Is Flash Dead?

Flash has become a nightmare for people in the security industry, with tale after tale of vulnerabilities being found in the ageing development environment. But is it time to call it a day for the Adobe Flash Player?

This may have already been answered for us, with Adobe themselves saying in July 2017 that it would stop distributing the player and fully kill it off by 2020 (Adobe End of Life Announcement [1]). This could have been foreseen for a long while, though, as Apple decided to ditch Flash from their iOS devices in 2010 [2], with Android following suit in 2012 [3].

How will the web cope with the loss of Flash from our browsers? Many companies will already be aware of this issue and have started to migrate existing Flash services to more up-to-date technologies like HTML5. However, there are still many companies and services relying on Flash for critical services like training materials, video players and even some login scripts.
(Not to mention the nostalgia of playing flash games!)

Most of the reason for Flash being culled is the hacker's paradise it created: because of its age and its prevalence across the internet, so many hackers have been finding holes in this ageing platform that Adobe has had a large headache keeping up. The scale of the problem becomes clear from looking at the CVE numbers: over 667 vulnerabilities found since 2015, 321 of them rated critical. [4] These have ranged from the tame, to background bitcoin miners, to full remote code execution.

These vulnerabilities don't just affect the web. Malicious Flash content can be embedded into Office documents, which can then be emailed to a victim, highlighting the importance of disabling scripts as well as ensuring a robust email security solution.
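As an added illustration of the email-gateway check the paragraph above calls for (example code written for this page, not something from the original post or from Adobe), the scanner below looks for Flash movie (SWF) headers inside attachments. An SWF starts with the three-byte signature FWS, CWS or ZWS, a one-byte version and a little-endian uncompressed length; Office OOXML files are zip containers, so each member is inspected separately. The sample document and the version/length plausibility limits are constructed assumptions for the demonstration.

```python
import io
import re
import struct
import zipfile

# SWF magic: "FWS" (uncompressed), "CWS" (zlib), "ZWS" (LZMA), followed by a
# one-byte version and a little-endian uint32 uncompressed file length.
SWF_MAGIC = re.compile(rb"[FCZ]WS")


def find_swf_headers(data: bytes) -> list:
    """Return offsets in a byte blob where a plausible SWF header begins."""
    hits = []
    for match in SWF_MAGIC.finditer(data):
        off = match.start()
        if off + 8 > len(data):
            continue
        version = data[off + 3]
        (length,) = struct.unpack_from("<I", data, off + 4)
        # Plausibility limits (assumed for this example) cut false positives
        # from the letters "FWS" appearing in ordinary text.
        if 1 <= version <= 64 and 8 <= length <= 64 * 1024 * 1024:
            hits.append(off)
    return hits


def scan_attachment(name: str, data: bytes) -> list:
    """Scan one attachment; zip-based Office files are opened member by member."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for off in find_swf_headers(zf.read(member)):
                    findings.append(f"{name}:{member}@{off}")
    else:
        for off in find_swf_headers(data):
            findings.append(f"{name}@{off}")
    return findings


def build_sample_docx() -> bytes:
    """Constructed input: a minimal OOXML-style zip with an embedded SWF header."""
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 1234) + b"\x00" * 40
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_attachment("quarterly.docx", build_sample_docx()))
    print(scan_attachment("notes.txt", b"The FWS report is attached"))
```

Running it flags the embedded object in the constructed document and reports nothing for the plain-text attachment whose "FWS" is just a word.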

Not all is lost if you still need to run Flash Player within your business: the latest version of Flash Player has all currently known vulnerabilities patched. You can check whether you are on the latest version here: http://helpx.adobe.com/flash-player.html

Flash losing popularity could be down to technologies like HTML5 and WebGL appearing, which, being modern, are far more capable and efficient and place a greater focus on security.

Now that Flash is officially dead, we will see more companies removing legacy Flash applications and moving across to more modern tools. Given the investment involved, this will take time, so for now what can businesses do to protect themselves?

Companies should ensure they have up-to-date web gateway and email gateway protection to try to strip out any malicious code before it can run. Also, if your business does not need to run any Flash applications, Flash can be disabled or made 'click to play' in the browser by following the steps below.

IE removal

Within Internet Explorer, head to the settings 'Gear' in the top right of the browser, then select 'Manage Add-ons' -> 'Toolbars and Extensions', find Flash, right-click it and choose 'Disable'.

This will stop all Flash content from running.

Chrome removal (or click to play)

In Chrome, head to 'chrome://settings/content/flash'. Here you can disable the content entirely or choose 'Ask first' for a 'click to play' option.

Firefox removal (or click to play)

In Firefox, click the menu icon and select 'Add-ons', find Adobe Flash and set it to either 'Ask to Activate' (click to play) or 'Never Activate'.

(Flash could also be uninstalled from the PC altogether to ensure it cannot be run.)

Ant Robinson – Senior Cybersecurity Specialist


[1] Adobe – Flash & The Future of Interactive Content
https://theblog.adobe.com/adobe-flash-update/

[2] Apple – Thoughts on Flash
https://www.apple.com/hotnews/thoughts-on-flash/

[3] BBC – Adobe Flash Player exits Android Google Play store
http://www.bbc.co.uk/news/technology-19267140

[4] CVEdetails.com – Flash vulnerabilities
https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html