As you are reading this, there are security holes in Flash that are currently being used by crackers to hijack computers.
By Swapnil Bhartiya, CIO
If you remember, back in 2011 there was a massive breach of Gmail accounts in an attempt to steal information about senior U.S. government officials, Chinese political activists, military personnel and journalists. Many fingers pointed at vulnerabilities in Adobe Flash that may have been exploited by crackers.
I don’t recall the last time I heard anything good about Adobe Flash. Every time a journalist wastes ink on Flash, it’s always about new security vulnerabilities. Always. And Flash is in the news again — for all the wrong reasons.
Recently, the IT infrastructure of the infamous spyware firm Hacking Team was breached. The culprit, once again, was Adobe Flash, along with its buddy Internet Explorer.
Adobe responded by releasing a patch, though the damage was already done. And that was not the end of it. After the patch release, two more critical vulnerabilities were found in Flash; Adobe has yet to release patches for them. As you are reading this story, bad people around the globe are busy exploiting those vulnerabilities and taking control of PCs.
Beyond the porous nature of Flash, which provides a perfect attack vector, the bigger concern around Flash is its closed nature. Since it’s proprietary, technology experts can’t audit the source code to see if there are indeed any backdoors that are being exploited by spy agencies like the NSA or GCHQ.
Second, we have to rely on Adobe, which has failed to make Flash secure. If it were an open source project, the brightest minds from the community could have taken over the project and kept it secure and updated. In the Linux and open source world, patches are released in a matter of hours, not months, after a vulnerability is discovered.
Pressure to end Adobe’s dominance
The industry seems to have had enough of Flash and is starting to protest. Mozilla has blocked all versions of Flash on its Firefox browser by default. Google has also started to nail Flash by pausing Flash content by default on future releases of its Chrome browser. System76, a small company that sells Ubuntu PCs, has announced it has purged Flash plug-ins from its systems.
The strongest words come from Alex Stamos, the new security chief at Facebook, who tweeted, “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.”
Stamos is quite firm about this, stating in the following tweet: “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.”
In other words, we need a concrete death date of Flash so the industry can plan, prepare and move on.
Flash is almost extinct. Why won’t Adobe kill it?
Adobe Flash is already an extinct animal on mobile devices. Neither Apple nor Google support Flash on their platforms, meaning it has no future in this space. It exists only on the desktop, which many claim is a dying breed itself.
But Adobe hasn’t given any indication of killing Flash. And it probably won’t want to give up a technology that single-handedly dominated the web.
Adobe didn’t fix Flash after Steve Jobs wrote his infamous blog banning Flash from all iOS devices, losing the entire iOS empire, along with Android one. So now the question is this: Why isn’t Adobe killing the technology? Why is it keeping it alive on an insecure support system, causing irreparable damage to those who use it.
Will Adobe take a stand and give up its insecure dominance of the web, or will it continue to try to patch Flash? I don’t know. My advice to you (whether you are on Linux, Windows or Mac OS X) is to remove any Flash plug-in from your system and move to Google Chrome, which offers a more contained Flash experience via the Pepper plug-in. The Adobe technology may still pose serious risks to your digital life, but these simple moves could help.