Why Adobe Flash is a security risk and should be removed
Adobe Flash is, without a shred of doubt in my mind, living on borrowed time. This is courtesy of many things, but most of all the consistent insecurity record that follows it around like a crazed stalker in a bad movie.
It’s time, in fact long overdue, for Adobe to issue an ‘end of life’ timeline for Flash and do us all a favour. I first warned about the dangers of Adobe Flash, aptly enough, on Friday 13th July, 2007. Eight years on and the danger remains; not the same “three critical vulnerabilities impacting users of Adobe Flash Player on all platforms” as back then, but critical vulnerability after critical vulnerability nonetheless. Eight years on and I found myself writing a news story warning of yet another Adobe Flash zero-day with the headline ‘Dear Adobe Flash, why won’t you DIE, DIE, DIE?’ The not-so-funny thing is that I’m not the only one, and for good reason.
When I say ‘not the only one’ you may wonder who else I am referring to. Well, there’s the late, great Steve Jobs, co-founder and CEO of Apple, for starters. Back in 2010 Jobs famously issued a very coherent and well-reasoned rant against Adobe Flash which, as far as security was concerned, stated that “Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first-hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.”
Damning words indeed, but dismissed by many at the time as just part of the ongoing war of words between Adobe and Apple over iOS not supporting Flash. How about we fast forward to the here and now, then, and to someone who doesn’t have that same product-support axe to grind? I’m talking about Alex Stamos, who just so happens to be the Chief Security Officer at Facebook, and Facebook actually requires Flash (for now at least) for some tools such as the FB album image uploader, as well as for some third-party apps and even for playing video on some browser clients.
Yet Stamos stated in a series of tweets that “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day” and “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.”
Stamos was prompted to post these, in my never humble opinion, wise words following the analysis of data published as a result of the Hacking Team breach, which uncovered no fewer than three Flash zero-days. Yes, another group of three, which leads me to suggest that the Latin phrase ‘omne trium perfectum’, ‘everything that comes in threes is perfect’, is perversely rather applicable to Flash: a perfect storm of insecurity.
Not only did this latest trio prompt Stamos to issue his warning, it also prompted both the Chrome and Firefox browsers to temporarily suspend all support for Flash until a fix was distributed. You may think that this sounds a little harsh; after all, there are plenty of Microsoft Windows vulnerabilities year after year. I will admit that the attack surface is a very complex landscape, and if Flash were to be removed from the map then the bad guys would quickly enough find another area to exploit. Heck, who am I kidding, they are exploiting plenty of other areas already, and all that would happen is that more attention would be paid to finding new ways to exploit those.
So maybe killing Flash isn’t the answer after all? Actually, no, I am not saying that. Flash has proven itself to be both highly attractive to the cybercriminals and highly vulnerable, time and time again. Adobe, meanwhile, appears to be unable or unwilling to resource the kind of ground-up rebuild of the Flash codebase that would be necessary in order to make it a more secure product. This is where the difference between it and, for example, Microsoft Windows comes in. Microsoft does, at least, release completely new versions of the operating system on a regular basis, and improved security comes as part of the upgraded package. Flash seems to be broken, fundamentally broken, and no amount of sticking plasters can hold it together.
I’ve known security industry veteran and blogger Graham Cluley for more than 20 years now, and have to agree with him when he says of a desire to call time on Flash that “The problem is that perhaps Adobe doesn’t feel happy acknowledging that securing Flash is beyond them, and so is unwilling to drop the product. The truth is that the company would probably gain a lot more respect from the internet community if it worked towards this ultimate fix for the Flash problem, rather than clinging on to the belief that it might be able to one day make Flash secure.”
I’m not unaware that a great many businesses, especially towards the smaller end of the Small to Medium Enterprise (SME) spectrum, rely upon Flash for pretty much their entire web presence. The legacy problem is alive and well in the world of IT, and nothing highlights this more than the fact that Adobe Flash not only still exists but also has a huge number of business advocates. That this is so is somewhat surprising, given that HTML5 can do just about everything that Flash can and, I would dare to suggest, do it better (or at least more securely), yet the fact remains.
The saving grace may be mobile development, a market where Adobe isn’t the only show in town and developers are not quite so keen to stick with what they know at any cost. That HTML5 is becoming the default (hello YouTube!) for many of the new, young creatives entering the mobile field has a knock-on effect when those same creatives are asked to provide web design for the desktop as well. Back in the day, and I admit I am showing my age here, people used to say that no one ever got fired for buying IBM, yet as history shows us IBM was not too big to fail and neither is Adobe. Hands up, I admit that those SMEs I speak of, along with government and educational outfits, have legacy products which are built around Flash, and replacing them would come at a high cost. What we have to ask ourselves, and ask of them, is how high is the cost of doing nothing?
This is where I think the notion of a controlled death is a sensible move forwards, and one which Adobe really needs to be making. Forget the die-hards who insist that Windows XP is still the most secure Windows operating system despite it having long since moved past its best-before date; if we were to listen to them I would still be writing pieces such as this on my PCW9512 powered by CP/M Plus. I am not. Given a clear enough time-to-die timeline, there is no reason why we cannot move on from Flash. Once the option to do nothing has been removed, even the legacy lovers will be forced into conceding that there is life after this buggy and insecure dinosaur.
One group which certainly thinks this way is the ‘Occupy Flash’ movement, which has as its goal “To get the world to uninstall the Flash Player plugin from their desktop browsers.” As well as arguing that “the only way to truly force the web to embrace modern open standards is to invalidate old technology”, the Occupy Flash manifesto states: “Flash Player is dead. Its time has passed. It’s buggy. It crashes a lot. It requires constant security updates. It doesn’t work on most mobile devices. It’s a fossil, left over from the era of closed standards and unilateral corporate control of web technology. Websites that rely on Flash present a completely inconsistent (and often unusable) experience for a fast-growing percentage of the users who don’t use a desktop browser. It introduces some scary security and privacy issues by way of Flash cookies.”
If that’s not quite your style, and until that end-of-life announcement comes (if it ever does), then I would suggest you take heed of this piece of advice from Gavin Millard, technical director at Tenable Network Security: “With Flash continuing to be a favoured attack vector for exploit kit and malware authors, maybe it’s time that it was put out to pasture, only being used by parts of the business that require it and continually monitoring for users that don’t.”