Kill Flash now? Chrome may be about to do just that

Google's Chrome web browser could be disabling all Flash content by default before the year's out. El Reg has learned that developers with the Chromium Project are working on a new feature known as 'HTML5 by Default'. The move could help to keep users safe by locking off a favorite target for web-based malware exploits. As …


  1. redpawn

    About to?

    By the end of the year is a long moment.

    1. Andy france Silver badge

      Re: About to?

      Till then set Chrome to ask before running plugins i.e. flash

      This option is cunningly hidden under settings/advanced settings/Privacy/Content settings/Unsandboxed plug-in access.

      After that you only run flash when you really want to by right clicking the flash and selecting run. Disabling the flash plugin works too but I found myself forgetting to disable it again after visiting one of the very few sites where I tolerate flash.

      1. goldcd

        There've been plugins to do this for ages

        e.g. Flash control.

        Nukes all Flash leaving you a "flash goes here" image.

        Then click on it, if you want it to run.

    2. big_D Silver badge

      Re: About to?

      Yes, until the end of the year is a long time. I killed it on all of my machines over 18 months ago and I haven't missed it yet.

  2. Anonymous Vulture

    Google catches up to Apple, while Microsoft trails the pack

    So the Almighty Jobs killed Flash on mobile back in 2011, and Google is set to do the same on the desktop in 2016. All I can say is, it is about bloody time!

    Flash has been a security joke forever. The numbers there amaze even me, 314 vulnerabilities in 2015? You're probably safer running a Windows 98 box than a modern Windows flavor with Flash installed.

    That said, the Flash plague will probably haunt the Internet for at least another 5 years until Microsoft finally kills it in an undocumented "functional" update to Windows 10. This nonsense about exempting the top 10 Flash domains seems like it could extend the nightmare for a bit.

    1. patrickstar

      Re: Google catches up to Apple, while Microsoft trails the pack

      To be fair, its bug count or frequency isn't worse than any of the major browsers. They are all, universally, major security jokes, in case someone hasn't noticed. The advantage of Flash is that you can actually turn it off, unlike all the Web3.0 hipster crap in modern browsers.

      And just to be picky - while it for obvious reasons is unlikely to get targeted by some Russian exploit pack nowadays, Windows 98 in its heyday happily downloaded and ran ActiveX controls automatically. At most displaying a message along the lines of "Are you sure you wanted to run this ActiveX control?"

      And not sure whether Windows 98 is vulnerable to the MDAC bugs, but those (applies to NT/2K and XP up to some service pack) were actually a staple in above mentioned exploit packs for many years, and let attackers simply tell it to run any command.

      Finally - 98 has no ASLR/DEP (not that it would save you from those), sandboxing, permissions/user control, or even real ring3/0 separation, so any bug - memory corruption or not - and you're hosed.

      1. Anonymous Vulture

        Re: Google catches up to Apple, while Microsoft trails the pack

        patrickstar spake:

        To be fair, its bug count or frequency isn't worse than any of the major browsers.

        No argument, but its line of code count should be less than a browser and its stated set of functions certainly is smaller. Just because someone else writes terrible code does not mean you are excused for doing the same.

        Forgive me for using hyperbole to make my original point. I am not revising history to gloss over the atrocious lack of security controls in Windows 98, but given the choice between the two terrible alternatives I will take the obsolete and unlikely to be targeted Windows 98 box over a modern Windows box running Flash. Adobe seems to keep including bugs in each Flash release that allow for sundry nastiness despite OS security enhancements.

        1. Charlie Clark Silver badge

          Re: Google catches up to Apple, while Microsoft trails the pack

          I will take the obsolete and unlikely to be targeted Windows 98 box over a modern Windows box running Flash

          Really? Win 98 is just DOS which has absolutely no protection against permission escalation because it doesn't have permissions: find any exploit and get pwned.

          I think Flash suffered from feature creep. Remove the video stuff and you could probably tighten it up. In the meantime "press to play" and the improved plugin architecture do significantly reduce the attack area. Better still just deactivate it and hassle any websites that tell you Flash is required. Anything that depends on ads or subscription will switch pretty quickly.

          1. url

            @Charlie Clark

            No, and, almost two decades later we could collectively stop perpetuating the lazy myth.

            https://blogs.msdn.microsoft.com/oldnewthing/20071224-00/?p=24063/

        2. patrickstar

          Re: Google catches up to Apple, while Microsoft trails the pack

          It's less, yes, but there is a significant degree of overlap in the functionality exposed to hostile content.

          Flash has something corresponding to all the basic components and APIs except the whole user interface thing.

