Dear Adobe: It's time for security rehab

The stories about Adobe software keep coming, and the news hasn't been good. Critical bugs in Reader and Flash have come under real-world, zero-day attacks so many times in the past year that the exploits almost seem routine. Security researchers such as Mike Bailey, Dan Kaminsky and Jeremiah Grossman and Robert "RSnake" Hansen …

COMMENTS

  1. Matthew Anderson

    Name that quote

    Stand back boy! This calls for divine intervention!

  2. Rogerborg

    I'm puzzled

    How, exactly, does your charming dictat make money for Adobe? It's not like there's a viable alternative - at least if you want to actually serve content to customers. What's the downside for them if they don't fix it?

    1. Adam Salisbury
      FAIL

      Good thinking

      That kind of attitude is the perfect example of 'head in the sand' thinking, if Adobe don't fix their products then why should anyone bother with security? If your ultra-secure software is inevitably, as you suggest, going to be compromised then let's all just throw our firewalls, AV software and malware protection out the window, eh? That'll make us safer and breed some responsibility and accountability into us all won't it?

    2. Anonymous Coward

      I cannot believe that question has been asked!

      It should be glaringly obvious. So it's ok to say to your punters "Fuck you! This is what you are getting!" The downside to that approach, in case it isn't obvious, is to reply "Fuck you! We just won't use your product! It's not THAT good!". I do hope you are not in a position to direct policy for your employer! By following what is proposed in this "charming dictat" gives Adobe a leg to stand on when people like Jobs call them "lazy" and refuse to put Flash on their products. This not only applies to Flash, but Adobe's portfolio as a whole. In the 20 odd years that I have been using Adobe software, it has been getting progressively worse. Bad UI design, bloat and instability affects all their products. As for "making money"; Adobe's ridiculous pricing structure that is only beaten by Autodesk! You see, with 70-80 million purchases of devices that run iPhone OS worldwide, Apple have set a dangerous precedent; flash is entirely unnecessary for surfing the web. It would seem that people aren't bothered if Flash isn't present or not. That is possibly set to expand. Let's also not forget the growing popularity of plugins like FlashBlock for Firefox and Chrome and ClickToFlash for Mac. Adobe need a reality check, or at least time for Warnock to step aside.

      1. frank 3

        about to lose their enviable position

        Flash is bundled with many browsers by default. That kind of ubiquity is worth £Billions.

        If it's a big security hole (and it is increasingly problematic), then how long before MS, with a clear competing product in Silverlight, will tolerate Adobe making them look bad?

        Adobe. Have been going downhill since a sales guy displaced a tech. guy as CEO.

        'Snot just their plugins, installing CS3 was such a massive headache that we haven't bothered to update to CS4.

        And expensive.

        We pay more per year in the Adobe tax for 1 seat of graphics programs, than we pay to M$ for 10 OS seats + servers + 10 office seats + databases + 3 Visual Studio seats COMBINED.

        And I'm led to understand that open source is even cheaper!

        Adobe needs a competitor, and fast.

    3. Steven Knox
      WTF?

      I'm puzzled as to why you're puzzled

      "It's not like there's a viable alternative - at least if you want to actually serve content to customers."

      Really? There's about a billion or so free PDF readers and writers (the spec is open, so anyone can make one), and Silverlight and HTML5 to replace flash... I can't think of one Adobe product that doesn't have a viable (if not better) alternative.

    4. Anonymous Coward
      FAIL

      Ask GM & Chrysler

      Neither of them gave a hoot about quality and both went bankrupt. Toyota - which did care - was a small nothing of a company and is now the largest car company in the world. Soooooooo - if they want to stay in business they need to produce a good product.

    5. JoeTheAnnoying
      Thumb Down

      It prevents Adobe from losing money...

      To be blunt:

      - I run Firefox with FlashBlock and NoScript (on a Mac. Safari is crap. Sorry if that offends), and don't allow Flash to run, period

      - I use Apple Preview instead of Adobe Reader to read my PDFs

      - If I encounter a Web site that requires me to have Flash enabled (a refreshing few, fortunately), I send a polite e-mail to the vendor explaining that I will not be purchasing from them because I will not run Flash on the machine on which I do all my financial work

      So not only is Adobe not gaining any money from me, they're putatively losing money as I refuse to use vendors that require their software. As time goes on and these security holes become more (in)famous, I suspect more and more users will refuse to install Flash, and Adobe will face serious competition.

      So right now, only a few psychotic geeks like me refuse to run Flash. (Yeah, I ran 1000' of CAT 6 through the house instead of using wireless, too). As Adobe continues to ignore security, our numbers can only increase. At some point, Adobe will start losing serious money because of it.

  3. Velv
    FAIL

    Not just security

    In my experience Adobe products in general are shoddy. The security holes are just symptomatic of bad practice in the development cycle.

    Adobe - as the article says - go away and get your house in order. If you're worried about shareholder value, worry about what the stock's going to be worth when something like Flash spreads the next big virus or malware attack.

  4. Cameron Colley

    How about Mr Jobs stops being a twat...

    ...and allows Ogg/Theora as part of the HTML5 spec? It would also help if YouTube were to try and move away from the magical "free until 2016, then it's $1Million!" CODEC.

    We only need Flash because idiots won't look at open source solutions for HTML5.

    1. Michael C
      WTF?

      uninformed, ignorant.

