
Killing off Flash and the impact that would have

Started by July 15, 2015 01:12 AM
97 comments, last by Sik_the_hedgehog 9 years, 1 month ago


You would be surprised at the number of people who still make Flash games using Flash CS where a lot of the game is done with timelines and just a bit of code to glue everything together (i.e. artists who want to make games but don't want to code). Those would be pretty hard to port over to HTML5. And while JavaScript and ActionScript are both based off ECMAScript, ActionScript has gone well beyond the standard with a lot of additions. There could be quite a bit of work involved in porting a Flash game to HTML5 depending on what was used. Maybe nearly impossible without porting a lot of Adobe's standard library.

Just my 2 cents, but...

Porting a Flash game to HTML5/JavaScript would only be difficult for the group you describe here ("artists who want to make games but don't want to code"). When I made a small game in Flash just to try it out, I used notepad2 and compiled with a batch file (command prompt). When you're writing all the ActionScript and MXML yourself, it's literally the same experience as writing all the JavaScript and HTML5 yourself (which I've also done, just to try that out as well).

Granted, I'm not a regular web developer. Both Flash and HTML5 come with tons of features that you'd usually have to implement yourself off the web when you make your own engine (ex. buttons, textboxes that come with word wrapping, etc.). I tried HTML5/JavaScript before Flash. Once I got over ActionScript's declaration syntax, I could just use my [somewhat limited, but working] knowledge of JavaScript to code the game. And it works!

I just really wanted to stress this point so that Flash developers unfamiliar with HTML5/JavaScript don't get the wrong idea about it being unreasonably difficult to approach.

The thing is, someone will make a Flash emulator for HTML5 once it takes off. At that point Flash will be useless anyway.


This flash exploit has mostly been used by government spies up until this point, but now that it's "burned" by the leak, Adobe and anti-virus companies are quickly patching it up.

You guys seem to be surprised about those vulnerabilities and seem to assume they happen accidentally.

The reason why they persist for decades (and are used mainly by government agencies) is that the vulnerabilities have been placed deliberately for that purpose. That's actually pretty obvious (unless you assume that the guys at Adobe are complete idiots).
I'm not surprised, but there is a big difference between something being obviously plausible, and obviously factual. I wouldn't be surprised if flaws such as Heartbleed were deliberately engineered, but at the same time, these bugs also happen on their own anyway... So Occam's razor means we don't have to declare conspiracy conjecture as fact to explain them.
There actually is more than just raw conjecture linking the NSA to Heartbleed's creation though... That's one downside to open source -- it's trivial for an attacker to infiltrate the development team.

I've shipped games containing "use after free" bugs (just like this flash one) which persisted in the codebase for YEARS later, until eventually being found by a code audit (and lots of luck) -- these bugs could potentially allow user save games to inject code into the game (and potentially hack the game's host OS).
Even super mario world speedruns rely on exploiting bugs that allow turning sequences of game events into executed code :lol:

After working in huge corporate environments, which are internally like miniature oligarchies, I realized just how exactly alike human error/ignorance and perfect malevolence are :( :lol:
Sometimes it's impossible to know if you're up against a hostile conspiracy, or whether you're just stuck with run of the mill incompetence :D

Mostly at the managerial/political level internally it was just incompetence... But I did hear of one engineer who deliberately created a non-obvious flaw in our PNG loader, so that he could embed malicious code (the stealing-money-from-our-customers kind) into a PNG file, in order to avoid it being detected by our own code reviews and from being seen by the government regulator who kept copies of all our source code...

You may call it tin-foil-hatting, but National Security Letters are a reality. You wouldn't know (I wouldn't either, obviously) whether companies like Adobe and Microsoft are being required to build in backdoors.


I don't doubt their existence and the chilling effect they can have, but if you are a government which can force people to write such messy code, why go through the extra trouble? You could just get your spyware forced through Windows Update. All those security holes just make people wary of the products you would want them to use. Also, why bother with a security hole at all when you could just force them to insert a proper downloader of your malicious code which only triggers when a special cryptographically signed piece of data is seen?

I find it far easier to believe there has long been a culture of horribly bad code at a lot of companies, especially if it involves a lot of legacy code from, say, ten to twenty years ago. Thinking all those security holes are intentional for NSA et al services feels like a Rube Goldberg machine to me.

Especially considering your most interesting targets can just avoid you by not installing an optional add-on with a horrible reputation.

Is that so? Let's see what Microsoft has to say about the web browser that comes with Windows:

Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both Internet Explorer and Internet Explorer for the desktop.


You may call it tin-foil-hatting, but National Security Letters are a reality. You wouldn't know (I wouldn't either, obviously) whether companies like Adobe and Microsoft are being required to build in backdoors. However, you can read the signs, and the signs are pretty clear if you ask me.

Windows has been full of security exploits for two decades with slap-forehead things like doing TrueType rendering in kernel mode (or other GDI built-in exploits). If this happens accidentally, you should think that every programmer at Microsoft and every team leader is a complete idiot, and no such thing as quality review or the like ever happens.

The same goes for major Adobe products such as Flash and PDF. How is the 201x PDF different from the 199x PDF? Only in features that deliberately implement exploits. Really, who needs scripting for something that is supposed to display a report, a paper, or a book? Why do those scripts need to be able to write to the filesystem (WTF, really)? Why is there no way in Reader's so-called safe mode to enable printing a document (which is rather harmless security-wise, worst that can happen is that someone prints out 20 black pages and wastes some of your toner...) without also completely dropping your pants and enabling everything else? Surely, if I want to print out a document, I also want to allow it to run scripts and write to my harddisk. Who doesn't want that. The guys at Adobe are just stupid? You think so?


Or maybe, just maybe, the cores of a lot of these programs that people are complaining about (like Windows and Flash) were developed at a time when programmers were trusted to not aggravate their users and before anyone actually gave any serious thought to security for the average user. It wasn't too long ago that people thought the only targets of hackers would be businesses and governments, not some random cell phone that a single person owned.

Heck, with Windows, you have an ancient API which trusts the developer to do the right thing, but which ignorant or lazy developers exploited to create their products and now MS is on the hook for supporting those hacks because they are major programs that people would blame MS for if they didn't work on the new OS versions.

Remember Vista? Remember how "bad" it was? It wasn't bad because of MS. It was bad because they implemented a much more secure OS which broke compatibility with all drivers and exposed several major programs that were coded poorly, not following guidelines MS had set for developers years in advance.

Businesses do not intentionally implement exploits. If they did, they would lose customers extremely quickly. Just look at how many customers several large businesses have lost on the mere implication that they might expose user data to the NSA in the future under US law. Not because they actually have, but because they might, simply by being in the US or hosting data in the US.

Never attribute to malice that which can be adequately explained by stupidity (or naiveté)

Businesses do not intentionally implement exploits. If they did, they would lose customers extremely quickly. Just look at how many customers several large businesses have lost on the mere implication that they might expose user data to the NSA in the future under US law. Not because they actually have, but because they might, simply by being in the US or hosting data in the US.

Never attribute to malice that which can be adequately explained by stupidity (or naiveté)

Google, Microsoft and Facebook still have plenty of customers despite revelations that they actually are completely complicit with Five Eyes spying... So ironically, us customers are also pretty naive/lazy.
E.g. I'm aware of this, but too lazy to change :(


Every single flash banner ad on the internet could potentially be as dangerous as downloading and running random EXE files.

For the record, I had been thinking about this some time ago. Before we could get away with being careful and maybe having an antivirus around, but now we can get malware injected just by accessing any random page. It's no wonder that the trend is to sandbox programs as much as possible.

... Every single flash banner ad on the internet could potentially be as dangerous as downloading and running random EXE files.


Which...a lot of people still do, surprisingly. Really, we're taking a gamble by just getting online. There's no guarantee that our anti-virus software will know about every single harmful file on the internet, even with regular updates.


I wouldn't trust Anti-virus software with that job.

I don't, at this point. A long time ago, I was browsing for language podcasts online and my computer was hijacked completely. Had to reformat to get rid of it. And I didn't even download anything.

Anti-virus/firewall/security has failed me before.

Every single flash banner ad on the internet could potentially be as dangerous as downloading and running random EXE files.


For the record, I had been thinking about this some time ago. Before we could get away with being careful and maybe having an antivirus around, but now we can get malware injected just by accessing any random page. It's no wonder that the trend is to sandbox programs as much as possible.


Exactly what 'before' are you talking about? Drive-by infections have been a problem since the Internet existed as something slightly accepted by the public mainstream. Back then it helped a lot not to use Internet Explorer. First, it was full of holes to start with and ActiveX components added a huge welcome sign to it.
I remember flaws in some image formats (or more accurately, a specific implementation which was widely used) being exploited to infect users. I remember a certain proprietary image format of Microsoft which could by definition include code to execute if the system could not deal with the content (something that made a lot more sense somewhere in the 90s when it was defined). The exact delivery vectors have shifted over the years (although targeting some or the other Flash vulnerability was always a good bet), but the problem is extremely far from new.
So Occam's razor means we don't have to declare conspiracy conjecture as fact to explain them.

Mind that Occam's Razor is not a "law of nature", and that it has a slightly different meaning. It doesn't mean "the easiest explanation is the correct one", nor "the least troublesome explanation is true". He said, and that is a wise thing, that you should not needlessly complicate things when a satisfying explanation exists.

Is "duh!" a satisfying explanation when obvious bugs are built into previously working code (referring to Heartbleed here) without any obvious need? Is it a satisfying explanation for a very major exploit, or rather a dozen of them, that has demonstrably been used by governmental agencies for years (which must either have been obvious enough for them to find easily, or deliberately placed so they knew about them), especially in an age of "revelations" à la Snowden (who, truth being told, didn't reveal anything that you didn't already know, only now it's "kinda official" whereas before it was "tinfoil-hat theory").

I'm not saying that there isn't a possibility that some of these exploits weren't done by accident, but some surely were done on purpose. And the sheer number and the fact that nobody seems to review mission-critical code raises a red flag for me. When you publish code that is known to be under constant attack (say, a TLS library), you necessarily have a different standard.

Simply "duh!" is not a satisfying explanation, so I'm reluctant to accept Occam.

I've shipped games containing "use after free" bugs (just like this flash one) which persisted in the codebase for YEARS later, until eventually being found by a code audit (and lots of luck) -- these bugs could potentially allow user save games to inject code into the game (and potentially hack the game's host OS).

Ah yes, but there's a couple of very important differences here.

First of all save games are something the user creates, not something that runs as drive-by when browsing a website. The user may create a malicious save game file and inject code, subvert the game, ok... but... that's not really big time scary. The user can already do that anyway. Having physical access to his own computer, he can do just what he wants, he doesn't need your bugs.

But let's assume it was something different, maybe not the save game but a flaw in the network protocol that you inadvertently built in, so someone knowing a user's IP address (that would be the ISP or you, if you host a server-based game) could exploit it. Your code is already running on the client's machine, what else do you want? You don't need that exploit.

To another user, it's pretty useless unless they run portscans on random addresses or happen to know someone's IP address (and know that he has your game running) and manage to get past firewall/NAT/router/whatever, which usually isn't quite so easy. Most people are unable to MITM someone, and few are able to directly target someone at all, except maybe at a place like Starbucks' with inadequately set up WiFi.

The ISP knows your IP address, of course, and they can tell from the traffic that the user runs your game (and when!). But the ISP is already much more powerful than that, they control anything the user downloads. They could rather easily redirect DNS or any connection to any server, present wrong certificates, and finally replace any contents with malware (well, not that easily, and this isn't very likely to happen either... but... still... if there's someone who can fuck you hard, it's your ISP). So, they don't need your exploit either.

Most importantly, however, it's apples and oranges. What you wrote was code for a game. You didn't write an operating system or a general-purpose, widely deployed "run code on user machine" platform such as Java or Flash. These are different things.

Of course a game should preferably be error-free and should not offer means to exploit a user's machine, but this is not such a hard requirement. A game shouldn't crash or have memory leaks either, but again... if it does, so what. After all, it's a game, and it's running on someone's home computer.

When writing software that controls a nuclear powerplant or a software that manages medical records or financial records, the expectations are much different. These programs really shouldn't fail, and they really shouldn't allow someone to do certain things. The requirements are hard because the possible consequences are hard.

Now, the thing is, all these super secure, super audited, certified programs run under an operating system which doesn't meet the requirements, and not a few have a "run any kind of code here" platform installed which doesn't either. Yes, the computer controlling a reactor would reasonably (at least, hopefully) be air-gapped, but that isn't the point.

If you can expect that high-risk, mission-critical stuff will run on a system, you must ensure to the best of your ability that this system is failsafe (both in the sense of crashing and of exploits). Something like "allows you to run code on several million computers without the average user noticing" definitely counts towards "super high risk, mission-critical". It's not the same ballpark as "couple of teens play this on their home computer or mobile phone".
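The "use after free in a save-game loader" that the quoted poster describes is a concrete enough bug class to show in code. The following is an added illustration, not code from this thread or from any poster's game: a constructed save-game record format (5-byte records, invented here), a loader that keeps a raw pointer into an array across a realloc (the use-after-free), and a hardened loader that keeps an index instead, validates it at every use, bounds the item count and rejects truncated or unknown records. All names (`load_inventory_vuln`, `load_inventory_safe`, `build_save`, the record kinds) are hypothetical.

```c
/* Added example, not from the original thread. The save format, the
 * inventory structure and every identifier here are invented for
 * illustration. Build: cc -std=c99 -Wall uaf_save.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed save-game format: 5-byte records, kind(1) + value(4 LE).
 *   REC_ADD      add an item whose id is value
 *   REC_SELECT   select inventory slot number value
 *   REC_SETCOUNT set the selected slot's count to value */
enum { REC_ADD = 1, REC_SELECT = 2, REC_SETCOUNT = 3 };
enum { REC_SIZE = 5, INITIAL_CAP = 2, MAX_ITEMS = 4096 };

typedef struct { uint32_t id; uint32_t count; } item_t;
typedef struct { item_t *items; size_t n, cap; } inventory_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Doubles the array. realloc may move the block and free the old one,
 * which is what turns a held pointer into a dangling one. */
static int grow(inventory_t *inv) {
    size_t cap = inv->cap ? inv->cap * 2 : INITIAL_CAP;
    item_t *p = realloc(inv->items, cap * sizeof *p);
    if (!p) return -1;
    inv->items = p; inv->cap = cap;
    return 0;
}

/* VULNERABLE: 'selected' is a raw pointer into inv->items. A REC_ADD that
 * triggers grow() frees the block it points into, and the next REC_SETCOUNT
 * writes into freed memory (use-after-free). There is also no bounds check
 * on the selected slot. Kept for contrast only; never run it on input you
 * did not write yourself. */
int load_inventory_vuln(const uint8_t *buf, size_t len, inventory_t *inv) {
    item_t *selected = NULL;
    memset(inv, 0, sizeof *inv);
    for (size_t off = 0; off + REC_SIZE <= len; off += REC_SIZE) {
        uint32_t v = rd32(buf + off + 1);
        switch (buf[off]) {
        case REC_ADD:
            if (inv->n == inv->cap && grow(inv) != 0) return -1;
            inv->items[inv->n].id = v; inv->items[inv->n].count = 1; inv->n++;
            break;
        case REC_SELECT:   selected = &inv->items[v]; break;   /* unchecked, may dangle */
        case REC_SETCOUNT: if (selected) selected->count = v; break;
        }
    }
    return 0;
}

/* HARDENED: the selection is an index checked at every use, writes always
 * go through the live inv->items, growth is capped, and truncated or
 * unknown records reject the whole save instead of being skipped. */
int load_inventory_safe(const uint8_t *buf, size_t len, inventory_t *inv) {
    size_t selected = 0; int has_selected = 0;
    memset(inv, 0, sizeof *inv);
    if (len % REC_SIZE != 0) return -1;                      /* truncated record */
    for (size_t off = 0; off < len; off += REC_SIZE) {
        uint32_t v = rd32(buf + off + 1);
        switch (buf[off]) {
        case REC_ADD:
            if (inv->n >= MAX_ITEMS) return -1;
            if (inv->n == inv->cap && grow(inv) != 0) return -1;
            inv->items[inv->n].id = v; inv->items[inv->n].count = 1; inv->n++;
            break;
        case REC_SELECT:
            if (v >= inv->n) return -1;                       /* slot must exist now */
            selected = v; has_selected = 1;
            break;
        case REC_SETCOUNT:
            if (!has_selected || selected >= inv->n) return -1;
            inv->items[selected].count = v;                   /* via the live array */
            break;
        default: return -1;                                   /* unknown record kind */
        }
    }
    return 0;
}

static void put_rec(uint8_t *out, uint8_t kind, uint32_t v) {
    out[0] = kind; out[1] = v & 0xff; out[2] = (v >> 8) & 0xff;
    out[3] = (v >> 16) & 0xff; out[4] = (v >> 24) & 0xff;
}

/* Constructed save: select slot 1, then add enough items to force two
 * reallocs (cap 2 -> 4 -> 8), then write through the selection. In the
 * vulnerable loader that final write lands in freed memory. */
static size_t build_save(uint8_t *out) {
    size_t k = 0;
    put_rec(out + k, REC_ADD, 100);     k += REC_SIZE;
    put_rec(out + k, REC_ADD, 200);     k += REC_SIZE;
    put_rec(out + k, REC_SELECT, 1);    k += REC_SIZE;
    put_rec(out + k, REC_ADD, 300);     k += REC_SIZE;   /* grow(): 2 -> 4 */
    put_rec(out + k, REC_ADD, 400);     k += REC_SIZE;
    put_rec(out + k, REC_ADD, 500);     k += REC_SIZE;   /* grow(): 4 -> 8 */
    put_rec(out + k, REC_SETCOUNT, 99); k += REC_SIZE;
    return k;
}

/* Count of slot 1 after the hardened loader runs the constructed save
 * (expected 99), or -1 if the save was rejected. */
long demo_safe_count(void) {
    uint8_t buf[64]; inventory_t inv; long r = -1;
    size_t len = build_save(buf);
    if (load_inventory_safe(buf, len, &inv) == 0 && inv.n == 5) r = inv.items[1].count;
    free(inv.items);
    return r;
}

/* Verdict of the hardened loader (0 ok, -1 rejected) for a save that
 * selects a slot that does not exist. */
int demo_reject_bad_select(void) {
    uint8_t buf[REC_SIZE * 2]; inventory_t inv;
    put_rec(buf, REC_ADD, 1); put_rec(buf + REC_SIZE, REC_SELECT, 7);
    int r = load_inventory_safe(buf, sizeof buf, &inv);
    free(inv.items);
    return r;
}

int main(void) {
    printf("hardened loader: slot 1 count = %ld\n", demo_safe_count());
    printf("out-of-range select rejected: %s\n", demo_reject_bad_select() == -1 ? "yes" : "no");
    return 0;
}
```

The bug in the vulnerable version only surfaces once a save contains enough records to cross a growth boundary, which is exactly why such bugs can sit in a shipped codebase for years: ordinary saves never trigger it, and the crafted one is a user-supplied file. The hardened version's rule of thumb is the general one: never hold a pointer into a buffer that can be reallocated; hold an index and validate it against the current length every time it is used.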

Also, why bother with a security hole at all when you could just force them to insert a proper downloader of your malicious code which only triggers when a special cryptographically signed piece of data is seen?

Because the people who are the most interesting don't run Windows Update. They're either wearing tinfoil, or their copy of Windows is pirated.

Besides, if I think about how Microsoft secretly placed a malware downloader (KB3035583) among its recommended updates not long ago, it looks like they're trying that anyway. Makes you wonder what's the intention behind the decision of their announcement of giving everybody in possession of some version of Windows (including people who have pirated it) a valid Windows 10 license, too.

Why would you give your best, most recent software version to someone who demonstrably steals your stuff and who is never going to pay you? Obviously because you want them to have that particular software for some reason. Marketing could be a reason (but you already know they're never going to pay you!), or trying to counter the adoption of free software (pretty silly if you have to give your stuff away for free, too), trimming down botnets could be another (unlikely), but replacing their systems with something that has some particular property or functionality might be another valid motive.

When the next war begins, wouldn't it be nice for the US government to send a kill code over the internet, and all computers in China stopped working within a second or two? Of course, for that to work, the correct software must be installed on all those computers first.

Besides, if I think about how Microsoft secretly placed a malware downloader (KB3035583) among its recommended updates not long ago, it looks like they're trying that anyway.


Wait.. what?
You.. you are saying that a 'download latest thing' app is malware?
Seriously...

... because if so you've pretty much invalidated every other point you were going to try and make with that line of crazy thinking.
