Flash on the rack as Mozilla and Facebook call for end to flawed tool

The future of Flash appears to be in the balance as heavyweights in the technology world call for its demise.

The latest complaints follow a leak of 400GB of data from Italian security company Hacking Team which revealed that previously unknown flaws in Flash were being used by the firm to infiltrate machines and install its monitoring software.

Adobe has rushed to fix these flaws since they were revealed, issuing two patches in rapid succession.

However, while Adobe has acted promptly, Mozilla has blocked the use of Flash in Firefox, while Facebook chief security officer Alex Stamos has called for Adobe to put Flash out of its misery.

It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.

— Alex Stamos (@alexstamos) July 12, 2015

However, given the widespread use of Flash, how likely is this and what can businesses do to defend against the risks?

Security expert Graham Cluley said that Adobe is unlikely to put an end to Flash. "The problem is that perhaps Adobe doesn’t feel happy acknowledging that securing Flash is beyond them, so is unwilling to drop the product,” he said in a blog post.

However, Cluley added that Adobe should seriously consider ditching Flash.

“The truth is that the company would probably gain a lot more respect from the internet community if it worked towards this ultimate fix for the Flash problem, rather than clinging on to the belief that it might be able to one day make Flash secure,” he said.

“The only people who truly seem to love Adobe Flash these days are the criminals themselves.”

Tim Erlin, director of Security and Risk at Tripwire also noted that it is likely Adobe is probably beholden to contractual issues regarding its support of Flash.
 
“It’s easy for a vendor unencumbered by any of the business requirements of Adobe to call for a blanket end date for Flash, but it’s likely that the situation is more complicated for Adobe," he said.

"It’s entirely possible that they’re contractually obligated to continue supporting Flash for some period of time."

V3 contacted Adobe for its comments on the criticisms and whether it would consider killing off Flash, but had received no reply at the time of publication.

Take matters into your own hands
Adobe may not be willing to end Flash, but Mozilla has shown that it is possible for organisations to deal with the problem themselves.

Sean Sullivan, security advisor at F-Secure, told V3 that companies should consider ditching Flash wherever possible, something F-Secure has been doing for many years, underlining just how long Flash has proved problematic.

"Organisations should consider limiting Flash to browsers from which it can be limited - if they really need it at all. Fortunately, more and more sites are moving towards HTML5 content, reducing the need for Flash. It's something business users should be able to live without for the sake of security," he said.

"I uninstalled the Active X version of Flash about five years ago. I don’t use Internet Explorer all that often, and I don’t want Flash objects in my Excel spreadsheets.

"Chrome currently sandboxes Flash, which is a great feature, and I think Firefox is working towards that as well. The bigger problem out there is Internet Explorer."

Meanwhile, Trend Micro’s vice president of security research, Rik Ferguson, was strident in his criticism of Flash, urging people not to use the software unless absolutely necessary.

“For businesses and those responsible for website development, please consider avoiding Flash content wherever possible. Not only is it a security nightmare, it can be an incredible resource-hog for your users,” he told V3.

“Add to that the limited support for mobile browsers, and Flash looks less attractive than ever.”

Ferguson also said that individuals should remove Flash from any computer if feasible and enable it only when absolutely necessary.

“If you can I would recommend using Google Chrome or Mozilla Firefox as your ‘Flash browser’, as both of these include a ‘click to run’ mode for Flash which will also help to keep you safe from exploits,” he added.

Not just a Flash in the pan
The criticisms of Flash are strong, but Adobe has survived similar assaults on the software. Those with a long memory will recall Steve Jobs voicing his disdain with Flash, labelling it buggy and a resource hog.

"We know from painful experience that letting a third-party layer of software come between the platform and the developer ultimately results in sub-standard apps, and hinders the enhancement and progress of the platform," said Jobs in 2010.

Five years on and Flash still remains a problematic piece of software and one that the security community and technology industry is lining up to bury. Adobe will do well to keep it alive for another five years.

• Tweet  
• Facebook  
•  
•  
• Send to  

• Topics
• Security
• Operating Systems
• Adobe
• Adobe Flash
• Mozilla
• Firefox
• Facebook