Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Adobe to Kill Flash Player, End Support by 2020

Adobe on Tuesday said that it would kill its Flash Player and stop providing security updates by the end of 2020.

Adobe on Tuesday said that it would kill its Flash Player and stop providing security updates by the end of 2020.

Adobe Flash Player has made headlines over the years due to the large number of serious vulnerabilities identified by both white and black hat hackers. The company has been forced to issue emergency patches on several occasions after learning that malicious actors had been exploiting unpatched Flash Player vulnerabilities in their operations.

According the company, the decision was made in collaboration with several Adobe technology partners including Apple, Facebook, Google, Microsoft and Mozilla. 

“Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats,” Adobe said.

Adobe said it would continue to support Flash on a number of major OSs and browsers that currently support Flash content through the planned EOL. 

“This will include issuing regular security patches, maintaining OS and browser compatibility and adding features and capabilities as needed,” Adobe said in a blog post. “We remain fully committed to working with partners, including Apple, Facebook, Google, Microsoft and Mozilla to maintain the security and compatibility of Flash content.”

While Adobe has officially made the decision to kill-off the vulnerable software product, many other leading internet firms have been pushing hard against the software over the past years and trying to limit the use of Flash across their products and services. 

In May 2016, Google announced its plans to block Adobe Flash and implement an ‘HTML5 by Default’ policy on Chrome by the end of 2016. 

Advertisement. Scroll to continue reading.

“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Facebook’s CSO, Alex Stamos, said in July 2015 after the existence of several Flash Player zero-day flaws was brought to light by the data breach suffered by Italian spyware maker Hacking Team.

In June 2016, Google stopped accepting display ads built in Adobe Flash, not long after Amazon stopped accepting Flash ads on its online shopping website. At the time, Amazon said that the move, which went into effect on Sept. 1, 2015, was prompted by browser setting in Chrome, Firefox, and Safari, which were meant to limit Flash content displayed on web pages.

Nathan Wenzler, chief security strategist at security consulting company AsTech, believes there will be a lot of split feelings about the official EOL announcement for Flash.

“On one hand, a great deal of the multimedia games, videos, graphics and other rich services that have helped make the Internet what it is today were originally built on Flash. It provided a great platform for a huge array of products, and it could be argued we wouldn’t be where we are today without it,” Wenzler told SecurityWeek. “That said, the security world will likely rejoice at the retirement of a product which has had a huge number of well-known vulnerabilities and flaws over the years, which have been the entry point for malicious tools that have compromised millions of systems across the globe.”

“While Adobe has been increasingly more vigilant about hardening Flash and more consistently providing patches and hotfixes whenever a vulnerability was identified, it still served as a particular pain point for a lot of organizations to keep Flash patched and maintain a consistent security posture for their systems which had Flash installed,” Wenzler added.

Chris Roberts, chief security architect at threat detection and defense solutions provider Acalvio, pointed out that the end of Flash Player has been coming for a while.

“It’s been good while we had it, but let’s face it, it’s been a whipping boy of the security industry for a while with more than 1000 CVE’s dedicated to it throughout the years,” Roberts said via email. “Kind of like many of us in the industry that find ourselves getting grayer and less tolerant of others, it’s time to hang up the hat and work out how to retire. At least in Flash’s world, it’s been given a nice sunset (until 2020) and probably a good pension in the vaults of software somewhere.”

Flash Player was originally developed by Macromedia, which was acquired by Adobe in 2005.

*Updated with comments from Nathan Wenzler and Chris Roberts

Related: Top 10 Security Threats for HTML5

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.