Let’s pretend we’re back in, say, 2008. You’ve just bought a new computer with Windows XP on it, hooked it up to the internet, opened the browser, navigated to your favorite website… and found that half of it doesn’t display. “Try installing Adobe Flash,” a friend who knows all about computers advises over the phone.
The origins of Flash date back to the early 1990s: it was a tool to create simple vector-based animations compact enough to be downloaded even over a slow internet connection via a modem.
By the late 2000s, Adobe Flash Player — still an animation tool at heart — was pretty much indispensable. Without it, literally half of all websites didn’t work. At the same time, cybercriminals began to utilize the dozens upon dozens of vulnerabilities found in the player. Largely because of this, since 2010, Flash has had many ardent critics, and even Adobe itself recognized that the internet needs to develop along different lines. Nevertheless, Flash’s “funeral” was drawn out for almost 10 years — and even then it wasn’t properly buried. It all makes for one of the most interesting episodes in the history of online information security. Let’s delve into the details…
Computers go tablet
The history of Flash begins in 1992–93, when several firms released tablet computers all at once. That’s right, like the iPad — only 13 years earlier. Here’s what the IBM ThinkPad 700T, a rare breed, looked like, for example:
Such devices used Penpoint OS developed by GO Corporation. This first attempt to make a portable tablet computer, however, crashed and burned. As early as 1994, Go Corporation was sold to AT&T Corporation, which promptly ceased its production. However, several independent applications were written for Penpoint OS. One of them was the graphics editor SmartSketch, developed by Futurewave Software.
Alas, the release of Smartsketch coincided with the demise of Penpoint OS. Futurewave first adapted the editor for Microsoft Windows and Mac OS, then added the ability to create animated graphics while renaming the product FutureSplash Animator. In 1996, Futurewave Software was acquired by Macromedia, and its product was rebranded Macromedia Flash. It consisted of two components: a program for creating animations, and a compact Macromedia Flash Player utility for playing them on users’ computers. Importantly, both SmartSketch and early Macromedia Flash used what are known as vector graphics.
The JPEG photos and images that we’re all used to use raster graphics, whereby each individual pixel has a color value — and there can be thousands or even millions of them. Vector graphics don’t store pixel information; they’re a recipe for recreating an image from primitives or geometric shapes: lines, squares, circles, etc. Vector files tend to be more compact than raster ones: instead of describing each pixel in an image of a circle on a white background, we store a single instruction: “Draw a circle with a radius of X pixels on a white background.”
Back in the heady 1990s, people generally went online through modems. Such connections were tediously slow, with a data transfer rate of 5–6 kilobytes per second at best. Any raster image of minimum decent quality took at least a few seconds (or even minutes) to load. As a result many users simply turned off images in the browser settings. Using vector graphics, however, Macromedia Flash was able to deliver colorful animated images that loaded in no time at all.
One other important point before we continue: when speaking of Flash, we’re essentially talking about the code that gets downloaded to a computer every time a user opens a site with Flash content. This is no ordinary executable file, but a set of instructions run by Macromedia Flash Player on the PC. Still, the principle is the same (in theory, however, there was nothing to prevent making an executable file containing both the content and the player).
It didn’t take long for Flash to start picking up additional functionality: besides graphics, along came sound and special effects, and later even video transmission.
The author of this post first came across Macromedia Flash in 2001 when watching Masyanya, Russia’s answer to Beavis and Butt-Head. That fall, every Monday morning, I downloaded and watched a new episode of the online cartoon, lasting one to two minutes. The creator of Masyanya, Oleg Kuvaev, made the animated videos with Macromedia Flash and uploaded them to his website specifically as executable files, with Flash Player and the animation itself embedded inside. This approach essentially preempted YouTube. Masyanya perfectly illustrates the compactness of the format: the sixth episode of the series (called “Modem”) was only 600 kilobytes in size — including the playback software, don’t forget. The same episode in video format of the most basic quality weighs three times as much, and that’s without a player.
Macromedia Flash technology significantly expanded the capabilities of internet browsers in those days, which themselves did not differ in terms of content displayed: text and images, period. So it was a logical development to create a plug-in for playing Flash content directly in the browser, eliminating the need to download and run things separately. That is, Flash objects were still code executed on your computer — the only difference being that, after installation of the plug-in, these programs ran as the web content loaded, without any additional action from the user.
Developer tools also expanded: by the end of the 1990s it was no longer about simple animation. Flash now made it possible to implement user-interactive menu items, and there was support for a scripting language allowing you to create increasingly complex constructions inside a Flash object. To visualize this, let’s show the evolution of website capabilities.
