Why I will dance on Flash’s grave

Whilst we are still talking about Adobe Flash, as we seem to at least once a week, it is worth re-reading Steve Jobs’s Thoughts on Flash, written in 2010, over five years ago.

Wouldn’t you have thought that Adobe would not only have done something, but have been very public and open about what they did, after he wrote:
“Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.”

Whatever Adobe did, it was obviously ineffective: Flash continues to manifest a seemingly endless succession of major security vulnerabilities, many of which are only discovered when they are already being exploited – ‘zero day’ vulnerabilities.

Like many of its products, Adobe’s Flash reaches back into the ancient history of personal computing, to the early 1990s, when it was originally developed by FutureWave, and unsuccessfully offered to Adobe in 1995. It passed to Macromedia the following year, and again by acquisition to Adobe in 2005.

I suspect that there are still sections of code in its source which hark back to those days, when Flash was exciting, innovative, and relatively unexposed to modern security threats. Having worked with source code which has evolved over more than a decade, it is scary how all sorts of pieces get left behind, a bit like the old possessions that accumulate in lofts, basements, or sheds. Steve Jobs made a very public clarion call to Adobe to get its Flash house in order quickly. It has demonstrably failed to do so over the last five years.

Whatever problems might remain in the moribund Flash Player may not be the only issues in Adobe products. Earlier this week, Adobe pushed out updates to its Acrobat products, again including important security fixes.

Having paid substantially to upgrade to Adobe Acrobat (Pro) 2015, an app which I start up several times each day, I was surprised that it had not yet offered this important update, particularly as its Preference settings are to “automatically install updates”. So today I forced it to check for updates, only to discover that the update had been available and had clearly not been installed automatically.

Yet Adobe’s own release notes told me that “this update provides new features, security mitigations, feature enhancements, and bug fixes.”*

“Security mitigations” and “bug fixes”? The updater said something different, and more disturbing: “this update addresses customer issues and security vulnerabilities.”

Weave your way to eventually find the relevant Adobe Security Bulletin, and its summary states:
“Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”

The details given of the vulnerabilities are broken down into twelve different categories, and cover no fewer than 46 separate vulnerability reports (CVEs), one of which dates back to September 2014, over six months before the release of Acrobat (Pro) 2015.

It is worth bearing in mind that, like Flash, Adobe Acrobat also originated in the early 1990s. I wonder how much of that ancient code remains in its current source? One significant difference between Flash and Acrobat is that the former is well into decline, and readily replaced; Acrobat is increasingly used, and has neither serious competition nor any workable substitute.

Finally, cast your mind back to 2013, when hackers extracted 10 GB of Adobe’s user database and compromised at least 2.9 million (probably over 38 million) of its customers. Although Adobe started contacting affected customers in October 2013, it is likely that the breach occurred in September or even before that.

The time has come for Adobe to demonstrate publicly that it is, at long last, putting its security in order. Announcing Flash’s deathdate is but the first in a tough and painful road to restoring confidence in the company and its products. Further delay or silence can only be corrosive, and put the entire company at risk.

* Note: there was a strange incident in the updating which suggests that the updater had never undergone QA checking, and/or that the whole updater system has a significant design flaw. The updater offered access to the release notes only when Safari had been quit. Clicking on the link to the release notes of course re-opened Safari, which would then have blocked the update process.
Furthermore, whilst the updater displayed a linear progress bar during download of the update, that progress reached 100% once the download had completed. For the rest of the installation, which took several minutes further, the bar remained stuck at 100%, and there was no indication as to what further progress was being made. This too appears to be a design flaw in the updater, and indicative of inadequate QA.