Not a disinterested observer
At least two Cisco products still require Flash: Cisco Prime Infrastructure and Cisco Configuration Professional. There are probably others …
Don't kill Flash; that's the message from Cisco security veteran John Stewart, who says the Adobe team have put in the hard yards into reforming security and need to weather the current bug storm. The advice follows a call for the ravaged runtime to be expunged from the digital world by former Yahoo-cum-Facebook security man …
I concur; it seems to me a very strange line to take for a security professional, other than when they have a vested interest. There is no indication that Adobe is really setting out a concerted effort of security hardening, or even really cares that much about finding the issues and fixing them, other than just allowing security researchers to find them and then fixing them (horse stable method).
It's not as if Adobe have only just found out that there are some vulnerabilities; Flash has been exploited for years, and they could have started a security hardening procedure back when MS decided it might be time to make noise about doing some 'security hardening' on Windows.
His claims also just don't ring true - HTML5 is not run as a single-vendor closed-source executable with full system privileges. The standards are open, some of the implementations are open source, multiple vendors create interpreters and it doesn't have as much freedom to access the OS. It has also, you would hope, been built using contemporary thinking on secure programming. Flash has a massive codeset, a legacy of backwards compatibility it needs to cater for and a single supplier, closed source.
There is no compelling reason to keep Flash given the current alternatives, but also there is no reason for Adobe to invest significantly in it - I can't believe that Flash production is a big money maker for them.
"If anyone thinks something is better than Flash then they need to consider what that alternative is against doubling-down security efforts on what we already have."
Nothing is better than Flash. So far nothing has proven more resilient. I have been using nothing for years and I thoroughly recommend removing Flash and installing nothing as a replacement.
Enjoy a pint on me. I can't upvote you enough for that.
Adobe is dead. Replace it with Nothing. Weld shut that security backdoor, take a deep breath, & focus your efforts on more productive tasks...
Like figuring out how to enable the WiFi Router to act like a Tesla Coil upon the neighbors if they try to connect to your network again.
If he's right then what we're seeing is the draining of a finite swamp of legacy bugs, without new ones being added (thanks to new! lemon-scented! secure coding).
If he's wrong then their code monkeys are steadily creating new bugs and it's the equivalent of being sure this time the dealer must roll a double six because he has rolled everything else already, so "maths says it'll be my number now" (an acquaintance of mine made just this statement before losing yet more money at roulette...).
Trouble is, as outsiders we don't have enough insight: if it was open-source we could see the history of the offending code and judge whether it is repeated schoolboy errors, see whether the overall development gives us confidence, etc. But it's not, so all we can do is ponder their public utterances, which mostly amount to "trust us". And that's the policy that got us to where we are today...
Trouble is, as outsiders we don't have enough insight...
On the contrary, I feel comfortable judging by results. I have a rather nice situation in that I am paid in part to patch Flash at work while enjoying a considerably greater amount of security by doing without on my personal machines.
"Chief security officer Brad Arkin last year told the Australian Information Security Association that its focus on increasing the cost of exploiting Flash and Reader rather than just patching individual vulnerabilities..."
I completely removed it from all of my machines after the Hacking Team fiasco (had it set to "ask to run", and used FlashBlock until then) and can happily report that I have observed no obvious loss of functionality. Uninstalling it makes it _really_ expensive to exploit.
Flash has had its day.
I'm happy to know that somebody thinks Adobe is doing a good job. Must be nice for the Adobe team.
The rest of us see that since 2010 there is constantly a truckload of instances where Flash is an active threat to security. If Flash was an employee, he'd be fired already, even if he helps old ladies cross the street.
Flash is on the way out, HTML5 it will be. For the good of everyone. So get with the program, Cisco.
Whatever the vulnerabilities in it, it deserves to die because it is not an open standard. It is controlled by a single company. Open standards promote competition and compatibility, closed standards allow a single vendor to screw everyone. It's like having exactly one browser implementation controlled by one company.
Adobe reports that Flash is now "non-material" to the company. That means it generates less than 5% of its revenue. A few years ago they effectively killed it off and they are not going to spend big money securing a product they consider dead.
