It is a year since I last wrote about Adobe Flash and why everyone should stop using it. Since then, the leaks from the hack of the mass surveillance company HackingTeam have revealed three serious bugs (called zero-day bugs) in Flash that they were exploiting to take over victims’ machines. It is likely that more Flash vulnerabilities will be revealed as security researchers work through the documents the hackers removed from HackingTeam.
The leaked exploits have already appeared in hacking toolkits and are presumably already being used on the general public.
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.
The reality is, there really is no reason for Flash to still exist or be supported by modern browsers. Steve Jobs made this point in 2010. Unfortunately, it persists because Adobe still makes money from it, a large number of people can’t be bothered changing how they produce their ads and websites, and an even larger number of people are still running versions of software that are too old to run the modern replacement for Flash, HTML5. The latter group can probably also be split into those who can’t be bothered to upgrade and those who can’t afford to.
One has to believe that Flash has become a huge liability for Adobe. Being known as a company enabling a large part of the Internet’s security problems is not good reputationally. However, Flash is still a part of its Creative Cloud product suite and so it seems that any moves to abandon it won’t come from Adobe voluntarily.
Usage is decreasing, albeit not fast enough. Flash is still used on around 11% of websites. This is down 2–3% from a year ago.
The environment has changed, however, even from a year ago. Mobile is rapidly becoming the dominant platform for accessing the Internet and these devices don’t run Flash. More importantly, the pervasiveness of government surveillance and cyber-crime in general has become all too apparent, even to the general public.
Whilst surveillance by our own governments may not impact everyone, cyber-crime has become so prevalent that the public is becoming more security conscious. This is being helped in part by companies making security and privacy a bigger part of what they do and simplifying access protection with mechanisms like fingerprint recognition on mobile devices.
Another factor is that Flash use is tightly coupled with how annoying and intrusive ads are displayed on websites. Removing Flash may be an inconvenience for accessing a small amount of functionality, but users actively removing and blocking ads has become much more common. As more ads get blocked, the incentive for advertisers to use Flash to create web ads diminishes significantly.
If you do want to remove Flash (and, as a security measure, it is really advisable to at least limit its use), there are a number of different ways to disable it temporarily or permanently. An added benefit of removing Flash is that you won’t have constant messages asking to update it as daily security flaws are discovered and fixed by Adobe.