Wednesday, June 09, 2010

Security issue with Adobe software; deeper IP issues?

The SWF file format [Small Web Format" or "Shockwave Flash" ] was created by FutureWave Software, which was acquired by Macromedia, which was acquired by Adobe. It is estimated that over 99% of Web users now have an SWF plugin installed, with around 90% having the latest version of Adobe Flash Player.

An Adobe security advisory notes:

A critical vulnerability exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.

One notes that the security issue may play into a more visceral conflict between Adobe and Apple.
From CNN--> The new version of Apple's Safari also includes more support for HTML5, a coding language that Apple has touted over Adobe Flash. Apple no longer supports Flash on its popular mobile devices like the iPad.

There are some interesting IP issues lurking beneath the surface here, which have emerged in "dialog" between Steven Jobs and Jonathan Gay.

Jonathan Gay (Harvey Mudd, 1989) created Flash software. In January 1993, Jonathan Gay, Charlie Jackson, and Michelle Welsh started FutureWave Software. The purchase of FutureWave by Macromedia was of interest; as wikipedia notes:
The acquisition of FutureWave by Macromedia was unusual in that Macromedia's flagship product, Macromedia Director, overlapped with FutureSplash's functionality in many ways. Flash came to dominate, because the web was a bigger market than CDs. Wikipedia notes: the Director team would shrink to a handful of people and the Flash team would grow rapidly as Flash came to dominate the market for Web-based interactive media.

Licensing and patent pools come up. From an interview given by Jonathan Gay:

The second challenge was selecting a video codec. We wanted to use the cool new H.264 open standard but Macromedia did not feel they could afford the H.264 license fee. I believe that the capped $5M per year H.264 license fee was similar in scale to the annual Flash engineering budget at the time. The H.264 license fee model is very anticompetitive. H.264 licensing is free for very small users, expensive for medium size companies and inexpensive for very large companies. This model puts the midsize companies who could challenge the dominant companies at a significant competitive disadvantage and is the reason that we implemented the proprietary but affordable On2 codec in Flash instead of the open and expensive H.264 codec. The capped license fee also discourages large companies from building a competitor to H.264 because they can simply pay the capped license fee and know they are managing their patent risk and suppressing their smaller competitors. For example, it would have cost Macromedia $5M per year to add H.264 to Flash but it probably cost Adobe much less to add H.264 because they were probably already paying a substantial fee for their video editing products. You can probably thank the success of Flash video for the fact that streaming H.264 video over the Internet is free for another 5 years. Solving this patent license problem is probably why Google purchased On2. However, if they open source the latest On2 codec as people suspect they want to, it’s much easier to launch a patent lawsuit against them because anyone can inspect the source code. Given the large number of patents in the video space, it may not actually be possible to build an open source codec that does not inadvertently infringe on someone’s patent. The MPEG Licensing Authority solves the problem in a Borg-like way by adding any new patent challengers to their patent pool.

And of Jobs' concerns:

I think Steve Jobs is willfully missing a key point with his arguments against Flash. The important reason to put Flash on the iPhone is that millions of developers have invested millions of hours building Flash content in Flash. The Flash content out there in the world is an asset of our society and the people who created it. People built it in Flash because there was no other decent technology from companies like Apple, Microsoft or Real Networks that enabled this kind of content to be created and delivered. To say that all this content should be discarded because Steve Jobs is afraid that people will build Flash content that runs on mobile devices running any operating system instead of building content that will only work on Apple mobile devices is doing a disservice to the efforts of all those individuals. Personally, I think that Flash content will probably outlive iPhone and iPad apps because Flash is designed to deliver media content while the iPhone/iPad development tools are designed to build applications for a specific hardware platform that will be obsolete in 5 or 10 years. Many years ago, we talked about the idea of “Forever Flash.” The idea was that it should be possible to create interactive multimedia content with a lifetime like a famous book, painting, or movie.

What Gay mentions of the H.264 licensing approach evokes the aviation "patent pool" during World War I. While people as John Simpson tout the aviation pool as something to emulated in the area of stem cells, the aviation patent pool was a device to thwart smaller competitors, as Gay observes with H.264. [Also, Gay's reference to the Borg was cute.]

**See also the following on the security matter-->

Technewsworld notes:

Victims could be hit in various ways, Symantec said. For example, they could receive an email with a malicious PDF attachment; or receive an email with a link to the malicious PDF file or to a website containing malware embedded in HTML code. Victims could also be hit when they stumble across a malicious PDF or SWF file while surfing the Web.

Details On The Unpatched Flash Bug

post at


Trojan.Pidief.J TROJ_PIDIEF.WX


Post a Comment

<< Home