back to article Kill Flash now? Chrome may be about to do just that

Google's Chrome web browser could be disabling all Flash content by default before the year's out. El Reg has learned that developers with the Chromium Project are working on a new feature known as 'HTML5 by Default'. The move could help to keep users safe by locking off a favorite target for web-based malware exploits. As …

  1. redpawn Silver badge

    About to?

    By the end of the year is a long moment.

    1. Andy france
      Alert

      Re: About to?

      Till then set Chrome to ask before running plugins i.e. flash

      This option is cunningly hidden under settings/advanced settings/Privacy/Content settings/Unsandboxed plug-in access.

      After that you only run flash when you really want to by right clicking the flash and selecting run. Disabling the flash plugin works too but I found my self forgetting to disable it again after visiting one of the very few sites where I tolerate flash.

      1. goldcd

        There've been plugins to do this for ages

        e.g. Flash control.

        Nukes all Flash leaving you a "flash goes here" image.

        Then click on it, if you want it to run.

    2. big_D Silver badge

      Re: About to?

      Yes, until the end of the year is a long time. I killed it on all of my machines over 18 months ago and I haven't missed it yet.

  2. Anonymous Vulture
    Go

    Google catches up to Apple, while Microsoft trails the pack

    So the Almighty Jobs killed Flash on mobile back in 2011, and Google is set to do the same on the desktop in 2016. All I can say is, it is about bloody time!

    Flash has been a security joke forever. The numbers there amaze even me, 314 vulnerabilities in 2015? You're probably safer running a Windows 98 box than a modern Windows flavor with Flash installed.

    That said, the Flash plague will probably haunt the Internet for at least another 5 years until Microsoft finally kills it in an undocumented "functional" update to Windows 10. This nonsense about exempting the top 10 Flash domains seems like it could extend the nightmare for a bit.

    1. patrickstar

      Re: Google catches up to Apple, while Microsoft trails the pack

      To be fair, its bug count or frequency isn't worse than any of the major browsers. They are all, universally, major security jokes, in case someone hasn't noticed. The advantage of Flash is that you can actually turn it off, unlike all the Web3.0 hipster crap in modern browsers.

      And just to be picky - while it for obvious reasons is unlikely to get targeted by some Russian exploit pack nowadays, Windows 98 in its heyday happily downloaded and ran ActiveX controls automatically. At most displaying a message along the lines or "Are you sure you wanted to run this ActiveX control?"

      And not sure whether Windows 98 is vulnerable to the MDAC bugs, but those (applies to NT/2K and XP up to some service pack) were actually a staple in above mentioned exploit packs for many years, and let attackers simply tell it to run any command.

      Finally - 98 has no ASLR/DEP (not that it would save you from those), sandboxing, permissions/user control, or even real ring3/0 separation, so any bug - memory corruption or not - and you're hosed.

      1. Anonymous Vulture

        Re: Google catches up to Apple, while Microsoft trails the pack

        patrickstar spake:

        To be fair, its bug count or frequency isn't worse than any of the major browsers.

        No argument, but its line of code count should be less than a browser and its stated set of functions certainly is smaller. Just because someone else writes terrible code does not mean you are excused for doing the same.

        Forgive me for using hyperbole to make my original point. I am not revising history to gloss over the atrocious lack of security controls in Windows 98, but given the choice between the two terrible alternatives I will take the obsolete and unlikely to be targeted Windows 98 box over a modern Windows box running Flash. Adobe seems to keep including bugs in each Flash release that allow for sundry nastiness despite OS security enhancements

        1. Charlie Clark Silver badge

          Re: Google catches up to Apple, while Microsoft trails the pack

          I will take the obsolete and unlikely to be targeted Windows 98 box over a modern Windows box running Flash

          Really? Win 98 is just DOS which has absolutely no protection against permission escalation because it doesn't have permissions: find any exploit and get pwned.

          I think Flash suffered from feature creep. Remove the video stuff and you could probably tighten it up. In the meantime "press to play" and the improved plugin architecture do significantly reduce the attack area. Better still just deactivate it and hassle any websites that tell you Flash is required. Anything that depends on ads or subscription will switch pretty quickly.

