Adobe’s Flash Player will be switched off by default at the end of this year, meaning Chrome users will need to actively turn it on for all but a handful of top websites.
The slow and steady slide to a world without Flash continues, with Google revealing plans to phase out support for Adobe’s Flash Player in its Chrome Web browser for all but a handful of websites. And the company expects the changes to roll out by the fourth quarter of 2016.
While it says Flash might have “historically” been a good way to present rich media online, Google is now much more partial to HTML5, thanks to faster load times and lower power use.
As a result, Flash will still come bundled with Chrome, but “its presence will not be advertised by default.” Where the Flash Player is the only option for viewing content on a site, users will need to actively switch it on for individual sites. Enterprise Chrome users will also have the option of switching Flash off altogether.
Google will maintain support in the short-term for the top 10 domains using the player, including YouTube, Facebook, Yahoo, Twitch and Amazon. But this “whitelist” is set to be periodically reviewed, with sites removed if they no longer warrant an exception, and the exemption list will expire after a year.
A spokesperson for Adobe said it was working with Google in its goal of “an industry-wide transition to Open Web standards,” including the adoption of HTML5.
Given that Flash continues to be used in areas such as education, web gaming and premium video, the responsible thing for Adobe to do is to continue to support Flash with updates and fixes, as we help the industry transition,” Adobe said in an emailed statement. “Looking ahead, we encourage content creators to build with new web standards.”
Many other tech firms, including Apple, Microsoft and Mozilla, have taken steps to stop Flash running. In 2015, Facebook’s security chief Alex Stamos called for it to be killed off once and for all. However, it still lives on because many sites still make heavy use of it and many games employ it in ways that are hard to replicate with other web technologies.
Security hole. Shortly before Google announced its plans, security firm Fire-eye revealed the latest reported vulnerability in Flash was being actively exploited by cyberthieves. The malicious campaign began only days after the bug was first discovered.
In a blogpost, a Fire-eye researcher said attack code was being included in Flash files embedded in Microsoft Office documents. Adobe has published patches that stop Flash being used as an attack route via this flaw.
Writing on the Sophos security blog, Paul Ducklin said this was the third time in three months that Adobe had needed to produce patches for vulnerabilities that, if exploited, would let attackers compromise a victim’s computer.
Many security firms now recommend that people uninstall Flash player to avoid falling victim to malicious attachments or booby-trapped webpages. A lot of web firms have now stopped using Flash in a bid to thwart attackers.