Flash Is Again Under Fire

Last week, a group of hackers known as The Hacking Team was itself hacked. The breach led to the disclosure that they were leveraging a vulnerability in the Adobe Flash browser plugin, commonly used to display video on the web, to remotely take control of people's computers. This new information (both that the vulnerability in the software exists, and that it was being actively used to infect computers with malware) has led to a fairly intense backlash against the web plugin, adding to a long history of blows against the software.

Kicking off the Internet's response was a tweet from Facebook's security chief firmly suggesting that "It is time for Adobe to announce the end-of-life date for Flash," which opened the floodgates of commentary, including UK publication The Independent providing readers with instructions (heads up: their page is ad-heavy) for removing the software altogether. The latest response was from Mozilla, which as of late Monday night blocked the plugin in their Firefox browser until an update could be released.

On Tuesday, Adobe released the patched update and a response, but the conversation has hit a new stride. Should Flash die? The software undoubtedly has a rocky security record, and will likely remain "a target of malicious hackers" until the plugin is no longer used.

So why join the conversation? First, Flash is reportedly used by under 11% of websites, which is down significantly from usage a decade ago. YouTube launched in 2005 using only Flash, but as of January has abandoned it completely in favor of HTML5, and Facebook seems to be not far behind. Steve Jobs famously wrote his "Thoughts on Flash" in 2010 when Apple refused to include Flash on the then newly released iPad, and the software remains unavailable on iOS devices.

If you or your site relies on Flash:
  • It may be wise to consider leveraging HTML5 technologies instead.
  • Consider the drawbacks of performance, stability and security, and stay informed.
  • Be sure to keep the plugin up to date in your browsers and do your best to stay apprised of any future vulnerabilities, disabling the plugin as needed.