Adobe has recently announced its plans to rebrand Flash as Animate, but some feel it’s little more than a name change when it comes to security.
According to Rich Lee, Sr. Product Marketing Manager at Adobe Systems, the change to Animate positions Adobe to more fully respond to the fact that more than a third of all content created in Flash Professional uses HTML5.
“For nearly two decades, Flash Professional has been the standard for producing rich animations on the web,” observes Lee in a blog post. “Because of the emergence of HTML5 and demand for animations that leverage web standards, we completely rewrote the tool over the past few years to incorporate native HTML5 Canvas and WebGL support. To more accurately represent its position as the premier animation tool for the web and beyond, Flash Professional will be renamed Adobe Animate CC, starting with the next release in early 2016.”
Animate will boast a host of new features, including the ability to rotate a canvas 360 degrees, improved pencils and brushes, and enhanced syncing and output options.
However, contrary to Lee’s position, some in the industry feel that the move from Flash to Animate constitutes little more than a name change, especially when it comes to security.
“What [Animate] won’t do… is fix the various security problems that have plagued Flash for years,” writes Brian Barrett of WIRED magazine. “Flash the platform has a new name, but Flash the development tool lives on.”
Barrett is right. As an official press release reveals, Adobe does not have any plans to retire Flash immediately. Instead it plans to work with Microsoft, Google, and other partners in improving the security and compatibility of Flash content. It also intends to expand Flash-enabled gaming on Facebook.
“The key message is this is not going away any time soon,” Mike Hanley, program manager R&D and Duo Security, told Threatpost. “At best, this is a recognition that there is a future where Flash will no longer be a dominant platform on the web, but with no clear timeline or planned deprecation schedule, many legacy applications and web content will continue to rely on historically problematic platforms like Flash to get the broadest possible adoption for years to come.”
Google has all ready collaborated with Adobe in introducing exploit mitigations into Flash Player. Even so, zero-days continue to pop up in the software.
With this in mind, Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposure Research TEAM (VERT), feels that Flash will continue to appeal to attackers for the foreseeable future:
“My expectation is that there will be a large Flash install base for many years to come and as such it will continue to be a thorn in endpoint security,” Young said. “I do expect that some sites and services will quickly replace Flash with HTML5 content, but Flash itself will remain a viable attack vector for as long as popular web browsers continue to support it.”