Flash deserves to live, says Cisco security man
Adobe's scars make it ugly but tough. So tough it's being attacked more than ever
Don't kill Flash; that's the message from Cisco security veteran John Stewart, who says the Adobe team has put in the hard yards reforming security and needs to weather the current bug storm.
The advice follows a call for the ravaged runtime to be expunged from the digital world by former Yahoo-cum-Facebook security man Alex Stamos following the disclosure of nasty zero-day Flash flaws as part of the Hacking Team data dumps.
Stamos' sentiments are opposed by other tech institutes like Trend Micro and Mozilla which labelled Flash a threat, the latter dumping it from its Firefox browser.
Stewart is pragmatic, however, and says Adobe's security scars have made it potentially tougher than whatever may replace it should it be promptly dumped.
"I have a lot of sympathy for the (Adobe) teams. They need to weather the storm," Stewart told this reporter in a media call today.
"Adobe is zeroing in on ensuring security testing happens across their portfolio in a big way.
"If anyone thinks something is better than Flash then they need to consider what that alternative is against doubling-down security efforts on what we already have."
Adobe has been changing its practices to drop the time to patch. Chief security officer Brad Arkin last year told the Australian Information Security Association that its focus on increasing the cost of exploiting Flash and Reader rather than just patching individual vulnerabilities led to a big reduction in zero-day attacks.
Stewart points to various platforms including Java, Microsoft, and Cisco's offerings that have been "in the woolshed" more than once over a stretch of security vulnerabilities.
Yep. Flash is getting better. For sure.
He says security testing that exists in all components of software development is virtually absent outside of large companies including Adobe.
The security bod's comments come on the back of The Borg's 2015 mid-year security report [PDF] released today, which illustrates a glaring spike this year in Flash vulnerabilities that result in code execution hosing of user systems.
Patch. Patch. Patch. Patch.
HTML5 is widely seen as the successor to Flash given its increased flexibility and support, something that was pointed out to the wider tech community in 2010 when late Apple CEO Steve Jobs penned an open letter on the topic.
Microsoft is asking its eight Silverlight users and Netflix to stop using its platform in favour of HTML5.
The continued use of Flash has been a boon for the dangerous Angler exploit kit. Cisco says a whopping 40 percent of users who encounter Angler are compromised by it.
It says Angler VXer's responsiveness to Adobe Flash vulnerabilities is "an example of their commitment to innovation". ®