Microsoft Edge to Block Flash by Default

Microsoft Edge is the latest Web browser to switch to HTML5 and keep Flash blocked by default unless users enable it to run on sites that require it.

Both Google and Mozilla announced similar moves for the Chrome and Firefox browsers, and Microsoft appears determined to join the pack. While Chrome 55 started blocking Flash by default earlier this month, Mozilla announced in July that Firefox would make a similar move next year. For now, only some Flash content on web pages is being blocked.

Adobe’s Flash Player has been a key driver for rich online content for a very long time, but the large number of vulnerabilities constantly discovered in it, coupled with performance issues, encouraged large Internet players to move away from it. In fact, even Adobe is currently encouraging the deprecation of Flash, and it doesn’t come as a surprise that major browsers are already taking big steps in this direction.

Microsoft Edge already gives users some control over Flash by selectively pausing certain Flash content that is not central to the page, such as ads. All users of the Windows 10 Anniversary Update benefit from this increased control over Flash content, which is set to become even more aggressive next year, when the Windows 10 Creators Update arrives.

“In our next release, we will extend this functionality and encourage the transition to HTML5 alternatives by providing additional user control over when Flash content loads. Windows Insiders will be able to try an early implementation of this feature soon in upcoming preview builds,” Crispin Cowan, Senior Program Manager, and John Hazen, PM Manager, Microsoft Edge, explained.

Starting next year, Microsoft Edge will deliver a clean HTML5 experience when encountering sites that support the standard, and will block Flash altogether in such cases, which should result in improved performance, battery life, and security. When encountering sites that still depend on Flash, the browser will ask users to allow it to load and run, and the choice will be saved for subsequent visits.

To ensure that the transition to HTML5 is smooth, however, the change will not be applied to the most popular sites in the beginning, Microsoft says. Following several months of evaluation and monitoring of Flash consumption in Microsoft Edge, the company will shorten the list of automatic exceptions.

“We advise web developers to migrate to standardized content delivery mechanisms like JavaScript and HTML5 Encrypted Media Extensions, Media Source Extensions, Canvas, Web Audio, and RTC in the coming months,” Cowan notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
