
Facebook's new chief security officer wants to set a date to kill Flash - therealmarv
http://www.theverge.com/2015/7/13/8948459/adobe-flash-insecure-says-facebook-cso
======
AdmiralAsshat
Flash is one of those things that I will be almost sorry to see go. Not
because I enjoyed it, but because I could safely ignore it most of the time: I
can disable it, meaning that method of attack/annoyance is completely shut
off. When I see my browser showing me something that failed to run because
Flash was not turned on, I'm fairly confident that it was something I didn't
need to see. Sort of like how our spam filters have been trained well enough
that nobody in this day and age still gets e-mails with shady .exe attachments
--they're predictable, and Gmail and Outlook's spam filters will catch them.

On the other hand, once Flash is dead, I worry that the invasive crap that
made Flash so obnoxious will simply be re-engineered in HTML5 and Javascript,
resulting in the same problems of garish pop-ups and autoplaying videos in an
implementation that is more difficult to block.

~~~
vezycash
My main issue with the kill-flash cult is auto playing html5 videos. I've
asked multiple times on HN and have not gotten a working answer.

How can I block HTML5 videos and audios or at least stop them from playing
automatically?

~~~
mkddrm
Starting in September with Firefox 41 you can set media.autoplay.enabled to
False in about:config and stop them from playing automatically.

[https://bugzilla.mozilla.org/show_bug.cgi?id=659285](https://bugzilla.mozilla.org/show_bug.cgi?id=659285)

------
asadotzler
Facebook is the last major site I visit that still pushes Flash on me. When
they clean up their own act, then they can start talking about what Adobe and
the rest of the Web should be doing.

~~~
ohitsdom
Seriously. Before calling out Adobe, Facebook should announce when they'll be
Flash-free. Otherwise it sounds pretty silly: "Tell us when we have to stop
using this insecure, resource-intensive software."

------
discardorama
I can't understand how one piece of software (Flash) can be so horribly broken
over so many years.

I mean, they had one simple thing to do: prevent code from escaping the
sandbox. So how is it possible that they have repeatedly failed at that one
task?

<wear-tinfoil-hat>Never attribute to malice what can be explained by
incompetence, as the saying goes. But after so many years, I'm beginning to
wonder: is it really incompetence, or has some TLA agency convinced them not
to do a good job? </wear-tinfoil-hat>

~~~
billyhoffman
3 thoughts:

First, to be fair, "Flash" is 2 complete Virtual Machines: ActionScript 2 and
ActionScript 3. I expect it to have an increased attack surface.

Second, many things that Flash does (graphics, 3D, video decoding, audio
decoding, etc) pretty quickly get you to unmanaged APIs in the OS.

Third, Flash can be surprisingly tricky to escape. Mark Dowd did an absolutely
insane series of steps to have code that was valid bytecode, that retained
control of a pointer, and to properly set up the memory space for jumping. This
isn't necessarily "easy" by any stretch. The full write up is here:
[http://www.inf.fu-berlin.de/groups/ag-si/compsec_assign/Dowd...](http://www.inf.fu-berlin.de/groups/ag-si/compsec_assign/Dowd2008.pdf)

This isn't to give Adobe a complete pass, but there is a lot going on here.
Still, the time for Flash is past and I cannot wait for it to die.

------
lode
On my system (without Flash), Facebook is one of the last sites where I
encounter Flash for non-ad content. (Videos)

~~~
cpncrunch
They now have an html5 video player, which I think they just introduced a week
ago. BBC is about the only site I've seen that requires flash video, but I'm
sure they'll get with the program soon.

~~~
TD-Linux
I so far have not gotten Facebook to serve me the html5 video player, for
whatever reason.

~~~
cpncrunch
Stupid question perhaps, but have you disabled the flash plugin? It seems to
work fine on latest Chrome.

~~~
TD-Linux
I don't even have it on my system. I wonder if it's some sort of UA detection
thing? I tried appearing as Chrome 41 on Windows 7, but no luck. (firefox
nightly on linux user here, with h.264/aac support provided by gstreamer)

~~~
cpeterso
I think that Facebook only serves HTML5 video to Windows 7+, so I'm not sure
why your Chrome 41 on Windows 7 test didn't work.

------
astrodust
If Flash was implemented in JavaScript, which sounds slightly crazy but not
entirely impractical, it probably wouldn't have nearly as many
vulnerabilities.

When's the last time a JavaScript exploit was found? I know the Pwn2Own
contests manage to bust out of the sandbox now and then, but this seems
exceedingly rare compared to the near monthly super critical Flash updates.

~~~
danudey
But then it would be even worse on battery life.

