Why does Adobe Flash have so many security issues?

lrbx4

Junior Member
Dec 1, 2015
All sorts of software can have security bugs that need to be fixed, such as Windows, Chrome, etc. However, it seems like Flash has disproportionally more than other software:
http://www.securityweek.com/adobe-patches-77-vulnerabilities-flash-player

Is there a technical reason for this?

I've heard a few explanations over the years but I don't know what to believe:

1) It is the most popular software, so it is targeted more. Flash exists on different OSes and different browsers. Any software that is heavily targeted will turn up security bugs.

2) Old architecture. Flash was developed a long time ago by Macromedia, and bad security decisions were made about how Flash works. The only thing to do now is patch specific exploits or make broad changes to fix security issues that will also break compatibility.

3) Bad programming. Even before this year, when Adobe announced its shift to HTML5, in the past Adobe wasn't spending enough on developers to manage Flash.
 

Elixer

Lifer
May 7, 2002
It is a combination of all those things you have mentioned.
This is why it should have died a long, long time ago.

There is no technical reason to keep using Flash for anything, and the ad giants don't care, they will still offer Flash ads instead of doing the right thing, and telling them to pound sand.
 

sbpromania

Senior member
Mar 3, 2015
All that you've said is true; even Adobe recognized (finally!) that Flash breathes its last breath.

I think that Flash should be open sourced... and we'll see what comes of it!
 

VirtualLarry

No Lifer
Aug 25, 2001
Elixer said: "There is no technical reason to keep using Flash for anything, and the ad giants don't care, they will still offer Flash ads instead of doing the right thing, and telling them to pound sand."

Skype on Windows (and Android?) now shows ads, and uses Flash.OCX on Windows.

Just when you thought that the internet community at large would be able to kill off Flash, Microsoft goes and embeds it into their ubiquitous chat client. ARG!!!
 

PliotronX

Diamond Member
Oct 17, 1999
VirtualLarry said: "Skype on Windows (and Android?) now shows ads, and uses Flash.OCX on Windows.

Just when you thought that the internet community at large would be able to kill off Flash, Microsoft goes and embeds it into their ubiquitous chat client. ARG!!!"

That made me chuckle because you would think MS would push its Flash ripoff, Silverlight.
 

Mushkins

Golden Member
Feb 11, 2013
The real answer is because Flash was never developed with a security-first strategy, because as a product it was never intended to be used the way it is used today. Adobe made Flash as a web video and multimedia format, which at the time were things where security was not even remotely a concern. Malware wasn't nearly as advanced, and security of a Flash video doesn't matter because nothing sensitive is passing through it, right?

Then people started using it in combination with ActionScript to make interactive web content and it took off. It was now a buzzword and people wanted whole websites made in Flash with all sorts of animations and interactivity. Adobe ran with its popularity and focused on adding more and more features, while the underlying code was still a spaghetti nightmare tacked on top of what was still at its core a video/multimedia format. Naturally it's full of holes and it's nearly impossible to patch them.

So now you've got businesses passing valuable and sensitive information through these pretty Flash interfaces and there's a big target painted on its back. Might as well be storing gold bars in Old Man Jeb's rickety shack.
 

PliotronX

Diamond Member
Oct 17, 1999
Mushkins said: "Might as well be storing gold bars in Old Man Jeb's rickety shack."

DrEvil.jpg