“Flash. Must. Die,” begged a recent Wired headline.
And Wired wasn’t alone in advocating the death of the notoriously buggy Adobe Flash Player. After a highly publicized data breach of a surveillance technology contractor contained a flood of previously unseen vulnerabilities in Flash, security professionals as prominent as Facebook Chief Security Officer Alex Stamos Flash's called for Adobe to bury the multimedia player.
But calling for Flash to die is nothing new. In 2012, a CNN headline asked "Did Steve Jobs kill Adobe Flash?" In 2011, one on the tech blog Vision Mobile read “The death of Flash – 8 years in the making." And in 2010 Mashable had this: “Apple Didn't Kill Flash, HTML5 Did."
Flash has been one of the most resilient technologies on the Web because it has been one of the most revolutionary. Without Flash making it easy to play videos online, there would be no YouTube. Without Flash animations, the Web would have been a flat, grainy experience from the player’s invention in 1996 until everyone had broadband.
Should Flash die? Can Flash die? Does it really deserve such an unceremonious death?
Hacking Team got served, Flash fried
The current furor over Flash emerged after hackers posted online some 400 gigabytes of data stolen from Hacking Team, an Italian manufacturer of military-grade spyware. Within a 10-day period, researchers uncovered four unpatched, critical bugs in Flash buried in Hacking Team's source code. The vulnerabilities were almost immediately found incorporated into exploit kits – the building blocks for hackers to build malware.
Adobe has heard this before - Flash is a regular punching bag for industry pros, And not without reason. A recent Hewlett Packard report showed that the three of the 10 most commonly used new vulnerabilities against Windows computers in 2014 was in Adobe Flash.
Trend Micro was first to publish three of the Hacking Team Flash bugs. The company’s chief cybersecurity officer Tom Kellermann likens the history of laxness of Adobe’s security practices in light of Flash’s popularity to poisoning the water supply for all of a village’s wells.
“Most of the burden of Flash’s security problems is being carried by the security companies who have to clean up after them,” he says. “That’s what’s so annoying.
Adobe said in a statement that many of the security problems that penetrate Flash are old vulnerabilities for which the company issued patches but that users didn’t install. And, Adobe notes, Flash’s market popularity makes it a valuable target for hackers.
But most experts outside Adobe pin the company’s bug problem on other issues. Those familiar with the source code of Flash describe it as filled "spaghetti," a "convoluted" mess of disorganized functions that accumulated over Flash’s 20-year run. They say there are just too many knots to untangle before anyone could shake out all the flaws.
Before it was spaghetti, it was a single noodle
"Typically, code doesn’t go away," says Jonathan Gay, the man who invented Flash. "I’ll bet some of my code is still in it."
Mr. Gay hasn’t been part of the programming effort for Flash for more than a decade, and recently, he hasn’t been programming much else, either. In fact, these days he herds grass-fed cattle in California.
In the beginning, there was Mr. Gay, founder of FutureWave, which designed graphics software for a failed early pen-and-touchscreen movement in the early 1990s. As pen computing demised, FutureWave transitioned to Mac and PC. And then they got lucky.
At a graphics convention in 1995, organizers gave FutureWave a booth next to animation software heavyweight Animo. Artists who went to see Animo kept asking if FutureWave’s programs did animation. It didn't. But that gave Gay the idea that it could.
The company shipped the first version of Flash as FutureSplash Animator. FutureWave was still tiny, but was accomplishing big things. Disney and Microsoft used FutureSplash on their first video websites. “It was kind of dumb of them,” says Gay. I wonder if they knew they were trusting their sites to a company with only four guys."
FutureSpash was released in May of 1996. By the end of the year, Macromedia had purchased FutureWave and renamed the plug-in Flash.
The advantage of Flash was that it allowed sites to add crisply animated videos using very small files – big video files moved slowly over modems that capped out at download speeds of 1.8 bytes a second. Where its competitors had to send every frame of every movie, Flash let users' computers render many frames, shrinking files in the process. Flash gave a practical alternative to a Web of just text, images or blotchy animated GIFs, which only recently found their niche.
Flash was one of an entire ecosystem of browser plug-ins that handled multimedia for Internet Explorer and its chief competitor, Netscape Navigator. There were other video players, but all required long waits as files downloaded.
