Retiring Adobe Flash Will Make the Web More Secure—Eventually

The news that Adobe had set an expiration date for the Flash media player was likely greeted in various ways at Web businesses around the world depending on whether they had already migrated to more modern multimedia platforms.

In some IT departments, the word that Adobe will stop supporting Flash at the end of 2010 means more work to check how many corporate Websites and applications still depend on flash and what needs to be done to update them to more modern players.

For the security staff, the end of Flash is very good news indeed. Flash, despite its many updates over the years, remains inherently insecure. The Flash player itself is a nearly irresistible target for hackers and it provides a wealth of entry points for malware of all sorts. Worse, Flash updates were easily spoofed, tricking end users into installing fake updates that contained malware.

RIP Flash

The size of the problem depended on what platform your organization supports Users of Apple’s iOS, for example, should already know that their devices do not support Flash.  Android, on the other hand, used to support Flash in versions 4.0 and below, but Flash support ended with Android version 4.1.

The problem is there are a lot of malware attacks that start with a browser pop-up that announces that the mobile device isn’t running Flash and then asks to install it. But since the device won’t support Flash, what’s actually being done is to install some kind of malware that happens to look just like the Flash installer you’d get from Adobe.

Something similar can happen to the Flash players in Windows and MacOS. Flash is supported in those environments, but these days it’s usually turned off. Just like on Android devices, you’ll see the prompt appear from a pop-up asking to install Flash from some unknown website. If you do, you will be installing malware unless you get the installation directly from Adobe.

But the threat doesn’t end there. Flash apps can make use of legitimate Flash players to install and run malware that can sometimes elude antivirus software. Of course, the Flash player itself was a favorite target for hackers because of its ubiquity and its ability to gain control of computer resources.

All of this means that the security staff will need to make sure that your organization, as well as devices that can access the company network, run frequently-updated Flash players.

Or they can solve the whole Flash problem by not allowing Flash on any computer or device that’s able to connect to the company network.

Originally published on eWeek

Read more on Page 2…