Gone in a flash? Facebook says Adobe's plug-in is a security risk no longer worth taking
Steve Jobs' 2010 appeal for a Flash-free world echoes again from Facebook and from Firefox maker Mozilla after revelations of just how vulnerable Adobe's animation software actually is.
Adobe Systems' Flash software has come under fire yet again after a prominent Facebook executive called for the end of the animation software.
"It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day," Facebook security chief Alex Stamos said in a tweet on Sunday. Stamos joined Facebook last month after less than a year at Yahoo.
On Monday, browser maker Mozilla piled on. In a feisty tweet, its head of Firefox support, Mark Schmidt, declared that Flash is "blocked by default in Firefox as of now."
Mozilla offered an understated explanation on a support page about software add-ons: "Old versions of the Flash Player plugin have known vulnerabilities." The organization also clarified in a statement that "we have only disabled the current version of Flash, not all versions and not forever." Firefox users also can choose to manually activate the disabled plugin.
Adobe on Tuesday posted a security bulletin with an updated version of Flash and a response to the vulnerabilities. Firefox soon after lifted the default block, allowing for the newest version of Flash to run after you download it. The "outdated" Flash plugin is still blocked.
"As part of the many security initiatives we engage in to help keep our products and our users safe," Adobe said in an emailed statement Tuesday, "we work closely with our counterparts in other organizations (including the browser vendors) on finding ways to encourage users to stay up-to-date on the latest security updates."
Stamos' death-to-Flash tweet came a week after cyberthieves released 400GB of internal documents stolen from HackingTeam, a Italian security company that helps governments and other organizations steal information. Those documents included details for exploiting weaknesses in Flash, which the HackingTeam called "most beautiful Flash bug for the last four years."
Independent researchers further verified three previously unknown attacks using Adobe's streaming-video software for browsers. HackingTeam even warned developers and companies to be wary.
"Before the attack, HackingTeam could control who had access to the technology, which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost," the company said in a July 8 press release. "Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation."
Whenever Adobe does get around to releasing a version of Flash that isn't being "actively exploited by publicly known vulnerabilities," Mozilla's Schmidt said, Firefox will cease blocking the plugin.
Stamos' call to end the Flash browser plugin echoes a demandby the late Steve Jobs. "Flash was created during the PC era -- for PCs and mice," Apple's former CEO wrote in a 1,600-word open letter, "Thoughts on Flash," in April 2010. "But the mobile era is about low power devices, touch interfaces and open Web standards -- all areas where Flash falls short."
Flash was once the de facto standard for websites to run games, stream video and deliver animation over browser software. Before Jobs' high-profile attack on the software, Flash ran on more than 800 million mobile phones manufactured by 20 handset makers. The exception was Apple, which banished Flash from iOS, the operating system that powers the iPhone and iPad, and stopped preinstalling the software on Mac computers. These days, Flash is on the wane as more in the online video industry turn to HTML5, a developing language that can run graphics without plugins.
But while it's fading, Flash is far from forgotten. Flash is still used on 23 percent of the 483,000 Web pages tracked by the HTTP Archive, a resource for Web developers. Even though that usage has dropped from 39 percent three years ago, removing Flash from browsers would break much of today's Web. That's why browser makers such as Google and Microsoft have granted Flash special status even as they try to wean the Web from it and other browser plugins.
Killing Flash, though, would be difficult: It's not just decade-old websites that rely on Flash for streaming video. Many top video networks rely on it, said Jan Ozer, a streaming-media consultant and author. Flash, he said, "has its negatives, but why banish Flash altogether if companies like NBC and MLB want to use it?"
According to Adobe, more than 500 million devices are "addressable today with Flash technology" and 110 million websites run the plugin. Adobe has issued more than a dozen Flash security advisories since the beginning of this year.
Stamos, who helped strengthen Yahoo's security prowess before joining Facebook, tweeted that Adobe needs to set a date for Flash's sunset so that browsers could coordinate their dropping the software.
"Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once."
Update, July 14 at 6:14 a.m. PT: Added information about Firefox maker Mozilla blocking Flash by default.
Update, July 14 at 4:07 p.m. PT: Added information about Adobe's response to the vulnerabilities and software update. Added information about Firefox maker Mozilla lifting default Flash block.
THIS WEEK'S MUST READS
Mobile screens: Do they really turn your kids' brains to mush?
From CNET Magazine: Babies and toddlers love looking at the screens of tablets and smartphones -- but doctors warn that too much screen time could cause problems later in life. How much is too much?