          Most importantly, it has all the parts that tend to be where exploitable browser bugs actually are.

      2. JLV

        Re: Google catches up to Apple, while Microsoft trails the pack

        To be fair, 1+1 = 2

        i.e. if you have a browser with a vuln quotient of x and then you add the y from Flash, you have x+y exposure instead of plain x. Note that in this equation, Flash's y is neither 0 nor negative. I would argue it is pretty high for its functionality compared to the Swiss Army knife of a modern browser.

        Additionally, you can run NoScript quite effectively to harden your browser to random JS. And it's not like white-listing automatically makes NoScript happy - it's often that it whines, justifiably or not, for a white-listed site's JS doing something it thinks fishy.

        In fact, as someone else mentioned a few days back, I tend to run FF w NoScript and fall back to Chrome when I can't be arsed to figure out what is irking NoScript on a site that I actually use.

        Flash content is opaque in that regard and I would rather concentrate on just dealing with JS vulns, thank you very much.

        Thank you, Chrome, anything that gets laggards like the BBC and CBC off Flash is most welcome. I haven't used Flash for years and I mostly don't miss it anywhere except for the 2 above. And that certainly includes YouTube which works fine without it.

        p.s. one exception - Joel Spolsky's otherwise excellent FogBugz service has an estimates-vs-actual time feature that I would love to use, but is based on Flash for its reporting (hello, D3, please).

    2. Andy Non Silver badge

      Re: Google catches up to Apple, while Microsoft trails the pack

      The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed, so the phuckers don't even let you remove it! Yet another reason to hate Windows 10, as though there aren't enough reasons already. Curiously it isn't even listed as a plugin on Firefox on Windows 10 so I don't know if Flash is active or not via that browser? She never uses Edge or IE.

      1. VinceH

        Re: Google catches up to Apple, while Microsoft trails the pack

        "The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed, so the phuckers don't even let you remove it!"

        See if you have Wild Tangent Games installed - I found Flash on my Win8 computer, and IIRC it was pre-installed with that.

        1. Andy Non Silver badge

          Re: Google catches up to Apple, while Microsoft trails the pack

          Just checked and no "Wild Tangent Games" installed. Ideally I'd like to remove Flash from the PC, we haven't used Flash for years and hate the way Microsoft appear to have hidden it inside Windows 10. If I can't get rid of it I'd like to be sure that Firefox isn't using it; it isn't listed as a plugin so I don't know.

          1. Chika

            Re: Google catches up to Apple, while Microsoft trails the pack

            Odd. If you go into Firefox on the Add-ons manager page and look under Plugins, you should find something there (on my Linux installation it shows up as "Shockwave Flash", it also shows up that way on Windows 7). On Windows you will probably find it in Programs and Features - removing any instance from that point will also remove it from Firefox. Bear in mind though that there are different versions of Flash - the ActiveX version and the NPAPI version. If the latter is missing then Firefox isn't using it. Both versions will appear in Programs and Features if installed.

            I'd suggest that if you think that you don't use Flash anymore, then uninstall it anyway and see what happens. Installing it again should you really need it isn't difficult but chances are that you won't.

        2. Anonymous Coward

          Re: Google catches up to Apple, while Microsoft trails the pack

          I run into Wild Tangent regularly on fresh out of the box and fresh reinstalled machines on a depressingly regular basis. That includes my consumer machines here as well. Hell, I don't even have to look at my notes about it!

      2. Free Maps?

        Re: Google catches up to Apple, while Microsoft trails the pack

        Not sure if the same applies here. I found a flash update on a 2012 server and knew it wasn't installed.

        It turns out to be a 'feature' called Desktop Experience and can be removed from programmes and features.

      3. Sandtitz Silver badge

        Flash in Windows 8/10 @Andy Non

        Windows 8 and 10 included the Flash plugin and it's kept up-to-date with Windows Update.

        To disable it in IE: disable ActiveX. The Edge browser has a simple on/off setting for it.

        The built-in Flash plugin doesn't work with any other browsers, so her Firefox is safe in that regard.

        1. illiad

          Re: Flash in Windows 8/10 @Andy Non

          yes, BUT what if websites NEED FLASH???? the BBC still needs it, but Apple must be paying them something so that it does not need flash??? YES, I once 'spoofed' Firefox to look like iPad, and HTML5 worked!!! :) but then they changed it, does not work any more...

          1. Anonymous Coward

            Re: Flash in Windows 8/10 @Andy Non

            There are other websites. Use one of those.

