Facebook’s CSO, Alex Stamos, has suggested that it is well past time to retire the browser plug-in and move on to something else. Stamos is not the first to suggest this, either. The most famous Flash hater was, of course, Steve Jobs. He disliked Flash with a passion and refused to allow it on his iOS platform in any way. At one point he even banned games and applications that were developed using Flash, even if they were properly ported to another base.
Still, Flash has hung in there despite some high-level comments that it is time to let it go. The biggest reason for this is that no one has been able to come up with a real replacement for it. Sure, you can develop rich content in HTML 5, and Microsoft even tried to supplant it with Silverlight (which failed), but there is nothing with the same simplicity as Flash, which is one of the main reasons that it is easy to exploit. If you look back at the Pwn2Own competitions, the majority of the winners used Flash exploits in their attacks.
Yes, it is time for Flash to sail off into the sunset. It is a plug-in that appears to be too far gone to secure. Sadly, even if you remove Flash from the equation, there will be another plug-in or API right behind it that will be exploited in the same way. Most of you know exactly which one I am talking about: Java. Between Flash and Java, I am not sure how 100% of the computer systems out there are not completely compromised. After these two simple vectors are gone… well, hackers will simply target the many, many holes in HTML 5…. You know, maybe it is simply time to demand better development practices when it comes to security from the entire market…
It will be interesting to see if the Hacking Team breach really does bring about the death of Flash, and what will jump up to take its place as the most exploited API…