Flash ads are terrible. Along with being memory hogs and crashing people’s browsers, they also allow hackers to send malicious code to computers by hijacking ads, something Yahoo is now dealing with after an attack was discovered by Malwarebytes.
Malwarebytes, creators of an anti-malware program that is designed to root out what anti-virus and anti-spyware programs miss, discovered a giant malware injection campaign that was affecting nearly all of Yahoo’s sites, including the main, news and sports pages. The Angler Exploit Kit was used to take advantage of what are apparently gaping holes in Flash Player’s security.
Individuals who clicked on ads were redirected to websites filled with malware or ransomware, which requires that people pay to get rid of whatever horrible thing is happening to their computer. Since Yahoo attracts an audience of 6.9 billion every month, this is the largest malware attack discovered so far.
A security researcher with Malwarebytes, Jérôme Segura, told the New York Times:
Right now, the bad guys are really enjoying this. Flash for them was a godsend.
Flash is generally terrible
Okay, so, Yahoo just had a no good, very bad day, but does that mean that Flash is awful? Well, on its own, no. But there’s a lot more to the clustersuck that Flash ads are. To begin with, they don’t really work very well on mobile, which is where most people are going. Marketing Dive covered a study that shows that:
…98.6% of Flash impressions defaulted to a static image instead of delivering the rich media ad, whereas only 8.3% of HTML5 ads defaulted.
That’s… bad. That’s really, really bad. Further, Freedman International showed a head-to-head comparison of Flash to HTML5, and Flash basically falls down on every point – except how widely used it is. It’s worth a read, but the article basically says that HTML5 is faster loading, works on more devices, and is more dynamic and adaptable than Flash. And, you know, not the go-to for hackers.
Google is leading the charge in getting people to start using HTML5, not only by automatically converting Flash ads to HTML5 whenever possible but also by designing the newest version of Chrome (still currently in Beta) to disable Flash ads by default. Mozilla has gotten so tired of Flash’s security failures that the head of the Firefox support team recently announced via Twitter that Firefox is blocking it by default.
— Mark Schmidt (@MarkSchmidty) July 14, 2015
Because we’ve always done it that way
So, there’s a huge amount of evidence that Flash ads are about as effective as a glass hammer. However, ad companies are still using them, and frequently. Why?! My guess is it’s somewhere in the ballpark of “that’s what we’re told to do” / “that’s what we’ve always done.”
In Think Like A Freak, the authors – Steven D. Levitt and Stephen J. Dubner – talked to an ad agency where they were trying to find out how effective ads in Sunday papers were. When the book’s authors suggested that they black out certain areas for a while and compare sales numbers against periods when ads were run and against other areas where ads were still running, the company representatives were aghast. They’d be fired! You can’t do that!
It turned out that due to an error on the part of an intern, there had been a blackout in Pittsburgh for several weeks. When they checked the numbers, sales were unchanged – so again, the authors urged them to run the blackout test. Same answer. They’d be fired.
According to Levitt and Dubner:
To this day, on every single Sunday in every single market, this company still buys newspaper advertising—even though the only real piece of feedback they ever got is that the ads don’t work.
The only reason I can think of that large swathes of advertising are still done in a format that, if you’re lucky, merely doesn’t work well is that it’s how it’s always been done. All I can suggest to people who use Flash ads is: don’t.