Why killing Flash may be a huge mistake

[sinu]

Content source

http://betanews.com/2015/08/03/why-killing-flash-may-be-a-huge-mistake/

Flash might be a buggy program with multiple holes in its system. Flash might also be extremely vulnerable and a potential risk to millions of users out there.
But Flash should not be discarded, believes Cisco security veteran John Stewart, saying it might in fact be the lesser of two evils.
Facebook’s CSO Alex Stamos has called for the death of Flash, and Mozilla was one of the companies to follow that trend, labelling Flash a threat, and later dumping it from its Firefox browser.
TrendMicro also labelled Flash a threat. However, Stewart believes Flash should not be discarded easily as whatever replaces it might be worse.
"I have a lot of sympathy for the (Adobe) teams. They need to weather the storm", Stewart told The Register in a media call on Friday. "Adobe is zeroing in on ensuring security testing happens across their portfolio in a big way".
"If anyone thinks something is better than Flash then they need to consider what that alternative is against doubling-down security efforts on what we already have", added Stewart
The number of malware attacks through Flash rose 317 percent in the first quarter of 2015.
The McAfee Labs Threats Report May 2015 paper (PDF) says that the number of recorded Flash malware instances was almost 200,000 in Q1 2015, compared with 47,000 in Q4 2014.
Flash has been drawing a lot of attention to itself with the frequent attacks on unsuspecting browsers done through the platform.
For example, back in February this year, one of the most popular websites in the United States, Forbes, was used for a similar attack.

 

[marg]

Since I uninstalled Flash on my Win7 computer, I have not had any unwanted adware installed. I wish they could come out with a better Flash that would Block this type of Exploit. I don't know if this is possible though.

 

[Atlas147]

Have not encountered any malware that exploited flash on my system ever.

 

[Ink]

Since I uninstalled Flash on my Win7 computer, I have not had any unwanted adware installed. I wish they could come out with a better Flash that would Block this type of Exploit. I don't know if this is possible though.

How does Adware relate to Adobe Flash Player? It doesn't. If your version of Flash was out-dated, why didn't you update..

https://en.wikipedia.org/wiki/Adobe_Flash_Player

 

[jamescv7]

First of all there's a mistake since Flash player is on the process to kill by force but as sooner it goes, an equilibrium where HTML 5 should conduct equal parts for some website to accommodate, therefore in such time vulnerabilities are not much outnumbered.

 

[WinXPert]

Have not encountered any malware that exploited flash on my system ever.

Ditto. I think exploited vulnerabilities happens more to those clicker happy people.

 

[Rolo]

In other words, the point here is "Better the devil you know than the devil you don't."

Those numbers--like most in mass media--mean absolutely nothing since they don't compare to non-Flash malware figures: how do I know that all malware isn't up by 300%+?

Flash is used successfully by millions (billions?) without issue. Flash has been "on its way out" almost as long as COBOL...heh...heard it so much it means nothing.

Finally, I'm really tired of being nagged by Chrome that xxxx will soon be unsupported (Chrome will soon be unsupported if that doesn't change). If I want to run Java-powered Flash Silverlight presentations then that's what I'm going to do...with or without your software. Really, I just want stuff to work without someone else's agenda interfering.

 

[Sloth]

Flash has to be killed. HTML5 is the future.

Its all in the hands of web devs at this point of time.

 

[Tani]

Had never faced any issues with flash, felt sad it doesn't work with comodo dragon, while you don't visit random websites allowing flash you need not to worry.

 

[frogboy]

Ditto. I think exploited vulnerabilities happens more to those clicker happy people.

That is my thoughts just watch what you click on.

 

[Enju]

Ditto. I think exploited vulnerabilities happens more to those clicker happy people.

What about all those nice and shiny embedded exploits on popular websites? You don't have to be click happy to get hit by an exploit if it's on a normal website you visit regularly.
I do like that quite a lot of websites are switching to HTML5 and remove Flash but who knows what kind of security risks HTML5 has up it's sleeve.

 

[Azure]

What about all those nice and shiny embedded exploits on popular websites? You don't have to be click happy to get hit by an exploit if it's on a normal website you visit regularly.
I do like that quite a lot of websites are switching to HTML5 and remove Flash but who knows what kind of security risks HTML5 has up it's sleeve.

For those that haven't read this yet.
http://www.securityweek.com/html5-features-efficient-web-exploit-obfuscation-researchers
"Some of the features introduced in HTML5 can be used to obfuscate web-based exploits in an effort to increase their chances of evading security solutions, according to researchers."

 

[Enju]

For those that haven't read this yet.
http://www.securityweek.com/html5-features-efficient-web-exploit-obfuscation-researchers
"Some of the features introduced in HTML5 can be used to obfuscate web-based exploits in an effort to increase their chances of evading security solutions, according to researchers."

Thanks for posting, I remembered the article but couldn't find it anymore!
Only time will tell if HTML5 is truly better than Flash in security regards since it's getting so many features.

 

[_CyberGhosT_]

I agree With Huracan,
While I agree that Adobe Flash has its security flaws, many times simply keeping your software updated is a key step in keeping your defenses tight.

 

[Amiga500]

Well im using flash 11.2 in firefox here on linux mint and im not experiencing any issues with it.Sure its out of date but it still functions just fine.I only enable flash in firefox just for online games which i play but otherwise its disabled and i can browse just fine.

 

[WinXPert]

Can't get rid of Flash. Players at the shop specially young kids play Y8.com games. Those with Facebook play games that needs Flash.

Given that there is an alternative (not HTML 5) what would guarantee that it won't suffer the same vulnerabilities that Flash had.

 

[JakeXPMan]

Updating regularly has proven more effective then not being click-happy ...

I woke up to Adobe Reader trashed/broken function and I wasn't using it often. It probably suffered from a lack of update.

I don't use Adobe Reader anymore, too risky.

 

[Rolo]

HTML5 is the future

...which is not now. Until HTML5 is proven, Flash it is. New tech = new vulnerabilities/exploits. Heck, no browser fully supports HTML5 yet so we may see it sometime before the flying cars.

There's a point when security becomes "Self-Denial-of-Service".

What about all those nice and shiny embedded exploits on popular websites?

What shiny exploits? I see no exploits because I have ad and malware blockers.

Besides, Flash performs far better than HTML5 so far...HTML5 is a resource hog.

Adobe Reader? heh...seriously? Bloat and sluggishness alone is reason enough to not use it.

 

[Enju]

What shiny exploits? I see no exploits because I have ad and malware blockers.

Besides, Flash performs far better than HTML5 so far...HTML5 is a resource hog.

Good luck with that! Adblockers do diminish the chance to get hit by an exploit kit by a tiny bit, but often it's not an ad that's delivering the exploit. If you don't trust me, check it out yourself by using or automating Thug https://github.com/buffer/thug. Also using signatures as defense from malware delivered by exploits is futile, it's still childs play to get your malware FUD in no time.

Calling HTML5 or Flash a resource hog is like saying C++ has bad performance because somebody forgot to use delete... both have their advantages and disadvantages, based on the person writing the code and the field they are deployed in.

 

[Rolo]

Adblockers do diminish the chance to get hit by an exploit kit by a tiny bit

Tiny? I'd say more so than URL scanners, et. al.

Calling HTML5 or Flash a resource hog is like saying C++ has bad performance because somebody forgot to use delete

I don't know that analogy fits but even if it does, it doesn't matter why performance is inferior; it matters that it is. Additionally, you're alluding to sloppy HTML5 programming--a security vulnerability waiting to happen.