      Mr Jobs has nothing to do (directly) with what the HTML spec does and does not include. Apple is a member of the coalition, and they submit technology and ideas, but they are but one member...

      Also, no one is claiming any costs for h.264 outside of the people who WRITE codecs, sell software including them, or manufacture devices with hardware h.264 decoding, and those that broadcast non-free TV content using the codec, and some broadcast websites that profit directly from the use of the codec.

      YouTube falls in a grey area, as there are no fees for accessing their content, however, they do profit from the advertising. This is covered under the provision for videos less than 12 minutes, for which there are no fees for "indirect revenue". Videos longer than 12 minutes cost 2% of the retail price to view, or 0.02 per year for indirect revenue viewing. However, the MAX annual fee, for an organization with a subscriber base in excess of 1,000,000+ users, the fee maxes out at $100,000 annually (0.10 per user per year). Entities with fewer than 100,000 subscribers pay NO FEES unless they direct charge for video viewing. When combinations of direct and indirect models are in use, fees max out at $5M per year regardless of number of subscribers, and those fees can not go up more than 10% from the previous year (if the cap was previously met). Anyone who makes no profit from these videos (they exist say for training, are on personal web sites (myspace), etc), no fees are paid.

      Additionally, there's a clause stating "the royalty shall be no more than the economic equivalent of royalties payable during the same time for free television."

      Use of H.264, for most people, will cost nothing. For major commercial sites like YouTube, $5M is NOTHING, they pay far more in other royalties and software costs every month, let alone annually.

      Between now and 2016 (which likely would be extended again, this is their 3rd extension without debate...) do you seriously think there might not be another viable alternative codec we'd migrate to if one came out completely free, and do you not think the MPEG LA would again extend the free term, and for those who were paying come up with fees low enough that switching to a free alternative would actually cost more?

      1. A J Stiles
        Stop

        Simple solution

        The Government give patents, and the Government can take them away.

        I'm sure there is a precedent for annulment of patents when it was in the national interest.

    2. MD Rackham

      No Guarantees with Ogg/Theora

      There is no guarantee that Ogg or Theora are unencumbered by patents. It costs serious money to research that and even then patent trolls pop up out of nowhere. So far there is no one using Ogg/Theora with any real money in their pockets so there is no reason for said trolls to tip their hand.

      As soon as an Apple or suchlike adopt it watch the patent lawsuits start flying. It's just better business sense to go with MPEG/LA as they are a known entity and all the major patent holders have been identified and have agreed to pool their interests. Much easier to negotiate with a single entity.

      Not to mention that Ogg/Theora is technologically well behind the curve.

      1. A J Stiles
        Alert

        Patents can be annulled

        Patents can be annulled, you know.

        Especially if they should never have been granted in the first place. A codec is a mathematical operation, which has no business being patented.

  5. Will

    Fully agree

    I'm fed up with on every machine I use I'm constantly bombarded to update what is only a pdf reader, why does something so mundane have so many holes that it needs almost constant security updates?

    I'd love to not have to use it at all

    1. Adam Salisbury
      Thumb Up

      Foxit

      Go and get Foxit PDF reader then, it's what I use when I want a PDF reader that isn't a fat bloated pile of w**k

      1. Charles 9

        I use PDFXchange myself.

        Pretty good at even the latest documents, has a few nice additional features, and no nagging.

    2. blackworx
      Pint

      Why?

      "why does something so mundane have so many holes that it needs almost constant security updates"

      Because the last piece of worthwhile dev on Acrobat happened over a decade ago, and Adobe have spent the intervening time adding nothing but soft, mushy bloat.

  6. Whitter

    An opportunity for Silverlight?

    Given that everyone's got Flash, and those with an opinion likely hate it for the "99% ads, 1% useful" ratio - do Microsoft have an opportunity to get Silverlight out and out? Granted, MS are hated too - but they are better at security.

    The platform won't stop the ads though...

    1. Trevor Pott o_O Gold badge
      Joke

      MS are hated too - but they are better at security.

      I demand you go back to the year 2000 and post this on the internet somewhere.

      The resultant shock and nerd rage would alter the timeline.

  7. Bilgepipe
    FAIL

    Absolutely Right(tm)

    Adobe has a security problem on the scale of Microsoft's back in the even-worse old days. As long as they keep denying it the exploits will keep coming.

    As for Flash, they'd be better served just dropping it altogether, it's had its day. No-one needs it any more. But if they do end up repairing it, how about getting shot of those long-term cookies while they are at it?

    1. Disco-Legend-Zeke
      FAIL

      Time for...

      ...a class action suit.

      Only money gets the attention of bean counters.

  8. Eddie Edwards
    Joke

    Slight difference with Toyota

    I'm on my computer ... and I'm running IE8 and Flash has opened a security hole ... the close window button isn't working ... it's opening pr0n all over the screen ... hold on ... hold on and pray ... pray

    1. Adam Salisbury
      FAIL

      Bad publicity...

      ...Made worse by idiot drivers who don't bother to learn enough to know you don't need prayer and police to stop a car with a jammed accelerator, someone with a brain would've taken it out of gear and saved themselves the brown trousers, god bless merkia I guess

  9. SynnerCal
    Megaphone

    This article is spot-on

    Excellent article - well done, now I hope that all at Adobe HQ are reading it, (hence the icon choice). I'm surely not the only one that's quite uneasy with the barrage of criticism levelled at Flash/Shockwave? And if I'm typical then surely this is a threat to Adobe's earnings potential - something that I would have thought the shareholders etc would be more worried about than any investment in security, (which can easily be spun into some positive PR).

