Adobe will keep patching Flash on mobile devices for now
By Gregg Keizer
Adobe has promised to support the soon-to-be-orphaned Flash Player plug-in for mobile browsers, but has not said how long it will continue to patch security bugs in the software.
In a blog post Wednesday, Danny Winokur, the Adobe executive in charge of interactive development, said that the company would release one more version of Flash Player for Android and RIM’s PlayBook before calling it quits. That last version, labeled 11.1, shipped Thursday.
Winokur, however, pledged that Adobe would keep patching bugs in its mobile Flash Player. “We will of course continue to provide critical bug fixes and security updates [emphasis added] for existing device configurations,” said Winokur. His mention of “critical bug fixes” may not mean much, as Adobe typically rates all its Flash security updates as “critical” across the board.
Another Adobe manager repeated that promise in a message on Twitter Thursday. “Adobe will continue to ship security updates for Flash Player mobile after the final feature release,” said Brad Arkin, the company’s senior director of product security and privacy.
But neither Winokur or Arkin spelled out how long Flash Player 11 security updates will be offered for smartphones and tablets. And on Thursday, Adobe’s public relations staff declined to comment on a support timeline.
That struck Andrew Storms, director of security operations at nCircle Security, as odd. “Why would they not tell us?” Storms asked. “That’s to the detriment of everybody. If they make a date [for the end of support], that would get users off it sooner and force developers to get off Flash, too.” Storms speculated that Adobe may not have yet decided, or that commitments—such as to one or more mobile service providers—may have tied their hands.
Adobe’s support policies aren’t any help in calculating Flash Player’s remaining time because unlike Microsoft, which hews to a time-oriented support lifecycle—five years for consumer products, ten for enterprise software—Adobe does not. Instead, the company promises to support only the current major version and the one before that.
However, sometimes Adobe pulls the trigger early “as a result of changing market conditions and impact to customers,” according to its website. Last February, for example, Adobe retired Flash Player 9 even though Flash Player 11 had not shipped, citing the former’s five-year run and its paltry 2 percent market share at the time. Adobe’s handling of Shockwave Player may be a better clue: Although Shcokwave Player 11 was introduced in March 2008, Adobe is still pushing patches to users, most recently on Tuesday.
Adobe did also provide a patch for Flash Player on Thursday, releasing 11.1 for not only Android but also desktop browsers on Windows, Mac OS X and Linux. The update fixed 12 flaws, all considered critical, most of them memory corruption vulnerabilities. Yesterday’s update was the ninth this year for Flash Player, nearly double the number Adobe released in 2010.
Users running desktop browsers other than Chrome—which packages Flash Player within the browser—can download the patched version from Adobe’s site; Chrome users can get it by checking for updates within the application. Android users can obtain Flash Player 11.1 from the Android Market.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg’s RSS feed. His email address is email@example.com.