If one good thing has come out of the recent Hacking Team hack (apart from a fairly scummy company getting their come-uppance and failing to initiate their own internal kill processes), it’s a salutary warning on the issues with mobile code. In particular, the issues with our old friend, Adobe Flash.
3 0-day vulnerabilities in Flash have been released in 2 weeks, and the frequent upgrade cycle can’t be helping to avoid introducing other issues. Yet we still see a huge number of sites (and even better, security tools) using it. Among the best was the US Senate debate on cybersecurity requiring you to load Flash to watch it — while there were 0-day Flash vulnerabilities in the wild.
Cisco, for all that I’ve spent a lot of time working with and promoting their products, requires flash for functions in the console of ISE. It’s time for this to stop; HTML5 is available, and we can use more secure (in fact, I’m not sure we can use less secure unless it’s Java) methods to present data. Flash WWW sites have been irritating for years — now they’re irritating and dangerous. Yet if industry leaders and vendors continue to REQUIRE Flash to effectively use their products, how fast can we actually get rid of it?
On a more personal note, I’ve been endorsing running a flash-blocker, click-to-flash, or some sort of browser plug-in for years. It’s even more pressing these days — just do it. Once you’ve done it, think before you click on that flash video elf-bowling game!