The writing has been on the wall for quite a while. Flash is dying a slow death, yet it continues to gasp for air. After some new vulnerabilities were discovered, many have been calling for the plug to be pulled.
Facebook’s Chief Security Officer called for its demise the other day.
“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” he said. “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.”
Then, Mozilla blocked all versions of Flash in Firefox after security researchers discovered vulnerabilities, affecting various operating systems, that hadn’t been patched.
A few days ago we were notified of two vulnerabilities within the Flash Player that could potentially allow an attacker to take control of an affected system. Upon investigation, we confirmed and fixed the issues, and took steps to ensure that this class of attack cannot be used as a future attack vector.
We released an update to Flash Player this morning, and are proactively pushing the update out to users. We are also working with browser vendors to distribute the updated player.
We would like to thank Dhanesh Kizhakkinan of FireEye and Peter Pi of TrendMicro and slipstream/RoL for reporting the issues and working with us to help us quickly address them.
Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers. We are actively working to improve Flash Player security, and as we did in this case, will work to quickly address issues when they are discovered.
Nothing in there about killing Flash. Still, the calls for its death continue.
Wired, one of the best-known magazines in tech, published an article on Wednesday called “Flash. Must. Die.” In it, the technology is called “That insecure, ubiquitous resource hog everyone hates to need.”
The headlines related to Flash are rarely positive. Earlier this year, YouTube deprecated Flash embeds and its Flash API. Then Google started automatically converting Flash ads to HTML5. Flash can potentially hurt websites in search rankings. Google even announced that it would try to save people’s laptop batteries by pausing Flash in Chrome.
Despite the wide disdain for Flash, it’s still being very heavily used in advertising. We recently looked at a study from Sizmek, which called this a “major issue”.
What’s happening is that Flash ads that would otherwise be dynamic are appearing as static images on mobile devices, and this can ultimately cost the advertiser clicks and conversions.
“This raises questions as to whether or not marketers are aware of how many of their ads are not being seen properly and how much ad spend they are wasting,” a spokesperson for the firm tells WebProNews.
“As mobile inventory grows, the channel is also changing, particularly in the realm of rich media. The days of Flash-supported inventory on mobile devices are numbered,” the report says. “iOS devices have never had native Flash support, and it’s been six full operating system versions since Android devices supported Flash. This means that only 11% of Android devices are capable of supporting Flash, and those devices are running significantly out-of-date software. Because mobile support for Flash inventory is nearly extinct, rich media ad formats that rely on Flash are likely to default – or revert to a single, static image – nearly 100% of the time. This means 5.35 billion rich media impressions served to mobile devices were squandered in Q1 of 2015 alone.”
According to Sizmek’s findings, only 8.3% of HTML5 impressions defaulted, while these formats represent less than half of rich media ads served to mobile devices.