June 23, 2015

I’ve spent the better part of the last month running a little experiment to see how much I would miss Adobe‘s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much.

brokenflash-aBrowser plugins are favorite targets for malware and miscreants because they are generally full of unpatched or undocumented security holes that cybercrooks can use to seize complete control over vulnerable systems. The Flash Player plugin is a stellar example of this: It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently).

It’s also not uncommon for Adobe to release emergency fixes for the software to patch flaws that bad guys started exploiting before Adobe even knew about the bugs. This happened most recently in February 2015, and twice the month prior. Adobe also shipped out-of-band Flash fixes in December and November 2014.

Update, 11:30 a.m. ET: Oddly enough, Adobe just minutes ago released an out-of-band patch to fix a zero-day flaw in Flash.

Original story:

Time was, Oracle’s Java plugin was the favorite target of exploit kits, software tools made to be stitched into hacked or malicious sites and foist on visiting browsers a kitchen sink of exploits for various plugin vulnerabilities. Lately, however, it seems to pendulum has swung back in favor of exploits for Flash Player. A popular exploit kit known as Angler, for example, bundled a new exploit for a Flash vulnerability just three days after Adobe fixed it in April 2015.

So, rather than continue the patch madness and keep this insecure software installed, I decided to the pull the…er…plugin. I tend to (ab)use different browsers for different tasks, and so uninstalling the plugin was almost as simple as uninstalling Flash, except with Chrome, which bundles its own version of Flash Player. Fear not: disabling Flash in Chrome is simple enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

In almost 30 days, I only ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing). For these, I opted to cheat and load the content into a Flash-enabled browser inside of a Linux virtual machine I have running inside of VirtualBox. In hindsight, it probably would have been easier simply to temporarily re-enable Flash in Chrome, and then disable it again until the need arose.

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.


63 thoughts on “A Month Without Adobe Flash Player

  1. Bart

    At least a year ago I set Flash to prompt for permission and sometimes days go by without feeling the need to click on the enable button.

  2. VPN Germany

    I would love t go a month without having to deal with a Windows issues along with installing security patches.

  3. J. Armstrong

    Great article, thank you for the tips! I always use “click to play”. It’s convenient and gives me the opportunity to think before flash is run.

  4. Julian

    Excellent suggestions, thanks Brian.
    You are correct in that “… script blockers can be challenging for many users to handle.”
    I grow weary of forever fiddling with the Noscript settings for every site that I visit.
    In future I shall adopt your suggestion of using “Click to Play”.

  5. franz

    As a default, I have java and flash disabled. I suspect in the future, I will just run a secure container with a minimal OS and browser. Thanks for the articles.

  6. Tom R.

    I too use click to play but for a different reason: I got tired of videos auto-playing. Click to play stopped this annoying behavior.

  7. Brian

    I haven’t had Flash installed on my machine in over three years. I found it to be a resource hog, and simply too easy an attack vector. I do keep a copy of Chrome around for those times when a site simply requires Flash, but that’s less than once per month.

    I certainly don’t miss it or the associated maintenance it required.

  8. CJ

    I don’t run flash and other plugins automatically. One example is Chrome – If I want, I can choose [right-click to play Adobe Flash Player] command. When I started doing this a couple of years ago, I was able to reduce my CPU usage from 99% to 4%.

  9. Gerald

    I threw flash out many months ago after constantly reading about flash exploits on this site. At first it was a little inconvenient (mostly explaining to people why I couldn’t play some videos) but then sites like YouTube began offering alternative streaming methods that don’t require flash. I have occasional tasks that require both flash and Java so I’ve opted for a virtual machine to do those jobs.

  10. Tommy

    Well timed article Brian, as Adobe have just updated flash from 18.0.0.160 to 18.0.0.194

  11. Mahhn

    Unfortunately we need for Flash for business (due to sites we access as a business). Would be nice if Adobe would make a “secure” version that doesn’t have features/exploits and is a dumbed down to be a Player Only. A business version if you would.
    But like most companies they just add features until it’s broke, never satisfied.

    1. timeless

      Unfortunately, there’s no minimal set that guarantees fewer vulnerabilities short of not running the product under scrutiny at all (as Brian tried).

  12. Kevin

    If only I could do this in a corporate environment where so many of the OEM sites we must use are Flash and JAVA polluted….. I could do Click To Run, I could also go insane from the support calls from my user base that would never cease.

