46 comments

[ 4.0 ms ] story [ 93.2 ms ] thread
Has there ever been a piece of software more riddled with security holes than Flash? The Java runtime? Windows XP?
(comment deleted)
Adobe Acrobat is another possible contender.
Flash, Java, and XP are entire platforms with many moving parts. They are also the most popular platforms and the most exposed through the most-est-est popular platform— the web.

There are plenty of bug riddled pieces of software out there. Plenty of platforms. Most are probably unknown or not popular enough to be scrutinized. These 3 are the most popular, most used, and most targeted. You will see them in tech news more than any other pieces of software. If you read vulnerability and security blogs, you'll be exposed to a whole, new, enormous, and wonderful world of bug ridden software.

It's easy to say these kinds of things in hindsight. In their time, these systems became popular because they filled a void [1]. Now we look back and say "What were we thinking?", but it was harder to say back when the web browser was still a document system with minimal programmability.

In all reality, the craft of software engineering is still truly new to the world, and constantly, rapidly, changing. Unlike the material world with the limitations of space and resources, the abstract land of organizing information and information that works on information is a very hard problem to solve—if it's even "solvable" at all.

[1]: Well, okay, XP was kinda' forced onto the world.

Flash is more popular than the browsers they run in?
Yes it is. Flash is one entity that runs across several browsers. By definition it's more popular than each one of them.

If there's a bug in Chrome, it affects only 30 percent of the browsing market - the Chrome market. If there's a bug in Flash, it affects 95 percent of the browsing market.

That's why it would've been much better if Adobe open sourced Flash a long time ago, because then each browser could do their own implementation of Flash, just like they do with many other open specs today, and then if there was a bug in Chrome's Flash, it would've only affected the Chrome market.

It's too late to open source Flash now, but we're doing that instead with alternatives like the HTML5 video tag and WebGL (for animations).

Flash is the most distributed piece of software in the world. A few years ago it was installed on 1 billion devices. A very nice security target.
i was under the impression that this was only true of flash before they implemented an internal sandbox into the runtime, which was quite a while ago now. is that not the case?
On my Mac, flash never seems to update itself, despite it supposedly having an auto updater. Does it work for anyone else?
Seems to work for me. I opened the Flash Player preference pane and discovered that it had already updated to 12.0.0.70.
Check the firewall settings.
Hopefully Flashblock would prevent this, in most cases. Could anyone confirm?
If you use a native click-to-play solution, it will prevent it unless you're victim of some kind of clickjacking attack.

If you use a show-then-hide-with-CSS script (there are several for Chrome, for example), they won't prevent it.

(comment deleted)
Adobe has deprecated Flash some years back AFAIK.
But they still promote Air, and that's just packaged Flash.
I'm not sure what you would consider deprecated.

The Adobe Flash Platform whitepaper lists new features they are working on ( http://www.adobe.com/devnet/flashplatform/whitepapers/roadma... ) and Flash Player 13 beta is available on their labs page ( http://labs.adobe.com/technologies/flashruntimes/flashplayer... ).

I have no idea how long Flash will stay relevant, but I think Adobe AIR has a shot at being a solid choice for building apps that need to work across multiple OSes.

If you're unsure of your status, you can open each of your browsers and go to helpx.adobe.com/flash-player.html where you can click a button to find out if you have the latest, or if you have flash at all.
What surprises me the most is not the number of exploits flash had over the past years or even there severity of those but the fact that people (including me) still NEED to keep Flash installed on there machines.

I am pretty paranoid when it comes to security but i still prefer to keep flash installed with all the security burden it brings than having to deal with a good portions of websites which wont render properly. Unfortunately we are far off from the day where flash is not needed.

Firefox and Chrome (not sure about other browsers) have click-to-flash built in. It means you need one extra click to load flash, and about 1% of legit sites won't work (which you can manually whitelist). It's much better than the alternative of your computer only being as secure as the flash sandbox.
There are many websites that depend on flash for non-mobile browsers.
> having to deal with a good portions of websites which wont render properly

I am seriously interested in which sites these are. I suspect you're exaggerating (I'd be amazed if it were anything like at least 1%, let alone a "good portion") but am willing to be educated.

