The end of Flash?

There’s a growing call to dump Adobe Flash. With alternatives based on HTML5 becoming standardized, many tech experts think a plugin that has often been a source of security holes is a liability.

Security reporter Brian Krebs has written several articles on Flash:

Browser plugins are favorite targets for malware and miscreants because they are generally full of unpatched or undocumented security holes that cybercrooks can use to seize complete control over vulnerable systems. The Flash Player plugin is a stellar example of this: It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently).

It’s also not uncommon for Adobe to release emergency fixes for the software to patch flaws that bad guys started exploiting before Adobe even knew about the bugs.

In 2010, Steve Jobs wrote an open letter explaining why Apple hasn’t supported Flash on iOS:

Adobe’s Flash products are 100% proprietary. They are only available from Adobe, and Adobe has sole authority as to their future enhancement, pricing, etc. While Adobe’s Flash products are widely available, this does not mean they are open, since they are controlled entirely by Adobe and available only from Adobe. By almost any definition, Flash is a closed system.

Apple has many proprietary products too. Though the operating system for the iPhone, iPod and iPad is proprietary, we strongly believe that all standards pertaining to the web should be open. Rather than use Flash, Apple has adopted HTML5, CSS and JavaScript – all open standards. Apple’s mobile devices all ship with high performance, low power implementations of these open standards. HTML5, the new web standard that has been adopted by Apple, Google and many others, lets web developers create advanced graphics, typography, animations and transitions without relying on third party browser plug-ins (like Flash). HTML5 is completely open and controlled by a standards committee, of which Apple is a member.

It’s misleading to talk about HTML5 as the alternative to Flash. HTML5 as such doesn’t support video or animations, but it provides tags to invoke video codecs. Long-running battles between open-source and MPEG formats have prevented standardization on any video format; MPEG’s H.264 (MP4 video) has achieved dominance in most markets, but the pure open-source Linux advocates are keeping Ogg Theora alive as an alternative, and Google — or should I now say “Alphabet”? — is pushing WebM, which has patents but is released under the BSD license. Are these more secure than Flash, or have attackers just not targeted them as aggressively? I don’t know. But saying that “HTML5 is completely open” misses the point. It’s like saying a drink is safe because you know exactly what the bottle is made of.

For that matter, talking about Flash as a format isn’t quite right. Flash is Adobe’s software, which supports the FLV and F4V containers, both of which are called “Flash Video.” Adobe has published their specifications, and Flash Video files most often use the Sorenson Spark and VP6 codecs.

It would be more to the point to compare Flash Video against H.264. Both use “open standards.” But “open standard” means only that it’s published and completely described, not that anyone can freely implement it. Cisco has made OpenH264 available under the BSD license but disclaims responsibility patent claims by other parties. There are open source implementations of Flash Video, but Adobe has kept its dominant position. This may be because open-source players can’t deal with DRM-protected video. DRM will be a problem for any “open” video format.

Video code is inherently vulnerable because it has to be extremely efficient. It can’t spend a lot of time on bounds checking and other protection against misbehaving code. A single bug can easily become a security hole. This is going to be a problem whatever the format is.

Flash data can be embedded in a number of document formats, including PDF and PowerPoint. If you’re seriously concerned about its risks, you need to uninstall it and not just disable it in the browser. Chrome has Flash built in, though, so you have to disable it there in addition to anything else.

The future of Flash is unclear, but I don’t think it’s going down quickly.

Comments are closed.