Why Is Flash so Insecure?

Stephen Cooper

October 26, 2017

Macromedia originally developed Flash. Adobe later acquired Macromedia. Flash offered a way to embed animation in websites. It made navigation slicker and enabled buttons and features to include animation. The Flash Player became the first method to display video in webpages.

Flash was so useful that it was built into many templates. Macromedia also produced a web designer package called Dreamweaver. Integration of Flash elements into webpages was a standard feature of that design platform. When Adobe bought Macromedia, it got Dreamweaver as well. It continued the policy of encouraging Dreamweaver users to integrate Flash into every element of their webpages.

Despite it offering a much more pleasing experience on websites, people came to dislike Flash. Advertisers exploited its presentational qualities, which added to the load times of pages that contained multiple ads. Users became annoyed with pages taking a long time to load because of their advertising content. The extra processing that Flash added into a page caused processors to run for longer in order to display the page. That action caused mobile devices’ batteries to drain faster.

Hacking Flash

The proliferation of one standard piece of code in many websites made Flash a very useful conduit for malware. The Flash extension was available for all browsers. The availability of each browser type for all operating systems made this an excellent cross-platform channel for infection. As hackers researched the Flash methodology and discovered security weaknesses, Adobe kept up with them. It released patches to shut down those exploits. However, Flash doesn’t load into the browser along with the webpage that uses it. The code for the player isn’t sent along with the code for the rest of the page because it’s already resident as a browser extension.

Users rarely needed to update their version of Flash because Adobe always tried to ensure backward compatibility. Thus users rarely installed patches to shut down security flaws. That made Flash even more interesting to hackers – their efforts to research Flash resulted in hacks that had a much longer shelf life.

The Beginning of the End

The death of Flash has been a long time coming. The fact that so many websites were developed on the assumption that all visitors would have the Flash extension meant that removing the inclusion of Flash would involve a major rewrite of some very important sites.

Apple forced the pace of change by refusing to allow iOS devices to run Flash procedures. Android followed suit. This was mainly because of the impact that Flash had on battery life. Rather than push technology to develop a more powerful battery, mobile device manufacturers simply banned battery-draining software. Flash was at the top of that list.

The increased popularity of mobile devices made a switch away from Flash almost inevitable. By 2015, more people in the US used mobile devices than desktop computers to access the internet. Sites had to adapt away from Flash or die along with it.

Android banned Flash in 2012. This move was way behind Apple’s declaration in 2010 that all of its iOS devices would be Flash-free forevermore. Regardless, this was still an early point in Flash’s decline. Games producers started to ditch Flash in 2013. By 2015, both YouTube and Netflix had replaced Flash with HTML5 code for their video players. Even advertisers have now started to abandon Flash, because its use presents ad blockers with the easiest method to shut advertising down on a page. By 2016, even Adobe abandoned Flash. It reconfigured its main Flash creator program, Flash Professional, to produce Adobe Animate. That program employs HTML5 methods instead of Flash.

Flash Exploits

Much of the online community had started to make plans to remove Flash from their sites by 2015. Despite that, the rate of discovery of security vulnerabilities in the Flash system suddenly escalated. There was one security flaw discovered in Flash in 2005. In 2014, 76 issues were reported. The number of flaws discovered in 2015 shot up to more than 250. More than 340 security problems were discovered in the system in 2016.

In total, 1,020 security flaws have been discovered in Flash since 2005, of which 863 are deemed critical. That “critical” designation is assigned to exploits that allow a hacker to download controlling programs that enable him/her to execute code on the infected computer remotely.

Flash Security Weaknesses

One of the main advantages that Flash brings to hackers is that the code that gets saved onto your computer doesn’t get deleted when you close down the page that it was transferred to support. Usually, cookies that different web applications need to function are stored in a browser folder. They can be deleted through a browser settings command. However, the cookies used for Flash aren’t stored with the browser’s other cookies, so they can’t be deleted in the regular way.

This basic design concept means that Flash will always be a target for hackers. The hacker code has a permanent home in plain sight.
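To see what Flash has left behind outside the browser's cookie store, the following added example (not part of the original article) lists Flash cookie files (`.sol` files) grouped by the site that set them and can remove them. The storage paths are the default Flash Player locations as an assumption; a browser with its own bundled player may keep a separate copy elsewhere.

```python
import os
import sys
from pathlib import Path


def lso_roots(home=None, appdata=None, platform=sys.platform):
    """Default Flash Player '#SharedObjects' folders (assumed install defaults)."""
    home = Path(home or Path.home())
    if platform.startswith("win"):
        base = Path(appdata or os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        return [base / "Macromedia" / "Flash Player" / "#SharedObjects"]
    if platform == "darwin":
        return [home / "Library" / "Preferences" / "Macromedia"
                / "Flash Player" / "#SharedObjects"]
    return [home / ".macromedia" / "Flash_Player" / "#SharedObjects"]


def find_flash_cookies(roots):
    """Return {site: [(path, size_in_bytes), ...]} for every .sol file found."""
    found = {}
    for root in roots:
        if not root.is_dir():
            continue  # Flash never ran for this user, or uses another location
        for sol in root.rglob("*.sol"):
            parts = sol.relative_to(root).parts
            # Layout: <random profile folder>/<site>/.../<name>.sol
            site = parts[1] if len(parts) >= 3 else "(unknown)"
            found.setdefault(site, []).append((sol, sol.stat().st_size))
    return found


def delete_flash_cookies(found):
    """Delete every file returned by find_flash_cookies; return the count."""
    removed = 0
    for entries in found.values():
        for path, _size in entries:
            path.unlink()
            removed += 1
    return removed


if __name__ == "__main__":
    cookies = find_flash_cookies(lso_roots())
    for site, entries in sorted(cookies.items()):
        total = sum(size for _path, size in entries)
        print(f"{site}: {len(entries)} file(s), {total} bytes")
    if "--delete" in sys.argv:
        print("removed", delete_flash_cookies(cookies), "file(s)")
```

Run it without arguments to audit, and with `--delete` to clear the files once the browser is closed.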

Hacking Advantages

Adobe Flash includes a programming language called ActionScript. The inclusion of programming capabilities gives hackers the ability to include instructions in a webpage that can gather information and create events. JavaScript is another programming language that adds capabilities to webpages. It also introduces opportunities for hackers. Without inserted scripts, HTML is harmless because it is just a format coding standard and contains no programming constructs.

The hacker doesn’t need to download all of his malware onto your computer with the first transfer of Flash. Hackers have developed controlling programs that can open up a connection and check back with headquarters. These programs work in exactly the same way that installer programs operate when they install updates.

The update procedures that malware implements act as an open door. Thus the hacker has a method to get new malware onto your computer as long as that update program is resident on your machine.

Firewalls block outside connections being made into your computer over the internet. However, they don’t block incoming data when it’s sent in response to a request that originated on the computer.

Flash Privacy Weaknesses

Thanks to Virtual Private Networks (VPNs), it’s becoming increasingly difficult for website providers to identify visitors. This is because VPNs provide temporary IP addresses to mask their users’ identities and locations. These are associated with different locations to the users’ real locales.

A new method of analyzing website visitors has emerged. This tracks users through other factors that a website can query about the computer that sends a request for a page. Many of these factors are referred to as “user agents.” They include information on the operating system version, the browser version, and other data about the screen type and keyboard layout. These small pieces of information can be added together to create a unique profile that identifies each visitor. This method of identification is called “fingerprinting.”

Adobe Flash is a great help to those who want to implement fingerprinting. Tracker blockers can now prevent queries in the browser to derive this information. However, Adobe Flash can be queried individually to reveal the platform of the user’s computer, the system language, the screen resolution, and a list of installed fonts. These pieces of information can be enough to track your access to websites and compile a profile on your web activities.
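The sketch below is an added example, not code from the original article. It combines the four attributes named above into a fingerprint and measures how many visitors in a small constructed sample become unique as attributes are added. The visitor records, IP addresses and font lists are made-up sample data, and the hashing scheme is one simple choice among many.

```python
import hashlib
from collections import Counter

# The attributes the article says Flash can be queried for.
FIELDS = ("platform", "language", "resolution", "fonts")

# Constructed sample visitors (illustrative values, documentation IP ranges).
VISITORS = [
    {"ip": "198.51.100.7", "platform": "Windows", "language": "en-US",
     "resolution": "1920x1080", "fonts": ["Arial", "Calibri", "Verdana"]},
    {"ip": "198.51.100.8", "platform": "Windows", "language": "en-US",
     "resolution": "1920x1080", "fonts": ["Arial", "Calibri", "Comic Neue", "Verdana"]},
    {"ip": "198.51.100.9", "platform": "Windows", "language": "en-US",
     "resolution": "1366x768", "fonts": ["Arial", "Calibri", "Verdana"]},
    {"ip": "192.0.2.14", "platform": "Mac", "language": "en-US",
     "resolution": "2560x1600", "fonts": ["Helvetica", "Menlo"]},
    {"ip": "192.0.2.15", "platform": "Mac", "language": "en-GB",
     "resolution": "2560x1600", "fonts": ["Helvetica", "Menlo"]},
    {"ip": "192.0.2.16", "platform": "Windows", "language": "de-DE",
     "resolution": "1920x1080", "fonts": ["Arial", "Calibri", "Verdana"]},
]


def fingerprint(visitor, fields=FIELDS):
    """Hash the chosen attributes; the IP address is deliberately not an input."""
    parts = []
    for name in fields:
        value = visitor[name]
        if isinstance(value, (list, tuple, set)):
            value = ",".join(sorted(value))  # font order must not matter
        parts.append(f"{name}={value}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def anonymity_sets(visitors, fields=FIELDS):
    """Map each fingerprint to the number of visitors who share it."""
    return Counter(fingerprint(v, fields) for v in visitors)


def unique_fraction(visitors, fields=FIELDS):
    """Share of visitors whose fingerprint nobody else in the sample has."""
    sets = anonymity_sets(visitors, fields)
    return sum(1 for v in visitors if sets[fingerprint(v, fields)] == 1) / len(visitors)


if __name__ == "__main__":
    for n in range(1, len(FIELDS) + 1):
        print(FIELDS[:n], f"{unique_fraction(VISITORS, FIELDS[:n]):.0%} unique")
    via_vpn = dict(VISITORS[0], ip="203.0.113.50")  # same machine, new exit IP
    print("same fingerprint behind VPN:", fingerprint(via_vpn) == fingerprint(VISITORS[0]))
```

Because the IP address never enters the hash, a visitor who switches VPN servers keeps the same fingerprint, which is why removing or blocking Flash matters even when a VPN is in use.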

Protect Your Computer

Thanks to the animation and video display capabilities of HTML5, websites no longer need to use the Adobe Flash Player. However, some older sites may still integrate the system. Thus you have to decide whether you want to give up visiting those sites if you want to remove Flash from your browser.

If you use the Mozilla Firefox browser, you can stop Flash by installing an add-on called Flashblock. For other browser types, follow the instructions below.

Block Flash in Chrome

Step 1

Click on the menu icon at the end of the address bar. Select Settings from the drop-down menu.

Step 2

Click on Advanced at the bottom of the Settings screen.

Step 3

Scroll down to the Privacy and Security section and click on the arrow next to Content settings.

Step 4

Click on the arrow next to Flash in the next screen.

Step 5

Set the slider next to Allow sites to run Flash to Off in order to block Flash completely. Alternatively, leave that slider in the On position and set the Ask first slider to On if you want to be asked whether to allow Flash to run on a page.

Block Flash in Safari

Step 1

Access the Preferences menu of Safari and select Security.

Step 2

Click on Manage Website Settings.

Step 3

Select Adobe Flash Player and select Block from the When visiting other websites drop-down list.

Block Flash in Microsoft Edge

Step 1

Click on the menu icon in the top right of the browser. This icon appears as a row of three dots. Select Settings from the drop-down menu.

Step 2

Click on View Advanced Settings in the Settings menu.

Step 3

Move the Use Adobe Flash Player slider to Off.

Block Flash in Internet Explorer

Step 1

Click on the cog symbol at the top right of the browser and select Safety from the drop-down menu.

Step 2

Click on ActiveX Filtering in the sub-menu that appears. A tick will be displayed beside this option to show that it has been turned on.

Testing for Flash

Adobe has a test page on its website. This will help you work out whether Flash elements can be activated in your browser. However, it only works for Internet Explorer and Microsoft Edge. After going through the steps in the previous section, check out the Adobe Flash Player help page to confirm that your Adobe Flash ban has actually worked.

Flash Is History

Thanks to the development of HTML5, Flash is no longer needed. The outdated webpages that still use Adobe Flash will eventually be taken down and replaced with better versions. Adobe announced in July 2017 that it would stop supporting Flash in 2020.

Flash is gradually getting out of date and retreating to the annals of web history. One day, you will tell your children about Flash exploits and they won’t believe you. For now, you just have to guard your computer against the many hacks that Adobe Flash makes possible.

Image Credit: 360b/Shutterstock.com
