
Wyden urges government agencies to ditch Flash

Let's not wind up with another Windows XP mess, he said, noting that there's been no public guidance in spite of Flash's looming death date.

Come the end of 2020, it will be time to stick a fork in Adobe Flash. That’s when, if you’ll forgive the mixed metaphor, the malware petri dish will officially be toast.
Unfortunately, that doesn’t mean that government agencies are going to toss Flash into the compost pile.
After all, the government doesn’t have an easy time letting go. Take, for example, the zombie-like Windows XP: it’s still in use by US government agencies (and plenty of other people), despite Microsoft having pulled life support away from the operating system back in 2014.
Let’s not go there this time, said Oregon Senator Ron Wyden on Wednesday. In a letter sent to three government agencies, the senator suggested coming up with solutions and procedures to mandate removal of Adobe Flash content from all US government websites by 1 August, 2019.
The letter was addressed to officials at three agencies that should be on top of this well before Adobe’s Flash end-of-life date: the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), and the Department of Homeland Security (DHS).

Wyden pointed to the technology’s “serious, largely unfixable cybersecurity issues,” which can “allow attackers to completely take control of a visitor’s computer, reaching deep into their digital life.” It’s bad enough now, he said. After 2020, when Adobe will provide neither technical support nor security updates, the situation will only get worse.
The three agencies provide the majority of cybersecurity guidance to government agencies, Wyden wrote in his letter, and as such, they should be ensuring that government workers are protected from cyber threats. Yet to date, they’ve issued no public guidance, he said, in spite of the looming, critical deadline.
To that end, Wyden would like to see the officials do these three things:

  1. Mandate that government agencies shall not deploy new, Flash-based content on any federal website, effective within 60 days.
  2. Require federal agencies to remove all Flash-based content from their websites by 1 August, 2019. To help them do so, expand the cyber-hygiene scans DHS routinely performs on federal agencies to include Flash content on the agencies’ websites. Also, provide each agency with a list of Flash content on their websites, along with guidance on how to promptly transition away from it.
  3. Require agencies to remove Flash from desktop computers by 1 August, 2019, starting with a pilot program to remove it from a small number of employee desktop computers by 1 March, 2019.

According to web technology survey site W3Techs, only 4.5% of websites are now using Flash: a number that’s, thankfully, considerably less than the 28.5% market share the site recorded at the start of 2011.
But as pointed out by Bleeping Computer, that decline isn’t all that reassuring, given that it refers to “all Internet sites, not just a small portion of Top 10,000 or Top 1 Million sites.”
Given how dangerous Flash is, Wyden’s exhortations make sense. Let’s hope that somebody – a lot of somebodies, at that – is listening at DHS, NIST and NSA. The work to eradicate Flash should have started long ago, but “now” is much better than “never.”


Next up, the removal of Adobe PDF files, since they have too much access to the Windows OS and are also an extremely common exploit source. Adobe really should start putting Security ahead of Features.


> “Adobe really should start putting Security ahead of Features.”
If they do that, how are they going to keep you on the upgrade train?
Microsoft was only able to get the XP users onto Win 10 by promising there would be no further versions, just continued fixes.


Maybe that’s the real problem with some software companies. They’re so focussed on adding ‘cool’ new features, or on product differentiation, that they miss what users actually need – a product that works, is secure and reliable, and uses minimal machine resources. Oh, and when the program is closed, it actually shuts down fully (Firefox take note).


I believe many of us know the risks of Adobe Flash. WHY does Google Chrome continue to use it?


Edge has it too. No idea why. You can turn it off, but why have it at all?
Perhaps it’s a left-over contractual thing between Google and Adobe? Perhaps it’s the theory that if a significant minority are going to install Flash anyway, why not make sure they have a managed version that keeps in known and tested lockstep with browser updates?
OTOH, whether you use Windows, macOS or Linux, there are loads of not-always-what-you-want-but-will-struggle-to-avoid software dependencies that go along with loads of common apps… try switching your Mac to LibreSSL, for example. You’ll still end up with N copies of OpenSSL scattered around your filesystem.
Perhaps Google figures it might as well retain Flash and at least maintain it reliably?