  13. Brady

    I find Malwarebytes Anti-Exploit Free to be a better alternative to EMET for home users. Provides the same level of protection to browsers and their plugins with no user intervention or understanding needed. Much less false-positives too.

    1. JCitizen

      Yep! +1 Although I had a clueless user ignore MBAM warnings about constant attacks, and when the malware did finally get though, it completely erased his drive! No evidence anything was ever installed at all. Even Linux couldn’t see any files!! I figured it got into a heck of a battle with the anti-exploit tool.

      I offered to do a recovery, but it was going to take too much time, so the victim just gave up and went to using an iPad for his business searches.

    2. Flash User

      Agree. It’s easier to implement than the other strategies and allows me to still use Adobe Flash when needed.

  14. qka

    I use Click To Plugin. It’s from the Click To Play folks, and blocks more.

    All I need Flash for is Pandora. Everyone else has joined the 21st century and uses HTML5.

  15. Dropbox

    I am intereted in knowing how you use dropbox for “risky” usage of flash. Is there a way to use it read-only or do you use a fresh copy of linux every time? Thanks for the great articles!

    1. Stephen

      I was confused by your asking him about using Dropbox for the flash stuff. Then I realized you meant VirtualBox.

      1. VirtualBox

        Oops my bad! Yes my question was related to Virtual box 🙂

    2. MattyJ

      In VirtualBox (and pretty much any VM app can do this), once you get a disk image how you like it (bootable, just a browser and flash) you can mark it as ‘immutable’ and it’ll reset to that same state every time you reboot.

      This way if something horrible happens you can just reboot and start over.

  16. Brian Fiori (AKA The Dean)

    I have used a Flash blocker, and/or Click To Play, for quite a while now. And while I’ve considered uninstalling Flash, I have to say I have to Click to Play several times a day. Seems many of the sites I visit are Flash-based, or use Flash video.

    1. JCitizen

      Some sites won’t let you use or view content unless flash is enabled for their advertising.

  17. WTL

    I’ve had Flash uninstalled on all my machines for about 18 months now, and about once a week, I fire up Chrome and enable Flash there to watch a specific video, or use a chat-system for a vendor. Barely miss it.

  18. Charles

    I discovered how to work around sites that demand Flash for video. Almost all these sites have HTML5 videos available if you are browsing from an iOS device (which of course has no Flash).

    So you merely need to spoof your browser’s User Agent to an iOS device. In Safari on my Mac, enable the Debug menu. Then when you find a page that says Missing Plug-in, go to the Debug menu, choose User Agent>Safari iOS 8.1 – iPad (any iOS device would work). The page will reload and offer an HTML5 video, usually an mp4. Some sites actually have HTTP Live Streaming for live video.

    So why aren’t they offering HTML5 video as a FIRST CHOICE? Flash should be a fallback only.

    1. BrianKrebs Post author

      Nice tip, Charles. Never thought of that. Can’t wait to try it next time. Thanks.

    2. Cavoyo

      One problem is that HTML5 video has uneven support among browsers. Chrome and old versions of Firefox have issues playing H.264 video, but support Ogg Theora and WebM. Meanwhile IE and Safari don’t support Theora or WebM, but play H.264 fine. And IE8 and earlier have no support for any HTML5 video.

      So looking at that mess, a webmaster might decide “if it ain’t broke, don’t fix it,” and just serve video to desktop browsers with the Flash plugin.

      1. NickDanger

        So looking at that mess, a webmaster might decide “if it ain’t broke, don’t fix it,” and just serve video to desktop browsers with the Flash plugin.

        That’s true, but there are some fairly simple ways around that – at least for any web dev who’s reasonably familiar working with online video. E.g. there’s the “video for everybody” approach that’s been around for a few years now (http://camendesign.com/code/video_for_everybody). I’ve also cobbled together a similar, simpler setup using the Video.js HTML5 player with automatic fallback to on older version the free edition of JWPlayer for browsers that only support Flash.

    3. Bill S

      I have some kind of browser extension that does this automatically along with a click to play thing. If an HTML 5 option is available, it shows HTML in the video window and waits for me to click. If no HTML version, it shows Flash in the same spot and waits for me to click. I can’t remember the name of it right now. I think it’s for Safari.

    4. NickDanger

      So why aren’t they offering HTML5 video as a FIRST CHOICE? Flash should be a fallback only.

