It’s installed on a billion computers around the globe, but before the end of this decade Adobe Flash will be dead. After two decades of ubiquity, the Flash platform is finally collapsing under its own weight.
Flash Player used to be everywhere. You used it to watch videos on YouTube, you used it to play online games, whole sites were built in it. Before 2010 there were very few other ways to display animated content on the Web, and none of them had the reach of Flash.
Now Flash seems at best an afterthought and at worst a liability. So far this year alone, Adobe has scrambled to patch six major security holes in the platform. These are not theoretical holes; they are live vulnerabilities that were (and still are) being used by hacker groups to attack millions of computers.
The most recent vulnerabilities were revealed by an unlikely source and in a wryly amusing way. Hacking Team, an odious hackers-for-hire firm based in Milan, was itself hacked. Oops. Four hundred gigabytes of its corporate data was then distributed on the Internet.
This data has proved a treasure trove for what security geeks call “zero-day exploits”, particularly in Flash. One of these bugs was described in Hacking Team’s internal communications as “the most beautiful Flash bug for the last four years”. It can be used to override PC functions, change the value of objects and reallocate memory.
This is not a new phenomenon. Adobe has been frantically patching Flash for the last few years. The platform’s huge install base is a curse as much as it is a blessing, because it turns the Flash Player plug-in into a red-hot target for anyone seeking to infiltrate a computer via the Internet.
Most of the people who use Flash do not even realise they are using it. It’s the ultimate Trojan horse, constantly running in the background, merrily executing code through compromised advertising banners and stealing people’s data en masse.
This problem has become so acute in the last few weeks that Mozilla has blocked Flash Player by default in the latest version of its Firefox browser. Since Firefox updates automatically, tens of millions of Adobe’s customers will simply disappear from its radar in the next few weeks.
And things are only going to get worse. Alex Stamos, the new head of security at Facebook, has publicly challenged Adobe to set an “end of life date” for Flash. Like most other security professionals, he sees no future in which Flash can be relied upon. And Stamos cannot be easily dismissed. Flash may have a billion customers, but Facebook has nearly two billion and counting.
A large part of the problem stems from the fact that Flash is both proprietary and entirely closed source. That means the only people thinking about Flash’s security work for Adobe. Compared to the (literally) millions of skilled hackers, they are a fart against a hurricane.
The rest of the Web’s plumbing uses open standards like HTML, CSS, SSL and PGP. These are far from perfect, but they have millions of dedicated geeks grooming and shepherding them. Flash’s whole approach is outdated, which explains why it is unable to keep up with the rest of the Web.
Case in point: YouTube officially deprecated Flash in January this year. All viewers now use the HTML5 player that is both cross-browser compatible and almost universally available without any additional download.
All of the things Flash was once good at — animation, interactivity, audio, video — now have safer and more reliable alternatives that are built right into modern browsers. The only things using Flash at any real scale anymore are advertising banners and in-browser games like Farmville.
In 2010, Steve Jobs wrote a now-famous memo explaining why Apple would not be including support for Flash on its iOS platform. In a nutshell: Flash was closed, unreliable, unsafe, bloated and a battery hog.
At the time he was derided by Adobe and its lackeys for dismissing one of the Web’s most important technologies. Five years later, his criticisms seem prescient. Rather than Apple caving in and supporting Flash, the rest of the world followed Apple.
Even Adobe itself seems to realise Flash’s days are numbered. In the last five years, it has invested in tools and systems that work with HTML5, the new standard for Web video and animation.
But if history is anything to go by, Adobe will never take the plunge itself — it will have to be pushed. One by one, the major Web browsers will begin blocking it by default and eventually banning it outright.
But Adobe will ride this burning platform right down into the icy sea before it relinquishes its last toehold in the Web. Let’s all leave the platform before it gets to that stage.