Security-conscious IT administrators around the globe know that they shouldn’t really have Adobe Flash in their organisation.
For years, researchers have bemoaned Adobe Flash Player for being riddled with critical security holes, commonly exploited and fundamentally broken.
It’s not as if Adobe Flash has a future.
Last year, Adobe announced that it will no longer be updating or distributing Flash Player at the end of 2020 and is encouraging content creators to migrate to non-Flash formats.
Read that again. After 2020, there won’t be any more security updates for Adobe Flash Player. Which means that if new remotely exploitable vulnerabilities are found (as they surely will be), it won’t matter how long you wait until Adobe gets around to distributing a patch, as it won’t be coming.
Of course, this is a problem for all businesses that may have computers running Flash Player or may be reliant on websites that use Flash content. If they haven’t already done so, they need to think about how they are going to migrate seamlessly away from Flash and ensure that the program is disabled or uninstalled from their population of PCs.
In short, eradicate Flash and use an alternative such as HTML5.
For some companies, that’s going to be a significant job. And it may be an even bigger challenge for very large organizations such as the U.S. government.
Oregon senator Ron Wyden highlighted the issue this week with a letter he wrote to government agencies responsible for federal cybersecurity. In it, he called on the Department of Homeland Security (DHS), NSA, and NIST to work together to end the U.S. government’s use of Adobe Flash before it’s too late:
“The federal government has too often failed to promptly transition away from software that has been decommissioned. In just one example, agencies were forced to pay millions of dollars for premium Microsoft support after they missed the deadline to transition away from Windows XP at its end-of-life in 2014, even though the technology’s last major update had been six years prior. The U.S. government should begin transitioning away from Flash immediately, before it is abandoned in 2020.”
Wyden, backed by respected privacy researcher and activist Chris Soghoian, who works as the senator’s senior advisor for privacy & cybersecurity, finished the letter by calling for the following three actions to be taken:
- Mandate that government agencies shall not deploy new, Flash-based content on any federal website, effective within 60 days.
- Require federal agencies to remove all Flash-based content from their websites by August 1, 2019. To aid agencies with this effort, please:
  - Promptly expand the routine cyber-hygiene scans that DHS performs on each federal agency to include Flash content on the agency websites.
  - Provide each agency with a list of all Flash content on its websites along with guidance to promptly transition away from it.
- Require agencies to create a pilot program to remove Flash from a small number of employee desktop computers by March 1, 2019 and then remove it agency-wide no later than August 1, 2019.
Too many websites are still using Adobe Flash. Too many organizations haven’t yet felt comfortable ripping Flash Player off their users’ computers.
We – like Adobe Flash – are living on borrowed time. Whatever the size of your organization, you need to start taking steps now to eradicate this magnet for attacks and hackers from your systems. Because after 2020, it’s only going to get worse.