Gone in a flash? Facebook says Adobe's plug-in is a security risk no longer worth taking

Steve Jobs' 2010 appeal for a Flash-free world echoes again from Facebook and from Firefox maker Mozilla after revelations of just how vulnerable Adobe's animation software actually is.

Brett Murphy Summer Intern / CNET News
Brett Murphy is an editorial intern for CNET News. He attends the University of California at Berkeley Graduate School of Journalism. His work has appeared on KQED, AJ+, New American Media, the San Jose Mercury News, and several regional magazines in Pittsburgh, Penn., where he went to college and put french fries in sandwiches.
Brett Murphy
4 min read

Another Silicon Valley giant calls for the sunset on Adobe's Flash. Adobe Systems

Adobe Systems' Flash software has come under fire yet again after a prominent Facebook executive called for the end of the animation software.

"It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day," Facebook security chief Alex Stamos said in a tweet on Sunday. Stamos joined Facebook last month after less than a year at Yahoo.

On Monday, browser maker Mozilla piled on. In a feisty tweet, its head of Firefox support, Mark Schmidt, declared that Flash is "blocked by default in Firefox as of now."

Mozilla offered an understated explanation on a support page about software add-ons: "Old versions of the Flash Player plugin have known vulnerabilities." The organization also clarified in a statement that "we have only disabled the current version of Flash, not all versions and not forever." Firefox users also can choose to manually activate the disabled plugin.

Adobe on Tuesday posted a security bulletin with an updated version of Flash and a response to the vulnerabilities. Firefox soon after lifted the default block, allowing for the newest version of Flash to run after you download it. The "outdated" Flash plugin is still blocked.

"As part of the many security initiatives we engage in to help keep our products and our users safe," Adobe said in an emailed statement Tuesday, "we work closely with our counterparts in other organizations (including the browser vendors) on finding ways to encourage users to stay up-to-date on the latest security updates."

Stamos' death-to-Flash tweet came a week after cyberthieves released 400GB of internal documents stolen from HackingTeam, a Italian security company that helps governments and other organizations steal information. Those documents included details for exploiting weaknesses in Flash, which the HackingTeam called "most beautiful Flash bug for the last four years."

Independent researchers further verified three previously unknown attacks using Adobe's streaming-video software for browsers. HackingTeam even warned developers and companies to be wary.

"Before the attack, HackingTeam could control who had access to the technology, which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost," the company said in a July 8 press release. "Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation."

Whenever Adobe does get around to releasing a version of Flash that isn't being "actively exploited by publicly known vulnerabilities," Mozilla's Schmidt said, Firefox will cease blocking the plugin.

Stamos' call to end the Flash browser plugin echoes a demand by the late Steve Jobs. "Flash was created during the PC era -- for PCs and mice," Apple's former CEO wrote in a 1,600-word open letter, "Thoughts on Flash," in April 2010. "But the mobile era is about low power devices, touch interfaces and open Web standards -- all areas where Flash falls short."

Flash was once the de facto standard for websites to run games, stream video and deliver animation over browser software. Before Jobs' high-profile attack on the software, Flash ran on more than 800 million mobile phones manufactured by 20 handset makers. The exception was Apple, which banished Flash from iOS, the operating system that powers the iPhone and iPad, and stopped preinstalling the software on Mac computers. These days, Flash is on the wane as more in the online video industry turn to HTML5, a developing language that can run graphics without plugins.

But while it's fading, Flash is far from forgotten. Flash is still used on 23 percent of the 483,000 Web pages tracked by the HTTP Archive, a resource for Web developers. Even though that usage has dropped from 39 percent three years ago, removing Flash from browsers would break much of today's Web. That's why browser makers such as Google and Microsoft have granted Flash special status even as they try to wean the Web from it and other browser plugins.

Killing Flash, though, would be difficult: It's not just decade-old websites that rely on Flash for streaming video. Many top video networks rely on it, said Jan Ozer, a streaming-media consultant and author. Flash, he said, "has its negatives, but why banish Flash altogether if companies like NBC and MLB want to use it?"

According to Adobe, more than 500 million devices are "addressable today with Flash technology" and 110 million websites run the plugin. Adobe has issued more than a dozen Flash security advisories since the beginning of this year.

Stamos, who helped strengthen Yahoo's security prowess before joining Facebook, tweeted that Adobe needs to set a date for Flash's sunset so that browsers could coordinate their dropping the software.

"Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once."

Update, July 14 at 6:14 a.m. PT: Added information about Firefox maker Mozilla blocking Flash by default.

Update, July 14 at 4:07 p.m. PT: Added information about Adobe's response to the vulnerabilities and software update. Added information about Firefox maker Mozilla lifting default Flash block.