Thoughts on Flash security
July 21, 2015  

Flash has a pretty poor reputation in the security community and some are calling for it to be retired, in the light of its prominence in the zero-day vulnerabilities revealed in the Hacking Team doxing.

I’d like to take a moment to say that Flash is pretty great. There’s a reason for its success: it’s a great web animation library and editor, and it came early (mid-1990s). It had competitors but you don’t hear about them anymore; Flash won. Moreover, Flash made video on the web possible. I actually bought a copy, back when that was a thing.

Flash’s security story is interesting. The Flash language, ActionScript, is a memory-safe language (at this point it is a dialect of JavaScript). Naively, this should make Flash immune to the sorts of vulnerabilities you see exploited by the likes of Hacking Team. However, the compiler/interpreter for the language and some of its libraries are themselves written in C/C++, which aren’t memory safe. This is where (I believe) the vulnerabilities are coming from.
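To make that split concrete, here is an added example in C (the language of the Flash runtime), not code from the original post or from Flash itself: a toy host-side array helper for a memory-safe guest language, first with the bounds check the guest relies on omitted, then with it enforced in the C layer. All names (`guest_array`, `ga_get_unchecked`, `ga_get`) are hypothetical.

```c
/* Added example, not from the original post or from Flash. A toy host
 * runtime in C for a memory-safe guest language: the guest promises
 * bounds-checked arrays, but that promise is only as good as the C helper
 * that implements the access. All names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct {
    int32_t *items;  /* heap storage owned by the runtime */
    size_t length;   /* element count the guest is allowed to see */
} guest_array;

/* Allocate a zero-filled guest array; NULL on failure. */
guest_array *ga_new(size_t length) {
    guest_array *a = calloc(1, sizeof *a);
    if (a == NULL) return NULL;
    a->items = calloc(length ? length : 1, sizeof *a->items);
    if (a->items == NULL) { free(a); return NULL; }
    a->length = length;
    return a;
}

void ga_free(guest_array *a) {
    if (a == NULL) return;
    free(a->items);
    free(a);
}

/* Defective helper: the kind of bug the post attributes to the C/C++ layer.
 * It trusts the guest-supplied index, so a guest read of items[length] or a
 * negative index reaches outside the allocation even though the guest
 * language itself is memory safe. Kept only to contrast with ga_get. */
int ga_get_unchecked(const guest_array *a, long index, int32_t *out) {
    *out = a->items[index];  /* no bounds check: undefined behaviour on a bad index */
    return 0;
}

/* Hardened helper: the guest language's guarantee is enforced here, in C.
 * Returns 0 and stores the element on success, -1 without touching memory
 * otherwise. */
int ga_get(const guest_array *a, long index, int32_t *out) {
    if (a == NULL || out == NULL) return -1;
    if (index < 0 || (size_t)index >= a->length) return -1;
    *out = a->items[index];
    return 0;
}
```

The guest program is identical in both cases; only the host helper decides whether its memory-safety guarantee actually holds.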

It’s strange to see calls for Flash to be retired without seeing any discussion of the root problem: unsafe languages like C/C++. It would be equally valid to say that all of the major web browsers should be retired—like Flash, they are all written in C/C++, and like Flash, they have all had dozens and dozens of serious vulnerabilities. But no one is suggesting that we stop web browsing.

The Hacking Team document dump has led to another major patch announcement, by Microsoft. The patch repairs a bug in font handling that affects almost all versions of Windows and can be exploited to achieve remote code execution. And yet no one is calling for us to disable font rendering!

Flash may be going the way of the dodo, but the root issue will remain. And that deserves a lot more publicity.