the image uploader that rely on Flash.

    He did not say by the time of writing whether the web platform would be ejected in favour of HTML5.



    The late Apple boss Steve Jobs fired a Flash salvo in 2010 when he criticised the 'PC-and-mouse' platform for being outdated in the world of low-powered mobile devices.

    "Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash," Jobs wrote.

    Last year Adobe chief security officer Brad Arkin told the Australian Information Security Association that its focus on increasing the cost of exploiting Flash and Reader rather than just patching individual vulnerabilities led to a big reduction in zero-day attacks.

    Arkin said it dropped the time-to-patch from 10 weeks in 2009 to 36 hours last year.

    http://www.theregister.co.uk/2015/07/14/facebook_flash_kill/
     
  2. ireland

    ireland Active member

    https://support.mozilla.org/en-US/kb/set-adobe-flash-click-play-firefox


    Set Adobe Flash to "click to play" on Firefox
    All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues.

    Some websites use Adobe Flash to display content. However, attackers can also use the security flaws in Flash to run malicious software on your computer and gain access to your system.

    One way to protect yourself is by disabling or removing Flash, but if your trusted websites require Flash, you can change your plugin settings so that Flash runs only when you click to activate it.

    Here’s how to set Flash to run on demand:

    1. At the top of the Firefox window, click on the Firefox button (or, on the menu bar or at the top of the Firefox window, click on the Tools menu), and then click Add-ons. Alternatively, click the menu button and choose Add-ons. The Add-ons Manager tab will open.

    2. In the Add-ons Manager tab, select the Plugins panel.
    3. Look for Shockwave Flash on your list. Set it to Ask to Activate.
    The next time you visit a website that requires Flash, click on the prompt to activate Flash if needed*:
     
  3. ireland

    ireland Active member

    Mozilla blocks all versions of Flash in Firefox amid growing security concerns


    As you may or may not know, Adobe Flash -- a veteran tool required by many modern browsers for video playback -- is riddled with vulnerabilities. The product has a long history of being thrown under the bus for its security incompetence. Such is the case today. Mozilla announces that it is blocking all versions of Flash Player in its browser with its latest update.


    Mark Schmidt, the head of the Firefox team at Mozilla notes that the company is disabling Adobe Flash by default in the browser. The block is accompanied by an image showing a raised fist and the phrase "Occupy Flash". Users who wish to enable Flash can do so by flipping switches in the settings menu, however.


    Last week, security firms warned users about a major vulnerability in all versions of Flash for Mac and Windows clients. The revelation came in the aftermath of a mega security breach at the notorious Hacking Team. Adobe acknowledged the vulnerability and has since provided a patch to fix it. But another vulnerability was discovered soon after.


    This is not the first time Adobe Flash has found itself in the limelight for its wrongdoings. Last week Facebook’s new chief security officer announced that he wants to "set a date to kill Flash for once and all". But we can go back further than that. In 2010, Steve Jobs wrote an open letter explaining Apple’s growing concern with Flash.


    But somehow, due to its vast presence and a number of products relying on it, Flash has managed to dodge all bullets. However, it seems the nadir for Flash is imminent. Earlier this year, YouTube dropped support for Flash. Furthermore, Chrome has begun to intelligently pause instances of Flash video on its pages.



    http://betanews.com/2015/07/14/mozi...n=Feed+-+bn+-+Betanews+Full+Content+Feed+-+BN
     