      4. TeeCee Gold badge

        Re: Google catches up to Apple, while Microsoft trails the pack

        Edge does not support plugins, but has a heavily-sandboxed implementation of Flash built-in. That'll be what's updating.

        The fact that it does update like that proves it's the internal MS version. Look on the bright side, if you were using the official Adobe version she'd have had Chrome and the Google toolbar installed on the qt as well.

      5. Captain Badmouth

        Re: Google catches up to Apple, while Microsoft trails the pack

        "The Mrs has got a Windows 10 laptop (spit) and I noticed it did an update to Flash the other day but it isn't even listed anywhere as being installed"

        M$ : This has nothing to do with you, it's our OS not yours. If you don't like it you know what to do.

        Assume the position.

    3. Charlie Clark Silver badge

      Re: Google catches up to Apple, while Microsoft trails the pack

      So the Almighty Jobs killed Flash on mobile back in 2011

      Only because, by then, enough had been done that Apple could get people to move from the Adobe walled garden to their own. This was pretty much also the time when Apple stopped contributing significantly to WebKit. And, wasn't there a note recently about Apple not giving a shit about the holes in Quicktime?

      If it was YouTube that helped Flash to dominance, it was Google that really pushed for HTML5 video being both free to use and free to create. Otherwise content providers would be paying both Adobe and MPEG licences to encode.

      The important thing will be to fail on feature detection so that the <video> tag gets precedence and offer "press to play" functions where this isn't possible.

      1. Martin Gregorie

        Re: Google catches up to Apple, while Microsoft trails the pack

        Google could most usefully show leadership by making sure that all the videos on Youtube are available as HTML5, and should preferably remove the Flash version each time they convert a video to HTML5. A quick check of four or five old favourites showed that all of them are still Flash, so YouTube have got work to do.

        On the web browser front, Firefox is in the lead: it canned Flash many releases ago, yet strangely El Reg didn't mention that.

      2. jason 7

        Re: Google catches up to Apple, while Microsoft trails the pack

        Jobs did hardly anything to kill Flash. He maybe knocked three months off it at best. It's 2016 now and Flash is still hanging around all over the place. It's hardly dead. Will still be with us at 2020 I reckon.

    4. Planty Bronze badge

      Re: Google catches up to Apple, while Microsoft trails the pack

      Ironically apple were still at the top of the list and ahead of flash in 2015 CVE even without flash's help...

      http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/

      Imagine if they had flash, they would be the unstoppable leader in vulnerable software by a large margin.

      1. Anonymous Coward

        Re: Google catches up to Apple, while Microsoft trails the pack

        Ironically apple were still at the top of the list and ahead of flash in 2015 CVE even without flash's help...

        Oh hello Microsoft Statistics guy, haven't heard from you for a while after I left your last attempt to be creative with statistics in a large smoking hole. I wonder how much are you paying Venturebeat to keep this (rather obvious) attempt at rigging statistics on their pages.

        Let's just line up the shot to kick you back into that hole then, shall we?

        From the page you supplied:

        OSX vulnerabilities: 384

        Windows vulnerabilities: (adding up ALL VERSIONS of Windows as you have to do to get the OSX numbers) 151 + 147 + 146 + 135 = 579, and that's leaving out the Server editions and RT.

        But that's only one third of the story. After all, it was you who wanted to play with statistics. Let's look at the whole timespan.

        OSX was introduced in 1999. That would bring the total of reported OSX CVEs to 1484, but guess what would happen to the Windows total? You'd have to include

        Win 98SE : 61

        Win 2000: 507

        Win XP: 726

        .. which brings our jolly total up to 1873 - and I still have left the server totals out of it (because Apple's isn't exactly in heavy use and I want to give the Microsofties at least the sporting chance they never give Apple). Still advantage Apple, and I'm not done yet.

        There's more embarrassment waiting in the wings - onwards to the last part of the story.

        The real fun starts when you go back to the beginnings and remember why the author made this "comparison": it was to observe security trends for making choices.

        A CVE entry is a warning signal which may or may not result in exposure. You'll find that actual exposure data in the "vulnerability" column, which is the real thing you want to pay attention to if you're serious about risk management (you weren't, but I am and these BS stories do not help).

        Here is the data as of today:

        OSX CVE entries: 1484 Vulnerabilities: 73 Patches: 128

        I am going to add up patches and vulnerabilities together because both indicate something grave enough to warrant effort, so for OSX it means that 14% of CVE entries were a risk, grave enough to warrant corrective action by Apple.

        Now let's go to Microsoft Windows.

