The Ed Bott Report

Ed Bott
Home / News & Blogs / The Ed Bott Report

How secure is Flash? Here's what Adobe won't tell you

By | May 14, 2010, 12:15pm PDT

Summary: Adobe’s co-founder and co-chairman says concerns about security in Flash Player are “old news.” Adobe even cites a Symantec study as evidence of their security record. But when you read that study, as I did, you get a completely different, and quite alarming story.

Yesterday, I called Adobe’s Flash “the new Vista” and asked the company to start talking seriously about how they’re addressing problems with their products instead of pretending those problems don’t exist. In talking to Adobe representatives, reading interviews with Adobe executives, and reading Adobe’s public statements, I’ve found a steady stream of denial where there should be transparency.

One of the key issues in this discussion is security. Yesterday, I rattled off some disturbing statistics about vulnerabilities in Flash Player and asked Adobe, “So, how are you planning to convince us that you’ve gotten serious about security? No one from Adobe has gotten back to me on that one. But John Paczkowski of Digital Daily interviewed Adobe co-founder Chuck Geschke yesterday and published a transcription of the conversation this morning. Here’s an excerpt that perfectly illustrates my concerns with Adobe’s record.

JP: Both Apple and Microsoft have said publicly now that Flash has issues with reliability, security, and performance. Do you think those complaints are legitimate?

CG: I think they’re old news. Go to our Web site and read the actual facts about Flash. We enumerate the facts about Flash there as we see them. [Microsoft and Apple] may have a different set of facts that they believe are accurate. It’s up to you to decide.

“Old news”? Obi-Wan Kenobi can get away with that kind of hand-waving. The CEO of a public company with a market cap of $18 billion can’t. I intend no criticism of Paczkowski, who did an excellent job under the circumstances, but Geschke’s statement demands some serious fact-checking.

I followed the link to Adobe’s new “Setting the record straight” page, emphatically titled The truth about Flash. Here is the first of two paragraphs that appears under the Security heading:

Security is one of the highest priorities for the Flash Player team. The Symantec Global Internet Threat Report for 2009 found that Flash had the second fewest number of vulnerabilities of all Internet technologies listed (which included both web plug-ins and browsers). This is significant when you consider that Flash Player is among the most widely distributed and used pieces of software in the world. [emphasis added]

That is, charitably speaking, a gross distortion of the facts. And I find it interesting that Adobe’s rebuttal does not include a link to the Symantec report they cite. That makes it more difficult for readers (and reporters) to fact-check their claim. So here, allow me to help. Symantec’s Internet Security Threat Report page includes links to the full report (PDF), which was published in April 2010 and covers the year 2009. There’s also an executive summary (PDF) and a link to archived reports from previous years. You’re welcome to read along with me. Tell me if you think that assertion from Adobe is accurate.

First, a quote from page 40 of the full 2009 report:

In 2009, Symantec documented 321 vulnerabilities affecting plug-ins for Web browsers (figure 9). ActiveX technologies were affected by 134 vulnerabilities, which was the highest among the plug-in technologies examined. Of the remaining technologies, Java SE had 84 vulnerabilities, Adobe Reader had 49 vulnerabilities, QuickTime had 27 vulnerabilities, and Adobe Flash Player was subject to 23 vulnerabilities. The remaining four vulnerabilities affected extensions for Firefox.

I suppose there’s some schadenfreude for Adobe in seeing four more vulnerabilities for QuickTime than for Flash Player. But really, is the discovery of 23 vulnerabilities in a single year really something to brag about? Is it somehow an endorsement of Flash Player’s security? Well, to answer those questions you would need to assess the seriousness of those vulnerabilities and determine which ones were attacked. For some reason, Adobe made no mention of this paragraph, which appears in the Symantec report a mere two pages later:

Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe Reader and Flash Player was the second most attacked vulnerability. This was also one of four zero-day vulnerabilities affecting Adobe plug-ins during 2009. Two of the vulnerabilities were in the top five attacked vulnerabilities for 2009. Additionally, Adobe vulnerabilities have been associated with malicious code attacks such as the Pidief.E Trojan.

Perhaps Adobe’s performance in 2009 was an improvement over previous years? Uh, no. The 2008 edition of Symantec’s annual report found only 16 vulnerabilities in the Flash Player, and the 2007 edition (published in two parts) found no Flash-related vulnerabilities in the first half of the year and 11 in the second half. From 11 to 16 to 23? That is not a trend line that Adobe should be proud of.

