June 23, 2015

I’ve spent the better part of the last month running a little experiment to see how much I would miss Adobe‘s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much.

brokenflash-aBrowser plugins are favorite targets for malware and miscreants because they are generally full of unpatched or undocumented security holes that cybercrooks can use to seize complete control over vulnerable systems. The Flash Player plugin is a stellar example of this: It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently).

It’s also not uncommon for Adobe to release emergency fixes for the software to patch flaws that bad guys started exploiting before Adobe even knew about the bugs. This happened most recently in February 2015, and twice the month prior. Adobe also shipped out-of-band Flash fixes in December and November 2014.

Update, 11:30 a.m. ET: Oddly enough, Adobe just minutes ago released an out-of-band patch to fix a zero-day flaw in Flash.

Original story:

Time was, Oracle’s Java plugin was the favorite target of exploit kits, software tools made to be stitched into hacked or malicious sites and foist on visiting browsers a kitchen sink of exploits for various plugin vulnerabilities. Lately, however, it seems to pendulum has swung back in favor of exploits for Flash Player. A popular exploit kit known as Angler, for example, bundled a new exploit for a Flash vulnerability just three days after Adobe fixed it in April 2015.

So, rather than continue the patch madness and keep this insecure software installed, I decided to the pull the…er…plugin. I tend to (ab)use different browsers for different tasks, and so uninstalling the plugin was almost as simple as uninstalling Flash, except with Chrome, which bundles its own version of Flash Player. Fear not: disabling Flash in Chrome is simple enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

In almost 30 days, I only ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing). For these, I opted to cheat and load the content into a Flash-enabled browser inside of a Linux virtual machine I have running inside of VirtualBox. In hindsight, it probably would have been easier simply to temporarily re-enable Flash in Chrome, and then disable it again until the need arose.

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

63 thoughts on “A Month Without Adobe Flash Player

  1. Barry Allen

    Sorry, guys! I promise it’s not me!

  2. Altieres Rohr

    I’ve been running this experiment for months. A couple things:

    – Even some websites that do support HTML5 video won’t always send you HTML5 video if they see you on a desktop browser. Facebook is one of them.

    – Firefox’s click-to-pay is very buggy. I found that many times right-clicking the video after allowing it to play will crash the plugin. The other thing is that keeping Flash on click-to-play will increase the amount of websites that require Flash. The page will see that your browser does support the plugin and won’t send you the non-Flash version of the content.

    The first one is the real dealbreaker for casual browsing, and the second is bad for anyone who wants some convenience, but it should get better when HTML5 becomes the norm instead of the “alternative.” But we’re getting there.

  3. John

    I also got disgusted with Flash about six weeks ago. My strategy has been to disable Flash in Chrome, but let it run in Firefox. I’ve hit a few sites that don’t work correctly without Flash, I just cut-n-paste the URL over into a Firefox tab.

    I should confess to my poor browsing habits. I might typically have several browser windows open, with 20 to 30 tabs open in each. Times two or three browser brands. So I might have 300 tabs open in total. This is pretty stupid!

    Even a recent i7 with 16GB RAM would run dog-slow with all those tabs. But turning off Flash in Chrome helped that quite a bit. I could have 200 Chrome tabs open and it was still snappy. Almost enough to start weeding down all those tabs. 🙂

  4. daniel

    Under Linux with Chrome
    I disabled the chrome flash plugin … but immediately found news sites like Reuters ans Bloomberg would not play video .. I travel outsite of the US and these kinds of sites are my only good access to news ..

    I’m using uMatrix as a script blocker .. it has a feature that allows you to set a different user agent string. So I tried several of the Mac strings … but Reuters and Bloomberg would not render. I went to Panopticlick and confirmed the new user agent string … but noticed that my chrome plug-ins were still being reported regardless of the user agent spoof … Anyway, I then tried this ipad user agent string:

    Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25

    Voila, Reuters and Bloomberg now play video via html5 (with the flash plug-in disabled in chrome) …

    The only downside is that chrome has no “click to play” feature for html5 video … so video’s tend to autostart on some websites like youtube ….. I believe this will be fixed in future chrome versions

    Thanks to the commenter above who shared the spoofing tip …

  5. Rabid Howler Monkey

    The Linux-based U.S.A.F. lipose liveCD includes both the Flash Player and Java web browser plug-ins, by default. In addition, the NoScript add-on is included (although it is disabled), by default, for the Firefox web browser.

