2 Replies Latest reply on May 24, 2017 1:59 PM by jeromiec83223024

    Flash not allowed anymore?

    dieterh32902406

      As the process of installation is easy, there is some additional software installed without any permission and no way to avoid it. What kind of policy does Adobe have nowadays?

      My browsers do not have and do not want Flash crab anymore. Why is it still a threat for hackers?


      Why does Adobe still pollute the world with a threat of Flash Player?

        • 1. Re: Flash not allowed anymore?
          m_vargas Adobe Employee
          As the process of installation is easy, there is some additional software installed without any permission and no way to avoid it.

          Third party offers are optional, not required.  Some ad-blockers have been known to block the third party offering.


          To uninstall go to Control Panel > Add/Remove Programs (language may differ depending on your OS version) > look for the software > uninstall

          • 2. Re: Flash not allowed anymore?
            jeromiec83223024 Adobe Employee

            Sorry, I misunderstood the question.


            In addition to ad-blockers, third party downloaders occasionally reverse-engineer our download process and get it wrong (there's an in-browser plugin manager that shall remain nameless, which is a frequent offender in this regard).  They bypass our web UI and installation procedure, which does allow opt-out, and instead, erroneously link directly to an asset with the bundled offers.


            The only supported way to get Flash Player is to download it directly, from here:

            http://get.adobe.com/flashplayer/


            The issue of bundled offers is very different from a discussion about product security, which you've also kind of lumped in here.


            Flash Player is a ubiquitous piece of software.  It's literally installed on billions of Internet-connected machines.  There is a tremendous amount of money and effort poured into finding flaws (by researchers in industry and academia, government and military organizations, organized crime, you name it), and in 2017, the successful participants in those efforts are not individuals, they're large, highly-skilled teams combining multiple bugs from multiple products to achieve an escalation of privilege.


            Frankly, the fact that Flash Player posts frequent security updates indicates that a.) writing an attack against Flash is cheaper than writing three attacks against the major popular browsers, b.) there's a lot of proactive research and testing happening to "hold the line" against a relentless, smart and well-funded adversary and c.) we're diligent and responsive about both patching and notifying the community of those patches.  We take those responsibilities very seriously, even when they may not be comfortable.


            There's a reason that operating systems and browsers have moved to monthly release and patch cycles, and it's products that are standing still, and that don't participate in voluntary public reporting and industry efforts to examine those flaws for the purpose of facilitating industry-scale response and research that worry me more.


            It's also the truth that there simply isn't a lot of software on your computer tasked with the job of processing untrusted content from anonymous sources.  In many ways, Flash Player is the "heat shield" for browsers because of its scale.


            It's incredibly expensive and time consuming to develop exploits against modern browsers and operating systems, and the more systems you can target with one exploit, the better the Return On Investment.  In the same way that Flash saw a huge uptick in research (and corresponding patches) when the Java plug-in was retired from the browsers, without the Flash Player plug-in as the primary target, that body of expertise and effort (or the motivation to break into systems -- both economic and political) will just focus on the next most convenient target.  Without plug-ins, that's the browsers (although IoT is proving to be an interesting soft target that may be as or more useful depending on the motivation).


            To that end, we work closely with the major browser and operating system vendors as well as with our own in-house experts and third-party researchers to ensure that we're staying ahead of the latest emerging techniques and research.  We work closely with all of the major players in the space, and we're at the front of the line for adopting the latest available security enhancements at the operating system and compiler-level mitigations for modern systems.  At the same time, browser vendors are making significant improvements in isolating both plug-ins and their own internal processes to prevent simple crashes from becoming useful exploits.  This often requires significant rework for us as well, and we're always happy to collaborate on those efforts.  In addition, we're constantly investing in both new mitigations for Flash itself, and in new tooling and techniques for discovering flaws and preventing new ones.


            If you were to really diligently dig into the data from the last couple years instead of taking the copy-paste blog stories at face value, I think you'll see a very different reality than what is espoused as popular knowledge.  Are there still 0-days?  Yeah, but they're infrequent, particularly on modern operating systems, and their deployment is usually highly targeted at a specific organization or individual.  When incidents like that do happen, we drop everything to get that patch out to a massive global audience as fast as humanly possible (which requires coordination across multiple companies and considerations, all of whom must distribute Flash as close to simultaneously as possible -- adding tremendous complexity to the process).  While crises are unfortunate, we do everything in our power to ensure a world-class response.


            Furthermore, Flash *is* moving to a "Click to Play" model for most browsers, which makes it an unreliable vector for launching exploits -- as an attacker, it's going to be unlikely that your content will run -- particularly if you're hiding it as an invisible page element or distributing it through a malicious ad on an ad network.


            That said, if you find that Flash Player doesn't provide sufficient value for you, or you don't like the risk of running it, that's totally okay.  You're more than welcome to not use it.  For your convenience, I've provided links to the uninstallers for you, below.


            Uninstall Flash Player - Windows:

            https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html


            Uninstall Flash Player - Mac:

            https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html


            Hope that helps!