Software // Enterprise Applications
03:19 PM
Connect Directly

Critics Throw Stones At Security Of Adobe's Flash

The problem with Flash is its absence of controls to disable behavior like Web site redirection, critics say.

Hackers and malware writers are moving aggressively to take advantage Adobe's Flash technology in ways that let them infect computers. And critics say that some of the key features of Flash make it vulnerable to manipulation.

"The problem is that [Flash] .swf files are being actively manipulated by malware authors to deliver [malicious] ads, and it's nothing to do with a particular vulnerability," explained Alex Eckelberry, President and CEO of Sunbelt Software, in an e-mail. "It has to do with the flexibility the Flash format offers, and the fact that end-users have no control over what's offered in Flash (it's all or nothing)."

Like ActiveX, QuickTime, and other browser components, Flash has had security vulnerabilities. In a December 18 Security Advisory, Adobe fixed 9 different Flash flaws. But the updates didn't make Flash any less viable as a media for badvertising, which is to say ads that lead to malware.

The problem with Flash is its absence of controls to disable behavior like Web site redirection.

Sandi Hardmeier, an IT coordinator based in Australia, says: "Flash has turned into the Typhoid Mary of the Internet."

Hardmeier, a Microsoft Most Valued Professional, wrote those comments in a blog post. She believes that Adobe's Flash multimedia technology leaves users vulnerable to malware and that it lacks adequate malware mitigation controls.

Microsoft's antipathy toward Flash, which competes with Microsoft's new Silverlight technology, is no secret. It would thus be easy to dismiss Hardmeier's assertion as techno-partisanship were it not for others who share her opinion.

"Basically, I single out Flash because there is nothing the end-user can do to avoid the malicious behavior," explained Hardmeier in an e-mail. "Also, the behavior is not dependant on any sort of vulnerability or exploit -- the criminals are using built-in abilities in Flash, abilities that the end user cannot control or turn off."

Web site redirection can be done in a variety of ways and it has legitimate uses, such as sending Web users from a defunct site to a functioning one. In the wrong hands, however, it can be used to send people to sites where malware exploits await those with vulnerable systems.

Because most people try avoid such sites and the spammed Web links that try to send people there, malware authors have taken to putting pointers to their sites -- redirection commands -- into Flash ads. In theory, advertising networks should be able to detect redirect commands that send ad viewers to malicious sites.

But as Eckelberry pointed out in a blog post last November, ad network personnel often can't tell that ads contain redirection commands. And when they can, the destination site often looks innocuous until a specific time- or event-based trigger reveals malicious behavior.

"Unless and until Adobe gives end-users the ability to stop Flash from doing any more than displaying a composite of pretty pictures and sound and motion then, I am sorry to say, the only thing you can do if you want to avoid any risk of being redirected is to dump Flash -- if Flash is not installed on your system you will not be hijacked," said Hardmeier in her blog post.

Without specifically refuting Flash's alleged shortcomings, John Dowdell, an Adobe employee, responded to Hardmeier by arguing that the problem isn't just Flash. "I believe the core problem is actually larger: the execution of instructions from strangers -- the mashup culture -- this is the real issue here," he said in a blog post last Thursday. "The site owner accepted content from an ad network which did not fully vet its content providers. A .swf can redirect without a click, as can an IFRAME, an analytics script, or any other bit of third-party JavaScript. We need to trust the content we're integrating into our own Web pages."

Until someone figures out how to restore that trust, users may choose to take matters into their own hands, at the expense of untrustworthy and honorable marketers alike. "With more Web sites including third-party content, and with those third-party servers not providing transparency into their proprietary databases of your habits, it seems a reasonable defensive tactic to monitor and control the third-party requests your own browser makes," said Dowdell in a January 20 blog post. "Tools such as Adblock Plus, although controversial, do give you transparency into, and control over, the third-party requests that the world's Web pages make of your browser.

Adobe did not immediately respond to a request for comment.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.