Facebook’s new chief security officer wants to set a date to kill Flash

By James Vincent on July 13, 2015 12:18 pm @jjvincent
http://www.theverge.com/2015/7/13/8948459/adobe-flash-insecure-says-facebook-cso

Alex Stamos, the recently appointed chief security officer at Facebook, has called on software company Adobe to announce an “end-of-life date for Flash.” In a pair of tweets sent over the weekend, Stamos echoed a number of recent complaints from the security community that the software has become the vector for just too many hacking vulnerabilities.

Last week, a 400GB cache of files stolen from spyware company Hacking Team revealed a major vulnerability in Flash that allowed hackers to execute malicious code on a target’s machine via a website. Although Adobe quickly issued a patch to fix the problem, Hacking Team’s internal memos describe the flaw as “the most beautiful Flash bug for the last four years,” suggesting it had been known about — and used — for some time previously. This is far from an isolated incident: two additional vulnerabilities for Flash were found in the same 400GB trove in the following days, and earlier this year, Adobe was forced to release emergency security updates in both February and January.

FLASH HAS BEEN HIT BY A SERIES OF CRITICAL FLAWS THIS YEAR

This seemingly unending list of vulnerabilities is why individuals like Stamos have turned against Flash, but the industry’s ire against the software is nothing new. In 2010, Apple CEO Steve Jobs famously penned an open letter called “Thoughts on Flash,” explaining why the company would not allow Adobe’s software on its devices. He cited issues with performance, battery life, and security as major problems, noting that Flash had “one of the worst security records in 2009.” So far, 2015 isn’t shaping up to be a good year for the software either.

Stamos is not calling for Adobe to immediately pull the plug on Flash, of course, but instead, for Adobe to announce an eventual retirement date for the software, giving websites the time to move to more secure technology like HTML5. Flash has been suffering from shrinking relevance in recent years, with former strongholds like Facebook games collapsing (see the burnout of Zynga), and YouTube moving away from the technology (in January this year the company deprecated Flash in favor of HTML5). Still, the transition would be difficult for smaller companies, and if it really is time for Flash to die, it’s likely to be a long, painful struggle.