As a data point, the only non-video site I currently have whitelisted for Flash in Safari is Google Maps.
There are significant differences in the strength of Flash's sandbox between browsers. Which browsers does this affect?
How so? I didn't know Adobe gives different sandbox for different browsers? Or do you meant browser's policy with plugin (Flash, java runtime)?
Originally Flash ran in the browser process with no sandbox. Then some browsers started running plugins in separate processes, but still not in a sandbox. This allows the browser to survive Flash crashing, but doesn't improve security. Some browsers have gone further and added a sandbox to the Flash process, but I believe that each browser uses its own sandboxing mechanism, with different security properties. Additionally, some browsers now use their built-in updating mechanism to update Flash binaries, instead of relying on Adobe's questionable updater.

I'm not too familiar with what other browsers are doing, but I know Chrome's version of Flash is different from other versions and specially built for Chrome. It does not use the NPAPI plugin system. Instead it's built on PPAPI which is designed with multi-process and sandboxing in mind.

That is why I limit my Flash use to Chrome and there with the Browser's click to play function only

Thanks to Apple, Flash has almost become irrelevant. I usually see it only in the GUI of my ZyWALL (and only after activating it through click to play).

(Check out http://www.ghacks.net/2012/07/21/configuring-chromes-click-t... if you do not use click to play in Chrome yet. In Firefox, it is accessible via about:config.)

On Firefox 26 and newer, plugins.click_to_play is 'true' by default, so you no longer have to manually set it in about:config. However, this doesn't actually set all plugins to click-to-play, but rather enables the click-to-play subsystem.

You can set Flash (or another plugin) to click-to-play by going to Tools->Add-ons->Plugins and selecting "Ask to Activate" in the drop-down box next to the plugin. I believe this is by default only the setting for Java.

Thanks, good to know!
These posts wouldn't be more regular if they were on a cron job.

Chrome's click-to-play is just such necessity.

Great. It installs McAfee without asking. Fuck you, too, Adobe.
We need a new word for this bullshit (though it's by no means a new phenomenon).

Kafkaware?

I finally removed Java from all of my machines recently, when it had its most recent major security flaw, for the same reason, though at least Oracle has the decency to provide a checkbox you can uncheck (it is checked by default, however, which is bad enough).

I guess the repeated security issues, and the fact that the only security exploit I've dealt with on any of my personal machines in a decade was due to Java about a year ago, also contributed to the anger and subsequent removal. I am on the verge of making the same choice for Flash. I think I've finally convinced YouTube to always serve me the HTML5 version of videos, anyway...not sure what else I'd lose. Might be worth a try. Especially since the worst advertising offenders (autoplay looping video ads with sound on at the bottom of the page) are always Flash. My web browsing experience would probably actually improve...

Hmm...does Soundcloud use Flash?

Soundcloud works without flash. I uninstalled flash a long time ago and I have no regrets. Youtube works fine with the addition of an extension that forces it to play in html5.
I had to check just now, because I had no firm idea (although, a suspicion), and I don't have flash installed. You won't miss it.
There is a checkbox on the site before you start the download, but of course it is checked by default. It's like the Ask toolbar that Java wants to install on every update.

"Hey, we have insecure products that people hate, let's add some more crap"

That's a dark pattern if ever I've seen one. It looks like an ad on the page, thus triggering my ad blindness.
In all fairness, it is an ad.

I've missed that specific checkbox a lot too..

The new dark pattern I've been seeing in similar products is interesting too. An "accept/deny" flow that looks like a license agree window- of course everybody will just hit accept without reading it. Adobe doesn't do it yet, but I wouldn't be surprised if they did.
I find it frustrating how many sites still use Flash. YouTube still has an annoyingly high proportion of videos only available in Flash, while Spotify's web UI also requires it. I've found that youtube-dl[0] is a nice solution for watching videos (especially given that live streaming is often not possible with all the traffic congestion issues as of late), but there's nothing I can do with Spotify.

0: http://rg3.github.io/youtube-dl/

Why don't you just use Spotify's native client? They have one for Windows, Linux, iOS, Android and I assume OSX.

Edit: Oh, unless you're talking more about congestion being the problem for Spotify, though you can download playlist via the native clients.

Many perfectly acceptable reasons exist: maybe you've got a Chromebook, maybe you're using a computer that isn't yours and you don't want to install things on it, maybe you have accessibility requirements that the web client serves better [].

[] I don't actually know whether Spotify's web client is particularly accessible (beyond requiring flash which makes it totally non-accessible for me), but it certainly could be.

There is no Spotify Linux client. You're supposed to use Wine, which is hacky.
I have progressively disabled Java, Flash, and now Javascript from my web experience. It is only a short while longer before I move towards the full rms style method of browsing the web.