Dear Adobe: It's time for security rehab

The stories about Adobe software keep coming, and the news hasn't been good. Critical bugs in Reader and Flash have come under real-world, zero-day attacks so many times in the past year that the exploits almost seem routine. Security researchers such as Mike Bailey, Dan Kaminsky and Jeremiah Grossman and Robert "RSnake" Hansen …

COMMENTS

This topic is closed for new posts.


  1. Matthew Anderson

    Name that quote

    Stand back boy! This calls for divine intervention!

  2. Rogerborg

    I'm puzzled

    How, exactly, does your charming dictat make money for Adobe? It's not like there's a viable alternative - at least if you want to actually serve content to customers. What's the downside for them if they don't fix it?

    1. Adam Salisbury
      FAIL

      Good thinking

      That kind of attitude is the perfect example of 'head in the sand' thinking, if Adobe don't fix their products then why should anyone bother with security? If your ultra-secure software is inevitably, as you suggest, going to be compromised then let's all just throw our firewalls, AV software and malware protection out the window, eh? That'll make us safer and breed some responsibility and accountability into us all won't it?

    2. Anonymous Coward
      Anonymous Coward

      I cannot believe that question has been asked!

      It should glaringly be obvious. So it's ok to say to your punters "Fuck you! This is what you are getting!" The downside to that approach, in case it isn't obvious, is to reply "Fuck you! We just won't use your product! It's not THAT good!". I do hope you are not in a position to direct policy for your employer! By following what is proposed in this "charming dictat" gives Adobe a leg to stand on when people like Jobs call them "lazy" and refuse to put Flash on their products. This not only applies to Flash, but Adobe's portfolio as a whole. In the 20 odd years that I have been using Adobe software, it has been getting progressively worse. Bad UI design, bloat and instability affects all their products. As for "making money"; Adobe's ridiculous pricing structure that is only beaten by Autodesk! You see, with 70-80 million purchases of devices that run iPhone OS worldwide, Apple have set a dangerous precedent; flash is entirely unnecessary for surfing the web. It would seem that people aren't bothered if Flash isn't present or not. That is possibly set to expand. Let's also not forget the growing popularity of plugins like FlashBlock for Firefox and Chrome and ClickToFlash for Mac. Adobe need a reality check, or at least time for Warnock to step aside.

      1. frank 3

        about to lose their enviable position

        Flash is bundled with many browsers by default. That kind of ubiquity is worth £Billions.

        If it's a big security hole (and it is increasingly problematic), then how long before MS, with a clear competing product in Silverlight, will tolerate Adobe making them look bad.

        Adobe. Have been going downhill since a sales guy displaced a tech. guy as CEO.

        'Snot just their plugins, installing CS3 was such a massive headache that we haven't bothered to update to CS4.

        And expensive.

        We pay more per year in the Adobe tax for 1 seat of graphics programs, than we pay to M$ for 10 OS seats + servers + 10 office seats + databases + 3 Visual Studio seats COMBINED.

        And I'm led to understand that open source is even cheaper!

        Adobe needs a competitor, and fast.

    3. Steven Knox
      WTF?

      I'm puzzled as to why you're puzzled

      " It's not like there's a viable alternative - at least if you want to actually serve content to customers. "

      Really? There's about a billion or so free PDF readers and writers (the spec is open, so anyone can make one), and Silverlight and HTML5 to replace flash... I can't think of one Adobe product that doesn't have a viable (if not better) alternative.

    4. Anonymous Coward
      FAIL

      Ask GM & Chrysler

      Neither of them gave a hoot about quality and both went bankrupt. Toyota - which did care - was a small nothing of a company and is now the largest car company in the world. Soooooooo - if they want to stay in business they need to produce a good product.

    5. JoeTheAnnoying
      Thumb Down

      It prevents Adobe from losing money...

      To be blunt:

      - I run Firefox with FlashBlock and NoScript (on a Mac. Safari is crap. Sorry if that offends), and don't allow Flash to run, period

      - I use Apple Preview instead of Adobe Reader to read my PDFs

      - If I encounter a Web site that requires me to have Flash enabled (a refreshing few, fortunately), I send a polite e-mail to the vendor explaining that I will not be purchasing from them because I will not run Flash on the machine on which I do all my financial work

      So not only is Adobe not gaining any money from me, they're putatively losing money as I refuse to use vendors that require their software. As time goes on and these security holes become more (in)famous, I suspect more and more users will refuse to install Flash, and Adobe will face serious competition.

      So right now, only a few psychotic geeks like me refuse to run Flash. (Yeah, I ran 1000' of CAT 6 through the house instead of using wireless, too). As Adobe continues to ignore security, our numbers can only increase. At some point, Adobe will start losing serious money because of it.

  3. Velv
    FAIL

    Not just security

    In my experience Adobe products in general are shoddy. The security holes are just symptomatic of bad practice in the development cycle.

    Adobe - as the article says - go away and get your house in order. If you're worried about shareholder value, worry about what the stock's going to be worth when something like Flash spreads the next big virus or malware attack.

  4. Cameron Colley

    How about Mr Jobs stops being a twat...

    ...and allows Ogg/Theora as part of the HTML5 spec? It would also help if YouTube were to try and move away from the magical "free until 2016, then it's $1Million!" CODEC.

    We only need Flash because idiots won't look at open source solutions for HTML5.

    1. Michael C
      WTF?

      uninformed, ignorant.

      Mr Jobs has nothing to do (directly) with what the HTML spec does and does not include. Apple is a member of the coalition, and they submit technology and ideas, but they are but one member...

      Also, no one is claiming any costs for h.264 outside of the people who WRITE codecs, sell software including them, or manufacture devices with hardware h.264 decoding, and those that broadcast non-free TV content using the codec, and some broadcast websites that profit directly from the use of the codec.

      YouTube falls in a grey area, as there are no fees for accessing their content, however, they do profit from the advertising. This is covered under the provision for videos less than 12 minutes, for which there are no fees for "indirect revenue". Videos longer than 12 minutes cost 2% of the retail price to view, or 0.02 per year for indirect revenue viewing. However, the MAX annual fee, for an organization with a subscriber base in excess of 1,000,000+ users, the fee maxes out at $100,000 annually (0.10 per user per year). Entities with fewer than 100,000 subscribers pay NO FEES unless they direct charge for video viewing. When combinations of direct and indirect models are in use, fees max out at $5M per year regardless of number of subscribers, and those fees cannot go up more than 10% from the previous year (if the cap was previously met). Anyone who makes no profit from these videos (they exist, say, for training, are on personal web sites (MySpace), etc.) pays no fees.

      Additionally, there's a clause stating "the royalty shall be no more than the economic equivalent of royalties payable during the same time for free television."

      Use of H.264, for most people, will cost nothing. For major commercial sites like YouTube, $5M is NOTHING, they pay far more in other royalties and software costs every month, let alone annually.

      Between now and 2016 (which likely would be extended again, this is their 3rd extension without debate...) do you seriously think there might not be another viable alternative codec we'd migrate to if one came out completely free, and do you not think the MPEG LA would again extend the free term, and for those who were paying come up with fees low enough that switching to a free alternative would actually cost more?

      1. A J Stiles
        Stop

        Simple solution

        The Government give patents, and the Government can take them away.

        I'm sure there is a precedent for annulment of patents when it was in the national interest.

    2. MD Rackham

      No Guarantees with Ogg/Theora

      There is no guarantee that Ogg or Theora are unencumbered by patents. It costs serious money to research that and even then patent trolls pop up out of nowhere. So far there is no one using Ogg/Theora with any real money in their pockets so there is no reason for said trolls to tip their hand.

      As soon as an Apple or suchlike adopt it watch the patent lawsuits start flying. It's just better business sense to go with MPEG/LA as they are a known entity and all the major patent holders have been identified and have agreed to pool their interests. Much easier to negotiate with a single entity.

      Not to mention that Ogg/Theora is technologically well behind the curve.

      1. A J Stiles
        Alert

        Patents can be annulled

        Patents can be annulled, you know.

        Especially if they should never have been granted in the first place. A codec is a mathematical operation, which has no business being patented.

  5. Will

    Fully agree

    I'm fed up that on every machine I use I'm constantly bombarded to update what is only a PDF reader. Why does something so mundane have so many holes that it needs almost constant security updates?

    I'd love to not have to use it at all

    1. Adam Salisbury
      Thumb Up

      Foxit

      Go and get Foxit PDF reader then, it's what I use when I want a PDF reader that isn't a fat bloated pile of w**k

      1. Charles 9

        I use PDFXchange myself.

        Pretty good at even the latest documents, has a few nice additional features, and no nagging.

    2. blackworx
      Pint

      Why?

