
Chrome Browser Protects Against Flash Exploits

Google Chrome recently announced that by Q4 of this year, HTML5 will be the default in the Chrome browser, switching over from Adobe Flash Player.

That excludes content on the top 10 whitelisted sites, which will continue to play Flash in an effort to avoid over-prompting users. Those sites include YouTube, Facebook, Yahoo, VK, Live, Yandex, OK, Twitch, Amazon and Mail. The whitelisting will expire after one year, after which users will be prompted before Flash content plays on these popular sites as well.

According to Threatpost, Google will continue to ship Flash Player with Chrome, and a prompt will ask users whether they want to run Flash on sites that truly require it.

Some of the reasons for the shift to HTML5, aside from the glaring security one, include a more integrated media experience, faster load times and lower power consumption, all of which deliver a much-improved user experience. Ultimately, it makes sense for a modern browser to default to HTML5 if a website offers it.

Security Issues with Flash

Flash Player has been patched repeatedly for countless critical vulnerabilities. Flash zero-days have prompted several out-of-band emergency updates, that is, patches released outside the typical Patch Tuesday schedule.

Exploits for known Flash vulnerabilities in older, unpatched versions of the plugin are used in eight of the top ten exploit kits attackers use to install malware on victims’ machines. Other vulnerabilities used include ones targeting Internet Explorer 10 and 11. The popular Angler exploit kit delivers malware mainly through exploits that target Internet Explorer (IE) (59 percent) and Flash (41 percent), according to Sophos.

More recently, Microsoft released a security update for Adobe Flash Player that patches the Adobe Flash libraries bundled with IE 10, IE 11 and Microsoft Edge. According to Microsoft, an attacker could host a spoofed site designed to exploit these critical vulnerabilities against users browsing with IE.

Enterprise Devices at Risk

In Duo’s recent 2016 Trusted Access Report, based on our dataset of two million devices, we found that 25 percent of all Windows devices were running an outdated and unsupported version of IE, putting them at risk of a possible Flash exploit.

Unsupported means these versions no longer receive security updates from Microsoft, so the devices are at risk even if users don’t use IE as their primary or default browser. As long as it is installed on the device, it can put the user’s apps and data, as well as any company apps and data the device is used to log into, at risk.

Half of all Windows XP devices are running either IE 8 or IE 7, putting them at risk of more than 700 known vulnerabilities, including those affecting IE 11 and Edge.
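The finding above comes from device telemetry, but the same kind of check can be run against any source that records browser User-Agent strings, such as web server or proxy logs. The script below is an added example, not code from Duo or the report, that classifies a constructed set of User-Agent strings and counts how many come from an IE version below 11. The threshold of IE 11 as the only still-supported IE release, the sample User-Agents and the Trident-to-IE version mapping are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample of User-Agent strings, as a web server or proxy log
# might record them. These are made up for the example, not report data.
SAMPLE_USER_AGENTS = [
    # IE 8 running in IE 7 compatibility mode: the MSIE token lies, Trident does not
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586",
    "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/51.0.2704.103 Safari/537.36",
]

# Assumption for this example: IE 11 is the only IE release still receiving updates.
MIN_SUPPORTED_IE = 11

MSIE_RE = re.compile(r"MSIE (\d+)\.")
TRIDENT_RE = re.compile(r"Trident/(\d+)\.")


def ie_version(ua):
    """Return the installed IE major version, or None if the UA is not IE.

    The Trident engine token is used first because IE in compatibility mode
    advertises an older MSIE token while the engine token still reflects the
    installed browser (Trident/4.0 = IE 8 ... Trident/7.0 = IE 11). IE 7 and
    older send no Trident token, so the MSIE token is the fallback.
    """
    match = TRIDENT_RE.search(ua)
    if match:
        return int(match.group(1)) + 4
    match = MSIE_RE.search(ua)
    if match:
        return int(match.group(1))
    return None


def browser_family(ua):
    """Coarse browser family; order matters because Edge and Chrome UAs also
    contain the Chrome/ and Safari/ tokens of the browsers they imitate."""
    if ie_version(ua) is not None:
        return "ie"
    if "Edge/" in ua:
        return "edge"
    if "Chrome/" in ua:
        return "chrome"
    if "Firefox/" in ua:
        return "firefox"
    if "Safari/" in ua:
        return "safari"
    return "other"


def is_unsupported_ie(ua):
    """True when the UA is IE below the supported threshold."""
    version = ie_version(ua)
    return version is not None and version < MIN_SUPPORTED_IE


def summarize(user_agents):
    """Count browser families and the share of unsupported IE in the sample."""
    families = Counter(browser_family(ua) for ua in user_agents)
    unsupported = sum(1 for ua in user_agents if is_unsupported_ie(ua))
    return {
        "families": dict(families),
        "unsupported_ie": unsupported,
        "unsupported_ie_pct": round(100.0 * unsupported / len(user_agents), 1),
    }


if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        print(browser_family(ua), ie_version(ua), "UNSUPPORTED" if is_unsupported_ie(ua) else "")
    print(summarize(SAMPLE_USER_AGENTS))
```

Trusting the MSIE token alone would undercount: the first sample line would be reported as IE 7 even though the device runs IE 8. In practice the UA string is only a starting point, since browser versions are easy to spoof and the Flash plugin version is not visible in it at all; endpoint inventory is the authoritative source for both.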

IE Usage on Windows Devices

We also found that Google’s Chrome was the most up-to-date browser of all the browsers in our dataset at 82 percent, followed by Firefox (66 percent), IE 11/Edge 13 (58 percent) and Safari (49 percent). We recommend using Chrome for optimal security, as Google rolls out updates automatically and frequently enough to patch known vulnerabilities.

Duo's Data on Up-to-Date Browsers

And 60 percent of enterprise devices are running an out-of-date version of Flash in their browsers, putting them at risk of known vulnerabilities in the older plugin.

Outdated Flash Player

A History of Moving Away from Flash

Late last year, Adobe announced that its Animate CC development tool would be updated to support HTML5 over Flash, acknowledging that their customers requested new tools to support different industry standards.

The final decision to default to HTML5 comes at the end of a long trail of decisions to move Chrome users away from Flash. Back in June 2015, Google enabled click-to-play for Flash, pausing content that isn’t central to the web page.

Then, in February, Google announced its decision to move its advertising, including the Google Display Network and DoubleClick Digital Marketing services, entirely to HTML5 as of June 30, according to InformationWeek.

Similarly, Mozilla dropped support for Flash in its Firefox browser around this time last year. While users can still reactivate the plugin, it is disabled by default.

However, many popular games, videos and other web content and applications rely on Flash, and as long as those are around and profitable, Flash will persist, as will its vulnerabilities and the attackers who exploit them.

Get tips on how to secure your organization against the threat of outdated devices by downloading our report to learn:

  • A breakdown of how many Mac, Windows and other users and devices are running outdated, unsupported browsers, operating systems, Java and Flash
  • The types of known vulnerabilities your users and company are susceptible to
  • Duo’s security hygiene recommendations to secure your devices, users, apps and data
  • A real-life breach scenario and how a Trusted Access solution can prevent a breach

Download The 2016 Duo Trusted Access Report: The Current State of Device Security Health.


Thu Pham

Information Security Journalist

@Thu_Duo

Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.