It's bug-ridden, eternally insecure, and on death row – yet Adobe Flash persists on too many US government webpages.
Now Senator Ron Wyden (D-OR) wants to hear the sound of this deity-forsaken plugin torn from .gov websites, dragged behind a shed, and a single final gunshot.
Regular Reg readers will remember that even Adobe has seen the writing on the wall, and last year set 2020 as the end-of-support date for its beleaguered exploit magnet.
In a letter [PDF] to NIST under-secretary Walter Copan, NSA director and US Cyber Command commander Paul Nakasone, and secretary of Homeland Security Kirstjen Nielsen, Wyden today asked the agencies to learn from Microsoft Windows XP: it's expensive to ask vendors to continue fixing up out-of-support software. In other words, stop relying on it, get rid of it, and replace Flash files with HTML5.
He has the NSA, DHS and NIST in his sights because those three government organizations carry “the majority of cybersecurity guidance” to the rest of Uncle Sam's agencies. Wyden wants government officials to stop creating new Flash content within 60 days, and also asks that:
- Agencies remove Flash content from their websites by August 2019;
- To aid in that effort, the DHS's “routine cyber-hygiene scans” should identify, and list for agencies, all Flash content found; and
- Agencies should pilot removing Flash from staff computers, starting in March 2019, ahead of expunging it by August 1, 2019.
Wyden noted that US-CERT “has warned about the risks of using Flash since 2010” – making it a latecomer: the earliest Flash fsckup we can find in El Reg's archives seems to be this directory traversal horror from 2007.
When the plugin falls out of support, Wyden wrote, “cybersecurity risks will only be compounded.”
We couldn't agree more. Stop using Adobe Flash. ®