      "why does something so mundane have so many holes that it needs almost constant security updates"

      Because the last piece of worthwhile dev on Acrobat happened over a decade ago, and Adobe have spent the intervening time adding nothing but soft, mushy bloat.

  6. Whitter

    An opportunity for Silverlight?

    Given that everyone's got Flash, and those with an opinion likely hate it for the "99% ads, 1% useful" ratio - do Microsoft have an opportunity to get Silverlight out and out? Granted, MS are hated too - but they are better at security.

    The platform won't stop the ads though...

    1. Trevor Pott o_O Gold badge
      Joke

      MS are hated too - but they are better at security.

      I demand you go back to the year 2000 and post this on the internet somewhere.

      The resultant shock and nerd rage would alter the timeline.

  7. Bilgepipe
    FAIL

    Absolutely Right(tm)

    Adobe has a security problem on the scale of Microsoft's back in the even-worse old days. As long as they keep denying it the exploits will keep coming.

    As for Flash, they'd be better served just dropping it altogether, it's had its day. No-one needs it any more. But if they do end up repairing it, how about getting shot of those long-term cookies while they are at it?

    1. Disco-Legend-Zeke
      FAIL

      Time for...

      ...a class action suit.

      Only money gets the attention of bean counters.

  8. Eddie Edwards
    Joke

    Slight difference with Toyota

    I'm on my computer ... and I'm running IE8 and Flash has opened a security hole ... the close window button isn't working ... it's opening pr0n all over the screen ... hold on ... hold on and pray ... pray

    1. Adam Salisbury
      FAIL

      Bad publicity...

      ...Made worse by idiot drivers who don't bother to learn enough to know you don't need prayer and police to stop a car with a jammed accelerator, someone with a brain would've taken it out of gear and saved themselves the brown trousers, god bless merkia i guess

  9. SynnerCal
    Megaphone

    This article is spot-on

    Excellent article - well done, now I hope that all at Adobe HQ are reading it, (hence the icon choice). I'm surely not the only one that's quite uneasy with the barrage of criticism levelled at Flash/Shockwave? And if I'm typical then surely this is a threat to Adobe's earning potential - something that I would have thought the shareholders etc would be more worried about than any investment in security, (which can easily be spun into some positive PR).

    I suspect that - like most tech - Flash was okay to start with, but as the marketing folks have had more and more "features" added, the code quality has gone down. But what are the alternatives - only one I can see is Silverlight - and that's from a company that's, ahem, not exactly got a stellar reputation for black-hat proof coding to date, (no MS bashing intended - at least they're trying to improve).

    Given the problems and Adobe bosses apparent unwillingness to fix them, what are Joe/Jane Public to do? Only thing I can see is to use Flash blockers like AdBlock+ et al until Adobe 'wake up and smell the coffee'. Not a good situation to be in.

    1. Charles 9

      And what happens when...

      ...Joe/Jane Public realize that their favorite site(s) (with no alternatives) REQUIRE Flash to run. With no alternatives, they can't walk away, and it's their favorite site, so they can't ignore it.

  10. The Original Ash

    Is it their fault?

    How is their browser plugin allowed to run with permissions that affect events outside of the browser? Why isn't there a "you're not getting out" sandbox around the whole thing?

    No doubt that they're responsible for the rubbish coding of their plugin, but shouldn't there be some shared blame for the fact that the plugin has enough privilege granted to it to be able to crash / exploit applications outside of itself?

  11. Chris Gray 1
    Stop

    Flash inherently unsafe?

    I took flash off of my Linux box a while ago, but ended up putting it back on because it is so heavily used. It clearly needs fixing.

    But, I don't think it's just a matter of fixing bugs. To my mind, the main problem with it is that it is deliberately going around all restrictions that its hosting environment (usually a browser) might want to put around it. Firefox, for example, lets you control some of the things that JavaScript can do. Where are the controls for what Flash can do? Various versions give you a little bit of control, like turning off access to a camera or microphone. How do I stop it from doing *any* file system access whatsoever? I don't care if it burns CPU - I want it to have no access to anything I care about. But, I doubt Adobe would ever do that, because they *want* it to bypass any protections the browser might try to put in its way. About all that a browser could do would be to put the Flash engine into a very solid OS-supported sandbox. Until Adobe puts reasonable restrictions on it, that's what browser developers should do. At least make that an option!

