Time to get a few things off my chest.
I stand by my statement - Adobe Flash is turning into, nay is, the Typhoid Mary of the Internet.
Information Week has picked up on my Typhoid Mary statement, and written about it here. Let's have a look at the article, and the comments.
Those who have commented on the Information Week article have turned the problem of malicious banner advertisements, and the fact that there is no way for the end user to turn off or control the functionality in Flash that is being misused by criminals, into a Flash versus Silverlight fight. Have I held up Silverlight as some sort of panacea or cure? No, I bloody well have NOT! On the contrary, it is the Information Week reporter who brings up Silverlight and "Microsoft's antipathy towards Flash", which the commentators then latched onto and turned into an Adobe versus Microsoft fight. How the hell Thomas's sentence morphed into Silverlight being held up as a cure to the malicious banner advertisement problem, by me or anybody else, is beyond comprehension. As far as I know Microsoft has never said anything like that. I don't say anything like that. I don't know of anybody in my field who has said that.
I have not looked at Silverlight; I have not tested Silverlight; if you search my blog you will find that I have mentioned Silverlight *once*, and even then it was NOT mentioned in relation to malicious advertisements. I do not know what user controls (if any) Silverlight provides, and I don't know if the criminals behind the malicious Flash advertisements will be able to abuse Silverlight in the same way that they do Adobe Flash. So do me and everybody else a favour - stop putting words in my mouth.
I also see that "magenta" calls me a "Microsofter". And Thomas Claburn says "It would thus be easy to dismiss Hardmeier's assertion as techno-partisanship..."
Let's make something perfectly clear. Yes I am a Microsoft MVP (here is my profile), and have been since 1999, but I am *NOT* and never have been an employee of Microsoft, nor am I a techno-partisan, nor am I biased towards Microsoft products.
My little black book of contacts includes upper-management names and email addresses at Microsoft, AOL and Google, at Doubleclick and ITV, at RealMedia and Sensis, and at Valueclick, and contains the names of those responsible for the management and control of myriad web sites around the world. I am 'non-denominational' and do not recommend Microsoft over another company unless I think they offer the best solution for a particular need. Heck, for years I promoted Deepnet Explorer as an alternative Web browser on my own web site (which is an Internet Explorer technical support site, by the way) until I got sick of Deepnet breaking file type associations all the time. Even now it features Kopassa as an interesting alternative browser.
"magenta" then goes on to say "Let's see a study comparing how many people worldwide have been infected over the years with viruses due to Flash vulnerabilities, compared to how many have been infected due to Outlook vulnerabilities!" Is "magenta" saying that it doesn't matter that Flash is being used as a conduit to expose people to fraudware because Outlook has a problem too? If so, that attitude sucks. And anyway, Microsoft changed Outlook's (and Outlook Express's) behaviour to address the problem of viruses by blocking access to some attachments, increasing security levels, etc. Is Adobe going to do the same with Flash now that they know that their product is being misused?
With regard to "how many people worldwide have been infected over the years", I would not be at all surprised if the number of computers exposed to fraudware via malicious banner advertisements is as high as the number of computers infected by Outlook vulnerabilities (there are a lot more Internet Explorer and Firefox users than there are Outlook users). How many visitors do you think sites like expedia.com, rhapsody.com, nationalgeographic.com, excite.com, yahoo.com, mlb.com, ok-magazine.com and the myriad other sites that have been affected see per day? Per month? Per year? That is how big this problem is.
Then we have BruceB saying "the ultimate responsibility is on the end user to keep their system up to date". I'd love to know what update it is that BruceB thinks fixes the problem of the malicious SWF creatives and the redirects that they trigger.
This is what it all boils down to:

1. Victim visits a web site.
2. Web site displays a malicious SWF advertisement.
3. Malicious SWF advertisement redirects the victim to another web site, immediately and without any user interaction required.
4. Victim is exposed to fraudware and other security risks.
Give us a way to stop that redirect - change things so that the redirect will not occur without user interaction.
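Until Flash itself gates the redirect behind user interaction, the only place the chain above can be broken is before the creative is served: the ad network has to screen SWF files it accepts into rotation. The script below is an added example, not code from the original post or from any ad network's tooling. It unpacks the real SWF container header (an "FWS" or "CWS" signature, a version byte and a little-endian total length, with CWS bodies zlib-compressed), then flags creatives that reference the Flash navigation APIs navigateToURL or getURL (real APIs; the indicator list and the per-advertiser allowed-host policy are assumptions of this example) or that embed URLs pointing at hosts the advertiser was not approved for. The two sample creatives are constructed byte strings wrapped in a valid header, not real advertisements.

```python
"""Heuristic pre-screening of SWF ad creatives before they enter rotation.
Added example; assumed workflow: ad operations rejects any creative that
can navigate the browser away from the hosting page on its own."""
import re
import struct
import zlib
from urllib.parse import urlparse

# Assumed indicator list. navigateToURL (ActionScript 3) and getURL
# (ActionScript 2) are the Flash APIs that redirect the browser;
# ExternalInterface lets the SWF call into page JavaScript.
NAVIGATION_INDICATORS = (b"navigateToURL", b"getURL", b"ExternalInterface")
URL_PATTERN = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def unpack_swf(data):
    """Return (version, body) for an uncompressed (FWS) or zlib (CWS) SWF.
    Header layout: 3-byte signature, 1-byte version, 4-byte little-endian
    total uncompressed length (header included)."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    signature, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])
    elif signature == b"ZWS":
        raise ValueError("LZMA-compressed SWF: not handled by this example")
    else:
        raise ValueError("not a SWF file")
    if len(body) + 8 != declared_len:
        # A header length that disagrees with the payload means the file
        # was truncated or tampered with; reject rather than guess.
        raise ValueError("declared length %d != actual %d"
                         % (declared_len, len(body) + 8))
    return version, body


def screen_creative(data, allowed_hosts):
    """Return a list of findings; an empty list means the creative passed.
    allowed_hosts: hostnames the advertiser may reference (its CDN, its
    approved landing page). A plain byte search cannot see strings the
    SWF builds at runtime or loads from elsewhere, so this is a screen,
    not a proof of safety."""
    findings = []
    _, body = unpack_swf(data)
    for indicator in NAVIGATION_INDICATORS:
        if indicator in body:
            findings.append("navigation API present: " + indicator.decode())
    for match in URL_PATTERN.finditer(body):
        url = match.group(0).decode("ascii", "replace")
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            findings.append("URL to unapproved host: " + url)
    return findings


def build_swf(body, compress=False):
    """Constructed test fixture: wrap arbitrary bytes in a valid SWF header.
    The body is not a real tag stream, only the kind of literal strings a
    DoABC/DoAction tag would carry."""
    signature = b"CWS" if compress else b"FWS"
    header = signature + bytes([9]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


# Constructed samples (not real creatives).
BENIGN = build_swf(b"\x00" * 16 + b"https://ads.example.net/creative.png\x00")
REDIRECTING = build_swf(
    b"navigateToURL\x00http://landing.example.org/offer?x=1\x00", compress=True)

if __name__ == "__main__":
    allowed = {"ads.example.net"}
    print("benign:", screen_creative(BENIGN, allowed))
    print("redirecting:", screen_creative(REDIRECTING, allowed))
```

Run it as-is and the benign creative returns no findings while the redirecting one is flagged twice, once for the navigation API and once for the off-policy host. The length check in unpack_swf is deliberate: a creative whose header disagrees with its payload is rejected outright instead of being scanned, since anything that malformed has no business in an ad rotation.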
Edited for clarity and to fix typos.