{"id":15085,"date":"2015-07-28T16:11:37","date_gmt":"2015-07-28T16:11:37","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=4283"},"modified":"2019-11-15T07:03:06","modified_gmt":"2019-11-15T12:03:06","slug":"flash-rise-fall","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/flash-rise-fall\/15085\/","title":{"rendered":"A flashy rise and a reluctant fall of Adobe Flash"},"content":{"rendered":"<p>Adobe Flash is a historical platform that has permeated the entire Web, and has only recently started giving ground to newer technologies such as HTML5. It still has an immense range of applications, from Web animations and banners to games and interactive presentations. As such, it has spread across almost all of the Windows-based PCs connected to the Web in the world. Unfortunately, it also has a long history of successful exploitation by cybercriminals.<\/p>\n<p><strong>Rise to fame<\/strong><\/p>\n<p>It would take too long to tell the whole story of Flash, so we\u2019ll just point out some highlights. The software was initially called SmartSketch, then FutureSplash, then Macromedia (Shockwave) Flash and eventually Adobe Flash, after Adobe bought it ten years ago along with the Macromedia company. The name Macromedia is still around, though, and for a reason.<\/p>\n<p>It was Macromedia that introduced loads of modern features such as MovieClips, JavaScript, and later ActionScript with all of its advanced programming capabilities, along with video container functions. 
This eventually led to Flash becoming the de facto standard for video online \u2013 YouTube initially used it as its \u201cweapon of choice\u201d to conquer the world in its entirety.<\/p>\n<p>Macromedia distributed a free Flash Player, which allowed it to quickly gain market share. By the time of Adobe\u2019s buyout, more computers worldwide had the Flash Player installed than any other Web media format, including Java, QuickTime, Windows Media Player, or the almost forgotten RealNetworks\u2019 RealMedia plugin.<\/p>\n<p>The platform\u2019s versatility, together with support for video and, since 2011, 3D graphics, ensured its success, and it would be fair to say that Adobe\u2019s buyout of Macromedia along with further development of Flash was indeed a spectacular achievement. As with Photoshop, Adobe has had a de facto industry-standard tool with millions of developers, billions of users, and countless examples of use.<\/p>\n<p>Unfortunately, not all of them are legit.<\/p>\n<p><strong>Wheels of fortune<\/strong><\/p>\n<p>Flash has had its share of criticism over the years, as is always the case with any popular (and especially hyper-popular) software: vendor dependency, a dissatisfying experience on mobile devices (due to noticeable CPU and battery life drain), and many other issues. In 2010, the late Apple head Steve Jobs wrote a <a href=\"https:\/\/www.apple.com\/hotnews\/thoughts-on-flash\/\" target=\"_blank\" rel=\"noopener nofollow\">memorable open letter<\/a> on why Apple chose not to support Flash on its mobile devices:<\/p>\n<p>Mr. 
Jobs quite openly said that Flash belongs to the PC era, while the mobile era is at hand, and it is all \u201cabout low power devices, touch interfaces, and open web standards \u2013 all areas where Flash falls short.\u201d<\/p>\n<p>He also mentioned that Flash has had \u201cone of the worst security records in 2009.\u201d<\/p>\n<p>\u201cWe have been working with Adobe to fix these problems, but they have persisted for several years now. We don\u2019t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash,\u201d Jobs wrote.<\/p>\n<p>That was, again, in 2010.<\/p>\n<p>Fast forward five years, and we observe <a href=\"https:\/\/threatpost.com\/?s=flash\" target=\"_blank\" rel=\"noopener nofollow\">a steady, steamy stream of nasty Flash-related security hiccups<\/a>, which led to a massive thumbs-down ragefest both in social media and hi-tech mass media outlets.<\/p>\n<p>Wired published the\u00a0<a href=\"http:\/\/www.wired.com\/2015\/07\/adobe-flash-player-die\/\" target=\"_blank\" rel=\"noopener nofollow\">\u201cFlash. Must. Die.\u201d<\/a> headline in mid-July, and the first paragraph reads: \u201cAdobe Flash, that insecure, ubiquitous resource hog everyone hates to need\u2014is under siege, again, and hopefully for the last time.\u201d<\/p>\n<p>Facebook chief security officer, ex-Yahoo CISO Alex Stamos called on Adobe for an \u201cend-of-life date for Flash\u201d, and Mozilla disabled all current versions of the plug-in by default in its Firefox browser (they later re-enabled it). Even Google has been limiting Flash\u2019s impact. 
