Earlier this year, I asked “Are We Witnessing the Death of Flash?” in a blog post prompted by a series of Flash exploits and a negative industry response to the ubiquitous software. At the time, Amazon and Google each announced they would be blocking or pausing Flash ads.
This week, Adobe told people to stop using Flash. Except really they just mean to stop using the Flash authoring tool. In its announcement, Adobe cites recent trends in HTML5 and open web standards, which have driven the creation of Adobe Animate CC. Of course, the question remains: is a rose by any other name still just as insecure?
A Bromium survey of Black Hat attendees found that 90 percent of security professionals believe their organization would be more secure if it disabled Flash. Unfortunately, this announcement from Adobe seems like little more than a marketing move. Adobe Animate CC has the potential to produce HTML5, but it can still produce Flash content.
The announcement itself has nothing to do with Flash players and Flash content, which refuse to die, despite being an overwhelmingly popular attack vector. For example, malicious advertisements can be served through Flash without an end user even having to click on them.
The only silver lining to this announcement is that Adobe is well aware of the security issues of Flash and has pledged to continue working with Google and Microsoft to secure Flash content. Adobe is also working with Facebook to ensure the security of Flash-based games on Facebook.
There continues to be a huge amount of Flash content out there, especially video and gaming content, and we plan to do all we can to keep Flash Player stable and secure because it is the responsible thing to do.
There is a very real risk that some Web sites will become unusable or insecure because of all of the Flash content that exists. Even if Adobe pledges to keep supporting Flash, not every organization will be able to manage.
If you’re an optimist, this announcement from Adobe acknowledges the ongoing adoption of the more-secure HTML5 standard and a commitment to better security, but if you’re a realist, you know that Flash content refuses to die.
Earlier this year, Brian Krebs spent a month without Adobe Flash, so uninstalling the browser plug-in is certainly an option. However, 41 percent of organizations believe that disabling Flash would break critical applications or negatively impact productivity.
Another option is to deploy threat isolation security solutions. Bromium vSentry uses micro-virtualization to isolate the Web browser from the host system. This means that users can keep using Flash, even if it is vulnerable, because any threats (even zero-day attacks) will be contained in a micro-VM.