Flash deserves to live, says Cisco security man

Don't kill Flash; that's the message from Cisco security veteran John Stewart who says the Adobe team have put in the hard yards into reforming security and needs to weather the current bug storm. The advice follows a call for the ravaged runtime to be expunged from the digital world by former Yahoo-cum-Facebook security man …

  1. Detective Emil

    Not a disinterested observer

    At least two Cisco products still require Flash: Cisco Prime Infrastructure and Cisco Configuration Professional. There are probably others …

    1. DaLo

      Re: Not a disinterested observer

      I concur, seems to me a very strange line to take for a security professional other than when they have a vested interest. There is no indication that Adobe is really setting out a concerted effort of security hardening or even really cares that much about finding the issues and fixing them other than just allowing security researchers to find them and then fix (horse stable method).

      It's not as if Adobe have only just found out that there are some vulnerabilities, Flash has been exploited for years and could have started a security hardening procedure back when MS decided it might be time to make noise about doing some 'security hardening' on Windows.

      His claims also just don't ring true - HTML5 is not run as a single vendor closed source executable with full system privileges. The standards are open, some of the implementations are open source, multiple vendors create interpreters and it doesn't have as much freedom to the OS. It has also, you would hope, been built using contemporary thinking on secure programming. Flash has a massive codeset, a legacy of backwards compatibility it needs to cater for and a single supplier, closed source.

      There is no compelling reason to keep flash with the current alternatives, but also there is no reason for Adobe to invest significantly in it - I can't believe that flash production is a big money maker for them.

  2. K

    Flash needs to die...

    But it's chicken and egg...

    I have half a dozen very expensive products that still use it (SIEM, Backup etc.); most are now developing or migrating to an HTML5 interface, but they won't be available for 12-18 months.

  3. Flocke Kroes Silver badge

    Easy answer

    "If anyone thinks something is better than Flash then they need to consider what that alternative is against doubling-down security efforts on what we already have."

    Nothing is better than flash. So far nothing has proven more resilient. I have been using nothing for years and I thoroughly recommend removing flash and installing nothing as a replacement.

    1. Shadow Systems

      @Flocke Kroes, re Easy Answer.

      Enjoy a pint on me. I can't UpVote you enough for that.

      Adobe is dead. Replace it with Nothing. Weld shut that security backdoor, take a deep breath, & focus your efforts on more productive tasks...

      Like figuring out how to enable the WiFi Router to act like a Tesla Coil upon the neighbors if they try to connect to your network again.

  4. Michael Thibault

    Is there an alternative to the alternative? Skeletal Flash, perhaps?

    Do the world a favour, Adobe: if you're going to make Flash secure, then also make way for HTML5--and make Flash second-tier,

  5. Anonymous Coward

    Draining the swamp or backing the favourite number?

    If he's right then what we're seeing is the draining of a finite swamp of legacy bugs, without new ones being added (thanks to new! lemon-scented! secure coding)

    If he's wrong then their code monkeys are steadily creating new bugs and it's the equivalent of being sure this time the dealer must roll a double six because he has rolled everything else already, so "maths says it'll be my number now" (an acquaintance of mine made just this statement before losing yet more money at roulette...)

    Trouble is, as outsiders we don't have enough insight: if it was open-source we could see the history of the offending code and judge whether it is repeated schoolboy errors, see whether the overall development gives us confidence, etc. But it's not, so all we can do is ponder their public utterances, which mostly amount to "trust us". And that's the policy that got us to where we are today...

    1. Robert Helpmann??

      Re: Draining the swamp or backing the favourite number?

      "Trouble is, as outsiders we don't have enough insight..."

      On the contrary, I feel comfortable judging by results. I have a rather nice situation in that I am paid in part to patch Flash at work while enjoying a considerably greater amount of security by doing without on my personal machines.

  6. Doogie Howser MD

    Re Silverlight

    Oh, please tell Sky to stop using Silver Shite for Sky Go as well.

