Adobe Flash is probably the biggest reason for the pervasiveness of active content on the Internet. But the whole world has known for years that the Adobe Flash browser plugin is a dangerous piece of software, and yet it is still used widely. I have been trying to run my systems without it, but I frequently run into situations where I still need it.
I was, at first, heartened by the news that Google would banish Flash ads on their ad network in 2017. Then it clicked with me that I don't really care if ads work or not. I don't mean to disparage web advertising, as it makes almost all of your free content, this column included, possible. But Google is right to use their muscle to push advertisers off the problematic and unnecessary platform.
First, a little clarity: It's important to distinguish between Flash and the plugin. Flash is a way of writing multimedia software that is in wide use all over. A very large number of mobile apps are written with it. The problem comes when delivering Flash content over the web, something which requires a browser plugin. Once enabled, malicious Flash content, generally relying on vulnerabilities in older versions of the plugin, can wreak havoc on the user's system.
From the beginning, Apple forbade the Flash plugin on iOS. This was a heavy-handed move but, as with Google forcing advertisers off of Flash, heavy-handed in the very best sense of the term. Because of controls like this, iOS is a basically malware-free environment.
The major browsers (no, not Safari) all bundle the Flash player, as users are better about updating browsers than their plugins. Browsers, in fact, can effectively force updates. This has been a good thing, and I only run current browsers, but I still don't want Flash if I don't have to run it. Luckily, the major browsers also all allow you to disable Flash. So I turn it on only when I need to do something that requires it.
Some of this is entertainment, like a lot of Major League Baseball content. But mostly it's webinar and conferencing software. Some examples: ReadyTalk, Adobe Connect (big surprise), and ON24. I can understand why they don't want to disrupt a very large system that's working, especially as Flash makes it easier to maintain common code between the web interface and any mobile apps.
From their point of view it's a real problem. Is the future in native apps, in which case Flash is a good choice for them, or in HTML and standardized interfaces, in which case they need to rethink their approach? Wherever the future is headed (personally, I think it's HTML and standardized methods), it can't possibly involve browser plugins, can it? Really, can it?
My strategy has been to enable Flash only in one browser, Firefox, and leave it disabled in the others. I generally only use Firefox when I need Flash, and so Flash is disabled for the large majority of my web surfing, which is largely in Chrome.
It's possible I'm overreacting. I suspect that Flash-based attacks using zero-day vulnerabilities in current versions of browsers are a rare thing and I should just leave it enabled. But Google is right: We've got to sideline the older, more vulnerable technologies of the past, and I'm just doing my own little quixotic part.