As we enter December, we also enter the last month of support for Adobe’s Flash software. This veteran concept of rich internet content is facing its retirement on New Year’s Eve, and come January 1 2021, there will be no more support for it.
It’s not like this has come as a surprise though. Over the years it has needed numerous security fixes and faced the challenge of newer options such as HTML5, WebGL and WebAssembly. These options have come to replace it in order to provide a better online experience than the text-only options which preceded its use.
In fact, web developers have had over two years to prepare for the end of support, as it was announced in July 2017 by Adobe that the Flash Player would no longer be supported after December 2020. It’s fairly easy to see why – this updates page shows 292 fixes in the last 14 years. In particular, vulnerabilities in Flash have allowed attackers to compromise targets through adverts and to distribute ransomware, to name just two instances.
So come January 1, if you’re still running Flash, it is unlikely your laptop is going to explode, whether you’re hosting or visiting Flash content; at worst, the website or frame will not load. According to an NCSC advisory, users will likely not even notice when Flash disappears, as long as they are using a modern browser receiving regular updates. “Many sys admins will be breathing a sigh of relief, as for years the Flash Player plugin was a ripe target for bug hunters, requiring regular updates,” said NCSC device security researcher Josh D.
Specifically, Adobe said it will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to the more modern open formats.
As for the browsers, Microsoft said by the end of 2020, it will remove the ability to run Adobe Flash in Microsoft Edge and Internet Explorer across all supported versions of Microsoft Windows, and users will no longer have any ability to enable or run Flash.
Google Chrome product manager Anthony Laforge said it has “taken a lot of close work with Adobe, other browsers and major publishers to make sure the web is ready to be Flash-free.”
Laforge also said if a website that uses Flash migrates to open web standards, “you shouldn’t notice much difference except that you will no longer see prompts to run Flash on that site.”
However, the end of support is likely to bring about some threats; the NCSC advisory warned that “Fake Flash” trojans have been a popular method of compromising unsuspecting web users. Speaking to Infosecurity, Tim Mackey, principal security strategist at the Synopsys CyRC, said he could recall a time when there were weekly Flash updates, and he was “happy to see Flash go into a museum of internet technology.”
He believed that a large number of websites were still using Flash, though, and that those “are tremendously behind the times”; Flash is still seen in visually active websites, specifically gaming. Mackey also said the end was likely brought about by a lack of support for Flash on Apple devices, and that it was part of a three-stage challenge for Adobe: the challenge of supporting Flash and creating its security fixes, the rollout of the iPhone and iPad and their lack of support, and hiring new developers who have an interest in working with 20+ year-old software. Add to that the money being paid out in bug bounties by Adobe, and the end of support could be a serious cost saving.
So will January 1 2021 be a Y2K moment for Flash player faults? Mackey said there is the danger of phishing emails capitalizing on the end of support by offering rogue downloads from malicious websites, or even malware masquerading as the Flash player fix, “if the user believes that Flash should be enabled and is not recognizing the browser has disabled it.”
What is the best case scenario? Mackey said users will see a message that Flash is “no longer supported” rather than an option to download or update it.
From the CISO’s perspective, is this a positive, as it is one less thing to apply patches to? Quentyn Taylor, director of information security at Canon Europe, told Infosecurity that CISOs will not have to do much in this instance, as there will be a patch to disable it and work by browser vendors will also end support. “The important proviso is that this will be seen as a security change that, if not tested properly, will cause outages as people suddenly discover that interactive aspects of some applications stop working,” he said.
“So security will improve, but if the CISO doesn’t manage it correctly, there could be push back.” However, Taylor admitted that many CISOs would have disabled it years ago if they could, and if there was a suitable alternative.
Of course that raises the issue of HTML5, and Taylor said almost all major websites have moved across to HTML5, but there are more than likely still applications running inside major corporates that require Flash. “It is probably not going to be websites, but interactive elements of internal reporting frameworks probably in ERP platforms,” he said.
“Whilst I would absolutely not state that Flash needs to stay because of this dependency, it is something that people need to be aware of; there is going to be a big change and they may need to prepare to develop alternative solutions quickly to keep certain processes running.”
He said a security team would be well advised to attempt to identify where there may be potential issues, so that it can think now about what it may do to fix them if the issues materialize.
So, will Flash be consigned to the museum of internet technology’s hall of fame, or wall of shame? Taylor said Flash has had a long and happy life “and is probably one of the only technologies I remember from when the internet started to become visual.” He said he could remember when Macromedia used to provide the plugin before Adobe acquired it, and “it was one of those technologies that was used instead of HTML by many designers that has now gotten to the end of its life.”
“In one way, I'll be sad to see it go, because it made the web really interactive back in the late 90s and early 2000s, but go it must as it's just been superseded by much more secure technologies.”
Therefore, we see another major part of the 1990s and 2000s internet infrastructure taken away and consigned to history. As Mozilla’s update from 2017 stated: “Over the years, Flash has helped bring the web to greatness with innovations in media and animation, which ultimately have been added to the core web platform.” Many will appreciate what it brought to enable the internet experience we have now, but many will also be glad to see its expiration.