It has not been a good week for Adobe Flash. First Facebook's new security chief called for an end to the plugin and now Mozilla is blocking Flash software by default on all versions of its Mozilla software.
At issue are security problems highlighted when a vulnerability was made public after an Italian security company, Hacking Team, was hacked last week. The company developed spyware and malware which it sold to agencies around the world. A tool leaked online by the hackers target a bug in Flash that Adobe had yet to fix. "Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected computer," security firm Symantec said in a blog post.
Adobe released an update addressing the first bug on July 8 but since then two more similar 'zero-day' bugs have been discovered in the Flash software by another security firm Trends Micro.
No doubt, Adobe is furiously working to find a patch for the vulnerabilities but it is a PR disaster for Flash. It isn't exactly the first time Flash has faced criticism. In 2010 Steve Jobs famously wrote an open letter entitled "Thoughts on Flash" where he explained why he wouldn't allow the software on Apple products due to its security flaws and it's impact on performance and battery life. Google's Chrome browser automatically pauses Flash videos because they drain so much processing power.
Mark Schmidt, head of Firefox support at Mozilla, tweeted the news late on July 13 alongside an image of a clenched fist and an 'Occupy Flash' banner.
BIG NEWS!! All versions of Flash are blocked by default in Firefox as of now. https://t.co/4SjVoqKPrR #tech #infosec pic.twitter.com/VRws3L0CBW
— Mark Schmidt (@MarkSchmidty) July 14, 2015
Flash has long been considered to have weak security and a vulnerability has recently become publicly known, making the software a target for hacking attempts. On July 12, Facebook's chief security officer, Alex Stamos, called for Adobe to announce an "end-of-life date for Flash."
Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.
— Alex Stamos (@alexstamos) July 12, 2015
The use of the classic protest symbol would seem to suggest that Schmidt would also like to see the end of Adobe Flash. However, Schmidt has since backtracked with another tweet supporting Flash, saying: "To be clear, Flash is only blocked until Adobe releases a version which isn't being actively exploited by publicly known vulnerabilities." On its support pages Mozilla also said the block would remain until "Adobe releases an updated version to address known critical security issues".
To be clear, Flash is only blocked until Adobe releases a version which isn't being actively exploited by publicly known vulnerabilities. — Mark Schmidt (@MarkSchmidty) July 14, 2015
Flash was once the software to watch video on the web, but that position has been dwindling ever since Jobs' 2010 rebuke and there are now plenty of alternatives. Significantly, in January 2015 YouTube moved away from Flash, playing videos using HTML5 by default instead.
Adobe is unlikely to comply with Stamos' request and announce the death of its own product. Millions of online videos and software still run using Flash so if the software is to die out it would likely take a long time as individual sites drop the platform.
