Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Amazon to Stop Accepting Flash Ads Due to Browser Limitations

Amazon announced last week its intention to stop accepting Flash-based advertisements for The decision comes after major web browser vendors decided to implement restrictions for Flash content.

Amazon announced last week its intention to stop accepting Flash-based advertisements for The decision comes after major web browser vendors decided to implement restrictions for Flash content.

Adobe Flash Player has been in the news a lot lately due to the large number of serious vulnerabilities identified by both white and black hat hackers. Adobe was forced to issue emergency patches on several occasions this year after learning that malicious actors had been exploiting unpatched Flash Player vulnerabilities in their operations.

In a notice posted on its ad specs and policies page, Amazon informed advertisers that it will no longer accept Flash ads on its online shopping website starting with September 1, 2015.

“This is driven by recent browser setting updates from Google Chrome, and existing browser settings from Mozilla Firefox and Apple Safari, that limits Flash content displayed on web pages. This change ensures customers continue to have a positive, consistent experience on Amazon, and that ads displayed across the site function properly for optimal performance,” Amazon said.

Apple, Mozilla and Google have been limiting Flash content in their web browsers, and security experts have often advised users and developers to move away from the insecure software.

“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Facebook’s CSO, Alex Stamos, said in July after the existence of several Flash Player zero-day flaws was brought to light by the data breach suffered by Italian spyware maker Hacking Team.

Adobe on the other hand seems determined to keep the product alive. The company has been working with external security researchers on identifying serious vulnerabilities. In addition, Google’s Project Zero announced in mid-July that it had been working with Adobe on implementing “significant” Flash exploit mitigations.

“While it may seem obvious that Amazon’s decision was made with security in mind, it’s not necessarily true. With more and more users disabling Flash or using a ‘click-to-play’ setting in their browser, Flash-based ads simply aren’t being seen as effectively. After all, who specifically enables Flash to view a banner ad?” Tim Erlin, director of IT security and risk strategy at Tripwire, told SecurityWeek

“This is an example of security driving a meaningful change in the industry. While Amazon may not be directly concerned about the vulnerabilities in Flash, enough users (and browsers) have disabled it because of security to effectively force a change from Amazon. If other advertising networks follow suit, it will force attackers to move to a different, and hopefully less effective, platform for malvertizing,” Erlin added.

A Flash Player update released by Adobe earlier this month patches a total of 35 security vulnerabilities, including use-after-free, integer overflow, buffer overflow, and type confusion flaws that can be exploited for arbitrary code execution.

*Updated with comment from Tim Erlin

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...