Just like Chrome, Microsoft Edge will start automatically pausing less important Flash content this summer


Microsoft continues to unveil features coming as part of the Windows 10 Anniversary Update, slated for this summer. The latest one is an update to how Microsoft Edge handles Flash content, following in Google Chrome’s footsteps.

Google and Adobe worked for a long time last year to automatically pause less important Flash content (like ads) in Chrome. In March 2015, with the goal of making Flash content more power-efficient in Chrome, a setting was introduced to play less Flash content on the page, but it wasn’t turned on by default. In June, the option was enabled in the browser’s beta channel, and in September 2015 it was turned on for everyone.

Now Microsoft wants to do the exact same thing in Edge.

The new browser will “intelligently auto-pause” Flash content that is “not central to the webpage.” If you want to try this out now, you can take the feature for a spin with Windows 10 build 14316, which was released to Windows Insiders yesterday.

Here is how Microsoft differentiates content that is and isn’t central to the webpage:

Peripheral content like animations or advertisements built with Flash will be displayed in a paused state unless the user explicitly clicks to play that content. This significantly reduces power consumption and improves performance while preserving the full fidelity of the page. Flash content that is central to the page, like video and games, will not be paused.

In March 2015, Google said the goal was to pause certain plugin content, including “many Flash ads.” It also split Flash content into the same two types:

This can help you save precious battery power and CPU cycles. But don’t worry, the primary plugin content on pages (games, videos, etc.) should still run just fine.

Neither company is hiding its desire to limit Flash usage. “We encourage the web community to continue the transition away from Flash and towards open web standards,” Microsoft said today.

Microsoft says it also plans to offer additional control over the use of Flash (including content central to the page). Eventually, the company hopes Flash will no longer be necessary to bundle with Edge.

The end goal is to move as many sites as possible to HTML5, which is better for both performance (lowering memory and CPU usage, while boosting battery life) and in terms of web standards (making life easier for developers). Given Flash’s various vulnerabilities, there are obvious security gains as well.


Amateur astronomers catch Jupiter’s latest impact on video

This week, two different amateur astronomers released footage of an impact event on Jupiter. The separate observations, one in Austria and one in Ireland, show a brief, small flash of light at the exact same time. Phil Plait, Bad Astronomy writer for Slate, said the footage revealed “very strong evidence for an actual impact.” However, he noted that what kind of planetary object…

Pwn2Own 2016: Chrome, Edge, and Safari hacked, $460,000 awarded in total


Once again, major browsers fell at the two-day security contest Pwn2Own. Security flaws in Google Chrome, Microsoft Edge, and Apple Safari were all successfully exploited. A total of $460,000 was awarded for 21 vulnerabilities across the three browsers as well as Windows, OS X, and Flash. Last year’s total was $557,500.

Pwn2Own has been held annually since 2007 at the CanSecWest security conference. The goal is to exploit widely used software and mobile devices with vulnerabilities that have not yet been publicly disclosed, in exchange for the device in question and cash prizes. The name is derived from the fact that contestants must “pwn” (another way to say “hack”) the device in order to “own” it (win it).

Of the trio, Chrome fared the best. Two attempts were made to hack Google’s browser: One failed and one was deemed a partial success. The successfully exploited vulnerability in Chrome had already been independently reported to Google, so it wasn’t given full points.

Edge and Safari meanwhile didn’t survive any attacks. Two attempts were made to hack Microsoft’s browser and three attempts were made to hack Apple’s browser. All attempts were successful (2/2 for Edge and 3/3 for Safari). The biggest cash prize for a single attempt was $85,000 for pwning Microsoft Edge.

Here’s the full breakdown for the 21 vulnerabilities:

  • Microsoft Windows: 6
  • Apple OS X: 5
  • Adobe Flash: 4
  • Apple Safari: 3
  • Microsoft Edge: 2
  • Google Chrome: 1 (duplicate of an independently reported vulnerability)

Operating systems are included in the list because the attackers exploited them to gain access outside of the browser. In fact, every successful attack at Pwn2Own this year achieved system or root privileges, which has never happened at the event before. Adobe Flash was included because it was unsurprisingly often used to circumvent browser security.

