Six Lines

Adobe Flash Security

Posted by Aaron Massey on 25 Oct 2011.

Flash is almost always the #1 target for hackers. It’s nearly ubiquitous and easy to break into. The only thing that might give Flash a run for its money is the Java runtime environment. Still, Flash is awful.

Because there are so many stories about how bad Flash is from a security standpoint, I haven’t really spent much time linking to them. However, Steve Bellovin, a computer security pioneer and a Professor of Computer Science at Columbia, wrote a fantastic post about the security problems caused by Flash:

From a technical perspective, it’s simply wrong for a design to outsource a critical access control decision to a third party. My computer should decide what sites can turn on my camera and microphone, not one of Adobe’s servers.

Definitely read the whole thing. Bellovin ends his post with this:

No wonder the NSA’s Mac OS X Security Configuration guide says to disable the camera and microphone functions, by physically removing the devices if necessary.

I’m not sure what role the operating system should play here, but it’s fascinating to think about. How should things like the camera and microphone be controlled? Webcams are clearly an important area for privacy.

Lastly, Bellovin’s post is based on research done by Feross Aboukhadijeh at Stanford, which is worth reading if only because it is a pretty compelling case of responsible disclosure.