          1. url

            @Charlie Clark

            No, and, almost two decades later we could collectively stop perpetuating the lazy myth.

            https://blogs.msdn.microsoft.com/oldnewthing/20071224-00/?p=24063/

        2. patrickstar

          Re: Google catches up to Apple, while Microsoft trails the pack

          It's less, yes, but there is a significant degree of overlap in the functionality exposed to hostile content.

          Flash has something corresponding to all the basic components and APIs except the whole user interface thing.

          Most importantly, it has all the parts that tend to be where exploitable browser bugs actually are.

      2. JLV Silver badge

        Re: Google catches up to Apple, while Microsoft trails the pack

        To be fair, 1+1 = 2

        i.e. if you have a browser with a vuln quotient of x and then you add the y from Flash, you have x+y exposure instead of plain x. Note that in this equation, Flash's y is neither 0 nor negative. I would argue it is pretty high for its functionality compared to the Swiss Army knife of a modern browser.

        Additionally, you can run NoScript quite effectively to harden your browser to random JS. And it's not like white-listing automatically makes NoScript happy - it's often that it whines, justifiably or not, for a white-listed site's JS doing something it thinks fishy.

        In fact, as someone else mentioned a few days back, I tend to run FF w NoScript and fall back to Chrome when I can't be arsed to figure out what is irking NoScript on a site that I actually use.

        Flash content is opaque in that regard and I would rather concentrate on just dealing with JS vulns, thank you very much.

        Thank you, Chrome, anything that gets laggards like the BBC and CBC off Flash is most welcome. I haven't used Flash for years and I mostly don't miss it anywhere except for the 2 above. And that certainly includes YouTube which works fine without it.

        p.s. one exception - Joel Spolsky's otherwise excellent FogBugz service has a estimates-vs-actual time feature that I would love to use, but is based on Flash for its reporting (hello, D3, please).

    2. Andy Non
      Devil

      Re: Google catches up to Apple, while Microsoft trails the pack

      The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed, so the phuckers don't even let you remove it! Yet another reason to hate Windows 10, as though there aren't enough reasons already. Curiously it isn't even listed as a plugin on Firefox on Windows 10 so I don't know if Flash is active or not via that browser? She never uses Edge or IE.

      1. VinceH Silver badge

        Re: Google catches up to Apple, while Microsoft trails the pack

        "The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed, so the phuckers don't even let you remove it!"

        See if you have Wild Tangent Games installed - I found Flash on my Win8 computer, and IIRC it was pre-installed with that.

        1. Andy Non

          Re: Google catches up to Apple, while Microsoft trails the pack

          Just checked and no "Wild Tangent Games" installed. Ideally I'd like to remove Flash from the PC, we haven't used Flash for years and hate the way Microsoft appear to have hidden it inside Windows 10. If I can't get rid of it I'd like to be sure that Firefox isn't using it; it isn't listed as a plugin so I don't know.

          1. Chika
            Coat

            Re: Google catches up to Apple, while Microsoft trails the pack

            Odd. If you go into Firefox on the Add-ons manager page and look under Plugins, you should find something there (on my Linux installation it shows up as "Shockwave Flash", it also shows up that way on Windows 7). On Windows you will probably find it in Programs and Features - removing any instance from that point will also remove it from Firefox. Bear in mind though that there are different versions of Flash - the ActiveX version and the NPAPI version. If the latter is missing then Firefox isn't using it. Both versions will appear in Programs and Features if installed.

            I'd suggest that if you think that you don't use Flash anymore, then uninstall it anyway and see what happens. Installing it again should you really need it isn't difficult but chances are that you won't.

        2. Jack of Shadows Silver badge

          Re: Google catches up to Apple, while Microsoft trails the pack

          I run into Wild Tangent regularly on fresh out of the box and fresh reinstalled machines on a depressingly regular basis. That includes my consumer machines here as well. Hell, I don't even have to look at my notes about it!

      2. Free Maps?

        Re: Google catches up to Apple, while Microsoft trails the pack

        Not sure if the same applies here. I found a flash update on a 2012 server and knew it wasn't installed.

        It turns out to be a 'feature' called Desktop Experience and can be removed from programmes and features.

      3. Sandtitz Silver badge

        Flash in Windows 8/10 @Andy Non

        Windows 8 and 10 included the Flash plugin and it's kept up-to-date with Windows Update.

        To disable it in IE: disable ActiveX. The Edge browser has a simple on/off setting for it.

        The built-in Flash plugin doesn't work with any other browsers, so her Firefox is safe in that regard.

