The end of the line for Flash? Not so fast
Flash has long been a favorite target for attackers, but with Adobe revising its strategy, how long before a Flash-free web is a reality?
In late 2015 Adobe announced it was renaming Flash to Adobe Animate, which reinvigorated cries that “Flash must die!” from Fortune, Wired, PCWorld, CIO.com, and bloggers in general. Flash, according to Adobe, reaches over 1 billion connected desktops. While there is a movement to replace Flash with some of the elements in HTML5, it is likely going to be a long road. Moreover, the mapping from Flash to HTML5 is not a simple like-for-like swap. If operating systems are a good parallel, Flash has years to go; Windows XP, an OS that was EOL’ed nearly 2 years ago and has seen multiple replacements launched since, still shows over 11% market share and is more widely used than Windows 8 and Windows Vista per NetMarketShare.
Why is Flash panned? In a word: vulnerabilities – critical vulnerabilities in particular; 5 Flash zero days were discovered in 2015. Flash is on, or can be on, almost any browser, making the potential target list essentially anyone with a computer – this alone makes it a risky application. If every house in the entire world uses the same brand of lock and that lock has a defect, then the entire world is at risk. Apple took a stand against Flash several years ago with the letter entitled “Thoughts on Flash,” which understandably ruffled some feathers around the industry, but I am a believer that the end result is a better product for the consumer.
Flash will remain in use for the foreseeable future, but once attackers need to find a new target, what will they latch on to? Let’s look at what makes an attractive target:
- Breadth – An attacker wants to cast as wide a net as possible; software that is used by a variety of endpoints, including mobile devices, provides the largest attack surface.
- Authority – A successful attack means access to something of value; any vector compromised must lead to the crown jewels, or at least something financially desirable.
- Stealth – Smash-and-grab tactics are somewhat inelegant; financially minded attackers are often better rewarded for longer-term projects than for the smash and grab, where they only capture what can be carried out in one “handful.”
Flash will still be targeted in attacks going forward; until Adobe flat out stops supporting it *and* the general public stops frequenting Flash-based websites, it will live on. Where will attackers put their effort as their Flash business begins to wither?
- Macro malware attacks are making a comeback – perhaps due to complacency after people came to feel that macro-based attacks were “very ‘90s.” Office 365 and the cloud offer new avenues for these old methods to bear fruit.
- Emerging rich media technologies present new targets – finding unique ways to engage prospects on the web can lead to early-adopter risks for both ends of the equation. As the attention span of prospects drops, more engaging technologies open up more risks. Flash filled a need, and the transition to whatever disruptive solution replaces it will not be seamless – or necessarily secure.
- Mobile – mobile devices have been seen as a potential threat vector for some time, but mobile attacks have yet to move the needle in terms of major incidents. Given that mobile devices provide access to essentially someone’s entire life, this vector seems ripe for greater attacker interest.
If you think Flash can’t provide anything of interest, browse to The Favorite Website Awards site and see what else Flash can do.