Adobe Flash: Kill it now

It’s time to put Flash out of our misery once and for all. And, thanks to Google, it may finally happen.

Some programs — cough Windows cough — are full of security bugs, but they’re so popular we can’t get rid of them. That is why Adobe Flash continues to be widely used. But it could be that the end is near at last for the bug-ridden multimedia platform.

Flash, of course, though widely used, is also vehemently hated in some quarters. Steve Jobs famously trashed Flash twice. First, in 2008, he said that Flash for desktops and notebooks “performs too slow to be useful” on the iPhone, and the mobile version “is not capable of being used with the Web.” Then, far more famously, in 2010, he declared that Flash wasn’t good enough for iPhones and he wouldn’t have it in his devices.

He was far from the only hater, but it didn’t do any good. Today, you can still run Flash on iOS using third-party programs like the Puffin Web browser to get your Flash fix.

It’s no secret that when it comes to security, Flash leaks like a sieve. And while that cliche is appropriate, it doesn’t capture the magnitude of the problem. We’re all techies here; let’s look at some hard numbers. Computerworld’s Michael Horowitz counted up Flash’s bugs through mid-May for 2015. Take a guess how many he found. I’ll wait.

Give up? He found 78 Flash bugs in the first five months of the year.

And has a chagrined Adobe done much better since then? Not on your life. In the last three months alone, 86 more Flash bugs have been found. That’s 164 altogether, which means a bug was being discovered every day and a half, on average, or one bug every day for the five-day business week.

That’s got to be some kind of record — but not one that anyone will want to match anytime soon.

If you’re an Adobe Flash programmer, this is all great news; you’ve got excellent job security as long as advertisers and websites continue to use Flash. If you’re anyone else, there’s nothing great about it.

But Flash’s days may be numbered.

You might find that hard to believe if you have any idea how much Flash is still being used. When I browse the Web with Google Chrome, I block Adobe Flash content automatically, so instead of Flash content, I see gray boxes. And I see them everywhere. There are few sites I visit that don’t have Flash-based ads. According to Ad Age, who should know, 84% of banner ads are still built from Flash.

People are also still playing Flash games. Jerome Segura, senior security researcher at Malwarebytes Labs, says that developers are still using Flash for games. “There are people in the gaming industry who are still very attached to Flash,” he says.

And while YouTube dropped Flash for HTML5-based video in January 2015, many other video sites still use Flash. Last, but oh how I wish this were least, some websites’ user interfaces are still written in Flash. Oh, the humanity!

But Web companies have had enough.

First, Mozilla began blocking all versions of Flash Player from running automatically in Firefox in mid-July. Then Facebook admitted in an SEC 10-Q that Flash vulnerabilities are affecting its “ability to generate Payments revenue.” This prompted fed-up Facebook chief security officer Alex Stamos to tweet, “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.”

You think?

Then, on Aug. 27, the grumbling about Flash got serious. Google announced on its AdWords Google+ page that “Chrome will begin pausing many Flash ads by default to improve performance for users. This change is scheduled to start rolling out on September 1, 2015.”

That means all those splashy video Flash ads will stop in their tracks. That’s no way to impress the punters.

Google will automatically translate some of these ads into HTML5 video. But some ads won’t convert. The only way you can tell beforehand is to test the ads with Google’s Swiffy. If your ads don’t come over — well, Google suggests you get cracking in creating HTML5 ads.

Yikes! Sept. 1 is tomorrow. Sorry I didn’t warn you sooner, but you really should have been paying attention.

This move is going to be the real Flash killer. Google AdWords accounts for about two out of three ads seen on the U.S. Web. If vendors can’t reach their customers with Flash ads, they’re going to abandon Flash in a jiffy.

Flash is finally coming to the end of its road. Adobe has no one to blame but itself for this. Flash is almost 20 years old, and still a month doesn’t go by without a serious security problem. That’s why I seriously doubt it will live to see its 21st birthday.


Stories by Steven J. Vaughan-Nichols
