Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Amazon to Stop Accepting Flash Ads Due to Browser Limitations

Amazon announced last week its intention to stop accepting Flash-based advertisements for Amazon.com. The decision comes after major web browser vendors decided to implement restrictions for Flash content.

Amazon announced last week its intention to stop accepting Flash-based advertisements for Amazon.com. The decision comes after major web browser vendors decided to implement restrictions for Flash content.

Adobe Flash Player has been in the news a lot lately due to the large number of serious vulnerabilities identified by both white and black hat hackers. Adobe was forced to issue emergency patches on several occasions this year after learning that malicious actors had been exploiting unpatched Flash Player vulnerabilities in their operations.

In a notice posted on its ad specs and policies page, Amazon informed advertisers that it will no longer accept Flash ads on its online shopping website starting with September 1, 2015.

“This is driven by recent browser setting updates from Google Chrome, and existing browser settings from Mozilla Firefox and Apple Safari, that limits Flash content displayed on web pages. This change ensures customers continue to have a positive, consistent experience on Amazon, and that ads displayed across the site function properly for optimal performance,” Amazon said.

Apple, Mozilla and Google have been limiting Flash content in their web browsers, and security experts have often advised users and developers to move away from the insecure software.

“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Facebook’s CSO, Alex Stamos, said in July after the existence of several Flash Player zero-day flaws was brought to light by the data breach suffered by Italian spyware maker Hacking Team.

Adobe on the other hand seems determined to keep the product alive. The company has been working with external security researchers on identifying serious vulnerabilities. In addition, Google’s Project Zero announced in mid-July that it had been working with Adobe on implementing “significant” Flash exploit mitigations.

“While it may seem obvious that Amazon’s decision was made with security in mind, it’s not necessarily true. With more and more users disabling Flash or using a ‘click-to-play’ setting in their browser, Flash-based ads simply aren’t being seen as effectively. After all, who specifically enables Flash to view a banner ad?” Tim Erlin, director of IT security and risk strategy at Tripwire, told SecurityWeek

Advertisement. Scroll to continue reading.

“This is an example of security driving a meaningful change in the industry. While Amazon may not be directly concerned about the vulnerabilities in Flash, enough users (and browsers) have disabled it because of security to effectively force a change from Amazon. If other advertising networks follow suit, it will force attackers to move to a different, and hopefully less effective, platform for malvertizing,” Erlin added.

A Flash Player update released by Adobe earlier this month patches a total of 35 security vulnerabilities, including use-after-free, integer overflow, buffer overflow, and type confusion flaws that can be exploited for arbitrary code execution.

*Updated with comment from Tim Erlin

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.