11 attempts were made in total this year by five teams:

  • Tencent Security Team Sniper (KeenLab and PC Manager): 3/3
  • 360Vulcan Team: 1.5/2
  • JungHoon Lee (lokihardt): 2/3
  • Tencent Security Team Shield (PC Manager and KeenLab): 1/2
  • Tencent Xuanwu Lab: 0/1

If you’re curious about the teams and their attacks, security firm Trend Micro has recaps available for both days:


Google will stop running Flash display ads on January 2, 2017


Google today announced the Google Display Network and DoubleClick Digital Marketing are completely ditching Flash for HTML5 next year. More specifically, advertisers will no longer be able to upload display ads built in Flash into AdWords and DoubleClick Digital Marketing starting on June 30, 2016, and won’t be able to run display ads in the Flash format on the Google Display Network or through DoubleClick starting on January 2, 2017.

Flash has been on its way out for years. Not only is the tool a security nightmare with new vulnerabilities popping up regularly, the market has been slowly but surely moving away from plugins in favor of HTML5.

Google has played a big part in helping to kill Flash. In January 2015, YouTube ditched Flash for HTML5 video by default and in February the company began automatically converting Flash ads to HTML5.

Today’s announcement is thus just the latest nail in the coffin. Google says this latest move aims “to enhance the browsing experience for more people on more devices” and encourages marketers to update their Flash display ads to HTML5 before the aforementioned dates. Video ads built in Flash, however, “will not be impacted at this time,” Google noted.

Late yesterday, Adobe launched Animate CC, the successor to its Flash Professional tool that helped make Flash ubiquitous. When first announcing the move in December, the company boldly stated: “Looking ahead, we encourage content creators to build with new Web standards and will continue to focus on providing the best tools and services for designers and developers to create amazing content for the Web.”

The death of Flash can’t come soon enough, both for performance and security reasons. In a way, Adobe ensured Flash’s death in November 2011, when the company announced the withdrawal of support for Flash Player on mobile devices. That said, despite the big news we’ve seen in the last 12 hours, Flash will likely still be around for a few years.

Adobe Launches Animate CC, Previously Known As Flash Professional

Adobe today officially launched Animate CC, the latest version of its animation tool for the web. Animate CC was previously known as Flash Professional, but the importance of Flash has (thankfully) declined over the last few years and the company decided it was time to rename the product to better represent what it is actually being used for. The new version of Flash Professional Animate CC,…

Software with the most vulnerabilities in 2015: Mac OS X, iOS, and Flash


Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple’s Mac OS X, with 384 vulnerabilities. The runner-up? Apple’s iOS, with 375 vulnerabilities.

Rounding out the top five are Adobe’s Flash Player, with 314 vulnerabilities; Adobe’s AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. For comparison, last year the top five (in order) were: Microsoft’s Internet Explorer, Apple’s Mac OS X, the Linux Kernel, Google’s Chrome, and Apple’s iOS.

These results come from CVE Details, which organizes data provided by the National Vulnerability Database (NVD). As its name implies, the Common Vulnerabilities and Exposures (CVE) system keeps track of publicly known information-security vulnerabilities and exposures.

Here is the 2015 list of the top 50 software products in order of total distinct vulnerabilities:


You’ll notice that Windows versions are split separately, unlike OS X. Many of the vulnerabilities across various Windows versions are the same, so there is undoubtedly a lot of overlap. The argument for separating them is probably one of market share, though that’s a hard one to agree to, given that Android and iOS are not split into separate versions.

It’s also worth pointing out that the Linux kernel is separate from various Linux distributions. This is likely because the Linux kernel can be upgraded independently of the rest of the operating system, and so its vulnerabilities are split off.

If we take the top 50 list of products and categorize them by company, it’s easy to see that the top three are Microsoft, Adobe, and Apple:


Keep in mind that tech companies have different disclosure policies for security holes. Again, this list paints a picture of the number of publicly known vulnerabilities, not of all vulnerabilities, nor of the overall security of a given piece of software.

If you work in IT, or are generally responsible for the security of multiple systems, there are some obvious trends to keep in mind. Based on this list, it’s clear you should always patch and update operating systems, browsers, and Adobe’s free products.

