[QUOTE=Ibex;2786882]It should be mentioned that using an old version is very risky. Adobe Flash is one of the most popular attack vectors for web-based attacks & malware. Older versions will contain unpatched vulnerabilities.[/QUOTE]
Thus I recommended disabling the Flash plugin on all websites except for trusted ones (YouTube etc.). I’ve been working in cyber security for over 10 years and it has always disturbed me when customers, whether they be business or home users, rely on security updates for their protection; I even had a bit of a “debate” over this recently on another forum. This is exactly the way you get hacked: waiting for companies to detect the malware, analyze it, patch it, validate the patch and then deliver it to the users. It takes time to do all of that, and even after it’s done you are only protected from that one specific vulnerability, and malware authors are constantly developing new ones. Relying on software updates is not a serious security precaution. If you want to secure your system or network, the only way you can effectively do that is by blocking and/or changing user behavior. The latter is easier in a home environment; the former can be employed in all cases and is the only truly effective measure: blocking execution of attack code.
Of course you are relying on the websites you whitelist not to get penetrated by hackers, thus you need to be very careful while crafting the list. Sites like YouTube or USA Today have a rather low chance of being hacked, and even if they were, an even lower chance that you actually got infected, because they employ professional teams who work on detecting and countering such hacking attempts 24/7. In any case, it’s more than likely that if a high-profile site such as USAToday.com got hacked and is serving exploit code, that code is a 0-day anyway. Since it takes a lot of time and skill (and money) to execute such an attack, I don’t think the attackers would be wasting their time serving public exploits that not only would have a lower infection rate but would also be detected much faster (within minutes) by all antivirus website scanners. In the past, most successful hacking cases of that sort and magnitude have served 0-day exploits in their payload. You can buy 0-day Flash exploits today for about $10,000 on Russian malware boards, so it’s not a difficult task obtaining that part if you have the cash. This is in fact the reason all major browser manufacturers have taken the decision to disable Java and Flash in their browsers in recent years: Oracle and Adobe have not been able, or are unwilling, to keep up with patching new exploits at the same rate they are introduced to the public.
So in other words, of course you are correct that old versions of Flash (and much other software) contain unpatched vulnerabilities that are still being actively exploited on the web, but it is wrong to suggest that after updating to the latest version everything is hunky-dory. Adobe Flash and Sun/Oracle Java are, as you said, the biggest attack vectors for web exploits today, and the reason for that is largely their vendors’ ineffectiveness or unwillingness in patching exploits on time, to such an extent that browser vendors had to take action on their own (Firefox blocked Java and Flash and sent out open letters demanding they fix their vulnerabilities; Adobe complied and Oracle did not).
It is up to each person to decide whether the benefits of having a significantly faster, non-bloated piece of software are substantial enough to justify taking on more responsibility for personal security and giving up on relying on software updates to save the day (which you shouldn’t do per se, but they do help in some cases, sure). For me it is a no-brainer: even if the worst-case scenario happens and my system gets infected somehow, I have the know-how and ability to detect and remove malware very quickly. I have been sitting in an ASM debugger analyzing modern malware long enough to know my way around it, and in most cases removing it is relatively pain-free. This likely explains my disdain for security updates. But as I said, to each their own; some may rather trust their security to a third party, even if they are known to do an inadequate job, simply due to lack of experience with removing malware. But I honestly believe that in this case, with the Flash plugin, it’s pretty safe and easy enough to take security into your own hands and just enjoy the benefits of being able to watch videos on an old PC…
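A note on the "be very careful while crafting the list" point above, as an added example that is not part of the original post and not any browser's own code. The weak spot in a "Flash only on trusted sites" policy is usually not the list itself but how a page is matched against it. The block below takes the two sites the post names as a constructed allowlist and compares a page URL against it by hostname (exact host or a subdomain of it), and sets that beside the naive substring check that lets `youtube.com.evil.example` or `?ref=youtube.com` through. The function names `plugin_allowed` and `naive_allowed` and the URLs in the demo are assumptions for illustration; the actual enforcement (click-to-play, per-site plugin permission) is whatever the browser offers, and this only shows the decision logic such a feature should implement.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration only: the two sites named in the
# post. A real list is whatever the reader decides to trust.
TRUSTED_HOSTS = {"youtube.com", "usatoday.com"}


def plugin_allowed(url: str, allowlist=TRUSTED_HOSTS) -> bool:
    """Decide whether the plugin may run on the page at `url`.

    Matching is done on the parsed hostname, not on the raw URL string, and
    a list entry matches only the host itself or a subdomain of it.
    """
    parts = urlsplit(url)
    # Only ordinary web pages qualify; javascript:, data:, ftp: etc. do not.
    if parts.scheme not in ("http", "https"):
        return False
    # urlsplit().hostname already lowercases and drops userinfo (user@...)
    # and the port, so "https://youtube.com@evil.example/" yields evil.example.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    for trusted in allowlist:
        trusted = trusted.lower().rstrip(".")
        if host == trusted or host.endswith("." + trusted):
            return True
    return False


def naive_allowed(url: str, allowlist=TRUSTED_HOSTS) -> bool:
    """The mistake this example warns against: substring match on the URL.

    Any attacker-controlled page can put a trusted name in its hostname
    (youtube.com.evil.example), in the path or in the query string.
    """
    return any(trusted in url.lower() for trusted in allowlist)


if __name__ == "__main__":
    # Constructed sample URLs, including the classic bypasses.
    samples = [
        "https://www.youtube.com/watch?v=abc",
        "https://usatoday.com/",
        "http://youtube.com.evil.example/",
        "https://notyoutube.com/",
        "https://evil.example/?ref=youtube.com",
        "https://youtube.com@evil.example/",
        "ftp://youtube.com/",
    ]
    for u in samples:
        print(f"{u:45} strict={plugin_allowed(u)!s:5} naive={naive_allowed(u)}")
```

The point to take from the output is the rows where `naive` says True and `strict` says False: every one of them is a page the attacker controls, and a plugin allowlist that lets them through is no allowlist at all.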