Designed originally with little concern for security, Flash has become a weak link that organizations must plan around and suffer with as they strive to defeat attackers. This chronic problem has led to calls for replacing Flash with something better – or upgrading Flash itself. However, according to Adobe and outside experts, it won't be that simple.
Is Flash in fact dead (or dying)? According to Andrew Frank, an analyst at Gartner, the short answer is “yes.” A better answer, he explains, is that the Flash brand represents a number of technologies, some of which, such as Flash Professional, Adobe's popular tool for producing web animations, will live on under a different name – in this case, Adobe Animate CC. Frank says he expects Adobe to continue to support Flash's SWF (small web format), a file extension for a Shockwave Flash that can contain video and vector-based animations and sound. And, Adobe will increasingly embrace open standards, particularly HTML5. “Flash concepts also continue to play a role in securing premium video delivery in the Adobe Primetime suite,” he adds.
And just how did something so embedded in modern computing become so problematic? Blame rapid tech evolution. “I think you could summarize a complex history by noting that Adobe's attempts to transition Flash formats into open standards that would be embraced by all mobile platform developers, crucially Apple, were superseded by the evolution of HTML5,” says Frank (left). Indeed, HTML5 also addresses animation and video and has the advantage of neutral standards-body origins.
So, it is no surprise that HTML5 is often mentioned as an actual alternative to Flash. Adobe, for its part, has developed a tool that converts Flash to HTML5 (as did Google). More famously, Google-owned YouTube made HTML5 its default player as of January 2015, though Flash is still supported.
On the open source front, a Linux Project called Flash 4 (later renamed UIRA) has been proposed as an alternative technology
Still, Adobe has initiated many programs to improve security. Spokesperson Erika Strong suggests that some of the animus directed against Flash may be misplaced. In particular, she notes, attack techniques that seemed unimaginable even two years ago are commonplace today. The key goal of the industry at large will always be to stay a step ahead of the attackers, she says. However, vulnerabilities and exploits are unlikely to disappear completely as technology and attack techniques evolve.
“We adjust accordingly and continue to explore new mitigation techniques to defend against attacks,” says Strong. Critically, she notes, the majority of attacks involving Flash exploits also involve software installations that have not incorporated the latest security updates.
But the company isn't just blaming bad patching practices. Strong notes that there have been multiple updates to Flash over the past several years as well as special adaptions within browsers, such as Google Chrome, that have improved security. “Additionally, we continuously perform general security activities, such as heap hardening and general code hardening,” she explains. In 2015, Adobe deployed a rewrite of its memory manager to create the foundation for widespread heap isolation. This change will limit the ability for attackers to effectively leverage use-after-free vulnerabilities (a type of memory corruption flaw that can be leveraged by hackers to execute arbitrary code), Strong says.
Gartner's Frank points to HTML5 and WebGL support in Adobe Animate CC as another important modernization. “Adobe claims over a third of content created in Flash Professional uses HTML5, so I believe Adobe is committed to supporting its users as they transition to open formats,” he says.