Transcript
To Flash? Or not to Flash?
That’s a really good question. Hi everyone! Leo Notenboom here for askleo.com. You know, Adobe Flash has come under a lot of heat this last week. There have been several zero-day vulnerabilities that have been discovered and in most cases quickly repaired. Zero-day, of course, means that the problem, the vulnerability, the bug has been found actually being exploited in the wild, meaning that there’s technically zero days to fix it before people are safe.
Now, this is not the first time. Flash has had many problems over the years. I’ll call it “permeable”. It seems to be full of holes. Now, several folks, including Facebook’s own director of security are now calling for Flash to be formally discontinued. I think they were formally calling on Adobe to declare an end of life for Flash.
And of course, many security experts are encouraging people to uninstall it completely and just stop using it. Not so fast. You know, it’s rarely that things would work out to be that simple. Flash has been around for a really, really long time and in fact that’s one of the problems; one of the things that leads up to our current situation with Flash. It’s really, really old code in its underpinnings.
The problem, of course, is that I figure it’s probably used one way or another on perhaps millions of websites. As we’ll see in a moment, some website owners, myself included, might not even know it. So, uninstalling it might end up making you safer, in fact it will end up making you safer, because you won’t be vulnerable to any Flash exploits no matter how many that might come up.
But, you know, you’ll also encounter websites and web services that will stop working for you because they require Flash. Now, some of these millions of sites are going to update. As it turns out, 99% of what Flash is used for, basically video and audio and multimedia on web pages is actually part of the HTML5 spec. It’s been out for several years now, and HTML5 is supported by all current, major browsers.
It’s just already, all that stuff is built in without needing to install an additional plug-in or add-on like Flash. So, here’s the problem though – websites need to be updated to take advantage of HTML5. Now, many of those millions of sites, of course, they’re going to get updated. It’s not going to be a problem. The problem, on the other hand, is that many of them will not be updated. They will continue to use and require Flash.
Now, I am slightly embarrassed to say that I turn out to be one, or actually two or three of those millions of sites. The problem is this – until yesterday the audio player on askleo.com that I use at the bottom of all current articles to play the podcast version, the audio version of each article turned out to require Flash.
Now, fortunately I was able to make a simple change to the plug-in that I use to provide that functionality on each page so it was a quick change and all of the players now are HTML5 compatible, and they just work there. Unfortunately, that’s not true for a couple of my other sites; specifically, the Members Only site that contains the videos that accompany your purchase of many of my Ask Leo! books.
When you purchase a book, you have an opportunity to register and get an account on members.askleo.com where you can access bonus material, and much of that material, in fact most of that bonus material usually takes the form of videos. Videos that can either be downloaded (which of course is not affected by any of this) or can be played directly on the web page, which is.
As it turns out, the video player that I’m using right now requires Flash. Whoops! So, the problem here of course is that’s going to be work on my part to go through and fix. I actually have to touch every page that holds the video and make some changes to use a different approach that will allow the video to be played using HTML5 assumptions rather than using Flash.
I plan to do that; that’s not an issue for me. And to be clear, it’s not that I made a conscious decision to use Flash; it’s not like most webmasters decide to use Flash specifically. What typically happens, and is what happened in my case, is that I ended up using a library of code that makes putting video on web pages easier rather than having to write a bunch of supporting HTML and JavaScript and a bunch of other stuff. These libraries allow you to just say, “Here’s the video and play it here and make it this big,” and they provide you with a nice player and the play button and the pause button and all that kind of thing.
Well, as it turns out, the library that I chose requires Flash. Now, ten years ago, that was the perfectly valid assumption; a perfectly valid requirement, and in fact, that’s one of the reasons that Flash became so popular, because Flash was being used to provide video on again, millions of different websites. It was the way to do it.
It’s not so much true though anymore, and that’s why this is happening; that’s why websites technically should be changing to move away from Flash. So, the real question, of course, is well, what do you do? Well, to be clear, if you own or operate a website, like I do, view it with Flash uninstalled or disabled like I did. Like me, you might be in for a surprise.
You might find the pieces of your website don’t operate the way that you expect them to, or the pieces of functionality are completely missing if Flash is not allowed to run when your website is displayed. So check it out and then consider your alternatives. Figure out if it’s going to be something you want to fix or maybe just leave alone. I don’t know. It’s the decision you have to make.
As an average user, of course, the answer is more complicated. You can, of course, uninstall Flash completely. The way to do that typically is to go into Control Panel > Add or Remove programs and just look for either Shockwave Flash or Adobe Flash and uninstall those and the components that have the similar names.
That will remove it from things like IE and Firefox. Alternatively, you can install a plug-in, an additional plug-in as it turns out that will disable Flash without actually uninstalling it, and you may want to do that. It’s kind of the default behavior for Firefox right now. In other words, that was part of the big news this week is that they block Flash by default but they don’t uninstall it. They still let you run it.
There are plug-ins for Chrome. Since Chrome runs its own built-in version of Flash, you actually do need to use a plug-in to turn it off, or of course, the third alternative is that you can just keep running it. If you need to do that, that’s fine just make sure you keep it up-to-date – as up-to-date as possible all the time.
As we’ve seen just this week, and as we expect to see in the coming weeks, there will probably be more vulnerabilities found, and you’re going to want to get the fixes for those vulnerabilities as soon as they’ve been made available. My approach, and I guess it’s going to be my recommendation is to run a Flash-blocking plug-in, it’s what I’m using in Chrome, in Chrome we don’t really have much of an alternative.
I’ve got that plug-in installed right now. The problem here, really, is that I think that it’s extremely likely that after disabling Flash, you’re going to discover that some website you care about requires it, and that’s going to leave you in a quandary if you’ve got it completely uninstalled, that website will not work without Flash. It just won’t.
Whereas with these Flash blocking plug-ins, most of them will give you the option of running Flash on a case by case basis, so that when you visit whatever website that is that uses Flash, that you need to use Flash on, you can say okay, run it. I know this website; I trust it; I need this; go ahead and run Flash.
I use something called Flash Control in Chrome, and it does exactly that. If there’s Flash content on a page, I can see that there’s Flash content on it because it displays a little black box that says it’s blocked, and by clicking on that box, I can then choose to run the Flash content on that page manually. But like I said, honestly, it really all depends on what sites you visit regularly on the web.
How many of them require Flash? And how important they are to you? I think once you run a blocker, you’ll be very surprised at just how pervasive Flash is. And you’ll understand why this is not necessarily an easy decision. Even stopping Flash development or bringing Flash into end of life is not an easy decision for the industry as a whole, because there are so many websites out there that still depend on it and probably will depend on it, perhaps without even realizing it, for a very, very long time.
So, that’s where we are with Flash; that’s what I recommend you do. What do you think? What approaches are working for you? What approach do you plan to take? Do you have a good Flash blocking plug-in for whatever browser it is you are using or some options within that browser to help control Flash? Let us know.
Share your comments down below. As always, if you’re viewing this anywhere but on askleo.com here’s the link. Go visit that page. That’s where we have comments, the discussion, the ideas that other people will be sharing. Comments are all moderated, so it’s a safe place to hang out and I really, really look forward to hearing what you have to say.
As for me, well, I’ve got some web pages I need to go modify.
I will see you again next week. Take care.
To remove Flash, go to Apps and Programs in Settings and uninstall it.
Click Windows Start Icon
Click the Gear icon
Click Apps
Scroll to Adobe Flash Player and click Uninstall
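For site owners, the check recommended in the transcript (view your own pages with Flash disabled) can be complemented by scanning the page source for Flash embeds. The following is an added example, not code from Ask Leo!; the function names, sample markup and file paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLASH_MIME = "application/x-shockwave-flash"
# ActiveX class ID that Internet Explorer uses for the Flash control.
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"


def _is_swf(url):
    """True when the URL path ends in .swf, ignoring query string and case."""
    return bool(url) and urlsplit(url.strip()).path.lower().endswith(".swf")


class FlashFinder(HTMLParser):
    """Collects tags that make a page depend on the Flash plug-in."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []    # (line number, tag, reason)
        self.html5_media = 0  # count of <video>/<audio> elements

    def _flag(self, tag, reason):
        self.findings.append((self.getpos()[0], tag, reason))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        mime = a.get("type", "").strip().lower()
        if tag in ("object", "embed"):
            if mime == FLASH_MIME:
                self._flag(tag, "type is " + FLASH_MIME)
            elif a.get("classid", "").strip().lower() == FLASH_CLSID:
                self._flag(tag, "Flash ActiveX classid")
            elif _is_swf(a.get("data")) or _is_swf(a.get("src")):
                self._flag(tag, "loads a .swf file")
        elif tag == "param":
            if a.get("name", "").lower() == "movie" and _is_swf(a.get("value")):
                self._flag(tag, "movie parameter points at a .swf file")
        elif tag == "script":
            # Heuristic: the SWFObject helper script is a common way
            # player libraries pull Flash in without the owner noticing.
            if "swfobject" in a.get("src", "").lower():
                self._flag(tag, "loads the SWFObject embedding script")
        elif tag in ("video", "audio"):
            self.html5_media += 1


def audit_page(html):
    """Return Flash findings and whether any HTML5 media element exists."""
    finder = FlashFinder()
    finder.feed(html)
    finder.close()
    return {
        "flash": finder.findings,
        "html5_media": finder.html5_media,
        # Flash present and no <video>/<audio>: visitors without Flash
        # will most likely see nothing where the player should be.
        "flash_only": bool(finder.findings) and finder.html5_media == 0,
    }


# Constructed sample: an old-style audio player embedded through Flash.
SAMPLE_LEGACY = """
<div id="player">
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="400" height="30">
  <param name="movie" value="/media/player.swf?file=episode1.mp3">
  <embed src="/media/player.swf?file=episode1.mp3" type="application/x-shockwave-flash">
</object>
</div>
"""

# Constructed sample: the same content served with HTML5 elements.
SAMPLE_HTML5 = """
<audio controls src="/media/episode1.mp3"></audio>
<video controls><source src="/media/bonus.mp4" type="video/mp4"></video>
"""

if __name__ == "__main__":
    for name, page in (("legacy", SAMPLE_LEGACY), ("html5", SAMPLE_HTML5)):
        result = audit_page(page)
        print(name, "flash_only =", result["flash_only"])
        for line, tag, reason in result["flash"]:
            print(f"  line {line}: <{tag}> {reason}")
```

A static scan only sees markup present in the HTML source; a player injected by JavaScript at run time will not appear, so loading the page with Flash disabled remains the definitive check.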
Really excellent summary and recommendations, Leo. Sorry to hear about the hip.
I’ve been using the Flashblock add-on in Firefox for some years – to stop those irritating pop-up ads. But good to find that I was doing the right thing from a security perspective. And – as you say – amazing how pervasive Flash is. No wonder it is being targeted.
Excellent comment and advice Leo, thank you. I have decided to use the plug-ins (now disabled) and not uninstall. My husband does video editing and I recall the suite required Adobe Flash, so I don’t know what to do from this aspect. I have taken your advice for several years now and it never fails. Love the extra stuff coming through now ……..and I have one or two of your books, which are brilliant.
Can feel for you on the hip situation, I’ve had both replaced after degeneration due to chemotherapy. (Cisplatin they call it). The stuff gets the cancer, (I was given 6 months to live, Fifteen years ago, with every joint in my body extremely painful.
I don’t use FLASH unless absolutely necessary. FarmTown (connected with Face Book) is one of the few.
Hope your hip is better.
I’m somewhat surprised that this is still an issue. When Steve Jobs decided not to allow Flash to run in iPhones and iPads, I thought that that would have been the death knell for Flash as websites would scramble to use the functionality of HTML5 so that their websites would work on Apple devices.
What about Shockwave?
True Shockwave (completely different from Shockwave Flash) is used by so few that it’s rarely needed. There may be some online games that use it, but that’s all I can think of. If you don’t need it, uninstall it.
I pretty much agree with your take on this Leo. I hate Flash and the hassle of all the updates but there are about 6 sites I value that run it. BTW a popup just stopped me from typing! It was telling me to subscribe!!
One question though…I use FF and have a plugin in the browser…so does that mean I do not need the Adobe program in the programs in my Control panel? Not sure if these are the same!
Thanks :-)
They are the same – uninstalling it in control panel will remove it from your computer. The plugin only controls how it’s accessed.
Thanks Alex for the question and Leo for the answer. I was unclear about that as well.
Thanks for yet another informative video. I find that flash on some of the websites I visit, in particular a local web based newslink, causes the site to slow to a crawl, but I need it to run some of the news vids they have. If I disable Flash in my add-ons it speeds up the pages immensely, so in my case it is a real pain, but needed to watch the vids provided. I am speaking of IE, not an issue when I run Chrome or Firefox.
I typically use I.E. but am not sure how to obtain the plug-in you are talking about and am too lazy to look for one, for now. I am going to install Firefox and see how I like it.
Thank you, Leo. Installed the Chrome plug-in while you were speaking. What I would have wanted to know is, what might happen to my computer if I click on a website using flash, and what might happen to my website if it uses flash (I’m heading out right now to see if in fact my site does). Thanks again.
Thank you Leo, as always, for a clear and concise article. My question is as follows:- is there a way that we, the people at home using our computers for all the usual day to day stuff, can tell whether or not a website has been constructed using HTML5?
Not easily. I mean, disable flash and if video works it’s pretty obvious – mostly – but in general you’d need to look at the HTML source code.
Several years ago, turning the Firefox Flash plugin off was a major upgrade to my old dual core computer. Web pages were so bogged down with Flash garbage that it would almost crash the computer. Having the option to turn it on only when needed was great. The only problem now is; will I have the option to turn off the HTML 5 media that is going to replace Flash. I can run all my productivity programs, CAD and Libre Office on ancient machines but surfing the Internet requires a decent new computer just because Flash is such a resource hog.
Any software that needs to be updated every few of days for security reasons or any reason must be poorly written garbage code. This is analogous to having your car recalled 2 to 3 times a week because they did not build it right in the first place. Years ago I also stopped using Adobe Acrobat which was another resource hog, as soon as other options became available. Steve Jobs truly understood the concept of elegant code and Adobe never supplied elegance.
I’m not sure you’ve understood. HTML5 isn’t an ADD-ON, it’s a standard (replaced other versions a few years ago and if you look at the HTML code many of them will show the version somewhere near the beginning). Blocking it isn’t really all that useful, you don’t need to ‘attack it’ and if you did block it you’d probably be left with old websites and word processing :) You never downloaded it as a program, it was written like that by the site developer.
And sites like You Tube work in HTML5 on capable browsers so you can watch cats or old 80s pop bands without a lot of fears… older browsers that can’t support it are likely being phased out for usage at many sites anyway (which means it will not work or be grumpy about it using the IE versions for XP and Me, IE 9 in Vista probably soon). Firefox will probably work with older OS versions, read up on it to determine which version you’ll want but remember that you’ll get passed by someday there as well.
Still, like Leo said, a lot of stuff still runs on Flash. Until the other day I was getting pestered to install it on my webmail (you don’t have to) and I suspect it was more for the advertisements that accompany it (and you can pay for the ad-free version, which I wouldn’t anyway, bologna sandwiches are more important to me).
Firefox isn’t the only thing left out there but it’s the one that seems to have more experienced users to draw knowledge from and it’s often paired with Linux versions.
Updating Flash has allowed Firefox to return to normal operation with regards to Flash websites.
While I agree that websites should get rid of Flash (since HTML5 will do it all anyway), if we were to abandon using all software where bugs were found, we wouldn’t be using our computers at all (how many bugs have they found in Windows and we still keep using Windows). Instead, my approach is the same as with anything on my computer. Be careful where I go and what I do. Do backups. Keep on top of all updates to ensure that I am running the most up-to-date version.
Our Canadian national public broadcaster uses Flash on almost every news story they publish. Eliminating Flash is not going to work until the CBC gets with the program.
I have the Shockwave Flash plugin for Firefox set on “Ask to Activate,” which works pretty well for me. But it seems every site I go to asks me to activate it, so I don’t see it being phased out. Though, I do see quite a few annoying ads running seemingly without the need for Flash. Is that HTML5 at work?
One thing not touched on:
How would the Flash vulnerability likely manifest itself on my computer if I were to become a victim?
Malware – any sort of malware – would likely be installed. There’s no single set of symptoms since the malware could be anything.
Great article, as always. I use FireFox for most of my browsing, and have Flash set for “Ask to Activate” – works great. Pages load faster, and I only use it when I need it.
Two questions:
–Could you clarify the difference between Flash, Shockwave Flash, and Shockwave please? And where does Silverlight fit in?
–This may be an issue for another article, but could you clarify the difference between add-ons, extensions, and plugins also?
Thanks!
Flash, Adobe Flash and Shockwave Flash are the same thing. (Shockwave created Flash and were eventually purchased by Adobe. The name persists.)
Shockwave (without Flash) is a completely different technology, also used to bring animation and interactivity to web pages, but it’s not used much at all.
Addons, extensions and plugins are three names for the same thing. They’re all software that adds functionality to other software when installed.
Thanks!
You don’t need a separate plug-in to block Chrome’s specific version of Flash, which Google maintains the security of and doesn’t have quite the same vulnerabilities as the Adobe Flash program people download to their pcs. Is it 100% safe? Nothing is. If you do want to disable it, you can type in the address bar chrome://plugins to pull up the Flash plugin and check disable. It’s all about choices in the end, as is assessing risk in everything we do in life: Some things are worth the risk so we accept the consequences and go for it. Security’s paramount to me; I was told over six months ago to uninstall Flash from my pcs and leave it off, period, just as I did Java years ago. I complied. The vulnerabilities in Flash are serious and will only get worse. Updating Flash is meaningless when one considers the last three vulnerabilities were exploited, and code released to the Internet to further exploit them, THREE DAYS BEFORE Adobe even knew they had a bug. For me, this comes down to the question of what we can personally do to keep our systems safe, no different than all the other things you teach about browsing habits that leave us vulnerable, and I’m admittedly a security freak. Hope you’re feeling better, Leo.
Right, Chrome doesn’t need a plug-in to block Flash, and, even better, it has a nice option similar to the Flash Control plug-in Leo is talking about which lets you have Flash (and other plug-ins) off by default. Then if you want to see the content you just right-click on the placeholder on the page and choose “Run”.
See http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/ for how to set this up in Chrome and in other browsers (including IE!)
What is the link to Flash disabling add-on? Or do I need to change Firefox settings? Thanks.
Firefox Settings>Add-ons>Plugins. Next to any Shockwave or Flash-related objects, you’ll see a drop-down menu. Click on it, and set it to ‘Never Activate.’ This was the path as of February, 2015. I rarely use Firefox and don’t have it installed on the laptop I’m on right now, so I can’t check to see.
For what it’s worth I have a strong dislike for having porous programs on my computer. While disabling Java means that you can’t use Open Office or Libre Office, I think that if you want a free Office program, WS Office (previously known as Kingsoft Office before it was absorbed) gives the user a word processor which is totally compatible with Microsoft Office and, while it’s not powerful enough to write a doctoral thesis on it, for 99% of people it’s great. It has a spreadsheet that is compatible with Microsoft Excel, and a presentation software program that is compatible with Microsoft PowerPoint. If you want more mathematical and statistical functions in the WS Office spreadsheet or if you want to write macros, for $50 you can step up to WS Office Pro. Few people need this. So Java is out.
Adobe Reader is also porous, and it can’t read many pdf files that I get from friends – see Bullzip Free pdf writer. The freeware program Sumatra has a tiny footprint and can read everything that Adobe Reader can and more. In addition it can be downloaded and updated through Ninite. Bye-bye Adobe Reader.
I’ve had it with Flashplayer and its constant need for patches. It’s another typical Adobe catastrophe. I’ve long since gotten rid of it and don’t miss it at all. If there are pornographic sites that require it and somebody wants to watch those then they need Flashplayer. I don’t visit those sites so I don’t know anything about such requirements. In the last six months only one site (Yahoo) has refused to run a video without Flashplayer – it was no great loss.
YouTube is so gigantic that you can see almost any video that you want to there. It’s not just a music site. There are educational videos on everything under the sun. They range from changing the battery in an electric toothbrush to high level mathematics and statistics. Google owns YouTube so it’s HTML5 compatible.
Yes flash is very buggy and vulnerable, but used by so many websites (required) that it’s an essential plugin to have installed still. So as Leo mentioned above, use a flash blocker add-on/extension for Google Chrome, Opera, IE, Safari, Firefox and Pale Moon. You can also just enable the built in click-to-play per-element option, a.k.a “detect and run important plug-in content” in Chrome and “remove from all website and ask to run” in IE and of course keep it updated. This way you have it when needed (installed), but it won’t be a security risk and it will not use up a lot of bandwidth/system resources (RAM) while browsing.
G’day Folks,
I am reminded that IE and most of what Microsoft publishes has so many holes that the Pope is going to Canonize all the IE versions as they are the “Holiest” release from Microsoft. I won’t bother mentioning the others from Microsoft, mainly because I have lost count of the bugs and vulnerabilities in them.
I am also reminded of the scare mongering relating to Java some months ago and the hype surrounding it. Surprise, Surprise, it all seems to have gone away !!??
Then now we have the Adobe Flash situation, the ploy is very similar to that of Java which makes me wonder if the same Scare Mongers are at work here ?
Flash is at v Flash Player 18.0.0.209 (Win and Mac), and if you need to check for the latest version then go to this page ” http://www.adobe.com/products/flashplayer/distribution3.html ” just make sure you download both the players for IE and Firefox and run them as you will find that 99.9% of the bugs have been fixed.
– I wonder what of Microsoft’s “Silverlight” ? are we scare mongering Adobe Flash to make Silverlight number 1 ?
Just keep checking the Adobe URL above once a week to see if the Flash version has been updated yet again, which it most likely will be in view of the scare mongering that is currently in play :)
Have fun with Flash, I expect we will see it for some years to come, in my opinion.
– However change to HTML5 if you have a website, and that is not going to be an easy task when you have several sites running, all using Flash.
Regards
Roger H. / PC-Bug Fixer, Sydney, Australia.
G’day Folks, yet again,
I forgot to mention that Leo’s article is very good and covers the situation regarding Adobe Flash.
Also sorry to hear about your Hip, take care of it a replacement is not as good as the original.
I trust that this is not regarded as off topic, as it is a continuation of my last post!
I also wanted to mention the result of the Java versions and notably that Oracle / Java is still supporting Win XP Pro SP3 contrary to the Dooms Day Merchants regarding Microsoft dropping support for it. Lo and behold that I use Microsoft Update on my XP machine and it continues to update Critical and Microsoft Office updates, used it a week ago and it still updates my XP machine.
– Java for XP is at Java Runtime Environment 1.7.0.79 for 32 and 64bit, also has both Java CPU (7u79) and PSU (7u80) releases. check what the differences are on the site.
To check for the latest version for XP go here “http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html ”
– Obviously Win 7 and above continue to be supported and Java for them is at “Java Runtime Environment 8.0 build 51”
To check for the latest version for Win 7 and above go to “http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html”
Seems that Most of the bugs in Java have been fixed and the Scare Mongers are on other Game in the IT Jungle.
Regards
Roger H. / PC-Bug Fixer, Sydney, Australia.
At last! Someone with a sane outlook regarding Flash. So tired of authors dishing out advice (mostly read on and/or copied from other sites) to remove Flash immediately, without offering really viable alternatives or detailing the consequences of uninstalling it. It is simply not feasible to completely remove it at this stage, unless the Net is extremely low on your priority list. I am not a torrent user, nor do I play games, only rarely watch a video or listen to audio, yet I cannot do much unless I have Flash on my system. The same goes for Java. Even my ISP and my accounting auditors use Java. I have installed Malwarebytes Anti-Exploit, but after about 2 months I have encountered only one site where it popped up a warning. I shall simply continue to upgrade to newer versions of Flash and Java until I can realistically do without it.
I use the free Malwarebytes Anti-Malware. Is Anti-Exploit something new?
Malwarebytes Anti-Exploit is an additional tool from Malwarebytes which protects certain programs against exploits.
As I understand it, yes. Exactly what, I’d have to send you to their web site to find out as it’s still unclear to me as well.
Now that I have Flash blocked by default, I find it surprising how many website designers who should know better are still using Flash. A couple of prime examples. PC-World (duh you guys harp on the dangers of Flash and still use it) and Time magazine (OK I gotta say I shouldn’t expect better as it’s turned into an almost exclusively click bait site.)
In everyone’s defense, it’s very easy to use Flash without realizing it. I have fallen into this trap myself. My audio player was flash (until I changed it), and my video player on the members-only site still is. I did not choose to use flash – I chose to use a library that made audio and video easy without realizing (or caring, at the time) that flash was being used. I suspect I’m not alone.
Did I miss something on the Flash forum? I don’t recall seeing a link to any sites that offer a Flash blocking/disabling utility. I sort of speed read the conversation. Sorry if I missed it.
P.S. I use Internet Explorer 11.
One issue many will face is on computers used for both work and personal use, you have certain older programs that you must use/keep in order to run your work programs. That means not all browsers you’re forced to have will be able to run this newer protocol/HTML 5 and therefore you’re back to either Flash or nothing for the content. I don’t use IE anymore for anything but work programs on this computer because we can’t update it to above IE10 – and that recently, used to be IE8 – due to compatibility issues. All “personal” web surfing is on Firefox (which isn’t connected to any work programs), and I have the option to enable Flash on a case by case basis (as you noted in the video). I’m wondering if there is anything in the hyped and anticipated Windows 10 that will help or hinder this. The new “Edge” browser is supposed to be the latest and greatest, but I haven’t seen it in action yet and can’t judge.
I don’t know of anything in Windows 10, or Edge, that impacts this situation.
what about a complete rewrite of the entire program?
seems like a good chance for someone to create a replacement for flash.
Wayne
In the process of removing Flash from all of my computers, I found that Firefox and I.E were easy but with Chrome, when I clicked on settings, and then extensions, Flash was not shown. Turns out that it’s hidden. To find it just type into your search window, Chrome://plugins then you will notice that you have the option of disabling it so that it’s not actually gone and you can reactivate it again if you want. It just won’t be active in the background without you knowing about it.
I have antivirus software running and I tried to install flash player but google told me I couldn’t do it. I have games in my favorites that I like to play but can’t. I’m ready to take a hammer to my laptop. Thank you.
Google and your anti-virus software are two different things. The first thing you need to do is to figure out if you are receiving the error from your anti-virus software, or from your browser.