Slashdot Mirror


Adobe Patches Nine Vulnerabilities In Flash

jones_supa writes Adobe has patched nine vulnerabilities in Flash Player — four of which are considered "critical" — in order to protect against malicious attackers who could exploit the bugs to take control of an affected system. Adobe acknowledged security researchers from Google, McAfee, HP, and Verisign. Flash's security bulletin contains more information on the vulnerabilities. The issues are fixed in mainline Flash Player 16.0.0.257 (incl. Google Chrome Linux version), extended support release 13.0.0.260, and Linux standalone plugin 11.2.202.429.


  1. Get rid of flash on slashdot, firefox by Anonymous Coward · · Score: 1

    Hey, mozilla, please implement proper MSE support, so that youtube actually works thank you!
    Hey DICE, please use HTML5 video for slashdot thank you!

    1. Re:Get rid of flash on slashdot, firefox by cheekyboy · · Score: 3, Insightful

      please mark flash as spyware, please kill flash!!!!

      Any business that still wants programmers to make apps in flash are stupid, HULU, please recode your apps.

      Besides Flash/Flex, AS, just purely suck as a language, utter putrid crap.

      Please make all firewalls block flash.

      Make firefox not even accept flash plugins, ban it , black list it.

      --
      Liberty freedom are no1, not dicks in suits.
    2. Re: Get rid of flash on slashdot, firefox by Billly+Gates · · Score: 1

      Thank XP and corporate users.

      IE 8 is the world's most popular browser as a result

    3. Re:Get rid of flash on slashdot, firefox by l0ungeb0y · · Score: 3, Insightful

      Any business that still wants programmers to make apps in flash are stupid

      Name one other way to transmit a live video & audio stream from the browser that works across all major platforms that doesn't require a download and install.

      Besides Flash/Flex, AS, just purely suck as a language, utter putrid crap.

      AS3 is essentially Java with most of the same features as most other strongly typed OO languages.

      Please make all firewalls block flash. Make firefox not even accept flash plugins, ban it , black list it.

      Yes, let's kill off browser-based internet video chat for the next few years and go with vendor specific implementations from Google and Apple! No one should be able to create a video app until Google lets them! Flash needs to die, but the fact is HTML5 has yet to provide a means to provide device access and a streaming AV codec. Sure, Opus is great, but not the standard and will likely never be adopted by Apple and WebRTC is great, but not the standard and has issues with implementation requirements (ICE servers, Turn/Stun).

    4. Re:Get rid of flash on slashdot, firefox by Anonymous+Brave+Guy · · Score: 1

      Exactly. It's all very well hating on Flash for whatever reason, but until the newer technologies can do the same jobs, and do them at least as well as the older technologies they are replacing, this is an apples to oranges comparison.

      Why does anyone think the browsers themselves don't have similar security problems, and won't have more when they offer the same kinds of functionality as the insecure plug-ins we've used in the past?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:Get rid of flash on slashdot, firefox by Gliscameria · · Score: 1

      Disabling Flash makes this site a whole lot better.

      --
      X
    6. Re:Get rid of flash on slashdot, firefox by Anonymous Coward · · Score: 1

      Because browser vendors have been learning from their mistakes, and tend to develop sandboxed APIs that we complain about for not being as fast because they're a bit more secure. Generally speaking. In fact the browsers of today can handle the vast majority of what Flash can do already, and often better because they don't break the user's browsing experience as readily.

    7. Re:Get rid of flash on slashdot, firefox by Anonymous+Brave+Guy · · Score: 1

      Why do you think all the browsers will be able to implement sandboxed APIs for these kinds of functionality successfully, when no major plug-in in history has been able to do so?

      If there were a browser that was written using truly robust coding practices, the kind of thing you'd use if you really were writing safety-critical software, then maybe I'd buy that. But they aren't. Like most commercial software, browsers prioritise speed of development and to some extent run-time performance over quality. And they are large applications, with complicated code bases, written in languages like C++. I see no reason to believe that they won't be subject to the same kinds of attacks, sometimes successfully, as everyone else developing software that way.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    8. Re:Get rid of flash on slashdot, firefox by Guru2Newbie · · Score: 1

      No conversation on earth is private. Everything youve seen on Startrek has already been done all by Lockhead Skunk Wor

      Try Star Trek and Lockheed instead.

  2. Given the track record of Flash by AchilleTalon · · Score: 5, Funny

    Given the track record of Flash, I would say they patched 9 and introduced 18.

    --
    Achille Talon
    Hop!
    1. Re:Given the track record of Flash by fuzzyfuzzyfungus · · Score: 2

      I'm not sure whether their patches add bugs, or whether their original code quality was so atrocious that they are trying to fix a transfinite number of flaws by removing them at a finite rate.

    2. Re:Given the track record of Flash by v1 · · Score: 1

      I don't understand how software that's been around THIS long could still be pumping out "critical" security bugs by the dozen.

      --
      I work for the Department of Redundancy Department.
    3. Re:Given the track record of Flash by gstoddart · · Score: 1

      I would honestly say given the track record of Flash ... why the hell are people still running it?

      Flash has been a gaping security hole as long as it has existed.

      How anybody can pretend that it hasn't been leaving a series of security issues in its wake for over 15 years is mind boggling. Many of us have actively blocked/disabled it for at least 10. I don't even install it on personal machines, and I disable it on work machines except for the 2-3 things per year which I am required to do which won't work without Flash.

      Why do people have any trust in this platform? It's pretty much been crap for its entire history.

      --
      Lost at C:>. Found at C.
    4. Re:Given the track record of Flash by gtall · · Score: 1

      It is a bit worse than that. It is a curious fact that Flash contains more bugs than can actually exist in the code...it is considered among philosophers to be akin to Russell's Paradox. The latest scientific explanation involves higher order quantum mechanics and several new and very odd dimensions. The best theory I've seen so far is that Flash is bit like quantum soup with a black hole in hiding in the extremely odd extra dimensions. Virtual bugs and fixes appear in pairs, but curiously, only the fixes are attracted to the black hole and disappear from our time-space continuum forever. The consequence is that Flash seems to us as though it is a net emitter of bugs.

      When questioned about this, Adobe refused to discuss the matter or its implications...firm evidence of a coverup in my book.

    5. Re:Given the track record of Flash by Marginal+Coward · · Score: 1

      Perhaps it's a conspiracy to create more opportunities to monetize it via bundled adware. Then again, never ascribe to conspiracy that which can be adequately explained by incompetence.

    6. Re:Given the track record of Flash by nblender · · Score: 1

      because "The Internet". My wife doesn't care about internet ideals. She just wants to get her work done. There are lots of sites that she needs to do her work that require Flash... These are places that hired out their web-dev and don't have fulltime staff.. They're not going to hire someone to come and fix something that is apparently working. My wife's computer doesn't auto-update so I hear from her once a week to update her Flash plugin because it's "blocked" again by Safari.

      Fucking irritating and I would probably quietly cheer if someone went on a shooting rampage at Adobe... Maybe we can get some radicalized individuals to do it for us...

    7. Re:Given the track record of Flash by tlhIngan · · Score: 1

      I don't understand how software that's been around THIS long could still be pumping out "critical" security bugs by the dozen.

      It's a typical case of "cost center".

      Flash Player is free. It's developed and distributed for free. That means it costs Adobe money to put development effort into it.

      Adobe makes money selling software, and free software like Reader and Flash Player make no money for Adobe, other than potentially encouraging people to buy their tools by making a large market available.

      But still, it costs money to make, so anyone working on Flash player must get stuff working and then shut it down to work on more profitable projects. So "do it fast" versus "do it securely and right".

      Adobe doesn't care if customer machines get pwned - they sold the tools for developers to create, so the customer is the developer, not the end user.

    8. Re:Given the track record of Flash by Burz · · Score: 1

      Given the track record of Fedora, the update will hit the mirrors in about 2 days.

  3. Why? by barcarolle · · Score: 2

    Why in the world are we still using this completely unnecessary software?

    1. Re:Why? by Anonymous Coward · · Score: 2, Insightful

      Youporn.

    2. Re:Why? by Gorgonzolanoid · · Score: 1

      Yeah sure, replace something with known security holes with something new where they still have to be discovered :)

    3. Re:Why? by Anonymous Coward · · Score: 1

      Are you asking why we're using dumb clients parsing HTML+Javascript when we have machines more powerful than an '80s supercomputer sitting on our desktops?

      Good fucking question, bro. The reason is simple: capitalism. Money can be had by giving people control ("PC on every desk") but even more money can be had by making people believe that they should not have control ("cloud!").

      As for Flash vs HTML+Javascript, well, browsers had a long period - i.e. lasting a good decade - of regular serious insecurities. People regularly questioned use of any client-side scripting at all, and while there was hate for IE's Browser Helper Objects, the Netscape API was a fairly good way of delivering rich content. It's only in the past half decade that Javascript has received enough eyes and sufficient maturity that core browsers are becoming less holey add-ins. Stability-wise, of course, HTML+Javascript still has a habit of breaking at the slightest network problem, and while this may be the fault of the individual site developer, it really doesn't encourage graceful failing, encouraging the developer to assume that there is a constant, stable and relatively fast Internet connection - good software ought to work perfectly with zero Internet connectivity and, if it has any collaborative or backup features, sync at intervals.

      And don't get me started on how easy it is for one piece of shitty Javascript to slow down a whole browser. Java applets, for example, are still easier to write (all the sophisticated UI widget and many backend libraries are in the base system), more elegant to code (Java ain't perfect, but it's simple and neat), and run faster (you may not notice this on your development Core i7, which is part of the problem) than Javascript - but for whatever reason Oracle has simply made them hard to run rather than continuing to secure and innovate, pretty much abandoning rich client-side development because see above: there is more profit selling chains than shovels, i.e. to help your clients to away control.

      tl;dr I don't know. I hope we'll get over this cloud business, and treat desktop PCs - where everything must be HTML+Javascript to be hip - the same way we're treating mobile devices now: rich client experiences using proper programming languages and UI widget sets, and failing gracefully when network connectivity is poor.

    4. Re: Why? by cyber-vandal · · Score: 1

      Ah the good old days of DLL hell, deployment of updates taking hours or days instead of minutes, the upgrade treadmill, VB6 et al. What a joy it must've been.

    5. Re: Why? by Billly+Gates · · Score: 1

      Yeah because Java is so much more secure and mobile friendly

    6. Re: Why? by gstoddart · · Score: 2

      But why do we think it is a good idea for arbitrary websites to be able to run arbitrary code? That's completely idiotic.

      Flash and Java are one of those things that expect you to run your browser in the least secure possible configuration (let anybody run anything) on the offbeat chance you might need it somewhere.

      Which means you let all of the rest of the websites you visit run anything they want to for no good reason.

      Since Flash is mostly a security hole used by advertising, and the few sites I've seen which require Flash for navigation are complete crap, why are people willing to put up with this?

      Hey, I know, how about we stop pretending that we need the stuff Flash brings to the table because it just makes a more overall insecure browsing experience, so when you do get exploited it was kind of just a matter of time.

      Flash (and to a certain extent, Java) has always been a security hole. It's time to stop pretending that it's otherwise useful.

      At the very least, it needs to be sandboxed up the wazoo ... there is no way in hell Flash should have access to anything outside of itself, because you can't trust it. Not now, not ever.

      --
      Lost at C:>. Found at C.
    7. Re: Why? by Anonymous+Brave+Guy · · Score: 1

      There are literally billions of people on the Internet. The fact that you don't find Flash or Java applets useful for anything -- given your own personal lifestyle, interests, location, businesses and governments you deal with, other technologies available, and so on -- does not mean that no-one else in the world does. Although the number of users is steadily trending downwards and alternative/replacement technologies are getting more capable, as a matter of fact there are still millions and millions of people using these plug-ins today and no-one offering them a better option for some of the things they need to do.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    8. Re:Why? by smooth+wombat · · Score: 1

      Try RetroShooter from Arcade Pod. The music alone is worth it.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    9. Re:Why? by loufoque · · Score: 1

      You're speaking of html5 video as if it worked as well as flash video.

    10. Re: Why? by Billly+Gates · · Score: 1

      Because grandmas with IE 7 complain that the internets do not work on your wizbang HTML 5 site. Or your boss threatens to fire you if you do not cater to 98% of all customers.

      This means IE 8 hacks and flash to make up for the fact it is from last decade. If you don't, another webmaster in India needing money happily will and the grandmas will keep on using IE 7 like there is no tomorrow since everything keeps looking fine for her.

      This continues until we see a whole freaking decade with no web innovation. Thanks IE 6.

    11. Re: Why? by Billly+Gates · · Score: 1

      What needs to change is ancient IE FAST!

      The good news is mobile now is ahead of the PC with mobile sites with graphics and smoothness. This is because Apple invented much of the HTML 5 specs and pushed it with the iphone. I may not like Steve but now it is forcing website makers to make 2 sites. If China can use SSL rather than Active X plugins written for IE 6 it will finally drop below the radar for PHB to tell webmasters to target. Your site may not be in Mandarin but he looks at statistics where China is counted 8 - 1 for each user over due to the population making him think 25% lost revenue if you target HTML 5 and not use flash to make up for old IE users.

  4. Any chance of a non Chrome linux version? by Viol8 · · Score: 2

    No, didn't think so. I guess at some point Flash in firefox will just stop working because so many sites will require a more modern version. Funnily enough I don't think I'll care.

    1. Re:Any chance of a non Chrome linux version? by Dr_Barnowl · · Score: 1

      That's version 11.2

      Yes, they've fixed the bugs in it. But it's not the mainstream version, which is 16.

      There are plenty of sites that already depend on newer versions of Flash. Try running Card Hunter on Linux: you'll need Chrom(e|ium) with its bundled Flash for that to work, and that's just over three minor versions (it requires 11.5)

      So for given use cases, Flash already stopped working in Firefox for Linux. Supporting PPAPI probably is the only way it will work again.

      But personally, I'd vote for "Long Gone". Why bother with Flash when you can do stuff like this directly in a modern browser?

    2. Re:Any chance of a non Chrome linux version? by Viol8 · · Score: 1

      I meant a new major version you halfwitted bell end!

    3. Re:Any chance of a non Chrome linux version? by Viol8 · · Score: 1

      Which part of the phrase "a more modern version" confused you?

    4. Re:Any chance of a non Chrome linux version? by Tempest_2084 · · Score: 1

      I had trouble with my version of Flash not working with some sites but found a website describing how to make use of Pepper Flash (part of Chrome) with Firefox and it worked for me. I forget the details but it involved using some free flash player and linking to the Pepper Flash files in the Chrome directory.

    5. Re:Any chance of a non Chrome linux version? by caspy7 · · Score: 1

      Hopefully by that point project Shumway will have arrived.

  5. Adobe hasn't been updated for 5 minutes. by MrKaos · · Score: 1

    This update will require a reboot and completely disrupt your current workflow until you do.

    Reboot now or crash your browser?

    --
    My ism, it's full of beliefs.
    1. Re:Adobe hasn't been updated for 5 minutes. by RJFerret · · Score: 1

      Erm, I just updated both (Firefox & IE) without even restarting browsers happily.

  6. Awesome by drinkypoo · · Score: 1

    The download page crashed FF Nightly. Classy++

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Awesome by rnturn · · Score: 1

      Heh. I couldn't get FF to even download it. A portion of the download "form" was obscured and inaccessible under FF. I had to fire up Opera to see the complete form and do the download.

      --
      CUR ALLOC 20195.....5804M
  7. Security Through Instability by winphreak · · Score: 5, Funny

    Luckily, Flash crashes before any malicious code can be executed!

    --
    "I'm a well-wisher, in that I don't wish you any specific harm."
  8. It's Patch Tuesday by WD · · Score: 1

    This sort of thing happens every month. Microsoft, Oracle, Apple, etc. This is news?

  9. History by sjbe · · Score: 1

    Why in the world are we still using this completely unnecessary software?

    Because at a point a few years back it was the only viable solution available to do some of the things flash does. There was no realistic alternative for several years. That gave it a very large installed base and large installed bases don't go away just because they later become inconvenient.

    One of the smartest things Apple did in recent years was to keep flash out of iOS so it could never get an installed base on that platform. Solved a whole host of inevitable security and performance problems AND it pushed the rest of the net somewhat away from flash. Apple had other less altruistic reasons to do this besides just the security problems with flash but on the whole I think we have all benefited from flash being pushed aside.

    1. Re:History by gtall · · Score: 1

      I think the reason Apple refused Flash was a bit more mundane; it sucked energy and would have made the iThings unviable in a consumer market addicted to Flash. The fact that it was a security nightmare was just icing for whacking the entire cake.

    2. Re:History by Anonymous+Brave+Guy · · Score: 2

      The ability to spy on your microphone and camera?

      There were explicit prompts for permission before accessing those peripherals with a default answer of "no", which is hardly spying.

      In any case, how would you have suggested that someone implement a videoconferencing tool five years ago, without using any of these plug-ins you hate so much because you claim they don't do anything useful and just create security problems?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:History by sjbe · · Score: 1

      I think the reason Apple refused Flash was a bit more mundane; it sucked energy and would have made the iThings unviable in a consumer market addicted to Flash.

      The biggest reason Apple refused flash was because it would have circumvented their requirement that developers code natively for iOS. At the time iOS was still young, Flash was still important on PC browsers and Apple essentially would have abdicated control of their development environment to Adobe.

    4. Re:History by l0ungeb0y · · Score: 2

      Not at all. One of the last footholds of Flash is the ability to write a Native App for iOS and Android with Adobe AIR. What Steve Jobs was talking about was the Flash Browser plug-in -- which was unviable as a mobile browser experience. Hell, Google bent over backwards to give Adobe everything they claimed Apple denied them and couldn't get it to run in a stable or usable manner on Android.

  10. More detail about problems with Flash: by Futurepower(R) · · Score: 4, Informative

    The Flashblock extension apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?

    Adobe's Flash software is abusive to users, in my opinion. From the Better Privacy Firefox extension web page, re-written for clarity:
    Some properties of Flash-cookies (LSOs):
    1) They don't expire. They stay on each computer for an unlimited time.
    2) By default they offer a storage of 100 KB. Normal cookies, 4 KB.
    3) Browsers are not fully aware of LSOs. They often cannot be displayed or managed by browsers.
    4) Using Adobe's Flash, companies store and access highly specific personal and technical information (system, user name, files, ...).
    5) Flash sends the stored information to servers without the computer user's permission.
    6) Some Flash applications are not visible to the user. Not all Flash applications display anything.
    7) There is no easy way to tell which Flash-cookie sites are tracking you.
    8) Shared folders allow cross-browser tracking, LSO's work in every flash-enabled application.
    9) Adobe doesn't provide a user-friendly way to manage LSO's. Management is very cumbersome.
    10) Many companies make extensive use of Flash-cookies.

    Apparently Adobe develops software but doesn't check for flaws. There have been 24 new versions of Adobe's Flash software in one year, if I count correctly, since v11.9.900.170 in January of 2014. (The latest version is v16.0.0.257.) As the Slashdot story mentions, the flaws were found by other companies, not Adobe.

    One purpose of the extremely frequent updating may be to push users to allow Adobe to do its silent updating, giving Adobe control over users' computers.

    Now, apparently, Flash applications will not work unless the latest version of Flash is installed. That's apparently another way Adobe pushes users to allow Adobe to do silent updating, using the Windows operating system service Adobe calls ARM: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

    Apparently the former Adobe CEO, Bruce Chizen, became tired of managing, because Adobe was, in my opinion, poorly managed for years before Mr. Chizen was replaced in 2007. Bruce Chizen is on Oracle's board of directors. Birds of a feather flock together?

    The present Adobe CEO, Shantanu Narayen, is, in my opinion, a very poor manager. For example, an organization with which we are acquainted paid $2,000 to update to an Adobe CS6 suite. CS6 came with old versions of some Adobe programs, and an Adobe representative justified that practice.
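
Added example, not part of the original comment or of the Better Privacy extension: points 7 to 9 of the list above say Flash cookies (LSOs) are hard to see and manage, so this Python script inventories `.sol` files per site from the shared folder that point 8 mentions. The folder locations and the `<random id>/<site>/` layout are commonly documented defaults assumed here, and the sample tree with its site names is constructed.

```python
import os
import tempfile
from pathlib import Path

DEFAULT_QUOTA = 100 * 1024  # the 100 KB default quoted in the comment above


def candidate_roots():
    """Commonly documented per-user LSO folders (assumption, not from the page)."""
    home = Path.home()
    roots = [
        home / ".macromedia" / "Flash_Player" / "#SharedObjects",  # Linux
        home / "Library" / "Preferences" / "Macromedia"
        / "Flash Player" / "#SharedObjects",  # macOS
    ]
    appdata = os.environ.get("APPDATA")  # Windows
    if appdata:
        roots.append(Path(appdata) / "Macromedia" / "Flash Player" / "#SharedObjects")
    return [r for r in roots if r.is_dir()]


def inventory(root):
    """Group *.sol files under root by the site directory that owns them.

    Assumed layout: <root>/<random id>/<site>/[sub/path/]<name>.sol
    """
    root = Path(root)
    sites = {}
    for sol in sorted(root.rglob("*.sol")):
        if not sol.is_file():
            continue
        parts = sol.relative_to(root).parts
        site = parts[1] if len(parts) >= 3 else "(unknown)"
        entry = sites.setdefault(site, {"files": 0, "bytes": 0, "newest": 0.0})
        st = sol.stat()
        entry["files"] += 1
        entry["bytes"] += st.st_size
        entry["newest"] = max(entry["newest"], st.st_mtime)
    for entry in sites.values():
        # Flag sites whose stored data exceeds the default allowance.
        entry["over_default"] = entry["bytes"] > DEFAULT_QUOTA
    return sites


def make_sample_tree(base):
    """Build a constructed LSO tree (fake sites, filler bytes) for offline runs."""
    root = Path(base) / "#SharedObjects"
    sample = {
        "ABCD1234/tracker.example/settings.sol": 200,
        "ABCD1234/tracker.example/player/id.sol": 150,
        "ABCD1234/video.example/prefs.sol": 120_000,
    }
    for rel, size in sample.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00" * size)
    return root


def report(sites):
    """One line per site, largest first."""
    lines = []
    for site, e in sorted(sites.items(), key=lambda kv: -kv[1]["bytes"]):
        flag = "  > default quota" if e["over_default"] else ""
        lines.append(f"{site:30} {e['files']:3d} file(s) {e['bytes']:8d} bytes{flag}")
    return lines


if __name__ == "__main__":
    roots = candidate_roots()
    if not roots:
        # No Flash profile on this machine: show the constructed sample instead.
        with tempfile.TemporaryDirectory() as tmp:
            print("\n".join(report(inventory(make_sample_tree(tmp)))))
    for root in roots:
        print(root)
        print("\n".join(report(inventory(root))))
```

Because the folder is shared by every Flash-enabled application, one pass over it covers all browsers on the account.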

    1. Re:More detail about problems with Flash: by Anonymous Coward · · Score: 3, Informative

      The Flashblock extension [mozdev.org] apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?

      Only if you also have AdBlock installed. There is a "bug" when you use both. You can fix it by adding "youtube.com##div#theater-background.player-height" to AdBlock's exception rules.

    2. Re:More detail about problems with Flash: by Anonymous Coward · · Score: 1

      The Flashblock extension apparently is not supported by Firefox v35. With the extension enabled, YouTube videos won't play. When the Flashblock extension is disabled, YouTube videos play immediately, without user permission. Is that a Firefox problem, or is Adobe checking for Flashblock and refusing to operate if the Flashblock extension is installed?

      The problem is not with Flashblock. Flashblock works just fine with YouTube. I think you're running into an AdBlock Plus issue.

      If you have trouble with YouTube on FF 35, then you need to go into AdBlock Plus, Filter preferences, Exception Rules, and add the following:

      youtube.com###theater-background

  11. Are browsers so much better? by Anonymous+Brave+Guy · · Score: 4, Insightful

    Do you realise that many of the criticisms you're directing toward Flash -- about rapid updates, numerous security fixes including some that were found by others, auto-updating, and so on -- could also be directly aimed at Chrome?

    Chrome is an application that actively circumvents the main Windows security model so that it can update executable code on the user's machine without the administrative privileges usually required to install and modify applications. The day someone breaks into Google's update mechanism for even a short time, whether technically or from within the organisation, the damage will be astronomical.

    We could discuss related issues with Microsoft's recommended security models and how much of that update mechanism is actually suggested by Microsoft itself rather than Google, but the facts of what Chrome is doing and the potential danger associated with it are still the same regardless of whose idea it was.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Are browsers so much better? by e70838 · · Score: 2, Insightful

      Chrome is a proof that the main Windows security model does not work.

    2. Re:Are browsers so much better? by brunes69 · · Score: 1

      The risk of the "potential danger" of someone cracking into Chrome's update mechanism and pushing out a rogue update, is exponentially over-weighed by forcing client endpoints to always have the latest security patches - so I totally disagree with the premise of your post. It is far, far, far better for the security of the web as a whole to ensure browsers always have the latest security updates. The near-forced auto-update mechanisms of Firefox and Chrome are some of the best things to have ever happened to web browsers from the point of view of security.

      Finally, Chrome *DOES* provide a way for administrators to lock down to specific Chrome versions, so your post doesn't even have a leg to stand on.

    3. Re:Are browsers so much better? by Anonymous+Brave+Guy · · Score: 2

      The risk of the "potential danger" of someone cracking into Chrome's update mechanism and pushing out a rogue update, is exponentially over-weighed by forcing client endpoints to always have the latest security patches

      Chrome is the most used browser by some way among private individuals. If anyone cracked its auto-update mechanism, every one of those users could be subject to having their private data uploaded without even knowing it, resulting in the usual problems like fraud and identity theft, and/or encrypted and held for ransom, or just deleted.

      The actual cost would depend on how fast Google identified the problem and recovered. Obviously if they found it within a few minutes and shut down the system that would reduce the damage considerably from what it could be. Still, keep in mind that recovering from any breach in this particular software would surely mean at least a major and ongoing PR campaign, as anyone who cracked the auto-update mechanism would disable such channels the moment their malware was installed. It seems possible that the resultant damage not just to the economy from direct fraud but to individual quality of life, consumer confidence, and so on could take a long time to recover, not to mention severely damaging or even bringing down Google as a business.

      And all because they didn't want users to get a simple message saying an update was available and inviting them to download it with the usual security precautions, as Firefox or IE would?

      It is far, far, far better for the security of the web as a whole to ensure browsers always have the latest security updates.

      Of course having timely security updates is better, but as Firefox and IE demonstrate, you don't need to play games that circumvent basic security practices to achieve this.

      Finally, Chrome *DOES* provide a way for administrators to lock down to specific Chrome versions, so your post doesn't even have a leg to stand on.

      I wasn't advocating not updating, only not updating without any confirmation and bypassing normal security checks, so this is a straw man.

      Moreover, if I asked 100 randomly chosen Chrome users how to do this, I imagine fewer than 10 of them would even realise it was possible, so it's not even a good straw man...

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:Are browsers so much better? by Anonymous+Brave+Guy · · Score: 1

      Chrome is using the wrong parts of that model for what it does.

      I agree that giving it the ability to opt out is an error from a system security point of view, but not opting in anyway is on Google.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  12. Re:Flash is still going strong by 0123456 · · Score: 1

    I uninstalled Flash long ago. Very occasionally I find a site that doesn't work at all without Flash, but it's rarely one I care about.

    The worst things are the 'mobile' sites which say 'ah, you're running iOS, so I'm going to give you a sane site that doesn't have any of that Flash crap,' so you know they can make their site run fine without Flash, but you go there with an Android device and it says 'ah, you're running Android, so I'm going to give you the Flash version' even though Flash hasn't run on Android for several versions now.

  13. HiDPI on Firefox by Ark42 · · Score: 1

    Flash is useless on my 192dpi laptop. Everything is so tiny or sometimes only fills up the top left 25% of the box. Adobe doesn't ever seem to care -- https://bugbase.adobe.com/inde...

  14. Only game in town by sjbe · · Score: 1

    Define 'viable' -- do you mean it was the only sufficiently insecure platform which allowed arbitrary execution of code on the host machine?

    It was the only platform available at the time to do certain tasks on the web the way people ("developers" especially) wanted to do them, particularly tasks relating to video. There was nothing else comparable at the time. I never claimed it was a good or secure solution, merely that it was the only game in town. Warts and all. A lot of code was written to utilize Flash and that sort of thing doesn't go away overnight even when it should.

    Flash is a great example of private technology and interests getting ahead of standards. Internet Explorer 6 is another great example.

    1. Re:Only game in town by Billly+Gates · · Score: 1

      Flash was GREAT and at one time A SAVIOR.

      Remember when .WMV was taking over the web? Flash freed us by not having IE 6 and MS define multimedia. You go to YouTube and through Flash it worked on Linux, Mac, and PC.

      I remember Ask Slashdot had questions on .WMV proprietary media tools for the Mac, as he didn't want to lose visitors and no one used QuickTime anymore and IE 6 had 90% market share anyway, etc.

      Today, yeah, it is obsolete, but it defined video streaming last decade. It worked regardless of browser and did things through ActionScript with beautiful graphics that JavaScript libraries were a full 5 years behind in comparison.

  15. Flash is blocked by PPH · · Score: 1

    Management figures it's just used for viewing porn sites.

    --
    Have gnu, will travel.
  16. What Jobs actually said by sjbe · · Score: 1

    One of the last footholds of Flash is the ability to write a Native App for iOS and Android with Adobe AIR.

    That is by definition not a native app. It can behave like one but it's not the same thing.

    What Steve Jobs was talking about was the Flash Browser plug-in -- which was unviable as a mobile browser experience.

    Here is what Jobs said about Flash. Note the bit where he said:

    "We know from painful experience that letting a third party layer of software come between the platform and the developer ultimately results in sub-standard apps and hinders the enhancement and progress of the platform. If developers grow dependent on third party development libraries and tools, they can only take advantage of platform enhancements if and when the third party chooses to adopt the new features. We cannot be at the mercy of a third party deciding if and when they will make our enhancements available to our developers"

    It was VERY much about maintaining control over how applications were developed for iOS.

    Hell, Google bent over backwards to give Adobe everything they claimed Apple denied them and couldn't get it to run in a stable or usable manner on Android.

    Yes they did and there were a lot of people loudly crowing about how having Flash somehow made Android better than iOS. There were/are plenty of reasons to prefer Android but Flash has never been one of them.

    1. Re:What Jobs actually said by Billly+Gates · · Score: 1

      I just read his statement and to me I got Flash sites are crap on his phones and 3rd party deciding is bad.

      HTML 5 would not be here without Steve Jobs (no, I am not a Mac fan). It got off the ground as you could use HTML 5 and CSS 3 for gradients and other effects and video. Flash did not have a mobile mode and scaled and performed poorly.

      It forced web developers to learn HTML 5 for mobile sites and of course with its popularity for -webkit helped Android too with mobile site apps which are now trying to jerk HTML 4 off (thanks to IE 8) to the grave.

  17. Google's Chrome browser has the same issues. by Futurepower(R) · · Score: 1

    "... many of the criticisms [directed] toward Flash... can also be aimed at Chrome"

    I agree. That's why I stopped using Google's Chrome browser. On one computer I checked, Google installed 3 system services:

    Google Update Service (gupdate), "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
    Google Update Service (gupdatem), "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
    Google Updater Service (gusvc), "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

    Normally, software requires an update only if new features have been developed, or in rare cases when a vulnerability is found. I'm guessing, and it is just a guess, that a lot of the vulnerabilities found in Adobe's Flash software are due to extremely poor management of Adobe that began about halfway through Bruce Chizen's period of being CEO. I imagine that the best people at Adobe left because of not liking Chizen's management. Certainly now, when I talk with people at Adobe, they seem very much out of control, as though there is no real management at Adobe or even understanding of technology management.

    However, although Google's management has been degrading rapidly in recent years, in my opinion, Google has historically been much better managed. Someone checks Google software before it is released. But there are such frequent updates in Chrome that it seems possible that Google is being forced by some secret agency in the U.S. government (There are many more than just the NSA.) to deliver software to get information directly from users' computers. (I've been studying the degradation of management of formerly excellent companies since the downfall of Fairchild Semiconductor and of Tektronix.)

    Also, there is an abuse that is becoming much more common: It is possible to give a name to a service (or an Internet domain) that is misleading or un-informative about who is in control of it. The sneaky, dishonest, abusive people are becoming more powerful, as in other areas of U.S. society.

    So, we need an open-source operating system that has a far better security model. (Open source so that we can try to prevent hidden agencies from being in control.) We need a federal law that all software components must be labeled with their true supplier.
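
An added example, not part of the comment above and not vendor code: a PowerShell check that resolves the three services named in that comment (gupdate, gupdatem, gusvc) to their executables and reports the Authenticode signer, so a service's display name can be compared with who actually signed the binary. The function name Get-ServiceSigner and its default filter are assumptions made for illustration.

```powershell
# Added example: map Windows services to the publisher that signed their binary.
# Get-ServiceSigner is a hypothetical helper name; the default filter uses the
# three service names quoted in the comment above.
function Get-ServiceSigner {
    param(
        [string[]]$Name = @('gupdate', 'gupdatem', 'gusvc')
    )

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # An empty -Name list means "audit every service".
        if ($Name -and ($svc.Name -notin $Name)) { continue }

        # PathName is a command line: either "C:\quoted path\x.exe" /args
        # or an unquoted path followed by arguments.
        $exe = $null
        if ($svc.PathName -match '^\s*"([^"]+)"') {
            $exe = $Matches[1]
        } elseif ($svc.PathName -match '^\s*(.+?\.exe)(\s|$)') {
            $exe = $Matches[1]
        }

        $status = 'BinaryNotFound'
        $signer = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $exe
            $status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
            }
        }

        [pscustomobject]@{
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            Account     = $svc.StartName
            Binary      = $exe
            SigStatus   = $status
            Signer      = $signer
        }
    }
}

# Report the three services; pass -Name @() to audit every service.
Get-ServiceSigner | Format-Table -AutoSize -Wrap
```

Services hosted in svchost.exe resolve to svchost.exe itself, so the signer shown for those is the host process, not the service DLL it loads.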

  18. Most don't have the technical ability... by Futurepower(R) · · Score: 1

    "Wrong. Flash developers specify the minimum API version for their applications. Nothing has changed here. I can still run apps in old versions of the player."

    Not wrong, because we've seen the problem with several domains. I'm guessing that Flash development software now automatically includes that limitation, and that the Flash development software updates without user intervention or knowledge. Most people who develop with Flash don't have the technical ability to know the "minimum API version for their applications".

  19. Experiences of tech. people are not representative by Futurepower(R) · · Score: 1

    "In Chrome it took me 60 seconds to figure out how to delete Flash cookies or view which sites are using Flash cookies."

    Translation: In Chrome a highly technically knowledgeable person, who knows that Flash cookies must be deleted, took only 60 seconds to delete them.

    "In terms of uploading content to the server, Flash is essentially capable of what JS is capable of. Companies don't need Flash to upload user information."

    No JavaScript engine installs a system service. Flash does, and, according to Adobe, new vulnerabilities are discovered in Adobe software every 2 to 4 weeks. So, even if Adobe is not abusive, there are plenty of opportunities for others to invade a system.

    "A quick look at cookies on my system shows that the vast majority of websites are storing information with regular cookies, not Flash."

    Cookies on the system of a technically knowledgeable person are not representative of the cookies on the systems of average users.

  20. Thanks. by Futurepower(R) · · Score: 1

    Thanks for the info about AdBlock.

  21. Thanks again. by Futurepower(R) · · Score: 1

    Thanks for the additional info about AdBlock.

  22. Not just joking, a direction of useful inquiry by Futurepower(R) · · Score: 1

    "The best theory I've seen so far is that Flash is bit like quantum soup with a black hole in hiding in the extremely odd extra dimensions."

    That is not just a joke, it is a direction of useful inquiry.

    We need to philosophize about why a company would be so horrible toward its customers. Okay, probably not involving the quantum soup and black holes of Physics, but instead the quantum soup and black holes of Sociology.

    There is some recent Slashdot sociological inquiry about Bill Gates and a cancer cure.

    Then there is WEIRD, When Every Idea Rates Dumb.