August 2, 2017

Adobe last week detailed plans to retire its Flash Player software, a cross-platform browser plugin so powerful and so packed with security holes that it has become the favorite target of malware developers. To help eradicate this ubiquitous liability, Adobe is enlisting the help of Apple, Facebook, Google, Microsoft and Mozilla. But don’t break out the bubbly just yet: Adobe says Flash won’t be put down officially until 2020.

brokenflash-aIn a blog post about the move, Adobe said more sites are turning away from proprietary code like Flash toward open standards like HTML5, WebGL and WebAssembly, and that these components now provide many of the capabilities and functionalities that plugins pioneered.

“Over time, we’ve seen helper apps evolve to become plugins, and more recently, have seen many of these plugin capabilities get incorporated into open web standards,” Adobe said. “Today, most browser vendors are integrating capabilities once provided by plugins directly into browsers and deprecating plugins.”

It’s remarkable how quickly Flash has seen a decline in both use and favor, particularly among the top browser makers. Just three years ago, at least 80 percent of desktop Chrome users visited a site with Flash each day, according to Google. Today, usage of Flash among Chrome users stands at just 17 percent and continues to decline (see Google graphic below).

For Mac users, the turning away from Flash began in 2010, when Apple co-founder Steve Jobs famously penned his “Thoughts on Flash” memo that outlined the reasons why the technology would not be allowed on the company’s iOS products. Apple stopped pre-installing the plugin that same year.

The percentage of Chrome users over time that have used Flash on a Web site. Image: Google.

The percentage of Chrome users over time that have used Flash on a Web site. Image: Google.

“Today, if users install Flash, it remains off by default,” a post by Apple’s WebKit Team explains. “Safari requires explicit approval on each website before running the Flash plugin.”

Mozilla said that starting this month Firefox users will choose which websites are able to run the Flash plugin.

“Flash will be disabled by default for most users in 2019, and only users running the Firefox Extended Support Release will be able to continue using Flash through the final end-of-life at the end of 2020,” writes Benjamin Smedberg for Mozilla. “In order to preserve user security, once Flash is no longer supported by Adobe security patches, no version of Firefox will load the plugin.”

Facebook has long hosted plenty of games that invoke Flash, but over time more Facebook apps and games turned to HTML5, the company said.

“Today, more than 200 HTML5 games are live on our platform, most of which launched within the last year,” wrote Facebook’s Jakub Pudelek. “Many of the largest developers on the platform…migrated at least one Flash game to HTML5 on the Facebook platform with minimal impact to their existing customers.”

Finally, Microsoft said it has begun phasing out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. For now, Microsoft Edge, the default browser on newer versions of Windows, will continue to ask users for permission to run Flash on most sites the first time the site is visited, remembering the user’s preference on any subsequent visits.

By mid- to late 2018, Microsoft says, Edge will require permission for Flash to be run each browser session. But by mid 2018, Microsoft will disable Flash by default in both Edge and Internet Explorer. Read more about Microsoft’s timeline for Flash elimination here.

For years, unpatched vulnerabilities in Flash plugins have been the top moneymaker for users of various commercial “exploit kits,” crimeware designed to be stitched into the fabric of hacked or malicious sites and exploit browser plugin flaws.

An analysis of exploit kit activity  by Arlington, Va.-based security firm Recorded Future showed that Flash Player vulnerabilities provided six of the top 10 vulnerabilities used by exploit kits in 2016 [full disclosure: Recorded Future is an advertiser on this blog].

Image: Recorded Future

Image: Recorded Future

I look forward to a time when Flash Player is in the rearview mirror entirely. Until then, KrebsOnSecurity will continue to call attention to new security updates for Flash Player and other widely used Adobe products.

Even so, I’ll also continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions ) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.

39 thoughts on “Flash Player is Dead, Long Live Flash Player!

  1. IRS iTunes Card

    I just went into “chrome://settings/content” and disabled Flash in Chrome 60

  2. Max

    Some sites require flash only if they detect you have it. So it’s better to disable entirely rather than use “click to enable”.

    1. Steve

      More over, some federal applications require flash in order to be complaint with their software requirements. See FRBs new requirements for Fedline Web. “Adobe Flash 11 or higher”…oh look!, they also require JRE. Sighhhhhhhh

  3. Quote Police

    You’re misusing this ancient quote. The phrase “The King is dead, long live the King!” meant in fact “The [Old] King is dead, long live the [New] King!”.

