Adobe Flash Player not dead, still a security problem
Adobe Flash Player is not only not dead, it won’t be for a long time. The browser plug-in that powers a multitude of online games and media playback—and that is notorious for its security holes—has plenty of life left in it despite declining use.
Many of Flash Player’s security problems have “allowed attackers to directly access control of the app itself,” Web security expert Robert Hansen of WhiteHat Security said. Because of the way Flash is built, that can include surreptitious control of your computer’s microphone and camera.
So when software maker Adobe Systems announced last week that is changing the name of its pro-level animation suite from Adobe Flash Professional to Adobe Animate, many media outlets jumped to a long-held conclusion that the company would dump the browser plug-in. Animate, Adobe said, will include support for Flash, its proprietary software, along with HTML5, the open-source language on which the Web is built.
“Now it would be a dangerous proposition to base your business model on Flash.” — Robert Hansen, Web security expert, WhiteHat Security
Unlike previous versions of HTML, the latest supports media playback. For a browser to run Flash content embedded in a website, it must have a Flash Player plug-in. Eventually, experts predict, HTML5 will do everything Flash can.
Rumors of Flash’s demise greatly exaggerated
This prediction has been a holy grail of browser development for years, most famously in 2010, when Steve Jobs reiterated in an open letter his refusal to support Flash on iPhones and iPads.
“The avalanche of media outlets offering their content for Apple’s mobile devices demonstrates that Flash is no longer necessary to watch video or consume any kind of Web content,” Jobs wrote at the time, and Apple’s mobile devices are even more popular now than they were then.
Yet five years later, Flash isn’t even close to dead. It is used less often for Web-based animation, and Google recently stopped Flash-based advertising from appearing to its Chrome browser users, citing security and performance concerns, but Flash is not going away anytime soon—and neither are the regular security updates it needs to remain safe to use. While Flash is used by significantly fewer websites overall than it was five years ago, down to 10 percent from 29 percent, the top 1,000 sites have been slower to move away. More than 15 percent of the top 1,000 websites still use it, down from only 22 percent in 2010.
So if Flash isn’t even close to death, is there any benefit to Web security? Hansen said the move “puts Webmasters and Web designers on notice. It encourages them to move away sooner rather than later. Now it would be a dangerous proposition to base your business model on Flash.”
Adobe declined to comment for this story, but it wrote in its blog post about the change that it wants Web designers to use “Web standards”—an indication that while it will continue to support Flash for the foreseeable future, the company is willing to downplay its own software.
“Looking ahead, we encourage content creators to build with new Web standards, and will continue to focus on providing the best tools and services for designers and developers to create amazing content for the Web,” the company wrote.
But having to fiddle with an Adobe Flash update once a month or so on your desktop or laptop? For now, it’s one Web tradition that isn’t going away.