Adobe’s Flash program has been a security nightmare. A favorite among malware writers for ages, Flash is useful for doing things like creating fake security pop-up alerts and conning computer users into buying security programs that don’t work and carry malicious content. And it seems that there is another “zero-day” vulnerability discovered every three days.
Do we really need Flash? No, we don’t. iPhones and iPads have worked without Flash from the start. Microsoft’s new Edge browser doesn’t use or support Flash, and web sites conforming to the new HTML5 standard do not require it either.
So how can we rid ourselves of this relic of a bygone era?
In Chrome: open Chrome, type “about:plugins” in the URL bar, then navigate down to Adobe Flash Player and select ‘Disable.’
In Internet Explorer: open your IE browser, then click on the Settings icon (the gear in the top right-hand corner), then select ‘Manage add-ons’ from the drop-down menu. Under the ‘Show:’ drop-down, select ‘All add-ons,’ then select Shockwave Flash Object, and in the bottom right-hand corner, select ‘Disable.’
In Firefox: open up the Firefox browser, then click on the Settings icon (the “pancakes,” or three horizontal lines in the top right-hand corner), then click Add-ons, then Plugins. Next to any Shockwave or Flash-related objects, you’ll see a drop-down menu. Click on it, and set it to ‘Never Activate.’
Welcome the new year by making your computers a Flash-free zone.
My coworker at CIT, Tyler Ott, pointed out an absolutely terrifying article about a new Flash exploit that allows an attacker to send an email that, when opened in Outlook, runs a Flash exploit that gives the attacker remote access to and control of the affected machine. All that has to happen is for the recipient to read or even just preview the email for the code to run. The report was authored by Haifei Li, and he is calling the exploit “BadWinmail.” A couple of links to his paper are below. Microsoft has released Security Bulletin MS15-131, which addresses this vulnerability.
- Redmond Pie – How to Disable Flash
- BadWinmail report in PDF
- BadWinmail on Seclists
- BadWinmail Demo on YouTube
- Microsoft Technet Security Bulletin MS15-131 – Critical