Time to Finally Dump Flash


Adobe Flash users are once again being advised to update the application ASAP to protect against two previously unknown security vulnerabilities. Worth noting: the PC Matic vulnerability engine automates the process of keeping some of the most commonly used applications on your system (like Flash) up to date and patched with the latest security protections. However, many security researchers are calling for a more drastic approach: stop using Flash now.

At this point, there are not many viable alternatives to Flash. However, the security concerns associated with Flash have become so serious and prevalent that we decided it was important to share the warnings being issued across the industry, so members of our community can be better informed. Should you prefer to keep Flash, we strongly encourage you to make sure the application is always up to date.

UPDATE:

Third Hacking Team Flash Zero-Day Found

For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.

News of the latest Flash flaw comes from Trend Micro, which said it reported the bug (CVE-2015-5123) to Adobe’s Security Team. Adobe confirmed that it is working on a patch for the two outstanding zero-day vulnerabilities exposed in the Hacking Team breach.

We are likely to continue to see additional Flash zero day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.
http://krebsonsecurity.com/2015/07/third-hacking-team-flash-zero-day-found/

Adobe To Fix Another Hacking Team Zero-Day

For the second time in a week, Adobe Systems Inc. says it plans to fix a zero-day vulnerability in its Flash Player software that came to light after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.

In an advisory published late Friday evening, Adobe said it plans to issue another Flash patch the week of July 13, 2015. “This vulnerability was reported to us following further investigation of the data published after the Hacking Team data breach,” the advisory notes.

Adobe said the flaw is present in the latest version of Flash for Windows, Mac and Linux systems, and that code showing attackers how to exploit this flaw is already available online.

There is every reason to believe this exploit will soon be folded into exploit kits, crimeware used to foist drive-by downloads when unsuspecting visitors browse to a hacked or booby-trapped site. On Wednesday, Adobe patched a different vulnerability in Flash that was exposed in the Hacking Team breach, but not before code designed to attack the flaw was folded into the Angler and Nuclear exploit kits.

If you were on the fence about removing or disabling Flash altogether, now would be a great time to reconsider. I recently blogged about my experience doing just that, and found I didn’t miss the program much at all after a month without it.

Major Adobe Flash security flaw discovered in Hacking Team leak | The Verge | 7/8/15

Two unpatched vulnerabilities have been discovered, affecting Adobe’s Flash software and Microsoft’s Windows operating system. Hacking Team describes the Flash flaw as “the most beautiful Flash bug for the last four years,” suggesting that the company may have been using this to access people’s machines for quite some time. The vulnerability itself allows malicious attackers to execute code on a victim’s machine through a website. It affects Windows, OS X, and Linux, and can be used against browsers like IE, Firefox, Chrome, and Safari. Hacking Team appears to have used this hole to install its own exploit kits and monitor or remotely control PCs. Adobe is now aware of the vulnerability and is planning to issue a patch later today, but given the vast amount of security issues with Flash over the years it’s advisable to move away from using the software if you’re able to.

What Should You Do

Great information from Tom’s Hardware for those looking for the best way to cope with the seemingly never ending list of Flash security vulnerabilities.
http://techtalk.pcpitstop.com/2015/07/14/dealing-with-flash-vulnerabilities/

Update: Adobe posted Security Bulletin CVE-2015-5119 today stating that they are working on closing the hole.

Users of Chrome, and Windows 8 users running Internet Explorer, will automatically receive the updated version. For those on other browsers, Adobe recommends installing the patch as soon as possible.

Security researchers have an alternative solution to offer users: Dump Flash.

“In lieu of patching Flash Player yet again, it might be worth considering whether you really need to keep Flash Player installed at all,” wrote security journalist Brian Krebs.

So, rather than continue the patch madness and keep this insecure software installed, I decided to pull the…er…plugin. I tend to (ab)use different browsers for different tasks, and so uninstalling the plugin was almost as simple as uninstalling Flash, except with Chrome, which bundles its own version of Flash Player. Fear not: disabling Flash in Chrome is simple enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

In almost 30 days, I only ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing). For these, I opted to cheat and load the content into a Flash-enabled browser inside of a Linux virtual machine I have running inside of VirtualBox. In hindsight, it probably would have been easier simply to temporarily re-enable Flash in Chrome, and then disable it again until the need arose.

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

http://krebsonsecurity.com/2015/06/a-month-without-adobe-flash-player/

Those who wish to stick with Flash Player can get the patched versions from Adobe’s download page.
http://www.theregister.co.uk/2015/06/23/adobe_flash_player/


37 thoughts on “Time to Finally Dump Flash”

    • @Darryl kimball: There’s no “killing” going on here. But the things they finally sent in their reply really should have been in the actual article. It would have been easy to add “Unfortunately there’s no blanket replacement…”, the whole HTML5 things, etc….

  1. Why has there not been a single answer to the “what software can I use to replace flash?” Nope, just delete it and never use the internet to watch another video again. Makes sense.

