Jobs lies regarding Flash Security

There has been a lot of talk about Flash security lately. First Jobs made some claims about it in his “thoughts on Flash” rant, and now with the recent vulnerability a lot of people seem to think that he has been proven right.

But is there any truth in Flash being unusually insecure?

Jobs tries to back up his FUD by mentioning a Symantec report which he claims “highlighted Flash for having one of the worst security records in 2009”. Of course he doesn’t quote anything from the report, nor provide a link. But if you actually read the report you will see that his claim is a blatant lie.

Nowhere in the report is Flash highlighted, and there is simply no data in it to support that conclusion. In fact the report shows that Flash was the browser plug-in with the fewest reported vulnerabilities.

In the section about web browser plugins they write the following:

In 2009, Symantec documented 321 vulnerabilities affecting plug-ins for Web browsers (figure 9).

ActiveX technologies were affected by 134 vulnerabilities, which was the highest among the plug-in technologies examined. Of the remaining technologies, Java SE had 84 vulnerabilities, Adobe Reader had 49 vulnerabilities, QuickTime had 27 vulnerabilities, and Adobe Flash Player was subject to 23 vulnerabilities. The remaining four vulnerabilities affected extensions for Firefox.

Considering how widespread the Flash Player is, combined with the fact that it runs scripts and has a lot of connectivity features, it’s obviously an extremely attractive target. So the fact that it has the fewest vulnerabilities is something that Adobe should get credit for.

So we can conclude that Jobs’ claim has nothing to do with the number of vulnerabilities.

Could it have to do with the severity of the vulnerabilities then?

Indeed Flash is mentioned again in the report:

Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe Reader and Flash Player was the second most attacked vulnerability.

Considering that Flash is installed on some 98% of computers, it is hardly surprising to find that any vulnerability will be exploited to its fullest. But the fact that one of the top five attacked vulnerabilities involved Flash can hardly be used to support Jobs’ claim of Flash “having one of the worst security records in 2009”.

Search through the document for where Flash is mentioned and you will notice that there are no other mentions of the security record of Flash beyond what I have quoted. There is one mention in the section about browsers, where Symantec provides advice on how to secure the browser:

Browser security features and add-ons should be employed wherever possible to disable JavaScript™, Adobe Flash player, and other content that may present a risk to the user when visiting untrusted sites. Organizations should consider adopting a policy of identifying a list of whitelisted, trusted, or authorized websites and block access to all other sites. Whitelists must be actively maintained due to the risk presented when trusted sites are compromised and used to host attacks or malicious software.

Of course this is sound advice for enterprises with sensitive data to protect.

If security is vital you should only allow whatever is really necessary to run on your machines, and that obviously includes Flash. Some people try to interpret this as Symantec implying that Flash is a major threat, but what it means is that Flash is a threat, just like any other piece of software, and for optimal security it should only be used when needed.

Note that they recommend disabling JS as well, meaning that HTML5, which Jobs seems to imply would be a more secure alternative, should be avoided as well. Disabling both JS and Flash and only allowing access to trusted sites does not make for a great Internet experience, but obviously that is not particularly desirable on enterprise workstations anyway.

So in conclusion there is absolutely no basis for Jobs’ claims in the report he mentions; instead it shows a very good security record for the Flash Player. But the features and ubiquity of the Flash Player will of course mean that hackers will do everything they can to find vulnerabilities, and when they do, it has the potential to affect many people.

So the claim that Flash was highlighted is a blatant lie, and it’s not a subject up for discussion. Symantec has a section with highlights in which Flash is not mentioned once. It’s interesting to note what does get highlighted in the report, though.

This is what they say on Safari in the highlight section:
