Flash Player security failures turn up the hate

There have been calls for the death of the Adobe Flash Player for years either due to performance issues or the threat of exploit. But with a recent rash of zero-day vulnerabilities, those calls are getting louder.

The Hacking Team data breach last week uncovered three zero-day vulnerabilities in the Adobe Flash Player. Adobe patched one with an out-of-band fix and the other two in its Patch Tuesday update. This run of vulnerabilities seemed to be the tipping point for many.

Mozilla followed the news by announcing it would disable the Flash Player in its Firefox browser until Adobe issued a fix. The Flash Player has since been enabled in Firefox, as long as the newest version of Flash has been installed on a system.

Chad Weiner, director of product management at Mozilla, said the move was in an effort to protect users from active exploits, but also noted in a statement that Mozilla "will continue to work with developers to encourage adoption of safer and more stable technologies, such as HTML5 and JavaScript, and we look forward to helping drive that conversation."

Ubuntu computer manufacturer System76 Corp. announced it would cease to pre-install Flash on the computers it makes. But the most widely noted comment came from Facebook CSO Alex Stamos.

"It is time for Adobe to announce the end-of-life date for Flash, and to ask the browsers to set killbits on the same day," Stamos wrote on Twitter. "Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once."

To date in 2015, the Adobe Flash Player has had 131 vulnerabilities, according to the Common Vulnerabilities and Exposures (CVE) catalog, 103 of which have been rated 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

In a recent blog post regarding the patch for the newest zero-days, Adobe painted itself as the victim, noting how quickly it remediates security issues in Flash.

"Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and, as such, is a target of malicious hackers," Adobe wrote. "We are actively working to improve Flash Player security, and, as we did in this case, will work to quickly address issues when they are discovered."

Adobe did not respond to TechTarget requests for comment.

Experts unanimously said there are few good reasons for enterprises to continue running Flash.

Trey Ford, global security strategist at Rapid7 LLC, said the biggest impact of blacklisting a plug-in like Flash could be employee annoyance at not being able to play games.

"Aside from maintaining your property on FarmVille or making reservations on beautiful -- and hard to use -- restaurant websites, I'd be terribly curious to know how much of a business impact Flash going dark might mean," Ford said. "Managing enterprise code, maintaining the patch cycle and containing normal user entropy is plenty hard. The variability that plug-ins offer raises the attack surface, enterprise risk and associated costs of diagnosis, troubleshooting and remediation."

Rich Mogull, CEO of Phoenix-based Securosis LLC, was initially blunt when asked if there is any reason an enterprise should trust or use the Flash Player, answering "None at all. Dump it," but pulled back a bit.

"Keep in mind [that] in a business that you could be blocking someone's critical app, so you want to do some analysis and testing first," Mogull said. "For example, see if you can use your Web gateway to measure and report on Flash use."
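Mogull's suggestion to measure Flash use at the Web gateway, as an added example that is not part of the original article: a Python script that reads proxy access-log lines in a Squid-native-style layout (the field order is assumed and the sample lines are constructed, not real traffic) and reports Flash requests by internal client and destination host, so the "critical app" dependencies he mentions can be found before the plug-in is blocked.

```python
from collections import Counter
from urllib.parse import urlsplit

FLASH_MIME = "application/x-shockwave-flash"

# Constructed sample lines (made up for this example, not from a real gateway).
# Assumed layout, modelled on Squid's native access.log:
# timestamp elapsed client result/status bytes method URL user hierarchy/peer mime
SAMPLE_LOG = """\
1436800001.123 210 10.1.2.10 TCP_MISS/200 48211 GET http://cdn.example-game.com/play/main.swf - HIER_DIRECT/93.184.216.34 application/x-shockwave-flash
1436800002.456 80 10.1.2.11 TCP_HIT/200 1320 GET http://intranet.example.local/index.html - NONE/- text/html
1436800003.789 150 10.1.2.12 TCP_MISS/200 90211 GET http://booking.example-restaurant.com/menu.SWF - HIER_DIRECT/198.51.100.7 application/octet-stream
1436800004.012 300 10.1.2.10 TCP_MISS/200 7731 GET http://cdn.example-game.com/play/assets.swf?v=3 - HIER_DIRECT/93.184.216.34 application/x-shockwave-flash
1436800005.345 60 10.1.2.13 TCP_MISS/200 9913 GET http://erp.example.local/report.pdf - HIER_DIRECT/10.9.0.5 application/pdf
"""


def parse_line(line):
    """Split one log line into the fields we need; return None if the line is malformed."""
    fields = line.split()
    if len(fields) != 10:
        return None
    return {"client": fields[2], "url": fields[6], "mime": fields[9].lower()}


def is_flash_request(url, mime):
    """Flag Flash by the served MIME type, or by an .swf path when the server mislabels it.
    The query string is ignored so 'movie.swf?v=3' still counts."""
    if mime.lower() == FLASH_MIME:
        return True
    return urlsplit(url).path.lower().endswith(".swf")


def flash_usage_report(log_text):
    """Count Flash requests and attribute them to internal clients and destination hosts."""
    total, clients, hosts = 0, Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if is_flash_request(rec["url"], rec["mime"]):
            clients[rec["client"]] += 1
            hosts[urlsplit(rec["url"]).hostname] += 1
    return {"total_requests": total, "flash_requests": sum(hosts.values()),
            "clients": clients, "hosts": hosts}


if __name__ == "__main__":
    report = flash_usage_report(SAMPLE_LOG)
    print(f"{report['flash_requests']} of {report['total_requests']} requests were Flash")
    for host, n in report["hosts"].most_common():
        print(f"  {n:4d}  {host}")  # destinations to review before blocking
    print("clients still depending on Flash:", ", ".join(sorted(report["clients"])))
```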

Freelance writer, producer, speaker, and integrated marketing and PR consultant R. Michael Brown said every IT pro and Web development company he knows advises against using Flash.

"Adobe has a history of caring more about themselves and their products than customers. They're arrogant, so they're very late in killing this failed software," Brown said. "It doesn't make any difference how good their developers are, or how fast they turn around patches. Nothing is working, so it's obviously a failing technology. They need to kill it and give everyone that uses the Internet a break."

Ford said the security issues with Flash stem, at least in part, from difficulties testing the software.

"For the security world, Flash has been hard to test; it was its own beast, with its own standards and use cases, and a small collection of tools available to help," Ford said. "Flash has served a purpose, and I imagine product managers at Adobe are having a meaningful discussion about what the long-term future of the Flash business really looks like."

Mogull said the nature of Flash makes it inherently insecure. But while Flash should be phased out, many services still rely on it, and the companies responsible for them may not have the resources to transition to something like HTML5. So, the Web "may be stuck with Flash longer than most people want or realize," Mogull said.

"Adobe has a great product security team, but you will notice that the two biggest browser issues -- Flash and Java -- are both runtime environments that execute arbitrary code. It's a tough technology problem to allow something like that to run securely in a browser," Mogull said. "Flash most definitely should be phased out. It was a great technology for its time, but it is now holding the rest of the Web back and it appears unfixable from a security perspective."