    I suspect that - like most tech - Flash was okay to start with, but as the marketing folks have had more and more "features" added, the code quality has gone down. But what are the alternatives - only one I can see is Silverlight - and that's from a company that's, ahem, not exactly got a stellar reputation for black-hat proof coding to date, (no MS bashing intended - at least they're trying to improve).

    Given the problems and Adobe bosses' apparent unwillingness to fix them, what are Joe/Jane Public to do? Only thing I can see is to use Flash blockers like AdBlock+ et al until Adobe 'wake up and smell the coffee'. Not a good situation to be in.

    1. Charles 9

      And what happens when...

      ...Joe/Jane Public realize that their favorite site(s) (with no alternatives) REQUIRE Flash to run? With no alternatives, they can't walk away, and it's their favorite site, so they can't ignore it.

  10. The Original Ash

    Is it their fault?

    How is their browser plugin allowed to run with permissions that affect events outside of the browser? Why isn't there a "you're not getting out" sandbox around the whole thing?

    No doubt that they're responsible for the rubbish coding of their plugin, but shouldn't there be some shared blame for the fact that the plugin has enough privilege granted to it to be able to crash / exploit applications outside of itself?

  11. Chris Gray 1
    Stop

    Flash inherently unsafe?

    I took flash off of my Linux box a while ago, but ended up putting it back on because it is so heavily used. It clearly needs fixing.

    But, I don't think it's just a matter of fixing bugs. To my mind, the main problem with it is that it is deliberately going around all restrictions that its hosting environment (usually a browser) might want to put around it. Firefox, for example, lets you control some of the things that JavaScript can do. Where are the controls for what Flash can do? Various versions give you a little bit of control, like turning off access to a camera or microphone. How do I stop it from doing *any* file system access whatsoever? I don't care if it burns CPU - I want it to have no access to anything I care about. But, I doubt Adobe would ever do that, because they *want* it to bypass any protections the browser might try to put in its way. About all that a browser could do would be to put the Flash engine into a very solid OS-supported sandbox. Until Adobe puts reasonable restrictions on it, that's what browser developers should do. At least make that an option!

    I have no problem with Flash being a way to play videos and to implement platform-independent games. I doubt I'll ever want to allow it to do anything else, so please, someone, give me a tool that lets me prevent it from doing more. And yes, in an open source world, I could get the source to Firefox and do it myself. However, I'm already working hard on my own to-be-open-source project, and the current Firefox developers could do it much faster and more reliably.

    1. MyHeadIsSpinning
      Thumb Up

      @ Chris Gray

      No Script

  12. Peter Kay

    Sensible article, silly timescales

    I agree almost entirely with the article, except for the part about suspending development. How many drugs is the writer currently on?

    It may be true that Silverlight is hardly beating Flash at the moment, but the last thing Adobe (or in fact anyone sensible) will do is give away a lead to a competitor.

    Yes, fix the security problems, but also move the software forward at the same time.

    1. Tom 35
      Thumb Down

      That's how they got into this mess...

      "Yes, fix the security problems, but also move the software forward at the same time."

      Stick more duck tape and bubble gum on the security problems and hack some more "features" into the code to keep the knobs in marketing happy? No.

      If they rebuild it with security and portable code from the ground up then they will have some useful features to list on the box. Like Smaller, Faster, Secure. Then maybe they can get it onto the assorted iThings.

  13. Anonymous Coward
    Thumb Down

    Therein lies the problem with software.

    With a life-threatening device like a car or home electrical appliance, there are national and international bodies that oversee the practices of members.

    What have we got with software? ISO standards on certain things, but no body ensures its members adhere to basic checks and standards. Nothing stopping any one of us setting up shop as a software vendor and flogging software to anyone, with no warranty other than maybe a basic agreement about fitness for purpose to stop you getting dragged through the courts if it blows up.

  14. Anonymous Coward

    Meh

    It isn't all adobe's fault; a large part is that after decades micros~1 still haven't mastered this sandboxing thing that any multiuser system must have lest it crash and burn every day. Which micros~1 products duly do, and the things running on top do too.

    On the shinier but equally dark side there's the minor issue of adobe refusing to provide flash for too many platforms and forbidding others from doing the same. This is amazingly bad not just for those weirdo non-windows-users (with systems that do sport proper sandboxing and thus suffer a lot less from adobe's software's security problems), but also for archiving websites. It means the canned user experience will go bad that much sooner when stored.

    So for all I care flash dies a fiery death and gets replaced by something with a good and stable open specification behind it. What that'll do to all people and companies already committed to flash, well, they could've chosen not to go down the dark alley in the first place.

    On the gripping hand, silverlight goeth a long way but isn't practicable seeing how they're clearly trying to run moonlight into the ground with spec updates, ensuring the thing gets too complex to duplicate soonest. So we'll turn to HTML5 first.

  15. James Hughes 1

    Toyota Prius

    AFAIK, The Prius has NOT been recalled as you stated in your article. In fact the 'fault' doesn't even appear to be a safety issue - more a driver issue where, when the ABS kicks in, it doesn't feel 'right' (because of the hybrid system it has a different feel to a normal ABS system).

    Bit of a storm in a teacup I think, although exacerbated by the frenzied media, reporting it as a safety issue, when at this stage IT ISN'T.

