UPDATE: Starting in October, Google Chrome will not show Flash objects unless you specifically click to show your acceptance. If a site offers both HT
[See the full post at: Is disabling Flash not enough?]
Is disabling Flash not enough?
- This topic has 43 replies, 8 voices, and was last updated 8 years, 9 months ago by
Joan Scott.
Tags: Adobe Flash Player
misuser8
Guest
May 14, 2016 at 7:24 am #42608
On my Windows 8.1 PC I’ve uninstalled Adobe Flash Player NPAPI Plugin for Firefox from Control Panel > Programs And Features, but Adobe’s uninstaller does not delete FlashPlayerCPLApp.cpl and FlashPlayerApp.exe, and even after Flash Player is uninstalled and not listed among installed programs, Flash Player Settings Manager is still accessible from Control Panel.
Downloading and running Flash Player Uninstaller (uninstall_flash_player.exe) ends with the same results – FlashPlayerCPLApp.cpl and FlashPlayerApp.exe still remain intact.
If I just delete those files manually, are there any registry entries associated with them that should also be removed?
-
woody
Manager -
anonymous
Guest
May 14, 2016 at 8:20 am #42610
Erm… Flash is bundled with W8 and higher. So, the uninstaller will not remove the control panel item, of course. What we *really* need is a way to kick the flash out of Windows installs completely. Plus, Microsoft needs to stop bundling this insane superbuggy s*** with their OS. Who the heck came up with the retarded idea in the first place? :-X
-
rc primak
Guest
May 14, 2016 at 8:54 am #42611
This is a case for either Revo Uninstaller or Geek Uninstaller. These programs will deal with precisely this sort of failure of a program uninstaller to remove everything associated with that program. Geek Uninstaller also covers 64-bit areas of Windows, and can force-remove programs or modules which don’t have their own uninstallers.
There is no excuse for a vendor to provide a program where the uninstaller doesn’t completely remove the program and all its non-shared components. Yet one more reason to distrust Adobe.
-
rc primak
Guest
May 14, 2016 at 8:57 am #42612
Woody,
I can now confirm that the Noel Carboni Method does work for selectively patching Windows 10 Pro.
The latest MS Update for Flash Player for Windows 10 version 1511 was not available from the MS Update Catalog for 32-bit systems. Weird, as the same patch for 64-bit systems is available at the Update Catalog.
Anyway, the only way to get the patch was to use the full-on MS Updates mechanism on my Win 10 Pro 32-bit tablet, and we are not installing the May Win 10 CU just yet. So the only way to selectively get just the May 13th Flash Player Update was to go ahead and use the Carboni Method.
I downloaded and ran the Registry mods from the Infoworld article link. So now I’m no longer on Automatic Updates for the tablet.
Then I downloaded WuShowHide, and hid for now both of the other updates (the CU and MSRT, even though there’s no harm in running MSRT any time). Then restarted the tablet and ran the updates checker with Metered Connection still on for safety.
Turns out, even with the Metered Connection trick, the Download button for non-hidden MS Updates is still available, so running the Flash Player update selectively went off smoothly without unmetering the connection. Rechecking for MS Updates showed no further updates available.
Then I ran WuShowHide to unhide the hidden updates, and rechecked for MS Updates. Everything was back, but due to the Metered Connection, nothing downloaded. And due to no longer having Automatic Updates enabled, nothing new should download anyway.
So the Carboni Method worked. Thanks Woody and Noel!
-
Steve
Guest -
lizzytish
AskWoody Lounger -
Aaron
Guest -
tonydi
AskWoody Lounger -
Noel Carboni
Guest
May 14, 2016 at 11:54 am #42617
IE got (gets) a bad rap but it does have one of the most controllable security models. It just isn’t shipped with out-of-the-box default settings in secure positions.
It is, for example, quite doable to change IE to just not run ActiveX (or the fancier scripting features) from sites on the wild internet. Boom, Flash problem solved.
