Ask HN: Why is Flash so vulnerable? - zatkin
======
patio11
It's a ginormous codebase in a non-memory-managed language which was written
back before the industry got serious religion on security. It is free, has a
very wide install base, and in common deployments will execute code provided
by any host on the Internet. This makes it a _very_ attractive target.

Applications of similar complexity/surface area can swallow hundreds of
millions of dollars of security research. Flash has not received this.
(Windows/Office/etc have.)

~~~
acqq
While technically true, this diagnosis is a bit misleading.

The question is "Why is Flash so vulnerable?" and part of Patio's answer
is "codebase in a non-memory-managed language." Well, practically everything
we seriously use has its codebase in a non-memory-managed language.

All the common operating system guts -- written in a non-memory-managed
language. All the common browsers guts -- written in a non-memory-managed
language. Even the guts of the "memory managed languages" are -- written in a
non-memory-managed language.

C and its variations, and not memory managed. And nobody has managed to replace C
and its dialects with something else. The Rust language will maybe manage to be used
for something serious, already implementing the experimental layout engine, but
at the moment it's still too hard even to replace the current Firefox engine
with the one written in Rust. It's a good thing that Rust and other
developments exist, but in practice, C is still everywhere.

So Flash is not an exception in being written in C or a dialect of it. That
some parts of some systems can be implemented in memory-managed languages is a
very old thing, and it doesn't protect them from exploits. Parts of Firefox
are written in JavaScript. Even when something is written in Java (which is
memory-managed), it didn't mean a thing, as recently Java code was the favorite
attack vector (in spite of being "virtual" and "memory managed").

Security is hard. Certainly, millions of dollars of security research and the
implementation of their results help the most, more than "it's not memory
managed", which is too simple an answer to be of much use in the given context.

So why then Flash? Because of many things, but specifically Flash brought to
the browsers huge functionality which is still slowly being reimplemented in
the form of standard browser features. Even ignoring the fact that
they brought these features without too much external review, the only way to
bring so much functionality to the huge infrastructures that existing browsers
are was for Flash to cross a lot of boundaries. And the attacks are the
boundary crossings, so piggybacking on what Flash does is often the best thing
for an attacker to do. Then, the second cause is certainly that the Flash codebase
definitely didn't receive enough attention to become safer. And the current
reason is -- even Adobe doesn't expect Flash to ever become something worth
too much investment.

Disclaimer: I've implemented one memory-managed language in C. Behind almost
every language mentioned anywhere is some non-memory-managed C. Simple
"single island" languages can be very clean and safe. Add the features, use of
the system libraries, boundary crossings, etc., and "memory managed" is just a
small point.

~~~
tptacek
Large codebase, unsafe implementation language, _huge attack surface_, and
popular target probably covers all the reasons.

------
ruraljuror
I was listening to the Security Now podcast this morning. On episode 514,
_Tor's Astoria Client_, about the first 30 minutes of the podcast are spent going
into extreme detail about how a recent Flash vulnerability was exploited.

I can't link to a page for the episode.

Here is the episode list:
[https://www.grc.com/securitynow.htm](https://www.grc.com/securitynow.htm)

The episode:
[https://media.grc.com/sn/sn-514.mp3](https://media.grc.com/sn/sn-514.mp3)

The transcript:
[https://www.grc.com/sn/sn-514.txt](https://www.grc.com/sn/sn-514.txt)

I think most of the content is sourced (and credited) to this post from
FireEye:
[https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html](https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html)

~~~
bendmorris
Thanks for sharing, this is fascinating.

Given the level of sophistication in this attack, I wonder to what extent the
number of vulnerabilities found in Flash is a function of the effort spent
disassembling it and searching for them specifically. Since browsers implement
their own language runtimes, might they be vulnerable to the same types of
attacks? Is there anything that makes Firefox inherently more secure than
Flash?

------
bmm6o
To me, it seems like a combination of several factors:

* None of Adobe's products are particularly stable or secure - not even the
  ones they charge a lot of money for.
* Flash's wide install base and the fact that it's easy to invoke on a target
  machine (via the browser) makes it an inviting target for hackers.
* Flash is a fairly complex piece of software - after all, it's a language
  runtime.
* They don't charge for the Flash runtime, so there's no direct return on
  investment for making it more secure. The main losses are reputational, and
  until there's a mass revolt (which might be coming) it's hard to quantify
  any financial losses.

~~~
zatkin
You could say all of those factors for Chrome, except for the first one.

~~~
bmm6o
I left off:

* Adobe's implementation doesn't have a drop-in replacement that offers a
  near-frictionless alternative.

------
ucho
I might be stating the obvious - it contains a language interpreter. That is
hard stuff to do, and from the beginning the focus was on speed, not security.
Now it is a high-value target, and it was probably checked for bugs more than
any software in history.

------
nudpiedo
That is how big organizations work:

1. They feel Flash is slowly dying or that it could potentially be sold.

2. No more investment, in order to get the most money from the already
existing market of customers, a future sale, or to force migration to other
products of the same company.

They do not understand that the image of the technology and the community is
damaged; and that is a pity when I think of the Haxe project and the open
source community around it.

Now even an open source alternative to the binary Flash would not save the
damaged image, and HTML5 canvas is predestined to overtake it.

EDIT: I think Adobe lost a big chance in the market with Flash by being too
closed and not understanding modern development/online communities.

------
frozenport
I blame Adobe's culture; their culture discourages good programming and their
other projects suffer the same problems. For example, breadwinners like CS/CC
frequently crash. I have a collection of InDesign files that will crash on
demand, but my concerns have yet to be remedied after 4 years. Internally, they
rely on a custom widgeting kit designed to match the functionality found in
their pre-OSX Mac software (over 20 years!). Build times are said to be
several hours.

Adobe is simply not competent at writing modern software. Don't forget that if
you can't get a Flash zero-day, you might get one for Adobe Reader!

------
forgottenacc56
A company that employs cheap programmers.