        1. illiad

          Re: Flash in Windows 8/10 @Andy Non

          yes, BUT what if websites NEED FLASH???? the BBC still needs it, but Apple must be paying them something so that it does not need flash??? YES, I once 'spoofed' Firefox the look like Ipad, and HTML5 worked!!! :) but then they changed it, does not work any more...

          1. Anonymous Coward
            Anonymous Coward

            Re: Flash in Windows 8/10 @Andy Non

            There are other websites. Use one of those.

      4. TeeCee Gold badge

        Re: Google catches up to Apple, while Microsoft trails the pack

        Edge does not support plugins, but has a heavily-sandboxed implementation of Flash built-in. That'll be what's updating.

        The fact that it does update like that proves it's the internal MS version. Look on the bright side, if you were using the official Adobe version she'd have had Chrome and the Google toolbar installed on the qt as well.

      5. Captain Badmouth
        Windows

        Re: Google catches up to Apple, while Microsoft trails the pack

        "The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed"

        M$ : This has nothing to do with you, it's our OS not yours. If you don't like it you know what to do.

        Assume the position.

    3. Charlie Clark Silver badge

      Re: Google catches up to Apple, while Microsoft trails the pack

      So the Almighty Jobs killed Flash on mobile back in 2011

      Only because, by then, enough had been done that Apple could get people to move from the Adobe walled garden to their own. This was pretty much also the time when Apple stopped contributing significantly to WebKit. And, wasn't there a note recently about Apple not giving a shit about the holes in Quicktime?

      If it was YouTube that helped Flash to dominance, it was Google that really pushed for HTML5 video being both free to use and free to create. Otherwise content providers would be paying both Adobe and MPEG licences to encode.

      The important thing will be to fail on feature detection so that the <video> tag gets precedence and offer "press to play" functions where this isn't possible.

      1. Martin Gregorie Silver badge

        Re: Google catches up to Apple, while Microsoft trails the pack

        Google could most usefully show leadership by making sure that all the videos on Youtube are available as HTML5, and should preferably remove the Flash version each time they convert a video to HTML5. A quick check of four or five old favourites showed that all of them are still Flash, so YouTube have got work to do.

        On the web browser front, Firefox is in the lead: it canned Flash many releases ago, yet strangely El Reg didn't mention that.

      2. jason 7
        Meh

        Re: Google catches up to Apple, while Microsoft trails the pack

        Jobs did hardly anything to kill Flash. He maybe knocked three months off it at best. It's 2016 now and Flash is still hanging around all over the place. It's hardly dead. Will still be with us at 2020 I reckon.

    4. Planty Bronze badge
      Stop

      Re: Google catches up to Apple, while Microsoft trails the pack

      Ironically apple were still at the top of the list and ahead of flash in 2015 CVE even without flash's help...

      http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/

      Imsgine if they had flash , they would be the unstoppable leader in vulnerable software by a large margin

      1. Anonymous Coward
        Anonymous Coward

        Re: Google catches up to Apple, while Microsoft trails the pack

        Ironically apple were still at the top of the list and ahead of flash in 2015 CVE even without flash's help...

        Oh hello Microsoft Statistics guy, haven't heard from you for a while after I left your last attempt to be creative with statistics in a large smoking hole. I wonder how much are you paying Venturebeat to keep this (rather obvious) attempt at rigging statistics on their pages.

        Let's just line up the shot to kick you back into that hole then, shall we?

        From the page you supplied:

        OSX vulnerabilities: 384

        Windows vulnerabilities: (adding up ALL VERSIONS of Windows as you have to do to get the OSX numbers) 151 + 147 + 146 + 135 = 579, and that's leaving out the Server editions and RT.

        But that's only one third of the story. After all, it was you who wanted to play with statistics. Let's look at the whole timespan.

        OSX was introduced in 1999. That would bring the total of reported OSX CVEs to 1484, but guess what would happen to the Windows total? You'd have to include

        Win 98SE : 61

        Win 2000: 507

        Win XP: 726

        .. which brings our jolly total up to 1873 - and I still have left the server totals out of it (because Apple's isn't exactly in heavy use and I want to give the Microsofties at least the sporting chance they never give Apple). Still advantage Apple, and I'm not done yet.

        There's more embarrassment waiting in the wings - onwards to the last part of the story.

