Ah, Adobe Flash, the bane of every security professional’s existence. The amount of hacking incidents that have resulted from this permeable Adobe product are far too many to count. As such, many in the InfoSec world have been begging major tech companies to drop the Flash Player all together. Slowly these companies have been listening and now we have the first definitive stance against usage of Flash by default.
In separate announcements, Google and Microsoft spoke about how they intend to block Flash in their newest browser versions in favor of HTML5 alternatives. In either case, be it for Edge or Chrome, the approaches are similar. In their Chromium blog, Google stated that HTML5 will be the default in Chrome and that the “change disables Adobe Flash Player unless there’s a user indication that they want Flash content on specific sites, and eventually all websites will require the user’s permission to run Flash.”
As for Microsoft, in their Edge Developer blog, the company announced that “Sites that support HTML5 will default to a clean HTML5 experience. In these cases, Flash will not even be loaded … for sites that still depend on Flash, users will have the opportunity to decide whether they want Flash to load and run.”
It should be noted that the transition to HTML5 alternatives for Adobe Flash will be a gradual process. It is likely that many high-traffic sites will still be using Flash, so it is ultimately up to user discretion if they wish to risk being vulnerable to hacking. It should be noted that at the time of this report yet another Flash zero-day was discovered and patched by Adobe.
Even Adobe knows that Flash’s time is nearly up as they, according to Kaspersky’s Threatpost, started an internal shift toward HTML5 and away from the Flash Player for the new “Flash Professional to Animate.” If the company that created Flash is phasing it out, it is safe to say that the obsolete plugin is about to be buried for good.
Photo credit: Flickr / Thiemo Gillissen