As part of the upcoming Spring 2017 Windows 10 Creators Update, Microsoft has announced that it is extending the existing ‘click to run’ rule for Flash ads in the Edge browser to all Flash content in Edge. Especially in enterprise IT, where I work, this is a great move, as Flash has increasingly become a regular source of zero-day exploits and vulnerabilities. The rate of vulnerabilities is best seen in the rate of updates: Flash originated with version 1.0 in 1997 and marched on toward version 11.8 by 2013, roughly a major version every 18 months. Compare that against 2013 through today, where Flash Player is now on major version 23: more than three major version numbers per year, all addressing critical vulnerabilities.
With this update to Edge, sites that have already been developed with replacement content in HTML5 will load that content by default, offering a faster browsing experience that is also expected to be more mobile friendly and battery friendly. For all other content offered only via Flash, “click to run” will be the default and will need to be toggled off via advanced options (if at all) by the end user.
In similar news, Google announced back in August that the same restrictions on Flash content would be fully implemented by Chrome version 56, expected in February 2017.
The hope from the enterprise IT perspective is that these changes will allow our environments to shift away from Flash being a default application on all workstations, deployed via image or tools like SCCM, to an on-demand install only for users who demonstrate the need for Flash Player, which reduces the security risk footprint.