Facebook info security chief: 'Death to Adobe Flash'
The social network’s Internet protection provocateur is wasting no time in his new post. He wants this buggy software condemned to death.
Add another enemy to the list of people who despise Adobe Flash Player: Facebook’s new chief information security officer Alex Stamos, who the social network poached from Yahoo
Adobe’s often flaw-ridden software Flash has long been a point of contention among Internet security experts. Its monthly, and occasionally more frequent “emergency,” patches are a nuisance to security pros who must perpetually update their versions in order to keep their machines clear of cybercriminal malware infections. Even the late Apple CEO Steve Jobs penned a takedown of the insecure browser plugin in 2010.
Over the weekend, Stamos directed his own frustration at the San Jose, Calif.-based company’s code via a couple of tweets. “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits”—meaning instructions to disable the software—“on the same day,” he wrote. “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.”
Stamos has long been a champion of improving the safety of the Internet, even getting into a heated confrontation with Michael S. Rogers, director of the National Security Agency, at a conference earlier this year over the prospect of adding “backdoors” into Silicon Valley’s encrypted products. His latest call to arms? Presumably, the comment was prompted by a series of previously unknown, or “zero-day,” Flash vulnerabilities that were released into the wild over the past week, the result of Italian spyware vendor Hacking Team getting royally hacked.
Stamos’ execution plea begs the question: Does the Internet really need Adobe Flash? Security analyst and blogger Graham Cluley, for one, says no: “The truth is that the company would probably gain a lot more respect from the internet community if it worked towards this ultimate fix for the Flash problem, rather than clinging on to the belief that it might be able to one day make Flash secure,” he wrote on his blog. “As it is, the only people who truly seem to love Adobe Flash these days are the criminals themselves.”
That assessment is backed up by investigative cybercrime reporter Brian Krebs, who recently tried to go a month without using the Adobe software. “So, rather than continue the patch madness and keep this insecure software installed, I decided to pull the…er…plugin,” he wrote. In fact, Krebs caved only twice. (He needed to watch an instructional video for a home gym and a live-streamed legislative hearing, he said.)
Interestingly, Facebook, Stamos’ new employer, is one company that has helped perpetuate the use of Flash on the Web, especially as the social network aggressively pushes its video business, which, as Fortune reporter Erin Griffith will tell you, has been tremendously successful. (Lots of companies have been forced to accommodate the faulty plugin; Facebook just happens to be a highly visible one.)