Could Open Sourcing Adobe Flash Preserve Internet History?

Open Source Security, Adobe Flash and a Little Internet History 

Anyone who has spent time on the internet over the last quarter of a century has probably seen Adobe Flash in one iteration or another, and has likely spent quite a bit of time updating it in light of newly discovered security vulnerabilities. There have been over 1,000 vulnerabilities in the Adobe Flash Player since 2005 (when Adobe acquired Macromedia), and they tend to have fairly high CVSS severity scores. Considering the dominant use of Flash in online multimedia content, these security issues have been a concern for an eternity in internet time.

Security issues were part of why Adobe Flash has never been allowed on the iPhone. Steve Jobs shared his "Thoughts on Flash" in 2010, clarifying many of the reasons he didn't want to allow it on Apple's mobile devices, citing security along with reliability and performance as some of the key reasons for the exclusion of Flash. Symantec highlighted Flash as having one of the worst security records in 2009, but you can find many news stories over the years addressing security issues in Flash, record numbers of patches to critical Flash vulnerabilities, and articles guessing when Adobe Flash will finally die.

Adobe Flash Retires... Finally

On July 25, Adobe finally announced plans to end Flash support by the end of 2020. Adobe credited the maturity of open standards including HTML5, WebGL and WebAssembly as viable alternatives for the capabilities formerly provided by Flash and other plugins. Because there are industries and businesses built on the technology, the hope is that content creators will migrate existing Flash content to the new open formats. 

It's easy to understand why Flash is being retired — security experts have long been discussing the significant attack vector Adobe Flash offers. Still, a 2020 date seems pretty far off. In the interim, users worldwide need to either block Flash or maintain their version with regular updates. Unpatched vulnerabilities in Flash plugins have offered easy money to users of commercial "exploit kits," providing six of the top 10 vulnerabilities used in them in 2016. While "Flash is dead" is resonating around the world, the security community has made it clear that it's still here to worry about for a couple more years.


Open Source Flash?

Why then is there a petition to open source Flash? The community agrees that Adobe has played a leadership role in providing interactivity and creative content on the web, creating gaming, education and video content that built what we know as the web today. That's actually the primary reason web developer Juha Lindstedt is asking Adobe to release it as an open source project:

“Flash is an important piece of Internet history and killing Flash Player means future generations can’t access the past,” Lindstedt wrote. “Games, experiments and websites would be forgotten.”

Does Lindstedt have a point? Maybe. Linus's Law has long been used to argue that "many eyes make all bugs shallow," making open source more secure than closed source. That assumption relies on many eyes paying attention to the code, and an active open source community maintaining the project. It may be possible that open sourcing Adobe Flash makes it more secure, but given the open standards now available it seems unlikely that a dedicated team will maintain an outdated plugin like Flash for long. 

What Would Work?

As a parent, I can certainly understand the desire to access content created with Adobe Flash. At summer camp my kids have created Flash animation for years, and I'd love to be able to access those in future years. And while a professional developer might make an effort to port their creations to newer platforms, it's pretty unlikely that our children experimenting with Flash will have the skills, time or inclination to do the same. 

Commenters on Y Combinator suggested that a stand-alone emulator capable of running Flash’s .SWF format might be a good solution for accessing cultural artifacts such as games, movies and "internet history" relatively safely. In an article by Gizmodo, Lindstedt agreed.

“We don’t want to preserve Flash Player, but to open source Flash spec so that there’s some way to access the history of Flash in the future,” he told Gizmodo.

Who knows? Maybe open sourcing Flash could evolve into a new, secure open source project that preserves the past while protecting the future. What do you think?