        The real fun starts when you go back to the beginnings and remember why the author made this "comparison": it was to observe security trends for making choices.

        A CVE entry is a warning signal which may or may not result in exposure. You'll find that actual exposure data in the "vulnerability" column, which is the real thing you want to pay attention to if you're serious about risk management (you weren't, but I am and these BS stories do not help).

        Here is the data as of today:

        OSX CVE entries: 1484 Vulnerabilities: 73 Patches: 128

        I am going to add up patches and vulnerabilities together because both indicate something grave enough to warrant effort., so for OSX it means that 14% of CVE entries were a risk, grave enough to warrant corrective action by Apple.

        Now let's go to Microsoft Windows.

        Win 98SE 61;145;14

        Win 2000 507;667;97

        Win XP 726;968;192

        Win Vista 670;538;123

        Win 7 560;436;92

        Win 8 254;182;0

        Win 8.1 254;129;0

        Adding that up demonstrates that over almost 3 times the number of vulnerabilities in the same time span (3032) there were actually more risks addressed than formally reported (118%). In other words, they quickly banged out fixes for thing they didn't even tell you about and hoped you weren't watching the numbers properly. Yup, those are the people you should trust.

        So:

        1 - based on the bare numbers, OSX is SIGNIFICANTLY less risky than Windows

        2 - Apple seems to address issues that have as yet not resulted in exposures in the wild

        See you in a few months, I guess?

        1. Updraft102 Silver badge

          Re: Google catches up to Apple, while Microsoft trails the pack

          Most of the vulnerabilities are the same ones across Windows versions. One exploit does not become two simply because MS renamed the version of Windows that contains the vulnerability. You're essentially making up numbers here.

          1. Anonymous Coward
            Anonymous Coward

            Re: Google catches up to Apple, while Microsoft trails the pack

            Most of the vulnerabilities are the same ones across Windows versions. One exploit does not become two simply because MS renamed the version of Windows that contains the vulnerability. You're essentially making up numbers here.

            Well, it appears the same happens when you lump all versions into one "OSX" entry, so I guess that balances out.

        2. Anonymous Coward
          Anonymous Coward

          Re: Google catches up to Apple, while Microsoft trails the pack

          Having little to no legacy support, limited hardware options and a closed system does reduce some of those vulnerabilities for Apple.

        3. Anonymous Coward
          Anonymous Coward

          Re: Google catches up to Apple, while Microsoft trails the pack

          "A CVE entry is a warning signal which may or may not result in exposure. "

          Weird, as all the Android scare stories, and nothing actually occuring here in the real world, that suggests warnings are as good as exploits when it comes to writing clickbait.

          Typical upset apple fanboy that has dounke standards ...

    5. Mikel

      Re: Google catches up to Apple, while Microsoft trails the pack

      Hey - at least Microsoft gave the world a Flash replacement. It's called Silver light. ;-)

      1. Anonymous Coward
        Anonymous Coward

        Re: Google catches up to Apple, while Microsoft trails the pack

        Hey - at least Microsoft gave the world a Flash replacement. It's called Silver light. ;-)

        Was. It's already gone...

        Adobe can play that game too: it's called HTML5. To be fair, Microsoft accidentally started it with an undocumented feature called XMLRPC (AJAX), and the Canvas API came from Apple, but a huge chunk of Web 3.0 crap is basically a Javascript port of Flash. (No wonder it's crap)

    6. macjules Silver badge
      Facepalm

      Re: Google catches up to Apple, while Microsoft trails the pack

      You're probably safer running a Windows 98 box than a modern Windows flavor with Flash installed.,

      Oh come on, it is not that bad surely? Then again you are dealing with a monolithic corporation that is highly protective of its product, regularly threatens anyone finding bugs (and there are a LOT of bugs) with both civil and criminal action yet steadfastly refuses to fix any issues raised by the community as a whole. No, not Microsoft … Adobe.

    7. Michael Thibault

      Re: Google catches up to Apple, while Microsoft trails the pack

      ... plan to exempt the top 10 domains that use Flash for one year in order to concentrate the focus of, and increase the effectiveness of, any new exploits.

      Plain-Speaked That For You

      Euthanise Flash Now! The pain has to end. Make it quick.

  3. Herby Silver badge

    "exempt the top 10 domains"??