        Win 98SE 61;145;14

        Win 2000 507;667;97

        Win XP 726;968;192

        Win Vista 670;538;123

        Win 7 560;436;92

        Win 8 254;182;0

        Win 8.1 254;129;0

        Adding that up demonstrates that over almost 3 times the number of vulnerabilities in the same time span (3032) there were actually more risks addressed than formally reported (118%). In other words, they quickly banged out fixes for things they didn't even tell you about and hoped you weren't watching the numbers properly. Yup, those are the people you should trust.

        So:

        1 - based on the bare numbers, OSX is SIGNIFICANTLY less risky than Windows

        2 - Apple seems to address issues that have as yet not resulted in exposures in the wild

        See you in a few months, I guess?

        1. Updraft102

          Re: Google catches up to Apple, while Microsoft trails the pack

          Most of the vulnerabilities are the same ones across Windows versions. One exploit does not become two simply because MS renamed the version of Windows that contains the vulnerability. You're essentially making up numbers here.

          1. Anonymous Coward

            Re: Google catches up to Apple, while Microsoft trails the pack

            Most of the vulnerabilities are the same ones across Windows versions. One exploit does not become two simply because MS renamed the version of Windows that contains the vulnerability. You're essentially making up numbers here.

            Well, it appears the same happens when you lump all versions into one "OSX" entry, so I guess that balances out.

        2. Anonymous Coward

          Re: Google catches up to Apple, while Microsoft trails the pack

          Having little to no legacy support, limited hardware options and a closed system does reduce some of those vulnerabilities for Apple.

        3. Anonymous Coward

          Re: Google catches up to Apple, while Microsoft trails the pack

          "A CVE entry is a warning signal which may or may not result in exposure. "

          Weird, as all the Android scare stories, and nothing actually occurring here in the real world, that suggests warnings are as good as exploits when it comes to writing clickbait.

          Typical upset apple fanboy that has double standards ...

    5. Mikel

      Re: Google catches up to Apple, while Microsoft trails the pack

      Hey - at least Microsoft gave the world a Flash replacement. It's called Silver light. ;-)

      1. Anonymous Coward

        Re: Google catches up to Apple, while Microsoft trails the pack

        Hey - at least Microsoft gave the world a Flash replacement. It's called Silver light. ;-)

        Was. It's already gone...

        Adobe can play that game too: it's called HTML5. To be fair, Microsoft accidentally started it with an undocumented feature called XMLRPC (AJAX), and the Canvas API came from Apple, but a huge chunk of Web 3.0 crap is basically a Javascript port of Flash. (No wonder it's crap)

    6. macjules

      Re: Google catches up to Apple, while Microsoft trails the pack

      You're probably safer running a Windows 98 box than a modern Windows flavor with Flash installed.

      Oh come on, it is not that bad surely? Then again you are dealing with a monolithic corporation that is highly protective of its product, regularly threatens anyone finding bugs (and there are a LOT of bugs) with both civil and criminal action yet steadfastly refuses to fix any issues raised by the community as a whole. No, not Microsoft … Adobe.

    7. Michael Thibault

      Re: Google catches up to Apple, while Microsoft trails the pack

      ... plan to exempt the top 10 domains that use Flash for one year in order to concentrate the focus of, and increase the effectiveness of, any new exploits.

      Plain-Speaked That For You

      Euthanise Flash Now! The pain has to end. Make it quick.

  3. Herby

    "exempt the top 10 domains"??

    Would one of these be YouTube?? Which is owned by......

    I could go on, but why bother?

    1. Charlie Clark Silver badge

      Re: "exempt the top 10 domains"??

      YouTube quite happily serves HTML5 video where Flash isn't installed, has done for a good while now.

    2. Zakhar

      Re: "exempt the top 10 domains"??

      You are very wrong, Youtube has been working impeccably well WITHOUT flash for years.

      I have gotten rid of Flash 5 years ago on all my PCs (running Linux) and there is no problem whatsoever with Youtube. In fact, there have been phases:

      - many years ago it was "all flash"

      - then they "experimented" HTML5 playback (meaning Flash was always the default but you could opt in HTML5)

      - then they made HTML5 the default and flash only a fall-back for old browsers that still don't support HTML5 video (some IE6 out there!?)

      And in fact, I won't be surprised that Youtube ditch flash completely, even as a fall-back.

      @Anonymous Vulture: "All I can say is, it is about bloody time!"

      Indeed!

      1. Chloe Cresswell Silver badge

        Re: "exempt the top 10 domains"??

        If it wasn't for YT, I wouldn't have flash on my machines.

