And so continues the slow strangulation of Flash with weak hands as both Google and Microsoft promise to begin blocking Flash content in certain situations.
Google said it would start by blocking Flash for about 1% of users with the stable release of Chrome 55, and with the release of Chrome 56 in February, all users will see HTML5 content by default and Flash blocked.
"Starting in January users will be prompted to run Flash on a site-by-site basis for sites that they have never visited before," Eric Deily, wrangler of the default at Google, wrote in a blog post. "We want to avoid over-prompting users, so over time we'll tighten this restriction using Site Engagement Index, a heuristic for how much a user interacts with a site based on their browsing activity. In October all sites will require user permission to run Flash."
Microsoft had already made Flash content click-to-run in the Edge browser with the Anniversary Edition of Windows 10, but said it would "extend this functionality and encourage the transition to HTML5 alternatives" in the Windows 10 Creator's update scheduled for release next year.
"Sites that support HTML5 will default to a clean HTML5 experience. In these cases, Flash will not even be loaded, improving performance, battery life, and security," Crispin Cowan, senior program manager for Microsoft Edge, wrote in a blog post. "For sites that still depend on Flash, users will have the opportunity to decide whether they want Flash to load and run, and this preference can be remembered for subsequent visits."
Both Apple and Mozilla have already taken steps to reduce Flash Player usage in the Safari and Firefox browsers, respectively. Experts said even though Microsoft is not altering how Internet Explorer handles Flash, the popularity of Google Chrome should expedite the death of Flash. And, John Bambenek, threat systems manager at Fidelis Cybersecurity, told SearchSecurity: "Even Adobe has said they believe the future is HTML5, the sooner we have the funeral and bury this dead horse, the better."
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said the decision to block Flash by default will lead to the software dying quickly.
"Google is giving websites using HTTPS and digital certificates higher search rankings," Bocek told SearchSecurity. "There are big incentives to move apps over to HTML5 running native on HTTPS -- this will make HTML5 go even faster."
Bambenek said there were big security benefits from blocking Flash by default.
"Flash is a notoriously insecure plug-in that a large portion of active web attacks are directed against. Malicious advertising is almost exclusively Flash-based exploitation," Bambenek said. "By disabling by default, this puts a significant dent in the exposure of consumers to malicious attacks since it is difficult to rely on those same users to reliably patch their machines."
Experts roundly agreed that the death of Flash has been a long time coming, and Bocek said Adobe has proven Flash cannot be secure.
"Time has come for Flash to be killed off. Unlike every mobile app, Flash lacks the core security of identifying developers uniquely with code signing digital certificates," Bocek said. "Adobe's Flash sandbox has been riddled with holes. It should be blocked by all browsers, everywhere."
Bobby Kuzma, system engineer at Core Security, said the "death of Flash has been a foregone conclusion since Apple decided to not support it on iOS."
"I'd be lying if I said Flash was anything other than the security equivalent of a festering open sore that could cause its host to die of sepsis at any moment," Kuzma told SearchSecurity. "Let's get on with putting a stake through its heart, burying it at a crossroads and salting the ground nearby. Flash needs to become a figure of mythology, like a vampire."