For those who haven’t seen the writing on the wall, it’s finally being read aloud for you. Google is removing Flash from Chrome, and they’ve laid out a timetable for doing it.
Timeline of the Flash Phase-Out
When Chrome 53 rolls out this September, it will start blocking tiny Flash-enabled content. Content of this kind is typically used for things such as page analytics. Although it runs in the background, Flash-based page analytics can drag down a web page’s load time and responsiveness while also draining precious battery life.
But that’s just a prelude to what will happen before the year ends. When Chrome 55 arrives in December, that iteration of the world’s most widely used web browser will feature HTML5 as the default enabler for all web media. When that happens, it will signal the end of Adobe Flash’s lengthy reign as the de facto platform for web animations, games, videos, and interactive content.
Many people saw this coming. Back in September 2015, Chrome 42 was released with a default setting that paused Flash-enabled animations that were smaller than 400 x 300 pixels. That default setting did not include content 5×5 pixels and below. The main reason? There was no other way to detect viewability then. With the introduction of Intersection Observer, that is no longer an issue.
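To see which Flash elements on your own pages fall into the size classes mentioned above, the following added example (not code from the original article or from Chrome) inventories `<object>` and `<embed>` tags in a page's HTML and buckets them by the 5×5 and 400 x 300 thresholds. It reads only the `width`/`height` attributes, treats "smaller than 400 x 300" as both dimensions being under the limit (an assumption), and its bucket names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
FLASH_MIME = "application/x-shockwave-flash"

def _px(value):
    # Pixel count from a width/height attribute; None for percentages or missing values.
    try:
        return int(str(value).strip().lower().replace("px", ""))
    except ValueError:
        return None

def classify(width, height):
    # Size buckets follow the thresholds quoted in the article.
    w, h = _px(width), _px(height)
    if w is None or h is None:
        return "unknown-size"      # sized by CSS or percentages: needs a manual look
    if w <= 5 and h <= 5:
        return "tiny"              # 5x5 and below, e.g. background analytics
    if w < 400 and h < 300:        # assumption: both dimensions under the limit
        return "small"
    return "main"

class FlashAudit(HTMLParser):
    # Records Flash <object>/<embed> tags; an <embed> fallback nested in a Flash <object> counts once.
    def __init__(self):
        super().__init__()
        self.findings, self._depth = [], 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("data") or a.get("src") or ""
        flash_type = (a.get("type") or "").lower() == FLASH_MIME
        is_flash = tag in ("object", "embed") and (flash_type or src.lower().split("?")[0].endswith(".swf"))
        if is_flash and not self._depth:
            self.findings.append((tag, src, classify(a.get("width"), a.get("height"))))
        if tag == "object" and (is_flash or self._depth):
            self._depth += 1       # track nesting so inner fallbacks are skipped
    def handle_endtag(self, tag):
        if tag == "object" and self._depth:
            self._depth -= 1

def audit(html):
    parser = FlashAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """<object type="application/x-shockwave-flash" data="/stats/beacon.swf" width="1" height="1"></object>
<embed src="/ads/banner.swf?id=7" width="300" height="250">
<object data="/player/video.swf" width="640" height="360"><embed src="/player/video.swf" width="640" height="360"></object>
<embed src="/widgets/clock.swf" width="100%" height="80">"""
```

Calling `audit(SAMPLE)` returns one `(tag, source, bucket)` tuple per Flash element, which gives a site owner a list of content to migrate before the browser defaults change.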
Chrome isn’t the only browser distancing itself from Flash. The makers of Edge, Firefox, and Safari have all announced similar plans. Like Google, they plan on starting with click-to-play settings before eventually blocking Flash content by default.
Although what most people notice are the browser crashes, the battery drain, and the sluggish webpage responses, Flash has one more weakness that’s making it even more difficult for companies to justify supporting it. Flash has too many vulnerabilities. Adobe releases security updates quite often, yet the vulnerabilities just keep popping up.
This onslaught of vulnerabilities is the primary reason why Flash is a constant target of exploit kits and other attack packages that pave the way for ransomware, viruses, rootkits, trojans, and a host of other malware. When malware infects systems through drive-by downloads, it’s usually through Flash plugin vulnerabilities.
Flash can put businesses at even greater risk when system admins and users fail to patch or when a zero-day vulnerability emerges. A zero-day is a vulnerability that’s initially unknown to the vendor (in this case, Adobe). Until the vendor is informed of the vulnerability, and more importantly, releases a security update, that vulnerability can be exploited.
Because Flash is used in a wide range of Web elements, attackers can get quite creative in crafting an exploit. An attacker can gain access to a system by tricking users into doing any of the following:
- Launch a PDF
- Play a video
- Visit a website (drive-by downloads)
- Install the “Flash plugin”
- Or even install a “critical Flash update”
When the time comes for Flash to finally bow out, it will be taking along with it the security holes that attackers have long been taking advantage of.
So does that mean the Web will now be a safer place? Hopefully. HTML5, Flash’s designated successor for browser enhancement and rich internet applications, is considered to be more secure – at least for now. But to clarify, HTML5 is no panacea. It has its own share of vulnerabilities (e.g. XHR, tag, fat client, and DOM vulnerabilities, to mention a few). We’ll talk about those HTML5 vulnerabilities in a later post. In the meantime, if you’re looking to enhance the security of your organization, give us a trial run today.