    Thanks.

    1. DerekCurrie

      Re: Re Silverlight

      Microsoft has made it thoroughly clear that no one should be using Silverlight henceforth. Why anyone is still using it is beyond comprehension. The alternatives are here and working. Silverlight is dead tech. So bury it already.

  7. Gordan

    And this is exactly why Flash really has to die

    "Chief security officer Brad Arkin last year told the Australian Information Security Association that its focus on increasing the cost of exploiting Flash and Reader rather than just patching individual vulnerabilities..."

    I completely removed it from all of my machines after the Hacking Team fiasco (had it set to "ask to run", and used FlashBlock until then) and can happily report that I have observed no obvious loss of functionality. Uninstalling it makes it _really_ expensive to exploit.

  8. Pascal Monett Silver badge

    Whatever

    Flash has had its day.

    I'm happy to know that somebody thinks Adobe is doing a good job. Must be nice for the Adobe team.

    The rest of us see that since 2010 there is constantly a truckload of instances where Flash is an active threat to security. If Flash was an employee, he'd be fired already, even if he helps old ladies cross the street.

    Flash is on the way out, HTML5 it will be. For the good of everyone. So get with the program, Cisco.

  9. Anonymous Coward

    Flash deserves to die

    Whatever the vulnerabilities in it, it deserves to die because it is not an open standard. It is controlled by a single company. Open standards promote competition and compatibility, closed standards allow a single vendor to screw everyone. It's like having exactly one browser implementation controlled by one company.

    1. John Sanders

      Re: Flash deserves to die

      Exactly what I have been thinking since it was created.

      It is a closed spec, it deserves all that is coming for it.

  10. Anonymous Coward

    Adobe reports that Flash is now "non-material" to the company. That means it generates less than 5% of its revenue. A few years ago they effectively killed it off and they are not going to spend big money securing a product they consider dead.

    Cisco is not a security company. Anyone who has used comparative offerings from other vendors knows that. They only have a security line because too many companies have the network admins also running the firewalls. They're the ones getting hacked (not because of Cisco but because security is a separate discipline from networking).

    If you really want to hear Cisco howl, let there be an industry cry to ban Java on the desktop. Their so-called security products still mandate it for ASDM and even trying to open a ticket online requires Java. Seriously?

  11. This post has been deleted by its author

    1. DaLo

      Re: "Microsoft is asking its eight Silverlight users and Netflix"

      HTML5 Video does have the ability to do DRM; there was a bit of a fuss about it a while ago. Anyway, Encrypted Media Extensions have been around for a while in draft form and are supported by all the major browsers and used by Netflix.

  12. Brian Souder 1

    Move On - Nothing To See Here

    I have just started removing Flash and Java where I can. Solves the whole problem.

    If Adobe was that concerned about moving forward, they should come up with a tool for the Adobe Flash developers that are still out there that takes their files and converts them to HTML 5. This way the poor developers do not have to learn a new tool right away, and we can move on. Plus Adobe can sell another tool that forces their users into the cloud and paying them endlessly. But that is another topic all together ...

  13. Anonymous Coward

    Java media

    Could be worse. IBM had a Flash-like product in the late 1990s called HotMedia, which merely required Java to run. If they hadn't had their heads up their a$$ we'd all be running HotMedia on websites rather than Flash, and instead we'd be dealing with all the Java vulnerabilities, except we'd have to wait for the dimwits running IBM to keep enough people on hand to fix it. Which, of course, would be *less* likely than Adobe fixing their problems.

    1. Anonymous Coward

      Re: Java media

      IIRC the main problem with Java (*) was that it was far too slow and resource-hungry on the PCs of the time to be really suited to the website-based Applet use which (ironically) was its main hyped-up selling point in the early days. Anything run on top of Java would still have had that problem, I assume.

