How to survive the death of Flash

Should an enterprise ban Flash, phase it out, or accept that it will remain as legacy software for the foreseeable future? Here’s a guide.

Seven years ago, Steve Jobs launched the once-popular Adobe Flash into a long, slow death spiral when he announced that Flash would not be installed on any of his cutting-edge products, particularly the iPad and iPhone. Jobs argued that Flash was slow, cumbersome, battery intensive, incompatible with touch-screens, and had massive security issues.

Since then, Flash has fallen out of favor for a number of very good reasons. First, it remains a serious security concern. Second, around five years ago, Adobe announced that Flash would not be available for mobile devices, which is where Internet users were headed. And third, HTML5 emerged in 2014 as an adequate replacement for Flash as a development platform for multimedia applications such as animation and games.

Five years ago, Flash was active on close to 30 percent of all websites. Today, that number is down to less than 8 percent, according to W3Techs, a division of Q-Success Management Consulting.

However, Flash is still being used on some of the major sites on the Internet, including the New York Times, salesforce.com, Fox News, Spotify and Starbucks. And while Adobe has recognized that Flash’s best days are behind it, the company is continuing to patch and update the software. And end users continue to download the Flash player plug-in, even though most security pros consider it a serious risk.

So, what should an enterprise do with Flash? Ban it? Phase it out? Or accept that it will remain as legacy software for the foreseeable future? Here’s a guide.

Down, but not out


“Flash technology has clearly been on its way out for the past five years,” says Ray Valdes, research vice president at Gartner. “Nevertheless, there is still a lot of lingering Flash content on the Web in the form of advertising, legacy content that has not been updated, games, and the occasional application.”

Valdes adds that in the enterprise, Flash has played a niche role in applications, similar to Java applets and desktop-based Java applications. However, HTML5 is now a full and complete replacement for Flash’s plug-in-based, rich-Internet applications.

Forrester’s Senior Security and Risk Analyst Josh Zelonis says the factors contributing to the demise of Flash have been its vulnerability to attacks and the fact that Adobe announced in 2012 that it was no longer pursuing the mobile market.


Zelonis points out that roughly half of the traffic on the web is mobile, so that puts Flash on the outs in terms of a broad-based development platform for web apps.

“Still, I don’t see this as the final demise of Flash,” says Zelonis. “Enterprises have had five years to adapt to not having Flash in the mobile browsers and, yet, we’re still seeing it in native applications via Adobe AIR.” Adobe AIR was used to build apps like Angry Birds and websites like TweetDeck.

1. Block Flash on enterprise endpoints

In 2009, Symantec reported that “a remote code execution in Adobe Reader and the Flash Player was the second most attacked vulnerability” of that year. And that was just the beginning. In 2010, Adobe suffered many additional, critical vulnerabilities that affected Windows, Mac, Linux, Solaris, UNIX, and Android operating systems and devices. A 2012 report published by Kaspersky Lab revealed that 47.5 percent of its customers had suffered attacks through one or more of Flash’s critical vulnerabilities.

And the attacks have continued on through today. In April 2016, all versions of Flash Player on Windows 10 (and earlier) suffered from more than two dozen vulnerabilities including a zero-day attack. Patches were dispatched to correct memory corruption bugs, stack errors, type-confusion flaws, heap buffer overflows, and security bypass vulnerabilities—just to name a few.

In July, Adobe launched an updated version of Flash Player with patches for 52 more vulnerabilities. These weaknesses were exploited in targeted attacks that allowed the hackers to control the systems they assaulted. And, as recently as Oct. 26, Adobe released another security update. This patch addressed a Flash Player vulnerability that, again, allowed remote hackers to control infected systems. Platforms include Windows (versions 7, 8.1, 10), Macintosh, Linux, and Chrome OS.

According to Jane Wright, principal security analyst at Technology Business Research, the CIOs and CISOs that she talks to say Flash has been one of their key concerns for the past few years. Even as organizations diligently install Flash patches, hackers continue to find new ways to exploit Flash and download malicious content.


