There’s yet another security issue surrounding Flash, the Adobe technology that is used in the majority of rich online ads today.
On Monday (Aug. 3), Yahoo said it shut down an attack that distributed malicious code to Windows computers that had visited its properties. Once installed, the malware exploited machines running outdated versions of Flash, taking over the computers until their owners paid a ransom. Citing Yahoo’s 6.9 billion visitors each month, security firm Malwarebytes, which discovered the vulnerability, called this “one of the largest malvertising attacks” it had seen.
The attack on Yahoo is just the latest in a string of assaults that have exploited Flash. Last month, Mozilla blocked Flash from its Firefox browser until Adobe released an update patching another security flaw. According to CVE Details, a database that tracks online vulnerabilities, there have been 511 reported Flash vulnerabilities since 2005, and the number has been rising in recent years, with 133 instances in the year to date alone.
As such, some are calling for the abandonment of Flash altogether. “The sooner we completely eliminate the use of Flash, the better,” wrote John Gruber on his Apple blog, Daring Fireball. “Just get rid of it.”
But doing so isn’t so simple.
According to advertising company Sizmek, Flash made up 55% of multimedia ad impressions on mobile in the first quarter of 2015, with HTML5 comprising the remainder. (This statistic is especially striking when you consider the fact that most mobile devices—including iPhones—don’t support Flash. As a result, 98.6% of those Flash ads display as static images on phones and tablets.)
In 2010, Apple’s then-CEO Steve Jobs penned an open letter explaining why the company’s mobile devices did not support Flash. In addition to taking aim at Adobe’s proprietary technology draining devices’ battery life, he highlighted Flash’s security vulnerabilities. “We also know first hand that Flash is the number one reason Macs crash,” he wrote. “We don’t want to reduce the reliability and security of our iPhones, iPods, and iPads by adding Flash.”
Even Jobs, who helped nudge consumers toward a number of emerging trends, wasn’t able to wean the world off Flash. But the campaign against Flash is starting to pick up steam again. Last month, Facebook’s chief security officer Alex Stamos posted on Twitter that it was “time for Adobe to announce the end-of-life date for Flash.”
Just don’t expect the advertising industry to lead the charge on this. As a whole, it’s known to stick to tried-and-true methods—which helps explain why TV still commands the majority of ad budgets.