Security Experts are Recommending you Uninstall Adobe Flash

audreyh1

We've gotten rid of Adobe Flash on all our computers at home. Adobe has released security fix after fix after fix in the past few weeks. Enough already!

I'd been running with it disabled for over a week, so I know my main sites work no problem.

It's time to uninstall Adobe's Flash from your Mac - here's how
Adobe has patched more than twenty Flash vulnerabilities in the last week — some of them days after active exploits were discovered in the wild — and issued over a dozen Flash Player security advisories since the beginning of this year. Flash has become such an information security nightmare that Facebook's Chief Security Officer called on Adobe to sunset the platform as soon as possible and ask browser vendors to forcibly kill it off.

Third Hacking Team Flash Zero-Day Found: Krebs on Security
For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.
 
Thanks for the post. I hate Adobe flash and have just removed it. Now to see what breaks.
 
Thanks for the post. I hate Adobe flash and have just removed it. Now to see what breaks.

+1

Interestingly, for the past several days, Safari has been running "hot" on my Macbook. I didn't track it specifically, but it started around the time I did the last Flash update. Now that I have uninstalled Flash, it's back to normal again. I tried identifying the process that was running up the CPU in Activity Monitor, but it was always just generic "Safari".

Edit: First thing that is broken is the feature here on ER.org that lets you watch a YouTube video within a post. But I just clicked the link at the top of the window and it went to YouTube directly which worked fine. Minor hassle.
 
+1

Interestingly, for the past several days, Safari has been running "hot" on my Macbook. I didn't track it specifically, but it started around the time I did the last Flash update. Now that I have uninstalled Flash, it's back to normal again. I tried identifying the process that was running up the CPU in Activity Monitor, but it was always just generic "Safari".

Edit: First thing that is broken is the feature here on ER.org that lets you watch a YouTube video within a post. But I just clicked the link at the top of the window and it went to YouTube directly which worked fine. Minor hassle.
Embedded YouTube works on my iPad, and under the "Develop" menu for Safari you can tell it to mimic iPad instead of desktop. I think you have to go somewhere in Safari preferences to turn on the Develop menu.
 
Is the vulnerability just for Flash or also Adobe Shockwave?

And, what about Flash internal to Chrome? Is that vulnerable as well?
 
I decided maybe the OP is right about this. So using the Firefox browser on my PC, I found that one can choose an Ask-to-activate option. This will allow me to check out my usage of the Adobe Flash player which I suspect is very rare. Eventually I may uninstall it.

To do this just click on the 3 horizontal bar symbol (far right on my browser) and select:
Add-ons -> Plugins -> Shockwave Flash
and then set the button to Ask-to-activate

From my web search, Adobe Flash player and Shockwave Flash are the same. See: https://support.mozilla.org/en-US/questions/1037000
 
Is the vulnerability just for Flash or also Adobe Shockwave?

And, what about Flash internal to Chrome? Is that vulnerable as well?

There are some answers in the linked articles - Chrome is discussed.
 
Embedded YouTube works on my iPad, and under the "Develop" menu for Safari you can tell it to mimic iPad instead of desktop. I think you have to go somewhere in Safari preferences to turn on the Develop menu.

I have the Develop menu active already, so I tried this (neat feature - didn't know it existed before!) but the embedded video still isn't working. Will tinker a bit when I have some time to experiment. Thanks for the tip.
 
Various attack vectors are present in both "Flash" and the "Shockwave" browser plug-in.

We've disabled these and deleted all the relevant files from our systems.

Sadly, MIL insists that she has to have her Flash plugin, so she doesn't see the scary messages when some ads don't work on pages she frequents. I'm going to try to get her to document and set her various accounts up such that we can swap out payment mechanisms when the inevitable happens.
 
I have the Develop menu active already, so I tried this (neat feature - didn't know it existed before!) but the embedded video still isn't working. Will tinker a bit when I have some time to experiment. Thanks for the tip.

Hmm - thought that would work. Usually embedded YouTube works on my iPad.
 
