Internet Security Systems - AlertCon(TM)

10 Years of Flash!

Posted by Gunter Ollmann on December 13, 2006 at 12:34 PM EST.

I hear that I missed a beach party - assuming you could call those seaside pebble gardens in Brighton a beach.  "Flash on the Beach" celebrated 10 years of Flash.

Starting off life as Future Splash before being renamed Flash! in 1996 by new owners Macromedia, and now part of the Adobe product suite, it is supposedly installed on around 90% of desktop systems.

Love it or loathe it, it's managed to hang around as the preferred client-side web animation tool for a decade and will likely maintain that premier spot for a few more years.

While there have been several very notable security vulnerabilities with the product and it has been leveraged for many a desktop compromise, I would say that it has done pretty well from a security perspective.  However, I do fear that we will see an increase in attackers making use of its custom programming language to create and launch obfuscated attacks that exploit other vulnerabilities within web-browsers.  Certainly we have already noticed a large shift towards the use of JavaScript to obfuscate web-browser exploits and their payloads.  Doing the same in Flash will make it more difficult for traditional signature-based protection systems (e.g. AV) to provide any kind of protection at all.

I can't say I'm particularly enamored with Flash.  I hate all the advertisements that use it - popping up over the top of what I'm trying to read - requiring me to click a 'close' option to get rid of the advertisement.  I also hate the fact that it slows things down when I'm traveling - holed up in a hotel with a dial-up connection or with 512k shared amongst 200 rooms.

My solution for the last 4 years is to have several browsers installed on my laptop - some of them with Flash installed, some without.  I typically use a non-IE browser without Flash (or any plugins) installed for web surfing, and will flick to a browser that has it installed if I really need to navigate the site in Flash animations etc.