The plug-in system of browser extensions was a quirk of the early Web. Today, there are open programming languages anyone can use without purchasing any particular brand of software. In 1998, to broadcast audio and video, you purchased RealAudio’s encoder for its plug-in and Flash development software for Flash’s.
Even the browsers were wildly different. Today, more or less, things look the same in Safari as they do in Chrome. Fifteen years ago, the gap between the appearances of each browser was wide. So, as Flash grew into a more interactive, highly programmable system, it didn’t just mean that websites would dance and sing as you moved your mouse around. It meant that websites would look the same wherever they were opened.
Adobe purchased Macromedia in 2005 for $3.4 billion, just in time for Flash’s heyday. In 2007, capitalizing on Flash’s ability to easily embed video files, YouTube hit the Web.
Flash has had three owners across two decades of service to the Internet. And still, it was not held relatively true well into the 2000s. The first Flash virus surfaced nearly five years after FutureSplash launched, in January of 2002. Even then, it was a bit of a dud – it only affected files opened in Flash’s developer platform.
"At the time it was a bit of a unicorn," says Graham Cluley, then a technology consultant for Sophos, the company that reported the virus after someone anonymously e-mailed it to them. "It was mostly a proof of concept that would never have infected many computers in the real world. But maybe it was a sign of things to come."
The floodgates were open. Four months later, the computer security firm Eeye and Macromedia independently discovered an exploitable bug in Flash videos. And the vulnerabilities have piled on ever since.
“What I don’t understand is why people find it so hard to move away from Flash?” Mr. Cluley says.
An accurate cause of death
The obituaries for Flash mostly refer to its security problems as the cause of death. But Flash usage has been on the decline for years, and not because of vulnerabilities. As Cluley says, even if they don’t recognize it yet, people don’t really need Flash the way they once did. The Web changed and swallowed up its niche.
It’s a credit to Flash that it lasted this long. Open standards such as HTML5 have replaced plug-ins used to handle multimedia such as Flash. The problem Flash was designed to solve, allowing animations to be sent over dial-up modems, went away when broadband access became the norm. The complex environments Flash was able to produce also lost appeal.
"People just want to go to a site that instantly loads with all the information they want. They aren’t interested in immersive animated experiences anymore," says Clay Ostrom, a Web designer who worked primarily on Flash between 2004 and 2011, before he saw Flash begin to wither.
Flash can still do a number of things better than HTML5, says Mr. Ostrom, especially animation. But in today’s Web, even animated video needs to be shoehorned into HTML5. Flash doesn’t run on mobile devices – it uses too much processing power and hobbles battery life. For years, Adobe tried to get a mobile version of Flash to smooth out some of those problems but gave up in 2011.
There were other problems with mobile. Steve Jobs famously worried that applications written for Flash would bypass the Apple store, and listed that as "the most important reason" it wouldn’t be on the iPad in his public letter, "Thoughts on Flash." And touchscreens weren’t compatible with Flash’s mouse-based actions.
Ostrom now helps companies develop digital user experiences at a shop he cofounded called Maps & Fire. He says he'll remember Flash not for its incompatibility with mobile, but for its compatibility with everything else. "It was develop once, deploy everywhere," he says. "You could always expect it to look the same on any browser, either operating system.
"Think about what you can do in a browser," reminisces Ostrom. "You couldn’t do that 10 years ago in HTML."
Adobe can’t fight the rise of HTML5. Nor is it trying to, says Adobe representative Wiebke Lips.
It’s true that Adobe would like Flash to live on – they see it as a future platform for desktop delivery of high-definition video. But it’s also true that Flash is a hard-to-monetize product – Adobe makes money on the production platform but not the countless users who downloaded the free browser extension. The same could be true, Adobe has stated, with its advanced platform to develop HTML5.
With Flash, Ms. Lips said, they are making a continued effort to harden the code to attacks, even while transitioning it away from the Web. They have made a stronger effort to release tools for researchers to discover bugs for them to eliminate. And, said Lips, they completely support browsers like Firefox blocking out of date versions of Flash.
"Blocking vulnerable software versions and directing users to install the latest, most secure version of Flash Player is one initiative we have been supporting for years," she said.
Adobe realizes that Flash’s desktop future won’t match its YouTube highs, but it's adamant that the headlines are wrong. Flash is not dead, the company says, maybe it’s just in a cocoon.