Facebook drops Flash, adding one more reason for users to stop using it altogether

Wolfgang Kandek, CTO at Qualys

Facebook recently announced it stopped using Adobe Flash for web videos that appear on its News Feed, Pages and the embedded Facebook video player, instead deploying a video player built around HTML5.

Facebook is not the first substantial organization to move away from Flash, with YouTube switching to a HTML5 based player in January 2015 and Mozilla having blocked it completely from its Firefox browser earlier this year, in response to its continued exploits. But the move marks a significant change for Facebook, which built its first HTML5 video player five years ago.

Adobe Flash is a programming system and its Flash player is an interpreter for programs but also capable of showing a wide range of video and audio streams. It is very widely installed on client machines, with the notable exceptions of iPhone and iPad devices. This makes it an ideal platform for rich media web pages, both simple ones containing audio and video and complex one containing entre programs, such as games. Its problems lie exactly in this combination:

  • Playing video content is notoriously complex and very difficult to implement securely. This has provided the attackers with rich options to probe for code execution vulnerabilities, documented in the hundreds on vulnerabilities found this year for Adobe Flash.
  • Once a vulnerability is found the attacker has the full breadth of a programming language at her disposal, and can use network request to download malware.

Adobe is aware of the issues and introduced automatic updates in 2012 and monthly patching in 2013, bringing Flash up to the industry standard and closing the large attack vector of outdated software installations. But attackers continue to exploit new vulnerabilities in the product, as we have seen in this year’s multiple 0-day occurrences. But it is not only attackers.

Security researchers have developed tools that are capable of finding vulnerabilities in astounding numbers – the latest monthly bulletin addressed 70+ vulnerabilities.

Limiting Flash use is an interesting route to take, after all iPhones and iPads have shown that it is possible to be Flash free. So what does this mean for users?

The immediate implication is that security can now be much improved. Facebook is removing one of the reasons to have Flash which will allow users a new chance to limit Flash use either by uninstalling all together. Browsers vendor can also take this opportunity to refresh their mechanisms to encourage “click-to-play” for Flash as it should now be less widespread.

Facebook has not stopped supporting Flash for all cases, allowing its continued use for games – the other popular use case for Flash. But other organizations might have an internal policy that users should not be playing games on work devices and automatically block Flash. However, there are plenty of business applications requiring Flash so your mileage on this may vary. The best approach is to combine blocking and checking. Make sure that all machines that have to have Flash installed are continuously checked to be secure. If Flash is in place and not up to date, then these assets can be automatically blocked while updates are continued to be rolled out.

In eliminating Flash in its video serving, Facebook has managed to serve two of its highest goals: faster and better interaction with its users (yes all metrics are up for Facebook since its introduction) and making that interaction more secure. Other organizations can now follow and see if the HTML5 technology can be used in their application as well.

More about

Don't miss