
Adobe Flash Player and some security vulnerability related matters

Note:

Please be sure to read the “Coverage for Adobe Flash Player” and “Criticism” parts of the page, where I describe the vulnerabilities of Adobe Flash Player.

Regards,

Acme Gamer

My thinking:

I wish that the patch fixes the vulnerability that lets a computer be hacked, and that Adobe Flash Player tries to take its place at no. 1 again. See this photo and you might understand too. People still love Adobe Flash Player, and Adobe Flash Player can still upgrade or evolve into something far more amazing than we imagine.


Coverage for Adobe Flash Player:

I say that Adobe Flash is one of the reasons the modern Internet exists. More than a decade ago, it provided an easy way for you to watch videos and listen to music through your browser; it made interactive animated websites possible; and it helped introduce casual online gaming, which paved the way for today’s gaming apps. These days, Flash is used by millions of websites, and it is probably safe to say that the majority of computers in the world have Flash installed. Unfortunately for Flash, technology moves on, and most of what it does can now be done in other, better and safer ways. That’s good for us, though, because Adobe Flash is becoming one of the biggest threats to your computer’s security. In just two recent weeks, Adobe had to release three emergency updates to fix serious security problems hackers were using to attack computers. That’s in addition to the monthly patches Adobe has to release just to keep Flash secure. Because Flash is installed on nearly every computer and in almost every browser, it has become a tempting entryway for hackers looking to attack computers. If hackers find a weakness in Flash that lets them break into computers, they can attack hundreds of millions of computers before Adobe releases a fix.

Now for the scary part. Getting hacked through Flash can be as easy as just visiting a site running malicious Flash code. “But Kim,” I hear you say, “I only visit legitimate mainstream sites.” Even if you are careful about which websites you visit, hackers can be pretty tricky. You might end up on the site after clicking a link in a phishing email, or hackers might slip a malicious Flash ad on to a legitimate website.

Keeping Flash updated helps, but each time a new hack is discovered it can take Adobe a few days to a few weeks to fix some bugs, leaving you exposed for some period of time. So even if you are cautious where you visit and you are diligent in keeping your system updated, I’m sorry to tell you that you can still be vulnerable. Fortunately, the computer industry is already moving away from Flash in favor of safer, more efficient technology built right into modern browsers. In fact, you can make a few big switches right now to stay safe.

Introduction:

Adobe Flash Player is a runtime that executes and displays content from a provided SWF file, although it has no built-in features to modify the SWF file at runtime. It can execute software written in the ActionScript programming language, which enables the runtime manipulation of text, data, vector graphics, raster graphics, sound and video. The player can also access certain connected hardware devices, including web cameras and microphones, once the user has granted permission.

Features:

Flash Player is used internally by the Adobe Integrated Runtime (AIR), to provide a cross-platform runtime environment for desktop applications and mobile applications. AIR supports installable applications on Windows, Linux, MacOS, and some mobile operating systems such as iOS and Android. Flash applications must specifically be built for the AIR runtime to use additional features provided, such as file system integration, native client extensions, native window/screen integration, taskbar/dock integration, and hardware integration with connected Accelerometer and GPS devices.


Data formats:

Flash Player includes native support for many different data formats, some of which can only be accessed through the ActionScript scripting interface.

XML:

Flash Player has included native support for XML parsing and generation since version 8. XML data is held in memory as an XML Document Object Model and can be manipulated using ActionScript. ActionScript 3 also supports ECMAScript for XML (E4X), which allows XML data to be manipulated more easily.

JSON:

Flash Player 11 includes native support for importing and exporting data in the JavaScript Object Notation (JSON) format, which allows interoperability with web services and JavaScript programs.

AMF:

Flash Player allows application data to be stored on users’ computers in the form of Local Shared Objects, the Flash equivalent of browser cookies. Flash Player can also natively read and write files in the Action Message Format (AMF), the default data format for Local Shared Objects. Since the AMF format specification is published, data can be transferred to and from Flash applications as AMF datasets instead of JSON or XML, reducing the need for parsing and validating such data.
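As an added example (not code from the original post or from Adobe), the following minimal AMF0 decoder handles the number, boolean, string, null and object types and checks every length field against the real buffer before reading. AMF received from a network peer is still untrusted input and has to be parsed and validated; the type-marker constants follow the published AMF0 specification, while the sample byte strings and the AMFError class are constructed here.

```python
import struct

# AMF0 type markers (values from the published AMF0 specification)
NUMBER, BOOLEAN, STRING, OBJECT = 0x00, 0x01, 0x02, 0x03
NULL, UNDEFINED, OBJECT_END = 0x05, 0x06, 0x09


class AMFError(ValueError):
    """Raised for malformed or truncated AMF0 input (constructed for this example)."""


class AMF0Decoder:
    """Decodes one AMF0 value, refusing to read past the end of the buffer."""

    def __init__(self, data, max_depth=32):
        self.data, self.pos, self.max_depth = data, 0, max_depth

    def _take(self, n):
        # Every read is bounds-checked, so a forged length field in the
        # stream cannot make the decoder read beyond the supplied bytes.
        if n < 0 or self.pos + n > len(self.data):
            raise AMFError(f"truncated input: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _utf8(self):
        # AMF0 short string: big-endian u16 byte length followed by UTF-8 bytes
        (length,) = struct.unpack(">H", self._take(2))
        return self._take(length).decode("utf-8")

    def decode(self, depth=0):
        if depth > self.max_depth:
            raise AMFError("object nesting too deep")
        marker = self._take(1)[0]
        if marker == NUMBER:            # IEEE-754 double, big-endian
            return struct.unpack(">d", self._take(8))[0]
        if marker == BOOLEAN:           # single byte, non-zero is true
            return self._take(1)[0] != 0
        if marker == STRING:
            return self._utf8()
        if marker in (NULL, UNDEFINED):
            return None
        if marker == OBJECT:            # (name, value) pairs until "" + OBJECT_END
            obj = {}
            while True:
                key = self._utf8()
                if key == "":
                    if self._take(1)[0] != OBJECT_END:
                        raise AMFError("missing object-end marker")
                    return obj
                obj[key] = self.decode(depth + 1)
        raise AMFError(f"unsupported AMF0 marker 0x{marker:02x}")


def decode_amf0(data):
    """Decode exactly one AMF0 value; trailing bytes are treated as an error."""
    dec = AMF0Decoder(data)
    value = dec.decode()
    if dec.pos != len(data):
        raise AMFError(f"{len(data) - dec.pos} trailing bytes after value")
    return value


# Constructed sample: the object {"score": 1500, "name": "player1", "admin": false}
SAMPLE = (b"\x03"
          b"\x00\x05score" b"\x00" + struct.pack(">d", 1500.0) +
          b"\x00\x04name" b"\x02\x00\x07player1"
          b"\x00\x05admin" b"\x01\x00"
          b"\x00\x00\x09")

# Constructed sample: a string whose length field (0xFFFF) exceeds the bytes present
TRUNCATED = b"\x02\xff\xff" + b"A" * 10
```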

SWF:

The specification for the SWF file format was published by Adobe, enabling the development of the SWX Format project, which used the SWF file format and AMF as a means for Flash applications to exchange data with server-side applications. The SWX system stores data as standard SWF bytecode which is automatically interpreted by Flash Player. Another open-source project, SWXml allows Flash applications to load XML files as native ActionScript objects without any client-side XML parsing, by converting XML files to SWF/AMF on the server.


Multimedia formats

Flash Player is primarily a graphics and multimedia platform and has supported raster graphics and vector graphics since its earliest version. It supports the following multimedia formats, which it can natively decode and play back.

MP3:

Support for decoding and playback of streaming MPEG-2 Audio Layer III (MP3) audio was introduced in Flash Player 4. MP3 files can be accessed and played back from a server via HTTP, or embedded inside an SWF file, which is also a streaming format.

FLV:

Support for decoding and playing back video and audio inside Flash Video (FLV and F4V) files, a format developed by Adobe Systems and Macromedia. Flash Video is only a container format and supports multiple different video codecs, such as Sorenson Spark, VP6 and more recently H.264. Flash Player uses hardware acceleration to display video where present, using technologies such as DirectX Video Acceleration and OpenGL to do so. Flash Video is used by YouTube, Hulu, Yahoo! Video, BBC Online and other news providers. FLV files can be played back from a server using HTTP progressive download, and can also be embedded inside an SWF file. Flash Video can also be streamed via RTMP using the Adobe Flash Media Server or other such server-side software.

PNG:

Support for decoding and rendering Portable Network Graphics (PNG) images, in both its 24-bit (opaque) and 32-bit (semi-transparent) variants. Flash Player 11 can also encode a PNG bitmap via ActionScript.

JPEG:

Support for decoding and rendering compressed JPEG images. Flash Player 10 added support for the JPEG-XR advanced image compression standard developed by Microsoft Corporation, which results in better compression and quality than JPEG. JPEG-XR enables lossy and lossless compression with or without alpha channel transparency. Flash Player 11 can also encode a JPEG or JPEG-XR bitmap via ActionScript.

GIF:

Support for decoding and rendering compressed Graphics Interchange Format (GIF) images, in its single-frame variants only. Loading a multi-frame GIF will display only the first image frame.


Streaming protocols:

Network communication is another of Adobe Flash Player’s main features. The protocols it supports are described below.

HTTP:

Support for communicating with web servers using HTTP requests and POST data. However, only websites that explicitly allow Flash to connect to them can be accessed via HTTP or sockets, to prevent Flash being used as a tool for cross-site request forgery, cross-site scripting, DNS rebinding and denial-of-service attacks. Websites must host a certain XML file termed a cross domain policy, allowing or denying Flash content from specific websites to connect to them. Certain websites, such as Digg, Flickr, Photobucket already host a cross domain policy that permits Flash content to access their website via HTTP.

RTMP:

Support for live audio and video streaming using the Real Time Messaging Protocol (RTMP) developed by Macromedia. RTMP supports a non-encrypted version over the Transmission Control Protocol (TCP) and an encrypted version over a Transport Layer Security (TLS/SSL) connection. RTMPT can also be encapsulated within HTTP requests to traverse firewalls that only allow HTTP traffic.

TCP:

Support for Transmission Control Protocol (TCP) Internet socket communication to communicate with any type of server, using stream sockets. Sockets can be used only via ActionScript, and can transfer plain text, XML or binary data (ActionScript 3.0 and later). To prevent security issues, web servers that permit Flash content to communicate with them using sockets must host an XML-based cross domain policy file, served on Port 843. Sockets enable AS3 programs to interface with any kind of server software, such as MySQL.
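As an added example (not code from the original post or from Adobe’s tooling), the following Python audits a cross-domain policy document, whether it is the crossdomain.xml served over HTTP or the socket policy served on port 843, and flags the settings that weaken the protection the two sections above describe. The three sample policies are constructed for illustration; the element and attribute names are those of Adobe’s published policy-file format.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a permissive URL policy of the kind often found on misconfigured hosts
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: the same host limited to its own subdomains over TLS only
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com" secure="true"/>
</cross-domain-policy>
"""

# Constructed sample: a socket policy (port 843) that opens every port to every origin
SOCKET_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of (severity, message) findings for one policy document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]
    findings = []

    # "all" lets a policy file anywhere on the host take effect, so any location
    # that serves user-uploaded content could publish its own, wider policy.
    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control permits policy files anywhere on the host"))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("high", "allow-access-from domain=\"*\": Flash content on any site "
                                     "may read this host's responses with the user's cookies"))
        elif domain.startswith("*."):
            findings.append(("low", f"wildcard {domain}: every subdomain is trusted"))
        # secure defaults to true on an https policy; false lets http-loaded content read https data
        if rule.get("secure", "true").lower() == "false":
            findings.append(("medium", "secure=\"false\": http content may read https data"))
        if rule.get("to-ports") == "*":
            findings.append(("high", "to-ports=\"*\": socket access to every port is permitted"))

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers", "").strip() == "*":
            findings.append(("medium", "any origin may send arbitrary request headers"))
    return findings


if __name__ == "__main__":
    for name, policy in [("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY),
                         ("socket", SOCKET_POLICY)]:
        for severity, message in audit_policy(policy):
            print(f"{name:10} {severity:6} {message}")
```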

Performance:


Hardware acceleration:

Until version 10 of the Flash player, there was no support for GPU acceleration. Version 10 added a limited form of support for shaders on materials in the form of the Pixel Bender API, but still did not have GPU-accelerated 3D vertex processing. A significant change came in version 11, which added a new low-level API called Stage-3D (initially codenamed Molehill), which provides full GPU acceleration, similar to WebGL. (The partial support for GPU acceleration in Pixel Bender was completely removed in Flash 11.8, resulting in the disruption of some projects like MIT’s Scratch, which lacked the manpower to recode their applications quickly enough.)

Current versions of Flash Player are optimized to use hardware acceleration for video playback and 3D graphics rendering on many devices, including desktop computers. Performance is similar to HTML5 video playback. Flash Player has also been used on multiple mobile devices as the primary user interface renderer.


Compilation:

Although code written in ActionScript 3 executes up to 10 times faster than the prior ActionScript 2, the Adobe ActionScript 3 compiler is a non-optimizing compiler, and produces inefficient bytecode in the resulting SWF, when compared to toolkits such as Cross-Bridge.

Cross-Bridge, a toolkit that targets C++ code to run within the Flash Player, uses the LLVM compiler to produce bytecode that runs up to 10 times faster than code the ActionScript 3 compiler produces, only because the LLVM compiler uses more aggressive optimization.

Adobe has released ActionScript Compiler 2 (ASC2) in Flex 4.7 and onwards, which improves compilation times and optimizes the generated bytecode and supports method inlining, improving its performance at runtime.

As of 2012, the Haxe multiplatform language can build programs for Flash Player that perform faster than the same application built with the Adobe Flex SDK compiler.

Game development:

Adobe offers the free Adobe Gaming SDK, consisting (as of August 2014) of several open-source AS3 libraries built on the Flash Player Stage3D APIs for GPU-accelerated graphics:

  1. Away3D: GPU-accelerated 3D graphics and animation engine

  2. Starling: GPU-accelerated 2D graphics that mimics the Flash display list API

  3. Feathers: GPU-accelerated skinnable GUI library built on top of Starling

  4. Dragon Bones: GPU-accelerated 2D skeletal animation library

A few commercial game engines target Flash Player (Stage3D) as run-time environment, such as Unity 3D and Unreal Engine 3. Before the introduction of Stage3D, a number of older 2D engines or isometric engines like Flixel saw their heyday.

Adobe also developed the CrossBridge toolkit, which cross-compiles C/C++ code to run within the Flash Player, using LLVM and GCC as compiler backends and high-performance memory-access opcodes in the Flash Player (termed “Domain Memory”) to work with in-memory data quickly. CrossBridge is targeted toward the game development industry, and includes tools for building, testing, and debugging C/C++ projects in Flash Player.

Notable online video games developed in Flash include Angry Birds, Farmville and Farmville 2, and Adventure Quest (started in 2002, and still active as of 2011).


Desktop platforms:

The latest version of Flash Player is available for Windows XP and later, Mac OS X 10.6 and later and Linux.

Adobe Flash Player is available in four flavors:

  1. The “Internet Explorer – ActiveX” version is an ActiveX control for use in Internet Explorer, its shells, and other Windows applications that support ActiveX technology. This plugin cannot be installed on Windows 8 and later, because these OSes come with their own integrated Flash Player ActiveX.

  2. The “Firefox – NPAPI” version is available for Firefox as well as other applications that support NPAPI technology.

  3. The “Opera and Chromium – PPAPI” version is available for Chromium and browsers based on Chromium (such as Opera) as well as other applications that support PPAPI technology. This plugin cannot be installed on Google Chrome, as it comes with its own built-in Flash component.

  4. The “projector” version is a standalone player that can open SWF files directly.

On February 22, 2012, Adobe announced that it would no longer release new versions of NPAPI Flash plugins for Linux, although Flash Player 11.2 would continue to receive security updates. In August 2016 Adobe announced that, beginning with version 24, it would resume offering Flash Player for Linux for other browsers.

The Extended Support Release (ESR) of Flash Player on MacOS and Windows was a version of Flash Player kept up to date with security updates, but without the new features or bug fixes available in later versions. It was on version 11.7 as of July 9, 2013, version 13 as of May 13, 2014, and version 18 as of August 11, 2015. As of August 2016, Adobe decided to discontinue the ESR branch and instead focus solely on the standard release.

Criticism:

Usability:

In some browsers, prior Flash versions have had to be uninstalled before an updated version could be installed. However, as of version 11.2 for Windows, there are now automatic updater options. Linux is partially supported, as Adobe is cooperating with Google to implement it via Chrome web browser on all Linux platforms.

Mixing Flash applications with HTML leads to inconsistent behavior with respect to input handling (keyboard and mouse not working as they would in an HTML-only document). This is often done in web sites and can lead to poor user experience with the site.

The February 20, 2014 update to 12.0.0.70 introduced a reported bug, producing green video with sound only. This defect is related to hardware acceleration and may be overcome by disabling hardware acceleration via the Adobe settings in Firefox (accessed by right clicking within the video) or in Internet Explorer (within the Tools settings). This defect may be related to widely used graphics hardware, AMD Radeon HD video cards, and similar visual defects have occurred in earlier Flash updates, with the same workaround.

Privacy:

Flash Player supports persistent local storage of data (also referred to as Local Shared Objects), which can be used similarly to HTTP cookies or Web Storage in web applications. Local storage in Flash Player allows websites to store non-executable data on a user’s computer, such as authentication information, game high scores or saved games, server-based session identifiers, site preferences, saved work, or temporary files. Flash Player will only allow content originating from exactly the same website domain to access data saved in local storage.

Because local storage can be used to save information on a computer that is later retrieved by the same site, a site can use it to gather user statistics, similar to how HTTP cookies and Web Storage can be used. With such technologies, the possibility of building a profile based on user statistics is considered by some a potential privacy concern. Users can disable or restrict use of local storage in Flash Player through a “Settings Manager” page. These settings can be accessed from the Adobe website or by right-clicking on Flash-based content and selecting “Global Settings”.

Local storage can be disabled entirely or on a site-by-site basis. Disabling local storage will block any content from saving local user information using Flash Player, but this may disable or reduce the functionality of some websites, such as saved preferences or high scores and saved progress in games.

Flash Player 10.1 and upward honor the privacy mode settings in the latest versions of the Chrome, Firefox, Internet Explorer, and Safari web browsers, such that no local storage data is saved when the browser’s privacy mode is in use.

Security:

Adobe security bulletins and advisories announce security updates, but Adobe Flash Player release notes do not disclose the security issues addressed when a release closes security holes, making it difficult to evaluate the urgency of a particular update. A version test page allows the user to check if the latest version is installed, and uninstaller may be used to ensure that old-version plugins have been uninstalled from all installed browsers.

In February 2010, Adobe officially apologized for not fixing a known vulnerability for over a year. In June 2010 Adobe announced a “critical vulnerability” in recent versions, saying there were reports that this vulnerability was being actively exploited in the wild against both Adobe Flash Player and Adobe Reader and Acrobat. Later, in October 2010, Adobe announced another critical vulnerability, this time also affecting Android-based mobile devices. Android users were recommended to disable Flash or set it to run only on demand. Subsequent security vulnerabilities also exposed Android users, such as the two critical vulnerabilities published in February 2013 or the four critical vulnerabilities published in March 2013, all of which could lead to arbitrary code execution.

Symantec’s Internet Security Threat Report states that a remote code execution vulnerability in Adobe Reader and Flash Player was the second most attacked vulnerability in 2009. The same report also recommended using browser extensions to disable Flash Player on untrusted websites. McAfee predicted that Adobe software, especially Reader and Flash, would be the primary target for attacks in 2010. Adobe applications had become, at least at some point, the most popular client-software targets for attackers during the last quarter of 2009. The Kaspersky Security Network published statistics for the third quarter of 2012 showing that 47.5% of its users were affected by one or more critical vulnerabilities. The report also highlighted that “Flash Player vulnerabilities enable cyber-criminals to bypass security systems integrated into the application.”

Steve Jobs criticized the security of Flash Player, noting that “Symantec recently highlighted Flash for having one of the worst security records in 2009”. Adobe responded by pointing out that “the Symantec Global Internet Threat Report for 2009, found that Flash Player had the second lowest number of vulnerabilities of all Internet technologies listed (which included both web plug-ins and browsers).”

April 7, 2016, Adobe released a Flash Player patch for a zero-day memory corruption vulnerability CVE-2016-1019 that could be used to deliver malware via the Magnitude exploit kit. The vulnerability could be exploited for remote code execution.

Vendor lock-in:

Flash Player 11.2 does not play certain kinds of content unless it has been digitally signed by Adobe, following a license obtained by the publisher directly from Adobe.

This move by Adobe, together with the abandonment of Flex to Apache was criticized as a way to lock out independent tool developers, in favor of Adobe’s commercial tools.

This has been resolved as of January 2013, after Adobe no longer requires a license or royalty from the developer. All premium features are now classified as general availability, and can be freely used by Flash applications.

Apple controversy:

In April 2010, Steve Jobs, at the time CEO of Apple Inc. published an open letter explaining why Apple would not support Flash on the iPhone, iPod touch and iPad. In the letter he blamed problems with the “openness”, stability, security, performance, and touchscreen integration of the Flash Player as reasons for refusing to support it. He also claimed that when one of Apple’s Macintosh computers crashes, “more often than not” the cause can be attributed to Flash, and described Flash as “buggy”. Adobe’s CEO Shantanu Narayen responded by saying,

“If Flash [is] the number one reason that Macs crash, which I’m not aware of, it has as much to do with the Apple operating system.”

Steve Jobs also claimed that a large percentage of the video on the Internet is supported on iOS, since many popular video sharing websites such as YouTube have published video content in an HTML5-compatible format, enabling videos to play back in mobile web browsers even without Flash Player.


Security Tips:

Since Flash Player is installed on almost every computer, and keeping your data safe from hackers matters, here are some security tips.

  1. Use antivirus software such as IObit, Windows Defender, Norton, 360 Safeguard, etc.

  2. Only use Flash Player for trusted websites.

  3. Set Flash Player to run only when you explicitly allow it.

Note:

Before downloading this software you must read the sections above, as you might not be aware of its vulnerabilities. For more information about the security issues of Adobe Flash Player, please follow the links provided.