    Don't have a Prius, just a sense of proportion.

    1. Bilgepipe

      The Clash

      The Prius has a "software clash" between the braking system and the regenerative braking system, as admitted by Toyota. The problem can be overcome by "braking harder." (A symptom of letting a computer control the brakes, I suppose - that can only end badly)

      I think you'll find a recall is probably imminent.

  16. Anonymous South African Coward Silver badge
    Terminator

    give them a taste of their own medicine

    Has anybody considered launching an attack against Adobe itself? What's good for the goose, must also be good for the gander.

    Maybe then they'll change their tune.

    Besides that, they need to take a serious look at reducing bloat with their applications. If open-source tools are leaner and better, then surely the same can apply to Adobe?

    Gotta uninstall the bloated v8 reader soon...

    terminator... because they're gonna get terminated

  17. zenkaon

    Bring on html5

    Really like the Canvas part of html5, no need for a plugin. Now if they can just agree on a codec.....

  18. jake Silver badge

    "Adobe needs to follow suit. Now."

    Why? Just let 'em drill themselves into obscurity ...

    Seriously, who, with a clue, allows anything Adobe on systems that matter?

    The sheeple will figure it out, eventually (I hope!), but none of my clients have issues with Adobe ... for the simple reason that they don't allow Adobe software on their hardware.

    Paraphrasing, "It hurts when I do this!" ... Answer "Then don't do that!"

    How hard is it?

  19. Nick Ryan

    Less bloat would be good too...

    Less bloat would be good too... Acrobat used to be a document *reader*. Now it's a security nightmare sub-system in its own right. Quite how it's expanded from a small, light document reader to a 37MB exercise in bloat and inefficiency is another good question to ask as well.

  20. Pavlovs well trained dog
    Thumb Up

    Brilliant

    Hallelujah Amen to this

    Flash, in its current incarnation is shyte - but that doesn't mean it can't be good.

    Let's hope they do something about it

  21. joe_bruin

    spaghetti code

    Adobe can't even get a 64-bit version of the software out, their Linux port is barely functional, their Mac port is woefully behind the Windows version in performance, and security holes abound. This has been true for years and is not getting any better.

    My best guess is that the Flash codebase is such an utter mess that Adobe can't do a thing with it. They're just scrambling to patch the leaks and keep it running on current platforms. They can't admit this, of course, but given that they're unable to make headway on any of the issues plaguing their most popular product, they don't have to. If this is the situation, you can expect it never to improve until a complete rewrite of the software takes place. If Adobe is currently doing this, they should be up front about it and give us a deadline for the fix. If they are not then the future of Flash is behind it.

  22. herbland
    Stop

    One problem

    This is a sensible business approach that would benefit the long term health of the company, not short term gain of shareholders......not very likely then.

    1. Anonymous Coward

      And herein lies the problem...

      The economic culture today is that of a betting-shop! If, in the longer term, Adobe don't shore up their security problems, amongst other things, there will be NO BUSINESS to invest in! If, as a shareholder, you don't like this, DON'T INVEST! Investing isn't a short term license to print money! For a business to grow, it needs to look to the long term. Sensible investors (Warren Buffett for example) look at the long term prospects for a business above anything else. Besides, the most important people to a business aren't its shareholders, rather it's their customers. No customers, no business. It really is that simple. It's fast becoming a new meme in these sorts of threads; "Won't somebody think of the poor shareholders?!"

      1. Disco-Legend-Zeke
        FAIL

        Investors...

        ...are the people and institutions that buy stock at the IPO. Their money flows into the corporation to capitalize whatever.

        Buying stock after that is merely betting, just like a horse race. Worse, the stockholders pressure management for more profits with performance based rewards.

        Once profits have been maximized by better planning and more efficient production, all that's left is screwing people.

  23. Keith T
    Grenade

    Adobe desperately needs to work on security and bugs

    Adobe really needs to focus on security and bugs, followed by efficiency.

    Its products have become so problematic I wish they did not have such a high usership so I could leave them off my computers.

    Hopefully webmasters and content authors will start using the alternatives (I hold out little hope for Adobe to turn itself around).

  24. Anonymous Coward

    Agree

    [AGREE]

    Indeed I do. Adobe seem to be the main focus for hack-attacks these days, what with later versions of Windows being somewhat more secure than their predecessors. They should definitely think about taking some time to get their house in order - a lot of people already block Flash and most would gladly replace Adobe Reader.

    [/AGREE]

  25. Stu 18
    FAIL

    adobe features don't work let alone security

    Never mind security, we've had years of acrobat full version and readers that break backward compatibility, throw in third-party crapware on install and now have a footprint of similar size to Donald Trump's greenhouse one. Kick them while they're down I say, since the lowly 'users' can never pass on our frustrations normally. Funny that, always takes a crisis for companies to suddenly get all humble and back 'in touch' with the customer.

  26. ForthIsNotDead
    FAIL

    While they're at it...

    Perhaps they could shave, oh, I dunno, about 9 10ths off the size of the memory footprint, and make it load a bit faster.

    You know, like Foxit reader does?

  27. lucmars

    it's too late

    Everybody got it, like everybody get Windows. So, why would Adobe do something?

  28. Chris Bradshaw

    Analogy closer to home..

    "if there was such a widespread problem historically Flash could not have achieved its wide use today." As if the Ford Pinto, Chevy Corvair, or indeed the Toyota Camry didn't gain popular acceptance as well.

