FLASH MUST DIE, says Facebook security chief
It's in a magic bad-but-not-bad-enough hellspot - so just kill it already
Newly-minted Facebook security chief Alex Stamos has called for Adobe Flash to be taken out behind the shed by a shotgun-wielding world.
The former Yahoo! security head joined Menlo Park this year and over the weekend said in two Tweets that it is time the death knell chimed for the Adobe's much-hacked tool.
"It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day," Stamos says.
"Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.
"Nobody takes the time to rewrite their tools and upgrade to HTML5 because they expect Flash forever. Need a date to drive it."
His comments follow the disclosure of three zero-day vulnerabilities in Flash revealed in leaked source code released as part of the 400Gb Hacking Team archive.
Stamos was quizzed by Twitter users on the fate of various Facebook features such as games and the image uploader that rely on Flash.
He did not say by the time of writing whether the web platform would be ejected in favour of HTML5.
Brad Arkin. (The Register)
The late Apple boss Steve Jobs fired a Flash salvo in 2010 when he criticised the 'PC-and-mouse' platform for being outdated in the world of low-powered mobile devices.
"Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash," Jobs wrote.
Last year Adobe chief security officer Brad Arkin told the Australian Information Security Association that its focus on increasing the cost of exploiting Flash and Reader rather than just patching individual vulnerabilities led to a big reduction in zero-day attacks.
Arkin said it dropped the time-to-patch from 10 weeks in 2009 to 36 hours last year. ®