    • @Ken: At this point, there are not many viable alternatives to Flash. However, the security concerns associated with Flash have become so serious and prevalent – that we decided it was important to share the warnings being issued across the industry – so members of our community can be better informed. Should you prefer to keep Flash, we strongly encourage you to make sure the application is always up to date. As for videos – “Many YouTube videos will play using HTML5 in supported browsers. You can request that the HTML5 player be used if your browser doesn’t use it by default.” https://www.youtube.com/html5

    • @Kevin D Wright: At this point, there are not many viable alternatives to Flash. However, the security concerns associated with Flash have become so serious and prevalent – that we decided it was important to share the warnings being issued across the industry – so members of our community can be better informed. Should you prefer to keep Flash, we strongly encourage you to make sure the application is always up to date.

  2. Why is it that every alert and/or fix is posted in computer jargon that most end users cannot understand? Can't you send alerts in plain English with fixes that are more understandable to laymen?

  3. A very interesting dichotomy in your mail offering of 7/13/15. First you suggest ‘dumping Flash’, yeah I hate it also, then you offer a ‘speed check’ that runs on Flash. Read the Adobe problems several days ago, took you folks a few days to see the Adobe notices? Read the page @Bart.

    • @Duane Cook: Please note this post originally went live here on July 8th. Our newsletters simply supply an overview of the postings that appear on techtalk.pcpitstop.com. If you require an alternative bandwidth speed test/non flash – consider http://speedof.me/

    • @Ross Alexander: At this point, there are not many viable alternatives to Flash. However, the security concerns associated with Flash have become so serious and prevalent – that we decided it was important to share the warnings being issued across the industry – so members of our community can be better informed. Should you prefer to keep Flash, we strongly encourage you to make sure the application is always up to date.

  4. When I try to delete Adobe Flash Player Active X18 I get this error…
    “the installer will automatically continue when these conflicting applications are closed…pcmatic ”

    I am concerned about closing pcmatic with the vulnerability.

  5. I’m not sure how dumping it is a solution. Maybe most do not use websites or online applications that use Flash. Sure, I can ask the developers to move from Flash, but will they, and if so, when? So for me and countless others, another update.

  6. Is this message advising that I remove Adobe Flash from my PC or disable it? I have WIN 8.1 and am not sure what to do. Please let me know what and how via my email. Thanks

  7. I have personally hated flash for a long time, hate flash sites, and hate their convoluted update process (at least for Macs). BUT I have one tool on my website that runs in flash and I don’t know how to put it in another form. It takes input from the user and draws a graph with those values. What else is out there that it can be converted to?

  8. I uninstalled flash, flash browser plugin, adobe reader & java about 2 years ago. Got tired of updating one or the other every day. Haven’t really missed them.

  9. But what should you do if accessing Flash-designed websites? What about those YouTube videos that require Flash enabled? This Saturday only, I encountered a lot of videos that required Flash enabled.

    • @Edward Anyone: At this point, there are not many viable alternatives to Flash. However, the security concerns associated with Flash have become so serious and prevalent – that we decided it was important to share the warnings being issued across the industry – so members of our community can be better informed. Should you prefer to keep Flash, we strongly encourage you to make sure the application is always up to date.

  10. a long time ago, 12 years. I liked flash. I think back then it was a macromedia product. NOW. I don’t.
    In fact, the only thing that keeps Adobe interesting are the products they bought from Macromedia.
    Most of their programs are bloated and complex AND they have moved to the monthly fee model.
    Adobe will destroy themselves. If they want to survive, they will offer their entire suite for $3 dollar a month so that no one can resist it.
    But they won’t. it is like Microsoft which could have consolidated their market by giving every XP user a Win 10 XP edition.
    These companies don’t realize that this is the beginning of the market and if they want to be number one, start thinking in terms of billions of people, not millions and make things easier to use with less need for upgrades.

  11. It has become fashionable to tell people to get rid of Flash and Java. Unfortunately, it is also an impractical suggestion for most people. Both utilities are simply too widely required for everyday use to be summarily dumped. Anyway, if you really want to be that secure, you would have to dump the entire internet. It's rather like advising people to dump their cars, because they represent a threat to your safety.

  12. Security journalist Brian Krebs writes in the above article:

    "I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing). For these, I opted to cheat and load the content into a Flash-enabled browser inside of a Linux virtual machine I have running inside of VirtualBox. In hindsight, it probably would have been easier simply to temporarily re-enable Flash in Chrome, and then disable it again until the need arose."

    For those of us who don't have:

    1. 'a Flash-enabled browser inside of a Linux virtual machine running inside of VirtualBox'….

    We get it: You're smart. But this is hardly a practical solution for the masses. OR

    2. who find it time-consuming or confusing to temporarily enable flash, watch the video, and then immediately disable it again as soon as we've finished using it, each and every time we encounter a flash-requiring video.

    is there a simpler or better solution?

    Will Adobe ever get their Flash product right?

  13. I would love to kill Flash, but I’m a retired widower living alone and playing online puzzles is one method to keep the mind active. I’d say 95% of them use Flash. How do I get around that?

  14. I’d love to dump it if it’s dangerous to keep but how in the world do you get along without it since pretty much everything uses Adobe Flash. What is its alternative, in other words?
