Ask HN: Anyone else think it's a major security problem to open source Flash? - coderdude

Flash is installed on some 95% of machines (or so it's said), and we can safely assume that the codebase is full of security holes. Why is it a good idea to suddenly open source it? As soon as it's open there will be a flood of exploits faster than any patching and updating can protect us from. This is not an issue of "obscurity != security." We all know that. However, revealing all the exploits at once != smart.

Am I the only person who thinks this?
======
TallGuyShort
The portions of Flash that would concern the security of a user are already
pretty well open-sourced, IMO. Most notably - the Tamarin project/ActionScript
VM (<http://www.mozilla.org/projects/tamarin/>), BlazeDS
(<http://opensource.adobe.com/wiki/display/blazeds/BlazeDS/>). I don't think
Adobe was having to stretch the truth that much when they said it was mainly
the video codecs that had to be kept proprietary. Yes, they're far from being
truly open-source, but they're a lot more open-source than we give them credit
for.

~~~
coderdude
A security hole was _just_ found last week, was it not? Edit: Well, resurfaced
anyway.

~~~
TallGuyShort
Then what's your point? And can you post a reference to the specific problem
you're referring to? I don't believe they've open-sourced anything new within
the past couple of weeks.

To clarify - I'm not saying they don't have security holes. I'm just saying
that the portions of Flash most likely to be of security concern are _already_
open-source.

edit: The bug I believe you are referring to was actually found in 2008, and
is hardly different from the memory-management issues that are rampant
throughout Flex anyway.

<http://www.h-online.com/security/news/item/Adobe-apologises-for-unpatched-Flash-vulnerability-925396.html>

~~~
coderdude
I think you made my point for me. A hole that has existed since 2008 in the
closed source portion of Flash. True, they said that particular exploit can't
be used to compromise a system, but that is just one bug out of an unknown
number. The developers of Flash likely do not know the number themselves.

~~~
TallGuyShort
Generally speaking, holes in open-source projects are found by contributors
much faster than by malicious attackers. If Flash really was a security
concern, and I don't believe it is, I would personally rather have it open-
sourced than closed source. The very intelligent hackers that would find the
holes faster than open source contributors, are probably capable of finding
the holes regardless of their possession of the source code (or lack thereof).
That, however, is an entirely separate issue.

Second, can you post some more specific details about concerns you have about
Flash? I really don't see how your concern is any different than the standard
concern about any open-source project. A lot of that comes down to opinion,
and has already been overly debated. I've looked at a lot of Adobe's open-source
stuff, and I'm of the opinion that almost all of Flash is already open-source,
and that it presents very little security risk. Both products I posted have a
very healthy following of people looking over the code and reporting issues.
Other than your opinion, what are you basing this question on?

edit: Perhaps it's clearer to ask the question: What's different between Adobe
finding bugs in their closed-source code and Microsoft finding bugs in their
closed-source code? And yet Linux finds itself with far fewer attacks in the
wild - because the people who know Linux best are the ones maintaining the
code!

~~~
coderdude
The difference is that most open source projects start out open. They also
don't start out on 95% of computers. Let me put it this way: if Windows were
open sourced today, would Windows users be safe? Would the legion of "Good
Hackers" be quicker and brighter than the legion of "Bad Hackers"? There is no
possible way, on a level playing field, that we would not be attacked by
several new exploits a week. Every day possibly.

~~~
bediger
If Windows were open sourced today, would Windows users be safe? No. Parts of
Windows have such bad design that they'll _never_ be safe. Big example: the
silly "attributes" that don't include "executable". Having a file name
determine executability is prone to human errors, especially since a
definitive list of "extensions" that make a file executable is not
forthcoming.

But if you open-sourced it, someone would eventually provide you with that
list of "extensions".