Tuesday, 14 July 2015 06:36

After multiple 0-days, many call for Flash to go away

Written by

Reading time is around minutes.

After three spate 0-day vulnerabilities are found in your product you can pretty much expect the market to call for you go away. This is the situation that Adobe is in right now. After fighting to their little slice of dominance in the computing industry Adobe’s Flash is arguably one of the most commonly used APIs to rendering rich content. This has made them a rather large target for a number of years… well this and the fact that the Flash development team has made some rather poor choices when it comes to their application.

Facebook’s CSO, Alex Stamos has suggested that it is well past time to retire the browser plug in and move onto something else. Stamos is not the first to suggest this either. The most famous Flash hater was, of course, Steve Jobs. He disliked Flash with a passion and refused to allow it on his iOS platform in any way. At one point he even banned games and applications that were developed using Flash even if they were properly ported to another base.

Still Flash has hung in there despite some high level comments that it is time to let it go. The biggest reason for this is that no one has been able to come up with a real replacement for it. Sure you can develop rich content in HTML 5 and Microsoft even tried to supplant it with SilverLIght (which failed), but there is nothing with the same simplicity as Flash. Which is one of the main reasons that it is easy to exploit. If you look back and the Pwn2Own competitions the majority of the winners used Flash exploits in their attacks.

Yes, it is time for Flash to sail off into the sunset. It is a plug-in that appears to be too far gone to secure. Sadly, even if you remove Flash from the equation there will be another plug-in or API right behind it that will be exploited in the same way. Most of you know exactly which one I am talking about; Java. Between Flash and Java I am and not sure how 100% of the computer systems out there are not completely compromised. After these two simple vectors are gone… well hackers will simply target the many, many holes in HTML 5…. You know, maybe it is simply time to demand better development practices when it comes to security from the entire market…

It will be interesting see if the Hacking Team breach really does bring about the death of Flash and what will jump up to take its place as the most exploited API…

Read 2490 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.