Re: FINALY
Flash? Maybe. But why bother attacking Flash? The numerous opportunities offered by HTML 5 and JavaScript must surely be very tempting.
Every time anyone does a new execution environment it takes years and years before all the bugs get ironed out. OSes aren't bad now, but they're still finding problems 22 years in. Java is riddled with problems seemingly, and that's been around for a long time now. JavaScript has been terrible too, until browser people started implementing half-decent sandboxes. Flash has had its problems too... Even .NET has had to be patched many times, though because hardly anyone used Silverlight no one noticed the vast security holes it probably blew in your browsing experience.
So remember that HTML 5 is just another environment, is brand new, and does not require an attack to break out of whatever sandbox the browser has wrapped around it. That's because HTML 5 is now the OS as far as Web apps are concerned; there are already proof-of-concept attacks on it. It's bound to be riddled with flaws, and one day the antivirus vendors will be selling AV for your browser...
The HTML 5 proponents are being highly overconfident in my view, and the more it gets extended and the more OS-like it becomes, the more dangerous it is. If Web apps really take off as replacements for Java, OSes, native apps, Flash, etc., it won't take long before attackers start finding the holes in it and using them. Except their attacks may well be successful across a wider range of machines, because the browser author has probably made the same mistakes in the Windows, Mac and Linux versions.
Quick question. If Java and Flash are bloatware, why aren't JavaScript and HTML 5? HTML 5 in particular is the thickest of layers imaginable to lie between executable code and the CPU. It's a crazy way of running code.