I uninstalled Adobe Flash on my Windows 7 machine. Now YouTube does not work.


However, thanks for the heads up on the security issues. I might go without Youtube for a while.
 
I decided maybe the OP is right about this. So using the Firefox browser on my PC, I found that one can choose an Ask-to-activate option. This will allow me to check out my usage of the Adobe Flash player which I suspect is very rare. Eventually I may uninstall it.

To do this just click on the 3 horizontal bar symbol (far right on my browser) and select:
Add-ons -> Plugins -> Shockwave Flash
and then set the button to Ask-to-activate

From my web search, Adobe Flash player and Shockwave Flash are the same. See: https://support.mozilla.org/en-US/questions/1037000
That is the way to go. Initially I turned on the Ask-to-activate feature so that I wouldn't have to look at the 100's of previews being pushed to my browser.

But, as some will find out when they uninstall or disable flash, there are certain web sites which use flash for interactive graphs, for instance. So you will not be able to get those features.

Ask-to-activate is a much better approach.
 
There is some mention that "click to enable" which is perhaps the same as ask-to-activate, does not provide enough protection, and that just having the flash dlls on your windows machine makes it vulnerable. So I encourage you to research whether ask-to-activate is truly safe. If so, why aren't the warning articles promoting that approach?
 
Thanks Audrey, you are now appointed the official chief of keeping our Macs safe
 
Note that Firefox 39.0 has now labeled shockwave flash as hazardous and puts up a warning when any such features appear in a web site.
 
There is some mention that "click to enable" which is perhaps the same as ask-to-activate, does not provide enough protection, and that just having the flash dlls on your windows machine makes it vulnerable. So I encourage you to research whether ask-to-activate is truly safe. If so, why aren't the warning articles promoting that approach?
I really don't know if just disabling will be protective enough. This article implies that: Disable Flash In Chrome, Firefox, Safari, Other Web Browsers To Keep Your PC Safe From Vulnerabilities | Redmond Pie

Also this recently from Krebs seems to say that disabling is an OK way to go:
https://krebsonsecurity.com/2015/07/third-hacking-team-flash-zero-day-found/

I'm only disabling as a temporary test to see if I will miss Adobe Flash for some application. If no issues then I'll uninstall it.

This is what I now see on the BBC site (as an example):

or58i9.jpg


I also noticed that tinyPic was not working right for me to get the "IMG" info for the above image. I had to allow adobe flash temporarily on that site to get this picture. So this is an example of something I need that would be broken if I uninstall Adobe Flash.
 
As with any known security threat, install the update the publisher will provide. It's really that simple.

When Windows finds a zero-day, if you have automatic updates ON, it will be patched. Same goes for Adobe. If you go for the manual method as I do, wait for the notice, and then do the update or patch in a controlled way.
 
As with any known security threat, install the update the publisher will provide. It's really that simple.
And you would be doing this many, many times as more and more issues are discovered and exploited while Adobe furiously rolls out patches behind the times. I'm not willing to go through this process any more for something I don't really need.
 
As with any known security threat, install the update the publisher will provide. It's really that simple. ...

I just want to stress the bold. DD ended up with a browser hijack on her MacBookPro (she would get re-directed to advertising, almost all the text on a page had underlines with links to ads). Every indication was that she downloaded what she thought was an Adobe update, but she didn't go direct to Adobe, so got this malware. Took some effort to get it cleaned up, files all over the place.

Go direct to Adobe, do not follow some other link.

-ERD50
 
I have not tried this approach, but have noticed alternatives to flash player in firefox add-ons - e.g. "video w/o flash" (does not play YouTube) and "YouTube all HTML5" that plays w/o flash (limited to 720p).
I have been using the flash player 'ask to use' mode for years without any problems.

P.S. Here is an active thread including Mark from Mozilla discussing the issue. https://news.ycombinator.com/item?id=9883246
 
And here I thought it was just me. I have nothing but problems with Flash Player updates on my PC. Java updates have been problematic as well (though not at all as much as with Flashplayer), requesting that I install repeatedly even after just installing. Frustrating.
 