How secure is Flash? Here's what Adobe won't tell you

Adobe's co-founder and co-chairman says concerns about security in Flash Player are "old news." Adobe even cites a Symantec study as evidence of their security record. But when you read that study, as I did, you get a completely different, and quite alarming story.
Written by Ed Bott, Senior Contributing Editor

Yesterday, I called Adobe's Flash "the new Vista" and asked the company to start talking seriously about how they're addressing problems with their products instead of pretending those problems don't exist. In talking to Adobe representatives, reading interviews with Adobe executives, and reading Adobe's public statements, I've found a steady stream of denial where there should be transparency.

One of the key issues in this discussion is security. Yesterday, I rattled off some disturbing statistics about vulnerabilities in Flash Player and asked Adobe, "So, how are you planning to convince us that you’ve gotten serious about security? No one from Adobe has gotten back to me on that one. But John Paczkowski of Digital Daily interviewed Adobe co-founder Chuck Geschke yesterday and published a transcription of the conversation this morning. Here's an excerpt that perfectly illustrates my concerns with Adobe's record.

JP: Both Apple and Microsoft have said publicly now that Flash has issues with reliability, security, and performance. Do you think those complaints are legitimate?

CG: I think they’re old news. Go to our Web site and read the actual facts about Flash. We enumerate the facts about Flash there as we see them. [Microsoft and Apple] may have a different set of facts that they believe are accurate. It’s up to you to decide.

"Old news"? Obi-Wan Kenobi can get away with that kind of hand-waving. The CEO of a public company with a market cap of $18 billion can't. I intend no criticism of Paczkowski, who did an excellent job under the circumstances, but Geschke's statement demands some serious fact-checking.

I followed the link to Adobe's new "Setting the record straight" page, emphatically titled The truth about Flash. Here is the first of two paragraphs that appears under the Security heading:

Security is one of the highest priorities for the Flash Player team. The Symantec Global Internet Threat Report for 2009 found that Flash had the second fewest number of vulnerabilities of all Internet technologies listed (which included both web plug-ins and browsers). This is significant when you consider that Flash Player is among the most widely distributed and used pieces of software in the world. [emphasis added]

That is, charitably speaking, a gross distortion of the facts. And I find it interesting that Adobe's rebuttal does not include a link to the Symantec report they cite. That makes it more difficult for readers (and reporters) to fact-check their claim. So here, allow me to help. Symantec's Internet Security Threat Report page includes links to the full report (PDF), which was published in April 2010 and covers the year 2009. There's also an executive summary (PDF) and a link to archived reports from previous years. You're welcome to read along with me. Tell me if you think that assertion from Adobe is accurate.

First, a quote from page 40 of the full 2009 report:

In 2009, Symantec documented 321 vulnerabilities affecting plug-ins for Web browsers (figure 9). ActiveX technologies were affected by 134 vulnerabilities, which was the highest among the plug-in technologies examined. Of the remaining technologies, Java SE had 84 vulnerabilities, Adobe Reader had 49 vulnerabilities, QuickTime had 27 vulnerabilities, and Adobe Flash Player was subject to 23 vulnerabilities. The remaining four vulnerabilities affected extensions for Firefox.

I suppose there's some schadenfreude for Adobe in seeing four more vulnerabilities for QuickTime than for Flash Player. But really, is the discovery of 23 vulnerabilities in a single year really something to brag about? Is it somehow an endorsement of Flash Player's security? Well, to answer those questions you would need to assess the seriousness of those vulnerabilities and determine which ones were attacked. For some reason, Adobe made no mention of this paragraph, which appears in the Symantec report a mere two pages later:

Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe Reader and Flash Player was the second most attacked vulnerability. This was also one of four zero-day vulnerabilities affecting Adobe plug-ins during 2009. Two of the vulnerabilities were in the top five attacked vulnerabilities for 2009. Additionally, Adobe vulnerabilities have been associated with malicious code attacks such as the Pidief.E Trojan.

Perhaps Adobe's performance in 2009 was an improvement over previous years? Uh, no. The 2008 edition of Symantec's annual report found only 16 vulnerabilities in the Flash Player, and the 2007 edition (published in two parts) found no Flash-related vulnerabilities in the first half of the year and 11 in the second half. From 11 to 16 to 23? That is not a trend line that Adobe should be proud of.

In fact, there is nothing in the Symantec report that is flattering toward Adobe and its security record. On page 37, Symantec offers this advice for organizations:

In order to reduce the threat of successful exploitation of Web browsers, administrators should maintain a restrictive policy regarding which applications are allowed within the organization. […] Browser security features and add-ons should be employed wherever possible to disable JavaScript™, Adobe Flash Player, and other content that may present a risk to the user when visiting untrusted sites. [emphasis added]

What the CEO should be saying right now goes something like this: "Yes, we know there are security issues with Flash Player, as there are with all Internet-based programs. We think our adversaries are exaggerating their impact, but we take them very seriously." At that point, he should turn the floor over to whoever is in charge of security development for Adobe, who can explain, in detail, what sort of processes are in place today to turn that trend line back downward.

Instead, the co-founder and co-chairman waves his hand and dismisses serious security issues as "old news."

It's clear that Adobe's sheer stubbornness in refusing to address these issues starts at the top.

Editorial standards