Time to Drop Flash? How about Java?

There are many articles gleefully reporting that Mozilla and Chrome stopped Flash from running on Tuesday of this week (until the new vulnerability was patched).

readwrite: http://readwrite.com/2015/07/15/firefox-mozilla-kill-adobe-flash

There is even a movement against Flash now:

http://www.tomshardware.com/news/mozilla-blocks-flash-in-firefox,29583.html

With an interesting militant image:

[image: Occupy Flash]


Why did this happen? The problem is that Flash is multi-platform and multi-browser software, which is a plus, right? Unfortunately, making that actually work across platforms and browsers requires a few security shortcuts.

Notice my old post from January 23rd of this year: http://oversitesentry.com/page/2/?s=adobe&submit=Search

There was a CVE-2015-0310, and version 16.0.0.287 was released to fix it.


Quite a few security problems have been highlighted lately, with last week's zero-day vulnerabilities in Adobe Flash now patched.

As Brian Krebs mentioned in his post on July 7th: https://krebsonsecurity.com/2015/07/adobe-to-patch-hacking-teams-flash-zero-day/

It was the Hacking Team breach that started this: attackers broke into Hacking Team's network and, just as with Sony, released 400GB of data taken from the company network. Hacking Team is an Italian company selling software that helps countries keep track of people, so there was some anger against them.

In the Hacking Team data, three previously unknown Flash flaws were uncovered (which is why we are now at version 18.0.0.209).

http://techcrunch.com/2015/07/14/experts-find-a-third-hacking-team-flash-exploit-call-for-an-end-to-the-madness/


It is amazing that in 6 months Adobe had two major versions with hundreds of builds each.

v17 went to 17.0.0.134 on 3/12/2015: https://forums.adobe.com/thread/1736527

On June 9th, version 18 was at build 18.0.0.160: http://www.wilderssecurity.com/threads/adobe-flash-player-v18-0-0-160-released.376951/
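Keeping track of which build is actually installed is half the battle when versions move this fast. The following is an added example, not code from the original post: it takes the two fixed versions the post cites (16.0.0.287 for CVE-2015-0310, 18.0.0.209 for the Hacking Team flaws), compares an installed Flash version against them numerically (a plain string comparison would wrongly rank 18.0.0.96 above 18.0.0.209), and runs that check over a constructed hostname/version inventory of the kind a software-inventory tool would export. The hostnames, the sample versions and the "none" convention are all assumptions made for the example.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Minimum Flash Player versions carrying each fix, taken from the post's own
# version numbers. The second label is a description, not an official CVE id.
FLASH_FIXES: Dict[str, str] = {
    "CVE-2015-0310": "16.0.0.287",
    "Hacking Team flaws (July 2015)": "18.0.0.209",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version like '18.0.0.209' into a 4-tuple of ints.

    Strings compare lexicographically ('18.0.0.96' > '18.0.0.209'), so the
    components must be compared as numbers. Short versions are zero-padded.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){0,3})\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def missing_fixes(installed: str, fixes: Dict[str, str] = FLASH_FIXES) -> List[str]:
    """Return the names of fixes that the installed build does not yet contain."""
    have = parse_version(installed)
    return [name for name, fixed in fixes.items() if have < parse_version(fixed)]


# Constructed sample inventory (hostname,flash_version); "none" means the
# plugin is not installed on that host.
SAMPLE_INVENTORY = """\
host,flash_version
ws-01,18.0.0.209
ws-02,18.0.0.160
ws-03,17.0.0.134
ws-04,none
ws-05,16.0.0.257
"""


def audit(inventory_csv: str, fixes: Dict[str, str] = FLASH_FIXES) -> Dict[str, List[str]]:
    """Map each host to the Flash fixes it lacks.

    Hosts without Flash get an empty list: no plugin, no exposure.
    """
    report: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = row["flash_version"].strip().lower()
        if version in ("", "none", "not installed"):
            report[row["host"]] = []
            continue
        report[row["host"]] = missing_fixes(version, fixes)
    return report


if __name__ == "__main__":
    for host, gaps in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not gaps else "UPDATE or DISABLE: missing " + ", ".join(gaps)
        print(f"{host}: {status}")
```

Any host that comes back with a non-empty list is either behind on patches or a candidate for disabling the plugin outright; with a real inventory export in place of the constructed sample, the same function gives a quick fleet-wide answer to "are we still exposed to last week's zero-days?".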

Here is one reason why a lot of companies do not disable or uninstall Adobe Flash (quoted from the Wilders Security link above):

{ Adobe Flash Player is the high performance, lightweight, highly expressive client runtime that delivers powerful and consistent user experiences across major operating systems, browsers, mobile phones and devices.
Installed on over 750 million Internet-connected desktops and mobile devices,
Flash Player enables organizations and individuals to build and deliver great digital experiences to their end users. }

As mentioned above, the very thing that makes it "expressive" across 750 million Internet devices is what gives rise to its security problems.

An older post by a financial analyst explains a general security principle: http://www.financialsense.com/contributors/charles-hugh-smith/the-way-forward

[image: risk vs. security see-saw]


So do you disable it?

http://www.pcworld.com/article/2947381/how-to-disable-flash-player-why-nows-a-better-time-than-ever.html

PC World presents the actual settings for disabling it in the different browsers.

Whether you do depends on how much you rely on Flash content on the websites you frequent.


If you are just starting to develop a website, you may need to think twice about building it with Flash. Sure, it is a moving-picture app, very useful, and runs on a lot of devices, but there is a negative security aura around it. For that reason the browser companies, and even Facebook, are considering disabling it by default, which makes it harder to use.

Testing for security is likely not high on your list when developing a website. It should be, but usually is not.

The risk see-saw from the financial post applies to web application functionality versus security, and the poster child for function over security is Adobe Flash.

Another application that is ubiquitous across platforms, and has similar security problems, is Oracle's Java.

Graham Cluley has a nice write-up on Oracle's 193 new security vulnerabilities, which include 25 in Java.

https://grahamcluley.com/2015/07/hopefully-youve-updated-java-removed/

The bad one is CVE-2015-2590, which is a zero-day vulnerability as well.


Here is also a Flash vs. Java trends image from Google Trends:

[image: Flash vs. Java Google Trends]

A little old, but interesting nonetheless.


Let me know what you think: http://oversitesentry.com/contact-us/

Tony Zafiropoulos
