Cybersecurity

Flash Flames Out – but It Will Smolder for a While

Adobe on Tuesday announced its decision to pull the plug on its much maligned Flash format, citing the growing use of HTML5, WebGL and Web Assembly open standards.

Helper apps have evolved over time to become plugins, which then further evolved to become open Web standards, Adobe noted. However, because gaming, education and video have come to depend heavily on Flash over the years, its phaseout will be gradual.

The company will continue to update it with any necessary patches, maintain browser and operating system compatibility, and add features as necessary until 2020.

Adobe is working with partners Google, Facebook, Microsoft, Mozilla and Apple to smooth the transition. Each of those companies posted an update on how the shift will impact its browsers or interfaces.

Partner Plans

Eighty percent of desktop Chrome users accessed a page running Flash just three years ago, but that figure has declined to 17 percent currently, according to Google.

Google changed its policies late last year, requiring permission from users to make Flash a default experience for Chrome. It plans continue to ask permission to use Flash in different situations until the phaseout is accomplished, and it will remove the plugin completely by 2020.

Mozilla updated its published road map for Flash users. Starting next month, users will have to choose which websites use the Flash plugin. Mozilla will disable Flash by default in 2019, when access will be limited to users running the Extended Support Release. They will be able to continue using Flash until the phaseout is complete in 2020.

Microsoft plans to phase out support for Flash in Edge and Internet Explorer before 2020 and completely remove Flash from Windows. It already has begun the process for Microsoft Edge, with click-to-run for Flash found in the Windows 10 Creators Update. Through the end of 2017 into 2018, Edge will ask for permission on most sites and save the user preferences. Internet Explorer will continue to run Flash.

Flash will be disabled by default in both browsers starting in 2019, but users will be able to re-enable it. By the end of 2020, all computers running Windows will remove Flash in both browsers.

The iPhone, iPod touch and iPad never have supported Flash, Apple noted. Macs stopped providing it preinstalled starting in 2010. Flash remains off by default in those products, and Safari requires explicit approval before it will run Flash on any websites.

WebKit supports the latest standards, Apple said, including HTML Video and Media Source extensions for a wide range of video; HTML Canvas and WebGL for fast, dynamic games; CSS Transitions and Animations for animations to Web interfaces; Web/RTC for peer-to-peer video; and WebAssembly for faster games and compute-intensive applications.

“Flash has long been a challenged tech product with known operational issues, which is why Steve Jobs refused to allow it onto the Apple iOS hardware products,” said Tim Mulligan, senior analyst at Midia Research.

“Adobe is finally bowing to the inevitable and phasing out support for it in three years time,” he told TechNewsWorld.

Gaming Repercussions

“The move to open Web is stimulating a comeback of playing games inside the Web browser, rather than through an installed app or game. This is particularly true on mobile,” said Jelle Kooistra, head of product development — mobile, at Newzoo.

“For instance, we’re seeing the first experiments happen now with Facebook Messenger’s Instant Games,” he told TechNewsWorld.

“The advantage these games have is that the barrier to starting to play a game is much smaller: You just have to click a link,” Kooistra pointed out.

“We believe this area will grow heavily in the coming years, mainly in social and small experiences — e.g., playing a quick round of poker with a friend. The open Web provides an issue for Apple and Google, as it allows games to monetize outside of their closed ecosystem, in which they take 30 percent of all generated revenues,” he observed.

“However, it will be quite a while before experiences streamed through a Web browser can fully replace the quality and fluidity of installed games,” said Kooistra. “Furthermore, game developers will also have to re-invent how to monetize efficiently in these types of games.”

Game developer Kongregate published data showing that it has seen minimal impact on the quality and revenue potential of games going forward, Mozilla noted.

The technology for 2D games has changed little, based on Kongregate’s findings; however, there is still a gap for 3D.

Kongregate ported two of its top games, Tyrant Unleashed and Spellstone, from UnityPlayer to HTML5 at the end of last year.

Security Hassles

“As a security professional, I can’t overstate how happy I am that Adobe is finally retiring Flash,” said Mark Nunnikhoven, vice president of cloud research at Trend Micro.

“Unfortunately, the actual date is still a couple of years away,” he told TechNewsWorld.

When Flash debuted in 1996, it provided a fantastic way to deliver rich Web applications and video, even though it needed a privileged position as a browser plugin to make that happen, Nunnikhoven recalled.

The security community has learned a lot since then regarding browser security, he said, and the threat landscape has undergone wave after wave of change. Better tools have been developed to deliver video and rich Web applications.

Flash has become an outdated source of vulnerabilities, Nunnikhoven noted. Over the last 10 years, more than 1,064 Flash vulnerabilities have been reported — the equivalent of 2 percent of all vulnerabilities in the industry.

Most of the vulnerabilities were rated high or critical, he said, as they exposed many Web users’ systems to threats when they did nothing more than visit certain Web pages.

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by David Jones
More in Cybersecurity

Technewsworld Channels