A critical security flaw in Acrobat Reader 9.x and 10.x as reported by CVE can "allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption)". According to an Adobe notice dated June 4: "There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat." The solution is to upgrade to Flash Player 10.1.
Unfortunately, that is easier said than done for those of us who run a 64-bit Linux distribution. On Tuesday Slashdot reported that Adobe has, at least temporarily, ended support for Flash Player on 64-bit Linux. No updated version is available. Adobe's message for 64-bit Linux users, at least for now, is "No Flash for you!"
Adobe explains the decision as follows:
"We have temporarily closed the Labs program of Flash Player 10 for 64-bit Linux, as we are making significant architectural changes to the 64-bit Linux Flash Player and additional security enhancements. We are fully committed to bringing native 64-bit Flash Player for the desktop by providing native support for Windows, Macintosh, and Linux 64-bit platforms in an upcoming major release of Flash Player."
Some in the Linux community are not so sure about how "fully committed" Adobe really is. Bob Robertson, writing in the LXer forum, was hardly alone in his doubts:
"Adobe's problem is thinking they can survive whilst cherry-picking platforms."
The developers of SalixOS, a Slackware derivative with a 64-bit build, chose to add gnash, an FOSS alternative to Flash, to their repository. They also configured the repository to have the automated updates available in that distribution replace Flash 10.0.45.2 with gnash 0.8.7.
Unfortunately switching from Flash to gnash is not without problems. The official project website notes that gnash "supports most SWF v7 features and some SWF v8 and v9." The fact that the full features of recent Flash versions are not supported means that many websites are simply not displayed properly with the gnash browser plugin. There are additional issues. SalixOS developer gapan described them in his announcement of the change:
"CPU usage is high, higher than flash's. And I think that if you leave a page that includes a youtube video open for some time, CPU will hit 100% until you close that page. But at least it plays all youtube videos I tried. There is one issue though: if you get a 'An error occured, please try again later' error in youtube, you need to clear your browser of all youtube cookies and block youtube from setting any new cookies."
He goes on to explain the importance of the decision:
"I think this is the best course of action we could take. Security should matter above anything else. If someone really needs the proprietary flash-plugin, then they should better stick with a 32-bit system, or add 32-bit libraries in their 64-bit system and run a 32-bit browser that will use the 32-bit plugin."
Others in the forum had a different idea: keep the old Adobe Flash Player plugin but run Flashblock to mitigate some of the risk. The problem with this solution is that whenever Flash is enabled so is the rather serious vulnerability. Flashblock is very useful, however, for eliminating the performance issues associated with gnash on sites where viewing Flash is just not necessary, i.e. when it is used strictly for advertising.
Until Adobe is ready and willing to resume support, Linux distributors with 64-bit builds and end users alike are forced to choose between a number of less-than-satisfying solutions.
Note: A tip of the hat to the Seinfeld episode which inspired the title of this article. Adobe's decision to leave many Linux users without Flash support seemed every bit as capricious and inappropriate to me as the character in that television program.
UPDATE (22 June 2010): Stephen Shankland at CNet has an excellent article published yesterday which explains why this is a major issue and what is at stake for Adobe. His article in their Deep Tech column is recommended reading for those who have commented and think this is no big deal.
Those who have suggested running 32-bit libraries and nspluginwrapper and pointed to the Debian forums may want to note the PulseAudio problems and the reported browser crashes and freezes in that thread. Those who are offering this "solution" should be aware that it is problematic at best for many users.