Flash is secure.

I had recently posted about enterprises that block ActiveX content (and thus Flash), asking for real-world experiences of developers who had encountered such a practice. Needless to say, I didn't receive too many responses. The reason, I believe -- as I had suspected all along -- is that this is a myth. This is not to say that paranoid system administrators with far too much caffeine in their veins and too little understanding of Flash may not be implementing such policies. After all, there are still those who believe that Flash is nothing but a bloated vector animation tool (these misinformed individuals can usually be found on Slashdot, regurgitating ancient history as if it were breaking news).

The truth of the matter is this: Flash is secure.

I had a client ask me yesterday about this, and I found myself writing back my usual response about how Macromedia is very serious about security when it comes to the Flash player and explaining how sandbox security is implemented. I still found myself yearning for some empirical data to present. Well, here it is:

According to Secunia, the Flash player has had a total of 8 security advisories filed for versions 5, 6 and 7 (and their subversions) combined. Let us, for the moment, take the version 5 family to be historic (I know it is not and many systems still utilize it) and the version 7 family as cutting edge and focus rather on a version family that has been in existence for some time now: Flash 6. Look at the advisory graph for Macromedia Flash Player 6 and all sub-versions, showing only 2 reports:

[Chart: Security advisories for Macromedia Flash Player 6.x]

Let's compare this with another well-known application, Internet Explorer, and focus on version 6 of that product. For the same period, Secunia collected 38 security advisories for Internet Explorer 6 and has a total of 54 on file for all periods:

[Chart: Security advisories for Internet Explorer 6]

Isn't it ironic that Internet Explorer remains a cornerstone of the enterprise while security concerns are raised about the Flash Player?

"But," you may interject, "I have to run the Flash Player inside Internet Explorer!"

Of course, the answer to that is that you don't have to do any such silly thing. The Flash Player will happily run within Firefox, other Netscape and Mozilla-based browsers, Opera and even on Linux. For the same 2003-2004 period, Firefox received 4 security advisories for all its 0.x versions. You will notice a similarly low number of advisories for the various Mozilla versions.

[Chart: Security advisories for Firefox 0.x]

I can only conclude, based on these statistics and my personal experience over a period spanning more than half a decade, that the Flash Player is secure, and if you're really concerned about security you should stop using Internet Explorer and enjoy the interactivity and user experience of well-architected Flash applications and web sites in your Firefox browser.