Amazon dumps Flash, and the Web is better off

Amazon will stop accepting Flash ads on its advertising network Tuesday

Amazon will stop accepting Flash ads on its advertising network on Tuesday, a move that security experts say will help make the entire Web more secure.

According to Amazon, the move was prompted by a recent Google Chrome update that limited how Flash content is displayed on Web pages. Mozilla Firefox and Apple Safari already had similar limitations in place.

"This change ensures customers continue to have a positive, consistent experience on Amazon, and that ads displayed across the site function properly for optimal performance," the company said in its announcement.

Bad, bad Flash

By enabling games and streaming videos, Flash revolutionized browser-based content, said Adam Kujawa, head of malware intelligence at San Jose, Calif.-based Malwarebytes Corp.

"However, over the last few years, the biggest thing Flash has been known for is its use by cyber criminals to infect users with malware," he said. "Flash exploits are one of the most commonly used tools that the bad guys use to trick your browser into downloading and installing malicious software."

The exploits mostly target old, out-of-date versions of Flash, he admitted -- but those are also the versions that are most commonly installed.

In particular, advertising networks have proven to be vulnerable to Flash-based malware.

"Flash advertisements are the primary method in which attacks like malvertising are able to work," he said.

Attackers either buy advertising space legitimately or with stolen credit card numbers, or infiltrate the networks through other channels, and then create ads that exploit Flash vulnerabilities to install malware on user computers or redirect users to malicious sites.

Ad networks get blamed for failing to protect users, he said.

"It would be in the best interest of the ad networks to no longer support the use of Flash-based advertisements," he said.
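A policy of the kind Amazon is adopting has to be enforced somewhere in the ad network's creative-upload pipeline. The following is an added example, not Amazon's code and not anything described by the people quoted here, showing how such a gate can reject Flash creatives. It inspects the SWF container header (the "FWS", "CWS" and "ZWS" signatures, followed by a version byte and a little-endian length) rather than trusting the file extension, and it also scans HTML or script creatives for the Flash MIME type, the Flash Player ActiveX CLSID, or a `.swf` reference. The function names and the sample creatives are constructed for the example.

```python
import re
from typing import Optional, Tuple

# SWF container signatures: "FWS" (uncompressed), "CWS" (zlib-compressed),
# "ZWS" (LZMA-compressed). Each is followed by a 1-byte version and a
# 4-byte little-endian uncompressed file length.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}

# CLSID used by <object classid="clsid:..."> tags to load Flash Player.
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"

# Markers that indicate an HTML or script creative pulls in Flash content.
FLASH_MARKERS = (
    re.compile(r"application/x-shockwave-flash", re.I),
    re.compile(r"clsid:" + FLASH_CLSID, re.I),
    re.compile(r"\.swf(?=[\"'?#\s>]|$)", re.I),
)


def is_swf(data: bytes) -> bool:
    """True if the bytes start with a SWF container header (extension-agnostic)."""
    return len(data) >= 8 and data[:3] in SWF_SIGNATURES


def swf_info(data: bytes) -> Optional[dict]:
    """Parse the 8-byte SWF header, or return None for non-SWF input."""
    if not is_swf(data):
        return None
    return {
        "compression": SWF_SIGNATURES[data[:3]],
        "version": data[3],
        "declared_length": int.from_bytes(data[4:8], "little"),
    }


def html_references_flash(markup: str) -> bool:
    """True if markup embeds or references Flash content."""
    return any(p.search(markup) for p in FLASH_MARKERS)


def review_creative(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept or reject one uploaded ad creative. Returns (accepted, reason)."""
    if is_swf(data):
        info = swf_info(data)
        return False, (
            f"SWF container (version {info['version']}, "
            f"{info['compression']} compression)"
        )
    if filename.lower().endswith((".html", ".htm", ".js")):
        text = data.decode("utf-8", errors="replace")
        if html_references_flash(text):
            return False, "markup embeds or references Flash content"
    return True, "no Flash content detected"


# --- constructed sample creatives (hypothetical, for the example only) ---

# A zlib-compressed SWF header (version 10, declared length 1234) uploaded
# under a misleading .png name; the magic bytes still identify it.
SAMPLE_SWF = b"CWS" + bytes([10]) + (1234).to_bytes(4, "little") + b"\x00" * 8

SAMPLE_FLASH_HTML = (
    '<object type="application/x-shockwave-flash" data="banner.swf" '
    'width="300" height="250"></object>'
)

SAMPLE_HTML5 = '<canvas id="ad" width="300" height="250"></canvas>'

SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def demo() -> dict:
    """Run the gate over the samples and return filename -> (accepted, reason)."""
    uploads = {
        "banner.png": SAMPLE_SWF,       # SWF disguised as an image
        "rich.html": SAMPLE_FLASH_HTML.encode(),
        "html5.html": SAMPLE_HTML5.encode(),
        "logo.png": SAMPLE_PNG,
    }
    return {name: review_creative(name, blob) for name, blob in uploads.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name}: {reason}")
```

The point of checking magic bytes is that a creative renamed to `.png` or `.gif` still carries the SWF signature; an extension-only filter would pass it through to the same vulnerable plugin the quoted researchers describe.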

But it's not just about security, added Tim Erlin, director of IT security and risk strategy at Portland, OR-based Tripwire, Inc. It's about the bottom line for the ad networks, as well.

"With more and more users disabling Flash or using a ‘click-to-play’ setting in their browser, Flash-based ads simply aren’t being seen as effectively," he said.

"After all, who specifically enables Flash to view a banner ad?"

Is this the end, my friend?

Many of the features formerly only available via the Flash plugin, like animated graphics, are now part of HTML 5, said Kujawa.

"Flash is becoming obsolete," he said. "This new technology can do everything that Flash can, without the risk of infection or the requirement for users to use browser extensions and plugins that need to be updated."

Flash probably won't go away entirely, he said, and will continue to be used to support older applications that haven't been ported over to HTML 5.

"However Flash should not be relied upon anymore as a popular method of providing dynamic content to users," he said.

On the other hand, Amazon is a relatively small player in the advertising industry, said Anup Ghosh, founder and CEO at Fairfax, Va.-based security firm Invincea, Inc.

And Flash did survive Apple declaring it persona non grata on Apple devices, he added.

"Flash is still used extensively on Web pages beyond advertising, including most of the active content and videos we see on Web pages today," he said. "So Flash exploits probably won't be stopping anytime soon, though seeing it go away from advertising would be a positive step."

Other troubled Web technologies, like Java, are also still around, said Kowsik Guruswamy, CTO at Menlo Park, Calif.-based Menlo Security. It may take years before all the Flash content is gone from the Internet.

Franklyn Jones, CMO at Los Gatos, Calif.-based Spikes Security, suggested that eliminating Flash completely would negatively impact users -- and maybe a different solution can be found.

"It’s understandable why Flash content is getting a bad rap," he said. "But perhaps a better option is to find a way to securely render and isolate Flash content to eliminate the threats but preserve the experience."

A more secure Web

According to Invincea data, the majority of malvertising attacks today take advantage of Flash-based exploits, said Ghosh.

Flash exploits are cyber criminals' favorite tool for drive-by malware downloads and malvertising, said Malwarebytes' Kujawa.

"Removing this insecure technology that makes that possible from the equation will make a huge difference and reduce attacks by a significant amount," he said.

Criminals will then go on to find new ways to attack people, he added.

"But at least, if Flash was phased out, we would be able to breathe a little easier knowing that a huge vulnerability was taken care of," he said.

The industry is moving away from browser plugins like Flash, said Amol Sarwate, head of vulnerability management at Redwood Shores, CA-based Qualys, Inc.

"Traditionally, browser plugins had numerous problems including security, no sandboxing, cross-platform and stability issues, and I believe the web could be more secure with open standards," he said.

The use of HTML, JavaScript and mobile app development platforms to serve as user interfaces is growing, said Ben Johnson, chief security strategist at Waltham, Massachusetts-based Bit9, Inc.

"Disabling the ability to run dynamic Flash applications on the majority of systems will absolutely make the Web safer," he added. "Flash and Java have been significant sources of exploitation and compromise over the past few years. Flash makes it easy for attackers to cast a wide net against targets of opportunity."

"Flash should die in favor of HTML 5," said David Goldschlag, SVP of Strategy at San Jose, Calif.-based security firm Pulse Secure, LLC. "Standards based on open protocols tend to be more secure, and more innovative. Flash has already been teetering thanks to the lack of support on mobile devices, and it's time for the transition to complete."
