"Flash as a security threat was kind of a meme"

Originally published on Newgrounds Forums on 2017-08-10.

At 7/26/17 01:19 PM, TomFulp wrote:

  1. Flash as a security threat was kind of a meme. Yes, Flash had vulnerabilities that needed to be patched and it was a bummer that it was a closed system. However your OS and your web browser also have vulnerabilities that get patched, as does all software. It became a popular thing to complain about but the reality is most people were getting their viruses and malware somewhere other than through an SWF file.
  1. It really bothers me when people cheer the death of Flash. I totally get why it's time to move on but you shouldn't cheer the death of something that empowered so many people and brought so much joy to the web for 20+ years. I think it's a bandwagon that a lot of joyless people have jumped on, sorry if you're one of them.

"Flash as a security threat was kind of a meme"

Tom, I believe you are misrepresenting the facts regarding Flash and security. I think the good folk of Newgrounds deserve at least some insight into why Flash is getting so much "hate".

A lot of people who really know what they're doing have written a bunch of things about Flash and why it's time to move away from it.

They include:

Troy Hunt, respected security specialist, author of haveibeenpwned.com, describes Flash as "one of the most frequently exploited pieces of code on the planet"[1], and he's not wrong. It's been exploited to the point where security researchers are desperate to see its end.

Cisco Talos group wrote in an announcement last year: "In today’s threat landscape, Adobe Flash Player unfortunately remains an attractive attack vector for adversaries to exploit and compromise systems".[2]

In the United States Computer Emergency Response Team's alert on the North Korean botnet dubbed HIDDEN COBRA, three out of the main five vulnerabilities it exploited stem from Flash.[3]

Not so much security, but Steve Jobs wrote something worth reading on Flash seven years ago, and I believe he brings up some good points.[4]

While I cannot speak for the media (journalists don't have the best credibility nowadays), the people and organizations listed above are among the leading authorities on technology and security today. Don't get me wrong, I personally love Flash and have many great memories from it, but today's technological landscape is changing, and it's changing fast. Flash had its time, but it's time to move on. New technologies are popping up daily and the internet as a whole is improving in security, and clinging onto something like Flash simply isn't sustainable in the long run.

"It really bothers me when people cheer the death of Flash"

Please don't let this bother you. I know you're passionate about Flash, but in the end it's just another chunk of code. You said you totally understand why it's time to move on, and people in the security and administration sector have legitimate reasons to "cheer the death of Flash". It's a great relief for a lot of people.

Tom, I sincerely hope to convince you with this that Flash isn't simply "another app that needs security patches" but a serious threat to a more secure internet. It will always be remembered as a core piece of software in the history of the internet.

“So long as they speak your name, you shall never die.” - Dan Brown

  1. Troy Hunt, Security insanity: how we keep failing at the basics, 2016. Link

  2. Cisco Talos Group, News Flash! Another Adobe Flash Zero-day Vulnerability Spotted in the Wild, 2016. Link

  3. United States Cybersecurity & Infrastructure Security Agency, HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure, 2017. Link

  4. Steve Jobs, Thoughts on Flash, 2010. Link