In fact, there is nothing in the Symantec report that is flattering toward Adobe and its security record. On page 37, Symantec offers this advice for organizations:

In order to reduce the threat of successful exploitation of Web browsers, administrators should maintain a restrictive policy regarding which applications are allowed within the organization. […] Browser security features and add-ons should be employed wherever possible to disable JavaScript™, Adobe Flash Player, and other content that may present a risk to the user when visiting untrusted sites. [emphasis added]

What the CEO should be saying right now goes something like this: “Yes, we know there are security issues with Flash Player, as there are with all Internet-based programs. We think our adversaries are exaggerating their impact, but we take them very seriously.” At that point, he should turn the floor over to whoever is in charge of security development for Adobe, who can explain, in detail, what sort of processes are in place today to turn that trend line back downward.

Instead, the co-founder and co-chairman waves his hand and dismisses serious security issues as “old news.”

It’s clear that Adobe’s sheer stubbornness in refusing to address these issues starts at the top.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “The Ed Bott Report”

Topics

Adobe Systems Inc., Adobe Flash, Symantec Corp., Vulnerability, Flash Player, Security, Ed Bott

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications.

Disclosure

Ed Bott

Ed Bott is a freelance technical journalist and book author. All work that Ed does is on a contractual basis.

Since 1994, Ed has written more than 25 books about Microsoft Windows and Office. Along with various co-authors, Ed is completely responsible for the content of the books he writes. As a key part of his contractual relationship with publishers, he gives them permission to print and distribute the content he writes and to pay him a royalty based on the actual sales of those books. Ed's books are currently distributed by Que Publishing (a division of Pearson Education) and by Microsoft Press.

On occasion, Ed accepts consulting assignments. In recent years, he has worked as an expert witness in cases where his experience and knowledge of Microsoft and Microsoft Windows have been useful. In each such case, his compensation is on an hourly basis, and he is hired as a witness, not an advocate.

Ed does not own stock or have any other financial interest in Microsoft or any other software company. He owns 500 shares of stock in EMC Corporation, which was purchased before the company's acquisition of VMWare. In addition, he owns 350 shares of stock in Intel Corporation, purchased more than two years ago. All stocks are held in retirement accounts for long-term growth.

Ed does not accept gifts from companies he covers. All hardware products he writes about are purchased with his own funds or are review units covered under formal loan agreements and are returned after the review is complete.

Biography

Ed Bott

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. He's served as editor of the U.S. edition of PC Computing and managing editor of PC World; both publications had monthly paid circulation in excess of 1 million during his tenure. He is the author of more than 25 books on Microsoft Windows and Office, including the recently released Windows 7 Inside Out.

Talkback Most Recent of 131 Talkback(s)

  • RE: How secure is Flash? Here's what Adobe won't tell you
    I've been at the point of total frustration with the way that Flash advertising took over my computer screen for several years. I didn't update Flash often & usually tired to stay at least 2 or 3 minor upgrades behind so that on IE I could surf in peace. Once I switched to Firefox I added an extension that blocked Flash entirely. I have to manually allow any Flash video to run, that way I don't get all this junk "Flash"ing at me and it keeps vulnerabilities at bay.
    ZDNet Gravatar
    EasierPC
    14th May 2010
  • I Agree, Controlling Flash From Consumer Side Makes More Sense!
    @EasierPC ED normally would bring this point up. Yes.... SECURITY is easier to control on the PC/OS/Browser side. Your Firefox Browser doesn't use Active X, as it's Security control either. The addons though are a nice feature to give control to YOU the owner and user of your equipment and OS. But he didn't mention that QuickTime with 27 vulnerabilities had a far higher ratio of Security problems and it too uses MS's Active X Control for Security. So I'll explain it here.

    On IE and even in other browsers on Windows, you must have an Active X Component installed for it to even work. For over 10yrs, Active X has been a thorn in Security Experts sides. It is the ONLY way ANYONE can claim FLASH is insecure. Otherwise..... I would have FLASH Security Issues on Linux and Macs. Which nobody does!