Here’s the very first web page, from 1990:
Here’s a typical website from 1996:
And here’s a website with Flash elements from 2000:
Web designers back then had different priorities: some strove for maximum compatibility, others sacrificed compatibility for the sake of graphics. In the former case 1996 — even if a site had Flash elements — it was still usable without them. In the second, a site needed Flash; without it it wouldn’t work. Like this Nike Air minisite:
Macromedia Flash seriously expanded the boundaries of what was possible in website design. It untied developers’ hands regarding the placement of animated elements, the use of sound and video, and eye-catching effects when moving between pages.
In 2006, Macromedia was bought by Adobe Corporation. Soon, Flash was being used to create entire games that ran right in the browser — an unprecedented step in the mid-2000s. Meanwhile, mobile devices were developing rapidly. Flash Player alternatives were being developed for them as well, making content available across multiple platforms. 2005 saw the launch of YouTube. It, too, used Flash Player to deliver videos.
A negative consequence was that advertisers got overly carried away creating garish banners based on Macromedia/Adobe Flash. Since these were still programs executed on the user’s computer, they sometimes put a heavy load on the system, seriously slowing down other programs. In some browsers and plug-ins for them, the option appeared to disable Flash by default. As it quickly transpired, however, banners were the least of the many problems awaiting the Flash-dominated computing world.
Giant security hole
Reconstructing the timeline of vulnerability detection in Adobe Flash Player is quite difficult, since the program dates back to the dawn of the modern web. In the early 2000s, it was not yet common practice to notify users and customers of vulnerabilities. In the archive of Adobe bulletins and advisories, which includes Macromedia-era data, the first entry about a Flash Player vulnerability appears in 2002. MITRE’s CVE database lists more than 1100 vulnerabilities related to Adobe Flash Player.
The first arbitrary code execution (ACE) vulnerabilities in this database also date back to 2002. An attacker could send an Adobe Flash file to the victim, which, when played, runed malicious code. Some of these vulnerabilities had a maximum CVSS score of 10.0 (according to unverified sources, there were more than 800 ACE vulnerabilities in all Flash Player versions). Such vulnerabilities were easy to exploit, it often required little or no action from the user. Suffice it to lure the victim to a website with a malicious Adobe Flash object embedded in it. Some attacks compromised ad distribution systems, causing malicious content to suddenly appear on websites visited by millions of users.
Not for nothing have we been stressing that Flash objects are essentially programs that get delivered to the user’s machine and executed there. A consequence of the wide-ranging capabilities of the technology was the emergence of countless loopholes through which attackers could gain complete control over a computer. Already by 2005, Flash was the most popular technology for running web applications.
Not a problem, we think in 2022. Just deliver an update to all users. But automatic Flash Player updates appeared only toward the end of the technology’s life — they simply didn’t exist in the 2000s. Back then, you had to go to the Adobe website, download the new version, and manually install it. Some users weren’t even aware they had a version of Flash Player that needed updating. The 2006 vulnerability was also flagged (along with three others) in a Microsoft bulletin, because Adobe code could be distributed with Windows XP. Microsoft itself handled updates for it, and its process for delivering and installing patches was likewise less than ideal.
Just how bad the update delivery situation was is evident from a Kaspersky report from 2012. That year, Adobe Flash Player was already the leader by number of vulnerabilities found on users’ computers. By then, a system was in place to notify Flash Player users of available updates, as well as to track how quickly they were installed. With each discovered security hole, the share of vulnerable users grew and grew (peaking at 60% in 2012!), before declining with each new patch. The update distribution process, at least for most users, took from three weeks to two months — eons by today’s standards. It was worst of all for users of very old versions, who didn’t even receive update reminders; throughout 2012 their share was about 10%.
Let’s take a look at another Kaspersky report, this time from 2015. It lists 13 new vulnerabilities in Flash Player, which were known to be used (along with others that were old but still live) in so-called exploit packs — kits containing multiple exploits for attacking vulnerabilities in software on users’ computers one by one until a breakthrough is made. Most of the actual attacks on users were carried out through the browser (62%), with the most common cause, according to Kaspersky experts, being a Flash vulnerability. Flash was eventually toppled as the main source of threats by another popular plug-in technology, Java, which was used, for example, in early online banking systems.
By the mid-2010s, Adobe Flash was already seen as obsolete. Perhaps the first high-profile statement against Flash was the open letter “Thoughts on Flash” by Apple founder and CEO Steve Jobs. After going through permanent crises in the nineties, by 2010 Apple was sitting pretty: in 2007 the first iPhone was released, followed in 2010 by the first iPad, which, unlike the 1993 tablets, was successful. The iPhone initially lacked many of the features found in other smartphones. In particular, it didn’t support Flash, and so couldn’t display sites that used the technology. In the late 2000s, this was a serious argument in favor of Nokia’s Symbian smartphones and early Android devices, which did have Flash support.
