Flash is dead. Long live Flash.

Like a character in a zombie flick, Adobe Flash (formerly Macromedia Flash and Shockwave Flash), the software platform for creating graphics, animation and rich internet applications, refuses to die. Despite a plethora of well-publicized security issues, it's simply too useful and too much a part of current tech culture to go away.

Designed originally with little concern for security, Flash has become a weak link that organizations must plan around and suffer with as they strive to defeat attackers. This chronic problem has led to calls for replacing Flash with something better – or upgrading Flash itself. However, according to Adobe and outside experts, it won't be that simple.

Is Flash in fact dead (or dying)? According to Andrew Frank, an analyst at Gartner, the short answer is “yes.” A better answer, he explains, is that the Flash brand covers a number of technologies, some of which, such as Flash Professional, Adobe's popular tool for producing web animations, will live on under a different name – in this case, Adobe Animate CC. Frank says he expects Adobe to continue to support SWF (Small Web Format), the Shockwave Flash file format, whose files can contain video, vector-based animation and sound. And Adobe will increasingly embrace open standards, particularly HTML5. “Flash concepts also continue to play a role in securing premium video delivery in the Adobe Primetime suite,” he adds.

And just how did something so embedded in modern computing become so problematic? Blame rapid tech evolution. “I think you could summarize a complex history by noting that Adobe's attempts to transition Flash formats into open standards that would be embraced by all mobile platform developers, crucially Apple, were superseded by the evolution of HTML5,” says Frank. Indeed, HTML5 also addresses animation and video and has the advantage of neutral standards-body origins.

So it is no surprise that HTML5 is the alternative to Flash most often mentioned. Adobe, for its part, has developed a tool that converts Flash content to HTML5 (as has Google). More famously, Google-owned YouTube made HTML5 its default player as of January 2015, though Flash is still supported.

On the open source front, a Linux project called Flash 4 (later renamed UIRA) has been proposed as an alternative technology.

Still, Adobe has initiated many programs to improve security. A spokeswoman for the company suggests that some of the animus directed against Flash may be misplaced. In particular, she says, attack techniques that seemed unimaginable even two years ago are commonplace today. The key goal of the industry at large will always be to stay a step ahead of the attackers, she says. However, vulnerabilities and exploits are unlikely to disappear completely as technology and attack techniques evolve. 

“We adjust accordingly and continue to explore new mitigation techniques to defend against attacks,” she says. Critically, she notes, the majority of attacks involving Flash exploits also involve software installations that have not incorporated the latest security updates.

But the company isn't just blaming bad patching practices. The Adobe spokeswoman notes that there have been multiple updates to Flash over the past several years as well as special adaptations within browsers, such as Google Chrome, that have improved security. “Additionally, we continuously perform general security activities, such as heap hardening and general code hardening,” she explains. In 2015, Adobe deployed a rewrite of its memory manager to create the foundation for widespread heap isolation. This change will limit the ability of attackers to effectively leverage use-after-free vulnerabilities (a type of memory corruption flaw that can be leveraged by attackers to execute arbitrary code), she says.
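To make the heap isolation point concrete, here is an added example that is not Adobe's code or anything from the article: a toy fixed-size allocator with a LIFO free list stands in for a heap bin, and a `widget_t` with a callback pointer stands in for a vtable-bearing player object. The same use-after-free bug is run twice, once against one shared bin (the attacker's same-sized byte buffer reclaims the freed object's slot and its callback pointer becomes attacker bytes) and once against per-type isolated bins (the freed slot can only be reused by another widget, so the attacker's bytes never overlap it). The allocator, object layout and 0x41 fill pattern are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 32
#define SLOTS     8

/* One fixed-size bin with a LIFO free list: the most recently freed slot is
 * handed out first, which is exactly the behaviour a UAF exploit relies on. */
typedef struct {
    _Alignas(16) unsigned char mem[SLOTS][SLOT_SIZE];
    int free_stack[SLOTS];
    int top;
} pool_t;

static void pool_init(pool_t *p) {
    p->top = 0;
    for (int i = SLOTS - 1; i >= 0; i--)
        p->free_stack[p->top++] = i;        /* slot 0 ends up on top */
}

static void *pool_alloc(pool_t *p) {
    return p->top ? p->mem[p->free_stack[--p->top]] : NULL;
}

static void pool_free(pool_t *p, void *ptr) {
    int idx = (int)(((unsigned char *)ptr - p->mem[0]) / SLOT_SIZE);
    p->free_stack[p->top++] = idx;
}

/* Constructed "privileged" object: a callback pointer plus some state,
 * standing in for a vtable-bearing C++ object inside the player. */
typedef struct {
    void (*on_event)(int);
    int state;
} widget_t;

static void legit_handler(int v) { (void)v; }

/* Shared heap: after the widget is freed, an attacker-sized byte buffer
 * (think ActionScript ByteArray) reclaims the very same slot. Returns 1 if
 * the dangling widget's callback pointer now consists of attacker bytes. */
static int uaf_under_shared_heap(void) {
    pool_t heap;
    pool_init(&heap);

    widget_t *w = pool_alloc(&heap);
    w->on_event = legit_handler;
    w->state = 1;

    pool_free(&heap, w);                         /* bug: w is still used below */

    unsigned char *attacker = pool_alloc(&heap); /* same bin -> same slot as w */
    memset(attacker, 0x41, SLOT_SIZE);           /* attacker-chosen contents */

    unsigned char pattern[sizeof w->on_event];
    memset(pattern, 0x41, sizeof pattern);
    /* Never call w->on_event here; just observe that it is now 0x4141... */
    return (void *)attacker == (void *)w &&
           memcmp(&w->on_event, pattern, sizeof pattern) == 0;
}

/* Isolated heaps: widgets and raw buffers come from separate partitions, so
 * the freed widget slot can only ever be reused by another widget. Returns 1
 * only if the attacker buffer overlapped w or its callback changed. */
static int uaf_under_isolated_heaps(void) {
    pool_t widget_heap, buffer_heap;
    pool_init(&widget_heap);
    pool_init(&buffer_heap);

    widget_t *w = pool_alloc(&widget_heap);
    w->on_event = legit_handler;
    w->state = 1;

    pool_free(&widget_heap, w);                  /* same bug, unchanged */

    unsigned char *attacker = pool_alloc(&buffer_heap); /* different partition */
    memset(attacker, 0x41, SLOT_SIZE);

    return (void *)attacker == (void *)w || w->on_event != legit_handler;
}

int main(void) {
    printf("shared heap: attacker controls callback? %d\n", uaf_under_shared_heap());
    printf("isolated heaps: attacker controls callback? %d\n", uaf_under_isolated_heaps());
    return 0;
}
```

The caveat a practitioner should keep in mind is visible in the second function: the dangling pointer is still there, and the slot can still be reclaimed by another object of the same type. Heap isolation does not fix the use-after-free; it removes the cheap type-confusion primitive (attacker bytes where a pointer used to be) that turns such bugs into code execution, which is why Adobe describes it as a mitigation rather than a fix.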

Gartner's Frank points to HTML5 and WebGL support in Adobe Animate CC as another important modernization. “Adobe claims over a third of content created in Flash Professional uses HTML5, so I believe Adobe is committed to supporting its users as they transition to open formats,” he says. 

Rick Holland, SVP and principal analyst at Forrester Research, points to his own experience to illustrate the Flash conundrum. “I myself have disabled Flash on my computer,” he says. “Still, because so many sites I visit want me to enable Flash, I have set up a special browser just for that purpose.” He also disputes the notion that Flash is indispensable because even with Flash disabled, on many websites there is little noticeable loss of functionality.

But Flash is out there. And its vulnerabilities have made it closely associated with so-called watering hole attacks, in which attackers compromise websites that a targeted group of users is known to visit, so that the site itself infects its visitors. “Flash is one of the tools used for taking over a website and pushing out malware,” he explains.

On the bulk of “public” web pages, Holland predicts that there will be little movement away from Flash simply because there is little incentive and few immediate benefits. 

For enterprises, a key action would be to look at one's own web properties and understand which ones use Flash -- and then determine if it is really necessary. “If you are in an industry that is suffering a lot of watering hole attacks and strategic web compromises, it will be important to have protection on your endpoints, too, because you could be vulnerable to a zero-day attack,” says Holland. Tools such as Palo Alto Networks Traps can also help prevent endpoints from being attacked, he explains.
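The inventory step Holland describes is harder than grepping for the word "Flash", because pages usually pull in a SWF without ever naming it. The following is an added example, not code from the article or from any vendor mentioned in it: a small scanner that checks HTML for the markers that actually indicate Flash content (the `application/x-shockwave-flash` MIME type, the Flash Player ActiveX `classid`, `swfobject.js` and its `embedSWF` call, and direct `.swf` references). The three sample pages are constructed; the marker list is a reasonable first pass, not an exhaustive one.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring search; strcasestr is a GNU extension, so roll our own. */
static const char *find_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return hay;
    }
    return NULL;
}

/* Ways a page pulls in Flash without the word "Flash" ever appearing in prose. */
static const char *const FLASH_MARKERS[] = {
    "application/x-shockwave-flash",               /* <object type=..> / <embed type=..> */
    "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000",  /* Flash Player ActiveX classid */
    "swfobject",                                   /* swfobject.js embedding library */
    "embedswf",                                    /* swfobject.embedSWF(...) calls */
};
#define N_MARKERS (sizeof FLASH_MARKERS / sizeof FLASH_MARKERS[0])

/* ".swf" only counts when it ends a filename or URL, so "x.swfx" or ".swf.bak" don't fire. */
static int has_swf_reference(const char *html) {
    const char *p = html;
    while ((p = find_ci(p, ".swf")) != NULL) {
        unsigned char next = (unsigned char)p[4];
        if (next == '\0' || next == '"' || next == '\'' || next == '?' ||
            next == '#' || isspace(next))
            return 1;
        p += 4;
    }
    return 0;
}

/* Number of distinct Flash indicators found (0 means no Flash detected). */
static int flash_marker_count(const char *html) {
    int count = 0;
    for (size_t i = 0; i < N_MARKERS; i++)
        if (find_ci(html, FLASH_MARKERS[i])) count++;
    return count + has_swf_reference(html);
}

static int page_uses_flash(const char *html) { return flash_marker_count(html) > 0; }

/* Constructed sample pages (not real sites). */
static const char *const SAMPLE_OBJECT_EMBED =
    "<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"640\">"
    "<param name=\"movie\" value=\"intro.swf\">"
    "<embed src=\"intro.swf\" type=\"application/x-shockwave-flash\"></object>";

static const char *const SAMPLE_SWFOBJECT =
    "<script src=\"/js/swfobject.js\"></script>"
    "<script>swfobject.embedSWF(\"player.swf\", \"vid\", \"640\", \"480\", \"10.0.0\");</script>";

static const char *const SAMPLE_HTML5 =
    "<p>We no longer use Adobe Flash on this site.</p>"
    "<video src=\"clip.mp4\" controls></video>";

int main(void) {
    printf("object/embed page: %d markers\n", flash_marker_count(SAMPLE_OBJECT_EMBED));
    printf("swfobject page:    %d markers\n", flash_marker_count(SAMPLE_SWFOBJECT));
    printf("html5 page:        %d markers\n", flash_marker_count(SAMPLE_HTML5));
    return 0;
}
```

Note that the HTML5 sample mentions Flash in its text and still scores zero, while the swfobject sample never contains the word and scores three: inventorying by markup markers rather than prose is what finds the pages that actually load a plugin. Run over crawled copies of your own properties, the count per page gives a quick priority list for the "is it really necessary" conversation.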

In other words, as with other security vulnerabilities, a key to survival is having visibility “into what's going on,” adds Holland.

Unfortunately, functionality and ease of use (and ease of development) still seem to trump security for many organizations and individuals, he notes. While some may still be unaware of the vulnerabilities posed by Flash, others know but can't muster a commitment to change. “As with Java, this is still a story about a long tail,” he says. Fortunately, while Flash may also be deployed extensively it is generally in less critical locations than Java, he notes.

In the end, Flash is not dead but it is being wound down slowly, says Al Hilwa, program director, software development research at IDC, a global market intelligence and advisory firm. Hilwa says its fate was sealed going back to the “Thoughts on Flash” memo from Steve Jobs (see https://www.apple.com/hotnews/thoughts-on-flash/). In that long document, Jobs declared independence from Flash not only because of its security issues but also because it was often linked to crashes on Apple products. More fundamentally, though, Jobs pointed out that Flash was a creature of its times. With its roots in the mid-1990s, it did its work, video decoding in particular, in software. Now, though, to support performance and to reduce demands on battery life, most devices handle video processing through specialized hardware. Thus, Flash is a bit of an antique.

In reality, says Hilwa, Adobe started shifting away from being strategically dependent on Flash over four years ago. “We can point to the time in 2011 when Adobe stopped developing Flash for mobile platforms,” he says. The remaining challenge is that developer and designer skills shift slowly and a great deal of content and websites, including the top web games, are still in Flash. What's more, hundreds of thousands of developers and designers continue to use Flash, which means the technology will be around for some time. Therefore, he adds, “platform owners like Google, Microsoft and now Facebook have an interest in keeping it secure.” And so does everyone else. 
