[LINK] Any one else suffering Adobephobia?
Rick Welykochy
rick at vitendo.ca
Fri Jul 10 11:12:31 AEST 2015
Gentle Linkers,
Late in June, Adobe issued YAFU (Yet Another Flash Update). And then yesterday, YAFU,
this one quite serious. It is being exploited in the wild. You are advised to update to Adobe Flash
18.0.0.203 (Windows and Mac), 11.2.202.481 (Linux).
I decided to read all about it here:
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
Here is a summary of what went wrong in the penultimate release of Flash, along with my
observations of this billion-dollar company's programming skill set:
heap buffer overflow:
    programmer unable to count from one onwards correctly, i.e. he or she stuffed too many characters into a string buffer ... this is kindergarten stuff
memory corruption vulnerabilities:
    programmer unable to stay within memory limits, i.e. he or she wrote code that accessed and wrote memory that does not belong to the Flash program - very naughty, stupid and, once again, kindergarten-level programming
null pointer dereference:
    this is plain silly: the programmer used an invalid (zero) pointer to access computer memory from within Flash. Sheer idiocy.
type confusion:
    kindergarten programmers have trouble distinguishing apples from oranges, well, erm, integers from real numbers, that sort of thing
use-after-free vulnerabilities:
    more kindergarten stuff - after freeing up system memory when it is no longer needed, the programmer went and reused that memory for another purpose, which of course would confuse the underlying operating system, which will give that same memory (since it is now free) to another piece of software to use.
I would fail a year one programmer had all of the above bugs been present in a programming assignment.
A question arises from the above list of country bumpkin programming gaffes. Can Adobe not afford
software sourcecode analysis kits? They ain't that expensive and would at least alert programmers at this
august company to the presence of ALL of the above exploits.
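As an added illustration (not part of Rick's post, and nothing to do with Adobe's own code), here is the guard each of the five listed bug classes calls for, written in C with constructed sample data: a bounded string copy that counts the terminating NUL, a bounds-checked array read, null checks, a free-and-null helper, and a tag check before a union is read as one type.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap buffer overflow guard: refuse a copy that would not fit, NUL included.
   Returns 0 on success, -1 when the source is too long or a pointer is NULL. */
int safe_copy(char *dst, size_t dst_len, const char *src) {
    if (dst == NULL || src == NULL || dst_len == 0) return -1;  /* null pointer guard */
    size_t n = strlen(src);
    if (n + 1 > dst_len) return -1;     /* the "+1" for the NUL is what gets forgotten */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Memory corruption guard: an out-of-range index is rejected, never dereferenced. */
int get_at(const int *arr, size_t len, size_t idx, int *out) {
    if (arr == NULL || out == NULL || idx >= len) return -1;
    *out = arr[idx];
    return 0;
}

/* Use-after-free guard: clear the pointer when freeing, so a later use is a
   checkable NULL rather than a silent read of memory the allocator has reused. */
void free_and_null(char **p) {
    if (p == NULL) return;
    free(*p);
    *p = NULL;
}

/* Type confusion guard: a tagged value whose tag is checked before the payload
   is interpreted. Reading the double as an int is refused, not performed. */
typedef enum { T_INT, T_DOUBLE } tag_t;
typedef struct { tag_t tag; union { int i; double d; } v; } value_t;

int value_as_int(const value_t *val, int *out) {
    if (val == NULL || out == NULL || val->tag != T_INT) return -1;
    *out = val->v.i;
    return 0;
}

int main(void) {
    char buf[8];                                   /* constructed sample buffer */
    printf("fits: %d\n", safe_copy(buf, sizeof(buf), "1234567"));    /* 0  */
    printf("too long: %d\n", safe_copy(buf, sizeof(buf), "12345678")); /* -1 */
    char *p = malloc(16);
    free_and_null(&p);
    printf("after free: %p\n", (void *)p);         /* (nil): use is now detectable */
    return 0;
}
```

A static analyser of the kind the post asks about flags exactly the unchecked forms of these operations; the checks above are what it would expect to see.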
Why the rant? Because of all the software I use that must be updated, Adobe Flash is by far the software
that requires the most updates. Besides that, their update "app" for Macs running Mtn Lion is broken,
and one has to engage in a near fruitless and time consuming search through their tortuous website to
find a direct download for the DMG file containing the update.
Adobe bullied itself into web applications since the early days of the internet. As such, they have a responsibility
to provide thoroughly tested and vetted plug-ins that guarantee online user safety. They have failed miserably
in their remit and deserve all of the flak and bile we hapless users can direct at them.
Bring on HTML5 with its embedded video and audio capabilities and banish Adobe Flash to the trash-heap
of crapuscent (my word) software for eternity.
regards
rickw
--
------------------------------------
Rick Welykochy || Vitendo Consulting
I contend that for a nation to try to tax itself into prosperity is like
a man standing in a bucket and trying to lift himself up by the handle.
--Winston Churchill