    Would one of these be YouTube?? Which is owned by......

    I could go on, but why bother?

    1. Charlie Clark Silver badge

      Re: "exempt the top 10 domains"??

      YouTube quite happily serves HTML5 video where Flash isn't installed, has done for a good while now.

    2. Zakhar

      Re: "exempt the top 10 domains"??

      You are very wrong, Youtube has been working impeccably well WITHOUT flash for years.

      I have gotten rid of Flash 5 years ago on all my PCs (running Linux) and there is no problem whatsoever with Youtube. By the fact they have been phases :

      - many years ago it was "all flash"

      - then they "experimented" HTML5 playback (meaning Flash was always the default but you could opt in HTML5)

      - then they made HTML5 the default and flash only a fall-back for old browsers that still don't support HTML5 video (some IE6 out there!?)

      And in fact, I won't be surprised that Youtube ditch flash completely, even as a fall-back.

      @Anonymous Vulture: "All I can say is, it is about bloody time!"

      Indeed!

      1. Chloe Cresswell

        Re: "exempt the top 10 domains"??

        If it wasn't for YT, I wouldn't have flash on my machines.

        On the one I use the most (S20-30 netbook), the html5 version keeps the CPU at a "happy" 40-50% load, compared to 15-20% for the flash version.

        Currently that is the only thing I use it for.

        1. Charlie Clark Silver badge

          Re: "exempt the top 10 domains"??

          On the one I use the most (S20-30 netbook), the html5 version keeps the CPU at a "happy" 40-50% load, compared to 15-20% for the flash version.

          Sounds like Flash is able to use hardware acceleration and your browser isn't. Hardware acceleration is very dependent upon browser and OS.

      2. Chika

        Re: "exempt the top 10 domains"??

        And in fact, I won't be surprised that Youtube ditch flash completely, even as a fall-back.

        With more recent versions of Firefox you will find that YouTube will force the browser to try to run with HTML5 first by default. It has been this way for a few months now though it will fall back to Flash if HTML5 isn't working or if you have an add-in that forces Flash to be used (yes, they exist).

      3. Anonymous Coward
        Anonymous Coward

        Re: "exempt the top 10 domains"??

        Youtube has been working impeccably well WITHOUT flash for years.

        In your parallel universe, maybe. But you can use youtubedown without flash or a browser...

  4. frank ly Silver badge

    Why has Flash been so bad?

    Adobe's other products (Photoshop, etc) seem to have good reputations.

    1. Jack of Shadows Silver badge

      Re: Why has Flash been so bad?

      Photoshop, if I've got my history on it right, is something that started in-house. Flash and ColdFusion to give another example of historically vulnerable software were created by Macromedia. (I used to beta Dreamweaver and its antecedents for them way back when.) Adobe bought them and aside from Dreamweaver (I think) the rest of the products have been exercises in patch, patch, and patch again since. I'm maligning ColdFusion a bit but when it demonstrates real doozys when they turn up.

      1. jdoe.700101

        Re: Why has Flash been so bad?

        Photoshop was actually developed externally and first? available as a BarneyScan XP, which came with the BarneyScan film scanner.

        Adobes problem is that their products reached maturity years ago, and have been adding bloat in order to (try to) justify their upgrades.

        1. Not That Andrew

          Re: BarneyScan XP

          I was sceptical but you are right. Photoshop was developed by Thomas and John Knoll and first made available commercially by BarneyScan. It appears it was so popular Adobe decided to buy it and market it themselves as Photoshop.

      2. Charlie Clark Silver badge

        Re: Why has Flash been so bad?

        ColdFusion to give another example of historically vulnerable software were created by Macromedia.

        Nah, ColdFusion was developed by Allaire and subsequently bought by Macromedia. A lot of people were really sad that Adobe canned Freehand which many thought was better than Ilustrator.

        With Flash I think it's worth remembering that it and Shockwave were originally developed as authoring tools for CD and DVDs. They were fine at this and adapting the runtimes to become browser plugins wasn't too hard. Of course, the internet has since become a much nastier place.

    2. Chika
      Mushroom

      Re: Why has Flash been so bad?

      Adobe's other products (Photoshop, etc) seem to have good reputations.

      They had good reputations. Then they went all cloudy...

    3. macjules Silver badge

      Re: Why has Flash been so bad?

