Some Good News, and Some Bad News, About Adobe Flash 10.1

The good news first: Adobe's promising Flash 10.1 is going to hit smartphones—Android, WebOS, Windows Mobile—and desktops in the "first half" of this year, a slightly less squishy date. And it'll come over the air. The bad part?

Well it's bad for Android, anyway: You're gonna need Android 2.1. At least. Because it provides some access Adobe needs to make the Flash magic happen. So, sorry everything but the Droid and Nexus One, at least for the moment. The "over the air" thing is also kind of "up in the air" as to what that means: It could come from your carrier, it could come from your phonemaker, or failing all else, it could come from Adobe. Which means, Flash isn't necessarily going to hit your phone at the same time as everybody else's. Depends on your phone. But, they're betting that over half of smartphones—53 percent—will have Flash Player by 2012. Not surprisingly, Adobe says Flash 10.1 is going to be all over some tablets, too, with accelerated performance on Nvidia's Tegra 2, Qualcomm's Snapdragon (like what's in the Nexus One), and Freescale's i.MX515.

Lastly, Adobe would like you to know that this whole Adobe vs. HTML5 thing is silly, since they totally support HTML5, like all web standards. They love them some web standards, they say. But! They would also like you to note that HTML5 standardization is years away, and Flash works right now. And the reason you notice crappier performance on the Mac is sorta the Mac's fault, they say, because they need more access to APIs and they get half-assed crash reports. Plus, Adobe claims, apps tend to run faster in Windows than OS X generally, because performance is about 20 percent worse using OS X's GCC compiler, not to mention performance varies even within an OS, since Flash runs 20 percent faster in IE8 than Firefox, for instance. Either way, performance will be better on Mac with Flash 10.1, since it's shifting over to using CoreAnimation.

Okay, you can resume your "death to Flash!" chants now (even though it's not going anywhere for a while, people!).

[Adobe]

Read More

Adobe apologizes for festering Flash crash bug 16 months...and counting

An Adobe product manager has apologized for allowing a potentially serious bug in Flash Player to remain unfixed for more than 16 months.

The admission, by Emmy Huang, product manager for Flash, came a week after Apple CEO Steve Jobs lambasted Adobe engineers as "lazy" and said when Macs crash, "more often than not it’s because of Flash." Adobe CTO Kevin Lynch struck back, insisting that at Adobe, "we don't ship Flash with any known crash bugs."

The crash bug at issue in Huang's blog post published over the weekend was reported in September 2008, but it has yet to be excised from release versions of Flash. She said a beta version of Flash scheduled for official release later this year has fixed the problem.

She went on to say the flaw should have been patched in one of the interim updates released over the past 16 months.

"I want to reiterate that it is our policy that crashes are serious 'A' priority bugs, and it is a tenet of the Flash Player team that ActionScript developers should never be able to crash Flash Player," she wrote. "If a crash occurs, it is by definition a bug, and one that Adobe takes very seriously."

The bug in version 9 of the software was reported by security researcher Matthew Dempsey on Adobe's Flash Player bugbase. Flash 10 was released a month later, making it impractical to fix the flaw in the next release. The report "slipped through the cracks," an omission that allowed the bug to languish even as other flaws were repaired in subsequent updates.

Over the past year, critics (El Reg among them) have assailed Adobe for a steady stream of security bugs that have been exploited in drive-by and email attacks that aim to install keyloggers and other types of malware on the machines of unwary users. Jobs, meanwhile, timed his remarks to the release of the iPad, which is notable for completely shunning the Adobe media program.

CTO Lynch flatly rejected the criticism from Jobs, arguing that "if there was such a widespread problem historically Flash could not have achieved its wide use today." As if a product's widespread adoption were a guarantee that is was free from serious defects.

Huang's post seems to admit as much. But its forthrightness also suggests Adobe may finally be heeding critics. "I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again," she wrote.

While the bug is said to generate only a simple crash, attackers often go on to figure out how to exploit such flaws to remotely execute malicious code. Dempsky has additional details about the bug here. A demo - which he warns will cause browsers to crash - is here.

