Adobe: "Yeah, Flash has a flaw..."

[The Blackrose]

But it's the developer's responsibility to make sure it's not exploited!

Flash flaw puts most sites, users at risk, say researchers

What a fucking load of hogwash. Best of all, it's "unpatchable." Burn in hell Adobe.

[Khamsin]

Any programming platform can allow exploits if they are not safeguarded against.

If you use eval in a php script improperly, or don't safeguard against buffer overruns in arrays, is it your fault or php's fault?

If safeguarding against it requires the same level of effort and diligence as, say, stripping special characters and validating input server-side, then I don't see the problem.

If it's something that can not be safeguarded against with diligent programming methods, then there is a problem.

[The Blackrose]

If safeguarding against it requires the same level of effort and diligence as, say, stripping special characters and validating input server-side, then I don't see the problem.

If it's something that can not be safeguarded against with diligent programming methods, then there is a problem.

I agree. In this case, it seems to be the latter, since it's based how Flash and ActionScript operate. And so far, the solutions look to be half-assed.

[Correction]

This doesn't look unpatchable at all. Adobe made some poor assumptions about executable content security in their model and that's completely fixable. The bad news is it sounds like a major-revision type of change that would require a lot of catching up from existing sites to be implemented. It took ages for any mainstream site to even begin using Flash 9. "Flash 11" doesn't have a chance.

[Kirbyprime]

Considering that standard advertising practices still cater to Flash 8 which is 4 year olds, even if Flash 11 comes out right this moment, I don't expect people to actually use the thing until some time in the year 2015 >_>

[Zhais]

It's just a web security thing in general, nothing against Flash/Adobe directly...

If the site lets you upload a malicious flash file out of the norm in the first place, the site is not secure. It's a sad fact that a lot of web developers do not care about securing their site well enough. This article/idea should be a kick in the ass for developers to secure their sites, not necessarily to force flash to cater to the idiot masses.