To say that Adobe Flash has been mired in controversy for much of its existence is something of an understatement. For millions of computer users around the world, Adobe Flash represents a catch-22 of the highest order. While it is necessary to play many of the streaming videos that users have come to enjoy on a daily basis, it also brings with it a large number of disadvantages that are difficult to ignore. Not only is Flash a huge burden on the resources of older computers, but it also opens a machine up to a huge number of potentially devastating vulnerabilities, as the news of the last week has so expertly illustrated.
Adobe Flash and Security: What Happened Now?
Last week, a new series of catastrophic Adobe Flash vulnerabilities were uncovered during some routine testing by Alex Stamos. For those unaware, Stamos acts as the chief security officer for social media giant Facebook. Not only could these new vulnerabilities potentially be used to overload a system’s resources, but they could also likely be used as a “backdoor” into the system that would allow a hacker to compromise the sensitive information stored inside. As a result of his findings, Stamos publicly stated that he hoped Adobe would finally use this as an excuse to discontinue the antiquated software once and for all.
The backlash of this news was swift and immediate. Both Mozilla Firefox and Google Chrome, the two most popular Web browsers on planet Earth, released new versions that specifically disabled Adobe Flash functionality by default as a result of these security issues. Developers for both Mozilla and Google indicated that Flash would continue to remain disabled indefinitely until the security issues were properly addressed by Adobe. Users could still opt into the use of Flash on their systems if they wanted to, but the process can be difficult for someone without at least an intermediate level of computer knowledge. All current and past versions of Flash were blocked by both of these browsers.
Many people took this as a sign that the winds of streaming content are truly changing and that Google and Mozilla were teaming up in an attempt to “kill” Flash once and for all. They are hardly the only two companies to attempt to do so in the last several years for these very reasons. Streaming video site YouTube has been steadily moving away from its dependence on Flash, allowing users to opt into the use of HTML5 for all streaming video needs for some time now.
What Is Adobe Doing?
To its credit, Adobe has quickly taken a number of steps in order to improve the security capabilities of Flash and address the issues of the past week as wholly as possible. Three new defenses were released in the latest version of Flash, for example, that were designed by developers at Adobe and Google working in conjunction with one anther.
One of these fixes included a new vector unit buffer heap partitioning system, which keeps arrays separated from other heap objects. An attempt by a hacker to overflow a vector’s length is therefore much more difficult than it had been in the past. Stronger randomization for Flash heaps was also released, closing off one channel that was previously used by hackers in the past. In order to properly exploit Flash, a hacker needs to know the way that Flash is laying out memory on a particular system. Thanks to this new, higher level of randomization, the aforementioned process has become exponentially more difficult.