It is no secret that the vast majority of cybersecurity professionals would like to see the Adobe Flash end of life come sooner rather than later, and recent changes by Adobe indicate that dream might come true.
Adobe recently announced that Flash Professional CC would be renamed Animate CC and "will be Adobe's premier web animation tool for developing HTML5 content while continuing to support the creation of Flash content." The new software will be released in early 2016 and will arrive along with a new HTML5 video player for desktop browsers.
Adobe said open standards like HTML5 have matured sufficiently to provide many of the capabilities that Flash offers. Adobe said it would continue to develop security and feature updates for Flash, but also admitted that standards like HTML5 "will be the web platform of the future across all devices."
This new support for HTML5 has experts wondering if the Adobe Flash end of life may finally be on the way.
Adam Kujawa, head of malware intelligence at Malwarebytes Labs, said he hopes Adobe will eventually kill off Flash because although the software has been useful, its security flaws have led to the risks outweighing the benefits.
"Adobe will probably try to hold on as long as they can and they might even just keep patching new Flash versions for as long as there are folks out there who still need to use it," Kujawa said. "Within a year, it's unlikely there will be many groups still using Flash, and within five years it's likely that it will not even be installed on very many systems."
Michael Taylor, product manager at Rook Security, said that how soon Adobe Flash end of life arrives will depend on whether Adobe expands porting tools.
"There is currently some functionality for converting Flash content into HTML5 within the Flash Professional CC platform. And, Google automatically converts Flash ads into HTML5," Taylor said. "I believe Adobe is attempting to situate itself as a side-by-side solution to the growing amount of HTML5 content which is available."
Taylor also noted that content hosted predominantly via Flash today includes web-based games and streaming video services, and Adobe claimed that HTML5 and other "new standards have yet to fully mature" enough to match Flash Player in these uses.
Taylor said the best option for enterprise would be to prevent Flash from being installed on any corporate devices and to invest in transitioning from Flash to HTML5.
"This will allow them to provide that content, which is typically targeted for the entertainment and less technically adept market, without the security risks of the Flash plugin," Taylor said. "Additionally, with more browsers disabling Flash by default, they would be able to penetrate the casual market by going through that conversion, since their content would work immediately after the installation of a browser and would not require the additional installation of an add-on that could hamper some users."
Wes Widner, director of threat intelligence and machine learning at Norse Corp., said organizations should keep in mind that HTML5 is not immune to vulnerabilities.
"Think of it as taking all of the features that Java and Flash provided, such as file and multimedia access, and moving those to the browser," Widner said. "This eliminates third-party plugins from being security concerns, but it opens up all of those security concerns directly in the browser now."
"These include items which can allow for cross communication between HTML5 assets, cross-site scripting attacks of local storage, SQL injection attacks, which can maliciously consume CPU resources, and more," Taylor said. "HTML5 is not a silver bullet that will solve all the security concerns about hosting dynamic web content. What it provides is a sound and open framework for creating content and hosting it without the third-party Flash add-ons which have been the vector for a significant amount of browser-based attacks."