Flash Lives On: IT Still Needs to Detect Outdated, Unmanaged Devices
While Adobe Flash isn’t going away, it will be called something different come January 2016. Flash Professional, the software used to create Flash animations, will be rebranded as Adobe Animate CC, part of the Creative Cloud update to come next year.
However, Adobe will continue to support the Flash Player browser plugin, as the company stated in 2012 that it would for the next five to ten years, according to Arstechnica.com.
According to Adobe, the “emergence of HTML5 and demand for animations that leverage web standards” drove the company to rewrite the Flash Professional tool to include more HTML5 support.
It’s a sign of the times, as the company acknowledges the rest of the world’s move away from Flash, due in large part to major security issues. However, they will still support Flash as long as video and gaming Flash content persists.
Ad & Gaming Revenue Incentives
Ultimately, it’s up to web developers to stop creating content in Flash. At the end of August, Google announced they would begin blocking Flash-based Internet ads, which is one way to force advertisers’ hands and the companies that rely on them for revenue to discontinue developing Flash content.
Flash content is now ‘click to play’ in the Chrome browser, meaning users must click before videos or ads start playing. Internet ad revenue reached $13.3 billion in 2015, showing a 16 percent increase over last year. And in 2014, Internet ad revenue surpassed broadcast TV for the first time.
Facebook’s head of security Alex Stamos called for an end-of-life date for Flash and suggested that web browsers should strive to stop supporting technology at that date. He also stated that no one (developers) takes the time to rewrite their tools and upgrade to HTML5 because they expect “Flash4Eva.”
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.— Alex Stamos (@alexstamos) July 12, 2015
However, Facebook also relies on revenue via their games platform, so they’re continuing to support and run Flash games, working with Adobe to ensure it’s done securely.
Despite the high number and severity of security vulnerabilities affecting Flash, it is likely that companies will be motivated more strongly to abandon developing Flash content by the loss of customers and profit than by the vulnerabilities themselves. And similarly, companies may be motivated to keep supporting and developing Flash content by the gain of customers and profit (the gaming industry being one example).
Nearly 600 Known Flash Vulnerabilities
Security researchers have reported a Flash zero-day that was used in phishing campaigns targeting foreign affairs ministries, while a recent security update patched 17 critical vulnerabilities, bringing the number of vulnerabilities reported since July of this year to 80.
The Common Vulnerabilities and Exposures (CVE) database lists the total number of documented and reported Flash vulnerabilities as just shy of 600 (who knows how many are unreported). CVE also lists 349 of them with a Common Vulnerability Scoring System (CVSS) score of 10, which is the highest vulnerability severity ranking. The CVSS was recently updated in June 2015 to version 3.0 to address modern threat advancements.
Updating to Avoid a Potential Breach
As long as people fail to update or disable Flash, exploits of known vulnerabilities will continue to succeed. And research shows that users often fail to update as frequently or as promptly as they should, for several different reasons - lack of timely knowledge that a new version has been released, avoidance of updating due to the belief that it will be too time-consuming, etc.
Duo is helping out administrators who may not realize that unmanaged devices are running outdated versions of Flash, Java, or web browsers. While employees may be using their own personal devices to authenticate into work-related apps, services or email, they may not always realize that their software hasn’t been updated, leaving them (and your company) open to a potential breach.
With our recently released Self-Remediation tool, you can choose to give your users the ability to update their own devices. After logging in and completing Duo’s two-factor authentication, users will be notified in the authentication prompt screen that they are running an old software version. Then, Duo will provide a link to update, and notify them of any other outdated software.
This closes any security gaps that may exist on devices outside of IT management, and gives users a fast and immediate resource for securing their own devices. Learn more about Self-Remediation, part of the advanced feature set available in Duo Access. Other features include Device Insight, Device Analysis, Policies & Controls and Duo Access Gateway.