I would like to hear what Adobe have to say about their streak of serious security problems. Not only that, but they should face some consequences for that neglect. At least be forced to publish a working spec for Flash.
If there were actually a government body that cared about "cyber"-security, they'd be hauled up in front of it. They're basically an infosec Bhopal - creating a toxic mess that other people have to clean up over a period of decades.
In essence there are no critical US systems running on Flash and so the defensive side of NSA doesn't care. And the offensive side is just happy to let it rot, as that means more opportunities for them.
The thorn in the side of removing Flash has been VMware, who, in their latest vSphere 6 release, clearly made the point that "Flash is the future", with announcements towards deprecating their alternative clients.
I don't understand what they are thinking - it used to be such a progressive company.
I don't know about US Government, but many Governments and sensitive organisations are still using VMware, and this isn't likely to change.
But "thankfully" they've switched to WordPress on the White House site and hired the maintainer, so they are improving netsec on THAT front. :)
Which is actually a good thing for hosters worldwide.
You think that any other software you use is any better? Flash gets it rough because it's widely used and independent of the browser (for the most part).
If you're running an up-to-date Flash, that means you're probably running it in a sandbox and probably have silent auto-updates turned on. That's good enough for most people.
If you're the kind of person that's going to get specifically targeted, then you should not only reconsider running flash on your computer, but any other program written in an unsafe language.
To be certain, Flash gets a lot of attention because of its install base - but it's been a never-ending FOUNTAIN of RCE bugs for much of the last decade.
data: I grabbed all 500+ records and counted, by month, those with severity 10 (column 10) and severity >= 7 (column 7). Rows is the number of CVE records for that month.
NB: only months with at least one CVE event show up, but given Adobe's focus on security, it wasn't really necessary to fill in months with 0 events to get the point across.
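The tally described in that comment (records per month, with separate columns for CVSS >= 7 and CVSS == 10, and only months that have at least one record listed) can be reproduced with a short script. What follows is an added example written for this page, not the commenter's own script; the CSV layout (CVE id, published date, CVSS base score) and the rows themselves are constructed sample data, not real Flash CVEs. It also goes one step beyond the comment by offering a `fill_gaps` option that inserts the zero-count months the comment chose to leave out.

```python
"""Count CVE records per month by CVSS severity.

Added example, not the commenter's script. The input rows are
constructed sample data, and the column layout (cve_id, published,
cvss) is an assumption about how a CVE export would be laid out.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample rows in the assumed CSV layout. A real run would
# feed in an NVD/CVE export filtered to one vendor or product.
SAMPLE_CSV = """\
cve_id,published,cvss
CVE-0000-0001,2015-01-13,10.0
CVE-0000-0002,2015-01-13,9.3
CVE-0000-0003,2015-01-27,4.3
CVE-0000-0004,2015-03-10,10.0
CVE-0000-0005,2015-03-10,10.0
CVE-0000-0006,2015-03-12,7.5
CVE-0000-0007,2015-06-09,6.8
"""


def load_records(text):
    """Parse CSV text into (cve_id, published date, cvss float) tuples.

    Rows with a missing or unparsable date or score are skipped rather
    than silently landing in the wrong bucket.
    """
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            published = date.fromisoformat(row["published"])
            score = float(row["cvss"])
        except (KeyError, TypeError, ValueError):
            continue
        records.append((row["cve_id"], published, score))
    return records


def count_by_month(records, high=7.0, critical=10.0, fill_gaps=False):
    """Return {"YYYY-MM": {"rows": n, "sev7": n, "sev10": n}}, sorted by month.

    "sev7" counts scores >= high; "sev10" counts scores >= critical, which
    with critical=10.0 means exactly 10.0 since CVSS caps there, so a 10.0
    is counted in both columns, as in the comment's table.
    With fill_gaps=False only months with at least one record appear
    (the behaviour the comment's NB describes); fill_gaps=True inserts
    all-zero entries for the months in between.
    """
    counts = defaultdict(lambda: {"rows": 0, "sev7": 0, "sev10": 0})
    for _cve_id, published, score in records:
        bucket = counts[published.strftime("%Y-%m")]
        bucket["rows"] += 1
        if score >= high:
            bucket["sev7"] += 1
        if score >= critical:
            bucket["sev10"] += 1

    if fill_gaps and counts:
        months = sorted(counts)
        year, month = map(int, months[0].split("-"))
        last = months[-1]
        while True:
            key = f"{year:04d}-{month:02d}"
            counts.setdefault(key, {"rows": 0, "sev7": 0, "sev10": 0})
            if key == last:
                break
            month += 1
            if month > 12:
                month, year = 1, year + 1

    return dict(sorted(counts.items()))


def render_table(counts):
    """Plain-text table in the column order the comment describes."""
    lines = ["month    rows  >=7  ==10"]
    for month, c in counts.items():
        lines.append(f"{month}  {c['rows']:4d} {c['sev7']:4d} {c['sev10']:5d}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(count_by_month(load_records(SAMPLE_CSV))))
```

Two details worth noting when doing this against real data: a 10.0 record belongs in both the ">= 7" and "== 10" columns, so the columns are not disjoint and should not be summed, and rows with unparsable dates should be dropped explicitly rather than thrown into whatever month the parser defaults to.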
Vulnerabilities increase and usage decreases. I wonder if an economically sensible decision would be to EOL Flash soon. Are they still making any money from it?
"It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.
— Alex Stamos (@alexstamos) July 12, 2015"
Most software that's as complex as Flash is probably similarly full of bugs. Most of those vulnerabilities reek of huge development teams toiling over a codebase whose foundation was written in the late 90s and had features and fixes duct taped ever since.
No they don't. Chrome is designed from the ground up for security. It has the same number of bugs as other software of its size, but the type of bugs are much less severe.
Compare FF, Safari, IE, Chrome. Same number of bugs per year, but Chrome has 10x fewer code execution bugs (i.e., 10x less likely for your machine to be owned by unknown bugs).
The chart you just linked (which doesn't show a timescale) shows Chrome with over 300 exploitable bugs. I doubt the denial of service label, that just usually means that a bug wasn't fully investigated. So, again, how is this different from Flash? Chrome is riddled with vulnerabilities (and Safari is too).
Flash runs in a low-priv environment in nearly every major browser, includes application-specific exploit mitigations, and it silently auto-updates, just like Chrome. It's all a matter of the Flash install base: it's in 90%+ of browsers and it's running the same-ish codebase in all of them, making it a relatively stable platform to develop exploits for. That's it! It's more a factor of market share and not "security."
Every document reader, HTML renderer, JavaScript engine, browser, media player, etc that you use is the same -- a house of cards built on poor memory management :-/.
Your statement about Chrome is clearly way off, and that's what your parent was addressing. He never said Chrome was bug-free. And he was right to say that Chrome is way ahead of the other browsers (according to these stats, at least).
Edit: those stats show Chrome is better in terms of CVE severity, not number of annual CVEs.
I don't think the classification of most of those DoS bugs is correct. I also don't think there's a big difference between 100 vulns per year and 300 vulns per year. You go fishing and you find some each time.
No, maybe not as bad, but JIT can be played pretty hard. I think the difference is that they are better structured and more transparent. I would definitely NOT put my hands on Flash code; it must be a mess!
"Probably"? Complex as Flash? Whether it has a big or small team, was started in the late '90s, or whatever, it causes problems now. So use whatever excuses you like, Flash is still a security concern with opportunity for more 0-day exploits (just one firm has two in the drawer; how many more are there?).
Every piece of software you use is on a constant month-to-month patch train. Chrome, Windows, Firefox, Quicktime, Adium, hell even OpenSSL updates for security-critical bugs about once a month now. Flash is nothing special. All your software is insecure.
On Windows, you get a pop-up to update manually, which just sends you to their website so you need to download and run the installer by yourself.
If you don't update manually, Flash will wait 45 days before triggering an automatic update. I never waited that long, so I don't know whether it's "silent" or not.
Their clientele isn't security-wary people. Plus they don't have any serious competition in most of their products, so it can't hurt them either way. So they'll probably issue a generic statement and move on with their lives.
As for consequences, the best thing most of us could do is disable Flash in the browser. I've done it since YouTube defaulted to HTML5 video and never looked back.