As the end-of-life date for Adobe Flash creeps nearer and nearer (December 2020[1]), jail administrators across the country should be preparing for the transition. Flash is a browser plug-in used by several of the more substantial video visitation providers to stream audio and video to inmate family and friends who connect remotely from personal devices. Video visitation providers that currently use Flash will need to provide an alternative by the time Adobe stops issuing security patches in 2020.
In fact, much of the tech world has already taken steps to move away from the Adobe Flash plug-in. Microsoft’s Edge and Internet Explorer browsers will disable Flash by default in 2018.[2] But that’s nothing compared to Apple’s mobile products and browsers, which have focused on HTML5, CSS, and JavaScript as Flash-alternatives since 2010.[3]
Suffice it to say that the writing is on the wall for Adobe Flash. The era of insecure browser plug-ins is coming to a close. It’s a great time to be online, but folks who are less technically inclined may still be wondering: “Why is Adobe discontinuing Flash?”
The answer is software vulnerabilities.
Historical Software Vulnerabilities of Adobe Flash
Journalist Aatif Sulleyman summarizes Flash’s main problem very well: “[Flash] has become less and less useful over the years, but is constantly being exploited by cybercriminals, who keep finding security holes that they can use to attack users.”[4]
Diminishing returns and added security problems? It’s no wonder companies like Apple and Microsoft are distancing their customers from the product. And these security vulnerabilities are no joke. There have been more than 600 critical vulnerabilities documented to-date, 57 of which appeared in the last year.[5,6,7]
In fact, let’s take a second to talk about 2017, the year of the Bad Rabbit. “One of the more notable social engineering-enabled attacks of 2017 was Bad Rabbit. The international ransomware attack began with legitimate but compromised sites that requested a fake Adobe Flash update that contained the malware,” according to a Skybox Security white paper.[8]
Skybox Security isn’t the only cybersecurity company researching Flash. Recorded Future–an internet company specializing in real-time threat analysis–identified the top vulnerabilities used by exploit kits in 2015 after analyzing sources from criminal forums, .onion sites, and social media. Adobe Flash Player vulnerabilities dominated the list with thousands of references.[9]
Continuing Problems
By now, it should be evident that the Adobe Flash web plug-in has been brutalized by cybercriminals over the course of its lifespan. Why video visitation providers would knowingly use this technology to connect with otherwise highly secure incarceration facilities is unfathomable. And don’t believe for a second that Flash’s security problems are a thing of the past; as of the time of this writing, the most recent critical Adobe Flash vulnerability was fixed on February 6, 2018.[10]
It’s impressive that some video visitation providers STILL rely on Flash to handle their services, let alone that they ever adopted the plug-in in the first place. Hopefully, Adobe’s 2020 deadline will force providers to take their client’s security seriously.
Who Still Uses Adobe Flash?
As of the time of this writing, video visitation giants Securus,[11] Telmate,[12] and Homewav[13] all use the Adobe Flash Player. If that concerns you, contact your video visitation solutions provider with additional questions.
Linked References
- Flash & The Future of Interactive Content.
- The End of an Era – Next Steps for Adobe Flash.
- Steve Jobs: Thoughts on Flash.
- Adobe Flash Player Users Urged to Disable Software After it Lets Criminals Infect Computers.
- Adversarial Detection of Flash Malware: Limitations and Open Issues.
- Adobe Flash Player Security Vulnerabilities.
- How Flash Vulnerabilities Expose You To Attacks.
- Vulnerability and Threat Trends Report 2018.
- Gone in a Flash: Top 10 Vulnerabilities Used by Exploit Kits.
- Security Advisory for Flash Player.
- Securus Terms and Conditions.
- Telmate Visit Test.
- Homewav Device Compatibility.