In the first five weeks of this calendar year, Adobe had to hustle to patch multiple critical unpatched zero-day vulnerabilities that hackers were actively exploiting in Flash. Security firm Trend Micro reported seeing about 3,300 “hits” related to one exploit, which allowed hackers to infect video site Dailymotion and its users, among others, via computer-hijacking malware, by the time Adobe got around to releasing a security advisory about it.
This was enough to lead The Register to declare “Enough is ENOUGH: It’s time to flush Flash back to where it came from – Hell” in one of its more-than-typically snarky headlines. Calling Flash apologists “the antivaxxers of the Internet,” the article argued: “… If you’re still using the plug-in, you may as well hang a sign out for hackers reading: ‘Here’s my arse, please kick it. And then empty my [bank] account.’”
Apple’s Line in the Sand
These criticisms are far from new. In April 2010, Steve Jobs wrote an open letter titled “Thoughts on Flash” and published it to Apple’s website. The letter served as a tempered yet outstandingly harsh denouncement of Adobe’s signature platform. Citing basic technology, reliability, performance, and, yes, security issues, Jobs outlined why Apple refused to allow Flash on any of its mobile devices.
Among many other reasons for eschewing Flash — including the platform’s closed, proprietary nature compared to that of technologically superior open standards such as HTML5 — Jobs cited then-recent Symantec research indicating that Flash had “one of the worst security records” for the previous year. (Although Symantec had detected four more vulnerabilities in Apple QuickTime than in Adobe Flash in 2009, Flash remained one of the most attacked applications that year — and was repeatedly criticized in Symantec’s report.)
“We…know first hand [sic] that Flash is the number one reason Macs crash,” wrote Jobs. “We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.”
A February article-cum-press release in the San Francisco Chronicle paints a picture of an Adobe that has made a huge comeback despite these criticisms, pointing out that the company “has become one of the hottest technology stocks on Wall Street by transforming its core business” – specifically, by focusing more on digital marketing and its “Creative Cloud” solution.
And, as one reads between the lines, by paying only lip service to its Flash platform.
Even Adobe Not That Enthusiastic
Adobe abandoned all plans to bring Flash to Apple’s iOS, and its subsequent rollout of Flash for Android proved disastrous. In November 2011, Adobe announced that it would cease all mobile Flash development in favor of HTML5 — later pulling Flash support entirely for Android in 2012.
Meanwhile, TechCrunch has noted that “Flash had never been a huge business for Adobe, even when development for interactive websites using the plug-in were in high demand.”
To be sure, as Adobe has enjoyed its potentially overpriced stock (trading at approximately 150 times the company’s earnings), suffered from reduced revenues and shifted its focus to cloud development, the company has failed to substantially improve Flash; the same basic security and technological flaws of Flash that Jobs cited five years ago apparently persist. It is little wonder, then, that Flash’s security remains lackluster.
Accordingly, other tech heavies are now starting to join Apple in shunning Adobe Flash. On February 25 (one day after the San Francisco Chronicle’s love letter), Google announced that the company will now automatically convert ads on the Google Ads Display Network from Flash to HTML5 by default. The move comes on the heels of an announcement by YouTube (which is owned by Google) last month that the video platform would also default to HTML5 — a move that has been in the works since 2010.
Mozilla, too, is working on ditching Flash; its new Project Shumway allows Firefox users to access and play certain Flash content without actually having to use Adobe’s Flash plug-in.
Adobe does not have the best track record for information security. The company’s need to constantly patch its software has become a joke of meme-worthy proportions. Its cloud services suffered a massive breach in 2013 that compromised more than 150 million customers’ data, impacted hundreds of thousands of government and military accounts, and led to further breaches of numerous high-profile enterprise clients. Making matters worse, the passwords obtained by Adobe’s hackers were all encrypted with the same symmetric key and were not salted or hashed — a major security no-no.
Even so, Flash remains, arguably, the centerpiece of Adobe’s infosec failings. It has long been known for its seemingly unending barrage of security vulnerabilities. In particular, old exploits based on unpatched Flash vulnerabilities remain popular with hackers, according to Hewlett-Packard’s 2015 Cyber Risk Report.
These security problems have led the tech world to become increasingly concerned with — and antipathetic toward — Flash. Consequently, Flash’s days may be as effectively numbered as the days on this year’s calendar.
Joe Stanganelli is a writer, attorney and communications consultant. He is also principal of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.