The case against Flash
IF you’re a Firefox user, chances are you’ve already seen this warning: “Firefox has prevented the unsafe plugin Adobe Flash from running on the target URL.”
The warning is part of the latest industry backlash against Adobe Flash, software used to play and view animated elements on web pages.
Starting last week, Mozilla began blocking all versions of the Adobe Flash plug-in from automatically playing on Firefox, after the uncovering of new “zero-day” vulnerabilities or flaws in the software that are exploited by malicious hackers before they are patched.
The new flaw was discovered in gigabytes of data and documents stolen from the Italian spyware vendor Hacking Team and released to the public.
The stolen documents showed the Italian company offered software tools to governments that used at least three undocumented flaws in Flash to hack into people’s accounts and take over their computers.
Details of those flaws, now made public, meant they could be used by other hackers and criminals to install malicious software on people’s computers to steal personal details, monitor keystrokes or steal passwords.
Mozilla’s move to disable Flash on its browser came one day after the security chief of Facebook, Alex Stamos, called on Adobe to stop trying to improve Flash and kill it off once and for all.
“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” he said on his Twitter account.
Security firms such as Symantec and Trend Micro also urged users to disable Flash.
The latest revelations about vulnerabilities in Flash also triggered calls among industry watchers to finally lay to rest the multimedia tool and platform that began life almost 20 years ago under Macromedia, a company that Adobe bought in 2005.
“Adobe Flash—that insecure, ubiquitous resource hog everyone hates to need—is under siege, again, and hopefully for the last time,” wrote Brian Barrett in an article unambiguously entitled “Flash Must Die” on the WIRED website.
He then explained why people shouldn’t wait for Flash’s demise but remove it from their devices right away.
“Why would you want to?” Barrett wrote. “Because Flash is a closed, proprietary system on a web that deserves open standards. It’s a popular punching bag for hackers, which puts users at risk over and over again. And it’s a resource-heavy battery suck that at this point mostly finds its purchase in pop-up ads you didn’t want to see anyway.”
Barrett’s words echoed those written by the late Apple founder Steve Jobs in 2010 when he explained why Flash would have no place in the iPhone or iPad.
Jobs objected to Flash for a number of reasons, the first of which was its proprietary nature.
“Adobe’s Flash products are 100 percent proprietary,” Jobs wrote. “They are only available from Adobe, and Adobe has sole authority as to their future enhancement, pricing, etc. While Adobe’s Flash products are widely available, this does not mean they are open, since they are controlled entirely by Adobe and available only from Adobe. By almost any definition, Flash is a closed system.
Jobs also observed that Flash, which used software to decode video, was a drain on batteries—a crucial point when it came to iPhones and iPads.
“To achieve long battery life when playing video, mobile devices must decode the video in hardware; decoding it in software uses too much power. Many of the chips used in modern mobile devices contain a decoder called H.264 – an industry standard that is used in every Blu-ray DVD player and has been adopted by Apple, Google (YouTube), Vimeo, Netflix and many other companies.
“The difference is striking: on an iPhone, for example, H.264 videos play for up to 10 hours, while videos decoded in software play for less than five hours before the battery is fully drained.”
Perhaps most germane to today’s situation, Jobs also attacked Flash for its lack of security.
“Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.”
With the woes surrounding Flash today, Jobs’ words five years ago certainly seem prescient. Chin Wong
Column archives and blog at: http://www.chinwong.com