    And I guess he also feels Microsoft could never have achieved wide use of Windows with any frequent crash problems (BSOD, anyone?)...

  29. Stu
    Thumb Up

    @Dan Goodin

    Hear hear.

    I think that's about the best thing I think I've ever read of yours, but I confess I didn't read it all - just the bits about Adobe getting their house in order.

    You're absolutely correct on the Flash front, but Mr *smartly dressed* Jobs is just as Guilty not letting Flash on his mobile platforms - if it were, it would result in some disappearing profit from his AppStore.

    All in all though, I'm glad it's not on the iPhone or going to be on the iPad, it's just a happy coincidence for Jobsey that it would drain the phone/pad battery and slow it to a crawl, AND open it up to virus/trojan attack. Oh, and . . . .

    "This Jen . . . is the internet"

    -(IT Crowd reference - directed towards all the Adobe flash applet developers of the world, and the people responsible for its creation).

    1. Anonymous Coward

      "it would result in some disappearing profit from his AppStore"

      App store isn't a profit centre. It runs just over break even. Yes, there is a small profit, but it seems to be more of a happy coincidence, much like the iTunes store. The App store exists to sell iPhone OS devices - if it needed to, Apple would run it as a loss leader. Your claim really falls down when one considers that originally 3rd party apps for the iPhone were to be delivered as web apps! For instance, Google have released Voice for the iPhone as a web app! This completely circumvents the Apps Store and the nefarious approval process! I do understand that the facts present a much less scandalous version...

  30. Jamie Kitson

    Popular Acceptance

    Or Windows for that matter.

  31. Howard Cole
    Megaphone

    Flash Bang!

    Agree with the article, and also the perception of Joe Bruin - the codebase is probably so shockingly bad now that it is a nightmare to maintain.

    I have seen this so often in the past. A large codebase is not properly managed. The original team that developed the software moves on as they see the project turn to mud. They get lots of junior programmers fresh out of college to implement hacks. Not their fault - they have no option but to build shit upon shit. Eventually even the smallest of changes just further corrupts the codebase. Any original design gets lost or smothered in tweaks. I suspect there are a few old-hackers who "know" the software and are the only ones capable of making any changes to the software now.

    A mess. They need a rewrite - from scratch. I doubt that they can re-write parts of it because it is probably a mess of interwoven dependencies that no one can untangle. We know it - they know it. But will they do it? It needs a brave decision from someone at the top.

    If they don't then I can see flash losing its dominance to Silverlight and HTML5. It's your last chance Adobe!

  32. Anonymous Coward
    Joke

    To make things easier to handle, Adobe could...

    ... split the company up into two separate companies.

    Adobe could handle the fixes to acrobat.

    The other company could handle the fixes to Flash.

    All that remains is to name that company.

    I suggest something completely unrelated... hmm... how about Macromedia?

    Yeah, Macromedia is a good name. Perhaps they could remain separate and compete with the parent company, Adobe? - then we'd actually have some competition in the marketplace...

    1. Mike Flugennock

      name the company?

      How about "Dried Mud Software Corporation"?

  33. Jacqui Smith's DVD Collection!
    Alert

    Sooo El Reg...

    The question is... When will you stop using Flash for adverts on your site?

  34. Harry
    Stop

    "it is so heavily used. "

    Yes, but rarely to the benefit of the end user. Mostly, flash conveys adverts, unnecessary annoyances which distract from the written material the user is trying to read and the output of idiot web designers that have used flash for a button where a static image ought to have been used instead.

    Firefox and flashblock circumvents most of the above. It's not obvious why *everybody* doesn't install firefox and flashblock, making *most* of the problem go away (and, ultimately, forcing idiot web designers to redesign their pages using pure HTML only).

    1. Mike Flugennock
      Thumb Up

      Hear, hear, Harry!

      I was an early-adopting Web designer (I started out in print, that's how much of a geezer I am) about fifteen years ago when Flash first emerged; while everybody else in the design department was going all ga-ga over the product demos, my first thought was, "oh, fucking great; here come the Banner Ads From Hell."

      Turned out I was right. Add to that the fact that more and more sites these days force me to go into my Flashblock controls and add that site to the whitelist just so I can navigate and view their content, and I'm wishing the Web would knock off the bullshit and get back to the goddamn' roots, already.

      C'mon, HTML5... anytime you're ready...!

  35. Psymon

    hear hear!

    I've done a great deal of work on locked down environments, such as schools, call centres and prisons, where the end desktop is a terminal, set up to perform an explicit set of finite tasks. That means you have to completely lock down all security settings, so that the user cannot change or introduce anything to the system.

    Most people assume the most obvious reason to do this is to prevent some user doing something untoward, and that certainly is an important factor, but the main reason is actually the sheer ratio of users to IT support staff. With the vast suite of machines set up identically and unchangeable by the user, you introduce consistency and reliability.

    But I digress

    It's in these environments, you start to discover the dirty little secrets of 3rd party software, and any sysadmin that's done this type of work will tell you that Adobe products have always been a pain in the proverbial.

    It's not just bad coding practice that's prevalent in Adobe and their ilk, but bad program behaviour. You see, the NT series of windows was originally designed to be run in this manner (the end user running with USER rights), and despite what the ranting fanbois and trolls may say, is pretty good at it.

    Right up until you install an Adobe or Apple product (or any from a pretty big list), and discover it doesn't work with all the major elements of the windows system locked away.