    So your quote ought to be “Flash Player is Dead, Long Live HTML5!” (0r some such)

        1. Larry

          Opps! Should be “yours”. Sure wish I could edit comments here!

    1. zboot

      Actually, you’re the one misusing the quote. Just like the meaning of “a few bad apples” has changed in recent discourse so has this phrase. Now, it’s almost exclusively used to mean, even though X is reportedly dead, it really still is going to be around for a while (sometimes in slightly different form under a different name).

  4. Jon

    I can’t wait for Flash to die. In the environment I work in, Flash is a disallowed technology for new development and has been since 2012. However, with how sprawling the environment is, it still gets used all the time as there’s not enough oversight on that kind of thing. I worry that at some point the network is going to be breached and I just know flash is going to be the vector.

  5. JCitizen

    2020 seems like an awful long time to wait! 🙁
    Thanks Brian!

  6. jim miller

    Now if we could just get sites to stop requiring Java for special purpose calculations.

    Drives me crazy.


  7. David C.

    On my personal computers, I disabled Flash (set Firefox to “never activate”) about two weeks ago. It hasn’t been a problem so far.

    On my work computer, I’ve left it in “ask to activate” mode, but I haven’t had a need to activate it recently, so maybe it is finally safe to turn it off for good.

    All this having been said, Firefox’s ask-to-activate mode (and similar features from other browsers) is really not good enough. They only offer coarse-grained configuration – enable it on a per-page (or per-site) basis, affecting every flash object that may load on that page (or site).

    The problem is that although you may want to view Flash content from a site (because that’s the content you’re seeking), you still don’t want to load the Flash content that’s fed into the site by some advertising network – that just consumes CPU, destabilizes your browser, and has the potential to introduce malware.

    To solve this problem, I use two tools (one is probably sufficient). AdBlock Plus (or any reasonable ad blocker) will block the advertising networks that feed the Flash-based ads (and most other ads, including JavaScript ones, which can be just as obnoxious without using Flash).

    FlashBlock (from the Mozilla add-ins site) replaces Flash objects with placeholder objects. The Flash object doesn’t load until you click on the placeholder. So you can see the ones you want and block the rest. It includes a whitelist that can be used to match against the source of the Flash object instead of the page that’s embedding it (so, for example, back when YouTube was Flash based, you could allow all YouTube videos wherever they may be found but block Flash from all other sources, even when embedded on the same page).

    I’ll be keeping AdBlock Plus for a long time, since it blocks more than just Flash. After I’ve decided that I can truly disable Flash, I’ll get rid of FlashBlock, since it will have become unnecessary.

    1. Dave

      >I’ll be keeping AdBlock Plus for a long time, since it blocks more than just Flash.

      Well, until November anyway when Mozilla kills off all existing extensions and hastens Firefox’s slide into oblivion.

  8. user

    Now if MS would allow us to remove flash from W10 …

  9. Grey Peterson

    The question is, once Flash is gone, how long will it take for hackers to pick a new attack vector to relentlessly hammer away at?

  10. Aurangzeb

    I used to play online games with flash player 🙁 That’s the only thing that will be missed I think!

  11. user2

    Flash dies when the top 10 Facebook games stop using Flash.

  12. Dave

    Interesting to note from the Chrome-users graph you’ve posted that most of the use of Flash seems to be for web bugs. So alongside the huge security risk you’re not even getting any value from it, just an invasion of privacy.

  13. someone

    @Grey: the answer is already been there, done that. It’s Java. For a while there were more critical java vulnerabilities being announced than Flash.

    Now, Oracle finally caved and exempted Java from their “all updates come once per quarter” and pickings eventually grew thinner with the Java plugin being less commonly installed. But until Oracle sunsets Java (not likely, they paid a lot of money to Sun in order to sue Google over Java and for other financial reasons) it is the best known, widely installed, vulnerable plugin.

    Looking to the future expect to see attacks going after some of what gets (correctly or not) lumped into “html5”. For example, expect to see attacks on WebGL (security? what security? we don’t need no stinking security!). Currently, penetration is pretty low, but that can reasonably be expected to pick up and — as always — no effort will be put into security until its too late.

