Two writers debate the question “Are all browser plug-ins a security risk?” (The question actually covers both cross-browser plug-ins and single-browser extensions… a longtime semantic imprecision.)
Objectionable line: “Moreover, you’re putting Adobe Flash (which is a commodity plug-in full of documented security holes) with NoScript, which is the very security tool providing that ‘per-site granularity’ in disabling plug-ins like Flash that you’re advocating…”
If you read through the security alerts and can work through the rather politic language of the addressed issues, you’ll see that most of the Player security improvements of the last few years have been to prevent browsers from fulfilling requests they really don’t want to fulfill. The biggest recent exploit was clipboard pollution from untrustworthy ads hosted in your HTML pages. The biggest black eye for Player last year was the clickjacking issue, in which Player was a victim of browsers’ inability to guarantee their own clicks, yet for which Player took the fall. Nothing is perfect, but Flash is actually pretty good.
“Full of documented security holes” means… what?
Check out with what fervor he defends his own baby, and with what casual ease he slurs other babies.
[Update, after two hours: Added source link in first paragraph!]
[Update, after three hours: My characterizations of "errant mental shortcuts" etc were too strong, apologies... a cumulative reaction to a series of similar bashings from varied writers.]