Cisco is not a security company. Anyone who has used comparative offerings from other vendors knows that. They only have a security line because too many companies have the network admins also running the firewalls. They're the ones getting hacked (not because of Cisco but because security is a separate discipline from networking).
If you really want to hear Cisco howl, let there be an industry cry to ban Java on the desktop. Their so-called security products still mandate it for ASDM and even trying to open a ticket online requires Java. Seriously?
HTML5 Video does have the ability to do DRM; there was a bit of a fuss about it a while ago. Anyway, Encrypted Media Extensions have been around for a while in draft form and are supported by all the major browsers and used by Netflix.
I have just started removing Flash and Java where I can. Solves the whole problem.
If Adobe was that concerned about moving forward, they should come up with a tool for the Adobe Flash developers who are still out there that takes their files and converts them to HTML5. This way the poor developers do not have to learn a new tool right away, and we can move on. Plus Adobe can sell another tool that forces their users into the cloud and paying them endlessly. But that is another topic altogether ...
Could be worse. IBM had a Flash-like product in the late 1990s called HotMedia, which merely required Java to run. If they hadn't had their heads up their a$$ we'd all be running HotMedia on websites rather than Flash, and instead we'd be dealing with all the Java vulnerabilities, except we'd have to wait for the dimwits running IBM to keep enough people on hand to fix it. Which, of course, would be *less* likely than Adobe fixing their problems.
IIRC the main problem with Java (*) was that it was far too slow and resource-hungry on the PCs of the time to be really suited to the website-based Applet use which (ironically) was its main hyped-up selling point in the early days. Anything run on top of Java would still have had that problem, I assume.
The irony is that HotMedia sounds like it was an animation tool built on top of the (too) heavyweight Java, whereas Flash- which started out as an animation/presentation tool- ended up beating Java Applets at the "embedded rich web content" field that was Java's much-hyped selling point in the early days.
AFAICT, Flash succeeded partly because it was more lightweight in those early days and its growth in power over the years matched the increasing power of PCs. I wouldn't say Flash killed Java Applets- those had already comprehensively failed to meet their early promise by the time Flash evolved past its roots around the turn of the millennium.
(*) Other than the malicious incompatibilities et al MS introduced in their version to undermine it
The bizarro alternative to ASAP patching has been the ridiculous 'Second Tuesday Of The Month' ritual that is apparently supposed to placate lazy IT 'professionals' who want a predictable day when all the security changes are going to hit them. I've had people blether until they're blue about how this is supposed to be a great idea. And yet, consistently and repeatedly it has been proven to be the dangerous alternative to the only logical choice: ASAP patching.
There is no argument. ASAP patching is the responsible requirement of the software industry. Therefore, let's at last kill off the ritual patching days, be realistic and stay that way. Otherwise, the security exploit rats could not be more grateful. They're lazy as well and love it when they can count on that one day of the month when their coffers will be filled again, nailing the unpatched masses with attacks. Keeping them on their toes like the rest of us are forced to be, zero-day by zero-day, is the last thing they want as well.
Oh, and let's kill Adobe Flash and Oracle Java over the Internet ASAP as well. They are wide open gateways to security exploitations, despite all the rhetoric to the contrary. Just end them. Superior replacements are either already here or require coding by security-minded developers; therefore, not coded by Adobe or Oracle. I think we can manage that.
Flash's initial remit of making animation and context-sensitive graphics applications more amenable to graphic artist types was probably the main reason for its success. It's just a pity that at its heart it was just another general-purpose programming language (ActionScript). If you wanted the interactivity but not the ability to execute arbitrary code, it should be possible to move from a procedural paradigm to a more declarative one. It should be possible to write a provably secure "interactive graphics" platform in this way with a modicum of overheads (automatic stack and heap checks whether you want them or not) and neutering the language to eliminate any other "dangerous" operations (pointers or "evals" come to mind).
Of course Flash (and its design) come from a very different time (perhaps HTML5 is more akin to what I'm thinking of?) but it still begs the question about how it's still a bug-ridden piece of shit even after years of all these high-profile security problems...
It was great in 1996, but with HTML5 all these features have been added to the browser. The last hold-out was DRM, but now Flash is simply a buggy duplication of features in the browser. Having that functionality is a massive security risk.