Alex Stamos, the recently appointed chief security officer at Facebook, has called on software company Adobe to announce an "end-of-life date for Flash." In a pair of tweets sent over the weekend, Stamos echoed a number of recent complaints from the security community that the software has become the vector for just too many hacking vulnerabilities.
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day. — Alex Stamos (@alexstamos) July 12, 2015
Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once. — Alex Stamos (@alexstamos) July 12, 2015
Last week, a 400GB cache of files stolen from spyware company Hacking Team revealed a major vulnerability in Flash that allowed hackers to execute malicious code on a target's machine via a website. Although Adobe quickly issued a patch to fix the problem, Hacking Team's internal memos describe the flaw as "the most beautiful Flash bug for the last four years," suggesting it had been known about — and used — for some time previously. This is far from an isolated incident: two additional vulnerabilities for Flash were found in the same 400GB trove in the following days, and earlier this year, Adobe was forced to release emergency security updates in both February and January.
Flash has been hit by a series of critical flaws this year
This seemingly unending list of vulnerabilities is why individuals like Stamos have turned against Flash, but the industry's ire against the software is nothing new. In 2010, Apple CEO Steve Jobs famously penned an open letter called "Thoughts on Flash," explaining why the company would not allow Adobe's software on its devices. He cited issues with performance, battery life, and security as major problems, noting that Flash had "one of the worst security records in 2009." So far, 2015 isn't shaping up to be a good year for the software either.
Stamos is not calling for Adobe to immediately pull the plug on Flash, of course, but instead for Adobe to announce an eventual retirement date for the software, giving websites the time to move to more secure technology like HTML5. Flash has been suffering from shrinking relevance in recent years, with former strongholds like Facebook games collapsing (see the burnout of Zynga), and YouTube moving away from the technology (in January this year the company deprecated Flash in favor of HTML5). Still, the transition would be difficult for smaller companies, and if it really is time for Flash to die, it's likely to be a long, painful struggle.