When my 15-year-old daughter was a baby, I let her watch some TV. But I didn't worry about smartphones or tablets. Those devices weren't even around then.
My 2-year-old twins, on the other hand, were born into a world packed with screens on smartphones and other devices. These shiny mobile devices record their milestones, let them chat via video with their grandparents on Google Hangouts and entertain them through apps like Elmo Calls and Peekaboo Barn.
I often joke they never would have crawled if we hadn't dangled an iPhone before them as incentive.
Born 13 years apart, my girls bookend a surge in interactive media pouring out of smartphones, tablets and computers. But one thing hasn't changed. The American Academy of Pediatrics still sticks to its 1999 recommendation that children under 2 should not watch media on screens. The concerns? Too much time in front of a screen might slow language development, cause attention disorders, disrupt sleep, lead to aggressive behavior and promote obesity in preschool and school-age children.
The thing is, the AAP recommendation is based on passive television watching. This made sense in light of research showing TV offers almost no learning benefits for the very young. Now, however, new studies are starting to show that today's interactive screens can actually promote learning.
"It's all happening so quickly that we're calling it the digital Wild West," says Michael Levine, who heads Sesame Workshop's Joan Ganz Cooney Center, a nonprofit research lab that "focuses on the challenges of educating children in a rapidly changing media landscape."
That leaves parents like me in a quandary. Do I heed the AAP's warning to ensure my daughters' brains won't turn to mush? Or do I focus more on how my kids use screens, rather than whether they do.
Screen time-out
You'd think Apple CEO Steve Jobs' kids would have had free rein to use the iPad. Not so much, according to The New York Times' recounting of a conversation from 2010. "We limit how much technology our kids use at home," Jobs reportedly said not long after Apple's first tablet reached consumers.
While Jobs may have had a rigid attitude about screen time, other tech-savvy parents say they often think about their kids' digital playtime.
"It used to be you only had a screen or two to police," says David Morken, father of six and CEO of Bandwidth, which provides the Republic Wireless mobile-phone service. "Now every screen is potentially an immersive experience."
Mike Abbott, a general partner with venture capital firm Kleiner Perkins Caufield & Byers, ran software development at Palm and oversaw more than 350 engineers at Twitter. So he's not afraid of technology. Yet he wonders how constant distractions from smartphones and smartwatches could affect his 7-year-old daughter.
"Your focus is everywhere and nowhere at the same time," Abbott says. "Personally, that sense of focus was a real benefit in school, in starting companies, in building things."
Life lessons
For many experts, the crux of the issue comes down to how digital play affects young brains.
The AAP rightly points out that time in front of a screen could mean less time doing important things, like playing with blocks or digging in a sandbox. Such creative play encourages mental development in young minds, giving kids a way to explore ideas and find new ways to solve problems.
Seattle pediatrician Dr. Dimitri Christakis, who helped write the no-screens-under-2 warning the AAP reaffirmed in 2011, now says it's OK for toddlers to spend up to an hour a day with smartphones and tablets. In an opinion piece in the Journal of the American Medical Association last year, he compared interactive apps to physical toys. Both can teach cause and effect and give babies the satisfaction of making something happen.
But Christakis' advice comes with caveats: First, remember screen media can be addictive, so set time limits and stick to them. And second, don't let media supplant time with friends and family in the real world.
"I worry when I'm at a restaurant and I see the entire family on their screens," he says. "There's something that's being displaced there."
Other organizations -- including Zero to Three, Common Sense Media and the National Association for the Education of Young Children -- have released findings supporting Christakis' more-lenient recommendations. None encourages an outright ban on interactive media.
Guilt complex
So how guilty should I feel if I let my twins look at interactive screens for more than 60 minutes a day? A few experts say the rules have some wiggle room.
Christakis, for example, says we don't have to count activities like Skyping with grandparents or cuddling up with a simple e-book as screen time.
And if a little extra media time helps parents get through the day, so be it, says Heather Kirkorian, who led the "Toddlers and Touch Screens:Potential for Early Learning?" study out of the University of Wisconsin at Madison. "If parents use video for 15 minutes so that they can take a shower in peace and know their kids are safe, maybe we shouldn't make them feel terrible about that."
As the saying goes, "everything in moderation." And until research catches up to the crazy pace of technology, it's going to be up to us parents to figure out just what that means.
No comments:
Post a Comment
Please leave a comment-- or suggestions, particularly of topics and places you'd like to see covered