1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Adobe Issues Emergency Update To Flash After Ransomware Attacks

Discussion in 'Off Topic' started by Alfa1, Apr 9, 2016.

  1. Alfa1

    Alfa1 Well-Known Member

    Arty, wedgar, erich37 and 3 others like this.
  2. John007

    John007 Active Member

    this is 2016 xenforo should be using a html5 uploader not flash
     
    Jawsh, erich37, rafass and 4 others like this.
  3. rainmotorsports

    rainmotorsports Well-Known Member

    It's only 2016 which means were still dealing with 2006 browser capabilities lol. Which would be IE7 but the current target is IE 8. Real shame 9 wasn't closer to 10. You have to realize Xenforo targets their customer base. People build forums for government, business and library users who are not on Windows 7+ etc.

    Mean while many of us don't. My personal support policy is 10 years or 3 Windows versions and then the FF/Chrome etc equivalents. So at this point my baseline support is Windows 7 / IE 11 and i think my chrome support falls somewhere back in the 20's. Which is a decent place.

    SSL is potentially a driving factory in killing off old browser support. Except these idiots are making their sites exploit friendly by supporting TLS 1.0 still. No one seems to have heard of a downgrade attack.
     
  4. rafass

    rafass Well-Known Member

    Screen Shot 2016-04-09 at 4.13.17 PM.png
    all said.
     
  5. Chris D

    Chris D XenForo Developer Staff Member

    I've said it before, I'll say it again.

    The decision to use Flash is entirely yours. There is a preference to disable it for yourself, a preference to disable it for your entire site, a personal preference to even install Flash in the first place (or keep it enabled if built in).

    There's even a middle ground where you keep it disabled until there's such a time where you might need to upload multiple files.

    Personally I have Flash disabled now and even doing multiple uploads without Flash is not too arduous.

    It's not a solution but a perfectly sensible workaround for the time being.
     
  6. erich37

    erich37 Well-Known Member

    where is the option in ACP to use HTML5-uploader instead of Flash-uploader ?
     
  7. Chris D

    Chris D XenForo Developer Staff Member

    Options > Attachments > Use Flash Uploader

    We don't ship a HTML5 uploader, but the non Flash Uploader works fine for one file at a time.
     
  8. Chris D

    Chris D XenForo Developer Staff Member

    FWIW we can confirm that we have dropped swfupload in XF 2.0.

    We'll save details for another time, but we have implemented a JavaScript library which utilises the HTML5 file API as a replacement.
     
    Samet Chan, Liam W, wang and 15 others like this.
  9. Alfa1

    Alfa1 Well-Known Member

    You are completely right. And the way it is going with flash the admins aware of this problem will turn off the Flash uploader which relies upon software that is in essence an ongoing security vulnerability. No problem there.
    But what about the admins that are not aware?

    Have you considered to disable or remove the flash uploader in XF1.x ? Or maybe add an admin notice somehow or send out an email warning to xenforo webmasters?

    Xenforo webmasters should be aware about the risk that they are putting their members in by activating the xenforo flash uploader.
     
  10. Chris D

    Chris D XenForo Developer Staff Member

    You seem to be under the assumption that we're putting our users at risk. We aren't. If you install Flash Player or use a browser that has it built in, you are putting yourself at risk. Using a XenForo website while you have Flash Player enabled does not put you at any additional risk than you would be if you had Flash Player disabled. What puts you at risk is using untrusted websites that contain Flash components which have been specifically developed to exploit these security vulnerabilities.

    There's nothing we can or should do about it.
     
    Jim Kingsnorth, eva2000 and Alfa1 like this.
  11. cclaerhout

    cclaerhout Well-Known Member

    Indeed
     
  12. erich37

    erich37 Well-Known Member

Share This Page