Why Adobe Flash is a Security Risk and Why Media Companies Still Use it

You might have noticed that so many security updates pushed out to Windows include updates to Adobe Flash.

Adobe Flash is a security risk that will not go away. Steve Jobs famously fought this web video player because he did not want the Safari browser dependent on a third-party product. He even wrote an essay in 2010 (you can read it here) explaining why Flash would never run on iOS or Mac OS. (Adobe nonetheless wrote instructions for how to enable it there, since otherwise lots of media content would not work.)

Jobs and others pushed for an upgrade of the HTML standard to HTML5 so that it could support video without Flash. That took some years to roll out. HTML5 adds the <VIDEO> and <AUDIO> tags, which cause the browser to play video or audio using its own native ability. But many websites still use the <EMBED> and <OBJECT> tags, which launch the Adobe Flash or Adobe Shockwave plugins.

So many people want to get rid of Adobe Flash that there is even a website dedicated to that.
Netflix and YouTube support HTML5. YouTube also supports Flash, as does Facebook. Netflix also has its own player called Silverlight. But according to Fast Company, the websites that still require Adobe Flash include HBO, NBC, CBS, Zynga, King, Showtime, Pandora, Spotify, Major League Baseball, Slacker Radio, Hulu, and the BBC.

Facebook’s security chief said, “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.” Yet they still support it.

The Complex World of Video Formats
The HBO series Silicon Valley chronicles the life of the fictional tech guru Richard Hendricks, who tries to navigate the complex world of clashing personalities and venture capitalism as he turns his new compression algorithm into a business.

[Image: adobe flash security risks]

Choosing the best compression algorithm is one reason there are so many video formats. Each tries to minimize bandwidth (hence the need for compression) and stream video in a smooth manner that does not overwhelm the memory of the machine or fade into a few pixels when the internet slows.

YouTube uses the HTML5, H.264, and WebM formats. Adobe Flash and Shockwave support AVI, MPG, M1V, M2P, M2T, M2TS, MTS, TOD, MPE, MPEG, DV, DVI, FLV, and F4V. Shockwave supports its own format, SWF. Apple QuickTime has its own format too.

The Dangers of Adobe Flash and Shockwave
Not many websites use Adobe Shockwave anymore. Not only does it have security issues, it’s awkward because it causes the browser to load an external file, called a .dll on Windows and .so on Linux. (If you do that with an unsigned .dll it would throw up an error in Windows. Adobe Shockwave is signed by Microsoft.) A .dll is a security risk because that launches a new process with access to its own memory. Hackers use exactly that approach to gain access to the operating system.

Adobe Flash is different, but not by much. It runs inside the same process and memory as the web browser. But frequent bugs in that software give hackers lots of opportunities to gain access to memory. When they do that, they can cause the browser to jump to a specific memory address and take control of the machine.

Adobe Flash in the Browser
Google says it will end support for Adobe Flash by the end of 2016, sort of. It will set the default preference in the browser to use HTML5. But the websites Facebook, Google-owned YouTube, Amazon, and Yahoo will still use Adobe Flash by default. Yet Google says it will slowly reduce the list of websites for which Flash is the default player in Chrome.

Flash already does not run in Chrome on Android, iOS, or Mac OS. On Windows, Linux, or a Chromebook, you can type this address into Chrome to see it:

chrome://plugins/

And you will see:

Adobe Flash Player - Version: 22.0.0.209-r1
Shockwave Flash 22.0 r0

Go to this website and try to play this video to see if your browser supports HTML5. If it does not, a message will appear.

HTML5 in the Web Page Source Code
If you look at the source code of a web page (In Chrome, click the right mouse button and then click View Source.), you can tell if the web page is loading Adobe Flash because you will see the <OBJECT> and <EMBED> HTML tags which could look something like these:

<embed src="/catgame.swf" quality="high">
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
<object type="application/x-shockwave-flash">

That might not be easy to spot in all that JavaScript code.

Contrast that with the web page shown below, which is the link we showed you above. If you hover the mouse over that video and click Inspect Element you can see the HTML code. Below you can see that this video is using HTML5, so it is using the browser’s native ability to play video. On the right side, in the code window, you can see that it says <VIDEO>.
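Spotting those tags by eye in a page full of JavaScript is tedious, so here is a small Python scanner, added as an example and not part of the original post, that reads saved page source and reports which elements load the Flash/Shockwave plugin and which use the browser’s native <VIDEO> or <AUDIO> support. It recognises the three patterns quoted above (an <EMBED> or <OBJECT> whose source ends in a plugin file, the Flash ActiveX classid, and the application/x-shockwave-flash type) plus the <PARAM name="movie"> form that often sits inside an <OBJECT>. The list of plugin file extensions (.swf, .flv, .f4v) is an assumption taken from the formats listed earlier, and the sample page is constructed for the demonstration.

```python
from html.parser import HTMLParser

# Values quoted in the post that identify the Flash plugin.
FLASH_CLASSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
FLASH_MIME = "application/x-shockwave-flash"
# Assumption: file extensions that imply plugin content (from the formats list above).
PLUGIN_EXTENSIONS = (".swf", ".flv", ".f4v")


class MediaScanner(HTMLParser):
    """Collects elements that hand media to a plugin versus elements that
    let the browser play it natively (HTML5 <video>/<audio>)."""

    def __init__(self):
        super().__init__()
        self.plugin_hits = []   # list of (tag, reason) for plugin loads
        self.native_hits = []   # list of tag names for <video>/<audio>

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; normalise values too.
        a = {k: (v or "").lower() for k, v in attrs}
        if tag in ("video", "audio"):
            self.native_hits.append(tag)
        elif tag in ("object", "embed", "param"):
            reason = self._plugin_reason(tag, a)
            if reason:
                self.plugin_hits.append((tag, reason))

    @staticmethod
    def _plugin_reason(tag, a):
        if a.get("classid") == FLASH_CLASSID:
            return "classid is the Flash ActiveX control"
        if a.get("type") == FLASH_MIME:
            return "type is " + FLASH_MIME
        # <param name="movie" value="x.swf"> inside an <object>
        if tag == "param" and a.get("name") == "movie":
            keys = ("value",)
        else:
            keys = ("src", "data")
        for key in keys:
            path = a.get(key, "").split("?")[0]   # drop any query string
            if path.endswith(PLUGIN_EXTENSIONS):
                return f"{key} points at a plugin file: {a[key]}"
        return None


def scan_html(html):
    """Return {'plugin': [(tag, reason), ...], 'native': [tag, ...]}."""
    scanner = MediaScanner()
    scanner.feed(html)
    scanner.close()
    return {"plugin": scanner.plugin_hits, "native": scanner.native_hits}


# Constructed sample page: the three Flash patterns from the post, a
# <param> inside an <object>, one HTML5 video, and an unrelated PDF object.
SAMPLE_PAGE = """
<html><body>
<script>var x = 1; /* lots of JavaScript here */</script>
<embed src="/catgame.swf" quality="high">
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
  <param name="movie" value="/catgame.swf">
</object>
<object type="application/x-shockwave-flash" data="/promo.swf"></object>
<video controls src="/clip.mp4"></video>
<object data="/report.pdf" type="application/pdf"></object>
</body></html>
"""

if __name__ == "__main__":
    result = scan_html(SAMPLE_PAGE)
    for tag, reason in result["plugin"]:
        print(f"plugin load: <{tag}> ({reason})")
    for tag in result["native"]:
        print(f"native HTML5 media: <{tag}>")
```

Run it on a page you saved with View Source (read the file and pass its contents to scan_html). An <OBJECT> that embeds a PDF or other non-Flash content is left alone, because only the classid, MIME type, and plugin file extensions are treated as evidence.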

[Image: html5 video test]

Why has it taken so long to kill off Adobe Flash? It is hard to see why the big media companies in the USA and Europe would cling to it. But people need to remember that in the developing world people still have slow internet, and they repair and then buy and sell old computers running Windows XP and Windows 7, which do not support HTML5, depending on what browser they have. So it would be logical to assume that TV stations and other media outlets in those countries would be using video streaming servers that use MP4 and older non-HTML5 formats.

That might explain some of that. But in the meantime we will continue to suffer hacking attacks as hackers continue to study Adobe Flash, and even Adobe PDF viewer, for security weaknesses, of which there have been plenty.