    Stupid things like storing log files in the windows folder, or assuming your software has automatic write access to its own program files folder. It's lazy programming practices like that that mean we are all running windows as admins.

    Maybe Microsoft should have taken a harder stance on the matter, a la Apple, and forced badly written software to break. They did make a small step in the right direction when they added the UAC to Vista, but these standards and protocols have all been part of the NT system right from the start, and have all been extremely well documented.

    At the end of the day, if you're going to write software to run on Windows, then make it Windows compliant. It's not brain surgery. Then maybe, we can all enjoy a more secure, reliable desktop environment.

  36. Hi Wreck
    Go

    One word

    Flashblock

    :-)

    You are running a real browser right?

  37. Chris Gray 1
    Unhappy

    @MyHeadIsSpinning

    I've had Flashblock for ages. Added NoScript now. However, I don't see that it prevents allowed Flash from doing things. Flash internally has "ActionScript" or whatever they call it, that is based on JavaScript, but it is Adobe's own engine and so will not be affected by NoScript. At least, that's my understanding.

  38. Carl 5
    Thumb Up

    The right idea

    Some years back, I managed the engineering for a software product which was experiencing a crisis of reliability. The best decision that we ever made was to focus exclusively on those reliability problems for an entire year, prohibiting any new features until we had quality under control. That intense focus helped the entire team to concentrate and achieve great progress.

    It's painful, yes. But if you want to keep your customers, they have to know that you're in it for the long haul, and listening to their concerns.

    The product I worked on, by the way, is still leading its particular market - many years later. The year we took to fix the problems has faded into a minor footnote of history.

    1. Paul RND*1000

      Great idea but will they ever do it?

      Like all the other major software companies, they seem far too obsessed with squeezing a constant stream of fancy-ass new features into Reader and Flash to bother with such distractions as security or reliability.

      But they really need to do what you said. Product bling and spokesperson spin aren't going to cut it any more, time for Adobe to focus on fixing their problems. I just don't see them being willing to do that.

  39. Timo
    Unhappy

    Foxit is the answer????

    So upon seeing all of the recommendations for Foxit, I promptly went and downloaded it. Nice. But those bastards dropped all kinds of "eBay" links on my computer. Not sure if I trust them now either.

    And the Foxit installer wanted to load yet another "toolbar". All I want to do is view PDFs, today, without delay, FFS!!!!!!

    1. Paul RND*1000

      The moral here is...

      ...never, ever trust an installer package. Assume that they'll try to do something you'd rather they didn't.

      There's some good free-as-in-beer software for Windows, Foxit being an example. But you do have to treat it all with some suspicion. Use the custom install options and carefully examine what the installer is about to do. "Typical install" + blindly clicking on "Next" will catch you out.

      Hell, even Sun's Java installer/updater tries to force the Yahoo toolbar on you these days.

      I know they're just trying to earn some affiliate money, but I'll be tarred and feathered before they earn it by screwing with my computer!

    2. Anonymous Coward
      Anonymous Coward

      Try Sumatra...

      It doesn't get much lighter-weight! Either that or Evince from the Gnome project has a Windows version.

      http://blog.kowalczyk.info/software/sumatrapdf/index.html

      http://live.gnome.org/Evince/Downloads (Windows is the last option)

    3. Mike Flugennock

      I just want to view the goddamn' document...

      I'm still looking for a lean, mean, simple and elegant PDF reader for MacOS.

      In the meantime, though -- luckily -- Apple includes a simple, bare-bones PDF viewer/printer with OSX. All it does is view and print PDF documents -- it doesn't run scripts or handle any other fancy bullshit, it just cracks open and displays PDFs.

      I can't remember the last time I've used Adobe's Reader to open a PDF. Even if it's just a simple InDesign layout exported to PDF, the Adobe Reader takes forfuckingever to just launch itself, let alone actually open the document. Screw it.

  40. Anonymous Coward
    WTF?

    lack of understanding

    The article and some of the people commenting on Adobe's security lack a basic understanding of how the reported vulnerability works.

    The text describing the technique is based on Flash, however the logic behind it is not Adobe-specific. Please read something carefully before commenting and ask someone who can understand before going ballistic about it.

    If Apple said something about Adobe, be sure they have 1 million other reasons to do so besides security.

  41. A J Stiles
    FAIL

    Screw Adobe

    Screw Adobe and the bike they rode in on.

    I can already read and create PDFs with Open Source software, and I wouldn't arse up my photos any less badly with Photoshop than I already do with the GIMP.

    All that's needed now, is for someone with a bit of money to sponsor development of a genuine Open Source alternative to the Adobe Flash player.

    It'd be really nice if that was Google, because they own YouTube -- which is probably the main reason anybody downloads Flash player in the first place, so the Open Source Flash alternative would be sure to work with it ..... but frankly, I'm not fussed as long as I get the Source Code.

    1. Anonymous Coward
      Thumb Down

      Adobe Forms

      @A J Stiles

      NONE of the current Open Source applications can deal with Adobe Forms. Yes, Ghostscript and OOo can make nice pretty PDF output files and OOo can semi-sort-of import PDF documents, but nothing in the *nix world can open a PDF Form, fill in some fields, save the form, open it again later and update or fill in more fields etc. etc. etc. Sadly I work in a world that revolves around use of PDF Forms so I'm stuck using Windows regardless.

