If Adobe Won't Retire Flash, Just Hit Delete
Arguably the most useless and obnoxious piece of near universally installed software, Adobe Flash has received another kick that ought finally to send it to its grave. A cyber-espionage operation whose attack patterns suggest ties to the Russian government has been discovered using one of Flash's endlessly emerging vulnerabilities.
The operation, running at least since 2007, is known to security researchers as Pawn Storm. It has targeted U.S., North Atlantic Treaty Organization and Ukrainian governments, militaries and media, as well as the political opponents of Russian President Vladimir Putin. It uses a malicious iOS application to steal data from iPhones and employs "spear-phishing" to get information from targeted computers, typically sending purported links to articles on various geopolitical issues to entice people to open websites that install malicious software.
On Tuesday, analysts from Trend Micro published a blog post saying Pawn Storm now uses a "zero day" -- previously undiscovered -- Adobe Flash vulnerability, and it has succeeded against at least one country's foreign ministry. The cybersecurity company and Adobe say they're working together to provide a fix, but instead Adobe should finally retire Flash for good.
There were loud calls for this last July, after security firm Hacking Team, controversial for straddling the line between hacking and protecting people against it, suffered an embarrassing breach. The firm's cache of documents, released by the hackers for all to peruse, contained the description of a wide-open security hole in Flash. This caused Mozilla, the maker of the Firefox browser, to disable the Flash plug-in, and Facebook's chief security officer, Alex Stamos, to call on Adobe to set an "end-of-life date" for the product. Yet Flash is still alive and kicking.
According to Adobe, the Flash Player is installed on 99 percent of Internet-enabled computers, not counting smartphones and tablets, which means they are all vulnerable: Security holes, major or minor, pop up all the time. Flash Player is highly exploitable; last year more serious vulnerabilities were found in Flash Player than any other software except two Web browsers -- Microsoft's Internet Explorer and Google's Chrome -- and browsers are the No. 1 destination for hackers since practically everyone accesses websites through them.
Flash is so widespread because it used to be the standard for Internet video, casual games and any kind of animation. In 2010, Apple founder Steve Jobs declared war on it, saying it was a resource hog and a battery drainer while better technology -- such as the open standard HTML5 -- existed for the same purposes. Flash's banishment from Apple's iOS pushed website developers in other directions, though Adobe's software still managed to gain a foothold in mobile computing: about two-thirds of smartphones shipped this year can technically use it.
What does Flash actually do? Well, it powers lots of ads. In the first quarter of this year, more than 90 percent of "rich-media" (non-static) ads displayed to users were Flash-based banners. Ad makers still use the outdated technology mainly because they're used to it and it takes time to learn new tools. Technologically backward advertisers accept Flash ads from their agencies, even though on most smartphones the moving banners default to static images because Flash is disabled out of the box to stop it from draining batteries.
The technology is gradually dying out. Nowadays, only about 20 percent of websites use Flash content, compared with 50 percent in 2011, and that includes ads. Take them out -- do you really want to see them, anyway? -- and there will be almost nothing left. By uninstalling Flash and all of its components, the typical user won't miss out on anything these days. Even the annoying self-launching videos many sites use will still be there. YouTube, which was the biggest reason to use Flash until this year, dropped it for modern browsers in January, switching to HTML5.
Adobe makes a little money selling Flash tools to developers, but as it moves to a subscription-based model for its core products, that revenue is insignificant. The reason Adobe hasn't scrapped Flash yet is probably a matter of client relationships rather than profit.
Flash's continued existence is one of the clearest manifestations of backwardness and laziness in the tech world. At the same time, it exposes pretty much every computer to significant dangers from hacking and spying. Until Adobe gets up the courage to retire Flash and force its loyal clients in the advertising industry -- a top buyer of Adobe's Creative Suite applications, which include Photoshop and Illustrator -- to move on to better alternatives, it makes sense to eradicate the pest from all computers near you. Companies and government organizations ought to be the first to do it following the Pawn Storm revelation.
No one will notice it's gone.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story:
Leonid Bershidsky at firstname.lastname@example.org
To contact the editor responsible for this story:
Therese Raphael at email@example.com