Tuesday, March 15, 2011

Flash - Bang - SilverLight! and HTML5 if you can?

Adobe Discovers "Critical" Security Flaw in Flash, Won't Release Patch Until Next Week
Vulnerability is being actively exploited


Another critical vulnerability in Flash was announced by Adobe this week.  The latest in a string of high-profile flaws afflicting its PDF and Flash formats, the news adds fuel to the fire for the company's detractors.

Among those detractors is Apple CEO Steve Jobs who has spewed vehemence about Adobe over the last year, claiming Flash crashed Macs, was buggy, insecure, and ate up battery life.  Adobe and Apple enjoy a rather curious relationship given the fact that Apple users account for a significant portion of the sales of Adobe's lucrative Creative Studio Suite.

While Mr. Jobs' stance on Flash is somewhat extremist, Adobe is certainly taking its sweet time getting patches for these critical flaws out the door.  The latest flaw, which affects Flash, Adobe PDF Reader, and Adobe Acrobat, won't be fixed until next week.

That might be acceptable, except for the fact that malicious users, according to Adobe’s own accounting, are already actively exploiting this vulnerability in the wild.  

Hackers/spammers are distributing Excel spreadsheet documents that look innocent, but contain a harmful embedded SWF (Flash) file that exploits the flaw to gain unauthorized access to the victim's system.  Adobe says Windows, OS X, and Linux machines alike are all affected by the flaw.
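
The delivery vector above (a spreadsheet carrying an embedded SWF) is something a defender can triage for without the patch. The following is an added example, not code from the original post or from Adobe: a heuristic scanner that checks an .xlsx (a zip container) member by member, or a legacy OLE2 .xls as raw bytes, for SWF headers; the sample spreadsheets are constructed inline and are not real malware, and the raw-byte scan of .xls is a known shortcut that can miss objects fragmented across OLE sectors.

```python
import io
import re
import struct
import zipfile

# SWF header: 3-byte signature (FWS uncompressed, CWS zlib, ZWS LZMA),
# one version byte, then a 4-byte little-endian uncompressed length.
SWF_MAGIC = re.compile(rb"[FCZ]WS")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def find_swf_headers(data: bytes):
    """Return (offset, signature, version, declared_length) per plausible SWF header."""
    hits = []
    for m in SWF_MAGIC.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        version = data[off + 3]
        length = struct.unpack_from("<I", data, off + 4)[0]
        # Real headers carry a small version and a length >= the header size;
        # this drops most accidental "FWS"/"CWS" text matches.
        if 1 <= version <= 50 and 8 <= length <= 0x10000000:
            hits.append((off, m.group().decode(), version, length))
    return hits

def scan_spreadsheet(blob: bytes):
    """Heuristic scan of an Excel file for embedded SWF. An .xlsx is a zip, so
    each member is checked (embedded objects usually sit under xl/embeddings/).
    A legacy .xls is an OLE2 compound file and is scanned as raw bytes, which
    can miss an object whose stream is fragmented across sectors."""
    findings = []
    if blob[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                findings += [(name,) + h for h in find_swf_headers(zf.read(name))]
    elif blob[:8] == OLE_MAGIC:
        findings += [("<ole-raw>",) + h for h in find_swf_headers(blob)]
    return findings

# Constructed samples (not real malware): an .xlsx-style zip whose embedded
# object carries a CWS header, and an OLE2-style blob carrying an FWS header.
def _fake_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16 + b"CWS"
                    + bytes([10]) + struct.pack("<I", 1234) + b"\x00" * 24)
    return buf.getvalue()

SAMPLE_XLSX = _fake_xlsx()
SAMPLE_XLS = OLE_MAGIC + b"\x00" * 32 + b"FWS" + bytes([8]) + struct.pack("<I", 4096) + b"\x00" * 16
```

A hit is a reason to detonate the file in a sandbox or block it at the mail gateway, not proof of exploitation; benign spreadsheets with embedded Flash content exist.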

Even Microsoft has taken to trashing Flash (to be fair, Microsoft is trying to promote its own competitive offering -- Silverlight).  Of the major players, only Google seems to be firmly supportive of Flash, using its support for the format as a selling point on its Android phones.

But despite its security issues, the fact is that Flash is a heavily entrenched technology that powers at least some features of most of the internet's major websites.  

It is troubling that Adobe is letting a widely known flaw survive in the wild for so long, but ultimately the fact that it was exploited in the first place may not be entirely its fault.  In order to offer a rich content platform, you have to provide a wide interface to plug in text, graphics, video, audio, and more.  Such an interface is inherently exploitable in its broadness and many doors.

As for the platform's non-security limitations, it may be battery hungry but graphics aren't free, as any gamer who's played on their laptop could tell you.  Ultimately graphics intensive rich-media apps will inherently be prone to being buggy, insecure, 

At the end of the day, while Apple's Steve Jobs or Microsoft trash Adobe and hold up platforms they hold share in -- like proprietary implementations of HTML 5 or Microsoft Silverlight -- ultimately these platforms may suffer from the same problems if they are fortunate enough to mature and grow in market share.  After all, it's easy to spew insults at your adversaries, but it's much harder to perpetually maintain and upgrade a widely used, ambitious international software project.
