Tuesday, July 22, 2014

One Last Reminder About Flash and Java

I'm late to the game, but via TenFourFox Development and reiterated at PowerPC Liberation, the danger from Flash and Java on OS X PowerPC is no longer hypothetical but real. We knew sometime back that the Flashback virus exploited holes in older versions of Java, and if anyone ever compiled its payload as a universal binary we'd be screwed, too. Now we have recent news that Flash has its own killer virus out in the wild called Rosetta Flash. It works in a similar fashion, using security holes to take over your machine, and PowerPC versions of Flash will not be updated to fix it. So like Cameron Kaiser says, it's time to definitely stop using it.

As fiftysixk suggests, though, saying goodbye to Flash can also be an opportunity. There are dozens of ways to bypass its plug-in and stream video through external players. There's PPC Media Center, MacTubes, YouView, TenFourFox's QTE plug-in, various Mplayer plus Youtube-dl hacks, to name a few. The Youtube-dl hacks can be interesting. Youtube-dl supports a ton of sites, not just Youtube, and is frequently updated. In fact, it's the backend for PowerPC Media Center. You can also use Youtube-dl with Mplayer, with a terminal command like this (UPDATE: it appears this no longer works as Youtube broke the "--prefer-insecure" option, natch):

mplayer -quiet -framedrop -cache 8192 -cache-min 10 -cookies -cookies-file ~/.cookie.txt $(youtube-dl -gf 18 --prefer-insecure --cookies ~/.cookie.txt $(pbpaste))

Unpacking it from the inside out, "pbpaste" pastes the copied video URL into the Youtube-dl command retrieving the direct video URL, which is then passed to Mplayer to play. The "--prefer-insecure" option is needed because Mplayer can't play HTTPS links. However, Linux users can use Mpv and drop that option since Mpv plays HTTPS links just fine. Also on Linux, you'd want to install the package xsel and replace "pbpaste" above with "xsel --clipboard". Then save it as a bash script and you're rockin'.

As for Java, a faustian informant tells me there's a Java 6 version available for OS X PowerPC, but I believe it's too old to have the security fixes for the Flashback virus. There's a thread at the Minecraft Forums talking about it, and people also talk about using it to play Runescape, but it's still a huge security hole. You don't want to do any gaming like that unless you can completely disconnect from your network.

Let's stay safe out there!