    Symantec's reports specifically target "Remote Code Execution" problems on Windows Operating Systems Only. Having nothing to do with a player that only carries out what it's told to do according to Microsoft's own Security Authentication that is just plain schizt in Active X!

    The culprit is again (as has been for over 10yrs).... ACTIVE X and some VBScripting components from Microsoft. That are not controlled or even written by Adobe for Flash. It is after all simply a player (like any other) within a container file. They can tell Microsoft, their Security components in Active X sucks all they want (just like the NSA and everyone else tells them), every year and they've just never done anything to change that!!!

    Sorry ED but you are totally mis-presenting who the culprit is and who's really in control of FLASH Security in this story!
    ZDNet Gravatar
    Monarky
    14th May 2010

  • ZDNet Blogger

    Not the least bit true.
    @Monarky

    That is really breathtakingly wrong. Allow me to provide you some links, which I chose at random:

    http://www.symantec.com/security_response/vulnerability.jsp?bid=35759

    http://www.symantec.com/security_response/vulnerability.jsp?bid=28695

    I could go on and on, but if you read the list of affected products I think you'll get the point.
    ZDNet Gravatar
    Ed Bott
    14th May 2010
  • Ed Better Read Up on Competing Operating Systems!
    @ED Bott How does "Remote Code Execution" affect Linux? "buffer overflow in the flash-player plugin"!!! That's it.... that's all it does!

    And they even fixed that ridiculously weak issue in a heartbeat over night with an Update. Here's Novell's paper:
    http://www.novell.com/linux/security/advisories/2009_41_flash.html

    A buffer overload is not ever... going to take control of your computer or be capable of executing malicious code (Remote Code Execution) on an OS that doesn't even understand it!

    The list is just a list of the Operating Systems Adobe Flash is installed on. Most importantly...... FLASH is the LEAST affected and it completely dominates the Web in it's use. Like Windows being installed on the majority of hardware. The Truth? ....those lists are all platforms FLASH is installed on. But if the only problem it can cause is "Buffer Overflow" on most of them. Where's the Security issue?
    ZDNet Gravatar
    Monarky
    14th May 2010
    • Flagged

  • ZDNet Blogger

    Seriously?
    @Monarky

    OK, you have no understanding of computer security. Sorry I engaged.

    I'm backing away now before you embarrass yourself further.
    ZDNet Gravatar
    Ed Bott
    14th May 2010
  • Embarrass Myself Further! haha.... You Can't Even Boot Linux w/ AppArmor!
    @Monarky Yeah right! Like "remote code execution" can affect a Mac or Linux OS machine outside of the Browser anyway. Come on DOS attacks and buffer overflows are all you'll ever see on Linux when the attack fails. Which it will inevitably do. Because these "Remote Code Execution" vulnerabilities are all programed for Windows machines. Side by side I'll take Linux with AppArmor over any Windows machine!

    Sure you can take control of mics or cameras in Flash on WINDOWS. But you CAN'T kill or control anything outside of the Browser, unless the malicious code targets that specific OS and it's devices via proper code.

    But on Ubuntu, you're Browser runs in a sandboxed environment, anyway within App Armor. So even if hackers started coding for Linux you're protected. But the only way to really beat "Remote Code Execution" vulnerabilities on any platform is by first adopting a "Best Practices" policy in your Web Surfing. Doesn't hurt to install some 3rd party software to detect malicious code in the first place and Sandboxing your browser should all be part of your defense on any platform.

    Slow downs and buffer overflows are hardly security issues on OS-X or Linux installs, after running into malware or malicious sites created for killing Windows machines.

    Quit kidding yourself and making out like you have superior knowledge about security systems on Platforms, you don't even know how to boot up or operate. Let alone install things like Grsecurity or App Armor (installed by default on Ubuntu) to keep you functioning on Linux, even in the face of "Remote Code Execution" vulnerabilities that have never affected these Linuxs setups in the first place! ....I've never been even touched by "Remote Code Execution" vulnerabilities running Linux with my browser sandboxed in AppArmor! .....so yeah your Security issues on Windows are all Greek to me! grin
    ZDNet Gravatar
    Monarky
    14th May 2010
  • RE: How secure is Flash? Here's what Adobe won't tell you
    @Monarky: You come on strong. Unfortunately, you apparently know very little about the Flash, ActiveX and plugins/extensions.

