Flash Safety 101

The annual Pwn2Own hacking contest is always a rather frightening demonstration of how available exploits are. Year in, year out, the latest browsers and Web plug-ins fall to researchers demonstrating cutting-edge ways to craft exploits and defeat the latest security precautions put in place by various software vendors.

Most vendors, however, have become quite good at patching vulnerabilities as they are discovered in contests like this. For example, both Chrome and Firefox have received updates that fixed the flaws uncovered at Pwn2Own. Flash and Internet Explorer will receive similar updates next month.

We’ve talked before about how to best secure Java and PDF readers. What about Flash?

Can you do without it?

If you’re really security-minded, yes, you can do without Flash. To a large degree, Flash’s usage is now limited to online video, games, annoying ads, and the navigation menus of websites. (Among other things, the rise in popularity of smartphones and tablets – which generally don’t have Flash – has played a role in that development.)

If these are things that aren’t important to you, you can safely remove Flash without affecting your day-to-day browsing experience. For many people, the stumbling block is likely to be online video. It may be a good idea to check whether your favored video site has HTML5 support. For example, YouTube has HTML5 support, but only as an opt-in beta.

Is it built into your browser?

Some browsers actually have Flash directly integrated into them, making updating them relatively painless. Internet Explorer 10 (on Windows 8) receives Flash updates as part of Windows Update. Flash is completely integrated into Chrome, so auto-updates for Chrome also ensure that Flash is kept up to date.

Using these browsers ensures that the version of Flash for that browser is kept up to date by the browser itself as part of its own auto-update. This minimizes your exposure to exploit kits, as many cybercriminals (due to the cost of cutting-edge exploits) will prefer to use long-patched security flaws, aware that many users don’t always run the latest version of software.

How do I keep my version of Flash up-to-date?

Today, Flash comes with its own auto-update installer. However, it won’t hurt to check manually every now and then whether the version you have is up to date.

To do that, you can visit Flash’s about page and check which version you have installed. If you need to download an updated version, the about page helpfully provides links to the Flash Player download.

Even if you use multiple browsers, you only need to do this twice: once to check Internet Explorer, and once more for all non-IE browsers collectively, since they share a single plug-in installation.

Can you restrict the usage of Flash?

Even if you do keep your version of Flash up-to-date, you may want to limit your exposure to it anyway. A good way to do this is to limit which websites are allowed to run Flash content.

Browser extensions can be used to set whitelists of sites that may run Flash content; a good example (but far from the only one) is the well-known Flashblock add-on for Firefox. If the user is willing to take the time to set up their whitelist (or add sites as needed), then this is an excellent way to make Flash usage more secure.

An even more restrictive technique is using click to play. Available in Chrome, Firefox, and Opera, this feature does exactly what it says: before running plug-ins, the user must manually click on the embedded object to run it. The downside to this should be apparent: this can get tiresome very quickly. Also, this is not just limited to Flash; this affects all plug-ins used by the browser (compounding the previous issue).

Both of these options do increase the security of using Flash, but they impose a burden on the user that simply keeping the installed version of Flash up-to-date doesn’t. For some users – like those likely to be recipients of targeted attacks – this makes sense. Others may feel that the added security isn’t worth it. Your mileage may vary.
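As an added illustration (not part of the original post), the two approaches above can be combined in Chrome through its managed policy file rather than an extension: `DefaultPluginsSetting` set to 3 makes click to play the default for every site, and `PluginsAllowedForUrls` whitelists the few sites where Flash may run automatically. The file location `/etc/opt/chrome/policies/managed/` is the Linux path (Windows uses Group Policy instead), and `youtube.com` is only a sample whitelist entry.

```json
{
  "DefaultPluginsSetting": 3,
  "PluginsAllowedForUrls": [
    "[*.]youtube.com"
  ]
}
```

A value of 1 for `DefaultPluginsSetting` is the permissive behavior (plug-ins run automatically everywhere) that this configuration replaces; `[*.]youtube.com` matches the domain and all of its subdomains.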

Conclusion

The key thing you need to know about securing Flash is: it can be done, and removing it completely is also a feasible option. Current trends in web design and development mean that Flash is not as absolutely necessary to a good user experience as it may have been several years ago. If you can do without it, uninstalling it may not be such a bad idea.

If you are going to keep running Flash, then keeping it up to date is essential. Between the auto-updater and the Flash about page, it’s not hard to determine whether an upgrade to a newer version is needed. You can also take further steps to reduce your exposure to Flash specifically, although these do mean that users have to be slightly inconvenienced. Taken together, these steps should minimize the risk of Flash exploits for most users.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 14 March 2013.