"I'm not an Apple fan boy out to prove Steve Jobs right in Apple's decision not to support Flash on the iPhone/iPad," he explained. "Instead, I'm just a software engineer who at one time had to deal with Adobe's sorry excuse for a development platform and made an earnest effort on several occasions at helping them improve it for everyone."

Read More

HTML vs. Flash: Can a turf war be avoided?

A difference of opinion among developers has become a high-profile debate over the future of the Web: should programmers continue using Adobe Systems' Flash or embrace newer Web technology instead?

The debate has gone on for years, but last week's debut of Apple's iPad--which like the iPhone doesn't support Flash--turned up the heat. Before that, Adobe had been saying with some restraint that it's happy to bring Flash to the iPhone when Apple gives the go-ahead.

But Chief Technology Officer Kevin Lynch took the gloves off Tuesday with a blog post that said Apple's reluctance to include Flash on its "magical device" means iPad buyers will effectively see a crippled Web. And he played the Google Nexus One card, too.

"We are now on the verge of delivering Flash Player 10.1 for smartphones with all but one of the top manufacturers," Lynch said, specifically mentioning the Nexus One as one such device and adding that the software also works on tablets, Netbooks, and Net-enabled TVs. "Flash in the browser provides a competitive advantage to these devices because it will enable their customers to browse the whole Web...We are ready to enable Flash in the browser on these devices if and when Apple chooses to allow that for its users, but to date we have not had the required cooperation from Apple to make this happen."

Flash has indeed spread to near-ubiquity on computers, with better than 98 percent penetration, according to Adobe's statistics. Its roots lay with graphical animations, but its success was cemented by providing an easy streaming video mechanism to a Web that had been plagued with obstreperous and incompatible technology from Microsoft, Apple, and Real.

But a collection of new technologies--including a rejuvenated HTML (Hypertext Markup Language) standard used to write Web pages--are aiming to reproduce some of what Flash offers.

Bruce Lawson, Web standards evangelist for browser maker Opera Software, believes HTML and the other technologies inevitably will replace Flash and already collectively are "very close" to reproducing today's Flash abilities.

"The Web (including video, games, animation) is too vital a platform for business, communication, and society to be in the hands of any single vendor," Lawson said. "But it'll be a while; there is a huge body of existing content that uses Flash."

It's not just a matter of the installed base of Flash on the Web, though. Although HTML5 and its associated technologies are maturing rapidly, and because they evolve concurrently with browser support, they're arriving and relevant now even though incomplete. But many developers are likely to sit on the sidelines until things settle down in 2010 and perhaps beyond.

Open Web allies

After years of HTML standardization disarray, browser makers Apple, Opera, Mozilla, and most recently Google now are hammering out new directions for Web standards.

Perhaps the most visible HTML5 aspect is built-in support for audio and video, but there are other HTML abilities under way: storing data on a computer for use by an application, Web Sockets for periodically pushing updates to a browser, Web Workers for letting Web programs perform multiple tasks at once, and Canvas for better two-dimensional graphics.

At the same time, these allies marching under the "Open Web" banner also are creating new standards such as WebGL for accelerated 3D graphics on the Web, enabling better typography through CSS (Cascading Style Sheets) and Web fonts, beefing up support for others including SVG (Scalable Vector Graphics), and improving the power of JavaScript for writing Web-based programs.

Even Microsoft, despite sitting out much of the last decade's browser development activity and having a Flash rival called Silverlight to promote, is getting involved. It pledges interest in Web standards and in recent months engaged in HTML and SVG development. "The positive response has been overwhelming," said Patrick Dengler, a senior program manager on the IE team, in a blog post Monday about SVG Microsoft's SVG involvement.

In addition to some philosophical opposition to Adobe's proprietary Flash software, there's a practical complaint, too: crashes. It's a major reason Mozilla is rushing out a new "Lorentz" version of Firefox that isolates plug-ins into a separate computing process so problems don't bring down the whole browser.

Here's one new example in action: a browser application that lets people drag an image onto the browser, which stores it locally on the computer, enables various editing abilities, resizes it to a small size, and uploads it to TwitPic using Twitter login credentials. And some more: a Star Wars imperial walker animated in CSS, Windows 3.1 reconstructed in JavaScript, and a first-person gifter game using Canvas.

