The Adobe Flash Conundrum: Old Habits Die Hard
Is it time to hop off the endless cycle of Flash vulnerabilities and updates?
Last week has not been great for Adobe Flash. The 440GB of leaked Hacking Team emails has become a treasure trove for vulnerability hunters. Over the past 7 days, Flash was hit by three separate vulnerabilities:
At this time, only the first vulnerability has been patched. Adobe has already promised to fix the two remaining issues sometime this week, but this does not guarantee the extinction of future vulnerabilities for the platform. It is then only fair to ask: Is it time to stop using Adobe Flash?
Flash has been something of a security house of horrors for some time. For many years, this blog has been documenting various Flash vulnerabilities. Each time, consumers have had little recourse except to be careful about what sites they visit, disable Flash if they felt particularly concerned, and wait for Adobe to release an update.
The disclosure of the three Hacking Team zero-days has exposed just how vulnerable Flash is to vulnerabilities. If a relatively small company like Hacking Team (with all of 40 employees) can spot vulnerabilities this potent, imagine the tools available to other parties (such as nation-states)? Previously we only had suspicions of how bad this problem was; now we have a more precise idea of the risk.
In an ideal world, we’d say that Flash, in its current form, needs to go away. Either it is replaced by new web technologies (like HTML5), or Adobe finds a way to make Flash secure. However, neither is likely to happen.
Using Flash is much like smoking: we know it’s bad for us, but we can’t quit anyway. Despite the risks, people will continue to use it because security by itself is not a solid-enough incentive to do otherwise. Site owners will continue to use Adobe Flash for their websites since it entails less cost and good user experience. Users, on the other hand, will still use Flash because the sites they frequently visit require it. With both developers and users dependent on Flash, it’s safe to say that we won’t the see the end of Adobe Flash anytime soon.
So what can be done now?
For end users, the advice is simple: uninstall Adobe Flash if you are certain that you do not need it. Another option is to use a browser that has a click-to-run mode (available for Chrome and Firefox users) when running Adobe Flash. This reduces its attack profile significantly.
Will uninstalling Adobe Flash be a difficult experience?
A few years ago, it would have been unthinkable. Flash was too handy in providing multimedia to users, whether it be in the form of animation, videos, etc. However, things have changed. Flash substitutes now exist. The notable absence of Flash on iOS and Android has meant that alternatives have been developed. These said alternatives also work just fine on desktops. These will not guarantee 100% security, but they will be less of a problem compared to sticking with Flash.
For businesses, if you’re building a new web site, please consider not using Flash. Not only is it a security nightmare, it’s also an incredible resource hog for your users. And for your mobile customers, it’s pretty much useless. Google is already saying that a site’s mobile-friendliness may be cued as a score for its search ranking. Google is “encouraging” sites to become more mobile-friendly, and not using Flash is a good step in that direction.
To summarize: the zero-days Hacking Team revealed are only the latest in a long and continuing series of Adobe Flash zero-days. While Flash is a security risk that rightly deserves to go away, it will hang around in the foreseeable future. What we can do as end users and companies is to mitigate these issues moving forward.