YouTube HTML5 support is good, and for any other video you can directly download. Browser runs a lot faster, web pages load faster, and I don't miss flash ads at all.
I also disabled flash on my parents' computer, and my brothers, and enabled YouTube HTML5 for them. They haven't noticed it yet. It is only a matter of time before more corporate networks uninstall/block all flash, especially with the bad reputation it has with security.
Flash is already dead to me, I can't wait until it is dead for everybody else as well.
As I mentioned below, I had Flashblock, and used it for a while until I noticed that Flash is still in memory and Flashblock is just some JS that hides flash elements.
I used the following FlashBlock for Chrome, and using resource tracker I could see that no SWFs were downloaded on a YouTube page until after I temporarily enabled Flash on that page.
Note - The title is misleading. It's a zero day vulnerability on all platforms, but the exploits hit XP, Vista and W7. It's still prudent to kill Flash on all though.
It is easy to turn off Flash in the Firefox plugins, and running the Better Privacy extension which kills the Flash hidden cookies normal cookie management doesn't touch. (One stalks you keeping track of every site you've visited with Flash) Better Privacy isn't yet compatible with the Firefox 4 beta but is fine with 3.x
Yes, extensions named 'Flashblock' are pretty universally mediocre and don't actually keep Flash from crashing your browser — they just keep it from being displayed.
ClickToFlash for native Webkit views on OS X actually blocks Flash for real — it's a native Webkit plugin that registers for Flash's primary mimetype and preempts it. When you selectively enable a flash embed, it replaces itself with Adobe's NPAPI plugin.
Using NoScript is probably best. It actually blocks Flash content properly, and protects against most other browsing-related vulnerabilities. Plus, if you don't allow scripts to run from advertiser's domains, most ads can't load.
I don't know what Flashblock you were using but the ones I have used do not behave this way. Maybe Flash was in memory because you clicked one of them and allowed it to run?
On last month's zero-day Flash exploit thread, someone linked to a demo that shows bypassing Flashblock. I think this is it (but I don't run Flashblock).
I did that for a while but had issues like really needing Flash on a couple sites and the fact that every Flash or PDF update would re-enable their plugins in Chrome.
Now, instead of disabling individual plugins, in Chrome I do not allow any site to use plugins, then go back and whitelist sites as needed.
Use the kill-flash extension for Chrome. It takes off flash elements and replaces them with a zone to click on if you want to bring it back. It has a whitelist that you can use for sites that you want flash on by default.
I jest, but flash is the perfect target if you want to hit multiple OS's. Doesn't mean the malware authors will actually develop exploits/malcode for multiple OS's though.
As an aside, the alpha releases for Flash on Linux are surprisingly stable. The "gray rectangle" problem appears to be solved, which was the worst part of Flash on Linux in years past. Video streaming works well, but animations flicker and tear, so most online games are still unplayable.
I'm surprised to be reading so much talk about Flash not working very well on Linux. I'm using Fedora 13 (previously Ubuntu) on an extremely low-performance machine, and I haven't seen any problems in a very long time (at least a year). Videos, games, etc... all seem to work fine, and I generally pay a lot of attention to the Flash player because I'm a flex developer. The only time I struggle is when I watch HD video, but that's to be expected on my machine even if I'm watching a DVD.
Yeah, I haven't encountered much in the way of compatibility problems since 10.0 was released. (I'm on OpenSUSE x86-64.) It does have a habit of crashing and/or freezing for some time, I get the impression the latter is connected to sound (ALSA). Modern browsers survive the former quite well, luckily, and everything but Firefox recovers from the latter quickly, too.
One thing that seems to reliably fail is full-screen video, though.
To be fair, these things happen to many other platforms. Adobe's no exception. Two weeks seems a bit on the slow side from our hacker point of view, but it is in line with what you tend to get from large corporations (and actually fairly responsive... this would be a good response time for, say, Internet Explorer - and Flash has more installs on a much wider variety of OSes and hardware than IE).
Let's not all gang up on Adobe just because they're, well, just as bad as everyone else.
What is this "ganging up" you are speaking of? All I can see as of this moment are people making true statements about Adobe Flash's vulnerabilities, expressing their personal opinions about using Flash, sharing tips for avoiding or disabling Flash, and so on.
As for the two weeks, it sounds like you are saying that the appropriate response to being told that you have to stand in line a day to buy bread is to shrug your shoulders since you're already standing in line a day to buy milk.
Yes, but they happen on "other" platforms. Not "ALL" platforms.
I think there are too many developers out there in large and small companies that don't understand the power they wield or the responsibility they have.
I'm not a big fan of Flash. It had its day. It wants to be everywhere, but it doesn't have the track record to be safe everywhere. I recently switched to Mac and have 3 (and only 3) crashes... all in Safari and all due to Flash.
