Time to get a few things off my chest.

I stand by my statement - Adobe Flash is turning into, nay is, the Typhoid Mary of the Internet.

Information Week has picked up on my Typhoid Mary statement, and written about it here.  Let's have a look at the article, and the comments.

Those who have commented on the Information Week article have turned the problem of malicious banner advertisements, and the fact that there is no way for the end user to turn off or control the functionality in Flash that is being misused by criminals, into a Microsoft versus Silverlight fight.  Have I held up Silverlight as some sort of panacea or cure? No, I bloody well have NOT!  On the contrary, it is the Information Week reporter who brings up Silverlight and "Microsoft's antipathy towards Flash" which the commentators then latched on to and started an Adobe versus Microsoft fight.  How the hell Thomas's sentence morphed into Silverlight being held up as a cure to the malicious banner advertisement problem, by me or anybody else, is beyond comprehension.  As far as I know Microsoft has never said anything like that.  I don't say anything like that.  I don't know of anybody in my field who has said that.

I have not looked at Silverlight; I have not tested Silverlight; if you search my blog you will find that I have mentioned Silverlight *once*, and even then it was NOT mentioned in relation to malicious advertisements.  I do not know what user controls (if any) Silverlight provides, and I don't know if the criminals behind the malicious Flash advertisements will be able to abuse Silverlight in the same way that they do Adobe Flash.  So do me and everybody else a favour - stop putting words in my mouth.

I also see that "magenta" calls me a "Microsofter".  And Thomas Claburn says "It would thus be easy to dismiss Hardmeier's assertion as techno-partisanship..."  

Let's make something perfectly clear.  Yes I am a Microsoft MVP (here is my profile), and have been since 1999, but I am *NOT* and never have been an employee of Microsoft, nor am I a techno-partisan, nor am I biased towards Microsoft products.

My little black book of contacts includes upper-management names and email addresses at Microsoft and AOL and Google, at Doubleclick and ITV, at RealMedia and at Sensis, and at Valueclick, and contains the names of those responsible for management and control of myriad web sites around the world.  I am 'non denominational' and do not recommend Microsoft over another company unless I think they offer the best solution for a particular need. Heck, for years I promoted Deepnet Explorer as an alternative Web browser on my own web site (which is an Internet Explorer technical support site, by the way) until I got sick of Deepnet breaking file type associations all the time.  Even now it features Kopassa as an interesting alternative browser.

"magenta" then goes on to say "Let's see a study comparing how many people worldwide have been infected over the years with viruses due to Flash vulnerabilities, compared to how many have been infected due to Outlook vulnerabilities!"  Is "magenta" saying that it doesn't matter that Flash is being used as a conduit to expose people to fraudware because Outlook has a problem too?  If so, that attitude sucks.  And anyway, Microsoft changed Outlook's (and Outlook Express) behaviour to address the problem of viruses by blocking access to some attachments and increasing security levels etc.  Is Adobe going to do the same with Flash now that they know that their product is being misused?

With regard to "how many people worldwide have been infected over the years", I would not be at all surprised if the number of computers exposed to fraudware via malicious banner advertisements is as high as the number of computers infected by Outlook vulnerabilities (there are a lot more Internet Explorer and Firefox users than there are Outlook users).  How many visitors do you think sites like expedia.com, rhapsody.com, nationalgeographic.com, excite.com, yahoo.com, mlb.com, ok-magazine.com and the myriad other sites that have been affected see per day? Per month? Per year?  That is how big this problem is.

Then we have BruceB saying "the ultimate responsibility is on the end user to keep their system up to date".  I'd love to know what update it is that BruceB thinks fixes the problem of the malicious SWF creatives and the redirects that they trigger.

This is what it all boils down to:

  1. Victim visits a web site
  2. Web site displays a malicious SWF advertisement
  3. Malicious SWF advertisement redirects victim to another web site, immediately and without any user interaction required
  4. Victim is exposed to fraudware and other security risks

Give us a way to stop that redirect - change things so that the redirect will not occur without user interaction.

Edited for clarity and to fix typos.

Published Wed, Feb 13 2008 7:39 by sandi

Comments

# re: Time to get a few things off my chest.

Wednesday, February 13, 2008 7:36 AM by Matt

You know, I am beginning to seriously dislike reporters.  I had naively assumed that reporters in the IT field would be more balanced than the regular news media, but I have been learning otherwise.

Your original post on this issue was quite clear.  The Silverlight issue was just for sales and the reporter should have his wrist slapped for it.

# re: Time to get a few things off my chest.

Wednesday, February 13, 2008 8:52 AM by Doug Woodall

Great post Sandi,

I don't see anything changing soon with this. It's business, and business is about money.

The companies that allow these ads to be displayed are not held accountable. The user is not a consideration.

# re: Time to get a few things off my chest.

Wednesday, February 13, 2008 8:52 PM by Barry

The way I see it, this is a battle between Flash versus animated GIFs.  Call me a Luddite, but the only thing that Flash ads do better than animated GIF ads is annoy people more.  Oh, yeah, and infect people's machines with malware.

# re: Time to get a few things off my chest.

Saturday, February 23, 2008 8:55 AM by Maik

Bit like reviews and 'tests' in computer magazines: you really have to wonder what qualifications some of these people have to write about computing issues. And if they have any qualifications in computing, some of these guys really don't understand real life.