Avast 6 and Flash required - Vulnerability?

I'm just trying Avast for fun, and noticed I need Flash installed to get full access of file activity. I'm using Chrome as browser and therefore don't need Flash. I find it outrageous that a security application is relying on something as vulnerable as an external Flash player! At least Chrome has its one sandboxed. What do you guys think?

 

Re: Avast 6 and Flash required -Vulnerability?

Eh... so live without the graphs? It is NOT really required for Avast functionality.

 

To me its a big problem too, and I wonder why Avast! has made this plugin needed. Especially because of the vulnerabilitys in flash shoftware. Well spotted btw

 

The plugin is not NEEDED. As said, just live without the graphs, they are not NEEDED for Avast functionality, at all.

P.S. Your suggested alternative would be exactly what? Silverlight (equal junk) or java eating all your CPU cycles?

 

Please read the first post, they're needed for the functionality of displaying past statistical data. If you're trying to claim that it's not important, then that's a different matter, and also purely your personal opinion.

 

Please answer my question regarding what alternative do you suggest. And of course, fancy realtime statistical graphs are absolutely critical part of AV (or any other security solution) functionality.... Or live without the graphs, as said.

 

My ESET also draws graphs, anyone knows what, if any, program is used to do this?

 

removed ot posts.

 

nice find shadek. Personally i believe that security applications should be using flash as an sandboxed app. as it is a most vulnerable application. But, am not sure how much avast is isolated from flash vulnerabilities. Only avast dev team can reveal.

 

* There's hardly the need to "suggest" an "alternative" - especially from among the options you provided - when common sense dictates that if you're writing a security program optimized for efficiency, you simply avoid interpreted languages altogether. And if a user is opting to avoid a runtime environment known for its security vulnerabilities, you don't encourage the user to install it on their machines.

Yes, they are, at least for me and apparently quite a few others here.*

 

What, which better alternative that I have NOT provided would you suggest for "realtime" graphs?

 

The point is that Flash (and Java/Silverlight) isn't needed. Any further questions?

 

So, you do NOT want the graphs any more*

 

Well, gee... I don't have flash, java, silverlight (...) installed; Just plain ol' XP SP3 with no added programs/plugins and my security program shows realtime graphs... How is it possible
It certainly doesn't have those bundled with it... and even if it does, it's certainly better than installing it system wide like with avast.

 

Indeed. It seems some people are under the impression that the only way to draw a graph is using Flash. :/

 

Complete fail. Bundling is baaaad security-wise, much worse that you realize. There is pretty much a policy in tons of Linux distributions that bundled libraries are considered a security bug. Since it is hard to track bundled stuff, and since the upstream never manages to keep the pace with the bundled stuff's upstream when it comes to these. Since it requires patching is tons of places instead of one system-wide implementation. Etc. etc. etc.

Case in point - go look at those outdated vulnerable Java versions bundled with Adobe suites

Maybe it is just that some vendors focus on the real meat of their products instead of reinventing the wheel, such as inventing more ways how to draw fancy graphs.

 

Lol, I'm sorry but I couldn't help but chuckle at the logic.
@
The OP has this requirement:
I want to be able to see realtime graphs (our personal opinion doesn't matter)
How does avast do it? You have to install flash, system wide, meaning in your browsers as well which in returns means that the attack surface is increased (not only is your sec. solution susceptible, but your browsers are as well now)

Given that, my point in the part you quoted still stands: it's better to bundle them with the app that needs flash to draw graphs because the attack surface is lower than having the plugin installed in your browsers too.

(nice to see you avoiding the other part of my post )

I find it rather "unfocused" that a security application needs something as prone to vulns. as flash to display graphs.

 

No, it does not stand at all. These is absolutely no guarantee that the bundled version will not get abused. In fact, given that Avast has some 150 million users, the bundled flash will get targeted as soon as a vulnerability gets published in the bundled version. And there is absolutely no point in updating an antivirus every time a Flash security fix is released by Adobe.

I find it rather unfocused that noone so far offered any better alternative, instead of this unproductive ranting.

 

This is my alternative: Excel or some other alternative users already have.

avast! just creates a sheet file, on demand, and the user opens it... Would it work?

At least, no more vulnerabilities would be introduced to the system by installing Adobe Flash Player...

Otherwise, no such crap that introduces more vulnerabilities to the system should be required/bundled... specially not with a security application... quite contradictory, IMHO.

 

Yes, I completely agree with you on that: it's possible to exploit the bundled flash. Let's take that probability as some sort of "constant" or "fixed group" in the equation... doesn't adding of browser plugins increase the exposure, thus only worsening the situation?
But I digress, lets forget bundling... That returns us to the original Q which you avoid repeatedly: "Why is 3rd party framework such as flash (or java, silverlight) even necessary to display graphs"?

Unfortunately, avast hasn't left us with much alternatives now, have they... If you want graphs with avast you need to install flash (activex version).
It would take an avast developer to tell us how to have graphs without the need to install flash system wide.

 

Well, I have asked about 10 times about your alternatives so far, I got absolutely no answer at all. Just beating around the bush.

Or, let me put it this way - do you prefer the security vendor to spend their resources on improving the detection and prevention rates of their products, implementing new security features - or would you rather have them spend more time on reinventing the wheel by writing code to draw the graphs?

P.S. It actually it the ActiveX version being used.

@m00nbl00d: Excel is not really realtime, but log analyzers are commonplace of course. I do not need such eye-candy like these realtime graphs at all. And actually providing something to analyze the malware distribution (time, samples, etc.) would be relevant security-wise, the current one, really is not IMHO.

 

How time consuming can it be? Every other security vendor that has graphs of some sort has their own codebase for displaying graphs. If you're so "anal" about vendors being focused solely on improving detection/removal etc. there's a lot of things in avast that are simply "showing off": sound packs, animated popups, much of the existing UI etc. which have little to do with security/detection/removal.

Oops, yes my mistake.

 

Sound packs, graphics etc. have a marketing purpose (make the SW attractive to users), thus providing a direct or indirect financial benefit to the vendor (and are beneficial the users as well, as long as the GUI appearance is important to them).

OTOH, ranting about a design choice that does NOT affect the functionality of a product in any way except for the fact that you dislike Flash does not have any marketing benefits for the vendors, the hard fact being that they will waste money reinventing the wheels wrt graph drawing and the obvious alternatives here are no better than the current choice. Live with it, pretty much.

 

why a fast scanner like Avast is using a slow plugin like Flash for rendering the GUI statistics?

 

i assume for some reason alternatives were slower, memory hungrier or just wasn't time use anything else

yet it uses java
http://www.live-graph.org/index.html

many others use .net or python or java or else ....

Silverlight may be good choice thanks to it's nix fork ...

and i'm sure there are many native C++ ones opensource too