Bookwyrm627: It is almost a programmer axiom that any worthwhile code will have bugs somewhere. So it will probably always be insecure in different places.
timppu: It is given that there are bugs, but somehow... security bugs that make the usage very risky? Are the features containing all those security risks really that important that we couldn't live without them? What's the main purpose of Flash Player, and is it impossible to reach that kind of functionality (from user's perspective) securely?
I presume the current open vulnerability is this one (just after Adobe fixed an earlier one I think):
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html What does it take to have even a moderately secure system that doesn't infect and take control of your system by merely visiting a damn web site with infected ads? That sounds as silly to me as getting a brain tumor from watching some movie from the TV. Is the only way to go some strictly walled-garden system, just so that watching a damn video wouldn't be so risky?
It isn't restricted to hazy sites only, sometimes quite known and respectable sites have had infected content/ads too.
I'm kinda getting fed up with java and Flash Player due to these kind of problems, I'll have to check whether I could do completely without them. Gladly the online bank I use apparently stopped using Java at some point.
EDIT: The Adobe page says this:
February 2, 2015 - removed Flash Player version 11.x from the list of affected versions. Version 11.x and earlier do not support the functionality affected by CVE-2015-0313.
timppu: i wonder what functionality that is, something veeery important and useful I presume? At least for the exploiters.
Note: I haven't tried to do any research; this is just my current understanding of things. Also, some of this will be basic information to help illustrate my points; I don't mean to insult you (or anyone else reading this) by assuming you don't know something.
Flash Player (and other content players) take code and, based on what the code says, tell the computer what to do. With that in mind,
the computer has no clue what the difference is between a legit video and what we would call a virus; both are just a series of instructions the computer is carrying out. So it falls to the programmer to implement safe guards to keep system-killing code (virus) from being run. The more powerful you make the code-running program (Flash Player), the more risk you take if it starts running malicious code. Often, it takes more work to make the player more powerful, as well. More work = more code = more points where things can go wrong and the harder it can be to find them. And coding standards have generally been improving over the years; if you keep building on an older code base then the code might be incredibly difficult to debug. If you don't use the old code base, then you are starting from scratch.
When trying to prevent problems from cropping up, the advantage lies with those trying to doing the infecting. The preventers have to effectively see into the future to block everything; the infectors can just poke and prod at the current build until they find a weakness. Something as simple as checking slot 11 in a size 10 array can provide an opening. Have a look at this comic for another idea:
http://xkcd.com/1354/
This analogy will probably have massive holes and is almost certainly terrible, but I like it regardless:
You want some brownie batter (a video to watch). So you tell your computer to go to a particular store (website) and then make the brownie batter. Your computer's browser goes out shopping for the ingredients (the code that defines the video electronically) and the browser grabs the package with all the ingredients. Flash player takes the ingredients and runs them through the recipe it has, and BOOM! brownie batter. Unfortunately, sometimes the eggs have salmonella. And sometimes some jerk has managed to slip a razor blade into the food.
EDIT: On reflection, you are probably mostly venting. I'll be quiet now.