      Photoshop, Premiere and After Effects are pretty much the original products and are still (Final Cut Pro notwithstanding) pretty much the market leaders. Illustrator used to be like wading through treacle compared to Freehand, until Adobe bought Macromedia Freehand and merged it into Illustrator. Pagemaker was ok with Aldus, but certainly not so afterwards; but then Indesign *sort* of made up for it. Dreamweaver was fantastic if only because it made Adobe trash the truly awful experience of GUI editors - GoLive.

      The crock of Trump in all of this is Flash. Under Macromedia's umbrella Flash was actually pretty stable, regularly maintained and you didn't get the weekly 'Flash Installer needs your attention', which to me is the new MS Word paperclip. Since then, well ...

      But thanks anyway Adobe: if it had not been for GoLive I might never have gone onto using BBEdit so quickly in the late 1990's..

      1. Anonymous Coward
        Anonymous Coward

        Re: Why has Flash been so bad?

        Photoshop, Premiere and After Effects are pretty much the original products and are still (Final Cut Pro notwithstanding) pretty much the market leaders. Illustrator used to be like wading through treacle compared to Freehand, until Adobe bought Macromedia Freehand and merged it into Illustrator.

        You may want to keep a beady eye on the guys from Serif who are developing the Affinity products. It's not exactly hard to detect that Affinity Designer and Affinity Photo are very accurately focused on the Illustrator/Photoshop audience that is planning to walk from Adobe because of their licensing change, and possibly those who currently use pirated versions because the Affinity software comes at a far more palatable price.

        I already licensed both :).

    4. patrickstar

      Re: Why has Flash been so bad?

      I'm sure that if Photoshop automatically loaded media off web sites and was deployed on a large chunk of Internet connected PCs, we would be having this discussion about it instead...

      Flash at its heyday was, and to some extent still is, a really good tool/environment from the content author/software developer viewpoint. Covers everything from simple interactive 2D vector stuff to high-performance bitmapped 2D graphics as well as 3D (with or without acceleration) and everything in between. Either as part of a web site interacting with the rest of it, loaded from a web site, or a standalone application. And works really well while doing so, provided that the developer actually knows what he/she is doing (admittedly, your average Flash developer should be dragged out and shot, but that applies even more so to web developers in general). With a nice API and a rich ecosystem including very good third-party toolchains and libraries. Etc.

      Too much focus on making it nice, pretty and nifty and too little focus on security.

  5. Dieter Haussmann

    Almost sage-like..

    "On April 29, 2010, Steve Jobs, the co-founder and chief executive officer of Apple Inc., published an open letter called "Thoughts on Flash" explaining why Apple would not allow Flash on the iPhone, iPod touch and iPad. He cited the rapid energy consumption, poor performance on mobile devices, abysmal security, lack of touch suppor."

  6. tin 2

    I wonder what they're doing about...

    ...ad blocking. Seeing as it's fighting for top spot in the how-to-get-malware-on-peoples-PCs charts.

    I wonder if for *some* reason they'll be slightly less active in that area.

  7. Neil Alexander

    I wonder if anyone at Adobe is ever kept awake at night wondering how the hell they managed to inherit one of the Internet's most hated products.

    1. Chika
      Devil

      I wonder if anyone at Adobe is ever kept awake at night wondering how the hell they managed to inherit one of the Internet's most hated products.

      Macromedia's revenge!!!

    2. Anonymous Coward
      Anonymous Coward

      >I wonder if anyone at Adobe is ever kept awake at night wondering how the hell they managed to inherit one of the Internet's most hated products.

      It was cutting edge when they inherited it from Macromedia and for several years after - they failed to invest in and evolve it. Java has suffered exactly the same fate. HTML5 is fine for web games and wrapping video - but replacing Flash (& Java) with DHTML 4.0.2.0 is hardly a recipe for restful nights.

    3. jonathanb Silver badge

      It replaced Real Player as the de-facto standard for web video, and it was a major improvement at the time compared to that POS.

  8. Anonymous Coward
    Anonymous Coward

    Shouldn't have never supported it to begin with!

    They should have never started building it in and supporting it to begin with! Only reason they did it was to poke a jab at Apple!

  9. raving angry loony

    BBC off then

    I guess the BBC better get off their lazy, incompetent technical heinies then and move away from Flash, because at the moment they're the only news organization that I read that uses that piece of crap.