    Just to address (some of) your misconceptions in order:

    " Your Firefox Browser doesn't use Active X, as it's Security control either "

    Correct. No browser use ActiveX as "security control". No, not even IE.

    " ...and [QuickTime] too uses MS's Active X Control for Security "

    No, ActiveX is not a "security control" mechanism. More on that below.

    " Symantec's reports specifically target "Remote Code Execution" problems on Windows Operating Systems Only. Having nothing to do with a player that only carries out what it's told to do according to Microsoft's own Security Authentication that is just plain schizt in Active X! "

    Oh my. Are you somehow alleging that "remote code execution" vulnerabilities do not exist on other platforms because they do not support ActiveX? News for you: Code execution vulnerabilities exists on all platforms. Actually, the platform which does the most to prevent vulnerabilities from being exploited is Windows . And no, it has nothing to do with ActiveX.

    " Having nothing to do with a player that only carries out what it's told to do according to Microsoft's own Security Authentication that is just plain schizt in Active X! "

    It is hard to make sense of this statement, but I think you are trying to blame ActiveX for player vulnerabilities? ActiveX does have issues (more below) but this is just nonsensical! ActiveX does not make vulnerabilities worse or mitigate them. You need to educate yourself on ActiveX instead of simply going with a myth.

    " The culprit is again (as has been for over 10yrs).... ACTIVE X and some VBScripting components from Microsoft. "

    ActiveX has actually had precious few vulnerabilities. But you need to understand what is ActiveX before you have any chance of comprehending this. Hence:

    ActiveX

    ActiveX in component technology which can be used to design pluggable components. Internet Explorer is a popular ActiveX "host". A host exposes an implementation of a contract API which enable the ActiveX components to interact with the host. As such it is comparable to browser plugin architecture used by other browsers. The difference is that ActiveX is a system wide standard - not just for browser plugins.

    ActiveX was promoted by Microsoft as an alternative to Java applets at the time where everyone though that applets would be big. However, unlike Java applets, ActiveX does not run managed code with software isolation. Nor did it originally support a sandbox. This is in line with other browser plugin architectures. Thus, downloaded ActiveX controls runs with the same privileges as the logged in user (until Windows Vista).

    As such, ActiveX has been a robust technology, but it was woefully inadequate for using as an ad-hoc extension mechanism on the Internet. The way ActiveX controls came to be used would be comparable to constantly downloading and installing new plugins to your browser.

    So the problem with ActiveX is not that it is buggy (it is not) or that it is inherently insecure (it is not more or less insecure than browser plugins).

    Flash vulnerabilities are not made more or less severe depending on ActiveX. ActiveX is simply a plugin mechanism. It is not designed to provide a sandbox (although it will now respect a sandbox like in IE).

    ActiveX has been (mis)used by some vendors/websites to "enhance" their websites where they did not really need code to run on the users' systems. Vulnerabilities in such plugins (ActiveX controls) have been exploited by attackers to compromise users' machines. It is important to understand that these are not vulnerabilities in ActiveX infrastructure. It is simply vulnerabilities in code produced by a 3rd party.

    Flash is actually a plugin/ActiveX control which legitimately needs access to the users' systems. Specifically it needs access to hardware/devices such as hardware acceleration, webcam, microphone etc.
    ZDNet Gravatar
    honeymonster
    15th May 2010
  • RE: How secure is Flash? Here's what Adobe won't tell you
    @Monarky

    Yes, you have just embarrassed yourself.

    FFS, buffer overflows are the mother of all memory corruption bugs. It generally lets the attacker take over the executing process and do whatever the user running that process can do.

    Please educate yourself before trying to debate this. You are in over your head here.

    Apparmor only protects the processes for which you have enabled it. In Ubuntu, apparmor is not even enabled for Firefox! Not even in the latest (10.4) release.

    A profile exists for Firefox, but it must be opted-into by the user. And that profile will not protect Flash .

    Windows is the only OS which comes with sandboxed Flash by default. Since Vista. But (somewhat ironically) only if you use the ActiveX version with Internet Explorer.

    But as Ed just stated: You clearly know nothing about computer security. If you do not even know what a buffer overflow or remote code execution means, then you are not worth debating.

