
Vulnerabilities / Threats

12/4/2020, 10:00 AM
Rotem Iram
Commentary

Flash Dies but Warning Signs Persist: A Eulogy for Tech's Terrible Security Precedent

Flash will be gone by the end of the year, but the ecosystem that allowed it to become a software security serial killer is ready to let it happen again.

Flash is finally dying at the end of this year, and it will not be missed.

Let me be direct: We should be happy that this software, one of the worst ever to plague our lives from a security perspective, is going away, and at the same time, Flash was not a fluke. Security has come a long way, but the ecosystem that allowed Flash to become a software security serial killer still exists and is ready to let it happen again. This time, the stakes are infinitely higher.

Everyone Knew Flash Was Bad
As they promised way back in July 2017, Adobe will stop distributing, updating, or issuing patches for Flash Player after Dec. 31. Across a seven-year rampage from 2010 to 2017, Flash affected 1 billion users, dishing up more than 1,500 critical vulnerabilities — peaking with nearly one new vulnerability reported every day in 2015. Flash continued to grow despite very vocal, very prominent critics. Grassroots movements like Occupy Flash were founded, and major players like Facebook and Mozilla called to retire Flash.


One towering figure in particular, Steve Jobs, took major aim at Flash. He had a complicated relationship with the software, initially embracing it, then becoming its biggest critic. In his infamous 2010 open letter, "Thoughts on Flash," Jobs outlined his decision to ban Flash from iOS devices and pointed out that Symantec had condemned Flash for its abysmal security track record.

By and large, everyone seemed to understand that Flash was a Big Problem. Yet Adobe faced no true downside from the havoc it wrought. There were no government fines, no lost future business — no real consequences at all. But the businesses that fell victim to Flash's security vulnerabilities suffered. And they still suffer.

Consider this: We're now close to the end of Flash, and 2.5% of Internet users still use it every day. From top tech execs to thousands of developers and engineers to hundreds of thousands of consumers, most are very aware in 2020 of how bad Flash is, yet some won't begin their Flash detox until its dying day.

In the end, Flash gets to retire gracefully when it should have been aggressively put to pasture years ago.

What Went Wrong?
In the early days of software, there was a lot to gain from releasing quickly and cheaply, and very little downside. Cybercrime was not a real threat. Software terms and conditions established that publishers could release untested software because it worked most of the time. Nobody gave much thought to liability over software failings. Updates and patches were promised and provided, yes, but nobody was held accountable for making sure they were installed properly, on time, or at all.

This worked really well for a very long time and supported incredible rates of technology innovation. Today however, software is more mature. The gains from new releases are small, yet cyberattacks are the most colossal risk to businesses. Software controls every part of a business, and holding it for ransom has become immensely valuable for criminals.

In other words, the precedent set long ago that allows vendors to release compromised software into the world with impunity is a major crack in the digital economy's foundation.

We Aren't Safe From Software Security Serial Killers
Flash caused an onslaught of damage even though it was limited to only one technology platform: Web browsing. Today, more businesses are online with more platforms and more devices. All of these systems are connected and often interdependent. The entirety of business today is online and digital — from financials to enterprise resource planning to customer relationship management. When everything is digital data, everything is at risk. As the complexity of software environments continues to grow, it becomes more difficult to prevent cyber-risk. And it doesn't help when the underlying software you buy becomes the Trojan horse.

None of this is theoretical. We know what happened with Flash and why. And yet creators continue to put software serial killers on the market and continue to avoid any significant consequences. Software companies aren't incentivized to protect their customers, whether the customer is a business or an individual. Why are we allowing this to happen? Clearly, everyone knows they have issues. Yet we continue to accept this as the way things are.

We should be outraged by software vendors' lack of action. More than that: we should be outraged that we have enabled them, just as we did Flash, for years and years.

Flash is nearly dead and good riddance, but at what cost to privacy and economic interests? Flash will live on in the terrible security precedent it helped perpetuate. And if we want to avoid another 10,000 Flashes, we cannot be complacent; we must acknowledge that we are complicit in the perpetuation of business-killing risk. Our decisions about which software to buy, which security settings to accept, and which upkeep to ignore make us complicit. We must demand better from those who have the power to determine our technological fates. And we must make better decisions about how we protect ourselves.

Rotem Iram is the Founder and CEO of cyber insurance company At-Bay. With nearly two decades of security and engineering experience, he previously served as a Managing Director and COO in the Cyber Security practice of K2 Intelligence, a leading global risk management firm, ...