Wednesday, May 07, 2008

Secure in their insecurities

I'm not going to mention names, but I want to throw this out and get some opinions.

I'm working with a company. We're developing a "rich internet application" (flashy cool web site). We are using FLEX, the cool new Adobe flash tool/language for developing rich internet applications. Flex requires the latest version of Flash Player. Our standard minimum requirements for all of our web tools is: Internet Explorer v6 or v7, Firefox v2+, or Mac Safari.

The year is 2008.

That's the background on our side.

Now for our biggest client so far for this tool. They absolutely love the concept. They love the design and the layout. They love what it will do for their company. This is a multi-million (billion?) dollar nationwide company with over 3000 physical locations.

In a meeting last week, their IT team got the first glance at the tool and our minimum requirements. Here comes the joy.

Of their 3000+ locations, fewer than half of them are on IE6 (running Windows 2003 server). Most are running IE5.5 (running Windows 2000). None of them have any version flash player installed. And they refuse to allow their IE5 users to upgrade to IE6.

Through some strange whim it was promised that we would look into the possibilities of our site running on IE5.5. (For some reason, I thought when you set a "minimum requirement", it was implied that you weren't going to try and support specs less than the minimum).

Fortunately, our site doesn't do anything fancy that caused it not to work with IE5.5. Even more fortunate, the latest version of Flash Player still supports IE5.5.

However, their IT team adamantly refuses to install flash player on their systems. We are still trying to get at the true reason for this, but the current thinking is that they fear it as a security risk. The company is looking into the possibility of setting up "kiosk" machines which will exist on completely isolated networks on which they will install flash player. Each location will have one of these kiosks setup in a corner of the office somewhere for each user to go to and logon to the system. However, the logistics of them doing this means that no one in their company will actually be able to use this system until ~4 months after we deliver it to them.

********* that you've read this story, please let me I off the mark in thinking this is just a little bit ludicrous? I know not a lot of people are fans of Vista, and for a business infrastructure and server environment, Vista doesn't make sense. I don't fully understand the network/IT logistics and architecture of this business. However, it seems crazy to me that their primary business machines are Server boxes. Having half of the servers on 2k and the others 2k3 isn't awful, but not allowing the 2k systems to upgrade to IE6 (and thus receive better stability and security) seems absolutely ridiculous.

Is it just me, or should this company be more concerned about running outdated and unsupported (or at least, less supported) software than they should be about installing Flash Player to access a web site? Let me add the caveat that security is a huge concern on our development site because we will be storing some personal data on this site...not a lot, but enough that we are taking security very seriously and will be making all necessary precautions in our code and on our servers.

Please, let me know your thoughts.

Is Flash Player really so insecure that a company should be terrified of installing it (and to taint the question, keep in mind that the company is running Win2K and IE5.5).


Kevin said...

Ha ha ha. That is great Okie. I was wondering when you were going to start writing another work of fiction ;) I can't wait to see the next installment. This one is so far out there I think you might actually get it published.

Anonymous said...

Um... yeah, actually. I totally understand your frustration, and I know just how widely used Flash is, but even as I write this the latest version (9.124) of Flash player has an actively exploited, unpatched hole (
These people are not capable of providing a product (Acrobat Reader, Flash Player) that is secure for more than a few months. When you consider the attack vector - surf to a page, whoops, game over - you can see why IT departments might give Flash a pass.

Okie said...

Perhaps I'm wrong and naive because I'm new to the flash development world, but it seems to me that particular security hole (and the others I've read about) are things that the developer/provider needs to be concerned about, not necessarily something that the client should be concerned about, right?

On our side, we are setting up extensive logging and will be doing all we can to make sure any and all data we collect from clients is secure.

This particular client is concerned that by running a flash application, they will risk compromising data on their own computers and on their network... they are specifically concerned about their clerks using our application on their Point of Sale computers and risking the flash application somehow tapping into the customer data that those PoS machines have access to.

Is that a reasonable fear?

Anonymous said...

OK, if there's no chance that the POS terminals can run flash content that you don't control (i.e. no ablility to follow links outside the network), then there's little risk. However if it is possible to follow a link outside the network, e.g. a banner or link in a page, then the risk is real.