News
Microsoft To Add Flash Blocking in Windows 10 Creators Update
Microsoft announced plans this week to further ease the use of the Adobe Flash Player in Windows 10.
In future Windows 10 operating systems releases, Microsoft will provide users with the means to block Flash use. They'll get a dialog box when visiting Web sites that will offer choices on whether to block or use Flash. The changes Microsoft will be making will be similar to "updates coming from our friends at Apple, Mozilla, and Google," Microsoft explained, in an announcement.
One difference with Microsoft's approach, though, is that users will be able to use Flash, if wanted, "for any site they visit." Microsoft currently includes Flash in Windows, but it's not part of the long-term picture, at least for use with the Microsoft Edge browser. In April, the Microsoft Edge team stated that "we are planning for and look forward to a future where Flash is no longer necessary as a default experience in Microsoft Edge."
Microsoft's announcement urged Web site developers to move toward using Flash alternatives "in the coming months." They can use "mechanisms like JavaScript and HTML5 Encrypted Media Extensions, Media Source Extensions, Canvas, Web Audio, and RTC" in their content, Microsoft suggested.
No exact timeline was indicated, but Microsoft's announcement suggested that it would evolve the Flash user notification approach with subsequent Windows 10 releases. The target for its appearance will be the Windows 10 "creators update," which is planned for arrival in the spring of 2017 (rumored for a March release).
Flash is seen as security target, at least in the cases where it wasn't kept updated. It's also considered to be a battery hog for mobile devices since Flash powers ads on Web sites. The Microsoft Edge browser is already automatically pausing Flash ad content that's deemed nonessential, which kicked off with the Windows 10 anniversary update release.
Ironically, Flash exploits have declined, year over year, according to the latest Microsoft Security Intelligence Report, which covers the first half of 2016. Â
"Fewer zero-day Flash Player exploits were discovered in 1H16 than during comparable periods in 2015, and fewer post-update exploits were incorporated into exploit kits," Microsoft's SIR report stated.
The report attributed the decline to Adobe's latest exploit mitigations, as well as the use of "Control Flow Guard technology in Windows 10, which makes memory corruption vulnerabilities harder to exploit."
However, the Adobe Flash Player was exploited in early May by the Promethium and Neodymium activity groups. These groups used a zero-day Flash flaw to target individuals, mostly in Europe. The Promethium group delivered malicious links in instant messaging software, while the Neodymium group used phishing campaigns and e-mail attachments, according to Microsoft.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.