As web developers started to emphasize function over gimmickry, they started to focus their energy on interesting and useful web apps and streaming video as opposed to taking the sentiment behind the old HTML tag way too far. With Flash, the possibilities seemed endless. If you could make a very good SWF applet, people really appreciated it, especially once most people had Flash plugins in their web browsers. And of course, Flash was necessary for YouTube. YouTube launched the same year Adobe bought Macromedia, 2005. YouTube was such a phenomenon that Google had the good sense to buy it a year later. Adobe is good at developing creative tools, however proprietary they are. What they’re not good at is security. No bloody way! Security bugs are inevitable in all applications from developers both big and small. But, they’re way more common in Adobe Acrobat and Adobe Flash than is typical for similar applications. One of the things I habitually do in my security hardening routine for both personal and professional client PCs is uninstall Acrobat, and replace it with another PDF viewer, such as Foxit Reader, when the machine I’m working on runs Windows. Even though the end user doesn’t realize that I’ve given them a more secure application to open PDFs in, they always appreciate how their new application patches without popups, and gives them a better designed GUI, better in-browser functionality, and an overall better user experience. I’m really happy to be able to say that now I can do the same thing to Flash as I do to Acrobat. Except, I don’t have to install another application to replace it. All I’ve got to ask an end user is, “do you ever go to YouTube?” They’ve always said yes. The really computer illiterate end users don’t know what Flash is, nor do they know that they sometimes view YouTube videos as an embedded applet on a webpage that’s not hosted at youtube.com. Asking them if they enjoy other websites that use Flash is an exercise in futility. “Huh? Do I use Google or Foxfire?” (Why oh why do they call Firefox “Foxfire?” Explaining to them the difference between the Google search engine and the Google Chrome web browser has made me ruin my manicures here and there.) But I could usually assume that they needed Flash for YouTube most of the time. A few years ago, they really needed it for games in Facebook, as well. The first nail in the coffin was mobile. The late Steve Jobs, although I strongly dislike the guy, was correct when he said, “Flash has not performed well on mobile devices. We have routinely asked Adobe to show us Flash performing well on a mobile device, any mobile device, for a few years now. We have never seen it.” Although Adobe really wanted to port Flash to mobile platforms, that effort was never successful. It was never available for iOS. It was available at times for Symbian, Palm OS, and webOS. It was available for some devices running Android versions 2.2 through 4.0.4. It never really seemed to catch on, once smartphones and tablets became the primary way for consumers to enjoy content from the Internet. W3C started working on HTML 5 in 2004. It was usable for me to play around in starting in 2010. But I’m more of a web page developer than a web app developer, so my web development was focused on standards compliance and cross browser and device compatibility rather than creating nifty things with the canvas element. Nonetheless, the introduction of the

“Users of Adobe Flash Player for Windows and OS X should update to Adobe Flash Player 16.0.0.305. Users of Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.269. Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.442. The Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.305.”

I can safely assume that we’ll continue to learn about really major vulnerabilities that pertain to Flash and Reader for as long as those products continue to be developed by Adobe. I base that assumption not only on Adobe’s reputation and their tendency to take a head in the sand approach to security, but also on Adobe’s patch management style. Their patches address vulnerabilities that are near the surface of their applications, rather than the really deep vulnerabilities at the center of their really old code bases. Way too much of the code is unchanged from the 1990s. I’d love for a security firm with much greater resources than I have to do a really thorough penetration test of the most recent versions of Flash and Reader for Windows, OS X, and GNU/Linux. The reported findings would probably require a forest’s worth of pulp if printed on paper. So, yes, security vulnerabilities can be found in products from all developers. But Adobe is much worse than the norm. Alternative PDF viewers and creators are available for pretty much all mobile and desktop platforms. And open web standards such as HTML 5 have made Flash obsolete. Heck, I even use GIMP instead of Photoshop. Here’s my advice. Whether you’re enterprise or a consumer, get Adobe out of your abode. Now you can do it for content creation and consumption. And it’s easy. References Still using Adobe Flash? Oh well, get updating: 15 hijack flaws patched- Shaun Nichols, The Register http://www.theregister.co.uk/2015/02/05/adobesighpatches_anothersighflash_zeroday_vulnerability/ YouTube flushes Flash for future flicks- Simon Sharwood, The Register http://www.theregister.co.uk/2015/01/28/youtube_flushes_flash_for_future_flicks/ YouTube now defaults to HTML 5