Safe Browsing: 11. Adobe Flash Player Security


11. Adobe Flash Player Security

Flash Player is a large and growing source of malware exploits. The details vary, but the basic approach is that the player opens a Flash file that carries a malware payload. The exploit does not need to crash the browser, only the player, and then tries to take over part of the memory the player is using in order to run its shellcode. Crashing just the player window is less intrusive than crashing the entire web page, and many users will never notice what has happened.

There are three things you need to do with Flash player, in order of importance:

  1. Make sure your installed version is up to date. Here are direct links to the player updates. Flash Player has two versions, one for IE and one for other browsers. If you run other browsers in addition to IE, you will need to download and install both. Going directly to the download file gets around much of Adobe trying to stick their own crapware on your system:
    IE: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
    Non-IE: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

    Even if you don't use it, updating it reduces your exploit surface. Be sure you are updated before going to the next step.

  2. Run Settings Manager and crank down the security.
    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

    This is a wacky page. The Settings Manager window is embedded in the HTML page. Here are the recommended settings, clicking across the tabs:

    • Global Privacy Settings: Always Deny
    • Global Storage Settings:
      Set Disk Space slider to "None"
      Check "Never Ask Again"
      Uncheck "Allow third-party Flash content to store data on your computer."
    • Global Security Settings: Either "Always Deny" or "Always Ask".
    • Global Notifications Settings: Check "Notify me when an update to Adobe Flash Player is available." Set the "Check for Updates" to every 7 days.
    • Protected Content Playback: Leave this as it is.
    • Website Privacy Settings: Click "Delete All Sites".
    • Website Storage Settings:
      Set Disk Space slider to "None"
      Check "Never Ask Again"
      Click "Delete All Sites"
    • Peer Assisted Networking Panel: This depends on the kind of internet connection you have. Adobe wants to know if you will allow websites to take part of your system bandwidth to share with other people (or allow you to borrow other people's bandwidth) to make movies run faster. If you are on a very fast connection, this means you lose bandwidth to other people. If you are on a slow connection, you may benefit from taking other people's bandwidth. I have a very fast connection and I don't want it "borrowed" by anyone else, so I check "Disable P2P uplink for all" to ensure nothing is using my system without my knowledge.
  3. Disable Flash in your browser unless you explicitly turn it on. While there are third-party products that will suppress Flash files and ActionScript, the player is still active on your system and could be used. The only way to ensure that Flash Player cannot be exploited is to turn it off entirely. (Individual browsers disable it in different ways, so the specifics are discussed with the browser.)

The third step is a drastic move and I realize that most people will not be willing to go through the hassle of doing this. It is inconvenient to have to turn the player on and off to view embedded videos. You will have to find a balance for yourself on how much to restrict Flash on your machine. Another option is simply not to install Flash at all.
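On machines you administer, several of the step 2 choices can also be pinned in Flash Player's `mms.cfg` administrator file, and a short script can check that file against the recommendations above. This is an added example, not part of the original article; the mapping from Settings Manager panels to `mms.cfg` keys and the sample file contents are assumptions of the example.

```python
# Added example: audit mms.cfg text against the step 2 recommendations.
# The panel-to-key mapping is this example's assumption, not the article's.

# key -> (check on the configured value, recommendation it corresponds to)
RECOMMENDED = {
    "AVHardwareDisable": (lambda v: v == "1", "Global Privacy: always deny"),
    "LocalStorageLimit": (lambda v: v == "1", "Storage: disk space set to None"),
    "ThirdPartyStorage": (lambda v: v == "0", "Storage: no third-party data"),
    "AutoUpdateDisable": (lambda v: v == "0", "Notifications: update checks on"),
    "AutoUpdateInterval": (lambda v: v.isdigit() and int(v) <= 7,
                           "Notifications: check at least every 7 days"),
    "RTMFPP2PDisable": (lambda v: v == "1", "Peer networking: P2P uplink off"),
}

# Constructed sample file contents, not taken from a real system.
SAMPLE = """\
# constructed sample
AVHardwareDisable = 1
LocalStorageLimit = 3
ThirdPartyStorage=0
AutoUpdateDisable=0
AutoUpdateInterval=30
"""

def parse_mms_cfg(text):
    """Return {key: value} from 'Key = Value' lines; skip blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Map each recommended key to 'ok', 'weak', or 'missing' (not enforced)."""
    settings = parse_mms_cfg(text)
    findings = {}
    for key, (is_ok, _why) in RECOMMENDED.items():
        if key not in settings:
            findings[key] = "missing"
        else:
            findings[key] = "ok" if is_ok(settings[key]) else "weak"
    return findings

if __name__ == "__main__":
    for key, status in audit(SAMPLE).items():
        print(f"{status:8} {key:20} {RECOMMENDED[key][1]}")
```

A key reported as "missing" is not enforced by the file, so that setting falls back to whatever the user chose in the Settings Manager.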

Ang's Personal Opinion: Flash is a decent technology that cannot currently deal with the malicious conditions of the internet. Its use to create obnoxious and intrusive advertising online has eclipsed its appropriate use in other venues, such as training and desktop applications. As long as people click on things that blink and move, however, it will be used for ads and other unsavory online creations. End opinion.



Story Information

Author: Anglachel

Status: General

Completion: Complete

Era: Other

Genre: Research Article

Rating: General

Last Updated: 06/19/10

Original Post: 06/14/10
