When it comes to Flash, the only thing you hear more about than its ubiquity is its problems. Despite denunciations from some of technology’s biggest names, Adobe’s Flash Player still seems to be everywhere. For almost ten years now, people have been dealing with the security warnings, critical updates and browser incompatibilities for which Flash is infamous. Yet even now, 0-day exploits of Flash’s seemingly unending vulnerabilities threaten users, as third-party Flash ads on otherwise trusted websites are used to breach security. The result is that any application or service that relies on Flash lowers its overall resiliency. With privacy and security concerns higher than ever, that’s a price fewer people are willing to pay.
Having the most up-to-date Flash version isn’t enough. All of the 0-day vulnerabilities exploited in the past were effective against the latest version, and every successful exploit raises Flash’s reputation as an effective attack vector, which in turn increases the number of people trying to exploit it. One might remember Steve Jobs’ 2010 open letter, creatively titled “Thoughts on Flash”, where he wrote “Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash.” Fast-forward to 2016 and you get Google’s announcement that it will phase out all Flash ads within a year.
Customers aren’t looking to fix Flash, or improve it. They’re abandoning it completely. The fact is, there are better technologies available, such as HTML5, to replace Flash and they don’t have the baggage of a chronically insecure and unstable product. It’s difficult to tout Flash as an effective content delivery system when security issues force browser developers to block the plugin by default, as Mozilla did in July of 2015. People have been commenting on the death of Flash for some time now, but here we are and Flash is alive and...well, it’s alive anyway.
The exploit code is being used by the politically-motivated cyberespionage group Pawn Storm in a widespread spear phishing campaign targeted at various government entities.
One reason for this is that applications people want to use have been built on top of Flash. More than just an audio-video delivery system, Flash is the platform for millions of games written specifically for it. Even some enterprise software requires Flash, meaning those businesses are tied to Flash whether they like it or not, unless they replace their software entirely. Flash has also been known for cross-platform compatibility, offering a way to create content once and make it accessible to a wide audience on many different devices. While this may have set Flash apart ten years ago, there are now other ways to achieve those goals without resigning yourself to Flash’s shortcomings, and with industry leaders abandoning the technology it will only become less compatible over time.
Here's what you can do to keep protected:
This list of CVE details provides a clear picture of the ongoing problems Flash has and causes. It's worth noting that almost every single one of these vulnerabilities has a CVSS score between 9 and 10, the most severe range, and allows remote code execution and/or denial of service. As recently as March 10th of this year, a critical Flash vulnerability was exploited in targeted attacks.
All of this has driven many users to disable the plugin completely, prompting tech news outlets to provide detailed how-tos. Because Flash exploits can give attackers full access to a compromised device, businesses should move away from software that incorporates Flash and consider policies to disable it across user workstations, because ultimately they have to ask: is suffering a data breach due to Flash-delivered malware worth it?