Browser Flash Security Issues

In layman's terms:

Your browser accepts code from random websites and uses it to render (originally) text and images on your computer. Since the only thing it can do is write text or show images, there's not much harm it can do.

Flash was designed to be an animation tool. Back in the dialup days, streaming video was impossible. So animators would use Flash to send you a drawn background and sprites, and animate them locally on your computer. Doing this required a lot more access to the local computer than a browser normally gave: memory for storing the backgrounds and sprites, disk for caching these things, and access to the audio and video hardware for doing the animation and synchronizing it with audio. Crucially, it also allows scripting - the website can send code which runs on the local computer.

In the 1990s, website developers begged for a standardized way to add audio, video, and scripting to websites. The W3C (which approves changes to the HTML spec) dragged its feet. So website developers looked elsewhere and discovered Flash. They quickly turned it from an animation tool into a tool for making websites - drop-down menus, video, etc.

Combine scripting capability, direct access to the local computer's hardware, and development as a niche tool (animation, with little thought given to security) which suddenly became a ubiquitous global web standard, and you've got a recipe for disaster. Malicious software authors quickly figured out ways to use it to do things on your computer without you knowing it.

Edit: In 2014 the W3C finally relented and released HTML 5 which included more scripting-like and multimedia capability. That's what's allowed the phase-out of Flash.
 

errorpipelistening

Distinguished
Jan 6, 2012
Solindri

Thanks for the great explanation.
So the browser is like a window and Flash opened the window to malicious stuff!

Solindri Wrote:
Edit: In 2014 the W3C finally relented and released HTML 5 which included more scripting-like and multimedia capability. That's what's allowed the phase-out of Flash.

Can you explain a little further how HTML 5 might be more secure?
 
Flash let you write pretty much any code (script) you wanted. HTML 5 adds some common website elements (e.g. drop-down menus) which previously had to be created with a script (since it required if/then decision processing). Since the decision processing is limited to that one specific function (selecting a choice from a drop-down menu), you can't exploit it to do something outside its intended function. A general script on the other hand can do and access anything it wants.
 
Solution

InvalidError

Distinguished
Moderator

Flash is a single-vendor solution from a company that has a long-standing record of horrible software security. HTML5 is a W3C standard which allows each browser engine to have its own implementation, meaning that an attack valid against Firefox might not work on Safari, Chrome, Edge, IE and other browsers, and likewise for attacks that work on any of those other browsers against the others.

Basically, Flash is a single point of failure which opens the doors to all platforms that depend on it.