      Hear, hear. In my experience, Blip.tv is one of the worst offenders – even if you have Flash disabled, they still insist on giving you the Flash version of their video player – UNLESS you spoof the iOS/Android useragent. Even then, it appears that Blip also uses JS to check for the useragent (instead of just the HTTP headers), so you also need a second plugin to spoof a mobile useragent when checked that way.

      As for the why, if I were to be cynical I’d say it probably has something to do with these 2 details:

      1) Blip has some of the most annoying, intrusive ads of any video sharing/delivery service I’ve used (their unskippable, unmutable pre-roll ads are the main reason I installed adblock).

      2) The Blip HTML5 player doesn’t appear to support pre/mid/post-roll video ads.

    5. timeless

      Unfortunately, most site authors respond to requirements. A typical requirement is: “make an iOS version of our site”, so they do precisely as requested. They might or might not know how to use HTML to generate fallback content. If they know how, they’re probably told not to touch the main site because someone is afraid of breaking it.

      Should they have a single site that favors modern browsing? Yes. But, that’s idealism speaking.

      You can help by complaining to the site about your experience and suggesting the change. The reason they added iOS support was because they got complaints from iOS users (internal or external).

  19. Dude

    I uninstalled Flash and disabled it in Chrome, I can’t believe how much faster every webpage loads! Since most websites use HTML 5 for videos nowadays it will be rare that I will need Flash.

    Thanks for the tips!

  20. .....

    >> “I encountered a site hosting a video that I absolutely needed to watch”

    I can only guess what kind of videos we’re talking about here, Krebbo™ 😉

  21. .....

    >> “I encountered a site hosting a video that I absolutely needed to watch”

    I can only guess what kind of videos we’re talking about here, Krebbo… 😉

  22. JCitizen

    This is a very dead center article! As usual Brian hits the nail right on the head.

  23. Jean W

    Adobe’s been absent from this Win 7 machine for a couple of years now; pdf is either rendered a lot more safely inside Firefox or Seamonkey or sent to a nonscripted third party reader.
    Any site wants to show me a non-youtube Flash video that I think I might want to view? And these are generally videos from news sites in my kind of browsing…..
    I search youtube.com… and even Flash displayed by third party embedded players has ended up on youtube (or has been taken without attribution) most of the time – and is available in html.

    The main hurdle for many Flash users to jump before they can dump it is that public broadcasting is often streamed in Flash players.
    There are in each anglophone country that I know about, various helpful groups of amateurs who work to make the files from their public broadcasters accessible without needing to be played in Flash players, but it requires a fair initial investment of time and effort to circumvent the Flash presentation of those files.
    It doesn’t help that public broadcasting is cash strapped at the best of times (not so much in the USA I notice) so these players most likely are not as well vetted by security mavens as they could be.

  24. FakeName

    I use ActiveX Filtering in Internet Explorer, which disables any plugin on any site, except those I nominate.

    Unfortunately, it only enables/disables at the site level (not the specific plugin or area of the site), but in practice this seems to be a reasonable compromise, similar to click to play. But less convenient.

  25. Joom

    Since this hasn’t been suggested yet, I’ll go ahead and drop this bit of info. Firefox users (including forks like Waterfox and the mobile version) can use Mozilla’s “Shumway”. It’s a total replacement for Flash that renders Flash objects (videos, games, etc) using HTML5. I’ve been using it for quite a while now and don’t miss Flash one bit.

    1. MattyJ

      Nice! I just took the plunge and removed Flash in favor of Shumway. In a quick battery of tests, only one of my special websites stopped functioning because it explicitly checks for Flash. Hopefully Shuwmay will provide a way to spoof Flash for these types of checks in the future. But so far so good.

  26. Me

    I do what Charles suggests above and disable Flash to use HTML5 video. Works very well for me, but with one gotcha: if you set Flash to click-to-play in Firefox, it is still recognized as installed and many website will demand to use it instead of switching to HTML5. Setting Flash to never enable will pretend that it is not installed at all and HTML5 is used (if available).

    If that still doesn’t work, I use the User Agent Switcher extension in Firefox (http://chrispederick.com/work/user-agent-switcher/) to pretend to be on an iPad. But keeping that set changes the browsing experience on many websites, so I switch back as soon as I’m done with the video.

  27. BarryH

    Just disabled Flash on my Chromebook and Youtube videos now play with HTML5. Thank you Brian.

  28. d

    Geeze, Brian, I haven’t installed Flash since you last wrote for WaPo. I thought I followed your advice and removed it years ago. If Flash is called for on a site, that’s a site I don’t visit.

Comments are closed.