The primary uses that I see, day to day, for Flash are:

1\. Video players (which should be done natively)

2\. Ads (which is an awful use case)

3\. Fancy, but broken, font replacement (less so lately)

4\. Weird, unnecessary utility, like copying text to the clipboard.

I don't see any reason to reimplement Flash in Javascript when all of these
use cases can be better done in native HTML/Javascript already (1-3), or just
not done at all (4). It seems like a huge amount of engineering effort to
maintain an old technology that even its creator is migrating away from.

~~~
astrodust
The reason is similar to why people build emulators for old game systems: To
be able to preserve history.

There's a lot of Flash games and applications out there that would be
completely inaccessible to people were it not for the Flash player.

For example, the Homestar Runner site is built entirely on Flash, and while
movie rips of this exist, there's small, subtle interactive elements only
possible in the Flash version.
[http://www.homestarrunner.com/](http://www.homestarrunner.com/)

When Flash is dead a large part of the web goes dark, and that's a tragedy.

~~~
oddevan
I'll second this. There's large parts of internet culture that exist in flash
animations. DeviantArt, Newgrounds, and of course Homestar Runner...

------
andreineculau
Forget Flash, there are bigger fishes to catch:
[http://blog.andreineculau.com/2015/07/13/major-security-thre...](http://blog.andreineculau.com/2015/07/13/major-security-threat-linkedin-facebook-github-etc-and-secondary-email-addresses/#content)

------
wesleytodd
Is this article one big troll?
[https://twitter.com/wesleytodd/status/620677489166123008](https://twitter.com/wesleytodd/status/620677489166123008)

------
Fiahil
Quick question, what would happen to games developed in Flash?

This one was among my favorites for a time:
[http://www.dofus.com/en](http://www.dofus.com/en)

~~~
legohead
There are whole sites/companies built on flash games.. armorgames,
kongregate.. Not to mention the developers who make a living off of it.

Facebook has had a lot of vulnerabilities, maybe someone should ask them to
set a kill date?

------
J_Darnley
Flash will never be dead as long as I still need it to play the greatest
animations the internet has ever produced.

------
kenshaw
Is it too late to schedule January 1st, 2014 as EOL for Flash?

------
stevenh
Why is everyone so obsessed with bashing Flash? Is it just because a RCE
exploit is found once in a while?

Let's compare Adobe's diligence of patching to another company's. How about
Mozilla?

Adobe usually patches a RCE exploit within 72 hours of discovery. Mozilla seem
to take anywhere from one to three months.

Firefox RCE exploit found on January 20, 2015:
[https://community.rapid7.com/community/metasploit/blog/2015/...](https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636)

Firefox RCE exploit found on February 25, 2015:
[https://msisac.cisecurity.org/advisories/2015/2015-018.cfm](https://msisac.cisecurity.org/advisories/2015/2015-018.cfm)

Firefox RCE exploit found on March 1, 2015:
[https://www.mozilla.org/en-US/security/advisories/mfsa2015-3...](https://www.mozilla.org/en-US/security/advisories/mfsa2015-39/)

Firefox RCE exploit found on April 22, 2015:
[https://msisac.cisecurity.org/advisories/2015/2015-046.cfm](https://msisac.cisecurity.org/advisories/2015/2015-046.cfm)

Firefox RCE exploit found on May 12, 2015:
[https://www.mozilla.org/en-US/security/advisories/mfsa2015-5...](https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/)

Did you hear about any of those Firefox RCE exploits? Probably not.

We only hear about Flash RCE exploits because those are the ones which happen
to get exploited in the wild the most. This is not because browsers are always
more secure than Flash; it is because hackers know that if they succeed in
finding a RCE exploit in Flash, they will be able to target the 97% of desktop
users with Flash installed rather than just the 44% who use Chrome or the 15%
who use Firefox. It's the same reason Windows users have always had far more
exploits actively used against them than Mac users. Should we set a kill date
for Windows because of that?

As long as we are making asinine suggestions, how about browsers set a kill
date for Facebook, after which no one can access the site? Facebook's rampant
video piracy problem harming small publishers on YouTube [1] is orders of
magnitude more financially damaging to its victims than MegaUpload ever was.
At bare minimum, it would be appropriate to warn users that they are about to
visit a malicious piracy hub with a red full-screen "Are you sure you want to
go here?" page, and perhaps provide a list of suggestions of alternative
social networks to switch to.

1\.
[https://news.ycombinator.com/item?id=9854160](https://news.ycombinator.com/item?id=9854160)

~~~
mixmastamyk
Because flash is superfluous, while the browser is not.

------
talmand
Kill it? We must be close already because my first thought on seeing the
headline I wondered why someone at Facebook wanted The Scarlet Speedster dead
when we haven't seen him in a movie yet.

Sign of the times.

EDIT: Well, I did.