There were other arguments, too. In contrast to desktop computers, code for smartphones must be as streamlined as possible so as not to eat up the battery. Streamlining Flash, which didn’t even support GPU acceleration back then, was as good as impossible. Even if Adobe had made a great version of the Flash Player, the performance of Flash applications would have depended on the individual developers — of which there were many thousands. And the control-freak Apple wasn’t able to countenance this.
Other tech companies, too, didn’t want to depend on a competitor’s proprietary software. The normal way that market players interact is though collaboration on an open standard. But that still required everyone to accept this standard! And this wasn’t easy. Some tried to replicate the success of Flash and create their own proprietary format. In particular, Microsoft decided in 2007 to develop its own “improved Flash” called Silverlight, but — fortunately — it didn’t catch on.
In 2015, Wired magazine published an article tellingly titled “Flash. Must. Die.” It describes the attempts of various industry players to deal with the “one big vulnerability” that goes by the name of Adobe Flash Player. That same year, the developers of the Firefox browser disabled the plug-in for playing Flash content by default. Chrome stated it would disable “unimportant” Flash content on websites (read: video banners that seriously strain the system). Alex Stamos, then chief security officer of Facebook, suggested setting a final date by which to pull support for this legacy technology. Facebook itself at that moment was still using Flash to play videos. The open standard HTML5 was indeed in position to replace Flash as the universal tool for building content-heavy interactive websites. But getting rid of such a huge legacy overnight was simply impossible. Ad networks depended on Flash — as did users of old computers with old browsers and developers of sites with a large content library.
Only in July 2017 did Adobe announce it was ceasing development and ending support for Flash, but with a generous transitional period of three years. Almost immediately, all popular browsers began to run Flash content only when requested by the user. Finally, on January 12, 2021 — 25 years after the release of Macromedia Flash Player 1.0 and 13 years after the discovery of the first supercritical vulnerability in the software — user-side support for Flash was discontinued. After today, modern browsers no longer play Flash content even if you want it and have Flash Player installed, and the latest version even blocks it from running.
However, the Flash era isn’t over yet. Forty days after Flash was pulled, we published a review of the then-current situation regarding the technology. Some corporate applications, it turned out, were still tied to it and no longer being updated. In particular, the technology is still widely used in China. Some companies unwilling or unable to part with Flash are even ready to create custom browsers that support it. We can only hope they know what they’re doing. At the very least, don’t use such browsers on computers without a high-quality security solution.
Flash is also of interest to web archivists: with the passing of the technology, much of the creative output of tens of thousands of people has become inaccessible.
No one’s fault — almost
It’s entirely understandable why Adobe was so slow to announce the end of life of Adobe Flash. Support for the technology on the vast majority of consumer PCs meant high sales of content development tools. Starting 2013, the company was able to adapt this part of the technology for the modern world: the still-active Adobe AIR lets you develop applications for Windows, Mac OS, Android and iOS. It’s essentially the direct successor to Adobe Flash, supporting both the company’s proprietary technologies and open-source technologies such as HTML5.
That’s not to say that Adobe developed Flash in a particularly poor way. The technology was cursed by its own popularity, and also by the development principles of the 1990s. Adobe Flash Player had full access to the computer’s resources, and any major coding error had equally major consequences. A prime example was the bug in the player that allowed any site to access the user’s webcam. Dealing with such a legacy — old code insecure by design — is no simple task. Fixing is also tricky: any optimization or security technology jeopardizes compatibility with millions of Flash applications on thousands of websites.
Not that Adobe didn’t try. After the discovery of the first 10.0 vulnerability in 2008, Adobe patched dozens of critical vulnerabilities in Flash Player every year up until 2011. But it seems that adapting Flash to the evolving ideas about internet security was a bridge too far. Today’s browsers don’t require any plug-ins at all to display almost any online content. This means that the browser developer alone is responsible for the user’s safe browsing, and no one else.
Everything downloaded from the web is now considered unsafe by definition, so browser makers go to great lengths to isolate websites from each other and from other programs on the device — be it a computer, smartphone or tablet. They’re clearly doing a good job, but, alas, cybercriminals are also improving their tools. In Google Chrome in 2022 alone, six zero-day vulnerabilities have been discovered that have already been used in attacks. Sure, that’s fewer than the 15 Adobe Flash Player vulnerabilities exploited by cybercriminals in 2015, but the difference isn’t huge.
Let’s end on a positive note: Adobe Flash played a major role in shaping the web as we now know it. It transformed websites from a dull collection of text-based pages into something, well, flashier. Flash helped realize the dream of a virtual universe, as envisioned by 1990s sci-fi books and movies. For some, website design in the 2000s was too gaudy, too brassy, too in-your-face. Over the following decade, the general style of sites and applications mellowed, while the internet itself became an indispensable part of modern life. Adobe Flash was instrumental throughout this period — the so-called romantic age of the internet. It may have been rough around the edges, prone to spilling your data through a careless click, but it will always remains an essential part of the early history of the web.