Security Week 21: Hundreds of Adobe Flash Vulnerabilities

On June 7, Adobe closed a critical vulnerability in Flash Player (news, company message). CVE-2018-5002 was detected by several research teams from China at once; it allows remote execution of arbitrary code as the result of a buffer overflow. It is a zero-day vulnerability: at the time of discovery it was already being used in targeted attacks in the Middle East. This rather serious problem is perceived as routine news simply because of the name of the affected product: who is still surprised by an RCE in Flash?

This is already the second critical zero-day vulnerability this year; the first was urgently closed in February. Adobe Flash has become a textbook example of unsafe software: it has consistently ranked among the most frequently attacked applications and has not left that ranking for years. It is still widespread among users, despite many years of attempts to replace it with objectively more efficient technologies. Whatever one's attitude to the technology, Flash has become an integral part of the history of the Internet. With the help of a couple of links and one chart, we will try to look at Flash from a security point of view and beyond.

From the glorious past to the sad present

The early history of Adobe Flash's ancestor, the drawing program SmartSketch, is a useful case study in how to bet on promising technologies when information is scarce. Imagine yourself in 1992-1993. There is no web as such; the Internet is a toy for scientists and a closed club for fans of communicating by mail and news. At the same time, the promising technologies have all been described: there are standards for multimedia PCs and for wearable devices, and there are the first tablet concepts. It is not clear which of these will develop and make money and, most importantly, in what order all these technologies will take off. The SmartSketch developers first made the wrong bet, on one of the first operating systems for wearable computers with a touch screen (PenPoint).

The system did not survive to a commercial release, and SmartSketch had to be quickly ported to Mac OS and Windows, where there were already quite a few drawing programs. Here the second strategic decision, to rebuild the project into a tool for creating animation and even to provide for publishing on the web, turned out to be right. In 1996 the product, renamed FutureSplash Animator, was released. At about the same time, Microsoft realized that the Internet was the future, started to pump marketing and development budgets into relevant projects, and set about creating things that would become really usable only 10-15 years later: all sorts of web TV and other interactivity. Interactivity includes animation, and that is when luck turned in favor of the software's creators.


Also in 1996, the project was acquired by Macromedia (and renamed Flash). By the beginning of the new millennium, the free client plugin had become the most common browser extension. In 2005, Macromedia was sold to Adobe, and by then it was no longer just software for creating complex web objects but a software development platform, in which Flash Player was merely the delivery method. Somewhere in the distance one could already discern the glimmer of a bright future in which computer manufacturers, operating system developers, and even browsers play the role of cable television operators responsible for the wiring. Meanwhile, the real money is earned on content that is created and delivered via the Flash platform and is fully controlled by Adobe. Great, right?

Perhaps this would have happened if it were not for the rise of mobile devices, which had a different interaction model (a pen and fingers instead of a mouse) and much weaker hardware than ordinary PCs. Flash was present, for example, in Windows Mobile OS, but the experience was so-so. In 2007, Apple released the first iPhone, a smartphone on which browsing the full web became more or less convenient. The absence of Flash was often presented as one of the device's serious drawbacks: without it, at the end of the 2000s, it was impossible to stream video and audio from many sites, to use some business applications, and, of course, to play some jolly farm game. In 2010, immediately after the release of the iPad, which also did not have Flash, Steve Jobs wrote an open letter explaining why Flash would never appear on Apple mobile devices.


I will briefly list Jobs's main arguments against Flash. First, it is a closed standard (Jobs concedes that Apple has plenty of proprietary technology too, but holds that web standards must be open). As a counterexample he cites the WebKit engine, developed by Apple and used everywhere (the letter mentions Nokia smartphones, and at the time that was still relevant!).

Resources and battery: the letter gives the example of the inefficient implementation of the H.264 codec in Flash, which does not allow full use of video decoding hardware. Hence the increased load on the processor and half an hour of battery life. Then there is a design tailored to mouse control that cannot work properly with finger input, and Adobe's lack of motivation to optimize Flash applications for the iPhone and iPad. Finally, both security and reliability were mentioned (“the number one reason for Macintosh computers crashing”).

Oh, what a row began then. The head of Adobe, of course, responded: Macs, he said, crash because the OS is buggy; the claims about battery consumption are all lies; and, of course, "we are for multiplatform." It seems that the dream of a program that is written once and then runs on anything, be it a PC or a coffee maker, was never realized. The problems of efficient coding are being solved one way or another, just without Adobe and the Flash platform.

For a relatively long time, Flash was quite a simple and convenient tool, with a working delivery mechanism to a huge audience. And then it ceased to be such a tool: on July 25, 2017, Adobe announced that it was winding down development and support for Flash. The reason is the universal adoption of those very open web standards. Since then, Flash's story as a zombie platform has begun, a.k.a. a time bomb on the computers of millions of users.



How bad is it?

The question should be divided into two parts: how bad is it for you personally, and how bad is Adobe Flash from a security point of view? The first question is easy to answer yourself: go to the page on the Adobe website with the Flash Player version check widget. In my case, the Chrome browser first asked for permission to launch Flash, and then showed that I have the latest version, with the zero-day from June 7 patched. Everything seems to be fine: the browser vendor (Chrome) automatically keeps the Flash plugin up to date. On the other hand, it would be quite possible to turn this functionality off altogether: an ordinary user will not think twice about a prompt to run Flash when a page loads. And there are plenty of situations in which even the latest version of the plugin is critically vulnerable.


How bad is Flash Player in general? The CVE vulnerability database gives a general overview. At the time of publication, it held information about 1047 Flash Player vulnerabilities since 2005. The largest number of vulnerabilities was added to the database in 2015 and 2016, even as Adobe was announcing a radical increase in platform security. Adobe Reader, which is also quite often used in cyber attacks, has 368 vulnerabilities recorded in the same CVE database, almost three times fewer. 86% of the Flash Player vulnerabilities in CVE are assigned a severity level of 9-10, that is, they are critical vulnerabilities. 79% are directly marked as leading to the execution of arbitrary code.

The price of unsafe software

I cannot say that I agree with Steve Jobs's letter about Flash. Do not forget that it was written in 2010, when watching a video on YouTube in HTML5 without jumping through hoops was difficult (Flash was turned off completely only in 2015). The demise of Flash is a business story about a technology that began to lose ground long before it became nearly the most frequently attacked software.

So imagine yourself at Adobe: for 13 years, the technology has brought the company a lot of money. For a number of reasons, it is time for the technology to retire, but for another three years it will generate revenue, thanks to the industry's desire to maintain compatibility. Development has stopped, investment is zero, and the income keeps coming: lovely! But no, some technical decisions made long ago, or simply security oversights, force the company to spend considerable money and resources on keeping a product that does not deserve it minimally presentable. But it has to be done: otherwise there will be damage to reputation, and even legal costs.

It would be interesting to read someone's memoirs with an analysis: how did it come to this? Ideally with advice on how to avoid it in the future. So far, we can only conclude that one must invest in security almost before product development begins. You can, of course, assume that some other people will have to clean up the original blunders later, after the profits and bonuses have been collected. But that is not a serious approach. How responsibly is foundational software being developed in our time? Will we find out in 10-15 years?

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The dear editors generally recommend treating any opinions with healthy skepticism.

Source: https://habr.com/ru/post/413981/

