Facebook's New Security Chief Calls On Adobe To Kill Flash

Alex Stamos, who recently left Yahoo's highest security position to become Facebook's Chief Security Officer (CSO), called on Adobe to kill Flash once and for all to spare the world its security vulnerabilities.

"It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day," said Stamos. He added, "Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once."

This message comes after it was revealed that the recently hacked "Hacking Team" was using Flash zero-day vulnerabilities to hack journalists, activists, governments and more. Alex Stamos, like other security experts, must also have grown tired of hearing about the many security vulnerabilities Flash has had throughout its lifetime.

Flash and Java applets have been some of the most vulnerable and attacked pieces of software over the years. However, Java applets have been disabled by default in most modern browsers by now, so the damage from them has been greatly reduced. Flash still remains a major problem, even though the world was supposed to move to HTML5 years ago.

Back in 2010, Steve Jobs said Flash had "one of the worst security records in 2009" in his "Thoughts on Flash" article. The situation doesn't seem to have improved much since then. This year alone, several critical security vulnerabilities were found in the software.

One of the main reasons we haven't moved faster to a Flash-free world is the old Internet Explorer versions, which support neither the <video> tag necessary to replace Flash video players nor the other HTML5 features that were necessary to make HTML5 development a real alternative to Flash development in the browser.

High Windows XP adoption rates also haven't helped, as you couldn't install versions newer than IE 8 on the aged OS, making it harder for websites to start using HTML5 for video or other security protocols that were only present in modern browsers. With Microsoft having dropped support for Windows XP more than a year ago, and the OS fast declining in market share, it should soon be much easier for websites to stop supporting Flash completely.

However, as Stamos noted, the websites will still need some time to adapt and make the change. They will also need Adobe to give them a real incentive to switch, by announcing an official end-of-life date for Flash.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • mrmike_49
    YES!!!!!!!
    YES!!!!!
    oh REALLY REALLY YES!!!!!
  • derekullo
    RIP Flash.
    So many memories of playing games while at school.
  • spectrewind
    What I'm reading is:
    Competitor #1, using the guise of 'security', asking Competitor #2 to stop making something, making it easier for Competitor #1 to advance an agenda.
  • RedJaron
    16245038 said:
    What I'm reading is:
    Competitor #1, using the guise of 'security', asking Competitor #2 to stop making something, making it easier for Competitor #1 to advance an agenda.
    Uh, exactly how is Facebook a competitor to Adobe?
  • BulkZerker
    Hehehheheheh. Oh wait, you're serious, let me laugh even harder. BWAAAAAHAAAHAAAAHAAAAHAAAHAAAHAAA!
  • Achoo22
    I have a deep, loathing hatred of Flash. We've cultivated a great many tools for processing information on the Internet and Flash tries to break all of them. Proxies, rendering engines, JavaScript/ECMA engines, browser plugins, screen scrapers, translation engines, and all the other tools we use to process the Internet are under threat from Flash. I only enable it when I absolutely must, and I'll be exceedingly happy when it dies.

    With respect to security... the Internet would be a safer place if browser vendors would stop trying to integrate all manner of useless crap into the browsing experience. We don't need VRML, we don't need hardware 3D, etc., etc. If I really want to play your game, I'll download a standalone version.
  • nitrium
    Flash needs to die ASAP. If IE, Firefox and Chrome all dropped support for it simultaneously it would be instadeath for Flash, surely. Why don't the major browser companies just get together and agree on this one obvious thing? It already is completely unsupported (i.e. not working) on mobile devices (iOS and Android), so I see no reason why we can't also get rid of it on the desktop.
  • Blueberries
    Wasn't Flash privatized a long time ago?
  • RedJaron
    16245773 said:
    Flash needs to die ASAP. If IE, Firefox and Chrome all dropped support for it simultaneously it would be instadeath for Flash, surely. Why don't the major browser companies just get together and agree on this one obvious thing? It already is completely unsupported (i.e. not working) on mobile devices (iOS and Android), so I see no reason why we can't also get rid of it on the desktop.
    I can just see it, they all "agree" to drop it and then one of the three secretly agrees to keep Flash support. Suddenly they're the only browser that works with Flash and all the blinking 10's out there immediately adopt that browser for Flash because they don't know any better.
  • alidan
    What I want is Flash to go legacy mode.
    The last iteration before it just gets support to keep working.
    All Flash is run in a sandbox.

    This would allow people to use the Flash tools and still put out Flash things (I'm thinking animation here, as it's very low space and high quality compared to other methods I know that take tons of space more for lower quality), but because it's now legacy it will make people go to something new for things like video.

    You then have to make Flash run in a sandbox... with no access to outside files. In the cases where it creates and saves a file, it's allowed to use that in the sandbox, but the sandbox renames it to something that will not execute unless the user does something stupid.