Vincent Danen agrees Adobe Flash is a security pitfall but knows that it cannot be avoided entirely. Here are some ways to minimize the risk and the pain of Flash on the web.
It's no secret that Adobe's Flash Player is one big pile of awful that causes problems for many users on the Internet. There are fewer legitimate uses for Flash now, with HTML5 supporting audio and video, using open standards, and better codecs. Sadly, Flash is a technology that many web developers have spent a lot of time and money to learn, and there are some pretty fantastic web sites out there written in Flash, so it isn't something that most people are ready to part with.
Flash is pretty. There is no denying that. However, having said that, Flash is evil. As much as this is opinion, it is also fact. Adobe tries desperately to have a quarterly update schedule for their products, including Flash, and they are failing miserably because there are so many security holes continually found in it. Peruse the Adobe security bulletins page and you'll see that it has had a pretty bad run of things this year.
And now with the MacBook Air no longer shipping with Flash pre-installed, I think we can see where Apple, at least, is headed. No more Flash on the Mac, at least not provided by Apple. Google, on the other hand, has taken a different approach. They will support Flash in the Chrome web browser, but they are sandboxing it, meaning that the tab or web page with Flash content can in no way interact with other windows or tabs with other web sites loaded.
That is a safe alternative because, let's face it, Flash is here and will be here for a long time to come. YouTube and many other sites offer only Flash content to most users (YouTube serves H.264 video to iPhone users but Flash to everyone else).
If you're not into using Google Chrome, there are other alternatives. One is ClickToFlash, a plugin for Safari. With ClickToFlash, Flash is not automatically loaded unless you request it (click on the substituted Flash logo on the web page). Using ClickToFlash, you get to determine whether or not the Flash Player is loaded, not the web site. From a security perspective, this is welcome as there is a lot of malicious Flash content out there to take advantage of people running old versions of Flash Player.
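To make the click-to-play idea concrete, here is a small added example of the mechanism ClickToFlash applies: find the Flash embeds in a page, swap each one for an inert placeholder, and only put the original back when the user asks for it, with an allowlist for sites the user trusts. This is illustrative code written for this article, not ClickToFlash's own source. It works on an HTML string instead of a live browser DOM so it can run in Node, and the function names (`deferFlash`, `activate`), the `TRUSTED_HOSTS` list and the sample page markup are all constructed for the demonstration.

```javascript
// Click-to-play filter, illustrative only (not ClickToFlash's code).
// Operates on an HTML string rather than a browser DOM so it runs in Node.

// Hosts the user has chosen to trust: constructed sample data, not a real list.
const TRUSTED_HOSTS = new Set(["video.example.com"]);

// Matches <object ...>...</object> blocks and <embed ...> tags.
// Deliberately simplified matcher for well-formed sample markup; a real
// blocker would work on parsed DOM nodes, not regular expressions.
const FLASH_TAG_RE = /<object\b[^>]*>[\s\S]*?<\/object>|<embed\b[^>]*\/?>/gi;

// A tag counts as Flash when it declares the Flash MIME type or points at a .swf file.
function isFlash(tag) {
  return /type\s*=\s*["']?application\/x-shockwave-flash/i.test(tag) ||
         /\.swf\b/i.test(tag);
}

// Returns the host of the first .swf URL found in src/data/value attributes, or null.
function flashHost(tag) {
  const m = tag.match(/(?:src|data|value)\s*=\s*["']([^"']+\.swf[^"']*)/i);
  if (!m) return null;
  try {
    // Base URL is a constructed stand-in for the page's own origin.
    return new URL(m[1], "https://page.example.org/").host;
  } catch (e) {
    return null;
  }
}

// Replaces every untrusted Flash embed with a placeholder. Returns the rewritten
// HTML plus the original tags keyed by placeholder id, so the user can restore
// exactly the ones they want and nothing else.
function deferFlash(html, trusted = TRUSTED_HOSTS) {
  const deferred = new Map();
  let n = 0;
  const out = html.replace(FLASH_TAG_RE, (tag) => {
    if (!isFlash(tag)) return tag;             // non-Flash <object>, leave alone
    const host = flashHost(tag);
    if (host && trusted.has(host)) return tag; // trusted site: load as normal
    const id = `ctf-${n++}`;
    deferred.set(id, tag);
    return `<div class="ctf-placeholder" data-ctf="${id}">Click to load Flash</div>`;
  });
  return { html: out, deferred };
}

// Puts one original embed back in place of its placeholder, i.e. the user clicked.
function activate(result, id) {
  const tag = result.deferred.get(id);
  if (!tag) return result.html;
  const placeholder = new RegExp(
    `<div class="ctf-placeholder" data-ctf="${id}">[^<]*</div>`);
  return result.html.replace(placeholder, tag);
}

// Constructed sample page: a 1x1 tracking banner, a trusted video player,
// a non-Flash SVG object, and an untyped .swf embed.
const SAMPLE_PAGE = `
<p>Article text</p>
<embed src="https://ads.example.net/banner.swf" type="application/x-shockwave-flash" width="1" height="1">
<object data="https://video.example.com/player.swf" type="application/x-shockwave-flash"><param name="autoplay" value="true"></object>
<object type="image/svg+xml" data="/logo.svg"></object>
<embed src="https://cdn.example.org/movie.swf" width="640" height="360">
`;

// Demo run: two embeds are deferred, the trusted player and the SVG load as-is.
const filtered = deferFlash(SAMPLE_PAGE);
console.log(filtered.html);
console.log(`deferred ${filtered.deferred.size} Flash embeds`);
```

The point of the allowlist check is the one the post makes: the decision to run Flash moves from whoever wrote the page to the person sitting at the browser. Everything not on the list stays inert until clicked, so a page cannot fire up the plugin on its own.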
Once you've downloaded and installed ClickToFlash, restart Safari and load the ClickToFlash preferences via the "Safari" menu bar option, then ClickToFlash, then Settings. Here you can enable it, and tweak the preference settings, such as turning off automatically loading invisible Flash views (if it's invisible, why load it?).
The current version of ClickToFlash is 1.5.5, and telling it to load H.264 from YouTube doesn't work for me. Hopefully this is just a bug in the current version and will be fixed shortly. You can load the Flash files from YouTube, or use the Safari Develop menu to change the user agent to something like Mobile Safari 4.1 for iPhone (it will then load H.264 videos from YouTube).
If Safari isn't your browser of choice, you can also use Flashblock with Firefox or Camino. It will also block Flash, but rather than selectively playing the Flash in the browser when you click on it, it will instead download the Flash file to the system to be viewed off-line.
For those using mobile computers, like the MacBook Air, not having Flash load whenever a web page feels like firing it up will also increase battery life, decrease unnecessary CPU usage, and leave the computer running cooler and quieter. As well, by only loading Flash on trusted sites, and only the bits of Flash that you actually want to see, you avoid a large pile of potential security pitfalls that malicious sites and users care to throw your way.
Tools like ClickToFlash and Flashblock give back control to whom it belongs. You.