Microsoft, Google to Block Flash by Default in Edge, Chrome

Microsoft followed Google’s lead and said it will soon block Flash Player by default in the Edge browser.

The acceleration of Flash’s ride off into the sunset hit top speed on Wednesday, with Microsoft following up a similar announcement last week from Google that it would block Flash by default in the Chrome browser.

Google confirmed last Friday that it would be moving to HTML5 by default in Chrome in a measured rollout beginning this week with 1 percent of Chrome 55 users.

Microsoft, meanwhile, described how in the next version of Edge, Flash will be blocked by default on sites that support HTML5.

“In these cases, Flash will not even be loaded, improving performance, battery life, and security,” said Microsoft’s Crispin Cowan, a former Linux security expert and now longtime member of Microsoft’s security operation. “For sites that still depend on Flash, users will have the opportunity to decide whether they want Flash to load and run, and this preference can be remembered for subsequent visits.”

Microsoft cautioned that it would regulate how quickly it moves to HTML5 by default across the board. For example, Microsoft said the changes would not immediately impact most popular sites still reliant on Flash.

“In the coming months, we will actively monitor Flash consumption in Microsoft Edge and will gradually shorten the list of automatic exceptions,” Cowan said. “At the end of this process, users will remain in control, and will be able to choose Flash for any site they visit.”

This summer, Apple and Mozilla also said they would begin to reduce their support of Flash in Safari and Firefox respectively. While most of these changes are couched in language of features and performance, the shadow cast by constant reports of serious security vulnerabilities in Flash cannot be escaped.

Just this week, the most recent Flash Player update from Adobe included a patch for a zero-day vulnerability under attack. This year, there have also been emergency security updates for Flash in April, May, June and October, proving that attackers are still finding ways to exploit victims regardless of improvements to the code and swift patching by Adobe.

In 2015, Adobe took new measures to secure the weak spots in Flash favored by attackers, adding mitigations to the software to hold off memory-based attacks. Regardless, a report by security company Recorded Future released last week pointed out that six of the top 10 vulnerabilities used in exploit kits were Flash Player bugs; the report singled out a zero-day patched in October 2015 that found its way into seven different exploit kits.

A little more than a year ago, Adobe began an internal movement away from Flash and toward HTML5; it renamed Flash Professional to Animate and said it would be Adobe’s preferred platform for HTML5 content development.

“Our customers have clearly communicated that they would like our creative applications to evolve to support multiple standards and we are committed to doing that,” Adobe said in announcing the move.

As expected, it’s the browser makers that will truly accelerate Flash’s deprecation. Google, for example, said that HTML5 by default will be enabled for 50 percent of Chrome 56 beta users, and when Chrome 56 stable is rolled out in February, it will be enabled for all users.

“Starting in January users will be prompted to run Flash on a site-by-site basis for sites that they have never visited before,” said Google’s Eric Deily in a post to the Chromium blog last week. “We want to avoid over-prompting users, so over time we’ll tighten this restriction using Site Engagement Index, a heuristic for how much a user interacts with a site based on their browsing activity. In October all sites will require user permission to run Flash.”
