The headline read: “As Flash 0day exploits reach new level of meanness, what are users to do?” Wanting to know the answer, I read the article on Arstechnica.com about another set of hackers (or the same, who knows?) exploiting bugs in Adobe’s Flash software.
Three times already in 2015 (at the time this blog post was written), hackers had exploited bugs in the software. Research into the hacks showed they are primarily focused on cryptoware – malware that encrypts documents, images, and personal data until the user pays a ransom to decrypt them. Until recently, hackers tried to trick users into visiting an infected website, but with the Flash vulnerabilities, users just need to click on an ad seen on a legitimate website to get infected.
The worst part of this is that these are 0day attacks. That means the security holes were known to Adobe, but they hadn’t been fixed. That left them open to hackers. In recent weeks Adobe has begun pushing out fixes, but security experts are wondering if that will ever be enough.
At one time, Adobe Flash was the de facto standard for online video and games. But Apple, Steve Jobs in particular, refused to support Flash on iOS. That was, in a sense, the beginning of the end. In time, Google dropped support for Flash in Android, thus making the mobile web pretty much Flash-free. But desktop users still had, and used, Flash frequently for streaming videos and playing games.
But the tide is finally shifting away from Flash even on desktop systems. Google announced in January that it now converts all ads to HTML5 (it had already switched standard video playback to HTML5 some time ago). Google Chrome is also the only browser immune to the recent Flash 0day attacks because of the way it is designed to limit software from running outside of the Chrome browser. Users of IE, Firefox and other browsers on OS X and Windows are still vulnerable to Flash 0day exploits. Most security experts are now recommending that people disable Flash entirely in order to protect themselves, since Adobe can’t patch it fast enough.
Will Adobe finally capitulate on Flash, forcing content creators to stop using it? Or will users disable it in order to protect themselves? Whichever comes first, or whatever the combination of events will be, the days of Flash are truly numbered. There was once a time I couldn’t view many videos, or even whole websites, on my iPad because they were in Flash. Today I can’t remember the last time that happened. Not in years, at least. It’s good to know we’re all moving in the direction of open, secure standards for all devices. That won’t stop the hackers, but perhaps it will slow them down.