Will YouTube HTML5 transition mean the end of Flash security issues?

News roundup: YouTube announced it has stopped using Flash by default in favor of HTML5. Is this the long-awaited end for Flash? Plus: Java was the riskiest software in 2014; BEC scam cost $215 million last year; NFL data interceptions.

It's no secret that many security professionals have long wished they could rid themselves of Adobe Systems Inc.'s high-risk Flash multimedia platform. After what's already been a turbulent, patch-ridden month, the world's most popular video-sharing website dealt it another blow, one that could lead to its obsolescence.

Google's YouTube announced Tuesday that after four years of working with Web browsers and the "broader community," it has stopped using Flash as its default video player in favor of HTML5.

"The benefits of HTML5 extend beyond Web browsers," YouTube's Engineering Manager Richard Leider wrote in a blog post. "It's now also used in smart TVs and other streaming devices."

YouTube began dabbling in the world of HTML5 more than five years ago. A company blog post from June 29, 2010, discussed the company's interest in switching from Flash to HTML5, but at the time it cited a number of issues with HTML5 that prevented it from becoming the company's preferred video-delivery platform, including its lack of support for adaptive bitrate (ABR).

Now that HTML5 has adopted ABR, YouTube has made the swap, noting that the change will help improve user experience by reducing buffering rates by more than 50% globally and up to 80% on crowded networks. ABR also enables live streaming on Xbox One and PlayStation 4, as well as use of streaming devices such as Chromecast.

Consistent Flash security issues highlight product's turbulent past

Flash has had a rocky start to 2015. Adobe's first patch update of the year, released Jan. 13, fixed nine critical flaws in the video technology. Nine days later, the company released an out-of-band patch for a critical vulnerability, followed by another emergency patch released last Saturday to fix yet another critical flaw.

Flash security issues, however, aren't new; its history is riddled with problems. Year after year, it has required near-constant patching to fix a slew of zero-day vulnerabilities, same-origin policy bypass flaws, privilege-escalation issues, denials-of-service, memory-corruption errors, remote code-execution flaws and more.

In a detailed statement to SearchSecurity, an Adobe spokesperson highlighted the numerous security initiatives the vendor has rolled out for Flash in recent years, including sandboxing for various browsers, automatic background updates, and ongoing efforts to improve its secure development lifecycle.

"Over the last five years in particular, we have increased the investment in our security efforts with focused initiatives, faster response times, and improved communication to customers and stakeholders," Adobe said. "This included improving the security of legacy sections of the code base by targeting high-risk areas of the application for fuzzing, static code analysis, manual code review, threat modeling and strengthening input validation. And we significantly improved incident response processes for regularly scheduled updates as well as for urgent situations, such as a zero-day."

Adobe released a further statement on the issue, touching on Flash's significance and the company's stance behind HTML5.

"Flash is an important technology for media and content companies worldwide, with over 1.5 billion downloads and updates for the Flash Player every month," Adobe said. "At the same time, Adobe is a pioneer in the delivery of HTML5 development tools and a positive contributor to the HTML standard. Flash and HTML will continue to coexist and Adobe is committed to support and advancing both technologies."

Despite Adobe's efforts, the demise of Flash has been predicted for some time. Adobe itself said in 2012 that "HTML5 is now universally supported on major mobile devices, in some cases exclusively. This makes HTML5 the best solution for creating and deploying content in the browser across mobile platforms."

In a 2012 SearchSecurity article, expert Michael Cobb said that HTML5 was a more secure Web video platform than Flash because HTML5 is open source and does not require a plugin, eliminating a common attack vector for hackers.

"HTML5 means developers can now incorporate multimedia into their sites using an open standard," Cobb wrote. "This is a far better situation than using an assortment of third-party plug-ins. As long as developers take the time to learn how to use its many new features securely, the security industry can look forward to a richer and more secure Internet."

In 2010, the late Apple CEO Steve Jobs stood behind the company's decision not to support Flash on iOS; what was once criticized can now be viewed as the start of Flash's downfall.

"Besides the fact that Flash is closed and proprietary, has major technical drawbacks, and doesn't support touch based devices, there is an even more important reason we do not allow Flash on iPhones, iPods and iPads," Jobs said. "We have discussed the downsides of using Flash to play video and interactive content from websites, but Adobe also wants developers to adopt Flash to create apps that run on our mobile devices." This was a process Jobs knew would be a "painful experience."

Apple announced Tuesday that due to security issues in older versions, its Web plugin-blocking mechanism would disable all Flash versions prior to and

At press time, YouTube is using HTML5 video by default in Chrome, Internet Explorer 11, Safari 8 and beta versions of Firefox.

In other news

  • A report released by Copenhagen-based vulnerability firm Secunia ApS this month stated that Oracle's Java Runtime Environment tops the list as the biggest desktop risk in the U.S. Using data from its Personal Software Inspector scans, the company found that 48% of users run unpatched versions of Java; its risk exposure, which was calculated by multiplying the percentage of market share with the percentage of unpatched PCs, was 31%. This means nearly one-third of all PCs are vulnerable because of JRE. The report also concluded that 12.9% of PCs run unpatched OSes, 11.6% use unpatched third-party programs, and 5.7% run programs no longer patched by the vendor.
  • An announcement last week from the Internet Crime Complaint Center (IC3) published details about a global scam that cost businesses nearly $215 million over a 14-month period. Dubbed "business email compromise," or BEC, the scam targets companies working with foreign suppliers as well as businesses that regularly perform wire transfer payments. Of the 2,126 victims recorded, nearly 1,200 were from the U.S., accounting for nearly $180 million of the total. Based on IC3 complaints received Oct. 1, 2013, through Dec. 1, 2014, there are three known versions of the scam, including businesses being asked to wire funds to fraudulent supplier accounts, compromised email accounts of high-level executives, and compromised email accounts of lower-level employees. IC3 has urged enterprises to avoid using free Web-based email, implement two-factor authentication and use caution when opening email links and attachments.
  • Just three days before the biggest football game of the season, and amid accusations involving deflated footballs and cheating, mobile data gateway vendor Wandera Inc. revealed that the National Football League's NFL Mobile app leaks user profile data including usernames, passwords and email addresses via an unencrypted API call. This data can be used to access member profiles on While it is unclear if credit card data is visible, data including full names, postal addresses, telephone numbers and more is. An NFL representative told The Register that the vulnerability has since been addressed.
