Flash is Dying a Death by 1,000 Cuts, and That’s a Good Thing

The end of Adobe’s video carrier is nigh as Amazon marks the first of the big-name advertisers to block Flash ads, while Google’s Chrome will ‘intelligently pause’ them

Samuel Gibbs

Monday 24 August 2015 10.24 EDT


Adobe’s Flash, hated the world over for slowing down computers, containing more security holes than Swiss cheese and stubbornly remaining the video carrier of choice until recently, is dying.

Video players are migrating to other systems, even if Microsoft’s Silverlight isn’t much better. HTML5-based video and animations are becoming mainstream, and uploaders and other more advanced web-based features can now be replaced with code that doesn’t rely on Flash.

And it’s happening for a good reason. As other components of a web browser and operating system have become more secure, Flash is one of the biggest sources of security vulnerabilities. Hackers love it.

Hacking Team’s commercially available government-supplied tools, for instance, relied on holes in Flash to hack individuals and companies: users were unknowingly digitally broken into just by browsing sites.

Even Adobe, Flash’s developer, doesn’t seem to love the much-maligned system. Like Microsoft with Windows XP, Adobe’s been trying to migrate companies away from using its own tools while putting out fires left, right and center.

The one major holdout against dumping Flash wholesale has been advertisers. In June, over 100m adverts were displayed to users globally with Flash, while 84% of banner ads are still Flash, according to Ad Age.

Google took the first step by announcing that come September its Chrome browser will not run Flash adverts by default, meaning that the user has to click to enable the advert, something virtually no one is likely to do. Firefox also blocked Flash over security concerns.

Now Amazon has banned Flash ads from appearing on its ad platform across its sites. Amazon is not the biggest advertising platform, but it is one of the first big-name ones to adopt such a policy.

It marks the beginning of the end for Flash (Occupy Flash will be happy). More advertising platforms are likely to follow. When Chrome and its 51% of global browsers, according to data from Statcounter, start to “intelligently pause” Flash ads in September, advertisers will be forced to switch wholesale.

The reasons for Flash to exist will then, hopefully, peter out to embedded tools and systems built within Flash, such as administrative tools. Most home users will no longer be burdened with Flash, which will be good for your computer, your battery, your security and your sanity.

For those that want to experience a Flash-free world right now, it is possible to disable Flash entirely within your browser or set it to require a click to enable it each time something wants to use Flash.

Mobile devices such as iOS and Android smartphones and tablets have mostly been Flash-free for years and they work just fine for the most part. Soon everything will have that speedy, Flash-free existence and humanity will be all the better for it.

Warning Over Adobe Flash Vulnerability Revealed by Hacking Team Leak

Tech company promises patch within a day for major new flaw uncovered by leak of 400GB of documents from hacking firm

Alex Hern | @alexhern

Wednesday 8 July 2015 05.15 EDT


An unpatched security flaw in Adobe Flash, discovered then kept secret by Italian cyber-surveillance firm Hacking Team, is now being used by malware developers to hack victims’ computers following the leak of over 400GB of data from the company’s servers.

Adobe, which says it expects to publish a patch for the vulnerability at some point on Wednesday, warns that “successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system”.

Symantec warned on Tuesday that “it can be expected that groups of attackers will rush to incorporate it into exploit kits before a patch is published by Adobe”. And, sure enough, it appears that virus writers are already using the security flaw to deliver cryptolocker software, which encrypts a user’s data and demands payment to unlock it, on to unsuspecting computers.

The Hacking Team hack, which saw a BitTorrent file of the massive data dump posted to the company’s public Twitter feed, contained emails, presentations and source code for its software.

The initial effect of the leak was an embarrassing number of revelations about the actions and clients of the firm, which largely provides software for law enforcement and national security to hack into the computers and mobile devices of targets.

But the leak also included the code for much of the company’s hacking software, and now virus writers are incorporating the code into their own malware. While many of the security holes used in the company’s “remote control service” (the name for its hacking software) were already publicly known and patched, there were a few vulnerabilities the company had managed to keep secret.

Known as “zero-day” vulnerabilities – because the affected companies have had zero days to release a patch – they are now being used by the wider community of malware authors, as well as Hacking Team itself. The new vulnerabilities were even accompanied by readme files, intended for internal use at Hacking Team to explain how to deploy them, which likely further reduced the time until the virus authors were able to use them in their own software.

Until the Adobe Flash patch is published, web users should be wary of visiting untrusted websites, and may want to enable “click to play” to prevent untrusted Flash files from activating.

Questions in Brussels

Meanwhile, Dutch MEP Marietje Schaake has asked pointed questions in the European parliament about the revelations contained within the Hacking Team data dump. The documents suggest that Hacking Team’s clients include Russia and Sudan, two countries covered by EU sanctions.

Schaake asked of the commission whether it believed that the company “has violated EU sanctions regimes”.

She also asked the commission whether it knew of “any prior authorization given by the Italian authorities that would allow Hacking Team to export its products to Sudan or Russia”, and whether or not the company asked the commission explicitly about export controls to those two countries.

In one document leaked from Hacking Team, which listed a number of nations as either “active” or “expired” clients, Sudan and Russia were both marked out as “not officially supported”.