How secure is Flash? Here's what Adobe won't tell you

Summary: Adobe's co-founder and co-chairman says concerns about security in Flash Player are "old news." Adobe even cites a Symantec study as evidence of their security record. But when you read that study, as I did, you get a completely different, and quite alarming story.

Yesterday, I called Adobe's Flash "the new Vista" and asked the company to start talking seriously about how they're addressing problems with their products instead of pretending those problems don't exist. In talking to Adobe representatives, reading interviews with Adobe executives, and reading Adobe's public statements, I've found a steady stream of denial where there should be transparency.

One of the key issues in this discussion is security. Yesterday, I rattled off some disturbing statistics about vulnerabilities in Flash Player and asked Adobe, "So, how are you planning to convince us that you’ve gotten serious about security?" No one from Adobe has gotten back to me on that one. But John Paczkowski of Digital Daily interviewed Adobe co-founder Chuck Geschke yesterday and published a transcription of the conversation this morning. Here's an excerpt that perfectly illustrates my concerns with Adobe's record.

JP: Both Apple and Microsoft have said publicly now that Flash has issues with reliability, security, and performance. Do you think those complaints are legitimate?

CG: I think they’re old news. Go to our Web site and read the actual facts about Flash. We enumerate the facts about Flash there as we see them. [Microsoft and Apple] may have a different set of facts that they believe are accurate. It’s up to you to decide.

"Old news"? Obi-Wan Kenobi can get away with that kind of hand-waving. The CEO of a public company with a market cap of $18 billion can't. I intend no criticism of Paczkowski, who did an excellent job under the circumstances, but Geschke's statement demands some serious fact-checking.

I followed the link to Adobe's new "Setting the record straight" page, emphatically titled The truth about Flash. Here is the first of two paragraphs that appears under the Security heading:

Security is one of the highest priorities for the Flash Player team. The Symantec Global Internet Threat Report for 2009 found that Flash had the second fewest number of vulnerabilities of all Internet technologies listed (which included both web plug-ins and browsers). This is significant when you consider that Flash Player is among the most widely distributed and used pieces of software in the world. [emphasis added]

That is, charitably speaking, a gross distortion of the facts. And I find it interesting that Adobe's rebuttal does not include a link to the Symantec report they cite. That makes it more difficult for readers (and reporters) to fact-check their claim. So here, allow me to help. Symantec's Internet Security Threat Report page includes links to the full report (PDF), which was published in April 2010 and covers the year 2009. There's also an executive summary (PDF) and a link to archived reports from previous years. You're welcome to read along with me. Tell me if you think that assertion from Adobe is accurate.

First, a quote from page 40 of the full 2009 report:

In 2009, Symantec documented 321 vulnerabilities affecting plug-ins for Web browsers (figure 9). ActiveX technologies were affected by 134 vulnerabilities, which was the highest among the plug-in technologies examined. Of the remaining technologies, Java SE had 84 vulnerabilities, Adobe Reader had 49 vulnerabilities, QuickTime had 27 vulnerabilities, and Adobe Flash Player was subject to 23 vulnerabilities. The remaining four vulnerabilities affected extensions for Firefox.

I suppose there's some schadenfreude for Adobe in seeing four more vulnerabilities for QuickTime than for Flash Player. But really, is the discovery of 23 vulnerabilities in a single year really something to brag about? Is it somehow an endorsement of Flash Player's security? Well, to answer those questions you would need to assess the seriousness of those vulnerabilities and determine which ones were attacked. For some reason, Adobe made no mention of this paragraph, which appears in the Symantec report a mere two pages later:

Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe Reader and Flash Player was the second most attacked vulnerability. This was also one of four zero-day vulnerabilities affecting Adobe plug-ins during 2009. Two of the vulnerabilities were in the top five attacked vulnerabilities for 2009. Additionally, Adobe vulnerabilities have been associated with malicious code attacks such as the Pidief.E Trojan.

Perhaps Adobe's performance in 2009 was an improvement over previous years? Uh, no. The 2008 edition of Symantec's annual report found only 16 vulnerabilities in the Flash Player, and the 2007 edition (published in two parts) found no Flash-related vulnerabilities in the first half of the year and 11 in the second half. From 11 to 16 to 23? That is not a trend line that Adobe should be proud of.

In fact, there is nothing in the Symantec report that is flattering toward Adobe and its security record. On page 37, Symantec offers this advice for organizations:

In order to reduce the threat of successful exploitation of Web browsers, administrators should maintain a restrictive policy regarding which applications are allowed within the organization. […] Browser security features and add-ons should be employed wherever possible to disable JavaScript™, Adobe Flash Player, and other content that may present a risk to the user when visiting untrusted sites. [emphasis added]

What the CEO should be saying right now goes something like this: "Yes, we know there are security issues with Flash Player, as there are with all Internet-based programs. We think our adversaries are exaggerating their impact, but we take them very seriously." At that point, he should turn the floor over to whoever is in charge of security development for Adobe, who can explain, in detail, what sort of processes are in place today to turn that trend line back downward.

Instead, the co-founder and co-chairman waves his hand and dismisses serious security issues as "old news."

It's clear that Adobe's sheer stubbornness in refusing to address these issues starts at the top.

Topics: Security, Enterprise Software

Talkback

132 comments
  • RE: How secure is Flash? Here's what Adobe won't tell you

    I've been at the point of total frustration with the way that Flash advertising took over my computer screen for several years. I didn't update Flash often & usually tried to stay at least 2 or 3 minor upgrades behind so that on IE I could surf in peace. Once I switched to Firefox I added an extension that blocked Flash entirely. I have to manually allow any Flash video to run, that way I don't get all this junk "Flash"ing at me and it keeps vulnerabilities at bay.
    EasierPC
    • I Agree, Controlling Flash From Consumer Side Makes More Sense!

      @EasierPC ED normally would bring this point up. Yes.... SECURITY is easier to control on the PC/OS/Browser side. Your Firefox Browser doesn't use Active X, as its Security control either. The addons though are a nice feature to give control to YOU the owner and user of your equipment and OS. But he didn't mention that QuickTime with 27 vulnerabilities had a far higher ratio of Security problems and it too uses MS's Active X Control for Security. So I'll explain it here.

      On IE and even in other browsers on Windows, you must have an Active X Component installed for it to even work. For over 10yrs, Active X has been a thorn in Security Experts' sides. It is the ONLY way ANYONE can claim FLASH is insecure. Otherwise..... I would have FLASH Security Issues on Linux and Macs. Which nobody does!

      Symantec's reports specifically target "Remote Code Execution" problems on Windows Operating Systems Only. Having nothing to do with a player that only carries out what it's told to do according to Microsoft's own Security Authentication that is just plain schizt in Active X!

      The culprit is again (as has been for over 10yrs).... ACTIVE X and some VBScripting components from Microsoft. That are not controlled or even written by Adobe for Flash. It is after all simply a player (like any other) within a container file. They can tell Microsoft, their Security components in Active X sucks all they want (just like the NSA and everyone else tells them), every year and they've just never done anything to change that!!!

      Sorry ED but you are totally mis-presenting who the culprit is and who's really in control of FLASH Security in this story! ;)
      Monarky
      • Not the least bit true.

        @Monarky

        That is really breathtakingly wrong. Allow me to provide you some links, which I chose at random:

        http://www.symantec.com/security_response/vulnerability.jsp?bid=35759

        http://www.symantec.com/security_response/vulnerability.jsp?bid=28695

        I could go on and on, but if you read the list of affected products I think you'll get the point.
        Ed Bott
      • Ed Better Read Up on Competing Operating Systems! ;)

        @ED Bott How does "Remote Code Execution" affect Linux? "buffer overflow in the flash-player plugin"!!! That's it.... that's all it does!

        And they even fixed that ridiculously weak issue in a heartbeat over night with an Update. Here's Novell's paper:
        http://www.novell.com/linux/security/advisories/2009_41_flash.html

        A buffer overload is not ever... going to take control of your computer or be capable of executing malicious code (Remote Code Execution) on an OS that doesn't even understand it!

        The list is just a list of the Operating Systems Adobe Flash is installed on. Most importantly...... FLASH is the LEAST affected and it completely dominates the Web in its use. Like Windows being installed on the majority of hardware. The Truth? ....those lists are all platforms FLASH is installed on. But if the only problem it can cause is "Buffer Overflow" on most of them. Where's the Security issue?
        Monarky
      • Seriously?

        @Monarky

        OK, you have no understanding of computer security. Sorry I engaged.

        I'm backing away now before you embarrass yourself further.
        Ed Bott
      • Embarrass Myself Further! haha.... You Can't Even Boot Linux w/ AppArmor!

        @Monarky Yeah right! Like "remote code execution" can affect a Mac or Linux OS machine outside of the Browser anyway. Come on DOS attacks and buffer overflows are all you'll ever see on Linux when the attack fails. Which it will inevitably do. Because these "Remote Code Execution" vulnerabilities are all programmed for Windows machines. Side by side I'll take Linux with AppArmor over any Windows machine!

        Sure you can take control of mics or cameras in Flash on WINDOWS. But you CAN'T kill or control anything outside of the Browser, unless the malicious code targets that specific OS and its devices via proper code.

        But on Ubuntu, your Browser runs in a sandboxed environment, anyway within App Armor. So even if hackers started coding for Linux you're protected. But the only way to really beat "Remote Code Execution" vulnerabilities on any platform is by first adopting a "Best Practices" policy in your Web Surfing. Doesn't hurt to install some 3rd party software to detect malicious code in the first place and Sandboxing your browser should all be part of your defense on any platform.

        Slow downs and buffer overflows are hardly security issues on OS-X or Linux installs, after running into malware or malicious sites created for killing Windows machines.

        Quit kidding yourself and making out like you have superior knowledge about security systems on Platforms, you don't even know how to boot up or operate. Let alone install things like Grsecurity or App Armor (installed by default on Ubuntu) to keep you functioning on Linux, even in the face of "Remote Code Execution" vulnerabilities that have never affected these Linux setups in the first place! ....I've never been even touched by "Remote Code Execution" vulnerabilities running Linux with my browser sandboxed in AppArmor! .....so yeah your Security issues on Windows are all Greek to me! :D
        Monarky
      • RE: How secure is Flash? Here's what Adobe won't tell you

        @Monarky: You come on strong. Unfortunately, you apparently know very little about Flash, ActiveX and plugins/extensions.

        Just to address (some of) your misconceptions in order:

        "Your Firefox Browser doesn't use Active X, as it's Security control either"

        Correct. No browser uses ActiveX as "security control". No, not even IE.

        "...and [QuickTime] too uses MS's Active X Control for Security"

        No, ActiveX is not a "security control" mechanism. More on that below.

        "Symantec's reports specifically target "Remote Code Execution" problems on Windows Operating Systems Only. Having nothing to do with a player that only carries out what it's told to do according to Microsoft's own Security Authentication that is just plain schizt in Active X!"

        Oh my. Are you somehow alleging that "remote code execution" vulnerabilities do not exist on other platforms because they do not support ActiveX? News for you: Code execution vulnerabilities exist on all platforms. Actually, the platform which does the most to prevent vulnerabilities from being exploited is *Windows*. And no, it has nothing to do with ActiveX.

        "Having nothing to do with a player that only carries out what it's told to do according to Microsoft's own Security Authentication that is just plain schizt in Active X!"

        It is hard to make sense of this statement, but I think you are trying to blame ActiveX for player vulnerabilities? ActiveX does have issues (more below) but this is just nonsensical! ActiveX does not make vulnerabilities worse or mitigate them. You need to educate yourself on ActiveX instead of simply going with a myth.

        "The culprit is again (as has been for over 10yrs).... ACTIVE X and some VBScripting components from Microsoft."

        ActiveX has actually had precious few vulnerabilities. But you need to understand what is ActiveX before you have any chance of comprehending this. Hence:

        ActiveX

        ActiveX is a component technology which can be used to design pluggable components. Internet Explorer is a popular ActiveX "host". A host exposes an implementation of a contract API which enables the ActiveX components to interact with the host. As such it is comparable to browser plugin architecture used by other browsers. The difference is that ActiveX is a system wide standard - not just for browser plugins.

        ActiveX was promoted by Microsoft as an alternative to Java applets at the time where everyone thought that applets would be big. However, unlike Java applets, ActiveX does not run managed code with software isolation. Nor did it originally support a sandbox. This is in line with other browser plugin architectures. Thus, downloaded ActiveX controls run with the same privileges as the logged in user (until Windows Vista).

        As such, ActiveX has been a robust technology, but it was woefully inadequate for using as an ad-hoc extension mechanism on the Internet. The way ActiveX controls came to be used would be comparable to constantly downloading and installing new plugins to your browser.

        So the problem with ActiveX is not that it is buggy (it is not) or that it is inherently insecure (it is not more or less insecure than browser plugins).

        Flash vulnerabilities are not made more or less severe depending on ActiveX. *ActiveX is simply a plugin mechanism.* It is not designed to provide a sandbox (although it will now respect a sandbox like in IE).

        ActiveX has been (mis)used by some vendors/websites to "enhance" their websites where they did not really need code to run on the users' systems. Vulnerabilities in such plugins (ActiveX controls) have been exploited by attackers to compromise users' machines. It is important to understand that these are not vulnerabilities in ActiveX infrastructure. They are simply vulnerabilities in code produced by a 3rd party.

        Flash is actually a plugin/ActiveX control which legitimately *needs* access to the users' systems. Specifically it needs access to hardware/devices such as hardware acceleration, webcam, microphone etc.
        honeymonster
      • RE: How secure is Flash? Here's what Adobe won't tell you

        @Monarky

        Yes, you have just embarrassed yourself.

        FFS, buffer overflows are the mother of all memory corruption bugs. It generally lets the attacker take over the executing process and do whatever the user running that process can do.

        Please educate yourself before trying to debate this. You are in over your head here.

        AppArmor only protects the processes for which you have enabled it. In Ubuntu, AppArmor is not even enabled for Firefox! Not even in the latest (10.4) release.

        A profile exists for Firefox, but it must be opted-into by the user. And that profile *will not protect Flash*.

        Windows is the only OS which comes with sandboxed Flash by default. Since Vista. But (somewhat ironically) only if you use the *ActiveX* version with Internet Explorer.

        But as Ed just stated: You clearly know nothing about computer security. If you do not even know what a buffer overflow or remote code execution means, then you are not worth debating.

        Thanks.
        honeymonster
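
A way to check the point made in the comment above, that AppArmor confines only the processes it has been enabled for; this is an added example, not part of the original thread. On a Linux system with AppArmor loaded, the kernel reports each process's label in /proc/<pid>/attr/current; the function names, the constructed sample process tree, and its process and profile names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report AppArmor confinement per process.
# /proc/<pid>/attr/current holds one of:
#   unconfined              no profile is attached to the process
#   <profile> (enforce)     the profile's rules are enforced
#   <profile> (complain)    violations are only logged, nothing is blocked

# classify_label LABEL -> enforce | complain | unconfined | unknown
classify_label() {
    case "$1" in
        unconfined)      echo unconfined ;;
        *" (enforce)")   echo enforce ;;
        *" (complain)")  echo complain ;;
        *)               echo unknown ;;   # unreadable, empty, or another mode
    esac
}

# audit_confinement NAME_PATTERN [PROC_ROOT]
# Prints "pid name state" for every process whose name matches the shell
# pattern. PROC_ROOT defaults to /proc; a different root allows offline use.
audit_confinement() {
    pattern=$1
    root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        case "$comm" in
            $pattern) ;;
            *) continue ;;
        esac
        label=$(cat "$dir/attr/current" 2>/dev/null || true)
        printf '%s %s %s\n' "${dir##*/}" "$comm" "$(classify_label "$label")"
    done
}

# count_unenforced NAME_PATTERN [PROC_ROOT]
# Number of matching processes that no enforcing profile restricts.
count_unenforced() {
    audit_confinement "$@" | awk '$NF != "enforce" { n++ } END { print n + 0 }'
}

# Helper for the constructed sample: one fake /proc entry.
sample_entry() {   # ROOT PID NAME LABEL
    mkdir -p "$1/$2/attr" &&
    printf '%s\n' "$3" > "$1/$2/comm" &&
    printf '%s\n' "$4" > "$1/$2/attr/current"
}

# build_sample_proc -> path of a constructed /proc-like tree (not real data).
# "plugin-host" is a hypothetical name for a plug-in helper process.
build_sample_proc() {
    d=$(mktemp -d) || return 1
    sample_entry "$d" 101 firefox     'unconfined'
    sample_entry "$d" 102 firefox     'sample-firefox-profile (enforce)'
    sample_entry "$d" 103 plugin-host 'unconfined'
    sample_entry "$d" 104 cupsd       'sample-cupsd-profile (complain)'
    echo "$d"
}

# Demonstration on the constructed tree.
sample=$(build_sample_proc)
audit_confinement '*' "$sample"
echo "not enforced: $(count_unenforced '*' "$sample")"
rm -rf "$sample"
```

On a live system, `audit_confinement 'firefox*'` reads the real /proc. A process reported as unconfined or complain is not being restricted by AppArmor, whatever profiles are installed on disk.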
      • RE: How secure is Flash? Here's what Adobe won't tell you

        @Monarky

        ActiveX has nothing to do with security. It is not a "security component" - it isn't even a component at all. ActiveX is a set of COM interfaces for hosting UI controls within an application. IE uses this set of interfaces to host plug-ins within web pages. Every other browser supports exactly the same thing as ActiveX, they just call it something different. The only thing "special" about ActiveX is that it's not *only* a browser extension API, but a more generalized set of interfaces for UI component hosting, having grown out of COM / OLE Embedding. It is, by its nature, no more or less secure than any other browser extension mechanism which runs native code (i.e. every browser which supports Flash).

        ActiveX controls themselves have a bad reputation because:
        1) Users frequently do not understand that installing a browser extension offered by a web page is equivalent to installing an executable from a web page. In the early days, ActiveX controls / browser extensions were easier to install than applications so users thought they were safer, but they were not. Nowadays, ActiveX controls come with more warnings, so malicious controls are less likely to be installed. Further, IE runs ActiveX controls (and pages themselves) in a "sandbox" called Protected Mode which helps insulate the rest of the system from attacks by or against ActiveX controls on web pages.

        2) ActiveX is the plug-in mechanism for the most popular browser in the world. Because the browser itself has become more secure, and because browser marketshare is more spread out than it used to be, plug-ins like Flash have become more popular targets.

        Flash is a more ubiquitous target than IE because even users with different browsers, like Firefox, are more likely to have Flash. In fact, users of Firefox are *easier* to attack this way because Firefox doesn't yet sandbox plug-ins the way IE and Chrome do. And IE's sandbox feature doesn't work on Windows XP, so there's another large set of targets you can reach with a Flash exploit.

        Flash vulnerabilities generally impact most or all browsers, but are mitigated on certain browsers like IE and Chrome by their defense-in-depth measures. They tend to affect all platforms, including Linux. But nobody attacks Linux (on the desktop) because nobody uses it.

        AppArmor and SE are uncommon on real Linux deployments, and are each inferior attempts to implement the same security mitigations of other platforms like Windows. AppArmor is actually a pretty amateurish MAC implementation, partly because it's a bolt-on instead of a pervasive/native aspect of the OS design. But security features have never been a selling point for Linux.
        BrandonLive
      • RE: How secure is Flash? Here's what Adobe won't tell you

        @Monarky You obviously don't have any children in elementary school then. We have two (7 & 9) who love their flash based web sites. The 9 year-old wants an iPad even though she knows that flash doesn't work on that device, but still complains when I disable flash on our computer... go figure!
        eric2820
      • RE: How secure is Flash? Here's what Adobe won't tell you

        @Monarky The flash vulnerabilities exist just as much in Windows as they do in Linux and MAC OS. Linux and MAC OS are not immune to vulnerabilities...However different 'payload' code will be required. That being said with some cross-platform products like Open Office it is possible to create cross-platform exploits that work on Windows, Mac and Linux.
        eatredmeatfeelgood@...
      • Unfortunately Ed's Info is Dated!

        @Monarky Active X is the major culprit of Web Security and that's according to Ed's own posted numbers (though from last year).

        But have any of you bothered to check what has changed in FLASH Security in Version 10.1? No... you don't want to have to admit Adobe is doing something better about Security than any of its competitors (Microsoft). Not that there is any real competitor for what it can do. How secure is Silverlight? How secure is HTML5? Well we don't know yet on HTML5. But for video there isn't a browser player out of beta yet and they lack control and ability to view in full screen on YouTube.

        But now in YouTube's new FLASH Player we have access to new menu features.

        You can right/click on FLASH content and go to its new settings panel. Also, now on YouTube, when you R/click on a video, you have a whole list of options too; Report playback issue, Take Speed Test, Stop Download, Copy Embed HTML, Show Video Info, Copy Debug Info, Settings and then About Adobe FLASH PLAYER 10. With advanced settings under 2nd of 5 tabs in Mini Settings Panel is advanced settings w/ advanced security controls tab). This will also be on mobile devices w/ FLASH 10.1 including the Evo in June!

        Yes.... there is improved Security in FLASH 10.1 (which Ed Bott can no longer complain about)! ....and with proper hardware, you have ACCELERATION that makes a dramatic difference in how FLASH plays on these devices that support it!!!

        BTW.... I just want to point out; that FLASH relative to the number of devices and platforms it runs on and the massive content provided on the web, actually has a better success rate than you could ever imagine. Think about it!.... you are continually faced with FLASH content and if you have it installed, many times you don't even realize it's there. You only notice when it acts up and that most of the time isn't even the player's fault! ...it's with content providers or YOU having too many tabs open, etc!
        i2fun@...
    • @honeymonster and Ed Bott

      @honeymonster Making an AppArmor profile for Firefox is kindergarten stuff. But... many distros already include one and unlike Ubuntu, there is NO need for the simple minded quick click opt-in.

      Need Instructions? NOT... you don't even use Linux and you're telling me how to use it! ...and now you're saying that a plugin running within a fully profiled "AppArmored Browser" (Firefox) can somehow plant malicious code in Linux, from a web site using a Firefox Flash Plugin. I guess these hackers have a secret door or knowledge about 100's of totally different Linux Distros Directories in them! haha..

      Why according to you guys.... it knows exactly where my files (kernel modules, drivers, configs, etc) and folders are kept, within my particular Linux distro no less! Dream on buddies!!! .....btw... I DON'T use Ubuntu! ;) ...but my install came with a (full profiled) "AppArmored Firefox" browser pre-installed and enabled on first boot! lol

      Like I said..... "Surf Safe and Surf Protected". How (if you're that freaked, which you should be on Windows)? By #1.. running your Browser and OS install, through a Hyper or Secure Tunnel Service. #2 Installed on a virtual install space of some kind. Either from a or within VMware (whichever you use). #3 Since you can't run any other OS from a Live disk, naturally your only choice is Linux in Booting a Live DVD for that one! (like the director of the FBI chooses for Banking, etc)

      But.... just for the imbeciles among you, here's something you can do right on your very own bedbug infested Windows Install (remembering these numbers from above of course; Plugins & Controls, ActiveX= 134 vulnerabilities (highest among plug-ins), Java SE= 84, Adobe Reader= 49, QuickTime= 27, Adobe Flash Player= 23 the lowest of the lot. Naturally these are all on Windows! ;) haha...

      NXClient Download and run your choice of a full Linux install or more secure and faster application Browser in "Test Drive" (Yes... Flash is installed in Firefox on KDE):
      http://www.nomachine.com/download.php

      http://www.nomachine.com/testdrive.php

      ActiveX browser plugin Application Control, Utilizes Security Mechanisms to prevent malicious use of the controlled Applications. Let's see how good it actually works? But... remember it's known to be vulnerable to... malicious abuse. The NSA has gone on record as stating it as the worst plugin threat to Internet Security on the web; Re-enforcing Symantec's results above!

      ZDNet Story on Ubuntu in March (read comments from the Linux user you all love to hate, cuz he's right)!
      http://www.zdnet.com/blog/education/get-ready-to-supercharge-those-netbooks-with-ubuntu-1004/3760

      Challenge your own OS and Security to a test! :D Gather a list of known infected sites (including those w/ FLASH security vulnerabilities) and visit them in a duel. Pitting the sandboxed Linux browser (on NX Test Drive Server Browser or OS Equivalent) against your local Win XP or Vista installed IE Browser with-in minutes!

      BTW.... afterall, I'm just an everyday user. Unlike you guys claiming to be "Bona Fide Security Experts"! ;)
      Monarky
      • RE: How secure is Flash? Here's what Adobe won't tell you

        @Monarky But would that test show the true security of your system, or only be an indication of the targets of those attacks? If I wrote my own OS would it be more secure just because no one was attacking it? I guess it depends on your definition of security.

        Also you wrote that "buffer overflows are hardly security issues on OS-X". Maybe I'm wrong, but I thought Charlie Miller used buffer overflows on OS-X in safari for pwn2own at some point.
        DeadOnArrival
      • Flash still sucks. There's no getting around that.

        AzuMao
    • RE: How secure is Flash? Here's what Adobe won't tell you

      @EasierPC

      "I didn't update Flash often & usually tried to stay at least 2 or 3 minor upgrades behind so that on IE I could surf in peace."

      It's one thing to complain about advertising, something else to complain about an application you purposely failed to update.
      klockheed
  • Apply the Same Logic to Apple vs Microsoft

    Windows had years of consequences due to security related issues. Users were graced with malware and a protection racket. I would hope that Ed would apply the same logic evenly. If security is a reason to ditch Flash, then it is a reason to ditch Windows as well.

    He wrote yesterday that advertising false freedoms is unacceptable. That's funny, he's been criticizing Apple for being closed and lauding Microsoft as the champion of open architecture. Like many others, Ed confuses platform with marketplace. He has been an ongoing proponent of a broad pseudo marketplace that just happens to look exactly like the Windows platform. This marketplace has a logo, a corporate agenda, and a limited number of shareholders, but against all logic and the tenets of the free market, Ed will have you believe that it is in no way false. Apparently this has not been a monopoly. Apparently every vendor but one just coincidentally "recommends" Windows software.

    This is the guy who comes now to warn us about false freedoms? Let's consider the source.
    norgate
    • RE: How secure is Flash? Here's what Adobe won't tell you

      @norgate

      I don't think Ed needs me to defend him, but I don't see where he's advocating ditching Flash? I think the point is that Adobe should be putting their efforts into increasing Flash security rather than trying to falsely portray it as secure.

      While I agree that Ed often writes favorably about Microsoft products, I think he is objective about the shortcomings in MS products as well as others. The fact that Flash security sucks is unrelated to Microsoft, but if an insecure Microsoft product were the topic of discussion, I don't think anyone would be giving MS a free pass.

      There's been a lot of talk about Adobe and Apple lately, and I think one of the only areas of universal agreement is that Adobe software quality needs a lot of improvement. Our firm has a substantial investment in Acrobat (full version, not Reader), and I can tell you this isn't just a Flash thing. We spend more time supporting Acrobat than we do Windows and Office combined. Say what you want, they need to get busy focusing on quality.
      1DaveN
      • RE: How secure is Flash? Here's what Adobe won't tell you

        @DaveN_MVP

        HTML5 and Silverlight are in the wings. This is Ed's message. Microsoft has shown us all how to pull up our socks and fix software. Bless em. Now it took a scant 15 years mind you, but they did it. Through many of those years and countless Windows security problems, Ed did not see fit to offer up alternatives to Windows, yet two alternatives to Flash are available now. Miraculous!

        OSX had user account control and essentially zero security consequences for a 9 year stretch that saw billions in lost revenue from Windows security flaws. Now I know for a fact that Ed was critical of Microsoft at many points in this timeline. It has been a long series of calls for forbearance. At no point has the aggregate effect of years of problems been examined. It has been years of reductive hair splitting and damage control. So I'm as surprised as anybody, when Ed who is clearly a paragon of patience, even implies "alternatives are available". It is clear now, that alternatives are available for everything but Windows.
        norgate
      • RE: How secure is Flash? Here's what Adobe won't tell you

        @DaveN_MVP

        No he doesn't, but what does he or anyone else expect from FOSS zealots?
        Stan57