    @JLV: I don't think the CBC doesn't use flash, since I've managed to make their videos work once and I don't have flash installed anywhere. What they are using is an in-house player that only works if you aren't blocking some of the most intrusive and harmful advertising servers in the business. Into which they wrap YouTube and other videos that they've stolen and re-packaged so they could put their ads on them. I haven't been able to get their videos to work with even minimal blocking, and stopped trying years ago.

    1. MrT

      Re: BBC off then

      Depends on the browser . In the desktop version of Firefox I use "User-Agent Switcher" by Linder rather than editing the about: config settings. Whenever Auntie kicks off about media not playing, tell it you're using an iPad, refresh the page and carry on watching. It's pretty much the only website that I use regularly which needs this workaround.

  10. laurence brothers
    FAIL

    The sad thing is if Adobe wasn't malicious or stupid -- likely both -- they could have avoided all this by eliminating some of the more ludicrous capabilities of flash, keeping it simple and small and relatively easy to verify and relatively hard to hack.

    When their product manager said "sure, let's enable camera and microphone access by default for all apps", if there was a responsible executive anywhere in the company that never would have happened. Same for the notorious secret settings-web-page that for years they didn't even advertise as a way to control how flash apps behave for a given user.

    These people are either criminals or cretins.

  11. Ropewash
    Pint

    A line I once read...

    From a poster on our outhouse wall when I was a kid.

    "If builders built buildings the way programmers write programs then the first woodpecker to come along would destroy civilization."

    I think they foresaw flash with that one.

    I sit here on a wineless linux box so the "click here to install our codecs.exe" pop-ups don't work even if I was stupid enough to try. (I've yet to see a "click here to sudo our .sh") Without having ever installed a flash plugin and using Firefox with all the almost pre-requisite blockers installed just so I can browse the damned web without needing a re-install by the end of the week.

    Beer, because it IS the end of the week.

  12. Tannin
    Flame

    Off-topic (almost)

    One nice thing about having Flash content is that you can tell your browser not to run it. This avoids all those shouty, distracting things. Once in a while, when you actually do want to see something animated, you can click to run.

    Is there a simple, practical way to turn off HTML5 animation or make it click to run the way you do with Flash?

    1. Anonymous Coward
      Anonymous Coward

      Re: Off-topic (almost)

      LOL, you want NoScript. It'll turn off 80% of HTML5 and break 99% of websites, and it's not exactly easy to selectively unblock scripts. Yep, it's 1999 all over again.

      1. User4574
        FAIL

        Re: Off-topic (almost)

        "...NoScript. It'll turn off 80% of HTML5 and break 99% of websites, and it's not exactly easy to selectively unblock scripts. Yep, it's 1999 all over again."

        If you have to unblock Javascript just to view the page content, then they're doing it wrong. The good thing about 1999-2009 was that a good website just needed HTML for markup and CSS for styling, everything worked in virtually all browsers and building sites that adapted to different displays was simple.

        Then some hipster had the idea of using Javascript to turn websites into ~applications~ so you get served a blank page if you don't enable JS. The trouble with that is you go all-or-nothing and enabling it on example.com allows scripts loaded from example.com to pull in everything from spyware to malvertising.

        I'm not convinced that Angular.JS is all that much different from Angler Exploit Kit, these days a modern website has all the hallmarks of a malware slinger with obfuscated JS included.

        1. bombastic bob Silver badge

          Re: Off-topic (almost)

          "If you have to unblock Javascript just to view the page content, then they're doing it wrong."

          WELL SAID!

          A couple of years ago, things worked fine if you used noscript and 'gnash' (it's a POSIX thing) rather than Adobe's plugin. Gnash being open source was LESS likely to do evil things, and it had the extra interesting capability of doing automatic stream captures to a directory of your choice. Unfortunately gnash is behind the latest moving target on FLASH specs, and didn't work last time I tried it.

          So now I happily disable all flash plugins, on everything, period (even gnash). And I use 'noscript'. It's like "safe surfing". It's amazing how many viruses and hijacks will NOT happen if you block javascript and flash. [and I have others do the same, and it works, even on a Vista system]

          And blocking HTML5 content by default, particularly ads - that is *EXACTLY* what *I* want to do! More people should do the same. If *EVERYBODY* does this, then it would force ad servers to use static content again. And, NO SCRIPTING.

