Is Microsoft to blame; or is the Flash community looking for a scapegoat?

Warning: this post hasn't been updated in over three years and so may contain out-of-date information.

An article today in Flash Magazine has got me somewhat annoyed. Apparently there is a gaping security hole in all but the latest version of Flash Player, and MSN Norway has served up a Flash-based advert that exploits it. The article seems to imply that – because the flaw was revealed two months ago – web sites that serve Flash adverts should be legally required to vet them for this flaw. Because Microsoft in Norway appear not to have done this, Flash Magazine takes them to task.

Hang on a minute, though. Since when has relying on the customers of your product to check for exploits been an acceptable way of preventing exploitation of security holes? Whatever happened to the idea of fixing the flaw? The flaw is fixed in the latest version of Flash Player 9, but how many people have that? It's not something I'd given any thought to before, but presumably Adobe have no way of pushing out patches to Flash Player when such flaws occur, and so are reduced to the feeble "alternative" of expecting users of the product simply to be vigilant instead.

I don't care if I'm the only Flex developer in the world to use the Flashblock plugin for Firefox. This handy plugin blocks Flash content by default, requiring the user to explicitly give permission for it to be downloaded and run. If Adobe really do have such weak solutions to security flaws, then quite frankly I think everyone is bloody daft if they don't have a Flash blocker installed, whether they are a Flash/Flex developer or not!

8 thoughts on “Is Microsoft to blame; or is the Flash community looking for a scapegoat?”

  1. Hi David,
    If you read again, you’ll see that I’m not blaming Microsoft in any way, but rather the Ad-network they use. Anybody making a living from a trust-relationship (such as this network) should make sure they don’t serve their clients (msn.no and other sites) malicious content. If the Ad network did their job and screened the ad before putting it live, this would have been avoided.

    Flash ads can do a lot of annoying things (pop up windows, load URLs…), but here it's somebody that intentionally serves a trojan virus without Microsoft knowing. My point is that Advertising networks HAVE TO check for this since they are responsible for the distribution. Since the bug is public, they should be able to do this easily by inspecting the SWFs and JavaScript files.

    J
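Jensa's point that the network could have screened the creatives by inspecting the SWFs is something an ad-ops team can automate. The following is an added example written for this page, not code from the post, Flash Magazine or Adobe: it parses a SWF's header and tag stream (tag and action codes are taken from Adobe's published SWF file format specification), inflates CWS files, walks the AVM1 action blocks in DoAction/DoInitAction tags, and rejects a creative whose getURL targets use a script scheme. The three sample SWFs are constructed inline for the demo; `SCRIPT_SCHEMES`, the accept/review/reject policy and the helper names are this example's own choices. Note that the version byte in the header is the SWF format version the creative targets, not the viewer's Flash Player version, so a screen like this catches ads that are openly hostile but is no substitute for the player being patched.

```python
import struct
import zlib

# Tag codes that can carry executable ActionScript (SWF spec).
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 72: "DoABC1", 82: "DoABC"}
ACTION_GET_URL = 0x83  # AVM1 getURL action (SWF spec); payload is "url\0target\0"
ACTION_END = 0x00
# URL schemes a creative has no business invoking (policy chosen for this example).
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "asfunction:")


def parse_swf(data: bytes):
    """Return (version, [(tag_code, tag_body), ...]) for an FWS or CWS file."""
    if len(data) < 8:
        raise ValueError("truncated SWF header")
    sig, version, file_len = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":  # zlib-compressed from byte 8 onwards
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("not an FWS/CWS file (ZWS/LZMA not handled in this example)")
    if len(body) + 8 != file_len:  # FileLength counts the uncompressed file incl. header
        raise ValueError("header length does not match content; reject as malformed")
    # Skip FrameSize RECT (5-bit Nbits + four Nbits fields, byte-padded), FrameRate, FrameCount.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4
    tags = []
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:  # long form: UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + length > len(body):
            raise ValueError("tag runs past end of file; reject as malformed")
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == 0:  # End tag
            break
    return version, tags


def urls_in_actions(actions: bytes):
    """Walk an AVM1 action block and return every URL passed to getURL."""
    urls, pos = [], 0
    while pos < len(actions):
        code = actions[pos]
        pos += 1
        if code == ACTION_END:
            break
        if code < 0x80:  # single-byte action with no payload
            continue
        length = struct.unpack_from("<H", actions, pos)[0]
        pos += 2
        payload = actions[pos:pos + length]
        pos += length
        if code == ACTION_GET_URL:
            urls.append(payload.split(b"\x00", 1)[0].decode("latin-1"))
    return urls


def screen_ad(data: bytes) -> dict:
    """'accept' (no script), 'review' (script present), 'reject' (script-scheme URL)."""
    version, tags = parse_swf(data)
    script_tags, urls = [], []
    for code, body in tags:
        if code in SCRIPT_TAGS:
            script_tags.append(SCRIPT_TAGS[code])
        if code == 12:
            urls += urls_in_actions(body)
        elif code == 59:  # DoInitAction: a UI16 SpriteID precedes the actions
            urls += urls_in_actions(body[2:])
    bad = [u for u in urls if u.lower().startswith(SCRIPT_SCHEMES)]
    verdict = "reject" if bad else ("review" if script_tags else "accept")
    return {"version": version, "script_tags": script_tags, "urls": urls, "verdict": verdict}


# --- constructed sample creatives for the demo (not real ads) -------------
def _tag(code: int, body: bytes) -> bytes:
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body

def _rect(xmax: int, ymax: int) -> bytes:  # FrameSize RECT (0,0)-(xmax,ymax) in twips
    nbits = max(xmax, ymax).bit_length() + 1  # room for the sign bit
    bits = f"{nbits:05b}" + "".join(f"{v:0{nbits}b}" for v in (0, xmax, 0, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")

def build_swf(tags: bytes, version: int = 9, compress: bool = False) -> bytes:
    body = _rect(6000, 5000) + struct.pack("<HH", 24 << 8, 1) + tags + _tag(0, b"")  # 300x250px, 24fps, 1 frame
    header = struct.pack("<BI", version, 8 + len(body))
    return (b"CWS" + header + zlib.compress(body)) if compress else (b"FWS" + header + body)

def get_url_action(url: str, target: str = "_self") -> bytes:
    payload = url.encode() + b"\x00" + target.encode() + b"\x00"
    return bytes([ACTION_GET_URL]) + struct.pack("<H", len(payload)) + payload + bytes([ACTION_END])

BENIGN_SWF = build_swf(_tag(9, b"\xff\xff\xff") + _tag(1, b""))  # SetBackgroundColor + ShowFrame
CLICKTHROUGH_SWF = build_swf(_tag(12, get_url_action("http://example.com/landing")) + _tag(1, b""), compress=True)
SCRIPT_URL_SWF = build_swf(_tag(12, get_url_action("javascript:alert(1)")) + _tag(1, b""))
```

Calling `screen_ad()` on the three samples gives `accept`, `review` (a plain click-through still carries ActionScript, so a human looks at it) and `reject`. In production you would also send DoABC (ActionScript 3) tags to review, since the AVM1 walker cannot see URLs assembled at runtime, and keep the permitted click-through domains in an allow-list rather than only denying script schemes.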

  2. Hi Jensa,

    You are right, I did misread it. Having re-read, I accept you were indeed criticising the ad network, not Microsoft. Apologies for misrepresenting you there.

    I still stand by the general thrust of my post though. If the flash player plugin checked back with an Adobe server periodically, it could notify the user of urgent security updates. The fact that the plugin doesn’t do this, leaves ad networks having to perform extra security checking at their own expense. Hopefully this incident might prompt Adobe to add automatic update checking to Flash Player 10 before a release version is produced.

  3. Have you ever seen Flash Player advise you to update when a new release comes along? I can’t remember whether it did when v9 was first released.

    I just checked the version of Flash Player on my copy of IE, and it isn’t the latest version. There is a known security flaw in the version I have; you have just pointed out that Flash Player can check for a new version, yet it hasn’t advised me to upgrade. Maybe I’m missing the point here, but why isn’t my copy of Flash Player screaming at me to upgrade? Adobe appear at least to have seriously screwed up somewhere.

    Luckily for me, I only use IE for localhost dev purposes, not for browsing the web. Shame about everyone else…

  4. I think it only updates automatically for major versions, but it would be odd if Adobe didn’t have some trick up their sleeve?

    With IE8, Microsoft has introduced something called a “killbit”. They can trigger this via Windows Update to prevent ActiveX controls with issues from running. I don’t know the specifics around this, but it seems that when combined with the update mechanism, this could do the trick? The update-part of the player is not a control, but a system component so if this is cleverly built, vendors can kill a specific version of a plugin and then prompt the user to reinstall on the next occasion?

    http://blogs.technet.com/swi/archive/2008/02/06/The-Kill_2D00_Bit-FAQ_3A00_-Part-1-of-3.aspx

    J

  5. Hi Jensa,

    This sounds like a question to put to the Adobe guys at Flash on the Beach in a couple of weeks time. That now causes me a conundrum. The ideal time to ask the question is at the “Town Hall meeting”. This conflicts with Niqui Merret’s session on accessibility, which I have on good authority will be very good. Why do these things always clash?

    Oh well, thanks for taking the time to share your knowledge on this matter. If I find out anything more, I’ll email Flash Magazine and let you know.