Last month, it announced that future versions of Chrome will \u201cintelligently pause\u201d Flash-based content that isn\u2019t part of a website\u2019s core experience (e.g. video ads).<\/p>\n<p>The reason? There are many. In fact, almost as a matter of routine, Adobe has to issue emergency patches. But it was a recent <a href=\"https:\/\/threatpost.com\/hackers-release-hacking-team-internal-documents-after-breach\/113612\" target=\"_blank\" rel=\"noopener nofollow\">disastrous data breach<\/a> that ignited the current anti-Flash crusade.<\/p>\n<p>It did so especially because the leaked data dump contained a previously unknown Flash vulnerability that was quickly <a href=\"https:\/\/threatpost.com\/hacking-team-flash-zero-day-weaponized-in-exploit-kits\/113663\" target=\"_blank\" rel=\"noopener nofollow\">weaponized<\/a>, which means it wouldn\u2019t take long for any business to \u201cget a taste\u201d of this kind of attack.<\/p>\n<p><strong>Longevity and security<\/strong><\/p>\n<p>Every technology, solution, and platform becomes obsolete one day, even the most popular ones. Perhaps\u00a0Flash has outlived its usefulness, especially since there are newer \u2013 and arguably better \u2013 alternatives such as HTML5 (which is, unlike Flash, an open standard). Or maybe it hasn\u2019t: after all, it is up to Adobe to decide whether it has the need and the interest to regain the ground Flash has definitely lost lately. It is clear that Flash isn\u2019t going to die out on a whim, but perhaps it is the right time to let it go.<\/p>\n<p>At present, Flash is a well-known source of serious security concerns, with multiple exploits packed in a number of kits, and a \u201cgood\u201d possibility of yet-unknown zero days being exploited against unsuspecting targets. It is also installed on almost every other PC, which forms a huge attack surface. 
Meanwhile, security experts point out that <a href=\"http:\/\/krebsonsecurity.com\/2015\/06\/a-month-without-adobe-flash-player\/\" target=\"_blank\" rel=\"noopener nofollow\">there is a life without Flash<\/a>, and that it doesn\u2019t really cripple the working experience. So, unless you are a huge die-hard fan of Flash games, it can be dropped with ease.<\/p>\n<p>At least until Flash gets upgraded to stop being a permanent headache for your IT staff, which is, frankly speaking, unlikely to happen any time soon. The more appropriate way to go is to simply get rid of the problem altogether, if at all possible. It is not uncommon for <a href=\"https:\/\/business.kaspersky.com\/a-story-about-an-undead-protocol-and-old-junk\/4185\" target=\"_blank\" rel=\"noopener nofollow\">old junk<\/a> (obsolete software included) to grow into a constant source of cyberthreats, which there is no need to tolerate.<\/p>\n<p>And if it is not possible to get rid of risky software for some reason, it is better to operate in a \u201cpresumption of guilt\u201d mode, with an efficient security solution keeping it in check and preventing exploits from resulting in successful attacks, <a href=\"https:\/\/business.kaspersky.com\/case-6-automatic-exploit-prevention-against-targeted-attacks\/1338\" target=\"_blank\" rel=\"noopener nofollow\">targeted ones included<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If it is not possible to get rid of risky software for some reason, it is better to operate in a \u201cpresumption of guilt\u201d mode, with an efficient security solution keeping it in check and preventing exploits from resulting in successful attacks, targeted ones 
included.<\/p>\n","protected":false},"author":209,"featured_media":15620,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[1171,958,268],"class_list":{"0":"post-15085","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-exploits","10":"tag-flash","11":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/flash-rise-fall\/15085\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/flash-rise-fall\/14994\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/flash-rise-fall\/15085\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/flash-rise-fall\/15085\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/exploits\/","name":"exploits"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15085","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15085"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15085\/revisions"}],"predecessor-version":[{"id":30442,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15085\/revisions\/30442"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15620"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15085"}],"wp:term":[{"taxonomy":"category","embeddable":tru
e,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15085"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15085"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}