Flash Exploit Shows the Dark Side of Web 2.0

Update: As pointed out in the comments below, Symantec has since clarified their original worries about this being a zero-day exploit affecting current versions of Flash. However it still remains a problem affecting earlier versions of Flash. For details about the specific issue, see Adobe’s post on the problem.

Yesterday’s news of an exploit in Flash that gives hackers the ability to redirect a web site’s visitors to malware-laden servers highlights one of the biggest dangers and problems around the interactive web. Allowing third-party programs — such as Flash, mashups, widgets, or even specialized programs for activities such as bill payments — to run in web sites introduces vulnerabilities and performance troubles that are outside the web site owner’s control.

The Flash exploit is noteworthy because people take Flash for granted, the way they do JPEG and GIF images. So they are willing to let third-party content providers such as video sites or advertisers insert Flash into pages. The problem with this is that Flash is much more than an image or video; it’s a powerful programming language. And as a result, it’s vulnerable.

Mashed-up sites are becoming commonplace. Bloggers and site designers grab snippets of code, inserting them within tags in a page, and build a mashup. But it’s often unclear what they’re inserting. For example, recently-launched Apture shows relevant content when users mouse over a link, but they can also insert advertising.

Such third-party applications also slow down the performance of a web site, leading to irritated users and site owners who have less control over a site’s reliability and the overall user experience. This opens up opportunities for companies such as Gomez, AlertSite and Keynote Systems which provide different types of performance monitoring from a user perspective.

The allure of a component Internet is strong. By assembling widgets, Flash elements and third-party plug-ins, developers can quickly build dynamic applications. But unless they know everything that could be injected into their pages, they’re running a significant risk by doing so.