        On the one I use the most (S20-30 netbook), the html5 version keeps the CPU at a "happy" 40-50% load, compared to 15-20% for the flash version.

        Currently that is the only thing I use it for.

        1. Charlie Clark Silver badge

          Re: "exempt the top 10 domains"??

          On the one I use the most (S20-30 netbook), the html5 version keeps the CPU at a "happy" 40-50% load, compared to 15-20% for the flash version.

          Sounds like Flash is able to use hardware acceleration and your browser isn't. Hardware acceleration is very dependent upon browser and OS.

      2. Chika

        Re: "exempt the top 10 domains"??

        And in fact, I won't be surprised that Youtube ditch flash completely, even as a fall-back.

        With more recent versions of Firefox you will find that YouTube will force the browser to try to run with HTML5 first by default. It has been this way for a few months now though it will fall back to Flash if HTML5 isn't working or if you have an add-in that forces Flash to be used (yes, they exist).

      3. Anonymous Coward

        Re: "exempt the top 10 domains"??

        Youtube has been working impeccably well WITHOUT flash for years.

        In your parallel universe, maybe. But you can use youtubedown without flash or a browser...

  4. frank ly

    Why has Flash been so bad?

    Adobe's other products (Photoshop, etc) seem to have good reputations.

    1. Anonymous Coward

      Re: Why has Flash been so bad?

      Photoshop, if I've got my history on it right, is something that started in-house. Flash and ColdFusion to give another example of historically vulnerable software were created by Macromedia. (I used to beta Dreamweaver and its antecedents for them way back when.) Adobe bought them and aside from Dreamweaver (I think) the rest of the products have been exercises in patch, patch, and patch again since. I'm maligning ColdFusion a bit but when it demonstrates real doozys when they turn up.

      1. jdoe.700101

        Re: Why has Flash been so bad?

        Photoshop was actually developed externally and first? available as a BarneyScan XP, which came with the BarneyScan film scanner.

        Adobe's problem is that their products reached maturity years ago, and have been adding bloat in order to (try to) justify their upgrades.

        1. Not That Andrew

          Re: BarneyScan XP

          I was sceptical but you are right. Photoshop was developed by Thomas and John Knoll and first made available commercially by BarneyScan. It appears it was so popular Adobe decided to buy it and market it themselves as Photoshop.

      2. Charlie Clark Silver badge

        Re: Why has Flash been so bad?

        ColdFusion to give another example of historically vulnerable software were created by Macromedia.

        Nah, ColdFusion was developed by Allaire and subsequently bought by Macromedia. A lot of people were really sad that Adobe canned Freehand which many thought was better than Illustrator.

        With Flash I think it's worth remembering that it and Shockwave were originally developed as authoring tools for CD and DVDs. They were fine at this and adapting the runtimes to become browser plugins wasn't too hard. Of course, the internet has since become a much nastier place.

    2. Chika

      Re: Why has Flash been so bad?

      Adobe's other products (Photoshop, etc) seem to have good reputations.

      They had good reputations. Then they went all cloudy...

    3. macjules

      Re: Why has Flash been so bad?

      Photoshop, Premiere and After Effects are pretty much the original products and are still (Final Cut Pro notwithstanding) pretty much the market leaders. Illustrator used to be like wading through treacle compared to Freehand, until Adobe bought Macromedia Freehand and merged it into Illustrator. Pagemaker was ok with Aldus, but certainly not so afterwards; but then Indesign *sort* of made up for it. Dreamweaver was fantastic if only because it made Adobe trash the truly awful experience of GUI editors - GoLive.

      The crock of Trump in all of this is Flash. Under Macromedia's umbrella Flash was actually pretty stable, regularly maintained and you didn't get the weekly 'Flash Installer needs your attention', which to me is the new MS Word paperclip. Since then, well ...

      But thanks anyway Adobe: if it had not been for GoLive I might never have gone onto using BBEdit so quickly in the late 1990s.

      1. Anonymous Coward

        Re: Why has Flash been so bad?

        Photoshop, Premiere and After Effects are pretty much the original products and are still (Final Cut Pro notwithstanding) pretty much the market leaders. Illustrator used to be like wading through treacle compared to Freehand, until Adobe bought Macromedia Freehand and merged it into Illustrator.

        You may want to keep a beady eye on the guys from Serif who are developing the Affinity products. It's not exactly hard to detect that Affinity Designer and Affinity Photo are very accurately focused on the Illustrator/Photoshop audience that is planning to walk from Adobe because of their licensing change, and possibly those who currently use pirated versions because the Affinity software comes at a far more palatable price.

        I already licensed both :).
