Adobe Flash Player is a security nightmare, plain and simple. Unfortunately, many large companies still use it on their websites. Years ago, when I was working at the DoD, I recall installing security patches on Adobe Flash almost constantly. It seemed like every few days there was a new vulnerability being patched. Among the technical team, there was always a question of why Flash was still in use considering the constant security hazards.
Recently, I was assisting an end-user who had a special customer access account for the website belonging to one of the world’s largest aerospace companies. Since this experience relates to my current job, I’m leaving out the names purposely. My company has Adobe Flash blocked in web browsers by default because it’s not secure and Adobe themselves have been telling people to stop using it for over a year. So I was surprised to find out that this large aerospace company still relies on Adobe Flash for portions of their website. The same company also provides secure tokens for login to protect their environment and keep it secure, yet once you’re in you must have a piece of vulnerable software installed to continue. So why is this the case?
Adobe Flash: A Hard Habit to Break
For a long time, Adobe Flash was the premier delivery system for streaming audio and video over the internet. There simply wasn’t a better option available. As a result, security-minded professionals continued to use the vulnerable platform in spite of its weaknesses. In 2014 that all changed when HTML5 was published. HTML5 was a new standard that could replace the vulnerable Flash. Unfortunately, adoption of the new standard has been slow. Developers are comfortable with their old tools and resistant to change.
Follow The Money
Two of the earliest adopters to make the switch from Adobe Flash to HTML5 were Netflix and Amazon. It’s no surprise that they have large amounts of capital available to pour into such a project. Smaller providers simply may not have the resources for such a change. Is this justifiable? Well, I guess that depends on the company. If the risk associated with continuing to use an outdated platform outweighs the cost of moving to something more secure, then I suppose the answer is yes.
Ultimately, my confusion really comes down to my experience with large companies that have resources, and more to lose via security exploits, who still refuse to make the move to HTML5. When one of the largest and most well-funded aerospace companies in the world still uses Adobe Flash, the reason why all comes down to 2 things: a lack of understanding by senior management, and pure laziness. These companies will eventually change, but most likely only after a security breach has cost them millions.