
Is Project Shumway a viable enterprise option to replace Flash?

Mozilla's Project Shumway was designed to replace the security-troubled Flash Player, so should it be on an enterprise's radar? Expert Michael Cobb discusses.

Mozilla Foundation's Project Shumway appears to be getting closer to release. Shumway was designed to be a viable, more secure replacement for Adobe Flash. How does Mozilla hope to achieve this? Are there any security risks with Shumway that enterprises should be aware of?

Flash was first released by Macromedia in the late 1990s, and is currently developed and distributed as Adobe Flash Player by Adobe Systems Inc., as the result of its 2005 purchase of Macromedia. Flash is freeware for viewing multimedia, such as streaming video, animation and audio, which can run as a browser plug-in or on supported mobile devices. It also plays small Web format (SWF) files.

However, Flash has been plagued with security vulnerabilities; so much so that in 2010, Steve Jobs, CEO of Apple Inc. at the time, published an open letter explaining that Apple wouldn't support Flash on the iPhone, iPod touch and iPad, blaming -- amongst other things -- the abysmal security of the Flash Player. Despite its poor security record, though, Flash Player became the de facto standard for online video publishing. And while most mobile browsers no longer support it, Flash Player remains widely used on desktop browsers.

In an effort to reduce the dangers of playing SWF files, the Mozilla Foundation announced Project Shumway, an HTML5 technology experiment created to explore the possibilities of building an efficient renderer for the SWF file format, without proprietary or native code assistance -- a polite way of saying it aims to replace Flash and its security vulnerabilities with HTML5 and JavaScript. For Mozilla, this is the second major project that replaces an Adobe technology; its PDF.js has pretty much supplanted Adobe Reader as the default technology for rendering PDF files in the browser.

First started in 2012, Shumway is appearing in the latest Firefox Nightly builds. And although it's still some way off being production-ready, it's clearly getting closer to inclusion in the official browser version. For now, the code can only play certain videos hosted on Amazon, but developers intend to expand the list of sites that Shumway will support.

It's worth noting that other projects exist that are also looking to replace Flash Player. Google's Swiffy project, for example, launched as an SWF file to HTML5 converter in 2011. Adobe itself has also been stepping away from Flash; virtually all of its recent projects for Web developers have been about supporting Web standards and creating HTML5-based sites. Additionally, Adobe isn't involved with patching the integrated Flash Player that is part of Google Chrome or Microsoft Internet Explorer, leaving Google and Microsoft to take care of the patching process when a new plug-in version becomes available.

Those enterprises that already ban Flash have no need to enable Shumway on their network machines. Shumway is a workaround for an insecure technology and will only be of interest to enterprises that still require the use of Flash in legacy applications or content. Seeking to prolong Flash may seem odd, and Shumway only solves the security problem: Flash files are neither accessibility- nor Web crawler-friendly. But porting Flash content to HTML5 while maintaining the quality of the user experience, such as frame rate and sound, across a wide range of devices (Samsung S4 and S5, iPhone 5, iPod Touch, iPad and so on) is not easy; it takes time and often requires the use of third-party frameworks, which only increases the attack surface.

Until all devices and browsers can handle HTML5, a different, secure way of viewing SWF files is still needed. Shumway's eventual arrival should make the Internet a safer place to browse and help make the Web's transition from the aging and vulnerable Flash to HTML5 easier.


This was last published in September 2015
