New Flash vulnerability

Published February 26th, 2013 at 10:09 PM EST , modified February 27th, 2013 at 10:56 AM EST

Although it has not attained the same level of danger as Java, Flash is back in the news today due to vulnerabilities. Adobe has issued a Flash update, saying that the vulnerabilities fixed are currently being exploited in the wild. This patch is considered to be of the highest priority. All users of Flash are advised to update immediately.

The exploit apparently uses a vulnerability that is found only in the Flash sandbox in Firefox, so presumably users of other browsers are safe. Still, the update should be installed regardless. Most likely, Apple will take the choice out of users’ hands by disabling the vulnerable versions of Flash, as they have done in the past. It is unclear at this time what malware might be dropped on the Mac by this exploit.

Flash, like Java, has the potential to open up your computer to malware when vulnerabilities are discovered. If you can live without Flash, you probably should do so. I have been trying to avoid Flash for a little while now, and it hasn’t really been all that difficult. I have had to skip certain older YouTube videos, though most of the videos I have tried worked just fine. I had to find a new HTML5 internet speed test site, and am much happier with the one I have found anyway. I can’t use Google Maps’ street view, but that’s okay, as I rarely found it useful in the first place. I encourage you to give a Flash-free life a try and see how it goes for you.

If you can’t live without Flash, there are a few things you can do to keep yourself safer. One is to use something like ClickToFlash to control what Flash content gets loaded. On recent systems, the ClickToFlash Safari extension works very nicely, and the older ClickToFlash plug-in works on versions of Safari unsupported by the newer extension.

For Firefox users, it’s a little more difficult to block Flash, but still possible. Enter “about:config” in the address bar (without the quotes) and press return, then click the “I’ll be careful, I promise” button when you see the scary-looking warning. In the intimidating list of settings, search for “plugins.click_to_play”. If the Value column reads “false,” double-click that item to change it to “true.” Be careful not to change anything else! Then close that Firefox window. (Thanks to Spade for pointing out this solution!)
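Firefox stores the about:config change described above in the profile’s prefs.js file as a line of the form `user_pref("plugins.click_to_play", true);`. The following script, added here as an example and not part of the original post, parses prefs.js lines and reports whether each Firefox profile on a Mac has click-to-play switched on. The profile location under ~/Library/Application Support/Firefox/Profiles is an assumption based on a standard install, and the two sample prefs.js contents are constructed for illustration.

```python
"""Check Firefox profiles for the plugins.click_to_play preference.

Firefox keeps user preferences in prefs.js inside each profile directory,
one per line:
    user_pref("plugins.click_to_play", true);
This check parses those lines and reports whether click-to-play is on.
"""
import glob
import os
import re

# One user_pref line; group 1 is the pref name, group 2 the raw value text.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumed default macOS location of Firefox profiles (standard install).
PROFILE_GLOB = os.path.expanduser(
    "~/Library/Application Support/Firefox/Profiles/*/prefs.js")


def parse_prefs(text):
    """Return a dict of pref name -> raw value string from prefs.js content."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def click_to_play_enabled(text):
    """True only if prefs.js explicitly sets plugins.click_to_play to true.

    A missing pref means the Firefox default applies (false at the time of
    this post), so such a profile is reported as unprotected.
    """
    return parse_prefs(text).get("plugins.click_to_play") == "true"


def scan_profiles(pattern=PROFILE_GLOB):
    """Map each prefs.js path matched by `pattern` to its click-to-play state."""
    results = {}
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = click_to_play_enabled(fh.read())
    return results


# Constructed sample prefs.js contents (not taken from a real profile).
SAMPLE_PROTECTED = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugins.click_to_play", true);
'''
SAMPLE_UNPROTECTED = '''// Mozilla User Preferences
user_pref("plugins.click_to_play", false);
'''

if __name__ == "__main__":
    print("sample protected:", click_to_play_enabled(SAMPLE_PROTECTED))
    print("sample unprotected:", click_to_play_enabled(SAMPLE_UNPROTECTED))
    # Report on the real profiles found on this machine, if any.
    for path, ok in scan_profiles().items():
        print(("OK   " if ok else "WARN ") + path)
```

Run it with Firefox closed, since Firefox rewrites prefs.js on exit; a profile that has never had the setting changed simply lacks the line and is reported as unprotected.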

You can get a bit more protection in Google Chrome, however. Chrome includes the capability to enable “click to play” functionality for all plug-ins (Java and Flash included). This gives protection similar to ClickToFlash. However, in addition, Chrome encloses Flash in an additional sandbox. This means that a vulnerability in Flash cannot be exploited in Chrome without the simultaneous discovery and exploitation of a vulnerability in Chrome’s sandbox.

When it comes to third-party software like Java and Flash, if you choose to use it, you need to stay on top of it. Keep up with updates, and do whatever you can to limit possible exposure to malicious plug-in content.

9 Comments

  • Spade says:

    Alternatively, for Firefox, you can also activate Firefox’s builtin in “click to play” functionality for Flash and other plugins. It’s an about:config preference change (plugins.click_to_play) which I’ve been using since it was introduced, and it works great. (The Flashblock add-on you linked to hasn’t been updated since 2011!)

  • tek says:

    Good advice here. Helps a lot. Thanks!

  • Bonny says:

    I’m going to try browsing without flash, but safari doesn’t offer a disable option for flash. How can I disable it?

  • aalien says:

    ClickToFlash is a good option but it has some issues with multiple flash movies sometimes…
    Some flash are a playlist and ClickToFlash has issues with that…

    I think the better option is to use chrome.

    “In Chrome, in the address bar type “chrome://plugins/”…
    Then you can enable or disable flash player only when need. You can even save that address as a bookmark bar for fast access as I do…

    I always have it disabled, when I need it I simply press the bookmark address and enable it in seconds…”

  • Jessica says:

    I just installed the ClickToFlash extension. Do I have to modify the settings to keep me fully protected or can I leave them on default?

    • Thomas says:

      Its default settings should be fine… just don’t click on any Flash placeholders on web sites unless you really want to load that Flash!

  • Someone says:

    I hope that Chrome will soon come up with a different solution. I know that in Safari, you don’t need Flash on your computer to watch YouTube videos (I heard someone mention HTML5 was used in Safari by default on non-Flash computers) and I hope Chrome will start coming up with solutions as well.