But there are real-world sites, too, that forsake Flash. For example, the iPhone Google Voice application runs in the browser.

Flash advantages

It's far from game-over for Flash, though.

The Open Web work is chaotic, fluid, and scattered, and browser support for its various elements is inconsistent when it exists at all. Flash is a single browser plug-in that provides consistency from one computer to the next. And unlike with browsers, where Microsoft's 2001-era Internet Explorer 6 has only recently been dethroned as the most-used browser, most people upgrade to new Flash versions relatively rapidly.

Formal standardization proceeds slowly. HTML5 editor and Google employee Ian Hickson opened the last call for HTML5 comments in October for WHATWG (Web Hypertext Application Technology Working Group), which has been working on HTML5 for years. But that group works jointly with the more straight-laced W3C (World Wide Web Consortium) to come up with the standard.

So today, if you're publishing The New York Times' graphical tour of the federal budget proposal, Flash is the obvious choice.

The difficulties of HTML5 video is a good illustration of difficulty of matching Flash. Flash video can use a variety of "codecs" for encoding an decoding video as it's sent from server to viewer. Viewers don't need to know anything beyond how to click a video's "play" button, a contrast to Net video's incompatibility-fraught early days.

But with HTML5, though, there are two prevailing codecs right now: H.264, supported by Apple's Safari and Google's Chrome, and Ogg Theora, supported by Firefox, Chrome, and, according to plan, Opera. IE, the dominant browser, doesn't support any at HTML5 video at present.

What's a video streamer to do? If a Web site supports HTML5 video at all--YouTube just started experimenting with it--it's safest to include Flash as a fallback for the vast number of people whose browsers today can't use HTML5 yet.

Another thing: the Open Web allies may be close to reproducing what Flash has today--but not necessarily what it's getting tomorrow. Adobe's Lynch last year pledged to advance Flash, keeping it "a leading agent in terms of exploring what's possible in the Web."

Finally, programming tools aren't as mature for the hodgepodge of Open Web tools.

One reason for that immaturity is that HTML5 and related technologies aren't finalized yet, Lawson said. Another: "You're relying on browsers interoperating--which historically has never been the cleverest bet, although as the specs become final there's a better chance," he said.

Cooler heads

HTML vs. Flash has the potential to become a religious war. As long as there have been programming languages, there have been arguments about which tool is the best for getting the job done, and this issue has some extra elements that add some emotion to the mix.

There are plenty of Firefox-using open-source fans who chafe at proprietary plug-ins, and they're accustomed to making their opinions heard. Another group enjoys bashing Flash as a conduit for in-your-face online advertising. Add a little Apple iPad love-hate invective into the mix, and you've got great potential for Flash bashing.

"People want a certain 'killer' narrative: Good guys vs. bad guys, open vs. proprietary, blah blah," said John Nack, Adobe's Photoshop principal product manager but also a defender of Flash in his spare time.

Indeed, it's probably wiser to take a deep breath and accept that both technologies will prevail and neither will conquer the other any time soon.

Perhaps the gulf isn't as wide as it appears. Don't forget that Adobe has HTML authoring tools as well, and its AIR (Adobe Integrated Runtime) software foundation includes not just a Flash player, but also the WebKit HTML-handling engine that's also in Safari and Chrome. Adobe has a big investment in Flash, but count on its HTML interest increasing as that technology matures.

In the big picture, Adobe sees a place for both but not a day when the Web can dispense with Flash.

"Longer term, some point to HTML as eventually supplanting the need for Flash, particularly with the more recent developments coming in HTML with version 5," Lynch said. "I don't see this as one replacing the other, certainly not today nor even in the foreseeable future."

Read More

Adobe CTO Kevin Lynch Defends Flash, Warns HTML5 Will Throw The Web “Back To The Dark Ages Of Video”

Adobe’s Flash technology has been taking a beating lately. Apple still won’t support it on its upcoming iPad or its iPhone. Steve Jobs calls it buggy and crash-prone and dismisses Adobe as being lazy. Adobe is trying to fight the negative vibes emanating from Cupertino and elsewhere. It has already pointed out that it will be easy to convert Flash apps into iPad apps, and now CTO Kevin Lynch is weighing in to defend Flash.

