Adobe to kill Flash (in 3½ years): It's 2015 all over again

Richi Jennings Your humble blogwatcher, dba RJA
RIP, Flash
 

Flash Player gets a date for EOL. If you’re still relying on Flash plugins in 2021, you’ll be SOL. That’s the not-very-startling news from Adobe this week.

In recent years, it seemed as if Flash was a constant source of zero-day vulnerabilities. So infosec professionals have welcomed the news. But others aren’t so sure.

It’s a shame we have to wait until the end of 2020. In this week’s Security Blogwatch, we come to praise Flash, not to bury it (only joking).

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: It’s déjà vu all over again 

Flash: Savior of the universe? Frederic Lardinois greases the wheels, with Get ready to finally say goodbye to Flash:

Adobe today announced that Flash … will be phased out by the end of 2020. [It] doesn’t come as a major surprise. … Flash (and especially outdated versions of it) quickly became one of the main targets for hackers.

To be fair, Adobe probably wanted Flash to go away as much as everybody else. … At this point, there’s very little that Flash can do that HTML5 can’t handle.

It’s a miracle? Shaun Nichols hopes for no more updates, support, tears, pain:

Programmers, designers and companies whose websites still rely on Flash … are being encouraged to start planning now to transition to … HTML5 [or] WebGL, though they probably should have already done that already.

The announcement will be welcome news for security professionals. … The notoriously insecure Flash Player plugin has emerged in recent years as the favorite target for automated exploit kits.

In the meantime, however, it will be at least another three-plus years of dutifully patching Flash Player every month.

King of the impossible? Let’s hear from Adobe’s spokesdroids:

Adobe has long played a leadership role in advancing interactivity and creative content … on the web. [But] open standards like HTML5, WebGL and WebAssembly … now provide many of the capabilities and functionalities [so] have become a viable alternative.

We will … encourage content creators to migrate any existing Flash content to these new open formats. … We remain committed to supporting Flash through 2020, as customers and partners put their migration plans into place. … This will include issuing regular security patches, maintaining OS and browser compatibility and adding features.

He’s for every one of us. Brian Feldman will save every one of us: [You’re fired—Ed.]

Another day, another crumbling pillar of the ugly old internet finally collapses. … For years, Flash … gobbled up system memory and was a persistent security vulnerability.

What’s left now is an incalculably sprawling cleanup operation. … What will become of Flash-powered sites like Homestar Runner and Newgrounds and approximately 14 bazillion spammy banner ads?

He’s just a man, with a man’s courage. James O’Brien (@sparrk) says we shouldn’t laugh:

While you're busy sniggering about this, don't forget it means a ton of legacy content will disappear. Or does link rot not count this time?


No one but the pure in heart may find the golden grail. Channeling #45, it’s JLP !@DC/BH (@jlphpc):

I'd be happier if they'd deprecate it by 2018. Flash is still a top bane of #secops. Installed everywhere, used little, many vulns. BAD!

But Train0987 dreads 1/1/2021:

The day they end support for Flash there will be millions of vulnerable PC's with Flash installed that will never be patched. We're still going to be dealing with Flash problems for years to come, there just won't be any more security patches. It'll be open season with all the 0-days.


Speaking of kings, this anonymous coward calls it a Pyrrhic victory:

The alternatives aren't really much better. … At least with Flash we had the ability to just … disable it.

It can [be] impossible, to separate "good" JavaScript from "unwanted" JavaScript for any given page. … WebAssembly is particularly insidious. … WASM's binary encoding makes it even harder to figure out what remotely-served code executing in the browser will actually try to do.

You’d be surprised at all the enterprisey Flash dependencies, according to Tristan Payne:

VMware vCenter's Web UI by default runs in Flash. … There's an option for an HTML5 interface, but it's not feature-complete and is far buggier and laggier.

I hope that this gives VMware the kick in the pants to finally … finish up the HTML5 version.


Meanwhile, cue a million Apple fanbois, screaming, “Steve was right!!1!” Here’s curun1r:

It was bewildering how bad Flash on the Mac was. Simple animations and videos would spin all of my cores up into the high 90%s. I installed a CPU throttling command line tool and would set the flash process to 30% of one core and the animation or video would still play fine.

I've always wondered whether part of the monetization of Flash was an embedded Bitcoin Miner or other such code to make use of our spare CPU cycles.

The moral of the story? Old, vulnerable code never dies. It only fades away (slowly).

And finally …

The death of Flash? Haven’t we been here before? Yes, in 2015:

Hat tip: Geoffrey Thomas (@geofft)


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk.

Image source: JD Hancock (CC BY 2.0)
