0

So I am slightly more than a dilettante when it comes to security but hardly an expert. I have been reading up on the recent Adobe Flash issues and I wanted to ask a couple of questions:

  • My Mom uses Mozilla on her computer and they have all but completely disavowed Flash. Flash is still used on most ticket buying sites and my mom still likes buying tickets to things. If I disable Flash permanently is there a workaround for her to still be able to use these sites?

  • What exactly are the vulnerabilities in Flash? I keep seeing references to "zero day hacks almost being a feature" but no one seems to be saying what can be exploited in the package?


This really all stems from a problem that I am sure you are all familiar with: My Mom (or in your case friend, dad, grandparent) assuming that since you code you can fix all technology problems ever. Thanks.

ford prefect
  • 235
  • 1
  • 2
  • 9
  • 1
    The first question is really up to each individual vendor's site: there isn't going to be a catch-all solution. Your first question is also not an InfoSec question. The second question will result in a HUGE list of published issues. Short answer for #2 is: visit a site and a hacker now owns your computer. Google "Flash CVEs" for the official list of details on Flash's vulnerabilities. – schroeder Jul 15 '15 at 15:32
  • 1
    So, I am slightly more than a dilettante when it comes to the English language, but you're making me feel like less than an expert for employing that recondite word (which I was forced to look up), although I did find your use of "disavowed" to be most cromulent and diverting. Generally speaking, I don't avow any aspect of a piece of software to begin with, so to see someone who still has such passion is remarkable. Usually, I just stop using stuff. – Parthian Shot Jul 15 '15 at 23:32
  • 1
    @ParthianShot Would you believe that this is actually how I talk? – ford prefect Jul 16 '15 at 14:50
  • @inquisitiveIdiot I would. – Parthian Shot Jul 16 '15 at 17:25
  • Flash is very bad. Do your research and you will understand why Firefox did this. There is no place for it on her computer, unless she does very good backups. – SDsolar Jan 20 '17 at 08:15

3 Answers

7

Flash has been a high-value target for exploit developers for years, particularly because of its near-ubiquitous installation base and the fact that (historically) it will generally run automatically whenever a page with Flash content is loaded. This makes it very easy for a large number of systems to be targeted and compromised with a single exploit.

As it turns out, Flash apparently has a lot of flaws for those developers to discover as well. This has resulted in dozens upon dozens of Flash-related CVE entries every year, with many of them starting off as zero-day exploits. Flash Player is currently #16 on CVE Details' Top 50 most vulnerable products list, with a total of 510 vulnerabilities discovered since 2005. The last year in which there were less than 50 vulnerabilities discovered for Flash Player was 2009, and there's already been 132 discovered this year!

[Image: Flash Player Vulnerability Statistics]

The vulnerabilities that have been cropping up aren't trivial things, either. Nearly 84% of Flash Player vulnerabilities discovered to date are usable for code execution, and about 80% of all Flash Player vulnerabilities are rated with a CVSS score of 9 or higher!

So, what can happen if you keep Flash enabled while indiscriminately browsing the web? Very bad things.

What should you do if you use some sites that still require Flash? Find a different provider for those services, if possible, who doesn't require Flash for their site. All major browser vendors are abandoning plugins in general, so it's just a matter of time before you'll have to start using some obscure specialty (and/or outdated, and therefore even more vulnerable) browsers if you need Flash.

If you absolutely have no other choice but to use Flash, Chrome currently has a built-in Flash Player that gets automatically updated along with the browser. IE 10 and later, on Windows 8 and later, also has built-in Flash but Chrome is preferred for its (generally) better security and background updates.

Another thing you could try is to just disable Flash and see what happens. Many sites will say they require things like Flash and JavaScript, while their most critical functions actually do not depend upon them. Oftentimes, the Flash/JavaScript used on those sites just enables some features that offer added convenience or non-critical functionality. In a number of other cases, you'll find that the only thing that breaks with Flash/JavaScript disabled is the ads!

Iszi
  • 26,997
  • 18
  • 98
  • 163
2

Use Google Chrome - it has "PepperFlash" built in, and it's always up to date (as long as you reboot every day).

She can use the sites you need, and you can uninstall the regular Flash so that she doesn't get tricked into opening a website that will infect her computer.

I did this a year ago with my parents, and haven't had any issues since.

makerofthings7
  • 50,090
  • 54
  • 250
  • 536
  • 2
    This can work, but note that some Flash sites do not work properly in PepperFlash. I've worked for a site for whom this was a problem. – schroeder Jul 15 '15 at 16:43
2

The short answer to your question is:

Leave Flash enabled on your mother's computer - but check the option for only running Flash content when the user (your mother) tells it to run. That way, when she's at a known page and she needs to run the plugin, all she has to do is right-click and click "run this plugin". Firefox may even do this by default now. You can do this in Chrome by going to Settings -> Advanced Settings -> Content Settings underneath Privacy -> Check "Let me choose when to run plugin content" underneath Plugins.

shift_tab
  • 423
  • 3
  • 13
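The click-to-play setting shift_tab describes can also be enforced from the command line, so it survives a profile reset and does not depend on someone clicking through the settings UI each time. The script below is an added example, not code from any of the answers; it assumes Linux paths, Chrome's managed-policy directory (`DefaultPluginsSetting`, where 3 means click to play) and Firefox's per-profile `user.js` (`plugin.state.flash`, where 1 means ask to activate), as those plugin-era browser versions exposed them.

```shell
#!/bin/sh
# Added example (not from the original answers): enforce click-to-play for
# Flash in Chrome and Firefox by writing the settings as files rather than
# clicking through each browser's settings dialog.
# Assumptions (Linux):
#   Chrome managed policies:  /etc/opt/chrome/policies/managed/*.json
#     DefaultPluginsSetting: 1 = allow, 2 = block, 3 = click to play
#   Firefox profile user.js:  ~/.mozilla/firefox/<profile>/user.js
#     plugin.state.flash:     0 = disabled, 1 = ask to activate, 2 = always

write_chrome_policy() {
    # $1: policy directory (normally /etc/opt/chrome/policies/managed)
    mkdir -p "$1"
    cat > "$1/flash-click-to-play.json" <<'EOF'
{
  "DefaultPluginsSetting": 3
}
EOF
}

write_firefox_prefs() {
    # $1: Firefox profile directory. user.js is re-applied on every start,
    # so the pref is restored even if prefs.js gets reset or edited.
    # The grep guard keeps the function idempotent (no duplicate lines).
    mkdir -p "$1"
    grep -q 'plugin.state.flash' "$1/user.js" 2>/dev/null || \
        printf 'user_pref("plugin.state.flash", 1);\n' >> "$1/user.js"
}

verify_click_to_play() {
    # $1: Chrome policy dir, $2: Firefox profile dir.
    # Returns 0 only when both files carry the click-to-play setting,
    # so it can be run later to check nothing has reverted.
    grep -q '"DefaultPluginsSetting": 3' "$1/flash-click-to-play.json" &&
        grep -q 'user_pref("plugin.state.flash", 1);' "$2/user.js"
}

# Usage (as root for the Chrome policy, as the user for Firefox):
#   write_chrome_policy /etc/opt/chrome/policies/managed
#   write_firefox_prefs ~/.mozilla/firefox/xxxxxxxx.default
#   verify_click_to_play /etc/opt/chrome/policies/managed ~/.mozilla/firefox/xxxxxxxx.default
```

Chrome reads managed policies on start and Firefox re-applies user.js on every launch, so running the verify function after an update is a quick way to confirm the setting is still in force.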