In a blog post today, Lynch addresses the two major threats to Flash: Apple’s refusal to support it on mobile touchscreen devices and the rise of HTML5 as a new, open standard which may one day replace Flash. On Apple, Lynch says Adobe is ready and able to put Flash on the iPhone, the iPad or anything else Apple can throw its way. But, as has been the case for more than a year, the ball is in Apple’s court:

We are ready to enable Flash in the browser on these devices if and when Apple chooses to allow that for its users, but to date we have not had the required cooperation from Apple to make this happen.

Lynch points out that the next version of Flash for smartphones, 10.1, is about to become available and that practically all other smartphones will support it, including Android, Blackberry, Nokia, and Palm Pre. If they can handle it, why can’t an iPhone?

But the bigger long-term threat to Flash is HTML5, especially for rendering video. Lynch says that 75 percent of video on the Web currently is shown in a Flash player. That number could decline if HTML5 video starts to take off. Google (via YouTube, Chrome, and other products) and others are pushing HTML5 hard. Lynch tries to pretend that HTML5 is not a threat, saying in the same breadth that Adobe supports HTML5, but its incompatibilities across browsers spells doom for the Web. He writes:

Adobe supports HTML and its evolution and we look forward to adding more capabilities to our software around HTML as it evolves. If HTML could reliably do everything Flash does that would certainly save us a lot of effort, but that does not appear to be coming to pass. Even in the case of video, where Flash is enabling over 75% of video on the Web today, the coming HTML video implementations cannot agree on a common format across browsers, so users and content creators would be thrown back to the dark ages of video on the Web with incompatibility issues.

HTML5 is still a young technology, and those incompatibility issues can be solved over time. Flash is still a more capable technology when it comes to rendering video, but HTML5 is advancing faster and as a native Web standard it has many other advantages which may help it win over time.

Adobe is in a battle for developers, who buy its Creative Suite software to make Flash apps. As long as Flash is the de facto standard for video and animation on the Web, those sales will not be threatened. But if Flash developers migrate to other technologies to build better apps for the Web and mobile devices such as the iPhone and iPad, Adobe’s competitive position will be weakened. It will defend Flash to the death.

Read More

War of Words Between Apple and Adobe Heats Up

There's been no love lost between Apple and Adobe for a while now, ever since Apple decided to not allow Flash on the iPhone. But since the iPad was announced with an equal lack of Flash, things have gotten ugly.

First, Adobe posted a screed about how lame it was that Apple wasn't including Flash on the iPad. Then, Steve Jobs himself called Adobe "lazy" and blaming Flash for most Mac crashes. Now, Adobe is back to its Flash blog with another salvo.

First, they address and attempt to debunk the various reasons Apple has for blacklisting Flash. Then, they go for the heart of the matter:

But I want to be very clear. My concern isn't just about Flash on the iPad. It's about a disturbing trend where Apple is starting to inhibit broad categories of innovation on their platforms. On the iPad, it looks like developers won't be able to write applications in Java, .net, Python, Ruby, Perl, or any number of other languages (including Flash). And users won't be able to install Firefox, Opera,IE, or any third party browser. There are countless other examples of applications and technologies that Apple doesn't allow. Why? Apple won't say.

And innovation isn't just about technology, it's also about business models. Developers on this new platform aren't able to innovate there either. At best, developers targeting the iPad are subject to a 30% Apple Tax in the App Store. And at worst, developers invest time and money building a product that can never be brought to market, because the only channel is one that is centrally controlled and entirely opaque. In every case, Apple is a gatekeeper on how developers are able to deliver content to their consumers.

Over time, restrictions on technology and business opportunity have a chilling effect on innovation on closed platforms.

In the end, this is a tricky situation. On the one hand, Flash is a relatively insecure and resource-heavy plugin that would invariably cause some problems if used on the iPad. In a year or so, HTML5 will be replacing it for most of its biggest uses, such as streaming video.

