Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Amazon to Stop Accepting Flash Ads Due to Browser Limitations

Amazon announced last week its intention to stop accepting Flash-based advertisements for Amazon.com. The decision comes after major web browser vendors decided to implement restrictions for Flash content.

Amazon announced last week its intention to stop accepting Flash-based advertisements for Amazon.com. The decision comes after major web browser vendors decided to implement restrictions for Flash content.

Adobe Flash Player has been in the news a lot lately due to the large number of serious vulnerabilities identified by both white and black hat hackers. Adobe was forced to issue emergency patches on several occasions this year after learning that malicious actors had been exploiting unpatched Flash Player vulnerabilities in their operations.

In a notice posted on its ad specs and policies page, Amazon informed advertisers that it will no longer accept Flash ads on its online shopping website starting with September 1, 2015.

“This is driven by recent browser setting updates from Google Chrome, and existing browser settings from Mozilla Firefox and Apple Safari, that limits Flash content displayed on web pages. This change ensures customers continue to have a positive, consistent experience on Amazon, and that ads displayed across the site function properly for optimal performance,” Amazon said.

Apple, Mozilla and Google have been limiting Flash content in their web browsers, and security experts have often advised users and developers to move away from the insecure software.

“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Facebook’s CSO, Alex Stamos, said in July after the existence of several Flash Player zero-day flaws was brought to light by the data breach suffered by Italian spyware maker Hacking Team.

Adobe on the other hand seems determined to keep the product alive. The company has been working with external security researchers on identifying serious vulnerabilities. In addition, Google’s Project Zero announced in mid-July that it had been working with Adobe on implementing “significant” Flash exploit mitigations.

“While it may seem obvious that Amazon’s decision was made with security in mind, it’s not necessarily true. With more and more users disabling Flash or using a ‘click-to-play’ setting in their browser, Flash-based ads simply aren’t being seen as effectively. After all, who specifically enables Flash to view a banner ad?” Tim Erlin, director of IT security and risk strategy at Tripwire, told SecurityWeek

Advertisement. Scroll to continue reading.

“This is an example of security driving a meaningful change in the industry. While Amazon may not be directly concerned about the vulnerabilities in Flash, enough users (and browsers) have disabled it because of security to effectively force a change from Amazon. If other advertising networks follow suit, it will force attackers to move to a different, and hopefully less effective, platform for malvertizing,” Erlin added.

A Flash Player update released by Adobe earlier this month patches a total of 35 security vulnerabilities, including use-after-free, integer overflow, buffer overflow, and type confusion flaws that can be exploited for arbitrary code execution.

*Updated with comment from Tim Erlin

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights