An upcoming update to Microsoft’s Windows 10 will add more pressure on developers to switch to HTML5 from Adobe’s bug-prone Flash Player. Once the update rolls out, Edge will run HTML5 by default, while sites that still use Flash will require users to enable it.
Similar to Google’s plan to phase out Flash in Chrome, Microsoft is taking gradual steps to wean the web off Flash, which started in August with its Windows 10 Anniversary Update automatically pausing Flash ads and animations, while allowing video and games to continue uninterrupted.
The next step, aimed at improving performance, battery life, and security, will avoid loading Flash altogether if a site supports HTML5. Flash won’t be completely barred yet, but users will need to grant each site that relies on Flash Player permission for it to run. For convenience and to avoid overloading users with prompts, Windows will only require users to enable Flash once per site.
Microsoft says the new approach to Flash will not immediately affect the most popular sites that still rely on Flash, but eventually it will apply to all sites. This is also similar to the tack Google took with Flash on Chrome, which initially made an exception for the top 10 sites to use Flash without requiring end-user permission.
Flash has remained a persistent security headache for users, despite joint efforts by Microsoft, Google and Adobe to harden the software against hacks. This year alone, Adobe has patched five zero-day flaws that were being used in targeted attacks. The latest Flash zero-day, patched on Tuesday, was used to attack systems running Flash with Internet Explorer 32-bit on Windows.
While Flash zero-days remain a problem for high-value targets, these same bugs often become a problem for the general public after Adobe patches them. Microsoft’s security team today detailed two advanced attack groups using a Flash Player zero-day exploit in May. One of the groups, which Microsoft calls Neodymium, used malware that appears similar to that of commercial surveillance vendor FinFisher. Adobe patched the flaw on May 9, four days after being notified by security vendor FireEye, but within two weeks several exploit kits had integrated the flaw for automated web attacks against consumers who may not have installed Adobe’s latest update.
With the release of Chrome 55 last week, Google began disabling Flash by default for all sites except those that only support Flash. In October next year, Chrome users will need to give permission for Flash to run on any site, no matter how popular it is.