Sen. Ron Wyden has called on federal agencies to stop using Adobe Flash, multimedia software that has consistently proven vulnerable over the years.
Adobe will stop providing security updates for Flash in 2020, and Wyden, D-Ore., wants agencies charged with issuing federal cybersecurity guidance to get Flash off government systems before then.
“At that point, Flash’s existing cybersecurity risks will only be compounded,” Wyden wrote in a July 25 letter to the heads of the Department of Homeland Security, National Security Agency, and National Institute of Standards and Technology. “The federal government has too often failed to promptly transition away from software that has been decommissioned.”
The missive asks DHS, NIST, and the NSA to work together to produce a policy, effective within 60 days of its issuance, that bans the use of new Flash-based content on federal websites.
Wyden wants agencies not just to refrain from deploying Flash but also to remove existing Flash-based content from their websites by August 1, 2019. To that end, Wyden asked DHS to “promptly expand the routine cyber-hygiene scans” it does of agency assets to include Flash content. He also called for the letter’s recipients to help produce an inventory of Flash content on each agency’s website, along with guidance to eradicate it.
Further, Wyden is proposing that agencies clear their desktops of Flash, starting with a “small number” of them via a pilot, and then all agency desktops by August 1, 2019.
“A critical deadline is looming,” Wyden wrote, referring to the end of technical support for Flash in 2020, and “the government must act to prevent the security risk posed by Flash from reaching catastrophic levels.”
Flash’s history of more than two decades has been plagued by vulnerabilities, and popular web browsers’ abandonment of the software in recent years has hastened its demise.
Flash accounted for eight of the 10 vulnerabilities used in exploit kits over nine months in 2015, according to cybersecurity company Recorded Future. In May 2018, security researchers disclosed a vulnerability that they deemed a high risk to large and medium-size government organizations.