    Get on the lipose mailing list to be notified of new liveCD iso releases (approximately every 3 months).

    1. William T Blanchard

      Amusingly, attempting to sign up for the USAF email list on this secure OS in Firefox results in:

      This Connection is Untrusted

      You have asked Firefox to connect securely to http://www.spi.dod.mil, but we can’t confirm that your connection is secure.

      Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site’s identity can’t be verified.
      What Should I Do?

      If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn’t continue.

      1. Rabid Howler Monkey

        I don’t believe that a miscreant’s impersonation of the USAF lipose web site is at play here. You may _or may not_ want to load the DOD’s Root Certificates. More here:

        “Problem With This Website’s Security Certificate?”

        “Some of our .mil website users have encountered problems accessing secure pages using an “https” web address. If your browser indicates a problem with our security certificate, please read the following information to resolve the issue.

        When accessing a secure (SSL) web page, your browser attempts to verify the identity of the server by checking the site certificate. A certificate is a digital document that identifies websites or individuals, and is issued by a trusted third party provider called a “certificate authority” (CA). Department of Defense (DoD) policy requires that we use certificates issued by the DoD Certificate Authority for identity verification and encryption, rather than those issued by a commercial certificate authority.

        Web browsers are pre-loaded with a default set of root certificate authorities which usually does NOT include the DoD Medium Assurance and Class 3 Root Certificate Authorities among its list of Intermediate and Trusted Root CAs.

        This causes a warning to be displayed when you attempt to connect to a secure page on the site. In this case, the browser does not recognize the DoD as the Certificate Authority.

        To resolve this problem, you must install the DoD Root Certificates on your browser.”


        1. William T Blanchard

          Yes, I got this reply:

          Yes, the irony has not escaped us. It is usually caused by the browsers not having the US DoD Certificate Authority pre-installed.

          To install it follow the link on this page: https://spi.dod.mil/spi_debug.html

  6. Greg A. Woods

    I’ve always wondered why more people in the internet security business are not far more serious about avoiding seriously buggy proprietary software. I realize there’s something to be said for being familiar with the tools of the victims, but on the other hand if you can’t walk the walk….

    So, I must congratulate you for finally trying to stop using Flash (though I’m somewhat surprised and amused by your excuses for the cases where you failed).

    Personally I’ve not used Windows for years now (and only for one application, an accounting package for a few years, well since about 1988 or so — before that I very reluctantly wrote code for Windows application development) and I certainly never will again, though I’ve also never used Linux and don’t expect I ever will either. I do now use OSX on a desktop and a laptop, though I’m considering a switch back to a true built-entirely-from-source BSD desktop.

    I have never used Flash of course, and I’ve never ever missed it. It was the first thing I disabled on OSX, and I get very angry every time a Chrome update automatically re-enables it.

  7. Isma'il

    I’m running the Windows 10 Pro Insider Preview, Build 10130, and have disabled Flash in Microsoft’s new Spartan/Edge browser and it plays YouTube just fine without it. My primary browser though is Yandex Browser (a Chromium-based browser without all the Google-tracking garbage), which also allows you to disable Flash in the settings. When I get to a site that has video which requires Flash, it displays a gray box with a puzzle piece icon (click-to-play for that specific video only). On YouTube, it defaults to HTML5, even if I’ve enabled Flash for one video on another site.

    If you haven’t tried Yandex Browser, I’d suggest giving it a go. The Yandex team has improved it dramatically within the last 12 months.

  8. Larry

    Considering that Fitbit has gone big time with an IPO, it’s a shame that their “Dashboard” still makes extensive use of Flash, and is almost unusable without it.

  9. Eric2

    I was going good Flashless, until I went to generate a disposable credit card number at my bank the card generator would not operate without Flash. This seems like an oxymoron to depend on Flash for *anything* financially driven.

  10. markD

    How/where does one go to obtain the software to uninstall Flash? And no, I’m not just asking for me, millions don’t know exactly how or don’t know if where they go (the web source) is the right place and syntax, or something not helpful, or harmful. Thx.

      1. markD

        Many thanks! For me and all those for whom “that which makes it really easy” is the answer to the question: “define sophisticated.”

  11. Peter

    There oughtta be a way you can doubleclick on an icon on your windows desktop which launches a browser inside a Linux vm on the fly, and walla*, you’re browsing safely, no?

    *just kidding about the ‘walla’

Comments are closed.