Facebook chief of security Alex Stamos urges Adobe to kill Flash

By Shawn Knight ยท 21 replies
Jul 13, 2015
Post New Reply
  1. Adobe Flash doesn’t exactly have the best reputation when it comes to security. The platform has been on the way out for years and if Facebook’s new chief security officer had his way, he’d put the dying platform out of its misery sooner rather than later.

    In a recent post on Twitter, Alex Stamos said it was time for Adobe to announce the end-of-life date for Flash and to ask browser makers to set killbits on the same day. He added that even if it is 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.

    A previously unknown Flash vulnerability surfaced last week following the high-profile hack of the Hacking Team earlier this month. Adobe patched it pretty quickly yet since that time, two additional flaws have emerged and it’s entirely possible that additional vulnerabilities could surface from the Hacking Team dump.

    The newest vulnerabilities, labeled CVE-2015-5122 and CVE-2015-5123, target Windows, Mac and Linux. Adobe said it plans to issue patches for these critical flaws sometime this week.

    Flash has been around for what seems like ages and was widely used on the web during the 2000s. The platform also played a key role in the early debate between Android and iOS. Proponents of Google’s mobile operating system pointed to its ability to display Flash-based content as a major advantage over Apple’s mobile OS.

    Apple co-founder Steve Jobs wasn’t a fan of Flash to say the least, noting the platform was created during the PC era for PCs and mice. In 2010, Jobs predicted that new open standards created for the mobile era like HTML5 would eventually win on mobile devices and suggested Adobe start creating great HTML5 tools for the future instead of criticizing Apple for leaving the past behind.

    Adobe announced in mid-2012 that it would no longer release Flash builds for Android.

    Many security experts recommend removing Flash completely until the latest vulnerabilities have been patched or at the very least, enabling the “click to play” option in your browser so you control what Flash content does and doesn’t play.

    Permalink to story.

  2. p51d007

    p51d007 TS Evangelist Posts: 1,253   +614

    I wish someone WOULD kill flash (take java with it), and just use html5 for everything. Flash is like a piece of swiss cheese....full of holes!
  3. Tekkaraiden

    Tekkaraiden TS Evangelist Posts: 997   +93

    Well it was never intended to be what it became (was originally designed as an animation program). Personally I would have loved to see it discontinued when Adobe bought Macromedia.
    Skepps and agb81 like this.
  4. TheBigFatClown

    TheBigFatClown TS Guru Posts: 676   +251

    And since everybody is jumping on the "KILL FLASH" bandwagon I wanna play the Devil's advocate here for a moment. Can somebody please explain why you wanna throw the baby out with the bath water? If the security holes can be patched as they are discovered and they actually are patched in a reasonable time frame, then why kill Flash? @Tekkaradien, if Flash is being used for purposes that it was never intended for and people are bashing it in that context, then how is that the fault of Adobe or Flash? It's like saying, "Let's ban all guns, they keep killing innocent people". I am somewhat confused.

    Microsoft has to release security patches on a monthly basis. Should we kill of Windows too? Should we kill off anything with a history of security flaws? Should we not lock our doors at night because they can be broken into? LOL. Where does it end.

    I recommend that forces of nature will dictate Adobe Flash's future. And not some knee-jerk reactions to proactively KILL what may be dying already.
    gingerbill and RebelFlag like this.
  5. The last version of flashplayer I can recall that was worthwhile was flashplayer 10.3. that version supported 1080p streaming and there was no lag to it whatsoever. once flashplayer 11 came about everything was downhill from there. adobe should rebuild from flashplayer 10.3 and improve from there. just concentrate on bugs on stability. flashplayer 10.3 is very missed by me. it still works on alot of sites but most browsers make you upgrade these days or the website simply wont allow you to play a flash video if u have 10.3 installed (wwe network) :(
  6. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,797   +459

    Because not only is it a terrible idea but everything that could possibly go wrong with a system like this has gone wrong. These are critical exploits being exposed weeks apart. Flash is so far widespread it has an absolutely ludicrous surface area of attack. Adobe are absolutely not responsible enough nor have good enough code quality to be trusted with such a burden. The proof is clear - their own track record is pathetic.

