Junkin’ Jack Flash

Adobe’s Flash program has been a security nightmare. A favorite among malware writers for ages, Flash is useful for doing things like creating fake security pop-up alerts and conning computer users into buying security programs that don’t work and carry malicious content. And it seems that there is another “zero-day” vulnerability discovered every three days.

Do we really need Flash? No, we don’t. iPhones and iPads have worked without Flash from the start. Microsoft’s new Edge browser doesn’t use or support Flash, and web sites conforming to the new HTML5 standard do not require it either.

So how can we rid ourselves of this relic of a by-gone era?

In Chrome: open Chrome, then in the URL bar type “about:plugins”, then navigate down to Adobe Flash Player and select ‘Disable.’

In Internet Explorer: open your IE browser, then click on the Settings icon (the gear in the top right-hand corner), then select ‘Manage add-ons’ from the drop-down menu. Under the ‘Show:’ drop-down, select ‘All add-ons,’ then select Shockwave Flash Object, and in the bottom right-hand corner, select ‘Disable.’

In Firefox: open up the Firefox browser, then click on the Settings icon (the “pancakes,” or three horizontal lines in the top right-hand corner), then click Add-ons, then Plugins. Next to any Shockwave or Flash-related objects, you’ll see a drop-down menu. Click on it, and set it to ‘Never Activate.’

Welcome the new year by making your computers a Flash-free zone.

Additional Note:

My coworker at CIT, Tyler Ott, pointed out an absolutely terrifying article about a new Flash exploit that allows an attacker to send an email that, when opened in Outlook, runs a Flash exploit that gives the attacker remote access to and control of the affected machine. All that has to happen is for the recipient to read or even just preview the email for the code to run. The report was authored by Haifei Li, and he is calling the exploit “BadWinmail.” A couple of links to his paper are below. Microsoft has released Security Bulletin MS15-131, which addresses this vulnerability.

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
