Amazon will stop accepting Flash ads on its advertising network on Tuesday, and it will help make the entire Web more secure, security experts say.
According to Amazon, the move was prompted by a recent update from Google Chrome that limited how Flash was displayed on Web pages. Mozilla Firefox and Apple Safari already had similar limitations in place.
"This change ensures customers continue to have a positive, consistent experience on Amazon, and that ads displayed across the site function properly for optimal performance," the company said in its announcement.
Bad, bad Flash
By enabling games and streaming videos, Flash revolutionized browser-based content, said Adam Kujawa, head of malware intelligence at San Jose, Calif.-based Malwarebytes Corp.
"However, over the last few years, the biggest thing Flash has been known for is its use by cyber criminals to infect users with malware," he said. "Flash exploits are one of the most commonly used tools that the bad guys use to trick your browser into downloading and installing malicious software."
The exploits mostly target old, out-of-date versions of Flash, he admitted -- but those are also the versions that are most commonly installed.
In particular, advertising networks have proven to be vulnerable to Flash-based malware.
"Flash advertisements are the primary method in which attacks like malvertising are able to work," he said.
Attackers either buy advertising space legitimately or with stolen credit card numbers, or infiltrate the networks through other channels, and then create ads that exploit Flash vulnerabilities to install malware on users' computers or send users to malicious sites.
Ad networks get blamed for failing to protect users, he said.
"It would be in the best interest of the ad networks to no longer support the use of Flash-based advertisements," he said.
But it's not just about security, added Tim Erlin, director of IT security and risk strategy at Portland, OR-based Tripwire, Inc. It's about the bottom line for the ad networks, as well.
"With more and more users disabling Flash or using a ‘click-to-play’ setting in their browser, Flash-based ads simply aren’t being seen as effectively," he said.
"After all, who specifically enables Flash to view a banner ad?"
Is this the end, my friend?
Many of the features formerly only available via the Flash plugin, like animated graphics, are now part of HTML 5, said Kujawa.
"Flash is becoming obsolete," he said. "This new technology can do everything that Flash can, without the risk of infection or the requirement for users to use browser extensions and plugins that need to be updated."
Flash probably won't go away entirely, he said, and will continue to be used to support older applications that haven't been ported over to HTML 5.
"However Flash should not be relied upon anymore as a popular method of providing dynamic content to users," he said.
On the other hand, Amazon is a relatively small player in the advertising industry, said Anup Ghosh, founder and CEO at Fairfax, Va.-based security firm Invincea, Inc.
And Flash did survive Apple declaring it persona non grata on Apple devices, he added.
"Flash is still used extensively on Web pages beyond advertising, including most of the active content and videos we see on Web pages today," he said. "So Flash exploits probably won't be stopping anytime soon, though seeing it go away from advertising would be a positive step."
Other troubled Web technologies, like Java, are also still around, said Kowsik Guruswamy, CTO at Menlo Park, Calif.-based Menlo Security. It may take years before all the Flash content is gone from the Internet.
Franklyn Jones, CMO at Los Gatos, Calif.-based Spikes Security, suggested that eliminating Flash completely would negatively impact users -- and maybe a different solution can be found.
"It’s understandable why Flash content is getting a bad rap," he said. "But perhaps a better option is to find a way to securely render and isolate Flash content to eliminate the threats but preserve the experience."
A more secure Web
According to Invincea data, the majority of malvertising attacks today take advantage of Flash-based exploits, said Ghosh.
Flash exploits are cyber criminals' favorite tool for drive-by malware downloads and malvertising, said Malwarebytes' Kujawa.
"Removing this insecure technology that makes that possible from the equation will make a huge difference and reduce attacks by a significant amount," he said.
Criminals will then go on to find new ways to attack people, he added.
"But at least, if Flash was phased out, we would be able to breathe a little easier knowing that a huge vulnerability was taken care of," he said.
The industry is moving away from browser plugins like Flash, said Amol Sarwate, head of vulnerability management at Redwood Shores, CA-based Qualys, Inc.
"Traditionally, browser plugins had numerous problems including security, no sandboxing, cross-platform and stability issues, and I believe the web could be more secure with open standards," he said.
"Disabling the ability to run dynamic Flash applications on the majority of systems will absolutely make the Web safer," he added. "Flash and Java have been significant sources of exploitation and compromise over the past few years. Flash makes it easy for attackers to cast a wide net against targets of opportunity."
"Flash should die in favor of HTML 5," said David Goldschlag, SVP of Strategy at San Jose, Calif.-based security firm Pulse Secure, LLC. "Standards based on open protocols tend to be more secure, and more innovative. Flash has already been teetering thanks to the lack of support on mobile devices, and it's time for the transition to complete."