Firefox for Windows users can now watch Netflix in HTML5 instead of Silverlight, coming to OS X next year


Mozilla today announced Firefox for Windows now works with Netflix’s HTML5 video player. At the same time, Netflix promised the functionality would come to Firefox for Mac users “next year.”

In May, Mozilla released Firefox 38 with digital rights management (DRM) tech for playing protected content in the HTML5 video tag, but only on Windows. The Adobe Content Decryption Module (CDM) in Firefox can be used to play back DRM-wrapped content on Windows Vista and later, a feature that, at the time, some premium video services, including Netflix, had started testing.

Now, Netflix has flipped the switch. As a result, Firefox for Windows users no longer need to use Silverlight to watch Netflix, joining IE, Edge, Safari, and Chrome users. In fact, if you’re using the latest version of these browsers, you don’t need to install any plugins at all to use the service.

Netflix offers more technical details:

Firefox ships with the very latest versions of the HTML5 Premium Video Extensions. That includes the Media Source Extensions (MSE), which enable our video streaming algorithms to adapt to your available bandwidth; the Encrypted Media Extensions (EME), which allows for the viewing of protected content; and the Web Cryptography API (WebCrypto), which implements the cryptographic functions used by our open source Message Security Layer client-server protocol.

Although Netflix specifically mentions OS X, Mozilla says it is working with Adobe to bring the Primetime CDM to Firefox “on other operating systems.” That would suggest Linux, or maybe even Android and iOS, are all possibilities.

Mozilla announced the controversial (given the closed nature of DRM) Firefox integration in May 2014. The company’s stance is that enabling DRM is not ideal, but it’s a necessary evil since Firefox users want to use services like Netflix.

Add the fact that Mozilla is looking to ditch NPAPI plugin support from Firefox by the end of 2016, and you can see how HTML5 and DRM will soon be the only way for Firefox to work with Netflix. Indeed, “This is an important step on Mozilla’s roadmap to deprecate NPAPI plugins,” Mozilla’s Justin O’Kelly wrote today.

Adobe confirms new critical Flash vulnerability is being exploited in targeted attacks, promises patch next week


Adobe today released a security bulletin confirming a vulnerability in all versions of its Flash product for Windows, Mac, and Linux. The company says it is aware of reports that an exploit targeting this vulnerability is being used in limited, targeted attacks. Adobe plans to release a patch for Flash “during the week of October 19” to plug the security hole.

The latest Adobe Flash flaw (CVE-2015-7645) was found by security researchers at Trend Micro. The attackers behind operation Pawn Storm, an economic and political cyber-espionage operation that has been targeting a wide range of high-profile entities since 2007, were found to be exploiting the new Flash vulnerability in their latest campaign.

Trend Micro explains:

In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe. The targets received spear phishing e-mails that contained links leading to the exploit. The emails and URLs were crafted to appear like they lead to information about current events, with the email subjects containing the following topics:

“Suicide car bomb targets NATO troop convoy Kabul”
“Syrian troops make gains as Putin defends air strikes”
“Israel launches airstrikes on targets in Gaza”
“Russia warns of response to reported US nuke buildup in Turkey, Europe”
“US military reports 75 US-trained rebels return Syria”

It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.

Trend Micro reached out to Adobe, which in turn confirmed that successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. The company also established that all Flash versions are affected:

  • Adobe Flash Player and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version and earlier 18.x versions
  • Adobe Flash Player and earlier 11.x versions for Linux

Just yesterday, Adobe rolled out its monthly security patches, including for Flash. That, unfortunately, wasn’t enough, and once again Flash users will need to patch next week.

Given the number of Adobe Flash vulnerabilities that are discovered and exploited on a regular basis, we recommend uninstalling the software and seeing if you can live without it. Most of the Web is moving away from Flash and towards HTML5 anyway.

That said, we will update you when a patch is available.


Farewell To Flash: What It Means For Digital Video Publishers

It’s been more than five years since Steve Jobs wrote his infamous “Thoughts on Flash” letter citing the high level of energy consumption, lack of performance on mobile and poor security as the reasons his company’s products would not support Adobe Flash technology. Finally, it appears we’re getting closer to the curtain closing on Flash.