This has been a spectacularly bad week for Adobe Flash or fans thereof – over the past several days, many previously unknown security flaws have been uncovered in the program. Security experts and major tech companies alike are either recommending that individual users disable the program on their devices, or are outright refusing to enable Flash until the problems are fixed.
On Sunday, Facebook's Chief Security Officer Alex Stamos said on Twitter that “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.” And today Mark Schmidt, the head of Firefox support at Mozilla, tweeted the announcement that “All versions of Flash are blocked by default in Firefox as of now.” The Daily Mail claims that Google has made a similar decision regarding its Chrome browser.
Firefox or Chrome users can still choose to allow Flash if they wish; it's just that such permissions must be granted individually, rather than the browser allowing it automatically.
Here's a bit of background: in Italy, there's a company called Hacking Team whose business model allegedly entails making spyware and other surveillance technology and then selling it to various governments (some of its more notable clients allegedly include the governments of Saudi Arabia, Kazakhstan, Uzbekistan, Sudan, Russia — and the United States of America).
The company has not confirmed its business practices or clientele. Such details came out recently when Hacking Team itself got hacked by people who stole hundreds of gigabytes' worth of Hacking Team documents and released them online.
Among other interesting details, those documents also revealed the existence of not one, not two, but three separate zero-day flaws in Adobe Flash (as of this writing; more Flash security flaws may yet be revealed).
“Zero-day” is tech-speak for a threat discovered to be exploiting a previously unknown vulnerability; since nobody (other than bad-guy hackers) knew about the security hole, nobody's had time to patch it, and so zero days pass between the discovery of the vulnerability and the first time that vulnerability is attacked.
Experts recommend uninstalling
Where news headlines are concerned, “Zero-day exploit discovered in Adobe Flash” has become only slightly less commonplace than “Baby born at area hospital.” But after the triple play uncovered in the Hacking Team cache, the Internet collectively decided “This is the last straw.”
For example, when security expert Brian Krebs blogged about the third Hacking Team Flash exploit, he warned, “We are likely to continue to see additional Flash zero day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.”
Executives at Facebook and Firefox went even further, as mentioned already. When The Verge reported Mozilla's blocking of Flash today, it said the block is “temporary, but we hope it's permanent.” Computerworld gave its story on the matter the headline “Adobe Flash must die, die, DIE.”
Apple Insider advised Mac users to uninstall Flash from their computers, and provided instructions on how to do so.
Over in the United Kingdom, The Register advised its readers “It's time to flush Flash back to where it came from – Hell” (although The Register actually said this last February, several months before the Hacking Team document dump).
Regardless of when Adobe releases security patches for its various flaws, you're probably better off disabling or removing Flash from your browser altogether, even though this means you'll be unable to see Flash animations (or Flash ads), and also be unable to play various Flash games. But that's a small price to pay, compared to leaving your device and all data on it vulnerable to the always-growing list of ways hackers can exploit Adobe for their own purposes.