Another nail in Flash’s coffin. Google Chrome to block Flash by default on most websites

Graham Cluley

Google Chrome, the world’s most popular web browser, is banging another nail into Adobe Flash’s coffin.

This week we’ve learnt that by the end of the year Chrome will be defaulting to using HTML5 rather than Adobe Flash on nearly all websites.

Google’s Anthony LaForge outlined the company’s plan to prevent Flash from automatically running on websites:

“While Flash historically has been critical for rich media on the web, today in many cases HTML5 provides a more integrated media experience with faster load times and lower power consumption. This change reflects the maturity of HTML5 and its ability to deliver an excellent user experience. We will continue to work closely with Adobe and other browser vendors to keep moving the web platform forward, in particular paying close attention to web gaming.”

In a nutshell, this is what Google is proposing:

  • Flash Player will come bundled with Chrome, however its presence will not be advertised by default.
  • If a site offers an HTML5 experience, it will be used as the default experience.
  • When a user encounters a site that needs Flash Player, a prompt will appear at the top of the page, giving the user the option of allowing it for a site.
  • If the user accepts, Chrome will advertise the presence of Flash Player, and refresh the page.
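
What "advertise" means for site code, as an added example (not from Google's proposal or the original article): browsers expose installed plugins through `navigator.mimeTypes` and `navigator.plugins`, so a page that feature-detects Flash there sees none until the user allows it. The function names and the two navigator stand-ins are constructed for illustration.

```javascript
// Added example; function names and sample objects are hypothetical.
const FLASH_MIME = 'application/x-shockwave-flash';

// True only when the browser advertises an enabled Flash plugin.
function flashAdvertised(nav) {
  const entry = nav && nav.mimeTypes ? nav.mimeTypes[FLASH_MIME] : undefined;
  return Boolean(entry && entry.enabledPlugin);
}

// Pick a playback path for one media item.
// media: { html5Src, swfSrc }; canPlayHtml5: result of the page's own
// <video>.canPlayType() check, passed in so this runs outside a browser.
function chooseBackend(nav, media, canPlayHtml5) {
  if (media.html5Src && canPlayHtml5) return 'html5';       // preferred path
  if (media.swfSrc && flashAdvertised(nav)) return 'flash'; // only if advertised
  return 'fallback'; // static content; never assume a hidden plugin exists
}

// Constructed navigator stand-ins for the two states described above:
// Flash bundled but not advertised, and Flash advertised after the user accepts.
const flashHidden = { mimeTypes: {}, plugins: {} };
const flashAllowed = {
  mimeTypes: { [FLASH_MIME]: { enabledPlugin: { name: 'Shockwave Flash' } } },
  plugins: { 'Shockwave Flash': { name: 'Shockwave Flash' } },
};

// Run the decision for a site with both sources and a Flash-only site.
function demo() {
  const both = { html5Src: 'clip.mp4', swfSrc: 'clip.swf' };
  const swfOnly = { swfSrc: 'game.swf' };
  return {
    hiddenBoth: chooseBackend(flashHidden, both, true),
    hiddenSwfOnly: chooseBackend(flashHidden, swfOnly, true),
    allowedSwfOnly: chooseBackend(flashAllowed, swfOnly, true),
    allowedBoth: chooseBackend(flashAllowed, both, true),
  };
}

console.log(demo());
```

A site that ships an HTML5 source never touches the plugin in either state, which is the outcome the proposal is steering towards.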

LaForge doesn’t mention it, but the reason why so many people are excited by the news of Flash’s step closer to extinction is because the technology has been blighted by innumerable security holes in recent years, and is regularly exploited by online criminals.

Specifically, Google wants to reduce malicious attacks such as malvertising – the rogue web adverts that can infect your computer with malware as you browse a legitimate website.

As we have previously reported, Adobe Flash is the technology most targeted by malicious exploit kits, and the number of discovered vulnerabilities has increased dramatically.

In short, a Flash-free web is a safer web.

As Google explains, to avoid too much disruption, the top ten websites using Flash will be added to a whitelist – allowing Flash to continue operating for a while:

  1. YouTube.com
  2. Facebook.com
  3. Yahoo.com
  4. VK.com
  5. Live.com
  6. Yandex.ru
  7. OK.ru
  8. Twitch.tv
  9. Amazon.com
  10. Mail.ru

However, most of the time Chrome’s Flash Player will be hidden away.

In a slide deck describing the proposal, Google offers a sneak peek of what Chrome users may be seeing in their browser later this year.

One part of the report describes how on sites that need Flash Player, a prompt will appear at the top of the page, giving the user the option of granting permission for the controversial technology to run.

If you allow Flash Player, then preferences will be stored, and the webpage refreshed with Adobe Flash Player enabled.

The proposal suggests that enterprises will be able to set a policy of always running Flash content (I hope you’re feeling bold), and users will be able to manage their preferences for individual sites.

I don’t think anyone is going to be too surprised to see Google further distancing itself from the troubled Adobe Flash. It has already announced it will drop support for the Flash-based online ads that some advertisers like to upload to Google’s Adwords and DoubleClick services, and blocked Flash ads by default.

Adobe Flash isn’t quite dead yet, but we’re one step closer to its burial.

Personally I don’t think it could come quickly enough.

This article first appeared on the HEAT Security blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