      The irony is that HotMedia sounds like it was an animation tool built on top of the (too) heavyweight Java, whereas Flash- which started out as an animation/presentation tool- ended up beating Java Applets at the "embedded rich web content" field that was Java's much-hyped selling point in the early days.

      AFAICT, Flash succeeded partly because it was more lightweight in those early days and its growth in power over the years matched the increasing power of PCs. I wouldn't say Flash killed Java Applets- those had already comprehensively failed to meet their early promise by the time Flash evolved past its roots around the turn of the millennium.

      (*) Other than the malicious incompatibilities et al MS introduced in their version to undermine it

  14. DerekCurrie

    ASAP Patching Wins Again

    The bizarro alternative to ASAP patching has been the ridiculous 'Second Tuesday Of The Month' ritual that is apparently supposed to placate lazy IT 'professionals' who want a predictable day when all the security changes are going to hit them. I've had people blether until they're blue about how this is supposed to be a great idea. And yet, consistently and repeatedly it has been proven to be the dangerous alternative to the only logical choice: ASAP patching.

    There is no argument. ASAP patching is the responsible requirement of the software industry. Therefore, let's at last kill off the ritual patching days, be realistic and stay that way. Otherwise, the security exploit rats could not be more grateful. They're lazy as well and love it when they can count on that one day of the month when their coffers will be filled again, nailing the unpatched masses with attacks. Keeping them on their toes like the rest of us are forced to be, zero-day by zero-day, is the last thing they want as well.

    1. DerekCurrie

      Re: ASAP Patching Wins Again

      Oh, and let's kill Adobe Flash and Oracle Java over the Internet ASAP as well. They are wide open gateways to security exploitations, despite all the rhetoric to the contrary. Just end them. Superior replacements are either already here or require coding by security-minded developers; therefore, not coded by Adobe or Oracle. I think we can manage that.

  15. Anonymous Coward

    Mr Stewart was later heard to utter...

    ..."Flash, Flash, I love you, but we only have fourteen hours to save the earth!"

  16. John Lilburne

    No doubt most of the negatives ...

    ... about flash (I don't care one way or the other) will be from those running pwned Android systems, or closed Apple systems that screw up every upgrade they push out.

    All systems are riddled with security holes; you just don't know it.

  17. sisk

    Flash deserves to die

    Years ago. Even before the exploits started rolling in, the quality of the program had deteriorated to the point of "Why the hell would any sane developer ever use that pile of bug soup?" Now that it's being exploited left and right, just dump it already.

  18. Anonymous Coward

    Corporate websites are Flash-based

    And all our "training" courses are Flash-based....

  19. Frumious Bandersnatch

    Flash done right?

    Flash's initial remit of making animation and context-sensitive graphics applications more amenable to graphic artist types was probably the main reason for its success. It's just a pity that at its heart it was just another general-purpose programming language (ActionScript). If you wanted the interactivity but not the ability to execute arbitrary code, it should be possible to move from a procedural paradigm to a more declarative one. It should be possible to write a provably secure "interactive graphics" platform in this way with a modicum of overheads (automatic stack and heap checks whether you want them or not) and neutering the language to eliminate any other "dangerous" operations (pointers or "evals" come to mind).

    Of course Flash (and its design) come from a very different time (perhaps HTML5 is more akin to what I'm thinking of?) but it still begs the question about how it's still a bug-ridden piece of shit even after years of all these high-profile security problems...

  20. WereWoof

    "Use the force Luke" - Adobe Wan Kenobe.

  21. Andrew Punch

    Duplicate of existing functionality

    The primary advantages of flash have always been more permissive access to the local machine, decent multimedia and particularly DRM. Apart from that it really just duplicates javascript, video tags and SVG.

    It was great in 1996 but with HTML5 all these features have been added to the browser. The last hold out was DRM but now flash is simply a buggy duplication of features in the browser. Having that functionality is a massive security risk.