    Flash needs to die. I've uninstalled it from all my machines. If everyone who doesn't need it does that, the surface area for flash attacks will drop dramatically.
  7. Donning my tin-foiled hat: Maybe Adobe gets pressured by NSA (and the likes) to keep Flash alive?
  8. Or lets just do like google or apple and ignore/hide vulnerabilities for months and tout security as a feature.

    Code will always be exploited, do you want someone monitoring and fixing those exploits or someone that just doesn't do anything till it's big news.
  9. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,797   +459

    Flash, unlike Android, iOS, Windows, Firefox, Chrome, IE, Safari, Linux is installed on practically every device. That is the difference.
  10. VitalyT

    VitalyT Russ-Puss Posts: 3,601   +1,887

    Adobe should convince Facebook to kill themselves, 'cos that would be a far greater achievement in human evolution.
  11. MikeAcker

    MikeAcker TS Enthusiast Posts: 33

    Adobe won't kill flash. you do that for yourself: just add NOFLASH plug-in to your browser.

    when the audience generally won't play flash web authors will quit using it.

    if adobe/flash was just sloppy work it would suffer glitches and crashes frequently. think abut this.
  12. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,797   +459

    Actually no. In software, you fix the squeaky wheel. Guess how many people complain about a glitch? Lots. How many people complain about a security flaw you don't know about? None. Zip. Nada.

    So guess where the effort goes?
  13. agb81

    agb81 TS Booster Posts: 78   +38

    Imagine what would happen to productivity if facebook wasn't around.
  14. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,396   +3,410

    I install flash when I find a page that requires it. So the ball is in the web authors hands.
  15. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,259   +878

    @TheBigFatClown And also because new standards, as stated on the article, do the same and better without leaving security holes.
  16. Because no matter how many holes they patch , there are hackers with a long list of like 300 more holes ready to exploit of which we know nothing about yet
    I've seriously lost count of how many times I've seen headlines like "critical exploit on flash, upgrade now" year after year after year
  17. Adhmuz

    Adhmuz TechSpot Paladin Posts: 1,821   +628

    Whatever replaces Flash will eventually wind up in the same situation. The more devices use a particular piece of software the larger the target in the eyes of hackers. It's only a matter of time, like everything else, it'll be broken, perhaps never as bad as Flash currently is but none the less it will be rendered just as vulnerable.

    To those who have completely removed all traces of Flash from their systems, what the hell do you do on the internet other than read article, don't get me wrong, that's how a lot of my time is spent, but still almost 50% is spent enjoying some form of Flash playback.
  18. TheBigFatClown

    TheBigFatClown TS Guru Posts: 676   +251

    In theory. Stating that as a fact, that a new standard is more secure when it is by definition "new" seems premature. The holes just haven't been discovered yet is probably the more appropriate statement.

    Look, I can see this thing going either way, I am no way security expert. If Adobe Flash developers are just a group of *****s that's one thing. But you have to look at all aspects. How long has it been around? The more popular a software package the larger target it is to hackers, etc.

    I just came across an article the other day that said there is a security hole in Windows that has been there for years which Microsoft hasn't patched. Maybe it's not a critical security issue but it's there.

    Let's just all hold and hands and repeat after me. "Newer must be better!!! Newer must be better!!!" Can't wait for Windows 10. Newer must be better!!!". :)

    Microsoft will never need to release any security patches for Windows 10!!! YES!!! or not!
  19. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,259   +878

    Wow such news very impressive so wow, @TheBigFatClown replying with things that have nothing to do with topic... yaaay
  20. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,797   +459

    Another 0-day... another patch today. That's 3 critical vulnerabilities that affect everyone who uses flash (which is practically everyone who browses the internet) in less than a week?

    Need to decentralise the risk. It's about risk and exposure. Everyone is vulnerable but a single point of failure for everyone is ridiculous. The amount of people exposed by a vulnerability in iOS is a tiny fraction of the internet userbase for example.
  21. Please don't disable or discontinue flash. It makes my job easier to get into peoples' systems.
    Sincerely, Security Breachers Everywhere.
    Darth Shiv likes this.
  22. Absolutely, all down to the bottom, it is people v.s. people, saying "some must die" is like some wants to be the replacement.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...