It's a ginormous codebase in a non-memory-managed language which was written back before the industry got serious religion on security. It is free, has a very wide install base, and in common deployments will execute code provided by any host on the Internet. This makes it a <i>very</i> attractive target.<p>Applications of similar complexity/surface area can swallow hundreds of millions of dollars of security research. Flash has not received this. (Windows/Office/etc have.)
I was listening to the Security Now podcast this morning. On episode 514, <i>Tor's Astoria Client</i>, about the first 30 minutes of the podcast are spent going into extreme detail about how a recent Flash vulnerability was exploited.<p>I can't link to a page for the episode.<p>Here is the episode list:
<a href="https://www.grc.com/securitynow.htm" rel="nofollow">https://www.grc.com/securitynow.htm</a><p>The episode:
<a href="https://media.grc.com/sn/sn-514.mp3" rel="nofollow">https://media.grc.com/sn/sn-514.mp3</a><p>The transcript:
<a href="https://www.grc.com/sn/sn-514.txt" rel="nofollow">https://www.grc.com/sn/sn-514.txt</a><p>I think most of the content is sourced (and credited) to this post from FireEye:
<a href="https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" rel="nofollow">https://www.fireeye.com/blog/threat-research/2015/06/operati...</a>
To me, it seems like a combination of several factors:
* None of Adobe's products are particularly stable or secure - not even the ones they charge a lot of money for.
* Flash's wide install base and the fact that it's easy to invoke on a target machine (via the browser) make it an inviting target for hackers.
* Flash is a fairly complex piece of software - after all, it's a language runtime.
* They don't charge for the Flash runtime, so there's no direct return on investment for making it more secure. The main losses are reputational and until there's a mass revolt (which might be coming) it's hard to quantify any financial losses.
I might be stating the obvious - it contains a language interpreter. It is hard stuff to do, and from the beginning the focus was on speed, not security. Now it is a high-value target and it has probably been checked for bugs more than any software in history.
That is how big organizations work:<p>1. They feel Flash is slowly dying or that it could potentially be sold.<p>2. No more investment, in order to get the biggest money from the already existing market of customers, a future sale, or to force migration to other products of the same company.<p>They do not understand that the image of the technology and the community is damaged; and that is a pity when I think of the Haxe project and the open source community around it.<p>Now even an open source alternative to the binary Flash would not save the damaged image, and HTML5 canvas is predestined to overtake it.<p>EDIT: I think Adobe lost a big chance in the market with Flash by being too closed and not understanding modern development/online communities.
I blame Adobe's culture: their culture discourages good programming, and their other projects suffer the same problems. For example, breadwinners like CS/CC frequently crash; I have a collection of InDesign files that will crash on demand, but my concerns have yet to be remedied after 4 years. Internally, they rely on a custom widgeting kit designed to match the functionality found in their pre-OS X Mac software (over 20 years!). Build times are said to be several hours.<p>Adobe is simply not competent at writing modern software; don't forget that if you can't get a Flash zero-day, you might get one for Adobe Reader!