Adobe Flash: kill it now
It’s time to put Flash out of our misery once and for all. And, thanks to Google, it may finally happen
Some programs – cough Windows, cough – are full of security bugs, but they’re so popular that we can’t get rid of them. That is why Adobe Flash continues to be widely used. But it could be that the end is near, at last for the bugridden multimedia platform.
Flash, of course, though widely used is also vehemently hated in some quarters. Steve Jobs famously trashed it twice. First, in 2008, he said that Flash for desktops and notebooks “performs too slow to be useful” on the iPhone, and the mobile version “is not capable of being used with the web”. Then, far more famously, in 2010, he declared that Flash wasn’t good enough for iPhones and he wouldn’t have it in his devices.
He was far from the only hater, but it didn’t do any good. Today, you can run Flash on iOS using third-party programs such as the Puffin Web browser to get your Flash fix.
It’s no secret that when it comes to security, Flash leaks like a sieve. And while that cliché is appropriate, it doesn’t capture the magnitude of the problem. We’re all techies here; let’s look at some hard numbers. Colleague Michael Horowitz counted up Flash’s bugs through mid-May for 2015. Take a guess how many he found. Give up? He discovered 78.
And has a chagrined Adobe done much better since then? Not on your life. Since then, 86 more bugs have been found. That’s 164 all together, which means a bug was being discovered every day-and-a-half, on average, or one bug every day for the fiveday business week. That’s got to be some kind of record, though not one that anyone will want to match anytime soon.
If you’re an Adobe Flash programmer, this is all great news; you’ve got excellent job security as long as advertisers and websites continue to use Flash. If you’re anyone else, there’s nothing great about it.
Flash’s days numbered
You might find that hard to believe if you have any idea how much it is still being used. When I browse the internet with Google Chrome, I block Adobe Flash content automatically, so instead of Flash content, I see grey boxes. And I see them everywhere. There are few sites I visit that don’t have Flash-based ads. According to Ad Age, which should know, 84 percent of banner ads are still built from Flash.
People are also still playing Flash games. Jerome Segura, senior security researcher at Malwarebytes Labs, says that developers are still using it. “There are people in the gaming industry who are still very attached to Flash,” he says.
And while YouTube dropped Flash for HTML5-based video in January 2015, many other video sites still use it. Last, but oh I how wish this were least, some websites’ user interfaces are still written in Flash.
First, Mozilla began blocking all versions of Flash Player from running automatically in Firefox in mid-July. Then Facebook admitted in an SEC 10-Q that Flash vulnerabilities are affecting its “ability to generate Payments revenue.” This prompted fed-up Facebook chief security officer Alex Stamos to tweet, ”It is time for Adobe to announce the endof-life date for Flash and to ask the browsers to set killbits on the same day.”
Then, on 27 August the grumbling about Flash got serious. Google announced in its AdWords Google+ page that: “Chrome will begin pausing many Flash ads by default to improve performance for users. This change is scheduled to start rolling out on September 1, 2015.”
That means all those splashy video Flash ads will stop in their tracks. That’s no way to impress the punters. Google will automatically translate some of these ads into HTML5 video. But some ads won’t convert. The only way you can tell beforehand is to test the ads with Google’s Swiffy extension. If your ads don’t come over – well, Google suggests you get cracking in creating HTML5 ads.
This move is going to be the real Flash killer. Google AdWords accounts for about two out of three ads seen on the web. If vendors can’t reach their customers with Flash ads, they’re going to abandon it.
Flash is finally coming to the end of the road. Adobe has no-one to blame but itself for this. Flash is almost 20 years old, and still a month doesn’t go by without a serious security problem. That’s why I seriously doubt it will live to see its 21st birthday.