Google is planning to place restrictions on, and eventually block, most Flash content in its Chrome browser by the end of this year, reports The Verge. Users visiting websites running Flash will soon be prompted with an option to enable Flash; if enabled, Chrome will save that site for future visits.
Chrome is also planning to enable Flash by default on only the “top 10 domains” for a period of one year. These sites include YouTube, Facebook, Yahoo, Twitch, and Amazon, among others. After the one-year period, Flash will be blocked by default on all these sites as well.
Additionally, Chrome will offer an option to run backup HTML5 players on sites with Flash. Google has also encouraged developers to shift to using more HTML5 tools while creating content. In a similar move, Google said that it would stop accepting ads built on Flash for AdWords by July 2016, and that by January 2017 AdWords will stop displaying ads running Flash formats. It instead notified developers to shift towards ads created using HTML5 tools.
Google restricts Flash to reduce power consumption
In July last year, in order to reduce power consumption, Google started “intelligently pausing Flash content that were not central to the webpage, while keeping central content (like a video) playing without interruption”. If Google accidentally pauses something that you were watching, you could click it to resume playback.
Flash is riddled with security concerns
In July 2015, Mozilla’s Firefox browser started blocking all versions of Adobe’s Flash plugin, citing active attacks on Flash by hackers. In May 2015, a report in The Register showed Adobe pushing security updates for at least 25 vulnerabilities in Flash Player on Windows, OS X, and Linux. The report added that Microsoft and Google were also pushing out custom Flash Player updates for IE11, Edge and Chrome.
There is more. CVE Details, a website that records vulnerability patches, shows that Adobe has released patch updates for more than 100 different Common Vulnerabilities and Exposures (CVEs) for its Flash Player this year alone. The site’s list also suggests that in this month (May 2016), 25 different CVEs were identified and addressed by an Adobe security update.
User data and PCs are at risk
Some of the CVEs allowed attackers to remotely execute arbitrary code to cause a denial-of-service attack, or fill up memory to eventually crash your browser or plugin. One particular CVE identified by Adobe could, if successfully exploited, potentially allow an attacker to take control of the affected system. A Guardian report claimed that a hacking group was able to take over victims’ computers through this CVE and publicly leak over 400GB of data through a BitTorrent file.
Shift towards HTML5 tools
Google is not alone in the push towards HTML5. In November 2015, Adobe started rebranding Flash-centric software like Flash Professional CC to “Animate” CC, which uses HTML5 open standard tools for creating 2D and 3D animation. However, Animate CC also has an option to switch to the Flash standard.
In a different update in the same month, Adobe stopped pushing updates for Flash plugins in mobile browsers, but continued to issue security updates and bug fixes. At that time, Adobe also urged developers to start migrating to HTML5 tools.
Flash-centric websites are dropping