    I have no problem with Flash being a way to play videos and to implement platform-independent games. I doubt I'll ever want to allow it to do anything else, so please, someone, give me a tool that lets me prevent it from doing more. And yes, in an open source world, I could get the source to Firefox and do it myself. However, I'm already working hard on my own to-be-open-source project, and the current Firefox developers could do it much faster and more reliably.

    1. MyHeadIsSpinning
      Thumb Up

      @ Chris Gray

      No Script

  12. Peter Kay

    Sensible article, silly timescales

    I agree almost entirely with the article, except for the part about suspending development. How many drugs is the writer currently on?

    It may be true that Silverlight is hardly beating Flash at the moment, but the last thing Adobe (or in fact anyone sensible) will do is give away a lead to a competitor.

    Yes, fix the security problems, but also move the software forward at the same time.

    1. Tom 35
      Thumb Down

      That's how they got into this mess...

      "Yes, fix the security problems, but also move the software forward at the same time."

      Stick more duct tape and bubble gum on the security problems and hack some more "features" into the code to keep the knobs in marketing happy? No.

      If they rebuild it with security and portable code from the ground up then they will have some useful features to list on the box. Like Smaller, Faster, Secure. Then maybe they can get it onto the assorted iThings.

  13. Anonymous Coward
    Thumb Down

    Therein lies the problem with software.

    With a life-threatening device like a car or home electrical appliance, there are national and international bodies that oversee the practices of members.

    What have we got with software? ISO standards on certain things, but no body ensures its members adhere to basic checks and standards. Nothing stopping any one of us setting up shop as a software vendor and flogging software to anyone, with no warranty other than maybe a basic agreement about fitness for purpose to stop you getting dragged through the courts if it blows up.

  14. Anonymous Coward
    Anonymous Coward

    Meh

    It isn't all adobe's fault; a large part is that after decades micros~1 still haven't mastered this sandboxing thing that any multiuser system must have lest it crash and burn every day. Which micros~1 products duly do, and the things running on top do too.

    On the shinier but equally dark side there's the minor issue of adobe refusing to provide flash for too many platforms and forbidding others from doing the same. This is amazingly bad not just for those weirdo non-windows-users (with systems that do sport proper sandboxing and thus suffer a lot less from adobe's software's security problems), but also for archiving websites. It means the canned user experience will go bad that much sooner when stored.

    So for all I care flash dies a fiery death and gets replaced by something with a good and stable open specification behind it. What that'll do to all people and companies already committed to flash, well, they could've chosen not to go down the dark alley in the first place.

    On the gripping hand, silverlight goeth a long way but isn't practicable seeing how they're clearly trying to run moonlight into the ground with spec updates, ensuring the thing gets too complex to duplicate soonest. So we'll turn to HTML5 first.

  15. James Hughes 1

    Toyota Prius

    AFAIK, the Prius has NOT been recalled as you stated in your article. In fact the 'fault' doesn't even appear to be a safety issue - more a driver issue where, when the ABS kicks in, it doesn't feel 'right' (because of the hybrid system it has a different feel to a normal ABS system).

    Bit of a storm in a teacup I think, although exacerbated by the frenzied media, reporting it as a safety issue, when at this stage IT ISN'T.

    Don't have a Prius, just a sense of proportion.

    1. Bilgepipe

      The Clash

      The Prius has a "software clash" between the braking system and the regenerative braking system, as admitted by Toyota. The problem can be overcome by "braking harder." (A symptom of letting a computer control the brakes, I suppose - that can only end badly)

      I think you'll find a recall is probably imminent.

  16. Anonymous South African Coward Bronze badge
    Terminator

    give them a taste of their own medicine

    Has anybody considered launching an attack against Adobe itself? What's good for the goose, must also be good for the gander.

    Maybe then they'll change their tune.

    Besides that, they need to take a serious look at reducing bloat with their applications. If open-source tools are leaner and better, then surely the same can apply to Adobe?

    Gotta uninstall the bloated v8 reader soon...

    terminator... because they're gonna get terminated

  17. zenkaon

    Bring on html5

    Really like the Canvas part of html5, no need for a plugin. Now if they can just agree on a codec.....

  18. jake Silver badge

    "Adobe needs to follow suit. Now."

    Why? Just let 'em drill themselves into obscurity ...

    Seriously, who, with a clue, allows anything Adobe on systems that matter?

    The sheeple will figure it out, eventually (I hope!), but none of my clients have issues with Adobe ... for the simple reason that they don't allow Adobe software on their hardware.

