  • Is disabling Flash not enough?

    Posted on May 14th, 2016 at 06:24 by woody

    UPDATE: Starting in October, Google Chrome will not show Flash objects unless you specifically click to show your acceptance. If a site offers both HTML5 and Flash, the HTML5 will always run, not the Flash, by default. More details on the F-Secure site.

    Good question from WH:

    In your 20:19, May 10, 2016, post on AskWoody.com, you have the following:

    “The Adobe zero-day is with Flash. Lesson: Don’t use Flash. (Does that sound familiar, too?)”

    My default browser is Firefox. I use NoScript also. I think it is NoScript that prevents Adobe Flash Player from being run automatically. Any time a web site wants to use Flash, I have to explicitly click to activate it.

    It seems that MANY web sites require activation of Flash to view at least some of their content.

    When you recommend third-party updates (e.g., Randy the Professor) to programs such as Flash, I update it. Is that not enough?

    If you say we shouldn’t use Flash, but we want to view the content web sites offer, what is the alternative to Flash?

    Sadly, there is no alternative to Flash. Sadly, some web sites still require it, after years and years of complaints. If you hit a site that requires Flash, find a different site! The people who control the site obviously don’t give a harry rat’s patoutie about you. Write to them and complain!

    If you have to use Flash on some sites, I suggest you pick just one browser and arm it with something like NoScript, which will block Flash unless you specifically allow it. I use Edge (don’t shoot me!), because it’s easy to switch Flash on and off. I never, ever venture out into the real world with an armed version of Flash exposed to the web. Life’s too short.

    Internet Explorer, Flash and Adobe Reader have been the leading source of Windows infections for many years.


    This topic contains 43 replies, has 8 voices, and was last updated by  misuser8 1 year, 5 months ago.

    • #42608 Reply

      misuser8

      On my Windows 8.1 PC I’ve uninstalled Adobe Flash Player NPAPI Plugin for Firefox from Control Panel > Programs And Features,
      but Adobe’s uninstaller does not delete FlashPlayerCPLApp.cpl and FlashPlayerApp.exe and even after Flash Player is uninstalled and not listed among installed programs,
      Flash Player Settings Manager is still accessible from Control Panel.
      Downloading and running Flash Player Uninstaller (uninstall_flash_player.exe) ends with same results – FlashPlayerCPLApp.cpl and FlashPlayerApp.exe still remain intact.
      If I just delete those files manually are there any registry entries associated with them that should also be removed?

    • #42609 Reply

      woody
      Da Boss

      That should be good enough, I think.

    • #42610 Reply

      anonymous

      Erm… Flash is bundled with W8 and higher. So, the uninstaller will not remove the control panel item, of course. What we *really* need is a way to kick the flash out of Windows installs completely. Plus, Microsoft needs to stop bundling this insane superbuggy s*** with their OS. Who the heck came up with the retarded idea in the first place? :-X

    • #42611 Reply

      rc primak

      This is a case for either Revo Uninstaller or Geek Uninstaller. These programs will deal with precisely this sort of failure of a program uninstaller to remove everything associated with that program. Geek Uninstaller also covers 64-bit areas of Windows, and can force-remove programs or modules which don’t have their own uninstallers.

      There is no excuse for a vendor to provide a program where the uninstaller doesn’t completely remove the program and all its non-shared components. Yet one more reason to distrust Adobe.

    • #42612 Reply

      rc primak

      Woody,

      I can now confirm that the Noel Carboni Method does work for selectively patching Windows 10 Pro.

      The latest MS Update for Flash Player for Windows 10 version 1511 was not available from the MS Update Catalog for 32-bit systems. Weird, as the same patch for 64-bit systems is available at the Update Catalog.

      Anyway, the only way to get the patch was to use the full-on MS Updates mechanism on my Win 10 Pro 32-bit tablet, and we are not installing the May Win 10 CU just yet. So the only way to selectively get just the May 13th Flash Player Update was to go ahead and use the Carboni Method.

      I downloaded and ran the Registry mods from the Infoworld article link. So now I’m no longer on Automatic Updates for the tablet.

      Then I downloaded WuShowHide, and hid for now both of the other updates (the CU and MSRT, even though there’s no harm in running MSRT any time). Then restarted the tablet and ran the updates checker with Metered Connection still on for safety.

      Turns out, even with the Metered Connection trick, the Download button for non-hidden MS Updates is still available, so running the Flash Player update selectively went off smoothly without unmetering the connection. Rechecking for MS Updates showed no further updates available.

      Then I ran WuShowHide to unhide the hidden updates, and rechecked for MS Updates. Everything was back, but due to the Metered Connection, nothing downloaded. And due to no longer having Automatic Updates enabled, nothing new should download anyway.

      So the Carboni Method worked. Thanks Woody and Noel!

    • #42613 Reply

      Steve

      Why isn’t setting Shockwave Flash to “ask to activate” in Firefox’s Add-ons Manager good enough?

    • #42614 Reply

      lizzytish
      AskWoody Lounger

      Just butting in here… would using something like Revo Uninstaller help to remove those files/registry entries that have been left behind after using the Adobe uninstaller? Just a thought! LT

    • #42615 Reply

      Aaron

      I have plugins set to not run automatically, but I was wondering how Chrome’s (and its derivatives’) Pepperflash figures in this? Safer than Adobe? Less safe?

    • #42616 Reply

      tonydi
      AskWoody Lounger

      “The people who control the site obviously don’t give a harry rat’s patoutie about you. Write to them and complain!”

      I presume you’ve already handled this for us at Infoworld.com?

    • #42617 Reply

      Noel Carboni

      IE got (gets) a bad rap but it does have one of the most controllable security models. It just isn’t shipped with out-of-the-box default settings in secure positions.

      It is, for example, quite doable to change IE to just not run ActiveX (or the fancier scripting features) from sites on the wild internet. Boom, Flash problem solved.

      And of course you can disable Add-ons, of which “Shockwave Flash Object” is one. Like I said, IE is ultimately configurable.

      Couple the above reconfiguration with a strategy of maintaining a good blacklist of malware-delivering web sites and IE becomes one of the fastest performing browsers and, I assure you, quite secure.

      As far as I know (though to be fair I haven’t looked at ANY Apps lately) Edge doesn’t offer that configurability. And so it is growing up to be clearly and measurably worse than IE.

      -Noel

    • #42618 Reply

      name

      Dear WH, many websites provide a html5 version for mobile users. Most of the time you can trick the site to show the mobile version to you by changing your user-agent. The Chrome documentation (https://developer.chrome.com/multidevice/user-agent) can help you make up one. How-To Geek has an awesome guide on how to change user-agents in different browsers: http://www.howtogeek.com/113439/how-to-change-your-browsers-user-agent-without-installing-any-extensions/?PageSpeed=noscript

      If the above trick doesn’t work, I recommend you to use a virtual machine and install Flash Player inside that.

      And of course the best option is to contact the website owner and express your feelings.

    • #42619 Reply

      Charlie
      AskWoody Lounger

      In Firefox browser’s Add-ons, Flashplayer now has a box that’s checked by default to “Enable Flash Protected Mode”. It’s been there for some time I think.

      Also, in Firefox Add-ons, you can choose to have Flashplayer Activated, Ask To Activate, or Never Activate with a little drop down choice box. I chose Ask To Activate, and nothing plays unless I allow it. It works like a charm. All areas where videos would run are greyed out and you have a standard notice to choose if you want to allow that site to play videos AND it even gives you the choice to just make it a temporary allowing. Is this not good enough?

      Sorry Woody, I had to ask.

      Win 7 Home Premium, x64, Intel i3-2120 3.3GHz, Group B

    • #42620 Reply

      poohsticks

      Like W.H., sometimes I have to use a website that requires Flash.

      I have a Windows 7 machine and I.E. 11.

      I think that the programs that people often recommend to hobble Flash, like “NoScript”, do not work with I.E. 11 on Windows 7. Maybe I am wrong about that, though. (Yes, I know that other browsers allow for those programs, but none of them are perfect solutions.)

      It’s somewhat different in scope, but I do heavily use the old, free program PeerBlock and it’s been totally fantastic for me and has blocked a lot of stuff online that I don’t want to see — ads and moving videos and so forth, whether they are powered by Flash or not.

      Some other things I do to stay safe with Flash:
      -I go to the Flash settings area and lock down all the options for safety as much as I can
      -I have Flash constantly disabled in I.E. Tools/Manage Add-Ons and only enable Flash once I’m at the website which requires it to be on
      -I don’t surf off of that site to other locations on the internet until I’m ready to disable Flash again
      -I always have ActiveX filtering turned on
      -I check for updates at the Adobe site once a month: https://get.adobe.com/flashplayer/?promoid=KLXMF

    • #42621 Reply

      poohsticks

      I meant to put in the middle there that, for blocking moving videos and ads, turning off DOM storage in tools/internet options/advanced seems to help with that.

    • #42622 Reply

      a

      No need to download and install anything, just activate click to play in the browser. I use this technique for PDFs, too. In Firefox, go to Tools, Add-ons, click plugins, and then change settings to “ask to activate.”

    • #42623 Reply

      ch100
      AskWoody MVP

      Sometimes it is useful to reinstall and then uninstall following safe steps, i.e. restarting between procedures, even if not requested by the installer. This would clean up in most situations.

      While being at Flash, I am wondering how “dangerous” using Flash is, beyond the general recommendations provided by different trusted security authorities. I would be interested in reading authoritative references beyond what is generally thought about Flash as being insecure.

      I know about Java RE that the US Government recommended many months ago not to use it on the Internet, while it is acceptable to run Java RE locally or on trusted networks. This can be configured in the plugin Control Panel. Also Oracle, the current owner, seems to have plans, although not formally announced, to discontinue or heavily modify the product.

      I know about Flash Player that Adobe announced that eventually the product should be replaced and that they support alternative technologies now.

      Internet Explorer is to some extent seen in a similar fashion like Flash, Java RE and more recently QuickTime.

      This is not enough to convince me that I should limit my experience when browsing to well-known sites or what I perceive as safe enough, while keeping the systems up to date with the released updates. Browsing to dubious sites would make the experience relatively insecure even for the most secure technologies, except for special configurations like those provided by sandboxes, virtual machines etc.

      I would like to know what are the thoughts of those who read this site and their personal experience with the technologies mentioned above and which are generally considered less secure.

    • #42624 Reply

      woody
      Da Boss

      That seems like a significant impediment to getting your system hacked. But life would be so much simpler if web sites didn’t run Flash! A utopian wish, I know.

    • #42625 Reply

      woody
      Da Boss

      Does InfoWorld use Flash?????

    • #42626 Reply

      Richard Allen

      If you do not use an ad blocker when you click on ‘Allow Now’ on the left side of the address bar you are then enabling EVERY flash element visible on the webpage and actually some of the elements below the visible webpage. And the further down you scroll more flash content is then enabled. And… by default once you click on ‘Allow Now’ that website will allow flash content for 60 minutes, for that browser session. Not Good! You can change the about:config entry ‘plugin.sessionPermissionNow.intervalInMinutes’ to 1 minute or whatever but you are still enabling a lot of questionable content (my opinion) if ads are not being blocked. If ads are not being blocked the best solution would be to use the add-on ‘Click to Play per-element.’
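
An added example, not part of the comment above or of Firefox itself: a small audit of a Firefox `prefs.js`/`user.js` for the two settings that comment turns on, click-to-play for Flash and the length of the 'Allow Now' window. The pref name `plugin.state.flash` and its 0/1/2 meanings are assumptions not stated in the thread; the sample pref files are constructed.

```python
import re

# Firefox stores preferences as lines of the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

FLASH_STATE = "plugin.state.flash"  # assumption: pref name is not given in the thread
ALLOW_NOW = "plugin.sessionPermissionNow.intervalInMinutes"  # named in the thread
DEFAULT_ALLOW_NOW = 60  # default 'Allow Now' window, as stated in the thread
# Assumed value meanings for plugin.state.*:
STATE_NAMES = {0: "never activate", 1: "ask to activate", 2: "always activate"}


def parse_prefs(text):
    """Return {name: value} for every user_pref line; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue  # comment line
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit_flash(prefs, max_minutes=1):
    """Return a list of findings; an empty list means both settings are tight."""
    findings = []
    state = prefs.get(FLASH_STATE)
    if state is None:
        findings.append(f"{FLASH_STATE} is not set in this file; the browser default applies")
    elif state not in STATE_NAMES:
        findings.append(f"{FLASH_STATE} has unexpected value {state!r}")
    elif state == 2:
        findings.append("Flash is set to always activate (no click-to-play)")

    minutes = prefs.get(ALLOW_NOW, DEFAULT_ALLOW_NOW)
    if state != 0:  # the window is irrelevant when Flash never activates
        if isinstance(minutes, bool) or not isinstance(minutes, int):
            findings.append(f"{ALLOW_NOW} is not an integer: {minutes!r}")
        elif minutes > max_minutes:
            findings.append(
                f"'Allow Now' keeps Flash enabled on a site for {minutes} minutes "
                f"(wanted at most {max_minutes})"
            )
    return findings


# Constructed sample pref files (not taken from a real profile).
SAMPLE_ASK_ONLY = '''
// click-to-play is on, but the Allow Now window is left at its default
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugin.state.flash", 1);
'''
SAMPLE_TIGHT = '''
user_pref("plugin.state.flash", 1);
user_pref("plugin.sessionPermissionNow.intervalInMinutes", 1);
'''
SAMPLE_ALWAYS = 'user_pref("plugin.state.flash", 2);'

if __name__ == "__main__":
    for label, text in [("ask only", SAMPLE_ASK_ONLY), ("tight", SAMPLE_TIGHT),
                        ("always", SAMPLE_ALWAYS)]:
        print(label, "->", audit_flash(parse_prefs(text)) or "no findings")
```
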

    • #42627 Reply

      poohsticks

      @Noel Carboni,
      I was glad to read your thoughts on Flash with I.E.
      That is how I’ve been approaching it the last couple of years.
      (Earlier today, in comment number 9 below, I described what I do when using Flash with my I.E. 11. I make it as safe as can be.)
      It’s heartening to this non-techie to learn that at least a few folks who are “in the know” don’t think it’s necessarily akin to playing with fire. 🙂

    • #42628 Reply

      EP
      AskWoody Lounger

      The FlashPlayerCPLApp.cpl and FlashPlayerApp.exe files, unfortunately, are part of the Adobe Flash Player security updates that Microsoft created for Windows 8x & 10 (like KB3163207). You do not have to delete those files.

    • #42629 Reply

      EP
      AskWoody Lounger

      I now use IE w/ an AD Blocker like Adblock Plus for IE, which blocks some flash ads.

    • #42630 Reply

      Picky

      I also suggest using spywareblaster, as it helps make IE more secure. It is simple but sometimes simplicity is best.

    • #42631 Reply

      ch100
      AskWoody MVP

      Please add Silverlight to the list of less secure software for which I am asking for your experience. I was inspired to add Silverlight by one of Woody’s posts in reply to someone asking for advice in regards to the current updates.
      What I know is that initially Silverlight was Microsoft’s response to Flash (then owned by the original developer Macromedia). After a few years, voices within Microsoft claimed that Silverlight will be discontinued while other voices from Microsoft claimed quite the opposite. Fact is that we still get updates and occasionally an update important enough that it requires full installation and not only patching.

    • #42632 Reply

      doktornotor

      It’s exactly as “safe” as the others. It’s nothing more than Adobe’s PPAPI Flash plugin. Same POS. Google did not reimplement Flash. They’ve just licensed it for bundling.

    • #42633 Reply

      Simpson

      The more users there are who keep Flash alive, the longer Flash will continue to be used by sites.
      It’s as simple as that.

      I have eradicated Flash from my Windows 7, that means no Flash ActiveX and no Flash plug-in, cleaned all traces of Flash be it as files or within the Registry. Done for some time now.

      Of course I meet sites, even important ones like BBC, France Television to name just two, which stick to Flash in what seems to be a stubborn position. Are they lazy, do they fear to lose the precious user information provided by Flash (unless its mms.cfg is properly configured, and still…) when HTML5 is already adopted by many video places?

      Here, sites that refuse to offer HTML5 rendering are simply boycotted: I will not participate in the survival of an everlasting highly problematic piece of junk named Adobe Flash for the sole purpose of satisfying my eyes/ears. No way. And I invite you all to do the same: boycott sites which refuse progress.

    • #42634 Reply

      woody
      Da Boss

      Silverlight is dead, although some Microsoft sites still require it. MS hasn’t done anything with it for years. Like ActiveX, it’s a Microsoft-proprietary technology that should’ve been euthanized years ago. With Edge, Microsoft is finally making a clean break.

    • #42635 Reply

      ch100
      AskWoody MVP

      Edge supports Flash but not Silverlight?! What is going on behind the scenes, is Microsoft offering to buy Adobe?

    • #42636 Reply

      Noel Carboni

      You’re welcome.

      There is nothing evil about wanting to control how the technology we rely upon is managed.

      -Noel

    • #42637 Reply

      NotReallyBob(fromanothercomputer)

      Hmm.. IE11 on 7 and 8.1 don’t seem to have that problem, still the interface is far from ideal.

    • #42638 Reply

      NotReallyBob(fromanothercomputer)

      Yea, edge is IE with all the features removed. It is almost identical to IE11 in 8.1 running in tile mode (appcontainer), only now with windows 10 the tiles invade the desktop.

      appcontainer integrity level, good.
      tiles, bad.
      removed function, bad.
      unique tracking ID embedded in the browser, really bad
      ad blocking functions crippled, really bad.
      Some limited ad blocking “returning soon!” (maybe), hardly matters.

    • #42639 Reply

      NotReallyBob(fromanothercomputer)

      Clean break, removing all plugins including ad blocking. (removing zones didn’t help either)

    • #42640 Reply

      NotReallyBob(fromanothercomputer)

      Java sidesteps the browser sandbox. It runs in medium integrity mode. All successful java exploits fully compromise the account running the browser and can set to run on boot (doesn’t give them admin unless UAC is off).

      Java has needed to be “heavily modified” for about a decade. Ever since Vista came out java’s security model has been obsolete.

    • #42641 Reply

      Tom in Az
      AskWoody Lounger

      Woody:

      I’m repeating myself, but there are still sites that require Silverlight to be usable. Here in Phoenix, AZ the Maricopa County government websites still require Silverlight for such things as GIS mapping services.

    • #42642 Reply

      John W

      There is probably not one method that makes everybody happy, but this layered approach works well for me.

      1. Set Firefox and Chrome to “Ask to activate” plugins. Don’t need script blockers anymore to perform basic allow/deny for Flash. It’s built in. See #2 below for more info on how to take further control of Flash and other plugins.

      2. For Firefox and Chrome, use uMatrix to limit the scripts that can run to 1st party only. I used Noscript in the past, but it breaks a lot of websites without really showing you what you need to allow visually. Plus there isn’t a Noscript for Chrome. You can then selectively allow any 3rd party partner’s video plugins or scripts as needed. uMatrix automatically allows all domain’s CSS and still images, so the page renders much better by default than with Noscript. It also includes some filter lists for advertising and malware domains. This stops a lot of those annoying auto-play video ads right off the bat!

      3. Check out Malwarebytes Anti-Exploit Free. It can protect most browsers and their plugins from Exploit Kits. Say for example that you surf to an infected site or load an infected ad, and some malware probes your browser to find that you have an out-of-date Flash plugin or other vulnerability. MBAE can stop it based purely on behavior, before it executes on your system. No signatures, no training, set and forget!

    • #42643 Reply

      woody
      Da Boss

      Understood. I’m still flummoxed when a Microsoft site requires Silverlight.

      Livin’ in the past….

    • #42644 Reply

      woody
      Da Boss

      Silverlight programmers – there are thousands of them – would like to know, too.

    • #42645 Reply

      ch100
      AskWoody MVP

      It is the same with other potentially insecure technologies. I know of at least one public Australian Government web site which still needs Java.

    • #42646 Reply

      JC Denton

      Woody, I am deeply disappointed in how you have fumbled and dropped the ball on this Flash issue.

      1 – People who need to use Flash should only ever use PPAPI flash (aka the Pepper Flash included with Chrome/Chromium).

      2 – Some people are still using the unsandboxed NPAPI version and that is dangerous. No mention of this in your posts even though you have a responsibility to inform your audience.

      3 – The best possible way to handle mandatory-flash websites is to download and use a PORTABLE browser such as Portable Firefox or Portable Chrome. Run the website in that browser and when you are done, just delete that entire browser folder and extract yourself a new/virgin copy of it whenever you need to access it. This method minimizes your attack surface and is a good computing practice. Once again ZERO mention of portable browsers being a thing or where to download them on your end.

      http://portableapps.com/apps/internet/firefox_portable
      http://portableapps.com/apps/internet/google_chrome_portable
      http://crportable.sourceforge.net/

      What a shame. I asked for orange security and got nothing but lemon-lime fumbles.

      You can do better than this. So do it!

    • #42647 Reply

      rc primak

      But a well-behaved program or plugin uninstaller should remove everything. At least in my opinion.

    • #42648 Reply

      woody
      Da Boss

      Looks like you just did it for me. Thanks!

    • #42649 Reply

      rc primak

      While sandboxing of Flash in Google Chrome’s Pepper plugin is a bit better than the isolation in Firefox’s NPAPI version, both are vulnerable. Even under Linux.

      It would be best to get rid of the whole mess. Short of that, Chrome or Chromium under Linux seems the safest choice I’ve seen. Even then, click to play for every instance is desirable.

    • #42650 Reply

      Joan Scott

      I have a support company, I have an acer aspire, visitor, this adobe flash player I am sick of running, they said I need it, every time I use laptop it pops up show what my acer laptop can do, well I am sick of it
