66

I was under the impression that Adobe Flash was dead, and that browsers were no longer natively supporting Flash? Why therefore, is there a large amount of hype online about a new remote code execution vulnerability in flash?

KingJohnno
  • Browsers still support it, they just disable it by default except for whitelisted domains, and allow the user to selectively enable it as needed for other domains. – Barmar Apr 11 '18 at 21:32
  • Some people play every game they can find online, including Flash games like [AntBuster](http://cache.armorgames.com/files/games/antbuster-522.swf) and [Manufactoria](http://pleasingfungus.com/Manufactoria). It's not just Flash games by the way: [android apps](https://www.zdnet.com/article/gooligan-android-malware-grabs-a-million-google-accounts-in-huge-google-play-fraud), [android games](https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/android-game-malware), [games from a bribed company](https://www.securityweek.com/cybercriminals-trick-qihoo-360-whitelisting-malware), ... – user21820 Apr 12 '18 at 06:04
  • Even when browser publishers will finally completely stop supporting it sometime in the future, and most already disable it by default, there are many (mostly not technically versed) people who for whatever reason disable updates or even just decline whenever the update message opens, and thus stay on years-old browser and plugin versions. – Raimund Krämer Apr 12 '18 at 06:35
  • Companies can use HTML 5 to do everything Flash Player can do, but they have to learn different ways of doing things in order to do so. It's cheaper to keep using Flash. It's better and more secure to use HTML 5 techniques, but I'm sure there are some vulnerabilities there, as well. – Joshua Nurczyk Apr 12 '18 at 07:50
  • Also, sometimes (especially company-internal) projects are simply structured to the rule of "build now, run for xx years, period". – rackandboneman Apr 12 '18 at 18:51
  • @Raimund Krämer or technically versed people that are not amused with the two major browser vendors doing what they want in their updates. – rackandboneman Apr 12 '18 at 18:53
  • *Why therefore, is there a large amount of hype online* - remember that a big part of the hype is various "security experts" trying to promote their "expertise" by writing scary articles about this new vulnerability. And then low-grade tech journalists pick up the fake hype to write tons of articles on the subject. In the end you get the impression that it's a big issue even if it's not a big deal in the first place. – JonathanReez Apr 13 '18 at 03:01
  • You should care about flash for the same reason you care about cockroaches and cancer. –  Apr 13 '18 at 03:35
  • [Citi still uses Flash.](https://online.citi.com/US/VAN/webcard/ranwebcard.jsp) – user541686 Apr 13 '18 at 07:50
  • @JoshuaNurczyk wrong, Flash can use TCP sockets, HTML5 can not. (They can use the WebSocket protocol, to communicate with any WebSocket servers, which are based on TCP, but they can't use HTML5 to log in on World of Warcraft, which uses a custom protocol based on TCP, but Flash can do that.) – user1067003 Apr 13 '18 at 09:16
  • @JoshuaNurczyk or to say it more simply, Flash can communicate with any TCP-based protocol, HTML5 can not. – user1067003 Apr 13 '18 at 09:16
  • It's not all dead! It's only *mostly* dead! – Nonny Moose Apr 13 '18 at 12:15

6 Answers

100

The short answer is that it takes a loooooong time for software to die. Even in 2018 we still have COBOL running multi-billion dollar companies, despite COBOL being a "dead" language for decades.

The longer answer is there's still a significant amount of websites that require Flash, and people re-enable Flash for practical reasons.

Oftentimes these are "mission critical" internal corporate websites or schools that haven't put a priority on replacing legacy applications based on Flash. This might mean using older browsers where Flash isn't disabled, or just users being trained to re-enable it every time.

Across the board, the numbers as of April 2018 are around 5% of websites according to https://w3techs.com/technologies/details/cp-flash/all/all

So I wouldn't say Flash is "dead", but it is slowly dying.

Peter Mortensen
Steve Sether
  • In Korea, there are still sites that _require_ Flash to function, and many that even require ActiveX to function at all! Imagine the horror, a site built entirely off of something like that, in 2018. – forest Apr 11 '18 at 23:06
  • Let's not forget government websites like http://stroke-order.learningweb.moe.edu.tw/wordDetail.do?big5Code=C5E9 from the Taiwanese Ministry of Education. It teaches people how to properly draw and pronounce every traditional Chinese character using Flash and probably hasn't been updated to not use Flash yet because of the huge amount of work involved. – Patrick Dark Apr 12 '18 at 05:21
  • 5% of websites is still an incredibly huge number – usr-local-ΕΨΗΕΛΩΝ Apr 12 '18 at 08:25
  • The death of COBOL is greatly exaggerated. I still see plenty of job postings for COBOL developers. – Clearer Apr 12 '18 at 13:16
  • @Clearer how many of them are for supporting legacy systems? How many for new devs? – Walfrat Apr 12 '18 at 13:43
  • @Clearer: half of them is just retirement homes searching for new occupants. – PlasmaHH Apr 12 '18 at 13:45
  • Worse than legacy applications are the legacy _devices_. At my job, we have tens of thousands of dollars invested in hardware devices that can _only_ be managed via built-in web interfaces using Flash, Java or ActiveX components. It's a nightmare. – jmbpiano Apr 12 '18 at 16:46
  • @PatrickDark Indeed... a good chunk of those 5% will be those government websites that always seem to live on 20-year-old software to avoid hefty contracts to remake them. Unfortunate but important for many people. Also, there's Homestar Runner, which is worth 2-3 Internets on its own. – Luke Sawczak Apr 13 '18 at 02:10
  • Software does not just take a long time to die. There is also no such thing as stopgap software. When I was young I wrote a script to help me help myself. That script was explicitly designed to work as a stopgap measure for 1 or 2 months. 15 years later that script was still there; it had become the cornerstone of the entire department's productivity. It was then they decided to rewrite it; up until that point that simple loop was good enough. – joojaa Apr 13 '18 at 07:02
  • COBOL isn't dead -- it just smells bad. – Peter - Reinstate Monica Apr 13 '18 at 18:33
  • COBOL won't be dead until other languages learn to add numbers properly. Every other language uses scientific notation internally, which is great for calculating orbital insertions but super sucks for balancing payroll accounts. – Harper - Reinstate Monica Apr 13 '18 at 21:38
  • @Harper "Scientific notation"? How would you use a *notation* internally? Never written COBOL so would love to know what's special about its number handling in particular – Voo Apr 13 '18 at 23:10
  • @voo COBOL uses fixed-point math and fixed number widths. It's positively bizarre until you realize it's based on the adders in IBM mainframes. 90% of what you're doing is adding and tabulating, so that makes sense. When you have to do real math, say a mortgage interest calc, you create a few temporary FLOAT variables, do your math and convert back to fixed-point. It never carries numbers around internally like $234.5600001, that *cannot happen*. – Harper - Reinstate Monica Apr 13 '18 at 23:38
  • @Harper isn't that just like using an integer type in other languages? – bdsl Apr 14 '18 at 09:43
  • @Harper So is it about performance? Because if all you want is fixed point math, that's trivial to implement if you have integer arithmetic at your disposal (you probably want a language with operator overloading to make the syntax not horrible though). – Voo Apr 14 '18 at 15:06
  • So we have gone from counting sheep with sticks and rocks to arguing about floating point notation on computers...the human race is just something else. – Radvylf Programs Apr 14 '18 at 15:15
  • [*Installed base*](https://en.wikipedia.org/wiki/Installed_base) is the term for this issue: "… the number of units of a product or service that are actually in use, … as opposed to market share, which only reflects sales over a particular period". – Basil Bourque Apr 14 '18 at 20:18
  • @bdsl sure, integers on both sides of the decimal point wouldn't be far off. At the time it was cheaper to carry all numbers as BCD rather than do bounds checks at every op and decimal conversion at print time. Bounds checks are needed to catch a field overflow like 9999+1. No efficient way to do that in binary math. COBOL actually needs to be a very tightly typed language. E.g. the == and = confusion (if $A=1) is just the kind of thing COBOL's customers will never abide! – Harper - Reinstate Monica Apr 14 '18 at 21:58
  • @Harper Many if not most modern languages have a way to perform arbitrary precision decimal calculations without error. In Java it's called BigDecimal. In PLSQL use the Money type. This is a well recognized problem, and there's a variety of different solutions to it depending on the language. – Steve Sether Apr 16 '18 at 02:47
  • I've seen several cases over time where multi-million pound projects to replace legacy software failed to produce something that could match the functionality and performance of the original, so the new project was scrapped and the legacy code got another 15 years of life. – Michael Kay Apr 16 '18 at 07:37
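The answer above gives a figure for how much of the web still requires Flash, and the comments list the internal sites, government portals and device web interfaces where it survives. A defender's first step is an inventory of their own estate, so here is an added example (mine, not code from this answer or from any site named here) that scans a set of HTML documents for the usual Flash embedding patterns: `<object>`/`<embed>` tags with the Flash MIME type or the ShockwaveFlash ActiveX classid, `.swf` URLs in `data`, `src` or `<param name="movie">`, and the SWFObject JavaScript loader (`swfobject.js` / `embedSWF(`). The sample pages are constructed for the example; the function and page names are assumptions.

```python
"""Inventory Flash dependencies in saved HTML pages.

Added example, not from the original answer. Only the standard library is used,
so it can run offline against a directory of crawled or exported pages.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

FLASH_MIME = "application/x-shockwave-flash"
# Classid of the ShockwaveFlash ActiveX control referenced by <object> tags.
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"


def is_swf(url: str) -> bool:
    """True if the URL path ends in .swf (query string and case ignored)."""
    return urlsplit(url.strip()).path.lower().endswith(".swf")


class FlashScanner(HTMLParser):
    """Collects (kind, reference) pairs for every Flash dependency found."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []
        self._in_script = False

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            src = a.get("src", "")
            if "swfobject" in src.lower():          # external SWFObject loader
                self.findings.append(("script", src))
        elif tag in ("object", "embed"):
            ref = a.get("data") or a.get("src") or ""
            if (a.get("type", "").lower() == FLASH_MIME
                    or a.get("classid", "").lower() == FLASH_CLSID
                    or is_swf(ref)):
                self.findings.append((tag, ref))
        elif tag == "param":
            # <param name="movie" value="x.swf"> inside a legacy <object>
            if a.get("name", "").lower() == "movie" and is_swf(a.get("value", "")):
                self.findings.append(("param", a["value"]))

    def handle_endtag(self, tag: str) -> None:
        if tag == "script":
            self._in_script = False

    def handle_data(self, data: str) -> None:
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script and ("embedSWF(" in data or ".swf" in data.lower()):
            self.findings.append(("inline-script", data.strip()[:60]))


def scan_html(html: str) -> List[Tuple[str, str]]:
    """Return every Flash dependency found in one HTML document."""
    scanner = FlashScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def flash_dependent_pages(pages: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map page name -> findings, keeping only pages that actually need Flash."""
    return {name: hits for name, html in pages.items() if (hits := scan_html(html))}


# Constructed sample pages: two legacy intranet pages and one modern page.
SAMPLE_PAGES = {
    "intranet/reports.html": """<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="800" height="600">
  <param name="movie" value="/legacy/report-viewer.swf">
  <embed src="/legacy/report-viewer.swf" type="application/x-shockwave-flash">
</object></body></html>""",
    "intranet/dashboard.html": """<html><head>
<script src="/js/swfobject.js"></script>
<script>swfobject.embedSWF("charts.swf", "chart", "600", "400", "9.0.0");</script>
</head><body><div id="chart"></div></body></html>""",
    "www/index.html": """<html><body><video src="intro.mp4" controls></video>
<canvas id="game"></canvas></body></html>""",
}

if __name__ == "__main__":
    for name, hits in flash_dependent_pages(SAMPLE_PAGES).items():
        print(name)
        for kind, ref in hits:
            print(f"  {kind:14s} {ref}")
```

Run against a crawl of the intranet, the report is the list of applications that force users to keep Flash enabled; each one is either a migration candidate or, until then, a reason to confine Flash to a dedicated browser profile with an allowlist rather than leaving it enabled globally.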
19

Because it's not completely "dead". It's just suppressed, for example, in Chrome the user has to click to allow Flash.

Google has said that by 2020 it will not support Flash at all.

Soron
MichaelEvanchik
  • It's not just Google. Adobe is EOLing Flash at the end of 2020. Mozilla is planning on removing it from the mainstream Firefox browser in mid 2019, with the ESR version keeping it alive until the start of 2021. https://theblog.adobe.com/adobe-flash-update/ https://developer.mozilla.org/en-US/docs/Plugins/Roadmap – Dan Is Fiddling By Firelight Apr 12 '18 at 19:07
10

Unfortunately, a lot of corporate software or internal websites still require Flash for various things (and not necessarily a recent version that may have some patches). If a company decides that their internal application requires a five-year-old version of Flash to simply work, they're not going to patch it.

That leaves an awful lot of software and sites that are likely vulnerable to any new attacks based on Flash.

Philip Rowlands
  • Also, there is a lot of long-term-investment hardware (think LOM cards in servers, RAID appliances, networking, UPS and telecom equipment...) that relies on Java and/or Flash in its web interfaces. This stuff is usually packed away in a firewalled maintenance network, and you usually do NOT want to mess with its firmware images (especially if that stuff is infrequently accessed, and ways to work with it are part of emergency documentation). A frequent reason to have very, very violent attitudes about "no user recourse" browser security policies. – rackandboneman Apr 12 '18 at 18:49
  • There's nothing quite like seeing Edge's "you've stumbled across some ancient web tech" message on your company intranet homepage. – mbrig Apr 13 '18 at 17:40
  • Aren't many of these uses just simple things that are a little too much for Javascript? It's not like they were writing games... for example my state's business records division still uses Java to show you TIFF files of docs... it's nothing but a bit of glue. – Harper - Reinstate Monica Apr 14 '18 at 22:06
  • Flash is still used on webapps like Mint (investment trends) and TeamViewer. – Stevoisiak Apr 25 '19 at 18:01
4

Adobe is still releasing new updates to their Flash editor (now named Animator), and new versions of their Flash player. I think the Flash player updates are less noticeable (working in the background) so we don't notice how often they update now.

They also have their AIR player for mobile phones (the core of Flash is downloaded to a phone once, so apps don't have to include the core, and AIR becomes its own cross-platform marketplace).

It seems like they are trying to migrate many aspects of Flash/Animator to HTML5/CSS3/JS, I suspect in large part due to waning browser support.

Many browser games were made in Flash, and Adobe still has its Game SDK, which uses Flash for graphical assets.

Ghost8472
  • Indeed, my small company has been working on converting our Flash-based game to HTML5/JS for the past couple of years. We have most of the major features replicated, but still have a huge number of little things remaining. – Barmar Apr 11 '18 at 21:43
3

Several entertainment websites still support and perhaps will continue supporting Flash games despite security concerns, since they are likely to be their largest source of revenue.

In order to play most of the games on these websites, the user just needs to:

Click to Allow Flash

Which is something that even in most public computers is possible (no installation required since it's embedded in the browser). Usability/quick access trumps security concerns when users are on limited/paid time cybercafés.

CPHPython
1

I work for a company that is partnered with a large agricultural company. Said Ag company uses Flash for all their web-based applications. Even newly (less than 6 months) released applications. Unfortunately, many companies don't see the negative sides of using a known vulnerable application and will continue to use it as they have invested time and money into it and want to get a return on it.

In Australia, until recently, the tax office (and other government orgs) were best accessed through Internet Explorer 8! Thankfully, they have changed and Chrome/Firefox work just as well but it shows you can't take the knowledge that something is bad as a sign that everyone will dump it.

All in all, it means we have to care about the dodgy applications that are out there, as it's better to be aware and patched/mitigated than to get bitten.