To Flash or not to Flash?

To Flash or not to Flash?

That’s a really good question. Hi everyone! Leo Notenboom here for askleo.com. You know, Adobe Flash has come under a lot of heat this last week. There have been several zero-day vulnerabilities that have discovered and in most case quickly repaired. Zero-day, of course, means that the problem, the vulnerability, the bug has been found actually being exploited in the wild meaning that there’s technically zero days to fix it before people are safe.

Now, this is not the first time. Flash has many problems over the years. I’ll call it “permeable”. It seems to be full of holes. Now, several folks, including Facebook’s own director of security are now calling for Flash to be formally discontinued. I think they were formally calling on Adobe to declare an end of life for Flash.

And of course, many security experts are encouraging people to uninstall it completely and just stop using it. Not so fast. You know, it’s rarely that things would work out to be that simple. Flash has been around for a really, really long time and in fact that’s one of the problems; one of the things that leads up to our current situation with Flash. It’s a really, really old code in its underpinnings.

The problem, of course, is that I figure its probably used one or another on perhaps millions of websites. As we’ll see in a moment, some website owners, myself included, might not even know it. So uninstalling it might end up making you safer, in fact it will end up making you safer because you won’t be vulnerable to any Flash exploits no matter how many that might come up.

But, you know, you’ll also encounter websites and web services that will stop working for you because they require Flash. Now, some of these millions of sites are going to update. As it turns out, 99% of what is used for, basically video and audio and multimedia on web pages is actually part of the HTML5 spec. It has been out for several years now and HTML5 is supported by all current, major browsers.

It’s just already, all that stuff is built in without needing to install an additional plug-in or add-on like. So, here’s the problem though – websites need to be updated to take advantage of HTML5. Now, many of those millions of sites, of course, they’re going to get updated. It’s not going to be a problem. The problem, on the other hand, is that many of them will not be updated. They will continue to use and require Flash.

Now, I am slightly embarrassed to say that I turn out to be one or actually two or three of those millions of sites. The problem is this – until yesterday the audio player on askleo.com that I use at the bottom of all current articles to play the podcast version, the audio version of each article turned out to require Flash.

Now, fortunately I was able to make a simple change to the plug-in that I use to provide that functionality on each page so it was a quick change and all of the players now are HTML5 compatible and they just work there. Unfortunately, that’s not true for a couple of my other sites; specifically, the Members Only site that contains the videos that accompany your purchase of many of my Ask Leo! books.

When you purchase a book you have an opportunity to register and get an account on members.askleo.com where you can access bonus material and much of that material, in fact most of that bonus material usually takes the form of videos. Videos that can either be downloaded (which of course is not affected by any of this) or can be played directly on the web page, which is.

As it turns out, the video player that I’m using right now requires Flash. Whoops! So, the problem here of course is that’s going to work on my part to go through and fix. I actually have to touch every page that holds the video and make some changes to use a different approach that will allow the video to be played using HTML5 assumptions rather than using Flash.

I plan to do that; that’s not an issue for me. And to be clear, it’s not that I made a conscious decision to use Flash; it’s not like most webmasters decide to use Flash specifically. What typically happens and is what happened in my case is that I ended up using a library of code that makes putting video on web pages easier rather than having to write a bunch of supporting HTML and JavaScript and a bunch of other stuff these libraries allow you to just say, “Here’s the video and play it here and make it this big, “ and they provide you with a nice player and the play button and the pause button and all that kind of thing.

Well, as it turns out, the library that I chose requires Flash. Now, ten years ago, that was the perfectly valid assumption; a perfectly valid requirement and in fact, that’s one of the reasons that Flash became so popular is because Flash was being used to provide video on again, millions of different websites. It was the way to do it.

It’s not so much true though anymore and that’s why this is happening; that’s why websites technically should be changing to move away from Flash. So, the real question, of course, is well, what do you do? Well, to be clear, if you own or operate a website, like I do, view it with Flash uninstalled or disabled like I did. Like me, you might be in for a surprise.

You might find the pieces of your website don’t operate the way that you expect them to or the pieces of functionality are completely missing if Flash is not allowed to run when your website is displayed so check it out and then consider your alternatives. Figure out if it’s going to be something you want to fix or maybe just leave alone. I don’t know. It’s the decision you have to make.

As an average user, of course, the answer is more complicated. You can, of course, uninstall Flash completely. The way to do that typically is to go into Control Panel > Add or Remove programs and just look for either Shockwave Flash or Adobe Flash and uninstall those and the components that have the similar names.

That will remove it from things like IE and Firefox. Alternatively, you can install a plug-in, an additional plug-in as it turns out that will disable Flash without actually uninstalling it and you may want to do that. It’s kind of the default behavior for Firefox right now. In other words, that was part of the big news this week is that they block Flash by default but they don’t uninstall it. They still let you run it.

There are plug-ins for Chrome since Chrome runs its own built-in version of Flash you actually do need to use a plug-in to turn it off or of course, the third alternative is that you can just keep running it. If you need to do that, that’s fine just make sure you keep it up-to-date – as up-to-date as possible all the time.

As we’ve seen just this week and as we expect to see in the coming weeks, there will probably be more vulnerabilities found and you’re going to want to get the fixes those vulnerabilities as soon as they’ve been made available. My approach and I guess it’s going to be my recommendation is to run a Flash-blocking plug-in so what I’m using in Chrome, in Chrome we don’t really have much of an alternative.

I’ve got that plug-in installed right now. The problem here, really, is that I think that it’s extremely likely that after disabling Flash you’re going to discover that some website you care about requires it and that’s going to leave you in a quandary if you’ve got it completely uninstalled that website will not work without Flash. It just won’t.

Whereas with these Flash blocking plug-ins, most of them will give you the option of running Flash on a case by case basis so that when you visit whatever website that is that uses Flash that you need to use Flash on, you can say okay, run it. I know this website; I trust it; I need this; go ahead and run Flash.

I use something called Flash Control in Chrome and it does exactly that. If there’s Flash content on a page I can see that there’s Flash content on it because it displays a little black box that says it’s blocked and by clicking on that box I can then choose to run the Flash content on that page manually. But like I said, honestly, it really all depends on what sites you visit regularly on the web.

How may of them require Flash? And how important they are to you? I think once you run a blocker you’ll be very surprised at just how pervasive Flash is. And you’ll understand why this is not necessarily an easy decision. Even stopping Flash development or bringing Flash into end of life is not an easy decision for the industry as a whole because there are so many websites out there that still depend on it and probably will depend on it perhaps without even realizing it for a very, very long time.

So, that’s where we are with Flash; that’s what I recommend you do. What do you think? What approaches are working for you? What approach do you plan to take? Do you have a good Flash blocking plug-in for whatever browser it is you are using or some options within that browser to help control Flash? Let us know.

Share your comments down below. As always, if you’re viewing this anywhere but on askleo.com here’s the link. Go visit that page. That’s where we have comments, the discussion, the ideas that other people will be sharing. Comments are all moderated so it’s a safe place to hang out and I really, really look forward to hearing what you have to say.

As for me, well, I’ve got some web pages I need to go modify.

I will see you again next week. Take care.

Comments

I’ve been using the Flashblock add-on in Firefox for some years – to stop those irritating pop-up ads. But good to find that I was doing the right thing from a security perspective. And – as you say – amazing how pervasive Flash is. No wonder it is being targetted.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------