Monday, August 16, 2010

On Backward compatibility and security bugs

One of the 6 critical vulnerabilities reported on Aug 12, 2010 for Adobe Flash is CVE-2010-0209. US-CERT shares some interesting details:

Adobe Flash supports two main types of ActionScript, which is the scripting language for Flash. ActionScript 3.0 is supported by the ActionScript Virtual Machine 2 (AVM2), while previous versions are supported by the ActionScript Virtual Machine 1 (AVM1). Flash 9 and later provide both AVM versions for compatibility with both ActionScript varieties. The AVM1 implementation provided with Flash 10.1 contains a vulnerability...

Backward compatibility is the source of the security bug in this case. If the developers had only to maintain AVM2, this bug would have not emerged. Apparently, backward compatibility is a common source of security problems. In the first chapter of the book Beautiful Security, the author explains how the developers' psychology often contributes to overlook the security of the functionality that's only there for backward compatibility. In some cases, it's also just the accumulation of code. More code means more bugs, simply because the rate with which developers generate bugs is pretty much constant.

Some more examples
In general, supporting old formats is only a source for more security bugs -- even if, in theory, libraries that handle these old formats have matured. CVE-2010-0041 and CVE-2010-0042 from a recent iOS vulnerability report are caused by libraries handling BMP and TIFF images respectively. Another vulnerability in Adobe Reader for Windows, Mac and Unix (CVE-2010-0188) was again related to how Adobe Reader handles TIFF images.

Browser plugins
In a sense, a lot of the web browser plugins today are still around for backward compatibility. Many websites were built to stream audio or video with RealPlayer, Windows Media Player, or Quicktime. These days, most websites use Flash instead. 

In the new operating systems that have been introduced in the past 3 years, such as Apple's iOS, Android and ChromeOS, browser plugins are either completely unsupported or there is only limited support for them. You are probably familiar with the Apple/Adobe debate on Flash on iOS, and that Android, Chrome and ChromeOS support/bundle Flash. 

No matter what your position is on Flash's role on the web today, if you take Flash out of the picture, there is very low demand for porting the traditional plugins (Java, Windows Media, Shockwave, RealPlayer, DivX, Silverlight, Quicktime) to the modern OSes. Either via native apps, or by means of HTML5, services find ways to reach their audiences. 

Backward compatibility is everywhere
Old code (by definition) accumulates as time goes on. Why do Adobe Reader and iOS have support for TIFF, a standard first developed in the 1980s? Probably because nobody was encouraged to take the time to analyze its (lack of) usage, and support a case that it should no longer be supported. 
Even if your iOS, Android or future ChromeOS device is in theory a brand new OS, it is bundling code that's quite old, and is only getting older.

If you are a developer, think of dropping features that are only there for backward compatibility. Try to make a case that nobody uses them. My favorite argument is that, once we drop them, if users need them, they'll ask for them. How many iPhone would complain if their browser could not render BMP images? And out of the myriads of feature requests for the iPhone, how far on the top would this complaint rank?

If you can't eliminate old features, can you make them load on-demand? Maybe the user needs to run the program with a different configuration in order to get the old features. This way, you can protect the majority of users and still support the minority's needs. How many Flash movies run only on AVM1? Is it mostly sites built in 1995, and are these movies mostly their "intros"? In that case, disabling AVM1 could be thought of as a pretty good feature, actually :). 

As a user, take a minute and uninstall old software, old plug-ins and old browsers from your system. And keep the rest up-to-date with security updates.