I'm all for a company making a great product and making it prolific. I just want that company to have the integrity and follow through to make it right. After all, when an exploit takes over my machine who's out the time and money?
The trouble with Flash is that it is so ubiquitous. If Firefox gets a critical zero-day vulnerability, I'll use Chrome. If Chrome does, I'll use Firefox. With a Flash vulnerability over 90% of computers on the web are susceptible and there is no alternative.
I haven't had Flash installed since that first vulnerability where Adobe pulled support for x86_64 Linux. The web looks the same. (I used Adblock anyway.)
Yeah, some YouTube videos don't work... but you can get those videos elsewhere.
Never used it. I think spying on my users (with the help of Google) is unethical.
(FWIW, I did do a project for a client once which involved extracting data via the Analytics API. It was very easy to do, and all the metrics were there, so it seems possible to make your own chart without requiring Flash. Hell, there is even an in-browser Javascript Analytics API and many in-browser Javascript charting libraries... so you could probably even do this in the form of a bookmarklet or user script!)
Heh, spying is a strong word. Without GA I would have had a harder time figuring out that more of my users are from Spain than from the US for one of my projects.
Thanks for the info. I knew of their API but haven't used it yet.
Just disable all plug-ins & Java in Safari preferences. It's a lot easier and you won't miss them. The only thing I used Flash for was watching videos, and HTML5 has that mostly covered now.
Their openness about the vulnerability is refreshing. But I assume they're only publicising the vulnerability because of the people already exploiting it.
I uninstalled Flash three months ago, and haven't encountered any serious problems. I have Greasemonkey scripts to let me download video from most of the YouTube-like sites.
Note that running the Adobe Flash Player uninstaller may not disable Flash in Google Chrome (which integrates a separate Flash). You need to use the 'chrome://plugins' manager to disable that Flash Player. See here for details:
I upgraded Flash on my old laptop just yesterday. The pain and misdirection of being pushed through installing the Adobe Download Manager extension, then restarting the browser in order to actually update the plugin, seems like enough of an obstacle to significantly slow down the roll-out of the eventual fix.
Their forcing of the download manager app (painful trying to find an alternate download to upgrade Flash) should be a key reason for people to abandon the platform.
Nothing burns me up more than vendor-provided "download/update managers". I'll keep my app updated myself thank you very much. No, you don't actually need to run your program 24-7 when it's only used once every few months on my machine.
Just thinking about it makes my blood pressure rise.
(Yes, I know I can go back and uninstall the download manager, but now there are 2 of them - one specifically for IE/ActiveX and the one for Firefox that they recently created).
Can anyone explain some motivations behind Adobe continuing to keep the flash player closed source? The only reasonable thing I've heard before was about movie codecs, is there anything else? The Flex SDK is open, they're not exactly stellar on performance, several different SWF decoders work okay for some narrow subset... I doubt there's much in there that's top secret or thesis-worthy. Releasing it to the community would go a long way in improving Adobe's standings as well as letting the community fix these (in say one week rather than two) and work on 64-bit versions or performance...
The VM is open source, the frameworks are open source. The language specification is open.
The only thing closed are codecs (many of which are licensed from other companies and can't be open sourced), DRM stuff and platform level code that glues everything together. On the other hand, there are open source versions of swf players that Adobe actively promote.
Unfortunately, community involvement (developers and early testers) in all these projects has been low. My understanding is that people within Adobe (and there are many who like Open Source) have no evidence that open sourcing more stuff is any better for the player, since the community hardly gets involved.
Adobe did launch a 64-bit Linux flash player on Labs. Most 64 bit users never used it, sticking with the nspluginwrapper method instead.
I'm sure more community involvement with existing open source projects at Adobe would pave the way for opening up of more stuff.
They open sourced the parts that have been solid for years. What's always been a huge problem is the runtime — the implementation of the standard library. It's mostly the same across all platforms and more than just 'glue code', it's what's actually using most of the CPU cycles when a Flash applet executes, it's all native code, and it's not sandboxed at all by most browsers.
CNN could be using an ad provider that just happens to not have enough ads so they outsourced to a few new ad networks and one accidentally let in a hacked ad.
No issue here.. Just use FlashBlock for Chrome and Firefox, and when there's flash content you want to view, click the Flash icon to enable it. There's still a lot of flash content that's good out there. I think just enabling the flash content you want to use will solve a lot of the issues people have with flash.
Yup, I've used the Flashblock Firefox plug-in for quite a while. It replaces any Flash items with an icon that you can click to run the Flash. There's also a right-click option to always enable flash for a site (whitelist).
Flashblock is a simple and effective way to manage Flash.
I'm pretty sure. Flash has been acting very weird lately (random UAC popups) and it's the first time I get malware from the web in over 5 years. Flash is the only plugin I use so unless there is also a 0-day in Chrome, Flash is the most likely suspect.
"This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild..."
http://imgur.com/mCfqQ.png