Facebook chief of security Alex Stamos urges Adobe to kill Flash

Shawn Knight


Adobe Flash doesn’t exactly have the best reputation when it comes to security. The platform has been on the way out for years and if Facebook’s new chief security officer had his way, he’d put the dying platform out of its misery sooner rather than later.

In a recent post on Twitter, Alex Stamos said it was time for Adobe to announce the end-of-life date for Flash and to ask browser makers to set killbits on the same day. He added that even if it is 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.

A previously unknown Flash vulnerability surfaced last week following the high-profile hack of the Hacking Team earlier this month. Adobe patched it quickly, yet since then two additional flaws have emerged, and it’s entirely possible that more vulnerabilities will surface from the Hacking Team dump.

The newest vulnerabilities, labeled CVE-2015-5122 and CVE-2015-5123, affect Windows, Mac and Linux. Adobe said it plans to issue patches for these critical flaws sometime this week.

Flash has been around for what seems like ages and was widely used on the web during the 2000s. The platform also played a key role in the early debate between Android and iOS. Proponents of Google’s mobile operating system pointed to its ability to display Flash-based content as a major advantage over Apple’s mobile OS.

Apple co-founder Steve Jobs wasn’t a fan of Flash to say the least, noting the platform was created during the PC era for PCs and mice. In 2010, Jobs predicted that new open standards created for the mobile era like HTML5 would eventually win on mobile devices and suggested Adobe start creating great HTML5 tools for the future instead of criticizing Apple for leaving the past behind.

Adobe announced in mid-2012 that it would no longer release Flash builds for Android.

Many security experts recommend removing Flash completely until the latest vulnerabilities have been patched or, at the very least, enabling the “click to play” option in your browser so that you control which Flash content plays.
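The recommendation above puts the decision on the visitor's side. The other half is the page author's: serve HTML5 video when the browser can play it, so the visitor never needs the plugin in the first place. The snippet below is an added example written for this page, not code from the article or from Adobe; it takes the browser's `navigator` and `document` as parameters (`nav`, `doc`) so it can be exercised offline against constructed stand-in objects, and the stand-ins at the bottom are constructed test data, not captured browser state.

```javascript
// Added example: choose a video renderer from what the visitor's browser exposes.
// Prefers the HTML5 <video> element; falls back to Flash only when HTML5 playback
// is unavailable and the plugin is reported; otherwise renders nothing rather
// than injecting a Flash object that can never play.

const FLASH_MIME = "application/x-shockwave-flash";

// True when the browser reports a Flash plugin via navigator.mimeTypes or
// navigator.plugins. Caveat: under "click to play" the plugin is still listed,
// so "available" does not mean "will run silently".
function flashAvailable(nav) {
  if (!nav) return false;
  const mimeTypes = nav.mimeTypes || {};
  const entry = mimeTypes[FLASH_MIME];
  if (entry && entry.enabledPlugin) return true;
  const plugins = nav.plugins || [];
  for (let i = 0; i < plugins.length; i++) {
    if (/shockwave flash/i.test(plugins[i].name || "")) return true;
  }
  return false;
}

// True when the browser can play H.264 MP4 through the HTML5 <video> element.
function html5VideoAvailable(doc) {
  if (!doc || typeof doc.createElement !== "function") return false;
  const video = doc.createElement("video");
  return !!(video && typeof video.canPlayType === "function" &&
            video.canPlayType('video/mp4; codecs="avc1.42E01E"') !== "");
}

// Returns "html5", "flash" or "none". HTML5 wins whenever it is available,
// which removes the plugin from the visitor's attack surface for this page.
function chooseRenderer(nav, doc) {
  if (html5VideoAvailable(doc)) return "html5";
  if (flashAvailable(nav)) return "flash";
  return "none";
}

// Constructed stand-ins for offline testing (not real browser objects).
const modernBrowser = {
  nav: { mimeTypes: {}, plugins: [] },
  doc: { createElement: () => ({ canPlayType: () => "probably" }) },
};
const legacyBrowserWithFlash = {
  nav: { mimeTypes: { [FLASH_MIME]: { enabledPlugin: { name: "Shockwave Flash" } } }, plugins: [] },
  doc: { createElement: () => ({}) },   // no canPlayType: no HTML5 video
};
const strippedBrowser = {
  nav: { mimeTypes: {}, plugins: [] },  // Flash uninstalled, as the article advises
  doc: { createElement: () => ({}) },
};

console.log(chooseRenderer(modernBrowser.nav, modernBrowser.doc));             // html5
console.log(chooseRenderer(legacyBrowserWithFlash.nav, legacyBrowserWithFlash.doc)); // flash
console.log(chooseRenderer(strippedBrowser.nav, strippedBrowser.doc));         // none
```

In a real page the call is `chooseRenderer(window.navigator, window.document)`; the point of the ordering is that a visitor who has removed Flash, or who has it set to click-to-play, still gets working video without being asked to enable the plugin.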


 
I wish someone WOULD kill flash (take java with it), and just use html5 for everything. Flash is like a piece of swiss cheese....full of holes!
 
> I wish someone WOULD kill flash (take java with it), and just use html5 for everything. Flash is like a piece of swiss cheese....full of holes!

Well it was never intended to be what it became (was originally designed as an animation program). Personally I would have loved to see it discontinued when Adobe bought Macromedia.
 
And since everybody is jumping on the "KILL FLASH" bandwagon I wanna play the Devil's advocate here for a moment. Can somebody please explain why you wanna throw the baby out with the bath water? If the security holes can be patched as they are discovered and they actually are patched in a reasonable time frame, then why kill Flash? @Tekkaradien, if Flash is being used for purposes that it was never intended for and people are bashing it in that context, then how is that the fault of Adobe or Flash? It's like saying, "Let's ban all guns, they keep killing innocent people". I am somewhat confused.

Microsoft has to release security patches on a monthly basis. Should we kill off Windows too? Should we kill off anything with a history of security flaws? Should we not lock our doors at night because they can be broken into? LOL. Where does it end?

I recommend that forces of nature will dictate Adobe Flash's future. And not some knee-jerk reactions to proactively KILL what may be dying already.
 
The last version of Flash Player I can recall that was worthwhile was Flash Player 10.3. That version supported 1080p streaming and there was no lag to it whatsoever. Once Flash Player 11 came about everything was downhill from there. Adobe should rebuild from Flash Player 10.3 and improve from there. Just concentrate on bugs and stability. Flash Player 10.3 is very missed by me. It still works on a lot of sites but most browsers make you upgrade these days or the website simply won't allow you to play a Flash video if you have 10.3 installed (WWE Network) :(
 
> And since everybody is jumping on the "KILL FLASH" bandwagon I wanna play the Devil's advocate here for a moment. Can somebody please explain why you wanna throw the baby out with the bath water? If the security holes can be patched as they are discovered and they actually are patched in a reasonable time frame, then why kill Flash? @Tekkaradien, if Flash is being used for purposes that it was never intended for and people are bashing it in that context, then how is that the fault of Adobe or Flash? It's like saying, "Let's ban all guns, they keep killing innocent people". I am somewhat confused.
>
> Microsoft has to release security patches on a monthly basis. Should we kill off Windows too? Should we kill off anything with a history of security flaws? Should we not lock our doors at night because they can be broken into? LOL. Where does it end?
>
> I recommend that forces of nature will dictate Adobe Flash's future. And not some knee-jerk reactions to proactively KILL what may be dying already.

Because not only is it a terrible idea but everything that could possibly go wrong with a system like this has gone wrong. These are critical exploits being exposed weeks apart. Flash is so far widespread it has an absolutely ludicrous surface area of attack. Adobe are absolutely not responsible enough nor have good enough code quality to be trusted with such a burden. The proof is clear - their own track record is pathetic.

Flash needs to die. I've uninstalled it from all my machines. If everyone who doesn't need it does that, the surface area for flash attacks will drop dramatically.
 
Donning my tin-foiled hat: Maybe Adobe gets pressured by NSA (and the likes) to keep Flash alive?
 
Or let's just do like Google or Apple and ignore/hide vulnerabilities for months and tout security as a feature.

Code will always be exploited, do you want someone monitoring and fixing those exploits or someone that just doesn't do anything till it's big news.
 
> Or let's just do like Google or Apple and ignore/hide vulnerabilities for months and tout security as a feature.
>
> Code will always be exploited, do you want someone monitoring and fixing those exploits or someone that just doesn't do anything till it's big news.

Flash, unlike Android, iOS, Windows, Firefox, Chrome, IE, Safari, Linux is installed on practically every device. That is the difference.
 
Adobe won't kill Flash. You do that for yourself: just add a NOFLASH plug-in to your browser.

When the audience generally won't play Flash, web authors will quit using it.

If Adobe/Flash was just sloppy work it would suffer glitches and crashes frequently. Think about this.
 
> Adobe won't kill Flash. You do that for yourself: just add a NOFLASH plug-in to your browser.
>
> When the audience generally won't play Flash, web authors will quit using it.
>
> If Adobe/Flash was just sloppy work it would suffer glitches and crashes frequently. Think about this.

Actually no. In software, you fix the squeaky wheel. Guess how many people complain about a glitch? Lots. How many people complain about a security flaw you don't know about? None. Zip. Nada.

So guess where the effort goes?
 
> And since everybody is jumping on the "KILL FLASH" bandwagon I wanna play the Devil's advocate here for a moment. Can somebody please explain why you wanna throw the baby out with the bath water? If the security holes can be patched as they are discovered and they actually are patched in a reasonable time frame, then why kill Flash? @Tekkaradien, if Flash is being used for purposes that it was never intended for and people are bashing it in that context, then how is that the fault of Adobe or Flash? It's like saying, "Let's ban all guns, they keep killing innocent people". I am somewhat confused.
>
> Microsoft has to release security patches on a monthly basis. Should we kill off Windows too? Should we kill off anything with a history of security flaws? Should we not lock our doors at night because they can be broken into? LOL. Where does it end?
>
> I recommend that forces of nature will dictate Adobe Flash's future. And not some knee-jerk reactions to proactively KILL what may be dying already.

> Because not only is it a terrible idea but everything that could possibly go wrong with a system like this has gone wrong. These are critical exploits being exposed weeks apart. Flash is so far widespread it has an absolutely ludicrous surface area of attack. Adobe are absolutely not responsible enough nor have good enough code quality to be trusted with such a burden. The proof is clear - their own track record is pathetic.
>
> Flash needs to die. I've uninstalled it from all my machines. If everyone who doesn't need it does that, the surface area for flash attacks will drop dramatically.


@TheBigFatClown And also because new standards, as stated on the article, do the same and better without leaving security holes.
 
Because no matter how many holes they patch, there are hackers with a long list of like 300 more holes ready to exploit of which we know nothing about yet.

I've seriously lost count of how many times I've seen headlines like "critical exploit on Flash, upgrade now" year after year after year.
 
Whatever replaces Flash will eventually wind up in the same situation. The more devices use a particular piece of software the larger the target in the eyes of hackers. It's only a matter of time, like everything else, it'll be broken, perhaps never as bad as Flash currently is but none the less it will be rendered just as vulnerable.

To those who have completely removed all traces of Flash from their systems, what the hell do you do on the internet other than read articles? Don't get me wrong, that's how a lot of my time is spent, but still almost 50% is spent enjoying some form of Flash playback.
 
> @TheBigFatClown And also because new standards, as stated on the article, do the same and better without leaving security holes.

In theory. Stating that as a fact, that a new standard is more secure when it is by definition "new" seems premature. The holes just haven't been discovered yet is probably the more appropriate statement.

Look, I can see this thing going either way, I am no way security expert. If Adobe Flash developers are just a group of *****s that's one thing. But you have to look at all aspects. How long has it been around? The more popular a software package the larger target it is to hackers, etc.

I just came across an article the other day that said there is a security hole in Windows that has been there for years which Microsoft hasn't patched. Maybe it's not a critical security issue but it's there.

Let's just all hold hands and repeat after me: "Newer must be better!!! Newer must be better!!!" Can't wait for Windows 10. "Newer must be better!!!" :)

Microsoft will never need to release any security patches for Windows 10!!! YES!!! or not!
 
Another 0-day... another patch today. That's 3 critical vulnerabilities that affect everyone who uses flash (which is practically everyone who browses the internet) in less than a week?

Need to decentralise the risk. It's about risk and exposure. Everyone is vulnerable but a single point of failure for everyone is ridiculous. The amount of people exposed by a vulnerability in iOS is a tiny fraction of the internet userbase for example.
 
Please don't disable or discontinue flash. It makes my job easier to get into peoples' systems.
Sincerely, Security Breachers Everywhere.
 
Absolutely, all the way down to the bottom it is people vs. people; saying "some must die" is like saying someone wants to be the replacement.
 