Browser plug-in components such as Flash aren’t there to improve security in your browser, but rather to add more features and process more types of file.
So, the best result from a security point of view is “nothing”, while the worst is “crooks have more ways to attack and install malware.”
The problem with Flash is that it became so widespread that crooks focused on it, finding bug after bug that they could exploit because the rewards from drive-by malware installs were so big.
At the same time, Flash has become less and less necessary, to the point that few websites these days truly require it. (Just ask any iPhone or Android user – neither platform uses Flash at all.)
So, why not get rid of Flash altogether? Uninstall it or turn it off completely?
Many users have done just that, without regret; others prefer a more granular approach.
So far, Microsoft Edge has taken what amounts to an on-or-off approach, but Microsoft just announced that it will take a more nuanced attitude in the future.
Microsoft is introducing an Edge feature that will make future versions of the browser a bit more like Safari, which lets you have Flash off for the most part, yet turned on for specific sites, either always on or in “click-to-play” mode where you’ll be asked every time.
If Microsoft had said it was dropping Flash entirely, like iOS notoriously did, we’d have cheered out loud…
…but we also know lots of people who won’t get rid of it because they prefer it or need it for some sites, so we’re still happy to hear about this new Edge feature.
If we can get more people to block Flash on more sites, instead of leaving it turned on everywhere just so that it’s turned on somewhere, we’ll all be better off.
Nevertheless, I’ll still suggest trying to live without Flash altogether – for a while, perhaps, say for a month.
You may find that your digital lifestyle is inconvenienced very little – and in return you will inconvenience the cybercriminals enormously.
That’s not meant as an indictment of Adobe, or a direct criticism of Flash, but simply a reminder that when it comes to attack surface area – the amount of software you have that is directly exposed to hostile content – then less is definitely more.