    Thanks.
    ZDNet Gravatar
    honeymonster
    15th May 2010
  • RE: How secure is Flash? Here's what Adobe won't tell you
    @Monarky

    ActiveX has nothing to do with security. It is not a "security component" - it isn't even a component at all. ActiveX is a set of COM interfaces for hosting UI controls within an application. IE uses this set of interfaces to host plug-ins within web pages. Every other browser supports exactly the same thing as ActiveX, they just call it something different. The only thing "special" about ActiveX is that it's not *only* a browser extension API, but a more generalized set of interfaces for UI component hosting, having grown out of COM / OLE Embedding. It is, by its nature, no more or less secure than any other browser extension mechanism which runs native code (i.e. every browser which supports Flash).

    ActiveX controls themselves have a bad reputation because:
    1) Users frequently do not understand that installing a browser extension offered by a web page is equivalent to intalling an executable from a web page. In the early days, ActiveX controls / browser extensions were easier to install than applications so users thought they were safer, but they were not. Nowadays, ActiveX controls come with more warnings, so malicious controls are less likely to be installed. Further, IE runs ActiveX controls (and pages themselves) in a "sandbox" called Protected Mode which helps insulate the rest of the system from attacks by or against ActiveX controls on web pages.

    2) ActiveX is the plug-in mechanism for the most popular browser in the world. Because the browser itself has become more secure, and because browser marketshare is more spread out than it used to be, plug-ins like Flash have become more popular targets.

    Flash is a more ubiquitous target than IE because even users with different browsers, like Firefox, are more likely to have Flash. In fact, users of Firefox are *easier* to attack this way because Firefox doesn't yet sandbox plug-ins the way IE and Chrome do. And IE's sandbox feature doesn't work on Windows XP, so there's another large set of targets you can reach with a Flash exploit.

    Flash vulnerabilities generally impact most or all browsers, but are mitigated on certain browsers like IE and Chrome by their defense-in-depth measures. They tend to affect all platforms, including Linux. But nobody attacks Linux (on the desktop) because nobody uses it.

    AppArmor and SE are uncommon on real Linux deployments, and are each inferior attempts to implement the same security mitigations of other platforms like Windows. AppArmor is actually a pretty amatuerish MAC implementation, partly because it's a bolt-on instead of a pervasive/native aspect of the OS design. But security features have never been a selling point for Linux.
    ZDNet Gravatar
    BrandonLive
    16th May 2010
  • RE: How secure is Flash? Here's what Adobe won't tell you
    @Monarky You obviously don't have any children in elementry school then. We have two (7 & 9) who love their flash based web sites. The 9 year-old want an iPad even though she knows that flash doesn't work on that device, but still complains when I disable flash on our computer... go figure!
    ZDNet Gravatar
    eric2820
    17th May 2010
  • RE: How secure is Flash? Here's what Adobe won't tell you
    @Monarky The flash vunerabilities exist just as much in Windows as it does in Linux and MAC OS. Linux and MAC OS are not immune to vunerabilities...However different 'payload' code will be required. That being said with some cross-platform products like Open Office it is possible to create cross-platform exploits that work on Windows, Mac and Linux.
    ZDNet Gravatar
    eatredmeatfeelgood@...
    17th May 2010
  • Unfortunately Ed's Info is Dated!
    @Monarky Active X is the major culprit of Web Security and that's according to Ed's own posted numbers (though from last year).

    But have any of you bothered to check what has changed in FLASH Security in Version 10.1? No... you don't want to have to admit Adobe is doing something better about Security than any of it's competitors (Microsoft). Not that there is any real competitor for what it can do. How secure is Silverlight? How secure is HTML5? Well we don't know yet on HTML5. But for video there isn't a browser player out of beta yet and they lack control and ability to view in full screen on YouTube.

    But now in YouTube's new FLASH Player we have access to new menu features.

    You can right/click on FLASH content and go to it's new settings panel. Now also now on YouTube, when you R/click on a video, you have a whole list of options too; Report playback issue, Take Speed Test, Stop Download, Copy Embed HTML, Show Video Info, Copy Debug Info, Settings and then About Adobe FLASH PLAYER 10. With advanced settings under 2nd of 5 tabs in Mini Settings Panel is advanced settings w/ advanced security controls tab). This will also be on mobile devices w/ FLASH 10.1 including the Evo in June!

