Adobe’s Flash program has been a security nightmare. A favorite among malware writers for ages, Flash is useful for doing things like creating fake security pop-up alerts and conning computer users into buying security programs that don’t work and carry malicious content. And it seems that there is another “zero-day” vulnerability discovered every three days.
Do we really need Flash? No we don’t. iPhones and iPads have worked without Flash from the start. Microsoft’s new Edge browser doesn’t use or support Flash, and web sites conforming to the new HTML5 standard do not require it either.
So how can we rid ourselves of this relic of a by-gone era?
In Chrome: open Chrome, then in the URL bar type “about:plugins,” then navigate down to Adobe Flash Player and select ‘Disable.’
In Internet Explorer: open your IE browser, then click on the Settings icon (the gear in the top right-hand corner), then select ‘Manage add-ons’ from the drop-down menu. Under the ‘Show:’ drop-down, select ‘All add-ons,’ then select Shockwave Flash Object, and in the bottom right-hand corner, select ‘Disable.’
In Firefox: open up the Firefox browser, then click on the Settings icon (the “pancakes,” or three horizontal lines in the top right-hand corner), then click Addons, then Plugins. Next to any Shockwave or Flash-related objects, you’ll see a drop-down menu. Click on it, and set it to ‘Never Activate.’
Welcome the new year by making your computers a Flash free zone.
Additional Note:
My coworker at CIT, Tyler Ott, pointed out an absolutely terrifying article about a new Flash exploit that allows an attacker to send an email that, when opened in Outlook, runs a Flash exploit that allows the attacker remote access and control to the affected machine. All that has to happen is for the recipient to read or even just preview the email for the code to run. The report was authored by Haifei Li, and he is calling the exploit “BadWinmail.” A couple of links to his paper are below. Microsoft has released a Security Bulletin MS15-131 that addresses this vulnerability.
More information:
- Sophos
- Redmond Pie – How to Disable Flash
- BadWinmail report in PDF
- BadWinmail on Seclists
- BadWinmail Demo on YouTube
- Microsoft Technet Security Bulletin MS15-131 – Critical
DEC
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com