
Adobe's Flash end of life scheduled, finally, for 2020

News roundup: Adobe announced that Flash end of life will happen by the end of 2020. Plus, Microsoft expands its bug bounty program, the 2017 Pwnie Awards winners, and more.

Ding dong, Adobe Flash is finally dead. The online citizens of Oz, and everywhere else, will soon be free from the tyranny of unsecure interactive web content.

Adobe revealed that the Flash end of life will take place at the end of 2020. The company said that it will "stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to" other formats.

"As open standards like HTML5, WebGL and WebAssembly have matured over the past several years, most now provide many of the capabilities and functionalities that plugins pioneered and have become a viable alternative for content on the web," Adobe said in a statement. "Over time, we've seen helper apps evolve to become plugins, and more recently, have seen many of these plugin capabilities get incorporated into open web standards. Today, most browser vendors are integrating capabilities once provided by plugins directly into browsers and deprecating plugins."

Adobe said it is collaborating with Apple, Facebook, Google, Microsoft and Mozilla to bring about the Flash end of life smoothly. It also said it will continue to support the software with patches and updates on Windows operating systems, Mac OS and Linux through the Flash end of life date.

Adobe Flash Player has been a thorn in the side of security professionals for years with numerous critical vulnerabilities causing problems, but the real decline in its use started in 2010 when then-Apple CEO Steve Jobs decided not to allow Flash software on iPhones, iPods and iPads for security reasons.

"We don't want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash," Jobs wrote in an open letter, adding that a Symantec report called out Flash "for having one of the worst security records in 2009."

Google also cited the decline in popularity on its Chromium blog, with Anthony Laforge, technical program manager at Google, writing that "three years ago, over 80% of Chrome daily desktop users visited sites with Flash. Today only 17% of users visit sites with Flash and we're continuing to see a downward trend as sites move to HTML."

There was a glimmer of hope in 2015 that the Flash end of life would be around the corner when Adobe announced it would start using HTML5 for one of its web animation tools and a video player for desktop browsers. Adobe first released Flash Player in 1996.

In other news

  • Microsoft expanded its bug bounty program to cover more ground and, potentially, increase bounty amounts. "In the spirit of maintaining a high security bar in Windows, we're launching the Windows Bounty Program on July 26, 2017," Microsoft said in the announcement of the program. "This will include all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. We're also bumping up the pay-out range for the Hyper-V Bounty Program." The pay-out bump means security researchers can earn between $500 and $250,000 depending on the type of bug discovered and disclosed. The highest payout is for critical remote code execution vulnerabilities in Microsoft Hyper-V. Microsoft has had bug bounty programs since 2013, but this new program covers more ground, offers a higher reward and doesn't have the time limit typical of a Microsoft bug bounty.
  • Kaspersky Lab now offers free antivirus software. In a blog post, the company's co-founder and CEO Eugene Kaspersky announced Kaspersky Free will start to roll out globally over the next few months. The free version of the antivirus won't compete with the full version, according to Kaspersky, because it includes just "the bare essentials." That means "file, email and web antivirus; automatic updates, self-defense; quarantine; and so on." Kaspersky noted the motivation behind offering free antivirus was to help users who can't afford the paid version of the software and also to "positively affect the quality of protection of all users." While the company has been working on the product for a year-and-a-half -- and tested it in Russia, Ukraine, Belarus, China, Denmark, Norway, Sweden and Finland -- the gradual global release of the free software follows increasing suspicions in the U.S. government of Kaspersky Lab's ties to the Russian government. These suspicions have resulted in the U.S. government being banned from using the antivirus software and, most recently, Kaspersky Lab being removed from the U.S. General Services Administration (GSA), making the vendor ineligible for any GSA Schedule 70 contracts.
  • The winners of the annual Pwnie Awards were announced this week in Las Vegas at Black Hat USA 2017. The awards recognize the best and the worst in the security vulnerability space. This year there were 16 categories with awards like Best Client-Side Bug, Best Bug Branding and Lamest Vendor Response. Notable winners include the NSA's Equation Group, which won Best Server-Side Bug for the remote code execution vulnerability in nearly all Microsoft systems that led to Microsoft releasing a patch for Windows XP well after its end of life. Drammer, the bug that exploits the Rowhammer vulnerability, took home the Pwnie for Best Privilege Escalation Bug, and researchers from Google and the Cryptology Group at Centrum Wiskunde & Informatica, the national research institute for mathematics and computer science in the Netherlands, received the Pwnie for Best Cryptographic Attack for breaking the SHA-1 standard. NotPetya won Best Backdoor, and the Pwnie for Epic Ownage resulted in a tie between WannaCry and the Shadow Brokers.
