Security 101 - Flash is popular


To lighten the mood

it's worth it just for the fake Apple ads at the end :smile:

So, you know that touchy subject about how Flash is not secure, and all the haters telling you that everyone should uninstall it …

Well, let's learn a little about security first and then come back to Flash.

First, here are the Golden Rules of Security

  1. Software developers Always Make Mistakes.
  2. Mistakes Get Exploited.
  3. Developers tend to make the SAME mistake more than once.
  4. see 1.

And with Flash you could add: More Functionality = More Exploits

Remember 2006, when Flash 9 was released and we got the new AVM2 running ActionScript 3? Well, that was new ground for exploits.

But why is Flash exploited in the first place?

It's simple: any wildly popular technology will be attacked,
and Flash has been popular since 2001, so popular in fact that it is viral.

From the funny animation/game where you slam the face of your boss, to video, to whatever other kind of entertaining content.

Ask anyone: would you open an email attachment named "funny_stuff.exe"?
The answer would be "no", but ask the same question when the
attachment is named "funny_stuff.swf" and the answer becomes "probably" or "maybe".

But you see, it’s not only Flash, it’s anything and everything.

If you go to CVE Details (CVE stands for Common Vulnerability Exploit), on the left you can list the top 50 products with the highest number of security vulnerabilities.

Flash is ranked 7.

Does this mean it is less secure, or more popular?

Exactly: numerous security flaws are discovered because it is widely popular, but most media outlets do not present the information this way.

The media say that because numerous exploits have been discovered, it is not safe to use, and that is where Flash gets its bad reputation.

But they don't explain that the security flaws discovered were not necessarily exploited; they only had the potential to be exploited, and they were patched before being publicly announced as a known CVE.

Here is how it works:

  • security researchers find a Flash vulnerability
    in private, in their lab (i.e. not known to the public)
  • they inform Adobe about it
  • Adobe engineers work on it to provide a patch/fix
  • only when a fix for the security flaw is ready
    is the vulnerability publicly announced and categorized
  • that is when the vulnerability gets listed in a CVE database

None of that means the flaws were actually exploited.
Maybe, maybe not; there is no way to know for sure.

When you read "today's security bulletin: 500 Flash exploits found", it does not mean evil hackers were running wild with 500 keys to open the doors. No, it means, on the contrary, that 500 doors have actually been locked down.

And that is not at all how the media see and present that kind of information.

Look at the list of the top 50 products again: you can see the Linux Kernel ranked 2, Google Chrome ranked 4, etc.

Those are products with a hell of a lot of developers, security researchers and open source contributors who continuously review, inspect and research them for security flaws.

My point is that the number of security flaws discovered and publicly listed as CVEs does not make a product less secure.

That top 50 is in fact a list of what is widely popular and widely used, and oh yeah, Flash is ranked 7.

Now, you also have the case of the zero-day exploit: something that is known more or less publicly, or at least known to be used in the wild, while the vendor is not aware of it and/or has not yet issued a patch or security fix for it.

Those are the real security risks: the exploit is out there but there is no fix for it.
But those are rare, and the media make no distinction between those and the known CVEs.
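To make the distinction between a listed CVE (a locked door) and a zero-day (an open one) concrete, here is a small Python model of the lifecycle described above: researcher finds the flaw, vendor patches it, then it is listed; or, in the zero-day case, it becomes known outside before a fix exists. This is an added example written for this page, not code from the original post or from Adobe or CVE Details; the record format, the state names and every vulnerability name and date in it are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


def _d(s: Optional[str]) -> Optional[date]:
    """Parse an ISO date string; None means the event has not happened."""
    return None if s is None else date.fromisoformat(s)


@dataclass
class VulnRecord:
    """One flaw moving through the disclosure lifecycle. All values are
    constructed sample data for this example, not real advisories."""
    name: str
    found_privately: str                        # researcher finds it in the lab
    reported_to_vendor: Optional[str] = None
    patch_released: Optional[str] = None
    publicly_disclosed: Optional[str] = None    # advisory / CVE listing
    exploited_in_wild: Optional[str] = None     # first confirmed attack, if any


def lifecycle_state(v: VulnRecord, as_of: str) -> str:
    """Classify a record as it stood on the day `as_of`.

    'unknown'  : nobody has found it yet
    'private'  : only the researcher (and perhaps the vendor) know; no fix yet
    'zero-day' : the public or attackers know about it and no fix exists
    'patched'  : a fix exists; a CVE listing at this stage is a locked door
    """
    today = _d(as_of)
    if _d(v.found_privately) > today:
        return "unknown"
    patch = _d(v.patch_released)
    if patch is not None and patch <= today:
        return "patched"
    known_outside = any(
        d is not None and d <= today
        for d in (_d(v.publicly_disclosed), _d(v.exploited_in_wild))
    )
    return "zero-day" if known_outside else "private"


def exposure_window_days(v: VulnRecord) -> Optional[int]:
    """Days between the flaw first becoming known outside the vendor and the
    patch. 0 means patch and disclosure landed together (the normal CVE path);
    None means it was never known outside, or is still unpatched."""
    outside = [d for d in (_d(v.publicly_disclosed), _d(v.exploited_in_wild))
               if d is not None]
    patch = _d(v.patch_released)
    if not outside or patch is None:
        return None
    return max(0, (patch - min(outside)).days)


def summarize(records: List[VulnRecord], as_of: str) -> Dict[str, int]:
    """Count records per lifecycle state on a given day."""
    counts = {"unknown": 0, "private": 0, "zero-day": 0, "patched": 0}
    for v in records:
        counts[lifecycle_state(v, as_of)] += 1
    return counts


# Constructed sample data: four made-up flaws following the paths in the post.
SAMPLE_RECORDS = [
    # the normal path: found in a lab, reported, patched, then listed as a CVE
    VulnRecord("lab-find-A", "2015-01-05", reported_to_vendor="2015-01-06",
               patch_released="2015-02-10", publicly_disclosed="2015-02-10"),
    # reported and still being worked on by the vendor; nobody else knows
    VulnRecord("lab-find-B", "2015-03-01", reported_to_vendor="2015-03-02"),
    # first seen being used in the wild, patched ten days later
    VulnRecord("wild-C", "2015-03-10", exploited_in_wild="2015-03-10",
               reported_to_vendor="2015-03-11", patch_released="2015-03-20",
               publicly_disclosed="2015-03-20"),
    # used in the wild and still unpatched: the real risk
    VulnRecord("wild-D", "2015-04-01", exploited_in_wild="2015-04-01"),
]


if __name__ == "__main__":
    for day in ("2015-03-15", "2015-05-01"):
        print(day, summarize(SAMPLE_RECORDS, day))
    for v in SAMPLE_RECORDS:
        print(v.name, lifecycle_state(v, "2015-05-01"), exposure_window_days(v))
```

Run on the sample data, only the records in the "zero-day" state are open doors on a given day; the "patched" ones are exactly the entries a CVE count would include, which is the post's point about what a headline number does and does not say.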