Tuesday, 16 February 2016 01:38

Flash is certainly on its way out, but will that really fix much?


Last week Google announced that they will no longer be accepting ads that feature Flash. This news should really come as no surprise, as Flash (and its spirit brother Java) have taken a beating on the security front for years. Adobe and Oracle have been unable to keep the bad guys from running rampant with their code. Of course, the change will not take place overnight, so everyone has the chance to swap out that old and insecure Flash for the new and (insecure) HTML5.

What makes things more interesting about this (to me anyway) is that it has not always been Flash or even Java that has been exploited. It is what your system has to do to execute that code that is the problem. Both Java and Flash require elevated permissions to run. These elevated permissions are what can give the attacker the chance to push their malicious payload through in the background. There is also the bugging and cumbersome update mechanism.

Even though there is a way to automatically update both, most people are so familiar with the “you need to update Flash/Java” pop-up that they click on it automatically. This has opened up even more holes in an already insecure process (browser helpers and plug-ins). The focus has always been on the plug-in or helper and not the system behind everything. The current BHO and plug-in system is seriously flawed, but since Java and Flash are the current boogeymen, it is not likely that anyone will take a look at that anytime soon. Even sandboxed browsers have had their issues when it comes to BHOs and plug-ins, which should be an indication of where the real problem lies.

In the end, Flash-based ads will slowly disappear from the internet. Google has given a deadline of June 30th 2016 for uploading new ads, and on January 2nd 2017 they will all stop working. The good news is that video ads using Flash get to stick around for a little longer…

Last modified on Tuesday, 16 February 2016 11:55
