Adobe Flash -- the aging, bug-laden browser plug-in that's generally scorned by users and businesses -- has some new big-name haters in Mozilla, Google and Facebook's chief security officer (CSO).
Following the discovery of more Flash vulnerabilities that could allow hackers to remotely take over a computer and infect it with malware, Mozilla and Google decided to block the multimedia plug-in in their Firefox and Chrome browsers until Adobe released a new version of Flash that addressed the vulnerabilities. Mark Schmidt, the head of the Firefox support team at Mozilla, took to Twitter to make the announcement and show his support for Occupy Flash, the movement to rid the Internet of Flash:
To be clear, Flash is only blocked until Adobe releases a version which isn't being actively exploited by publicly known vulnerabilities.— Mark Schmidt (@MarkSchmidty) July 14, 2015
Although Adobe has yet to concede the death of Flash, Mozilla's and Google's ultimatum was a success. The Flash ban on Firefox was lifted Thursday after Adobe revealed it had patched the newly discovered vulnerabilities.
Mozilla wasn't the only one hating on Flash this week; Alex Stamos, Facebook's newly appointed CSO, jumped on the bashing bandwagon as well, calling for the plug-in's demise on Twitter.
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.— Alex Stamos (@alexstamos) July 12, 2015
Interestingly enough, Facebook has perpetuated the use of Flash by requiring the plug-in for its image uploader, games and video player. No word on whether this will change, but, if Stamos has his way, we can expect to see Flash's role soon diminish on the social media platform.
History of vulnerability
Flash is no stranger to big-name criticism. Steve Jobs wrote an open letter in 2010 ranting about the plug-in's security problems and buggy performance. Since then, little has changed in regard to Flash's security or performance. It regularly tops Symantec's annual list of vulnerable plug-in programs, as reported by CNN.
The use of Flash has been steadily diminishing over the years to the extent that now only about 11% of websites use Flash, according to technology survey company W3Techs. In one of the biggest blows to the plug-in, YouTube dropped Flash in favor of HTML as its default player earlier this year. Chrome also instituted a new setting that "intelligently pauses" instances of Flash video on its pages.
Will Lassalle, CIO of JLS Technology USA and SearchCIO follower, addressed Adobe's latest debacle in 140 characters:
@bmholak The Adobe Flash debacle shows a) that Steve Jobs was right & b) that Adobe did not take the threats/complaints against Flash srsly— Will Lassalle (@wlassalle) July 16, 2015
With a history of security flaws and constant need for patches, it's not surprising that people are abandoning the troubled browser plug-in. In today's threat-laden digital environment, security can be seen as a competitive advantage among both customers and businesses.
"Customers consider trust in their decision process, maybe more than anything," wrote Gartner analyst Glenn O'Donnell in an email. "If you can buy a 'C' product from trustworthy vendor C, or an 'A' product from risky vendor A, vendor C will win a huge majority of the business over vendor A.
"Such risks are firmly behind the decline of Flash. Steve Jobs may have been the first to challenge Flash so sternly, but many others feel the same way," O'Donnell wrote.
Adobe is finding itself on the wrong side of that competitive advantage, with customers and business continuing to turn to other, more secure software. Perhaps other companies can learn from Adobe's mistakes and recognize the importance of security in business and development.
"I think Flash's downfall is an example of security being an important aspect of software development, which can lead to a competitive advantage," wrote Lassalle.
Why does it matter to CIOs?
CIOs work hard to protect their companies from online threats, so Flash's frequent security lapses -- and Adobe's continuously inadequate threat management -- should set off red flags.
@bmholak It matters to CIOs because Security is a top priority for so many of us the great risk presented by the vulns in Flash are alarming— Will Lassalle (@wlassalle) July 16, 2015
The regular occurrence of Flash vulnerabilities and need for security patches can make the CIO's job more difficult by requiring extra vigilance on their part. The unpredictable and often insecure nature of Flash may ultimately make the risk greater than the reward.
"CIOs hate excessive risk. All sensible business leaders do," O'Donnell wrote. "If something like Flash is exposing them, they will do everything possible to avoid that risk. Because so much Flash remains in place, a full divorce will prove nearly impossible. In the meantime, they need to make sure their butts are covered by ensuring current patches are in place. The browser providers are helping [to] force this issue by blocking unpatched Flash."
All signs point to Flash's eventual demise. However, while many customers, businesses and CIOs are ready to see it die, Adobe isn't.
CIO news roundup for week of July 13
Here are more technology headlines from the week:
- It seems Amazon's Prime Day wasn't so … prime. Amazon claims the event was a huge success, but vocal online customers suggest otherwise. The much-hyped sale event was widely criticized by customers on social media because of its haphazard selection of goods and price cuts.
- Speaking of shopping, Google's making it even easier to buy what you want with its new feature, "Purchases on Google," which will allow consumers to purchase products directly from mobile search ads.
- Sick of reading about Reddit yet? Reddit's been in the news a lot recently after the firing of a key employee sparked protest and the eventual resignation of CEO Ellen Pao. Most recently, Reddit's new CEO laid out a new plan to crack down on inappropriate and hateful communities.
- The connected car race is heating up. Connected car company Zubie Inc. unveiled an open API for the "Internet of Cars," which offers the ability to access vehicle diagnostics and data, for use in its third-party applications. Who owns that data? That's another issue.
- Social media is good for more than just angry rants and selfies. A Pew Research Center study reveals Facebook and Twitter are increasingly being used as news sources, with Twitter being the main source for breaking news among survey participants.
Flash vulnerabilities are just one aspect of security that CIOs need to pay close attention to. For more on security, read how to survive cyberassualts in a digital business environment. Then, get pointers on next-generation security in a mobile culture from Harvey Koeppel.