The acceleration of Flash’s ride off into the sunset hit top speed on Wednesday, with Microsoft following up a similar announcement last week from Google by saying it would block Flash by default in the Edge browser.

Google confirmed last Friday that it would be moving to HTML5 by default in Chrome in a measured rollout beginning this week with 1 percent of Chrome 55 users.

Microsoft, meanwhile, described how in the next version of Edge, Flash will be blocked by default on sites that support HTML5.

“In these cases, Flash will not even be loaded, improving performance, battery life, and security,” said Microsoft’s Crispin Cowan, a former Linux security expert and now longtime member of Microsoft’s security operation. “For sites that still depend on Flash, users will have the opportunity to decide whether they want Flash to load and run, and this preference can be remembered for subsequent visits.”

Microsoft cautioned that it would regulate how quickly it moves to HTML5 by default across the board. For example, Microsoft said the changes would not immediately impact most popular sites still reliant on Flash.

“In the coming months, we will actively monitor Flash consumption in Microsoft Edge and will gradually shorten the list of automatic exceptions,” Cowan said. “At the end of this process, users will remain in control, and will be able to choose Flash for any site they visit.”

This summer, Apple and Mozilla also said they would begin to reduce their support of Flash in Safari and Firefox respectively. While most of these changes are couched in language of features and performance, the shadow cast by constant reports of serious security vulnerabilities in Flash cannot be escaped.

Just this week, the most recent Flash Player update from Adobe included a patch for a zero-day vulnerability under attack. This year, there have also been emergency security updates for Flash in April, May, June and October, proving that attackers are still finding ways to exploit victims regardless of improvements to the code and swift patching by Adobe.

In 2015, Adobe took new measures to secure the weak spots in Flash favored by attackers, adding mitigations to the software to hold off memory-based attacks. Regardless, a report by security company Recorded Future released last week pointed out that six of the top 10 vulnerabilities used in exploit kits were Flash Player bugs; the report singled out a zero-day patched in October 2015 that found its way into seven different exploit kits.

A little more than a year ago, Adobe began an internal movement away from Flash and toward HTML5; it renamed Flash Professional to Animate and said it would be Adobe’s preferred platform for HTML5 content development.

“Our customers have clearly communicated that they would like our creative applications to evolve to support multiple standards and we are committed to doing that,” Adobe said in announcing the move.

As expected, it’s the browser makers that will truly accelerate Flash’s deprecation. Google, for example, said that HTML5 by default will be enabled for 50 percent of Chrome 56 beta users, and when Chrome 56 stable is rolled out in February, it will be enabled for all users.

“Starting in January users will be prompted to run Flash on a site-by-site basis for sites that they have never visited before,” said Google’s Eric Deily in a post to the Chromium blog last week. “We want to avoid over-prompting users, so over time we’ll tighten this restriction using Site Engagement Index, a heuristic for how much a user interacts with a site based on their browsing activity. In October all sites will require user permission to run Flash.”

Comments (2)

  1. Flash Supporter
    1

    All software has security risks. Now, try and follow me on this. The attack on Flash is an attempt to remove plugins that compete with sales from app stores.

    Steve Jobs attacked Flash because it was a threat to his app store. He said it was a security threat and when Adobe defended Flash he started listing features that Flash didn’t have enabled on mobile devices.

    The biggest attack vector is the browser itself including JavaScript. You now have popular websites everyone goes to being infected by advertisements served through cross site JavaScript.

    Google, Apple and Microsoft all have their own app stores. Flash in the browser is able to run full apps, games and video. This cuts into their profit margin. They say they value the open web yet they attack Flash.

    They then attack Flash in the news as a security vulnerability when in fact Flash Player has had a better security record than all of the browsers for multiple years on end. Look at the data in NSVD.

    The thing that these companies like Google, Microsoft and Apple are not telling you is that they are installing their own plugins, and without your permission (or in fine print), into all of your browsers while decrying plugins as security risks.

    Look up the EME plugin. This allows special tracking and adds DRM to video content. Mozilla was the only company with ethics and morals to oppose it but they now install it anyway! Then they attack Flash. They are hypocrites.

    Firefox had severe security vulnerabilities but instead of “Firefox is dead! Uninstall Firefox!” here is how the news reported it:
    http://www.eweek.com/security/mozilla-ups-security-tracking-protection-in-firefox-43.html

    When they bring up Flash there is a distinct bias in the news. Half of it is competition, half of it is journalists attempting to get clicks on their story by this made up war between Flash and HTML5 and the other half are web developer hacks that are parroting what they hear from journalists or organizations with vested interests in competing technology.

    While Flash Player is used as a tool for video and games, JavaScript can infect your computer through ads served on the most popular websites:
    https://heimdalsecurity.com/blog/javascript-malware-explained/

    And Adobe has never said they will stop supporting Flash; they’ve said they are offering tools that support other technology as well as Flash. They’ve also said that Google is implementing a click to play.

    Look in your browser and look in the plugins sections. You’ll see plugins from Apple (Quicktime, App store launcher), Google (Hangouts) and Mozilla (EME).