However, it isn't a year from now, and Flash is still heavily used all around the web. It's just a fact of life that if you want a full internet experience right now, you need to have Flash.

So neither side is entirely right or entirely wrong. But something tells me that Apple isn't going to cave, and as HTML5 gets rolled out over the next year, they'll have fewer and fewer reasons to even consider it. Sorry, Adobe.

[Adobe]

Read More

Steve Jobs: Google's "Don't Be Evil" Mantra is "Bulls***"

During that Apple town hall meeting we mentioned earlier this week CEO Steve Jobs reportedly had some choice words regarding Google that left little doubt about how the outspoken executive sees the competition. Updated.

That "Don't be evil" slogan Google's known for? "Bullshit" Jobs said, after which he was reportedly rewarded with a big round of applause from the gathered throng of Apple employees.

Also about Google, Jobs said that company "entered the phone business. Make no mistake they want to kill the iPhone. We won't let them."

Jobs also singled out Adobe, calling the company "lazy" because, in his opinion, "they have all this potential to do interesting things but they just refuse to do it." Jobs also criticized Flash for being buggy. When a Mac crashes, it's usually because of Flash, he reportedly told the crowd. "The world is moving to HTML5", he said.

Reports that the town hall meeting was adjourned with a gavel that made a loud Bing sound were completely fabricated and made up by me just now.

Update: Mac Rumors and Daring Fireball have an update on this. Most of Wired's quotes are paraphrased, and with that came some discrepancies between what may have been said and what was written to page. One change being "bullshit" was probably more along the lines of "full of crap." So, same sentiment, different word choice. Also, while the lazy quote hasn't been disputed, the tone may have been. Daring Fireball's John Gruber said an attendee wrote to say Jobs was actually very nostalgic about the "kick ass Adobe of old."

Update 2: We're now learning that the next iPhone update with be an "A+ update" (which probably means "substantial," but that's no surprise). Furthermore, on that front, the updates will be such that Google/Android "won't be able to keep up" with them (meaning competition lit a fire, perhaps?).

Other juicy tidbits:

- The Lala folks are probably destined for the iTunes team
- The Macs for 2010 are "going to take Apple to the next level" (???)
- And, Blu-Ray software "is a mess," and Apple will continue to keep its distance until sales take off

[Wired]

Read More

Adobe Busts Out Porn in iPad Flash Crusade

Adobe is not going to take Flash's exclusion from the iPad lying down. Their latest salvo: enlisting their friends at Bang Brothers to show just how badly you're going to miss Flash video on Apple's new device.

Lee Brimelow over at TheFlashBlog provides ten examples of pages that will be incapacitated on the iPad due to the lack of Flash, ranging from Disney to Google Finance to... well, to hard core pornography. In fact, it's near the top of the list, at the intersection of Hulu and CNN.

Low blow? Possibly. But the iPad is at heart a content delivery device, and last I heard pornography was pretty popular on these here internets. Then again, given the lack of built-in kickstand, trying to watch porn on the iPad might give a whole new meaning to tablet sutra.

[The Flash Blog via Wired]

Read More

Adobe Responds to the iPad's Lack of Flash

As you're probably aware, the Apple iPad, like the iPhone and iPod Touch, doesn't support Flash. Apple has its reasons for this, but clearly Adobe isn't happy about it. Here's their response.

It looks like Apple is continuing to impose restrictions on their devices that limit both content publishers and consumers. Unlike many other ebook readers using the ePub file format, consumers will not be able to access ePub content with Apple's DRM technology on devices made by other manufacturers. And without Flash support, iPad users will not be able to access the full range of web content, including over 70% of games and 75% of video on the web.

If I want to use the iPad to connect to Disney, Hulu, Miniclip, Farmville, ESPN, Kongregate, or JibJab — not to mention the millions of other sites on the web — I'll be out of luck.

Adobe and more than 50 of our partners in the Open Screen Project are working to enable developers and content publishers to deliver to any device, so that consumers have open access to their favorite interactive media, content, and applications across platform, regardless of the device that people choose to use.

