Posted on February 26th, 2013 at 10:09 PM EDT
Although it has not attained the same level of danger as Java, Flash is back in the news today due to vulnerabilities. Adobe has issued a Flash update, saying that the vulnerabilities fixed are currently being exploited in the wild. This patch is considered to be of the highest priority. All users of Flash are advised to update immediately.
The exploit apparently targets a vulnerability that is found only in the Flash sandbox in Firefox, so presumably users of other browsers are safe. Still, the update should be installed regardless. Most likely, Apple will take the choice out of users’ hands by disabling the vulnerable versions of Flash, as they have done in the past. It is unclear at this time what malware might be dropped on the Mac by this exploit.
Flash, like Java, has the potential to open up your computer to malware when vulnerabilities are discovered. If you can live without Flash, you probably should do so. I have been trying to avoid Flash for a little while now, and it hasn’t really been all that difficult. I have had to skip certain older YouTube videos, though most of the videos I have tried worked just fine. I had to find a new HTML5 internet speed test site, and am much happier with the one I have found anyway. I can’t use Google Maps’ street view, but that’s okay, as I rarely found it useful in the first place. I encourage you to give a Flash-free life a try and see how it goes for you.
If you can’t live without Flash, there are a few things you can do to keep yourself safer. One is to use something like ClickToFlash to control what Flash content gets loaded. On recent systems, the ClickToFlash Safari extension works very nicely, and the older ClickToFlash plug-in works on versions of Safari unsupported by the newer extension.
For Firefox users, it’s a little more difficult to block Flash, but still possible. Enter “about:config” in the address bar (without the quotes) and press return, then click the “I’ll be careful, I promise” button when you see the scary-looking warning. In the intimidating list of settings, search for “plugins.click_to_play”. If the Value column reads “false,” double-click that item to change it to “true.” Be careful not to change anything else! Then close that Firefox window. (Thanks to Spade for pointing out this solution!)
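One way to confirm the setting is in place in every Firefox profile, as an added example that is not part of the original post: the script reads each profile's prefs.js, plus user.js, which Firefox applies over it at startup. The profile path is the usual OS X location and is an assumption, and a result of None only means the files do not set the preference, so Firefox's built-in default applies.

```python
import re
from pathlib import Path

PREF = "plugins.click_to_play"
# Matches lines of the form user_pref("name", value); as found in prefs.js / user.js
LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def read_pref(text, name=PREF):
    """Return True/False if this file's text sets the pref, else None."""
    value = None
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == name and m.group(2) in ("true", "false"):
            value = (m.group(2) == "true")  # last occurrence wins
    return value

def profile_state(prefs_text, user_text=""):
    """user.js is applied at startup over prefs.js, so it takes precedence."""
    override = read_pref(user_text)
    return override if override is not None else read_pref(prefs_text)

def audit(profiles_dir):
    """Map each profile directory name to True, False or None (not set)."""
    results = {}
    for profile in sorted(Path(profiles_dir).expanduser().iterdir()):
        prefs, user = profile / "prefs.js", profile / "user.js"
        if not prefs.is_file():
            continue  # not a profile directory
        results[profile.name] = profile_state(
            prefs.read_text(errors="replace"),
            user.read_text(errors="replace") if user.is_file() else "")
    return results

# Constructed sample of a prefs.js file, for illustration only.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugins.click_to_play", true);
'''

if __name__ == "__main__":
    # Assumed profile location for Firefox on OS X.
    root = Path("~/Library/Application Support/Firefox/Profiles").expanduser()
    labels = {True: "click-to-play on", False: "click-to-play off", None: "not set"}
    if root.is_dir():
        for name, state in audit(root).items():
            print(f"{name}: {labels[state]}")
```

Quit Firefox before checking, since it rewrites prefs.js on exit.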
You can get a bit more protection in Google Chrome, however. Chrome includes the capability to enable “click to play” functionality for all plug-ins (Java and Flash included). This gives protection similar to ClickToFlash. In addition, Chrome encloses Flash in its own sandbox. This means that a vulnerability in Flash cannot be exploited in Chrome without the simultaneous discovery and exploitation of a vulnerability in Chrome’s sandbox.
When it comes to third-party software like Java and Flash, if you choose to use it, you need to stay on top of it. Keep up with updates, and do whatever you can to limit possible exposure to malicious plug-in content.