Written by Nick Heer.

Salvaging Flash

Dan Goodin, Ars Technica:

A string of weaponized attacks targeting Adobe’s Flash media player — including three in the past 10 days — has kept software engineers scrambling to fix the underlying vulnerabilities that make the exploits so dangerous. Fortunately, they have also been busy making structural changes to the way the program interacts with computer operating systems to significantly reduce the damage that can result not only from those specific attacks but entire classes of similar ones.

At the moment, the defenses are fully implemented only in the Flash version included in Google Chrome, having made their debut earlier this week. One of the two mitigations is available in other versions of Flash, and the remaining one is expected to be added to other browsers in August.

As Google has opted to bundle Flash into Chrome, thereby creating one of the biggest and most popular security risks around, this is a welcome improvement.

I’ve got to wonder if this is a last-ditch effort on Adobe’s part to prolong Flash’s welcome life, which, as far as I’m concerned, it has long surpassed. When will these improvements be rolled into Adobe’s software that relies upon Flash for various UI elements? When can we finally say goodbye to Flash entirely, the way we did for Java on the web? Is Adobe aware that this is only prolonging the agony of a product that is well beyond its sell-by date? Can we just move on already to discover the new and exciting security holes that are surely in HTML5 local storage?