Amazon announced last week its intention to stop accepting Flash-based advertisements for Amazon.com. The decision comes after major web browser vendors decided to implement restrictions for Flash content.
Adobe Flash Player has been in the news a lot lately due to the large number of serious vulnerabilities identified by both white and black hat hackers. Adobe was forced to issue emergency patches on several occasions this year after learning that malicious actors had been exploiting unpatched Flash Player vulnerabilities in their operations.
In a notice posted on its ad specs and policies page, Amazon informed advertisers that it will no longer accept Flash ads on its online shopping website starting with September 1, 2015.
“This is driven by recent browser setting updates from Google Chrome, and existing browser settings from Mozilla Firefox and Apple Safari, that limits Flash content displayed on web pages. This change ensures customers continue to have a positive, consistent experience on Amazon, and that ads displayed across the site function properly for optimal performance,” Amazon said.
Apple, Mozilla and Google have been limiting Flash content in their web browsers, and security experts have often advised users and developers to move away from the insecure software.
“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” Facebook’s CSO, Alex Stamos, said in July after the existence of several Flash Player zero-day flaws was brought to light by the data breach suffered by Italian spyware maker Hacking Team.
Adobe on the other hand seems determined to keep the product alive. The company has been working with external security researchers on identifying serious vulnerabilities. In addition, Google’s Project Zero announced in mid-July that it had been working with Adobe on implementing “significant” Flash exploit mitigations.
“While it may seem obvious that Amazon’s decision was made with security in mind, it’s not necessarily true. With more and more users disabling Flash or using a ‘click-to-play’ setting in their browser, Flash-based ads simply aren’t being seen as effectively. After all, who specifically enables Flash to view a banner ad?” Tim Erlin, director of IT security and risk strategy at Tripwire, told SecurityWeek.
“This is an example of security driving a meaningful change in the industry. While Amazon may not be directly concerned about the vulnerabilities in Flash, enough users (and browsers) have disabled it because of security to effectively force a change from Amazon. If other advertising networks follow suit, it will force attackers to move to a different, and hopefully less effective, platform for malvertizing,” Erlin added.
A Flash Player update released by Adobe earlier this month patches a total of 35 security vulnerabilities, including use-after-free, integer overflow, buffer overflow, and type confusion flaws that can be exploited for arbitrary code execution.
*Updated with comment from Tim Erlin