According to US CERT in 2015, the most commonly targeted vulnerabilities that year were found in “systems running unpatched software from Adobe, Microsoft, Oracle, or OpenSSL”.
Microsoft products topped that list, which is no surprise for the most ubiquitous operating system, but they were followed by Adobe – manufacturer of Reader, Acrobat and the unloved Flash Player. Why is it unloved? Well, over the past couple of years more ‘how to’ guides have appeared online offering instructions on how to disable Flash Player, and in the browsers I’ve used, I’ve seen functionality lacking as Flash has often been unsupported.
In his 2015 article on not using Flash for a month, Brian Krebs said that the Flash Player “is among the most widely used browser plugins, and it requires monthly patching (if not more frequently)” and he commented that it is “not uncommon for Adobe to release emergency fixes for the software to patch flaws that bad guys started exploiting before Adobe even knew about the bugs.”
As a result, many opted not to use Flash at all, and the browsers heard the noise and decided to end support for Flash: Mozilla said that from “2017, Firefox will require click-to-activate approval from users before a website activates the Flash plugin for any content”; Google Chrome confirmed that it would block Flash from version 53; and Apple Safari added next steps for legacy plug-ins in June 2016.
As it turned out, after a couple of years of a lack of love, Adobe announced this week that it plans to bring down the curtain on the Flash Player in three years. “Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats,” it said in its blog.
Adobe acknowledged that many “industries and businesses have been built around Flash technology” and that was the reason for the lengthy support ahead of its demise, but the days of websites being built entirely in Flash seem to have disappeared into the dot com history books.
Adobe also said that it will continue to support Flash on a number of major operating systems and browsers that currently support Flash content through the planned end of life. This will include issuing regular security patches, maintaining operating system and browser compatibility, and adding features and capabilities as needed. At the same time, it plans to ‘more aggressively’ end support for Flash in certain geographies where unlicensed and outdated versions of Flash Player are being distributed.
The fact is that Flash has been a drain on vulnerability patching resources for Adobe: its bulletins show that seven patches were issued for the Player alone in 2017. Therefore, I would guess it has come as some relief to those responsible for patching Flash, both internally pushing the patches out and within IT departments who are responsible for such duties.
Where does the industry go from here? Adobe acknowledged that open standards like HTML5, WebGL and WebAssembly have matured over the past several years, and in its roadmap, Mozilla stated that from August 2017, users must choose which sites are allowed to activate the Flash plugin.
As of the second half of 2018, Firefox will no longer ‘remember’ the Flash setting, and users will have to choose each time whether to activate Flash; from 2019, Firefox will show a visible warning on websites that continue to use Flash.
Benjamin Smedberg, architect for the Firefox product integrity team, said: “Over the years, Flash has helped bring the web to greatness with innovations in media and animation, which ultimately have been added to the core web platform. The end of Flash offers an opportunity to bring legacy design and content in the Flash format into a new era using HTML and web technologies.
“Reducing Flash usage now is an important part of making the web and Firefox better together, and will support the end of Flash in 2019 and 2020.”
Ending support for a technology or software product has proved to be a challenge; it’s not just a case of pulling the plug and dropping your users a message, it requires preparation and time to switch. Take the case of Windows XP: despite the end of support in 2014, statistics show that 6.94% of Windows users are still on XP, and the case of WannaCry caused Microsoft to issue an emergency patch for it.
Will the end of support for the Flash Player cause many security issues? Giovanni Vigna, CTO and co-founder of Lastline said that given the pace at which most sites evolve, he would expect that most people will simply migrate their apps from Flash to other formats, as this is not a difficult task.
He said: “Many major vendors were already finding ways to ditch Flash completely, or finding ways to isolate the plugin from the rest of the browser/OS more effectively. It was only a matter of time before Flash would become obsolete and unsupported.”
Mark James, security specialist at ESET, said that this announcement had “been a long time coming”, particularly with so many developers moving away from Flash for many years, so the chances are you already have less to do with Flash than you actually think.
“Many of our mainstream browsers already either block it completely or enable ‘click-to-run’ features if you need to allow Flash to run, which is fantastic, thus making the internet a little safer,” he said.
“I would like to think three years is plenty of time to remove or change something that most of us know is bad, don’t use, and if honest had actually forgotten was still around. As with all change, there will be some old remnants still around that are going to cause glitches or the odd hiccup. The good news is there are plenty of alternatives; HTML5 and WebGL spring to mind, but with so many platforms offering alternatives it won’t be hard to find something else to do the job.”
If you are a Flash Player fan, there will still be an option to use the plug-in: Microsoft Internet Explorer. Andrew Clarke, EMEA director at One Identity, said that Internet Explorer is about to be the only widely used browser to run Flash-powered animations and video out of the box. “By default, Microsoft Windows 10’s Edge browser will come without Flash to provide dynamic content.”
For most people and businesses, though, this will have come as no surprise, as it is part of the evolution of the internet towards more open standards and away from proprietary software. If the browsers do their job as they intend and phase out the plugin altogether in updated versions, this should not have a bearing upon users and their security. For those applications and platforms that remain reliant on Flash, the three-year process of change began this week.