A flashy rise and a reluctant fall of Adobe Flash

If it is not possible to get rid of risky software for some reason, it is better to operate in a “presumption of guilt” mode, with an efficient security solution keeping it in check and preventing exploits from leading to successful attacks, targeted ones included.

Adobe Flash is a historical platform that has permeated the entire Web, and only recently started giving ground to newer technologies such as HTML5. It still has an immense range of applications, from Web animations and banners to games and interactive presentations. As such, it has spread across almost all of the Windows-based PCs connected to the Web in the world. Unfortunately, it also has a long history of successful exploitation by cybercriminals.

Rise to fame

It would take too long to tell the whole story of Flash. So, we’ll just point out some highlights. The software was initially called SmartSketch, then FutureSplash, then Macromedia (Shockwave) Flash and eventually Adobe Flash, after Adobe bought it ten years ago along with the Macromedia company. The name Macromedia is still around, though, and for a reason.

It was Macromedia who introduced loads of modern features such as MovieClips, JavaScript, and later ActionScript with all of its advanced programming capabilities, along with video container functions. This eventually led to Flash becoming the de facto standard for video online – YouTube initially used it as its “weapon of choice” to conquer the world in its entirety.

Macromedia distributed a free Flash Player, which allowed it to quickly gain market share. By the time of Adobe’s buyout, more computers worldwide had the Flash Player installed than any other Web media format, including Java, QuickTime, Windows Media Player, or the almost forgotten RealNetworks’ RealMedia plugin.

The platform’s versatility, together with support for video and, since 2011, 3D graphics, ensured its success, and it would be fair to say that Adobe’s buyout of Macromedia along with further development of Flash was indeed a spectacular achievement. As with Photoshop, Adobe has had a de facto industry-standard tool, with millions of developers, billions of users, and countless examples of use.

Unfortunately not all of them are legit.

Wheels of fortune

Flash has had its share of criticism over the years, as is always the case with any popular (and especially hyper-popular) software: vendor dependency, a dissatisfying experience on mobile devices (due to heavy CPU load and battery drain), and many other issues. In 2010, the late Apple head Steve Jobs wrote a memorable open letter on why Apple chose not to support Flash on its mobile devices.

Mr. Jobs quite openly said that Flash belongs to the PC era, while the mobile era is at hand, and it is all “about low power devices, touch interfaces, and open web standards – all areas where Flash falls short.”

He also mentioned that Flash has had “one of the worst security records in 2009.”

“We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash,” Jobs wrote.

That was, again, in 2010.

Fast forward five years, and we observe a steady, steamy stream of nasty Flash-related security hiccups, which led to a massive thumbs-down ragefest both in social media and hi-tech mass media outlets.

Wired published the “Flash. Must. Die.” headline in mid-July, and the first paragraph reads: “Adobe Flash, that insecure, ubiquitous resource hog everyone hates to need—is under siege, again, and hopefully for the last time.”

Facebook chief security officer and ex-Yahoo CISO Alex Stamos called on Adobe to set an “end-of-life date for Flash”, and Mozilla disabled all current versions of the plug-in by default in its Firefox browser (they later re-enabled it). Even Google has been limiting Flash’s impact. Last month, it announced that future versions of Chrome will “intelligently pause” Flash-based content that isn’t part of a website’s core experience (e.g. video ads).

The reason? There are many. In fact, almost as a matter of routine, Adobe has to issue emergency patches. But it was a recent disastrous data breach that ignited the current anti-Flash crusade.

This is especially so since a previously unknown Flash vulnerability in the leaked data dump was quickly weaponized, which means it wouldn’t take long for any business to “feel the taste” of this kind of attack.

Longevity and security

Every technology, solution, and platform becomes obsolete one day, even the most popular ones. Perhaps Flash has outlived its usefulness, especially since there are newer – and arguably better – alternatives such as HTML5 (which is, unlike Flash, an open standard). Or maybe it hasn’t: after all, it is up to Adobe to decide whether it has a need and interest to regain the ground Flash has definitely lost lately. It is clear that Flash isn’t going to die out on a whim, but perhaps it is the right time to let it go.

At present, Flash is a notorious source of serious security concerns, with multiple exploits packed into a number of kits, and a “good” possibility of yet-unknown zero days being exploited against unsuspecting targets. It is also installed on almost every other PC, which forms a huge attack surface. Meanwhile, security experts point out that there is life without Flash, and that doing without it doesn’t really cripple the working experience. So, unless you are a huge die-hard fan of Flash games, it can be dropped with ease.

At least until Flash gets upgraded to stop being a source of permanent headache for your IT staff, which is, frankly speaking, unlikely to happen any time soon. The more appropriate way to go is to simply get rid of the problem altogether, if at all possible. It is not uncommon for old junk (obsolete software included) to grow into a constant source of cyberthreats, which there is no need to tolerate.

And if it is not possible to get rid of risky software for some reason, it is better to operate in a “presumption of guilt” mode, with an efficient security solution keeping it in check and preventing exploits from leading to successful attacks, targeted ones included.