    Paraphrasing, "It hurts when I do this!" ... Answer "Then don't do that!"

    How hard is it?

  19. Nick Ryan Silver badge

    Less bloat would be good too...

    Less bloat would be good too... Acrobat used to be a document *reader*. Now it's a security nightmare sub-system in its own right. Quite how it's expanded from a small, light document reader to a 37MB exercise in bloat and inefficiency is another good question to ask as well.

  20. Pavlovs well trained dog
    Thumb Up

    Brilliant

    Hallelujah Amen to this

    Flash, in its current incarnation is shyte - but that doesn't mean it can't be good.

    Let's hope they do something about it

  21. joe_bruin

    spaghetti code

    Adobe can't even get a 64-bit version of the software out, their Linux port is barely functional, their Mac port is woefully behind the Windows version in performance, and security holes abound. This has been true for years and is not getting any better.

    My best guess is that the Flash codebase is such an utter mess that Adobe can't do a thing with it. They're just scrambling to patch the leaks and keep it running on current platforms. They can't admit this, of course, but given that they're unable to make headway on any of the issues plaguing their most popular product, they don't have to. If this is the situation, you can expect it never to improve until a complete rewrite of the software takes place. If Adobe is currently doing this, they should be up front about it and give us a deadline for the fix. If they are not then the future of Flash is behind it.

  22. herbland
    Stop

    One problem

    This is a sensible business approach that would benefit the long term health of the company, not short term gain of shareholders......not very likely then.

    1. Anonymous Coward
      Anonymous Coward

      And herein lies the problem...

      The economic culture today is that of a betting-shop! If, in the longer term, Adobe don't shore up their security problems, amongst other things, there will be NO BUSINESS to invest in! If, as a share holder, you don't like this, DON'T INVEST! Investing isn't a short term license to print money! For a business to grow, it needs to look to the long term. Sensible investors (Warren Buffett for example) look at the long term prospects for a business above anything else. Besides, the most important people to a business aren't its shareholders, rather its customers. No customers, no business. It really is that simple. It's fast becoming a new meme in these sorts of threads; "Won't somebody think of the poor shareholders?!"

      1. Disco-Legend-Zeke
        FAIL

        Investors...

        ...are the people and institutions that buy stock at the IPO. Their money flows into the corporation to capitalize whatever.

        Buying stock after that is merely betting, just like a horse race. Worse, the stockholders pressure management for more profits with performance based rewards.

        Once profits have been maximized by better planning and more efficient production, all that's left is screwing people.

  23. Keith T
    Grenade

    Adobe desperately needs to work on security and bugs

    Adobe really needs to focus on security and bugs, followed by efficiency.

    Its products have become so problematic I wish they did not have such a high usership so I could leave them off my computers.

    Hopefully webmasters and content authors will start using the alternatives (I hold out little hope for Adobe to turn itself around).

  24. Anonymous Coward
    Anonymous Coward

    Agree

    [AGREE]

    Indeed I do. Adobe seem to be the main focus for hack-attacks these days, what with later versions of Windows being somewhat more secure than their predecessors. They should definitely think about taking some time to get their house in order - a lot of people already block Flash and most would gladly replace Adobe Reader.

    [/AGREE]

  25. Stu 18
    FAIL

    adobe features don't work let alone security

    Never mind security, we've had years of acrobat full version and readers that break backward compatibility, throw in third-party crapware on install and now have a footprint of similar size to Donald Trump's greenhouse one. Kick them while they're down I say, since the lowly 'users' can never pass on our frustrations normally. Funny that, always takes a crisis for companies to suddenly get all humble and back 'in touch' with the customer.

  26. ForthIsNotDead
    FAIL

    While they're at it...

    Perhaps they could shave, oh, I dunno, about 9 10ths off the size of the memory footprint, and make it load a bit faster.

    You know, like Foxit reader does?

  27. lucmars

    it's too late

    Everybody's got it, like everybody gets Windows. So, why would Adobe do something?

  28. Chris Bradshaw

    Analogy closer to home..

    "if there was such a widespread problem historically Flash could not have achieved its wide use today." As if the Ford Pinto, Chevy Corvair, or indeed the Toyota Camry didn't gain popular acceptance as well.

    And I guess he also feels Microsoft could never have achieved wide use of Windows with any frequent crash problems (BSOD, anyone?)...
