Alex Stamos, who recently left Yahoo's highest security position to become Facebook's Chief Security Officer (CSO), called on Adobe to kill Flash once and for all to spare the world of all of its security vulnerabilities.
"It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day," said Stamos. He added, “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once."
This message comes after it was revealed that the recently hacked "Hacking Team" was using Flash zero-day vulnerabilities to hack journalists, activists, governments and more. Alex Stamos, like other security experts, must have also gotten tired of hearing about so many security vulnerabilities that Flash has had during its entire lifetime.
Flash and Java applets have been some of the most vulnerable and attacked pieces of software over the years. However, Java applets have been disabled by default in most modern browsers by now, so the damage from them has been greatly reduced. Flash still remains a major problem, even though the world was supposed to move to HTML5 years ago.
Back in 2010, Steve Jobs said Flash had "one of the worst security records in 2009" in his "Thoughts on Flash" (opens in new tab) article. The situation doesn't seem to have improved much since then. This year alone, several (opens in new tab) critical security vulnerabilities were found in the software.
One of the main reasons why we haven't moved faster to a Flash-free world is because of the old Internet Explorer versions, which don't support the <video> tag necessary to replace Flash video players, nor other HTML5 features that were necessary to make HTML5 development a real alternative to Flash development in the browser.
High Windows XP adoption rates also haven't helped, as you couldn't install versions newer than IE 8 on the aged OS, making it harder for websites to start using HTML5 for video or other security protocols that were only present in modern browsers. With Microsoft having dropped support for Windows XP for more than a year now, and its fast declining in market share, it should soon be much easier for websites to stop supporting Flash completely.
However, as Stamos noted, the websites will still need some time to adapt and make the change. They will also need Adobe to give them a real incentive to switch, by announcing an official end-of-life date for Flash.