Beginning Tuesday, Microsoft is reversing itself and adding Flash back into the Internet Explorer 10 browsers used by Windows 8 and Windows RT. The browser will use a “touch-enabled” version of Flash optimized with Adobe.

Specifically, Flash will be enabled with the Windows 8-style “Metro” environment by default, Microsoft said. It will continue to run, as it previously has, within the Windows 7-like desktop, the alternative user interface still used by some apps. Microsoft has also flip-flopped its security protocols, swapping a “whitelist” of approved Flash sites for a blacklist of sites which are now prohibited.

Usability vs. Security

Microsoft’s decision has two key aspects: usability and security. On the usability side, people who use Windows 8 and Windows RT, including those who have purchased the two variants of Microsoft’s Surface tablet, will be able to take advantage of the numerous Flash games available online. On the other hand, adding back Flash also opens IE users to Flash vulnerabilities that the browser might have previously weeded out.

Before today’s change, Microsoft maintained a so-called “whitelist” of approved sites that could run Flash within the IE10 environment. Now, however, that so-called “Compatibility View List” will block (or “blacklist”) those sites that don’t meet Microsoft’s criteria for usability and reliability, or security. On Windows 8, they’ll be banished to the desktop via an ugly error message. On Windows RT, they won’t run at all.

“We believe having more sites ‘just work’ in IE10 improves the experience for consumers, businesses, and developers,” Rob Mauceri, the group program manager for Internet Explorer, wrote in a blog post. “As a practical matter, the primary device you walk around with should give you access to all the Web content on the sites you rely on. Otherwise, the device is just a companion to a PC. Because some popular Web sites require Adobe Flash and do not offer HTML5 alternatives, Adobe and Microsoft continue to work together closely to deliver a Flash Player optimized for the Windows experience.”

A guide for developers provides some additional guidance – namely, that Microsoft isn’t giving up its emphasis on HTML5 over Flash. And just because IE10 now supports Flash doesn’t mean Microsoft will bless any old implementation. Any app that requires a double-click, for example, will be frowned upon, as will apps that call Flash for panning, zooming, rotating and swiping. The use of cameras and microphones powered by Flash code will also not be allowed.

Fortunately, fewer than 4% of sites on the Web fall on the CV blacklist, Microsoft said.

Security Headaches?

Microsoft’s Mauceri wrote that the new version of Flash has been “optimized for touch, performance, security, reliability, and battery life. Adobe made substantial changes to the Flash player to align with the Windows 8 experience goals.”

Unfortunately, that also means that IE10 will require Flash-specific patches, too. While Flash may not be as vulnerable as Java – recall that the U.S. Computer Emergency Readiness Team (US-CERT) recommended that Java be disabled in January, even after Oracle issued an out-of-band update – Flash is frequently patched. That’s a double-edged sword: It means that Flash is constantly being attacked, even as Adobe and others constantly update it. In May 2012, for example, Adobe discovered and patched a vulnerability that could hijack Windows PCs. Adobe representatives did not respond to requests for comment via a Web form. According to Microsoft, any needed Flash updates will be delivered via Windows Update… no surprise there.

This is a big issue because from a security standpoint, Internet Explorer is a gateway into Windows PCs. And both Flash and Windows. are constantly in dynamic states of security. 

Microsoft should be congratulated for maintaining the CV blacklist as an additional layer of security, simply refusing to access sites that it knows harbor malware. Unfortunately, “innocent” sites that merely display their content in ways that are unfriendly to touch screens or IE10 may also be blocked. Developers can manually request their sites to be unblocked (with the number of visitors being one criteria) and use sites like Microsoft’s IE-friendly to facilitate its removal.

A Microsoft spokesperson had this to say: “Adobe and Microsoft have worked closely together for some time to address security and reliability issues, sharing best practices like the SDL and ASLR as well as information on hangs and crashes. We are also working together on accessibility, manageability, and privacy. Flash updates with the Windows Update mechanism to distribute security updates from Adobe to meet expectations of Windows customers with regard to security updates and delivery of those updates.”

Flash Is Dead. Long Live Flash?

Flash may not be inherently bad – but it sure has plenty of enemies. Adobe itself pulled the plug on mobile Flash development last year, and groups like OccupyFlash would like to eliminate it from the desktop, as well. (BlackBerry, for some reason, has chosen to cling to Flash in BB10.)

“Flash Player is dead,” the site’s manifesto reads. “Its time has passed. It’s buggy. It crashes a lot. It requires constant security updates. It doesn’t work on most mobile devices. It’s a fossil, left over from the era of closed standards and unilateral corporate control of web technology.”

That analysis is absolutely right. If Flash isn’t dead yet, it’s surely dying. But just as Windows users gripe about backwards-compatibility with their favorite apps and games, so must the Web hold on to Flash. For now, at least.

Image Source: Robot Unicorn Attack