I’m trying to understand the psychology of some events that have occurred in the past couple of days, and I just don’t get it. If anyone can enlighten me, please get in touch.
The Flash update…
Adobe has released another Flash update that corrects a slew of bugs which “could lead to code execution.” These are the worst kind of bugs because they can let an attacker take control of your computer and use it for their purposes.
Of the 25 bugs (CVEs) listed, 24 are due to unsafe language issues (memory corruption, etc.).
The infosec community immediately reacts by (once again) calling to abolish Flash.
… vs the Apple updates
Apple released another Mac OS X update that corrects a slew of bugs that could “execute arbitrary code.” Of 67 bugs listed, 46 are due to unsafe language issues (memory corruption, etc.).
Also, Apple released iOS 9.3.2 that corrects a slew of bugs that could “lead to arbitrary code execution.” Of 39 bugs listed, 32 are due to unsafe language issues (memory corruption, etc.).
The infosec community reacts by (once again) not calling to abolish OS X or iOS. In fact there is not much of a reaction at all, as if this is just business as usual.
The mystery
I’m not going to defend Flash. It has a history of security problems. But Apple’s products also have a history of security problems, and their number and severity are in the same ballpark. (As are those of Microsoft, Google, etc.)
Why does Flash provoke such a different reaction from the infosec community?
And why do unsafe languages (C/C++) get a free pass from the infosec community, when they seem like the root cause of these security problems?