Compare Flash to Safari then: Flash is a comparatively small VM runtime and vector graphics engine while Safari is a whole browser, which has a much larger attack surface. And Safari, despite its increased complexity, had about the same amount of reported vulnerabilities around 2010:
"Comparatively small" is doing a lot of lifting, there. What about Flash was "comparatively small" compared with Safari, and why does that let Safari off the hook for its vulnerabilities compared with Flash?
I spelunked through the Firefox source code about 10 years ago.
A modern browser is an amazingly complex piece of software. A gazillion parsers with the ability to handle malformed content that should give anyone nightmares. Multiple JITs and interpreters. Layout handling with incremental grid calculation algorithms that gave me vertigo - before I understood that it was done asynchronously.
There is no way in hell Flash is anywhere near as complex.
Your "no way in hell" is not really an answer, and any response will just devolve into "Uh huh!" "Nuh uh!"
Browsers now are very complex. At the time, we were still dealing with IE6 and JavaScript 3.
Flash could do literally everything that browsers at the time did, and more. Load and display multimedia files, animate them, interpret ActionScript, and do it cross platform, cross browser, in a performant, relatively secure manner.
You compiled to Flash. Content served that was run by the Flash runtime was valid or didn't work at all. The amount of code dealing with malformed content in browsers is staggering. A browser deals with everything that Flash did, but in more complex ways, while also doing a LOT more.
"No way in hell" is a very good answer. Just the HTML DOM and layouting code in KHTML before it was forked into WebKit was an enormously complex piece of code. Then there is the JS implementation (including compiler - JS gets transferred as source code), the SVG DOM and renderer and other goodies that were integral parts of browsers already back then that I'm probably not thinking about.
Just adding to this: the attack surface of a web browser is humongous compared to that of a relatively small runtime, even in 2008. In 2011 when I had a look through the FF codebase, there were already 2 JITs for JavaScript, one which had been in for years (but I don't remember if it was in use).
On the other hand, Flash was being used by everyone, Windows, Mac, Linux, mobile... Safari was just being used by Mac users. Less users, less bugs found.
So, you will ask for citations and then rip them apart because “every piece of software is vulnerable”?? If you don’t like what you get, why did you ask for it?
At first, you were merely overly aggressive. But this is turning into bullying.
Could you expand on this? Your point is that Flash had vulnerabilities?
What software doesn't? https://www.cvedetails.com/product-list/vendor_id-1224/Googl...
Remember, Jobs' contention was that Flash's problems were inherent. Can you support that?