Google is the latest, announcing recently that by Q4 of this year, HTML5 would be the default in the Chrome browser, except for content on 10 high-traffic, high-profile sites such as YouTube, Facebook, Yahoo, Amazon, Twitch and Live.com.
“We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site,” said Anthony LaForge, a technical program manager with the Google Chrome team.
LaForge said in a post to the Chromium-dev mailing list that the whitelist would disappear after one year, and in the interim, sites would be removed from the list if usage no longer warrants an exception.
“While Flash historically has been critical for rich media on the web, today in many cases HTML5 provides a more integrated media experience with faster load times and lower power consumption,” LaForge said. “This change reflects the maturity of HTML5 and its ability to deliver an excellent user experience.”
Members of Google’s Project Zero research outfit have been instrumental in finding and privately disclosing vulnerabilities in Flash Player. Adobe continues to patch Flash Player at a monthly or better frequency, having already this year pushed out a pair of out-of-band emergency updates addressing zero-day vulnerabilities under attack.
Project Zero team member Natalie Silvanovich said during a talk at the recent Infiltrate Conference in April that she spends most of her day looking at Flash Player vulnerabilities, and shared a timeline, spanning back to the start of 2015, of Flash bugs she and others at Google found and reported.
Silvanovich said during her talk that despite the rancor against Flash and demands for it to be deprecated, things are better.
“I was finding one bug a day at the start,” she said. “And now it’s probably one bug a week.”
Silvanovich said that efforts by Adobe to introduce new exploit mitigations into the Flash Player code base have slowed down exploit development and made it more difficult for researchers looking for bugs. Silvanovich said that, for example, use-after-free bugs are more difficult to exploit and that other classes of vulnerabilities such as redefinition bugs may be going away. She added that information garnered from the Hacking Team data breach last summer was also important to her work.
“The Hacking Team dump was an unprecedented source of information on how Flash exploits work in the wild,” she said during her talk.
Adobe too, however, is conceding that Flash has likely run its course. Last December, Adobe said that its Animate CC development tool will primarily support HTML5 over Flash.
“Our customers have clearly communicated that they would like our creative applications to evolve to support multiple standards and we are committed to doing that,” Adobe said in announcing the move.
Adobe has committed to Flash feature development and security updates to lessen the risks around the software; it’s unlikely Flash will ever completely disappear since too many legacy applications and too much existing web content rely on Flash.
That means that hackers will continue to prey on Flash; the Hacking Team, for example, had at least two zero days at its disposal, and government agencies and commercial outfits such as Zerodium covet Flash zero days.