A few days ago Adobe released bug fixes for their Flash Player software. Flash runs on Windows, OS X, Linux and Chrome OS. Android and iOS users can stop reading now.
Eighteen bugs were fixed this time around. Last month, Adobe fixed 22 bugs in the Flash Player; in March, they fixed 11; in February, 15. January was a busy month: Adobe updated the software three different times to fix a total of 12 bugs.
That's 78 bugs fixed this year, after only 132 days. It averages out to a patch every 1.7 days. Or, 3 bug fixes every 5 days.
Going back further, to last May, we add in another 65 bug fixes. The last 12 months have thus seen 143 bugs in the Flash Player. That's 11.9 a month, one every 2.5 days or 2 every 5 days. This is truly shocking; for an entire calendar year, Flash has averaged 2 bug fixes every 5 days.
What a disgrace, especially when you consider that Flash is a mature product. The software has been around since 1996. I started tracking it on my FlashTester.org site back in 2003.
Putting it another way, after 18 years of work, Adobe produced such poor software that in its 19th year it needed 143 bug fixes.
Steve Jobs did the world a favor when he banned Flash from iOS.
There are four things we can do to defend ourselves from the bug magnet that is the Flash Player.
On Windows, I suggest not installing Flash at all. It comes embedded in the Chrome browser and that's fine. Google does a reasonably good job of keeping the Flash Player up to date with bug fixes and, most importantly, it does so silently. You can't forget to update Flash or be tricked by a scam popup warning that an update is desperately needed. If you restrict Flash to Chrome, then any warning that it needs to be updated is a scam.
Firefox ships without Flash, so leave it that way. Internet Explorer on Windows 8 includes Flash; IE on Windows 7 does not. There are two ways to disable Flash in IE 11 on Windows 8. You can either enable ActiveX filtering (off the Tools menu) or disable the Shockwave Flash Object add-on (Tools -> Manage add-ons).
If your OS/browser combination does not automatically update the Flash Player, then you can check if you have the latest version at adobe.com/software/flash/about/. If, like me, you find this too long to remember, I link to it at the very top of the FlashTester.org home page. For whatever reason, Adobe does not report the latest version of Flash on Chrome OS.
A third defensive strategy is not running Flash content by default.
In the latest versions of Chrome (v42) and Firefox (v38), this is easily done with a configuration change. For each browser, the procedure is the same on both Windows and OS X Yosemite. For Chrome, the procedure is also the same on Chrome OS.
In Chrome 42: Hamburger menu -> Settings -> scroll down, then click on the Show advanced settings link -> Content settings button -> Plug-ins section -> Let me choose when to run plugin content. Note that the choices here recently changed.
In Firefox 38: Tools -> Add-ons -> Plugins (left side column) -> Locate Shockwave Flash in the list of plugins ("Shockwave" is there just to confuse people) -> Change the Always Activate button to Ask to Activate.
After making this change, each browser will display a box where the Flash content belongs and prompt you for permission to run the Flash Player.
Chrome displays a light gray box with a puzzle piece in the middle.
Hover the mouse over the gray box and Chrome on Windows instructs you to "Right click to play Adobe Flash Player".
This is not the whole story, however; right clicking pops up a menu that includes "Run this plug-in". You have to click on that to really run Flash.
On OS X, Chrome prompts to Control-click rather than right click. On Chrome OS, it also prompts for a right click, but Alt-click can substitute for right clicking if you are not using a mouse.
Firefox 38 displays a black box with what looks like a Lego piece in the middle (see below).
Clicking anywhere in the box produces the following prompt, where you can choose to allow Flash just once or always on this particular website.
These Firefox screen shots were taken on Windows; the only difference on OS X is that the Allow and Remember button is blue.
At this point, we have to consider blocking Flash by default the new normal. If nothing else, it should help speed up the transition to newer technologies.
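To confirm that the Firefox change described above actually took effect in a given profile, this added example (not part of the original article) reads the text of a profile's prefs.js and reports the Flash activation state. It assumes the choice is stored as the integer pref plugin.state.flash (0 Never, 1 Ask, 2 Always) and that a missing entry means the Firefox 38 default of Always Activate; the sample file contents are constructed.

```python
import re

# Meaning of the integer stored in plugin.state.flash.
STATES = {0: "Never Activate", 1: "Ask to Activate", 2: "Always Activate"}

# Matches lines such as: user_pref("plugin.state.flash", 1);
PREF_RE = re.compile(
    r'^\s*user_pref\("plugin\.state\.flash",\s*(-?\d+)\s*\);', re.M)

# Assumption: with no explicit entry, Firefox 38 uses Always Activate (2).
ASSUMED_DEFAULT = 2


def flash_state(prefs_text):
    """Return the effective plugin.state.flash value from prefs.js text.

    prefs.js is evaluated top to bottom, so a later entry overrides an
    earlier one; an absent entry falls back to the assumed default.
    """
    matches = PREF_RE.findall(prefs_text)
    return int(matches[-1]) if matches else ASSUMED_DEFAULT


def audit(prefs_text):
    """Return (ok, label); ok is True only if Flash cannot run unprompted."""
    state = flash_state(prefs_text)
    label = STATES.get(state, "unknown (%d)" % state)
    return state in (0, 1), label


# Constructed sample prefs.js contents (not taken from a real profile).
SAMPLE_ASK = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugin.state.flash", 1);
'''
SAMPLE_UNSET = 'user_pref("browser.startup.homepage", "about:blank");\n'
SAMPLE_ALWAYS = 'user_pref("plugin.state.flash", 2);\n'

if __name__ == "__main__":
    for name, text in [("ask", SAMPLE_ASK), ("unset", SAMPLE_UNSET),
                       ("always", SAMPLE_ALWAYS)]:
        ok, label = audit(text)
        print("%-7s %-16s %s" % (name, label, "OK" if ok else "CHANGE ME"))
```

To check a real profile, pass the contents of its prefs.js file to audit() while Firefox is closed, since the browser rewrites that file on exit.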
The fourth defensive strategy? Run Flash on a Chromebook or Chromebox, a suggestion I first offered last year. While a Chromebook can serve as a primary computing device for some people, most of us can benefit by using it as a secondary, extra secure, device, especially in Guest Mode.