Adobe Flash: Kill it now

31.08.2015
Some programs — cough Windows cough — are full of security bugs, but they’re so popular we can’t get rid of them. That is why Adobe Flash continues to be widely used. But it could be that the end is near at last for the bug-ridden multimedia platform.

Flash, of course, though widely used, is also vehemently hated in some quarters. Steve Jobs famously trashed Flash twice. First, in 2008, he said that Flash for desktops and notebooks “performs too slow to be useful” on the iPhone, and the mobile version “is not capable of being used with the Web.” Then, far more famously, in 2010, he declared that Flash wasn’t good enough for iPhones and he wouldn’t have it in his devices.

He was far from the only hater, but it didn’t do any good. Today, you can still run Flash on iOS using third-party programs like the Puffin Web browser to get your Flash fix.

It’s no secret that when it comes to security, Flash leaks like a sieve. And while that cliche is appropriate, it doesn’t capture the magnitude of the problem. We’re all techies here; let’s look at some hard numbers. Computerworld’s Michael Horowitz counted up Flash’s bugs through mid-May for 2015. Take a guess how many he found. I’ll wait.

Give up He found 78 Flash bugs in the first five months of the year.

And has a chagrined Adobe done much better since then Not on your life. In the last three months alone, 86 more Flash bugs have been found. That’s 164 all together, which means a bug was being discovered every day and a half, on average, or one bug every day for the five-day business week.

That’s got to be some kind of record — but not one that anyone will want to match anytime soon.

If you’re an Adobe Flash programmer, this is all great news; you’ve got excellent job security as long as advertisers and websites continue to use Flash. If you’re anyone else, there’s nothing great about it.

But Flash’s days may be numbered.

You might find that hard to believe if you have any idea how much Flash is still being used. When I browse the Web with Google Chrome, I block Adobe Flash content automatically, so instead of Flash content, I see gray boxes. And I see them everywhere. There are few sites I visit that don’t have Flash-based ads. According to Ad Age, who should know, 84% of banner ads are still built from Flash.

People are also still playing Flash games. Jerome Segura, senior security researcher at Malwarebytes Labs, says that developers are still using Flash for games. “There are people in the gaming industry who are still very attached to Flash,” he says.

And while YouTube dropped Flash for HTML5-based video in January 2015, many other video sites still use Flash. Last, but oh I how wish this were least, some websites’ user interfaces are still written in Flash. Oh, the humanity!

But Web companies have had enough.

First, Mozilla began blocking all versions of Flash Player from running automatically in Firefox in mid July. Then Facebook admitted in an SEC 10-Q that Flash vulnerabilities are affecting its “ability to generate Payments revenue.” This prompted fed-up Facebook chief security officer Alex Stamos to tweet, “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.”

You think

Then, on Aug. 27, the grumbling about Flash got serious. Google announced in its AdWords Google+ page that “Chrome will begin pausing many Flash ads by default to improve performance for users. This change is scheduled to start rolling out on September 1, 2015.”

That means all those splashy video Flash ads will stop in their tracks. That’s no way to impress the punters.

Google will automatically translate some of these ads into HTML5 video. But some ads won’t convert. The only way you can tell beforehand is to test the ads with Google’s Swiffy. If your ads don’t come over — well, Google suggests you get cracking in creating HTML5 ads.

Yikes! Sept. 1 is tomorrow. Sorry I didn’t warn you sooner, but you really should have been paying attention.

This move is going to be the real Flash killer. Google AdWords accounts for about two out of three ads seen on the U.S. Web. If vendors can’t reach their customers with Flash ads, they’re going to abandon Flash in a jiffy.

Flash is finally coming to the end of its road. Adobe has no one to blame but itself for this. Flash is almost 20 years old, and still a month doesn’t go by without a serious security problem. That’s why I seriously doubt it will live to see its 21st birthday.

(www.computerworld.com)

Steven J. Vaughan-Nichols