“Many organizations already depend on their endpoint security vendor’s blacklist to block Flash from playing on their employees’ computers. But blacklisting is not yet as widely deployed on employees’ mobile devices,” Wright says. “So CIOs and CISOs are still concerned about the Flash vulnerabilities, as employees’ devices move in and out of their organization’s networks. We expect companies to increase their spending on IT security solutions by 10.7 percent over the next year. That includes increased spending for patch management, blacklisting, and mobile application management solutions, which help reduce risks from vulnerable programs such as Flash.”

2. Make sure end users update their browsers

Google plans to phase out the Flash Player in its Chrome browser by the end of this year. Mozilla is also divorcing Adobe Flash from its Firefox web browser by end of year, except for legacy Flash content.

Forrester’s Zelonis says, “I applaud Google and Mozilla for this customer-focused decision, as it will greatly reduce the security exposure to the general public.”

Stuart Williams, vice president at Technology Business Research, adds, “Several browsers such as Safari and Chrome, for example, have already—or will soon—discontinue support for the plug-in.”

3. Shift development to HTML5

Al Hilwa, program director at IDC Research in Seattle, explains that many designers and developers with Flash skills have brushed up on HTML5, but most say that the capabilities of Flash remain unmatched. The issue is the amount of content already developed in Flash on so many websites, including video formats. In order to access much of this content, Flash is still required; though, over time, it will become less of a problem.

“Most enterprise software has already shifted from Flash,” says Hilwa, “with minor exceptions; that is, those with legacy apps that have not been replaced yet. I think most IT organizations are on top of this and understand that they have to migrate them in the long-term. There are some inherent security weaknesses that make the plugin model, which Flash uses, harder to secure, which is why HTML5, that’s native to browsers, is preferable.”


Florian Lopez, senior web developer and designer at Fastmetrics.com, agrees that HTML5 has replaced Flash as the new standard. Combined with CSS and JavaScript, and libraries like jQuery, HTML5 offers a better, faster, and safer experience to users across all devices. HTML5 can also be used for video players, animations, ads, and even games now.

“HTML5 is great in terms of accessibility, performance, and Search Engine Optimization (SEO),” Lopez says. “Now that websites are viewed more from mobile devices, a cross-device technology is important. And, since HTML5 is just a revision of the HTML language, it doesn’t require learning a new language from scratch. There are lots of frameworks now available, such as Bootstrap and/or Backbone, that make it easier to build a website.”

4. Be patient

Flash is not completely gone yet, says staff product manager Randy Jessee at HEAT Software USA. HEAT has replaced the use of Flash within its applications where possible. And a number of HEAT’s customers have disabled Flash in their browsers.

According to Jessee, it’s still used quite a bit in many websites and web applications. If properly patched, Flash is not a bad technology by itself. However, since almost all software manufacturers include mobile in their plans, and Flash is not available on iOS, building in Flash restricts market potential. So, HEAT developers are typically designing new applications without it.

“We have found that HTML5 can replace everything we were doing in Flash,” says Jessee. “And it’s much more cross-device compatible. Most Flash applications are redeveloped using a framework such as Sencha or Angular JS to make the transition easier. We have had 100 percent acceptance of the components that were previously built in Flash and have now been replaced with analogs in HTML5.”

Senior Network Engineer Chris Ajello at Fastmetrics agrees with Lopez and Jessee. “The trend is very clear. From the interfaces that we use today, Adobe Flash is rarely used. It is rapidly being replaced by HTML5.”

In summary

Adobe spokesperson Devon Smiley says, “As stated back in November 2015, Adobe supports Open Web standards and believes that HTML5 is the web platform of the future. Adobe works closely with Mozilla, Google, Microsoft, Facebook, and others to facilitate the adoption of these open standards. This is an industry-wide evolution and Adobe is heavily invested in it.”

This story, "How to survive the death of Flash" was originally published by Network World.

Copyright © 2016 IDG Communications, Inc.