    Yes.... there is improved Security in FLASH 10.1 (which Ed Bott can no longer complain about)! ....and with proper hardware, you have ACCELERATION that makes a dramatic difference in how FLASH plays on these devices that support it!!!

    BTW.... I just want to point out; that FLASH relative to the number of devices and platforms it runs on and the massive content provided on the web, actually has a better success rate than you could ever imagine. Think about it!.... you are continually faced with FLASH content and if you have it installed, many times you don't even realize it's there. You only notice when it acts up and that most of the time isn't even the player's fault! ...it's with content providers or YOU having too many tabs open, etc!
    ZDNet Gravatar
    i2fun@...
    22nd May 2010
  • @honeymonster and Ed Bott
    @honeymonster Making an AppArmor profile for Firefox is kindergarten stuff. But... many distros already include one and unlike Ubuntu, there is NO need for the simple minded quick click opt-in.

    Need Instructions? NOT... you don't even use Linux and you're telling me how to use it! ...and now you're saying that a plugin running within a fully profiled "AppArmored Browser" (Firefox) can somehow plant malicious code in Linux, from a web site using a Firefox Flash Plugin. I guess these hackers have a secret door or knowledge about 100's of totally different Linux Distros Directories in them! haha..

    Why according to you guys.... it knows exactly where my files (kernel modules, drivers, configs, etc) and folders are kept, within my particular Linux distro no less! Dream on buddies!!! .....btw... I DON'T use Ubuntu! wink ...but my install came with a (full profiled) "AppArmored Firefox" browser pre-installed and enabled on first boot! lol

    Like I said..... "Surf Safe and Surf Protected". How (if you're that freaked, which you should be on Windows)? By #1.. running your Browser and OS install, through a Hyper or Secure Tunnel Service. #2 Installed on a virtual install space of some kind. Either from a or within VMware (whichever you use). #3 Since you can't run any other OS from a Live disk, naturally your only choice is Linux in Booting a Live DVD for that one! (like the director of the FBI chooses for Banking, etc)

    But.... just for the imbeciles among you, here's something you can do right on your very own bedbug infested Windows Install (remembering these numbers from above of course; Plugins & Controls, ActiveX= 134 vulnerabilities (highest among plug-ins), Java SE= 84, Adobe Reader= 49, QuickTime= 27, Adobe Flash Player= 23 the lowest of the lot. Naturally these are all on Windows! wink haha...

    NXClient Download and run your choice of a full Linux install or more secure and faster application Browser in "Test Drive" (Yes... Flash is installed in Firefox on KDE):
    http://www.nomachine.com/download.php

    http://www.nomachine.com/testdrive.php

    ActiveX browser plugin Application Control, Utilizes Security Mechanisms to prevent malicious use of the controlled Applications. Let's see how good it actually works? But... remember it's known to be vulnerable to... malicious abuse. The NSA has gone on record as stating it as the worse plugin threat to Internet Security on the web; Re-enforcing Symantec's results above!

    ZDNet Story on Ubuntu in March (read comments from the Linux user you all love to hate, cuz he's right)!
    http://www.zdnet.com/blog/education/get-ready-to-supercharge-those-netbooks-with-ubuntu-1004/3760

    Challenge your own OS and Security to a test! grin Gather a list of known infected sites (including those w/ FLASH security vulnerabilities) and visit them in a duel. Pitting the sandboxed Linux browser (on NX Test Drive Server Browser or OS Equivalent) against your local Win XP or Vista installed IE Browser with-in minutes!

    BTW.... afterall, I'm just an everyday user. Unlike you guys claiming to be "Bona Fide Security Experts"! wink
    ZDNet Gravatar
    Monarky
    15th May 2010
  • RE: How secure is Flash? Here's what Adobe won't tell you
    @Monarky But would that test show the true security of your system, or only be an indication of the targets of those attacks? If I wrote my own OS would it be more secure just because noone was attacking it? I guess it depends on your definition of security.

    Also you wrote that "buffer overflows are hardly security issues on OS-X". Maybe I'm wrong, but I thought Charlie Miller used buffer overflows on OS-X in safari for pwn2own at some point.
    ZDNet Gravatar
    DeadOnArrival
    16th May 2010
  • Flash still sucks. There's no getting around that.
    ZDNet Gravatar
    AzuMao
    19th May 2010
View More Comments

Talkback - Tell Us What You Think

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources