The title is meant to be taken as a rhetorical question. No answer is required, nor is one really expected. Most of us know this story far too well already…
Just at the end of last week, we learned about yet another Flash vulnerability. For those details, which revolve around embedded Flash components in Office documents being circulated in malicious emails, see https://helpx.adobe.com/security/products/flash-player/apsa18-01.html. Most likely, Adobe will release a patch later today (Monday 05-FEB-2018), but some damage has already been done. This time, it was something that made it easy for attackers to add harmful Flash content to Excel files. Today’s tech news tells us that although this zero-day exploit has not been widely circulated (yet), it has already caused issues for users in South Korea.
I know why Flash is still used on many websites. The site might have been developed some time ago and moving away from Flash would incur extra costs. But is that really a valid reason to use prehistoric methods and tools? How would we react if a mobile phone manufacturer admitted they were aware that batteries on their devices kept exploding, but they don’t plan to address this issue because of additional costs it would incur? How about a car manufacturer admitting that it knows its brakes don’t always work, but because it would be too expensive, they’ve decided not to fix them? Ultimately, it comes down to issues of product liability and responsibility. Companies that make physical, tangible objects cannot completely avoid absorbing some costs when things go wrong and people get hurt because of design defects, shoddy materials, component failures, and so forth. But as we all know too well, things are different in the digital world…
I find it passing strange that even companies like Microsoft still use Flash on their websites, even though that use is more limited nowadays. Here’s a screenshot from the Windows 10 Insider Preview ADK download page in the Edge browser:
OK, in all honesty I do not know what the Flash content on this page does. In fact, the download works just fine without allowing Flash content. But, why on earth is there Flash content present, required or not?
Reading about this latest Flash vulnerability, I couldn’t help but think how we consumers tend to accept risk as inherent in our everyday computing. We know that Flash shouldn’t be used any more, yet we love our online stuff so much we will deliberately use it, so we can play that online game, or partake of this online video streaming service. I guess it comes down to the same thing that drives almost everything in computing: familiarity, ease of use, and old habits trump security concerns. Be it using a simple and easy-to-remember password instead of a complex password with two-factor authentication, not requiring a password to sign into Windows, or just about any other activity in which security plays a role of some kind, the average consumer usually selects the easiest alternative. The same goes for Flash sites. We know they might cause issues, but because of the “I’ve never had any problems with it” attitude, we continue using them anyway, despite obvious, often-ballyhooed security risks.
Personally, I’ve been a silent member of the (un)Occupy Flash movement for some time now. I refuse to use Flash sites, and I do not allow Flash plugins or add-ons in my browsers. My sincere hope is that you would join the ranks and say no to Flash, too. If nobody uses it any more, surely then Flash can finally disappear forever?
Author: Kari Finn
A former Windows Insider MVP, Kari started in computing in the mid-’80s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at the #1 Windows site TenForums.com.