Mozilla Foundation's Project Shumway appears to be getting closer to release. Shumway was designed to be a viable, more secure replacement for Adobe Flash. How does Mozilla hope to achieve this? Are there any security risks with Shumway that enterprises should be aware of?
Flash was first released by Macromedia in the late 1990s, and is currently developed and distributed as Adobe Flash Player by Adobe Systems Inc., as the result of its 2005 purchase of Macromedia. Flash is freeware for viewing multimedia, such as streaming video, animation and audio, which can run as a browser plug-in or on supported mobile devices. It also plays small Web format (SWF) files.
However, Flash has been plagued with security vulnerabilities; so much so that in 2010, Steve Jobs, CEO of Apple Inc. at the time, published an open letter explaining that Apple wouldn't support Flash on the iPhone, iPod touch and iPad, blaming -- amongst other things -- the abysmal security of the Flash Player. Despite its poor security record, though, Flash Player became the de facto standard for online video publishing. And while most mobile browsers no longer support it, Flash Player remains widely used on desktop browsers.
First started in 2012, Shumway is appearing in the latest Firefox Nightly builds. And although it's still some way off being production-ready, it's clearly getting closer to inclusion in the official browser version. For now, the code can only play certain videos hosted on Amazon, but developers intend to expand the list of sites that Shumway will support.
It's worth noting that other projects exist that are also looking to replace Flash Player. Google's Swiffy project, for example, launched as an SWF file to HTML5 converter in 2011. Adobe itself has also been stepping away from Flash; virtually all of its recent projects for Web developers have been about supporting Web standards and creating HTML5-based sites. Additionally, Adobe isn't involved with patching the integrated Flash Player that is part of Google Chrome or Microsoft Internet Explorer, leaving Google and Microsoft to take care of the patching process when a new plug-in version becomes available.
Those enterprises that already ban Flash have no need to enable Shumway on their network machines. Shumway is a workaround for an insecure technology and will only be of interest to enterprises that still require the use of Flash in legacy applications or content. Seeking to prolong Flash may seem odd, and Shumway solves only the security problem: Flash files are neither accessibility-friendly nor Web crawler-friendly. But porting Flash content to HTML5 while maintaining the quality of the user experience, such as frame rate and sound, across a wide range of devices (Samsung S4 and S5, iPhone 5, iPod Touch, iPad and so on) is not easy; it takes time and often requires the use of third-party frameworks, which only increases the attack surface.
Until all devices and browsers can handle HTML5, a different, secure way of viewing SWF files is still needed. Shumway's eventual arrival should make the Internet a safer place to browse and help make the Web's transition from the aging and vulnerable Flash to HTML5 easier.
Ask the Expert:
Perplexed about application security? Send Michael Cobb your questions today. (All questions are anonymous.)