          /me pointing out that you can make a nice, readable web page by using '<table>' to size columns. I like making the content 85% of the screen width so it's easier on the eyes. no need for script. drop-down menus are overrated.

        2. a_yank_lurker Silver badge

          Re: Off-topic (almost)

          The same problem has occurred before with Flash. There has been a tendency for idiots to have audio or video on a site to be hip when the site should be simple html/css. Ten years ago it was Flash now it is JS embedded garbage.

      2. JLV Silver badge

        Re: Off-topic (almost)

        >turn off 80% of HTML5 and break 99% of websites

        Your mileage. Not mine. If you don't want to use it, that is entirely your choice. But your claims are somewhat overblown.

        Yes, it kills some sites, but not that many. Most sites work fine in degraded mode without their JS.

        It's not that difficult to grant a temporary "all js for this page". And maintaining the whitelist is not that hard either. The only thing that's really hard is some/all of the advanced settings stuff. I usually don't bother by that point and just Chrome it. FB, which I rarely use, only works with Chrome at this point.

        As a bonus, google analytics and its kin never quite made it onto my whitelist.

        i.e. you don't like NoScript and I respect that. It's not for you. However, don't give everyone the idea that it won't work for them either. IMHO, it's a significant contributor to web-facing security for those who can be bothered to use it.

  13. lybad

    Business Systems

    It's all very well to start blocking flash because of it's security risks - unfortunately a lot of business systems still rely on it (and java).

    At work, we use VMware - on newer versions some of the functionality has been shifted from the .net client into the web client, which is flash based. They started development of an html5 client, then stalled it - they announced in a blog post this week that a new html5 client is starting to roll out now, but with limited functionality. But not there yet.

    Java is a similar thing - a lot of system admin tools are based on it, but the support levels are ridiculous, meaning we need to have several java versions installed, and remember which version is needed per application (or include specific wrappers round them).

    1. Bruce Ordway

      Re: Business Systems

      >>Java is a similar thing - a lot of system admin tools

      Yes what a pain. Tools for legacy applications based on java = a lot of hoop jumping on newer servers.

      >> flash

      Sometimes I look back fondly on the days before browsers when I was using Director and loving it.

      I did try Flash off and on but never really warmed up to that. Just never seemed to reach a point where is was really practical. Now I avoid/block whenever possible and will be so glad when it has finally been eliminated completely.

  14. Nifty

    Could be that once all the equivalent bells & whistles are added to HTML5 to make it usable for e.g. VMware and in-browser apps, it'll then have a similar surface area = zero day vuln possibilities as Flash?

    1. ThomH Silver badge

      It could be, but with at least three different popular implementations, and with features agreed by the slow churn of a standards body rather than the late-night scribble of a product manager onto a napkin, problems should be more localised and more often foreseen.

      You know, hopefully.

  15. anonymous boring coward Silver badge

    Can Google please inform BBC about this?

    It looks like the PUBLIC SERVICE company can't get their thumb out.

  16. Outcast

    FB Games

    Flash will "go away" only when the FB games no longer use it.

  17. herman Silver badge

    BBC

    Aunty BBC will stop playing also.

  18. sikejsudjek

    Its really only the BBC that I use flash for. They don't use flash for mobiles so why are they still using it for desktops ? The sooner flash dies the better for everyone.

  19. Jean-Paul

    Dumped it

    Six years ago. I haven't had that rubbish on my machines since six years ago. Never liked websites made with it. Apple were right not including it on the iPad/iPhone. Six years on people finally start getting it.

  20. Breen Whitman

    Just for thesakeof a little honesty, this is less about security and more about banning a platform that provides competition to apps and games. We saw this on iPhone and Android.

    Now that there is the chrome store flash to to much competition.

    Html 5 on mobile does not function like a desktop browser. Performance is sub par. And they still banned flash. The security argument is just the selling point.

  21. razorfishsl

    it is not that simple.

    Many routers , NAS and even that damned "ZIMBRA" email /collaboration suite demand flash is installed.

  22. localzuk

    Someone please tell education sites!

    Flash is still heavily used in educational sites. To the extent that Flash not working in Chrome would be the end of us supporting Chrome in school here.

    Every online testing site we've ever used here uses Flash. BBC Bitesize uses Flash. Cool math 4 kids uses Flash. Gridclub etc... The list goes on.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019