Citing security concerns, Sen. Ron Wyden is urging the government to create a plan to transition away from Adobe Flash before the vendor stops supporting it in 2020.
To that end, the Oregon Democrat delivered a formal request to the National Security Agency and the National Institute of Standards and Technology (NIST) to mandate a ban on Flash, via an open letter sent Wednesday to the agencies.
“Flash is widely acknowledged by technical experts to be plagued by serious, largely unfixable cybersecurity issues that could allow attackers to completely take control of a visitor’s computer, reaching deep into their digital life,” Wyden wrote.
In 2020, in collaboration with Apple, Facebook, Google, Microsoft and Mozilla, Adobe will retire the much-maligned Flash Player. Open standards such as HTML5, WebGL and WebAssembly will replace Flash after it is phased out of use, and Adobe will no longer provide security updates.
Wyden pointed out that the government has “too often failed to promptly transition away from software that has been decommissioned.”
Windows XP is one example of this lack of modernization at the federal level: According to the senator, the U.S. government has spent “millions of dollars” on premium extended support for the operating system since Microsoft retired it in April 2014.
Wyden is calling for a government mandate that will require agencies to cease deploying Flash-based content, and to remove Flash-based content from their websites, by Aug. 1, 2019. He is also calling for the creation of a small pilot program that removes Flash from government employee desktops by March 1 of next year.
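Meeting such a mandate starts with knowing where Flash content lives. The following is an added example, not code from the letter or from any agency tool: a small inventory scanner that flags the HTML constructs that embed Flash (the `application/x-shockwave-flash` MIME type, the Flash Player ActiveX `classid`, and `.swf` references in `src`, `data` or `<param name="movie">`). The sample markup is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
# CLSID of the Flash Player ActiveX control used by legacy <object classid=...> markup
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
# Matches a path ending in .swf, optionally followed by a query string or fragment
SWF_RE = re.compile(r"\.swf(?:[?#]|$)", re.IGNORECASE)


class FlashFinder(HTMLParser):
    """Collects (tag, line, reasons) for every tag that embeds Flash content."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs parse as None
        reasons = []
        if tag in ("object", "embed"):
            if a.get("type", "").lower() == FLASH_MIME:
                reasons.append("type=" + FLASH_MIME)
            if a.get("classid", "").lower() == FLASH_CLSID:
                reasons.append("classid=Flash ActiveX control")
            for attr in ("src", "data"):
                if SWF_RE.search(a.get(attr, "")):
                    reasons.append(f"{attr} references .swf")
        elif tag == "param" and a.get("name", "").lower() == "movie":
            if SWF_RE.search(a.get("value", "")):
                reasons.append("param movie references .swf")
        if reasons:
            self.findings.append((tag, self.getpos()[0], reasons))


def find_flash(html):
    """Return a list of (tag, line_number, reasons) for Flash embeds in the page."""
    parser = FlashFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legacy Flash embed plus two non-Flash media elements.
SAMPLE = """<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="400">
  <param name="movie" value="/media/intro.swf">
  <embed src="/media/intro.swf" type="application/x-shockwave-flash">
</object>
<video src="/media/intro.mp4" controls></video>
<object type="image/svg+xml" data="/img/chart.svg"></object>
</body></html>"""

if __name__ == "__main__":
    for tag, line, reasons in find_flash(SAMPLE):
        print(f"line {line}: <{tag}> {'; '.join(reasons)}")
```

Point the parser at crawled page bodies to build the removal list; the `<video>` and SVG `<object>` in the sample are left alone, which is the check that matters when replacing Flash with HTML5 media.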
For more than a decade, the ubiquitous Flash player has been a favorite target for attacks; the typical gambit involves browser pop-ups that trick users into installing and running a bogus Flash player, which turns out to actually be malware. Flash has also been abused by hackers who exploit vulnerabilities in the legitimate Flash player; its appeal lies in the fact that a single Flash exploit could target multiple browsers, since most of them supported the plugin.
Despite progress in hardening its attack surface, Flash security holes still dominate the threat landscape. Since 2005, it has amassed over 1,050 unique CVE entries. That’s more than Windows XP or Internet Explorer, according to CVEDetails.com.
Last year alone, there were 71 unique CVEs associated with Flash, with 56 of them rated critical and allowing attackers to remotely execute code. Just this month, Adobe patched two Flash bugs – a critical arbitrary code execution bug (CVE-2018-5007) and an important-rated information disclosure bug caused by an out-of-bounds read (CVE-2018-5008).
This state of affairs is only set to get worse once Adobe ceases support for the player. Like Windows XP, Flash is likely to live on in legacy installations across the web for years, perhaps decades, to come, and more vulnerabilities are sure to surface. After 2020, though, there won’t be patches for newly discovered flaws, which will turn Flash into a wide-open doorway into networks for cybercriminals.
“The U.S. government should begin transitioning away from Flash immediately, before it is abandoned in 2020,” Wyden wrote.