Dump Adobe Flash NOW?
Adobe Flash has a long history of security vulnerabilities; over a dozen have required patching in 2015 so far. Three more zero-days in Flash that were discovered and fixed recently have some in the tech industry crying, “Enough! Time to kill Flash forever!” But is it? Read on for the scoop...
Can the Web Survive Without Flash?
The most recently discovered holes in Flash were being exploited by The Hacking Team, an Italian cyber-spying firm that claims to sell its services only to government agencies. The Hacking Team’s own network was hacked in late June, and 400 GB of internal documents were released via Bittorrent.
Among the embarrassing emails, invoices, and other evidence that the company helps repressive governments, were the recipes for exploiting three previously unpublished Flash vulnerabilities. Hacking Team’s staff described one of them as the "most beautiful Flash bug for the last four years” in a leaked email.
It’s unclear how long Hacking Team kept these bugs a profitable secret instead of helping Adobe fix them. Audaciously, Hacking Team blames the unknown data thieves for exposing the bugs’ existence, as if they were safely in HT’s hands alone.
The tech community’s response has been pretty standard, despite journalists’ efforts to hype it up. Apple quietly continued to ignore Flash, which it has not supported on mobile devices since 2010. Internet Explorer and Google Chrome automatically patched their built-in Flash players. On July 13, Mozilla Firefox took things a step further. Instead of automatically updating the plugin like its competitors, Firefox disabled the Flash plugin.
Users could re-enable it in Firefox’s settings, if they knew how. When Adobe released a patched version the very next day, savvy users who downloaded and installed it could view Flash videos, games and other missing content again.
Setting a Date
Facebook’s security chief, Alex Stamos, Tweeted on July 12, “It is time for Adobe to announce the end-of-life date for Flash and to ask the (developers of) browsers to set killbits on the same day.” Stamos added that it doesn’t matter if the kill-date is 18 months in the future, as long as it’s taken seriously and developers begin now to prepare for it.
Flash has been in decline since 2010, when the late Steve Jobs published a widely-cited blog post explaining why Apple banned Flash from iOS. Jobs said that Flash is inherently unstable, a system resource hog, lacks touchscreen controls, and worst of all is proprietary. "New open standards created in the mobile era, such as HTML5, will win on mobile devices (and PCs too),” he wrote.
Today, Adobe claims more than 500 million devices are “addressable today with Flash technology.” Flash is still used on 23 percent of the 483,000 Web pages tracked by the HTTP Archive, down from 39% three years ago. NBC and Major League Baseball are among the high-profile sites that still cling to Flash technology. But untold numbers of smaller sites use Flash to display content, or offer games.
Even Facebook still uses Flash, despite the wishes of its chief security officer. Mobile users get HTML5 videos, but desktop browsers are stuck with Flash. Stamos has taken the reasonable position: announce an execution date for Flash at a reasonable time in the future, and pull the trigger as scheduled. The holdouts at NBC, MLB, and other sites will get busy converting to HTML5 when they believe there’s a credible threat to their click-streams.
The rub is that for users, there's no magical way to switch to some other method of viewing or playing Flash content. And almost one quarter of all web pages contain Flash elements. Website developers will have to re-code those Flash-based videos, pages and games in the HTML5 language. That's not a trivial undertaking, and some legacy content will never be converted.
Should You Panic?
As of this writing, all known Flash vulnerabilities have been patched. So if your version is up to date, you can continue to use Flash safely. As I mentioned earlier, Google Chrome and Internet Explorer keep Flash updated automatically.
If you use some other browser, you should make sure that you have the latest, patched version of Flash installed on all of your devices. Go to the Adobe Flash Plugin Update page to get it. (Uncheck the “optional offer” checkbox in the middle of the page.) And during installation, be sure to set the plugin to update itself automatically in the future.
If you're worried about future Flash bugs popping up, go ahead and remove it via the Control Panel. You may find that you don't miss it at all. But if you do, you can always install it again. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 16 Jul 2015
|For Fun: Buy Bob a Snickers.|
A Big Milestone + Geekly Update
The Top Twenty
Yes, The Feds Can Read Your Email (and more)
There's more reader feedback... See all 29 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005
- Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Dump Adobe Flash NOW? (Posted: 16 Jul 2015)
Copyright © 2005 - Bob Rankin - All Rights Reserved