      A Google-written Flash-alike? I trust Google even less than I trust Microsoft.

      1. A J Stiles

        Google Flash-alike

        Any Flash player replacement would, of course, have to be Open Source.

        I don't trust Google, but I trust the experts at my preferred distro.

        As for the PDF forms; never had to bother with them, but I'm keeping a watchful eye out. If Okular gets it first then Evince will follow soon, and vice-versa. The adversarial relationship between the KDE and GNOME camps benefits everyone who can be bothered installing two sets of libraries .....

  42. Anonymous Coward
    Anonymous Coward

    Well Done!

    Let's hope Adobe learns the lesson of Microsoft, and starts taking security seriously. Adobe makes one of the most expensive consumer/professional software on the market. In recent years, these products were slow to ship and not equal across platforms. Add in the Flash and Acrobat Reader security holes and we have a company that is clearly resting on its laurels.

    Will 2011 be the year that HTML 5 and alternative PDF viewers start eating up Adobe's browser and document dominance? If 2010 is the "Year of the Adobe Hack," I'd say Yes.

  43. David 45

    PC says "ouch"

    Never have been a fan of Flash. Seems to send processor usage sky high. I use one of my older machines for internet radio but one particular station's Flash-based interface very nearly brings it to its knees. Unfortunately, if I want to listen, I have no choice.

  44. Flybert
    Stop

    not fair to Toyota to compare

    The rate of Toyota autos actually experiencing problems is about 20,000 of over 20,000,000, or less than 1 in 1000, and the vast majority of those instances aren't causing injury nor damage.

    If there are security design flaws in Flash, that's like what ? .. 1 billion out of 1 billion defect rate ?

  45. James Katt

    Flash is like the Floppy Disk - Get rid of it.

    I block Flash using Click-to-Flash so that I only have to activate it when needed for specific areas of a webpage. The other areas - such as Flash ads - I leave completely blocked. Thus if advertisers want to reach me, they will have to use HTML 5, CSS, Javascript, Ajax, and H.264.

    Flash sucks. Flash causes almost all the crashes on my computer. Flash makes my computer hugely less secure to hackers.

    Flash is dead like the Floppy disk.

  46. jweb
    Unhappy

    When did you ever write anything good about Adobe

    I am sorry but The Register has never written anything worthy of Adobe. Besides - what metric are you comparing Flash to? Name a single technology that has the same basic capabilities that is more efficient? There are none.

    People see right through your bias. I doubt you will even print this.

    1. Anonymous Coward
      Anonymous Coward

      Look at the site Header.

      Top right, what does it say? That's right, "Biting the hand that feeds IT" (it's a 'clever' play on words.) and the one thing you cannot accuse El Reg of is bias towards anyone! There is history with Apple; they didn't invite them to a party or something, but by and large they mock EVERYONE. Adobe asked for this one. Ever since the iPad was announced they have been whining about mean old Apple. Then this shows up. Who'd have thunk that it'd be Microsoft that, in a roundabout way, added substance to Apple's argument?! Let's not forget that Mozilla have disabled support for Flash in the Maemo version of Firefox because, and I quote “The Adobe Flash plugin used on many sites degraded the performance of the browser to the point where it didn’t meet Mozilla’s standards.” Like it or not, Jobs has a point -- Adobe ARE lazy...

    2. jake Silver badge

      @jweb

      "The Register has never written anything worthy of Adobe"

      When did Adobe ever do anything worthy of writing positive articles about?

      In the current context, what good is Flash in the great scheme of things? From my perspective, all it does is shove advertisements in my face when I'm looking for information on something completely different. I'll never click on anything delivered via Flash, so Flash is a waste of my bandwidth, and the bandwidth of the advertiser. Just to save both of us a little time/money, I block Flash with a little help from Flashblock. Win-win, right? And Adobe's usefulness is ... what, exactly? Other than employing so-called "content providers"?

  47. Wibble
    Flame

    Greed. Not good.

    Ever since Adobe swallowed Macromedia, they've jacked up prices, forced upgrades and done so very little for it. The only reason for upgrading was that operating systems change, e.g. Apple moving to Intel meant upgrading from Macromedia Studio 8 to CS4. Given that this was 4 complete generations, there's hardly anything aside from the re-compile to show for it. For goodness sake, it makes Microsoft's Office upgrades look like true innovation and real value for money:-(

    All Adobe appear to be interested in is money. Everything in this article rings true. Adobe utterly deserve the shit-storm that Jobs -- and Microsoft for that matter -- has smitten upon them.

    Adobe; you've got a golden chance to clean up your act. Either take it, or suffer the consequences.

    IMHO I don't know which I hate most: bankers taking their bonuses after being underwritten by taxpayers; or the havoc that Adobe wreaks upon the web industry.

    Quite why there's no real competition for Adobe is a real mystery. Does Adobe fall foul of the anti-trust regulations?

  48. DZ-Jay

    Re: lack of understanding

    @AC:

    I agree with Anonymous Coward here. Although the latest exploits announced were triggered by vulnerabilities in Flash, they expose underlying flaws in the security mechanisms of ASLR and DEP. This makes the bugs in Flash, at most, incidental in the overall security scheme of Windows (and other platforms that rely on ASLR or DEP for protection from unauthorised code execution).

