Senator Urges Federal Agencies to Ditch Adobe Flash
28.7.18 securityweek BigBrothers
United States Senator Ron Wyden on Wednesday sent a letter to national agencies demanding a collaboration on ending the government use of Adobe Flash.
Set to reach an end-of-life status in 2020, Adobe’s Flash Player is continually plagued by critical vulnerabilities. Two zero-days in the software were patched this year alone, but not before threat actors had exploited them in targeted attacks.
Immediately after Adobe announced plans to kill-off the plugin a year ago, Apple, Facebook, Google, Microsoft and Mozilla outlined plans to completely remove support for Flash from their products as well.
Sent to National Institute of Standards and Technology (NIST) Director Walter G. Copan, National Security Agency Director General Paul M. Nakasone, and Department of Homeland Security Secretary Kirstjen Nielsen, Senator Wyden’s letter (PDF) requests the end of government use of Flash by August 2019.
Senator Wyden cites not only the looming end of technical support for Flash, but also the inherited security vulnerabilities in the plugin as the main reason to dispose of it.
“Flash is widely acknowledged by technical experts to be plagued by serious, largely unfixable cybersecurity issues that could allow attackers to completely take control of a visitor’s computer, reaching deep into their digital life,” the letter reads.
The United States Computer Emergency Readiness Team (US-CERT) has warned about the risks of using Flash nearly a decade ago, the letter also reads.
“The U.S. government should begin transitioning away from Flash immediately, before it is abandoned in 2020,” Senator Wyden says. He also noted that the federal government has previously failed to transition from decommissioned software, as was the case with Windows XP, which cost millions for premium support after its end-of-life in 2014.
The three agencies, he says, provide the majority of cybersecurity guidance to government agencies, so they should ensure that federal workers are protected from cyber threat.
“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming – the government must act to prevent the security risk posed by Flash from reaching catastrophic levels,” the letter reads.
The Senator asks NIST, NSA, and DHS to mandate that no new Flash-based content should be deployed on federal websites within 60 days and that all Flash-based content should be removed from the federal websites by August 1, 2019.
Flash should also be removed from the agencies’ employees’ computers by that date, Wyden said.