This week's security theater woes surrounding Adobe's Flash platform have exposed an underlying problem affecting all browsers. The problem is that browsers use plug-ins in the first place.
The impetus for the use of plug-ins -- the kind that execute on websites, in contrast to browser extensions -- can be laid at the feet of Microsoft. About 15 years ago, Internet Explorer 6 and Windows XP were kings in the PC universe.
Microsoft had won.
Of course, Redmond stopped developing and improving IE6. A minor improvement in the form of IE7 took five years to show up.
IE8 -- another small improvement -- took them another three years.
Internet Explorer 6 was limited in what it could do. It really couldn't handle embedded data types other than static text. That deficiency created an opening for others to fill.
Adobe did best to fill the void with Flash. Flash allowed video and animations to be shown from a website. It was a cross-platform solution that users liked.
But if every user, no matter their machine or operating system, is running the same Flash player, that makes it a great attack surface that is inherently cross-platform.
Not all plug-ins will run on all operating systems.
Silverlight currently powers Netflix, though they have stated they are moving to HTML5. If you have a Linux box and want to look at Netflix, you are out of luck. Microsoft doesn't make a Linux Silverlight plug-in. If the plug-in writer has some exclusionary goal in mind, that can be accomplished by not porting that plug-in to a specific OS.
[Want to learn Web programming? Check out these 10 sites. ]
Plug-ins generally use Netscape Plugin Application Programming Interface (NPAPI) to communicate with the host browser. Like its alternative (ActiveX), it was not developed with security in mind. These APIs are not sandboxed, which implies isolating the running program thread from the system. This means that if attackers can break through the plug-in, then they can get access to everything else.
Mozilla admits that plug-ins are a legacy technology.
Further showing how far plug-ins have fallen out of favor as a technique, they haven't made it to mobile operating systems. The two most popular, Android and iOS, do not make use of them.
So, how can plug-ins be eliminated?
Most will admit that they are both a security and maintenance problem.
The full answer may come from the Web itself.
Web standards are evolving at a much faster rate than they were in 2001. HTML5 is coming along nicely, and has the functionality to replace Flash. HTML5 is extending itself to allow data protection of the viewed images through encrypted media extensions that allow a key exchange to enable viewing.
While it is tempting for some just to trash Flash, that is only a partial, knee-jerk reaction. True progress will come when content consumers demand better from those who create Web tools.