Why are Flash and Java so Vulnerable?

We’ve all heard that it’s important to keep your operating system and programs updated, and often these two—Flash and Java—are called out as being extra important because of how often issues are discovered and exploited by hackers. What is it that makes these two so vulnerable?

Content creators in the computing world have it rough. Not only are there dozens of computer languages, there are also quite a few operating systems. Android, macOS, iOS, Windows, a few dozen flavors of Linux—it can be a *lot* of work trying to get a given program to run reliably and consistently on multiple systems. Both Adobe’s Flash and Oracle’s Java make this task easier by providing a platform that is ubiquitous, so code can run on any operating system. Flash ties into most of the popular browsers, allowing multimedia content and programs to work reliably across all systems. Java likewise provides a platform for development that works across any device, regardless of operating system, and supports client/server web relationships.

Unfortunately, the complexity of these systems, combined with their near-universal use and accessibility from the internet, means they have become a favorite target of hackers. Flash Player’s issues are legion, to the point where we recommend uninstalling it. While not quite as abundant as Flash’s, Java’s vulnerabilities are still serious, as the San Francisco Metropolitan Transit Agency learned when a Java exploit led to a ransomware infection.

Because these platforms are universal, even Apple devices are just as exploitable. Fortunately, both Apple and Microsoft (and software vendors such as Google) are moving away from Flash and Java by not including them by default. HTML5 is the up-and-coming universal platform that promises to fulfill the same functions with fewer flaws, though even it isn’t perfect.

Though we recommend uninstalling software like Flash if possible, some websites still require it. Protecting yourself from known threats by keeping your software up to date is vital (not just Java and Flash!).