Why everybody should be happy that Flash is finally dying

Rob Pegoraro
Contributing Editor

Adobe (ADBE) acknowledged the inevitable Tuesday when it announced that it “will stop updating and distributing the Flash Player at the end of 2020.”

That multimedia browser plug-in was once such an inescapable part of the web that Adobe thought it could persuade Apple (AAPL) to add it to the iPhone. Now-deceased Apple co-founder Steve Jobs replied in 2010 with a 1,681-word “Thoughts on Flash” post that denounced Adobe’s creation as a proprietary, insecure, buggy, and battery-eating menace to the mobile web.

Seven-plus years after the manifesto that Adobe tried to counter with passive-aggressive newspaper ads and then mobile software that shipped late and worked poorly, its multimedia player is officially doomed on screens everywhere. That’s quite a comedown for a technology that, Adobe bragged in 2009, was on over 98% of internet-enabled desktops and played 75% of all videos viewed online.

But it’s great news if you don’t like having your computer left more vulnerable to online break-ins.

Die, Flash, die!

There are many reasons to resent Flash, some recounted at length in Jobs’ post and others left unsaid there. (Pointless animated intro pages on restaurant sites, I’m shaking my fist at you.) But the problem that ultimately sank Flash was security—something the Apple co-founder didn’t mention until more than a third of the way into his screed.

In the years after, Flash increasingly resembled the equivalent of a screen door on a submarine. As a program that originally had wide access to your machine but could be called upon by any site–or even any ad on a site–it was a tempting target for malware authors.

It didn’t help that Flash historically made it a pain to stay up to date. A June 2010 update, for instance, required Windows users to download separate download-manager apps for Internet Explorer and Mozilla Firefox—each of which would push a McAfee security-scan tool.

Five years later, a study by McAfee, by then an Intel (INTC) subsidiary, found almost 200,000 new Flash malware samples in circulation in the first quarter of that year—a 317% increase from a year earlier. The vulnerabilities and subsequent patches have kept coming since, with seven “critical” Flash updates released so far this year.

Flash’s decline on the desktop wasn’t as fast as its failure in mobile devices—after its Android player arrived behind schedule on devices like the Motorola Xoom tablet that nobody bought anyway, the company abandoned mobile-Flash efforts in late 2011. Apple stopped bundling Flash on new Macs beginning in late 2010, while Google (GOOG, GOOGL) and Microsoft (MSFT) steadily restricted the versions of Flash included in their own browsers.

By the end of last year, both companies had said their browsers would ignore Flash media if a site offered the same content in web-standard HTML5 code. Future versions of Chrome and Edge will make it entirely opt-in.

If web developers won’t get with the program, you should

Web developers, however, have not been so quick to get off the Flash train. Adobe’s announcement ought to get their attention in ways that third-party moves did not—although the company won’t remotely disable remaining copies of Flash in 2020, those left in circulation will then carry the stink of “abandonware” status.

Offering viewers premium content no longer qualifies as a good reason to require Flash—not when Netflix (NFLX) and Amazon (AMZN) began offering HTML5 playback for their videos in 2015. Yet major sites like Hulu and baseball’s MLB.tv continue to demand this fading format in desktop browsers.

Those media sites, however, at least offer phone and tablet apps that permit Flash-free viewing. What’s more annoying is seeing Flash-required sites that don’t have any Hollywood content to protect and don’t even serve up videos.

For example, the U.S. Patent and Trademark Office’s patent-applications dashboard demands Flash to show you a series of gauges. That is not what you want to see at the government agency that’s supposed to champion innovation. And at the Mint.com personal-finance site of Intuit (INTU), you still get nagged to install Flash to see graphs of the performance of your investments.

It may be tempting to keep Flash around for these annoying exceptions. But when Flash remains a transmission vector for ransomware, the risk is too high.

To get rid of the Flash plug-in outside of Chrome and Edge, download and run Adobe’s uninstaller for Mac or Windows. If you also realize you still have the Java plug-in installed, an equally dangerous piece of code to have in your browser, take a moment to scream in horror and then ditch that Oracle (ORCL) software, using its Mac or Windows uninstaller.

That will leave locked-down versions of the player built into the Google and Microsoft browsers. They are the safest option for running Flash content today. But even then, you should take advantage of Chrome’s option to restrict Flash playback to specific sites, something I did two years ago: Type “chrome://settings/content/flash” into the address bar, select “Block sites from running Flash” and then allow only the sites with Flash fare you can’t live without.

Then you’ll have to hope Adobe’s news gets those laggards to act—preferably before 2020.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.