  14. The48thRonin

    I absolutely hate flash. It’s one of the worst, slowest plugins that I’ve ever encountered. It also doesn’t run on one of my laptops (a PowerBook G4, if you’re curious).

    That being said, I’ll be sad to see it go. The huge library of games on places like Newgrounds or will eventually not work again, and while I don’t frequent those sites anymore, they were a huge part of my childhood and a great time-waster during elementary and middle school, and I’m sure many other people have a certain nostalgia for these games.

  15. Moike

    Flash won’t be completely dead even after 2020: Flash applications will continue to run in the desktop-hosted Adobe Air environment.

  16. oliver

    But.. but.. what about all those porn sites?
    They will die w/o flash.

    1. bpratt

      I doubt that very many porn sites still use flash. These sites want to make money and poor security will kill that function so the tend to be quite savvy about things. Interestingly, what you really don’t want to mess with is church related stuff. Now THESE sites often have extremely poor security 🙂

    2. R417

      What sites do you visit? All main porn sites enabled html5 afaik. What strange stuff do you watch 😉 ?

    3. coakl

      Sites that claim to require Flash, *will* serve you HTML5 video, if they don’t detect Flash in your browser. They do this to avoid losing Flash-less customers, a.k.a. those with Apple products.

      The key is that there’s no Flash installed at all in that browser.
      Not just disabled. If a dual-format site detects installed, but disabled Flash, it may insist that you turn on Flash.

  17. 4360radialengine

    Even though flash player is being killed off thankfully, it will still be around for legacy apps and websites for a while so we will still have problems with it for a few years until it dies out completely by attrition.

  18. Ninja

    I hope they leave some player behind for legacy content. I have a few flash games I’m fond of saved on my hdd

  19. peter glasgiw

    I need remove the latest flash player of my pc or alone unistall it

  20. Ronm

    I quit using flash, I think somewhere in 2005…
    I quit using Adobe stuff soon afterwards.

    Using another PDF viewer because I was annoyed by the lack of speed because of all those plug-ins which ‘had’ to be loaded. You could move them out of the way. But I had to do it everytime I got some other notebook when hired by another customer.

    I quit Java.

    As a consumer you not really need it.
    Only use it on a development workstation if I need to write some stuff.
    Don’t use it privately.

    I quit using Microsoft Windows 10!

    Because Edge sucks. IE11 doesn’t work properly anymore, to ancient.
    I don’t like games. Don’t understand why you need it on a ‘Pro’ version. I don’t like it that everytime something like CandyCrush appears in your menu. If you remove it, it will soon reappear…
    Microsoft doesn’t deliver software for professionals, not even after so many years.

    MS Windows has become a sales platform instead of means to do your work…

    Somehow those management teams need a shake down. Need a reset or something. Need to see the difference between ‘Consuming’ and ‘Producing’.

    A computer is still just a machine to process information, create and manage…

    Sorry for my outburst, I think the words Adobe and Flash triggered it.


  21. Lennart

    If you must rely on Flash for legitimate reasons, and want to avoid loading flash player on your endpoint, take a look at Menlo Security – www.
    Menlo runs flash in it’s remote/isolated browser in Menlo’s cloud or the customer’s private cloud, re-encodes and streams the content as HTML5!

  22. samak

    “Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.”
    I’ve seen this said a few times – I’m not technical and don’t understand how it helps security. Surely the bad stuff is still on your computer. A non-technical explanation would be much appreciated!

    1. Nobby Nobbs

      The idea being, just having plash player on your computer doesn’t do anything. It’s when you browse to a malicious site that you get infested.

      So if you only use, say Opera, to go to your only Flash site, and use Firefox (w/o Flash) for daily browsing, you’ll be fairly safe.

  23. Sam

    Flash is dead. No doubt about it. But some sites still requires flash to work properly. sad.

  24. Chris

    We use Flash to integrate accessibility for people with disabilities and those who are aging which results in ROI and compliance for orgs. Efforts in the “alternative” have resulted in 4x file size, 400x code and 3x security risk. Don’t blame the tool for what people do with it. You can use a hammer to build an orphanage or a brothel…

    1. BrianKrebs Post author

      Sorry but I disagree about the tool analogy. Flash is way too powerful for how insecure it is, and attackers figured this out long ago. I used to go to hacker conferences where some attendees would brag they could hack 95 percent of the planet’s computers because they’d worked out a few flash zero days on their own.

Comments are closed.