The main arguments against Flash running on the iPad are that it's a resource hog and a security risk. Both true! Hopefully the web is moving away from relying on Flash for videos and ugly menus, with HTML5 acting as a more-than-adequate replacement. But we're not there yet. While I can appreciate the fact that Apple is trying to keep the iPad more stable by not including Flash, the fact that it kills off most online gaming and video streaming in the process makes the tradeoff questionable.

[Adobe]

Read More

Firefox, Adobe top buggiest software list

Firefox was the application that had the most reported vulnerabilities this year, while holes in Adobe software more than tripled from a year ago, according to statistics compiled by Qualys, a vulnerability management provider.

Qualys tallied 102 vulnerabilities that were found in Firefox this year, up from 90 last year. The numbers are based on running totals in the National Vulnerability Database

However, the high number of Firefox vulnerabilities doesn't necessarily mean the Web browser actually has the most bugs; it just means it has the most reported holes. Because the software is open source, all holes are publicly disclosed, whereas proprietary software makers, like Adobe and Microsoft, typically only publicly disclose holes that were found by researchers outside the company, and not ones discovered internally, Qualys Chief Technology Officer Wolfgang Kandek said late on Wednesday.

Meanwhile, Adobe took the second-place spot from Microsoft this year. The number of vulnerabilities in Adobe programs rose from 14 last year to 45 this year, while those in Microsoft software dropped from 44 to 41, according to Qualys. Internet Explorer, Windows Media Player and Microsoft Office together had 30 vulnerabilities.

A shift in focus

The numbers illustrate the trend of attackers turning their focus away from operating systems and toward applications, Kandek said.

"Operating systems have become more stable and harder to attack and that's why attackers are migrating to applications, he said. "Adobe is a huge focus for attacks now, around 10 times more than Microsoft Office. However, other widely used targets like Internet Explorer and Firefox are still far from secure."

Research from F-Secure earlier this year provides further evidence that holes in Adobe applications are being targeted more than Microsoft apps. During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDFs at nearly 50 percent, followed by Microsoft Word at nearly 40 percent, Excel at 7 percent, and PowerPoint at 4.5 percent.

That compared with Word representing nearly 35 percent of all 1,968 targeted attacks in 2008, followed by Reader at more than 28 percent, Excel at nearly 20 percent, and PowerPoint at nearly 17 percent.

As a result, Adobe needs to respond the way Microsoft did in 2002 when it launched its Trustworthy Computing initiative, and make securing its software a company-wide priority, researchers say. F-Secure even recommended that people stop using Reader and use an alternative PDF reader.

Adobe has taken some action, announcing in May that it would release its security updates on a regular schedule, quarterly and coinciding with every third Microsoft Patch Tuesday.

Another study released this week focuses on which applications are the riskiest to users. Based on the most severe vulnerabilities in popular applications that run on Windows and which are not updated automatically, Firefox again tops the list, followed by Adobe Reader and Apple QuickTime, according to Bit9, a provider of application whitelisting technology.

The list of risky software compiled by Bit9 based on the National Vulnerability Database also includes Java, Flash Player, Safari, Shockwave, Acrobat, Opera, Real Player, and Trillian. Last year, the Bit9 list of the most risky apps included Skype, Yahoo IM, and AOL IM, but those three were not on this year's list.

Not included on the list are programs from Microsoft and Google because of the ability for users of their software to have patches installed automatically. Microsoft software can be automatically and centrally updated via the Microsoft Systems Management Server and Windows Server Update Services, and Google Chrome is automatically updated when users are on the Internet, Bit9 said.

The lists do not take into account the amount of time it takes for companies to release patches, particularly when there is an exploit in the wild. Bit9 noted that Microsoft Internet Explorer was given an "honorable mention" because of a zero-day vulnerability related to ActiveX that went unpatched for three weeks in July.

Microsoft isn't alone in taking longer than customers would like to fix holes. In March, Adobe released a patch for a zero-day vulnerability in Reader and Acrobat--about two weeks after it was disclosed to users and nearly two months after exploits had been discovered in the wild.

Adobe customers will have to wait about a month for a fix to the latest critical zero-day hole in Reader and Acrobat. The company announced on Wednesday it would not patch the vulnerability until its next scheduled quarterly security update release on January 12.

Read More