    To say that Flash is the biggest threat in this regard is missing the point: Two of the most promising and popular last-ditch security protections (sometimes implemented in the hardware itself) have now been proven to be ineffectual to some very narrow attack vectors. The fact that these flaws were exploited with Flash is of no consequence--they are now known to be there and fully understood, which extends the risk surface of personal computers in general.

    One more thing: Although I agree with the overall sentiment of Mr. Goodin's article--that Adobe should endeavor to focus on securing its roster of applications and include security as a mainstay of their development practices--I disagree with its tone. In particular, I take exception to Mr. Goodin's tendency of directly comparing the risks of physical defects on vehicles to software security vulnerabilities: it is sensationalist, and may attract more page views, but it overstates the latter and trivialises the former. An insufficiently secured application may result in embarrassment or inconvenience, and at most impose an economic burden on the victim; while a broken accelerator pedal will kill you.

    -dZ.

  49. Sureo

    Can someone explain why...

    Can someone with more knowledge of the MACOS explain why bugs in Flash crash the OS?

    As an aside I run WINXP and WIN7 here and Flash has never crashed the OS, nor has it ever crashed Firefox. Just wondering.

    1. Anonymous Coward
      Anonymous Coward

      They Don't...

      They crash the app. Up until 10.6, Flash could make the browser become unresponsive, effectively locking up the OS until the process was killed. Since the Safari 4 upgrade, all plugins are sandboxed, Flash seems to not have such an effect, however it is still prone to randomly falling over. This is also true of Chrome. Windows has a different problem with Flash, and typically it's a security based issue where Flash can render ASLR and DEP utterly pointless. As for Flash not crashing your browsers, I guess you've been lucky; it's happened to me plenty of times on XP and Vista.

  50. Mike Flugennock
    FAIL

    "...achieved its wide use..."??

    Achieved its wide shoving-down-peoples'-throats, more like.

  51. JMD
    Flame

    Just uninstall Flash, it's a plug-in...

    It might sound suicidal for a Flash designer and developer to invite people to uninstall the plug-in with which I have earned a living for the past 10 years.

    The bottom line is that Flash is a plug-in and that it can easily be removed from your computer. Adobe provides an uninstaller to do so. End of story. Problem solved. Your Windows machine will therefore be safe. Those annoying Flash ads will be no more. You can be proud to support open standards...

    But calling designers and developers idiots for using Flash over images, HTML, CSS and JavaScript is, at best, narrow minded. Flash would not be where it is today if it wasn't for, and this is a non exhaustive list, the huge discrepancies in rendering by the major browsers, the limitations of the languages, the ever-rising expectations in user experiences, the need for maximum ROI by clients, advertisers and marketers. I am not going to touch on the fact that Flash goes way beyond the browser, which will soon include the Apple App Store.

    You can turn off images and JavaScript, overwrite CSS and uninstall Flash to completely remove distractions "from the written material the user is trying to read". But internet users do more than read. They watch videos, play games, want to interact with the content and others.

    Online games developers rely on Flash's performance and ubiquity. Video content delivery networks have elected Flash because it offers 98% market penetration. RIA and UGC platforms use Flash because they can shift most of the processing on the user's computer while protecting their code IP. To avoid the OS and Browser rendering issues content providers turn to Flash for its consistent rendering.

    Sites you may be reading often rely on ads to generate revenues. Sure you could use a static jpg or an animated gif to deliver content. But Flash allows marketers to maximize that investment by delivering 10x the amount of content possible with a gif within the same file size limitation. You would be amazed at the amount of content that can be squeezed into a 35kb banner ad. That's without mention of the video, animation and interactivity capabilities.

    There are always going to be bad designers and bad developers but this is not unique to the Flash Platform.

    Saying that Adobe is in for the money is a pleonasm. Adobe is a publicly traded corporation and the bottom line is dividends. Now rise above the flame wars and over-simplistic propaganda and you will see that Flash, images, HTML and CSS are just tools to deliver formatted content online. Finally, HTML5 is a Flash killer like the Zune was an iPod killer and the Palm Pre an iPhone killer.

  52. ukdeluded

    iPhone and iPad complaints?!

    I notice that numerous articles complain about the lack of Flash support on the iPhone and iPad, and as an iPhone user I can agree that not having Flash can be a real bugger, but this article suggests that Mr Jobs is correct in not allowing Flash onto these platforms until Adobe cleans up its act and releases a good version without all the issues.

    On the one hand we criticise Jobs for his stance, on the other, we criticise Adobe for releasing buggy rubbish, and hope that someone forces everyone into the brave new flash free world. Can't have it both ways, so are we saying iPad and iPhone are right not to allow Flash for now, or are we saying allow it and we'll deal with the crashes, security issues, and so on?!

  53. Anonymous Coward
    Anonymous Coward

    Bottom line:

    Macromedia didn't care about code quality (or user interface quality - Flash is by far the worst UI I've ever used), and when Adobe bought them out they probably got a shock when they looked at the code.

    Flash, as a program, is probably a write-off to anyone that wants to fix it - that is, it would be cheaper to re-write from scratch. But what was the point of buying it, then? Adobe will need a lot of pushing to admit that the buy out was a total waste of money. Perhaps Apple can push that hard, perhaps not. The iPhone isn't that big a deal, really, and becoming less so every day. The iPad is a joke and dead in the water.

    Now, if Apple produced anything resembling a rival GUI kit and released it for the PC too (and Linux, ho ho - fat chance), THAT might make Adobe sit up and do something about it. But by then it would probably be too late for Flash. And good riddance.
