Jun 09 2010

There has been a lot of talk about Flash security lately. First Jobs made some claims about it in his “Thoughts on Flash” rant, and now, with the recent vulnerability, a lot of people seem to think that he has been proven right.

But is there any truth in Flash being unusually insecure?
Jobs tries to back up his FUD by mentioning a Symantec report which he claims “highlighted Flash for having one of the worst security records in 2009”. Of course he doesn’t quote anything from the report, nor does he provide a link. But if you actually read the report you will see that his claim is a blatant lie.

Nowhere in the report is Flash highlighted, and there is simply no data in it to support that conclusion. In fact the report shows that Flash was the browser plug-in technology with the fewest reported vulnerabilities of the major plug-ins Symantec examined (only the catch-all category of Firefox extensions had fewer, with four).

In the section about web browser plugins they write the following:

In 2009, Symantec documented 321 vulnerabilities affecting plug-ins for Web browsers (figure 9). ActiveX technologies were affected by 134 vulnerabilities, which was the highest among the plug-in technologies examined. Of the remaining technologies, Java SE had 84 vulnerabilities, Adobe Reader had 49 vulnerabilities, QuickTime had 27 vulnerabilities, and Adobe Flash Player was subject to 23 vulnerabilities. The remaining four vulnerabilities affected extensions for Firefox.

Considering how widespread the Flash Player is, combined with the fact that it runs scripts and has a lot of connectivity features, it’s obviously an extremely attractive target. So the fact that it had the fewest reported vulnerabilities of the major plug-ins is something that Adobe should get credit for. (A count of reported vulnerabilities says nothing about how exploitable they were or how quickly they were patched, but as a raw number it is the lowest of the named plug-ins, not the highest.)
So we can conclude that Jobs’ claim has nothing to do with the number of vulnerabilities.

Could it have to do with the severity of the vulnerabilities then?
Indeed Flash is mentioned again in the report:

Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe reader and Flash player was the second most attacked vulnerability.

Considering that Flash is installed on some 98% of computers, it is hardly surprising to find that any vulnerability in it will be exploited to its fullest. But the fact that the second most attacked vulnerability of the year involved Flash can hardly be used to support Jobs’ claim of Flash “having one of the worst security records in 2009”.

Search through the document for mentions of Flash and you will notice that there are no other references to the security record of Flash beyond what I quoted. There is one more mention, in the section about browsers, where Symantec provides advice about how to secure the browser:

Browser security features and add-ons should be employed wherever possible to disable JavaScript™, Adobe Flash player, and other content that may present a risk to the user when visiting untrusted sites. Organizations should consider adopting a policy of identifying a list of whitelisted, trusted, or authorized websites and block access to all other sites. Whitelists must be actively maintained due to the risk presented when trusted sites are compromised and used to host attacks or malicious software.

Of course this is sound advice for enterprises with sensitive data to protect.
If security is vital you should only allow what is really necessary to run on your machines, and that restriction obviously applies to Flash as well. Some people try to interpret this as Symantec implying that Flash is a major threat, but what it actually says is that Flash is a threat like any other piece of software, and that for optimal security it should only be enabled where it is needed.

Note that they recommend disabling JS as well, meaning that HTML5, which Jobs seems to imply would be a more secure alternative, should be avoided too by the same logic. Disabling both JS and Flash and only allowing access to trusted sites does not make for a great Internet experience, but a great Internet experience is obviously not a priority on enterprise workstations anyway.

So in conclusion there is absolutely no basis for Jobs’ claims in the report he mentions; instead it shows a very good security record for the Flash Player. But the features and ubiquity of the Flash Player will of course mean that attackers will do everything they can to find vulnerabilities in it, and when they do, the result has the potential to affect many people.

So the claim that Flash was highlighted is a blatant lie, and it’s not a subject up for discussion: Symantec has a highlights section, and Flash is not mentioned in it once. It’s interesting to note what does get highlighted in the report, though.

This is what they say about Safari in the highlights section:

Of all browsers Symantec analyzed in 2009, Safari had the longest window of exposure (the time between the release of exploit code for a vulnerability and a vendor releasing a patch), with a 13-day average; Internet Explorer, Firefox, and Opera had the shortest windows of exposure in 2009, averaging less than one day each.

Compared to the other browsers this is a truly appalling security record. Not only did Safari have the second most vulnerabilities of the browsers, but its average window of exposure was 13 days. The second-longest window was Chrome’s, at 2 days.

They also have the following to say about Safari:

Additionally, all browsers except Safari either remained status quo or showed an improvement in the window of exposure. This demonstrates an increased effort by vendors to minimize the amount of time that users are exposed to exploits.

It seems quite clear that, the way Jobs reads the report, obscurity equals security. With a market share of a few percent, Safari will obviously not make it into any list of the most attacked vulnerabilities, but that does not make its security record any better. The record instead shows that Apple does not seem to care much about security when it comes to its own products.

While it’s very important that Adobe ensures that Flash is secure, there is simply no basis in fact for the claims that it has a particularly bad security record. The latest incident is unfortunate, both because it seems to be a fairly severe vulnerability and because of the timing.

But according to Adobe’s security team there should be a patch for the release version tomorrow.

For those of you interested in details about the work of Adobe’s security team, I recommend reading this interview.

I just noted that the severity of the current vulnerability is classified as “Risk Level 1: Very Low” by Symantec. Secunia, on the other hand, is classifying it as “extremely critical”, so I guess the jury is still out on how severe it is. The two ratings measure different things, though: Symantec’s risk level reflects how widely the threat has been seen and how much damage it has done, while Secunia’s rating reflects the exploitability and impact of the flaw itself, so a vulnerability can be both very exploitable and, so far, little exploited. It does seem like it’s not being actively exploited on a large scale yet: according to Symantec the number of infections is 0-49 and the damage level is low as well.