The Mac Security Blog

The History of Adobe Flash Player: From Multimedia to Malware

Posted on December 29th, 2020 by

If you were an early adopter of the internet, you remember how the height of multimedia was the "blink" tag, which made text on a page flash. In order to go beyond the text and static image limitations of early web pages, a number of companies began developing tools to display rich multimedia content on the web, and the platform that became dominant was Adobe’s Flash.

Flash had the advantage of being lightweight, and, with a browser plugin, could run on multiple operating systems. But it was also a security nightmare, presenting vulnerabilities that were regularly exploited by malware creators. Its need for regular – sometimes weekly – updates meant that users were sensitized to the need to frequently update their plugins. This worry was exploited, and eventually made fake Flash Player installers the leading vector for malware on the Mac.

Adobe has officially ended support for Flash on December 31, 2020. Here’s a look back at the checkered history of this multimedia and malware platform.

Early days

In the early 1990s, multimedia tools, such as Macromedia Director/Shockwave or Apple’s HyperCard, allowed multimedia content to be used in apps distributed on CD-ROMs. They were the basis for some of the earliest interactive software and games, such as the Encarta encyclopedia, Silly Noisy House, and Myst. But the growth of the internet in the mid-1990s meant that tools were needed to provide similar content in web browsers. Bandwidth was a fraction of what people have today, so any such platform needed to be lithe and rapid.

FutureWave Software, co-founded by Charlie Jackson and Jonathan Gay in 1993, first worked on some drawing software, but then changed direction to develop a vector-based animation tool to compete with Macromedia Shockwave. Vector-based animations use much less data than bitmap animations, since the data only needs to describe the relationship between points, along with colors and other data.

The company released FutureSplash Animator in May 1996. The software was adopted by a number of major websites, such as MSN and a Disney website, and in December of that year, Macromedia bought the company and rebranded the software as Macromedia Flash.

Flash was the leading multimedia software for several years, and in 2000, ActionScript, an object-oriented programming language inspired by Apple’s HyperTalk, was added to the Flash platform. This allowed developers to script actions rather than animate them, enhancing the types of content available, to include web games and streaming media.

Flash becomes dominant

In 2005, Adobe purchased Macromedia, and added Flash to its Creative Suite. This corresponded with the growth of video content on the web, and Flash was an easy way to embed video and play it back on web pages, since it depended on a simple plugin. Around that time, three former PayPal employees launched a startup called YouTube, and they adopted Flash as the technology for displaying videos on their website.

Since HTML did not have direct support for video content, and since there were a variety of codecs (software used to encode and decode video content), having a single browser plug-in made it easy for anyone to download this free software and view videos. Suddenly, anyone on a Mac or Windows PC could watch videos – albeit in very low resolution, compared to today – in their browser.

Flash was the dominant platform for displaying multimedia content on the web. When Apple was developing the iPhone, the company worked with Adobe in the hopes of using Flash on the device, but the performance was insufficient. Adobe had a Flash Lite platform, designed for mobile devices, but it didn’t work well enough with mobile processors, particularly because of its battery usage, so Flash was not offered on the iPhone.

The slow demise of Flash

It’s taken a long time, but it’s clear that the 2007 release of the iPhone marked the inflection point for Flash. Since the iPhone didn’t support Flash, YouTube developed technology to display its videos, in an app, without Flash.

In 2010, Steve Jobs penned his Thoughts on Flash open letter, pointing out the many reasons why the company wouldn’t allow Flash on the iPhone. These included reliability, security, performance, and especially battery life. With Flash unable to be on the soon-to-be-dominant mobile device, there was no future for the software. Since it was intended to be a "write once, run anywhere" platform, and it wouldn’t run on the device that more and more people were using to consume media, it was left behind.

In this letter, Jobs said:

Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now.

From this point on, Flash lost its luster. YouTube began using an experimental version of its website using HTML5 in 2010, and in 2015 switched to that open standard for all its videos.

Flash and security

Because of these many security vulnerabilities, Adobe was required to issue updates to Flash Player often. (See the many posts on the Intego Mac Security Blog about Flash Player security updates.) By 2011, Flash Player was no longer included with Mac OS X, and users had to download it to view Flash content on the web. Many were duped by websites telling them that they needed Flash Player to view content: they would download what they thought were legitimate Flash Player installers, only to find that malware had infected their Macs.

Flashback was a particularly serious Trojan Horse that Intego discovered in 2011. Flashback created a botnet – a network of computers that could be controlled remotely – and it was estimated that it infected 10% of home Macs in 2012, and was still infecting about the same number of Macs in January 2020. This prompted Apple to release a specific Flashback malware removal tool in 2012.

Flash Player updater malware was increasingly common, and became the default way to distribute malware on the Mac. Some of this malware was truly malicious, and some of it was scareware, designed to make Mac users think their computers were compromised, and pay to have them "fixed."

2016 was a particularly busy year. Malware such as OceanLotus, InstallCore, SilverInstaller, and MacDownloader all leveraged fake Flash Player installers that year to infect Macs.

In 2016, because of security vulnerabilities in unpatched versions of the Flash Player plugin, Apple started blocking old versions of Flash Player in its Safari web browser, with the browser displaying a dialog prompting users to download an up-to-date version from the Adobe website.

In 2018, the Shlayer malware surfaced, attacking Macs once again through fake Flash Player installers.

Browser plug-ins in general are problematic. For many years, we had to install and update plug-ins to be able to play certain types of content – remember Real Audio? – rather than have these elements installed natively on our computers. This led to an acceptance of this jury-rigged approach to the web, which has finally been superseded by improved HTML and CSS (Cascading Style Sheets, which describe how web content displays).

The end of Flash

Since Steve Jobs’ screed against Flash Player, it had become accepted that this software was problematic. In 2015, Facebook’s head of security called for its demise, and Mozilla disabled it by default in the Firefox browser. Flash games and videos were so popular on Facebook that even the BBC ran a story about how the company was moving away from the platform, mentioning that they, too, had ported the company’s iPlayer platform to HTML5. A Wired article at the time, Flash. Must. Die., said, "Flash is officially more trouble than it’s worth. Here’s how you can kill it now."

In 2017, Adobe announced that Flash would reach the end of its life on December 31, 2020. This warning, two and a half years before the cutoff date, gave developers plenty of time to change their technologies, but by then, many steps had already been taken to eliminate it. For some time, Google’s Chrome browser contained its own version of Flash, which was part of the browser rather than a plug-in, and security specialists long recommended using Chrome for those users who needed to view Flash content. But in July 2019, even Google turned off Flash by default in the browser.

So the time has come to say goodbye to a tool that allowed us, in the early days of the internet, to play games and view videos. This technology has been superseded by open standards, and switching away from Flash allows users to be much safer when visiting websites. The reliance on open standards means that it’s rare to find audio or video content that is incompatible with your operating system, and you don’t depend on dangerous or outdated software to experience media on your computer.

Farewell, Flash, it was an interesting ride.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.