Three new vulnerabilities in Adobe Flash Player have been reported over the past two weeks, triggering a storm of protest and leading Mozilla and Google to ban the plug-in from their Firefox and Chrome browsers, respectively.
“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Facebook Chief Security Officer Alex Stamos tweeted Sunday.
Flash “currently poses a huge risk to security — these latest events are a perfect example of that,” said Kasper Lindgaard, director of research and security at Secunia.
The majority of zero-day vulnerabilities reported this year have targeted Adobe Flash, “so, by having Flash installed and enabled, companies will be exposed to much higher risks,” he told TechNewsWorld.
Adobe is attempting to quell anxieties over the issues.
“The vulnerabilities in Flash Player have already been addressed,” said Adobe spokesperson Wiebke Lips of the three latest flaws.
Adobe released updates Tuesday morning, she told TechNewsWorld.
Blame It on the Hacking Team
The latest Flash Player exploits are the result of the recent breach of the Hacking Team, an Italian firm that unapologetically creates software nasties, including malware, for the United States National Security Agency, the U.S. Drug Enforcement Administration, and various repressive regimes around the world.
That could point to further trouble, because “if Hacking Team had these exploits and was keeping them unpublished, then it’s likely other hacking organizations did as well,” Tripwire Director of Product Management Tim Erlin told TechNewsWorld.
Git Along, Little Plug-in
Vulnerabilities have been rife in Adobe’s various software products over the years, leading late Apple CEO Steve Jobs to publish an open letter criticizing Flash in 2010.
Flash is proprietary, dated, unreliable, insecure, can’t handle touchscreens, guzzles battery juice, and is not suitable for the mobile era, Jobs wrote.
His stance back then drew supporters as well as detractors.
“I and many other Web users hate Flash sites,” wrote “myanr” in a comment on Jobs’ accusations. “There’s nothing that we need Flash for and very interactive apps can be built without it.”
However, “tens of thousands of developers are now making real business applications in Adobe Flex that happen to run in the Flash player,” commented “alangrus” in response to Jobs’ letter. “This is the most advanced and richly featured development out there.”
It’s not as if there is no alternative to Flash. HTML5 has been gaining support from high-tech firms including Amazon, and Mozilla in 2012 released Browserquest, a massively multiplayer HTML5 game experiment.
“The days of Flash are numbered,” said Ken Westin, a senior security analyst at Tripwire.
“With the advancement of HTML5 and more powerful and standardized JavaScript frameworks and more flexible video support, Web developers no longer need to rely on Flash to create highly interactive Web experiences,” he told TechNewsWorld.
Is Adobe the Real Culprit?
The security issues that have plagued Flash over the years have helped accelerate its end of life, contended Westin.
However, users may be to blame if their systems are taken down by a Flash vulnerability, because the majority of them don’t update their systems in a timely fashion.
Adobe software has the dubious distinction of being listed in three places in Secunia’s top 10 end-of-life programs.
Flash Player 16.x is No. 1, with 78 percent of the market; Adobe Air 3.x is No. 7 with 15 percent of the market; and Adobe Air 2.x is No. 10, with 13 percent of the market.
End-of-Life programs no longer are maintained and supported by the vendor, and they don’t receive security updates.
“Private users are really bad at patching Adobe Flash Player,” Secunia’s Lindgaard said.
“Make sure your patches are always applied and installed as soon as possible,” he added, “and only allow Flash to run on trusted content.