Adobe flash was shut down for security concerns, but why didn’t they just patch the security flaws?

402 viewsOtherTechnology

Adobe flash was shut down for security concerns, but why didn’t they just patch the security flaws?

In: Technology

11 Answers

Anonymous 0 Comments

They did, and then people would find new flaws, then those would get patched, then people would find new flaws.

adobe flash was a flawed system from the start, on top of the security issue it also didn’t have great performance and would crash. So despite adobe trying to keep it around, companies like Apple decided to switch away from it to better alternatives 

Anonymous 0 Comments

The idea of having a plugin that could run a wide variety of code on the client’s device was inherently problematic. Trying to preemptively patch any potential security flaws before they were discovered was a futile effort.

In addition, the needs for such plugins decreased. Modern web standards allow nearly all of what Flash could do in a modern way without the issues the Flash plugin faced.

Anonymous 0 Comments

In short, because bad actors would find new ones.

Maintenance costs money, and the software was first released in the mid-90s. At some point, you just have to sunset the system because for as long as it’s in widespread use, it’s going to remain a lucrative target for people to find new vulnerabilities to exploit.

Anonymous 0 Comments

They did. A lot, and then more were found, so they patched those, then more were found, so they patches those as well…..and then more were found.

Anonymous 0 Comments

It was inherent in the design of the system. It required a thing called a Netscape plugin, and plugins were basically removed from all browsers and replaced with safer “extensions”.

Flash required quite a lot of access to quite a lot of things that you didn’t want to give it in a modern secure era. The same way DOS let you do anything you liked to the machine in the old days, and everyone was “administrator” and able to trash their computer.

Flash protocols weren’t just for drawing shapes and animating them or (later) displaying movies… they were basically entire machines-within-the-machine, and plugins were a way for those machines to interact through your browser past many security restrictions (which didn’t exist at the time and we added them as we discovered the need for them).

Same reason Java-in-the-browser died. Java required a plugin, a browser with plugin capability, access to the filesystem from the browser, etc. So it died. Javascript (very different) doesn’t have that and survived in your browser.

Security is almost never a question of “just plug this hole in the dyke”. It’s usually far more about “we’ve designed this dyke to be inherently vulnerable to everything, it’s actually cheaper to knock the whole thing down, build it again and build it better than it would be try to keep fixing it”.

Netscape plugins were not “reinvented”. They died.

ActiveX was not reinvented or fixed or patched. It died. (fun fact: “Windows Update” used to be an ActiveX control in your browser that had full permission to literally upgrade all parts of your Windows machine).

Flash, Java, “toolbars in your browser”, etc. all died because the way they were designed, there was no possible way to “secure them” properly and they inherently allowed things that were dangerous.

They were replaced (and sometimes 3, 4 or more times over as we still got it wrong!) with things that basically didn’t allow you to do those things. Your websites cannot access your entire file system any more. Java and Flash allowed that! Your websites cannot just turn on your cameras and record your video any more. Browser permissions were introduced to stop that and the USER / BROWSER controls them, not the sites.

Java literally let you run network servers in the browser and talk over people’s internal networks. You can’t do that any more.

ActiveX was literally just a Windows program running in your browser talking to websites and was inherently vulnerable. (But then Microsoft also invented WMF graphics files which people later discovered were just full standard executable programs that can be modified into viruses).

And all of them, at some time or other, tried to “patch out the flaws” and secure them. And failed miserably, because the only way to make it secure was to stop things working, things that people were ALREADY reliant on, and thus it would just “break” Java, etc. So they kept patching it and then one day the browser manufacturers basically called time on it, because they were getting flak for people opening up huge holes in corporate networks with this junk.

And when you’re running in an actual secure environment? Turns out you CAN’T run Flash, you CAN’T run Java programs, you can’t use ActiveX and many things made with them just stop working.

Browser-based Java at the end had a control panel icon(!) just for configuring the security of Java because the browsers couldn’t control it, and everything was just happening on the local machine. It’s like having to have a Windows Settings app nowadays to secure your streaming video because the firewalls and browsers just let it do what it likes.

That all died when browsers enforced security and, to be honest, nothing of value was lost. People instead finally got with the programme, secured their shit, and made pretty animations in your browser in safe ways that didn’t require complete control of your PC at an administrative level.

Anonymous 0 Comments

Originally Flash filled the need for interactive graphical web applications that web browsers couldn’t do on their own.

Over time, web browsers got more features like Canvas which filled the same needs that Flash did and more, plus the added benefit that those features came built into your browser instead of needing a 3rd party add-on.

They probably *could* *have* patched Flash, but by that point more and more security flaws were popping up, and since there wasn’t really a need for it anymore, it was just better to phase it out.

Anonymous 0 Comments

In short, it wasn’t worth the trouble.

There’s a concept called “defense in depth” that is about adding several layers of defense instead of using a single “stronger” defense. Modern browsers use this extensively to isolate websites (so that one website that you’re browsing can’t “see” things from other websites) as well as to prevent security flaws from being exploited successfully (you see, even if a security flaw isn’t patched, if you have another layer of defense that blocks the attack, it’s almost the same as it not being there).

Flash presented a problem for this, as it was essentially a shortcut to circumvent everything that the browsers were doing. Every security flaw in Flash was *very* useful. That is one issue which was shared by other similar technologies, such as PDF readers inside browsers (which were all replaced for embedded readers).

But there were other problems. Apple rejected Flash on the iPhone for probably good reasons (battery life) and convenient reasons (avoiding competition to apps in the App Store where they get commissions). From a usability standpoint, Flash was not ready to adapt to screens of different sizes, touch navigation, and other things which became more important with the rising popularity of smartphones and tablets. Fixing all of this would require quite a bit of work, and Adobe was falling behind.

Steve Jobs published an open letter regarding this situation, “[Thoughts on Flash](https://web.archive.org/web/20100501010616/http://www.apple.com/hotnews/thoughts-on-flash/).” This is was the beginning of the end for Flash.

At the same time, web technology was being extended with many of the features that used to be exclusive to Flash (graphics, animations, video). During the 2000s, there was a lot of pressure for websites and developers to rely more on standardized technology instead of proprietary tech like Flash. Flash had poor integration and poor usability which would prevent browsers from optimizing the user experience in both battery life and security.

Flash kept falling behind until there was no reason to use it, and basically the only ones looking at it were criminals and attackers that kept finding new security holes. Browsers wanted to be done with it, which would mean that Adobe would have to create a Flash client so people would manually download animations. This was too cumbersome, and it would be better to simply move to web “native” animations (no Flash). Thus, *it wasn’t worth the trouble* to keep fixing it.

Anonymous 0 Comments

They patched it over and over for years and years. But like “program that lets anyone run any program on your computer“ is just always going to be unsafe forever. Just the whole concept is a bad idea

Anonymous 0 Comments

It was Adobe’s policy to only fix bugs if they get discovered.

It is really that simple. They refused to fix it internally before somebody would find the bugs.

There really isn’t more to add except if I’d search for a link, but I won’t do that.

Anonymous 0 Comments

Imagine you have a doggy door in your front door. You can lock your door, but things could still get in, you can’t really “patch” a doggy door while having it still remain functional as a doggy door. So eventually people just stopped putting doggy doors in because in the end it’s better to have to manually let your dog out than it is to have to deal with critters always coming in without your consent.

To patch flash to make it “secure” would make it unusable for people. So they just got rid of it for better solutions.