Should You Abandon the Sinking Adobe Flash Player Ship?

It’s old, crufty (an understatement in the eyes of many), crashes a lot, and worst of all: Adobe Flash Player might be the most insecure thing installed on your computer right now (Java – I am looking at you as a close second). Recently, on March 12, Brian Krebs reported that Adobe patched 11 security vulnerabilities in its latest update. Before that, Adobe had been slammed by three consecutive weeks of zero-day exploits. But the honest truth is: it’s not going anywhere. It’s entrenched in many aspects of the internet: advertising, legacy applications, website content, and even YouTube still uses it (though they’ve started moving to HTML5 for the benefit of humanity). Short of the considerable annoyance of uninstalling it or using click-to-play options (Brian Krebs wrote a great piece on enabling this in web browsers), there is no escaping it: Flash Player is here to stay.

Flash Player’s first iteration was released way back in 1996, and a lot of code has accumulated between then and now. Corporate demands need to be met, and thousands of lines of code suddenly have a deadline. It’s easy to imagine how security best practices might have been ignored somewhere between 1996 and now. On top of that, the overall design of Flash has not really changed in some time. The reason Adobe is patching, every few days, vulnerabilities that allow malicious code to be executed without the user knowing is that the plugin’s fundamental design makes this possible.

Imagine a program that has an embedded scripting language, is a runtime, operates within the browser to run programs on its own, and is installed on the majority of computers. If you are a black hat, your mouth must be salivating, because I just described the features of Adobe Flash.

Though abstaining from Flash is cumbersome, it may just be your best bet, as these security holes are not going anywhere. HTML5 is slowly taking over, and even Adobe has admitted it is probably the future, but keep in mind how many years it took for IPv6 to be deployed.