So Facebook finally disabled Flash for video. Sadly it’s still there for games, but a large use case for it just went out the window. And really, it’s not surprising after the recent mega patch in Adobe Flash that fixed 78 CVE-classified vulnerabilities.
There’s just no good reason for anyone to still be using Flash, and browsers, if they don’t block it completely, should at minimum make it click-to-enable on a site-by-site basis.
That doesn’t guarantee safety though, with Flash vulnerabilities floating around in drive-by malware hiding in Flash-based ad units. Just say no to Flash.
Facebook recently announced it stopped using Adobe Flash for web videos that appear on its News Feed, Pages and the embedded Facebook video player, instead deploying a video player built around HTML5.
Facebook is not the first substantial organization to move away from Flash, with YouTube switching to an HTML5-based player in January 2015 and Mozilla having blocked it completely from its Firefox browser earlier this year, in response to its continued exploits. But the move marks a significant change for Facebook, which built its first HTML5 video player five years ago.
Adobe is aware of the issues and introduced automatic updates in 2012 and monthly patching in 2013, bringing Flash up to the industry standard and closing the large attack vector of outdated software installations. But attackers continue to exploit new vulnerabilities in the product, as we have seen in this year’s multiple 0-day occurrences. But it is not only attackers.
Security researchers have developed tools that are capable of finding vulnerabilities in astounding numbers – the latest monthly bulletin addressed 70+ vulnerabilities.
Limiting Flash use is an interesting route to take; after all, iPhones and iPads have shown that it is possible to be Flash-free. So what does this mean for users?
Less of the web is becoming reliant on Flash, with video being one of the big holdouts. YouTube moved away earlier this year, but most WordPress plugins, private site players and anyone else playing or streaming video still use Flash-based players.
With a big site like Facebook going fully HTML5 for video, it should lead the way and push people in the right direction (hopefully).
The immediate implication is that security can now be much improved. Facebook is removing one of the reasons to have Flash, which gives users a new chance to limit Flash use or to uninstall it altogether. Browser vendors can also take this opportunity to refresh their mechanisms to encourage “click-to-play” for Flash, as it should now be less widespread.
Facebook has not stopped supporting Flash for all cases, allowing its continued use for games – the other popular use case for Flash. But other organizations might have an internal policy that users should not be playing games on work devices and automatically block Flash. However, there are plenty of business applications requiring Flash, so your mileage on this may vary. The best approach is to combine blocking and checking. Make sure that all machines that have to have Flash installed are continuously checked to be secure. If Flash is in place and not up to date, then these assets can be automatically blocked while updates continue to be rolled out.
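One way to implement the check-and-block step described above, as an added example that is not from the article or from any Facebook or Adobe tooling: a Python check over a constructed asset inventory that flags hosts whose installed Flash version is below an assumed minimum patched version. MIN_PATCHED_VERSION and the hostnames are placeholders; the minimum should be taken from the current Adobe bulletin.

```python
# Added example (not from the article): check an asset inventory for
# outdated Flash installs so those hosts can be blocked until updated.
from typing import List, Optional, Tuple

# Assumed minimum patched version; substitute the version from the
# current Adobe bulletin. Flash uses a four-component version string.
MIN_PATCHED_VERSION = "20.0.0.228"

# Constructed inventory: (hostname, installed Flash version, None if absent).
INVENTORY: List[Tuple[str, Optional[str]]] = [
    ("finance-01", "20.0.0.228"),  # exactly at the minimum: compliant
    ("finance-02", "19.0.0.245"),  # one major behind: block
    ("design-07", "20.0.0.235"),   # newer than the minimum: compliant
    ("kiosk-03", None),            # Flash not installed: nothing to block
    ("legacy-11", "11.2"),         # short, very old version string: block
    ("lab-05", "garbage"),         # unparsable: treat as non-compliant
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'a.b.c.d' into a comparable tuple, zero-padded to 4 parts.
    Raises ValueError for anything that is not dotted integers."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) > 4:
        raise ValueError(f"bad Flash version: {version!r}")
    return parts + (0,) * (4 - len(parts))


def is_outdated(installed: str, minimum: str = MIN_PATCHED_VERSION) -> bool:
    """True when the installed version sorts below the minimum patched one."""
    return parse_version(installed) < parse_version(minimum)


def hosts_to_block(inventory: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Hosts with Flash installed but not at the patched level.
    Hosts without Flash are skipped; an unparsable version is blocked,
    since the safe default is to treat unknown state as non-compliant."""
    blocked = []
    for host, version in inventory:
        if version is None:
            continue
        try:
            outdated = is_outdated(version)
        except ValueError:
            outdated = True
        if outdated:
            blocked.append(host)
    return blocked
```

Running `hosts_to_block(INVENTORY)` on the constructed inventory returns the three hosts to block while updates roll out; feeding it a real inventory export is a matter of replacing the list.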
In eliminating Flash from its video serving, Facebook has managed to serve two of its highest goals: faster and better interaction with its users (yes, all metrics are up for Facebook since its introduction) and making that interaction more secure. Other organizations can now follow and see if HTML5 technology can be used in their applications as well.
It’s one thing I am grateful to Apple for – leading the anti-Flash movement since the very beginning. Can’t blame them really; why implement such an insecure piece of software in your walled garden?
I don’t see the big Facebook games reimplementing in HTML5 any time soon unless Facebook forces their hand. I hope it’s already tabled though, and that Facebook has given a deadline to totally stop the use of Flash on the platform.
Source: Helpnet Security