And of course you can disable Add-ons, of which “Shockwave Flash Object” is one. Like I said, IE is ultimately configurable.
Couple the above reconfiguration with a strategy of maintaining a good blacklist of malware-delivering web sites and IE becomes one of the fastest performing browsers and, I assure you, quite secure.
As far as I know (though to be fair I haven’t looked at ANY Apps lately) Edge doesn’t offer that configurability. And so it is growing up to be clearly and measurably worse than IE.
-Noel
-
name
Guest
May 14, 2016 at 12:33 pm #42618
Dear WH, many websites provide a html5 version for mobile users. Most of the time you can trick the site to show the mobile version to you by changing your user-agent. The Chrome documentation (https://developer.chrome.com/multidevice/user-agent) can help you make up one. How-To Geek has an awesome guide on how to change user-agents in different browsers: http://www.howtogeek.com/113439/how-to-change-your-browsers-user-agent-without-installing-any-extensions/?PageSpeed=noscript
If the above trick doesn’t work, I recommend you to use a virtual machine and install Flash Player inside that.
And of course the best option is to contact the website owner and express your feelings.
-
Charlie
AskWoody Plus
May 14, 2016 at 12:52 pm #42619
In Firefox browser’s Add-ons, Flashplayer now has a box that’s checked by default to “Enable Flash Protected Mode”. It’s been there for some time I think.
Also, in Firefox Add-ons, you can choose to have Flashplayer Activated, Ask To Activate, or Never Activate with a little drop down choice box. I chose Ask To Activate, and nothing plays unless I allow it. It works like a charm. All areas where videos would run are greyed out and you have a standard notice to choose if you want to allow that site to play videos AND it even gives you the choice to just make it a temporary allowing. Is this not good enough?
Sorry Woody, I had to ask.
Being 20 something in the 70's was so much better than being 70 something in the insane 20's -
poohsticks
Guest
May 14, 2016 at 1:19 pm #42620
Like W.H., sometimes I have to use a website that requires Flash.
I have a Windows 7 machine and I.E. 11.
I think that the programs that people often recommend to hobble Flash, like “NoScript”, do not work with I.E. 11 on Windows 7. Maybe I am wrong about that, though. (Yes, I know that other browsers allow for those programs, but none of them are perfect solutions.)
It’s somewhat different in scope, but I do heavily use the old, free program PeerBlock and it’s been totally fantastic for me and has blocked a lot of stuff online that I don’t want to see — ads and moving videos and so forth, whether they are powered by Flash or not.
Some other things I do to stay safe with Flash:
-I go to the Flash settings area and lock down all the options for safety as much as I can
-I have Flash constantly disabled in I.E. Tools/Manage Add-Ons and only enable Flash once I’m at the website which requires it to be on
-I don’t surf off of that site to other locations on the internet until I’m ready to disable Flash again
-I always have ActiveX filtering turned on
-I check for updates at the Adobe site once a month: https://get.adobe.com/flashplayer/?promoid=KLXMF -
poohsticks
Guest -
a
Guest -
ch100
AskWoody_MVP
May 14, 2016 at 5:02 pm #42623
Sometimes it is useful to reinstall and then uninstall following safe steps, i.e. restarting between procedures, even if not requested by the installer. This would clean up in most situations.
While being at Flash, I am wondering how “dangerous” using Flash is, beyond the general recommendations provided by different trusted security authorities. I would be interested in reading authoritative references beyond what is generally thought about Flash as being insecure.
I know about Java RE that the US Government recommended many months ago not to use it on the Internet, while it is acceptable to run Java RE locally or on trusted networks. This can be configured in the plugin Control Panel. Also Oracle, the current owner, seems to have plans, although not formally announced, to discontinue or heavily modify the product.
I know about Flash Player that Adobe announced that eventually the product should be replaced and that they support alternative technologies now.
Internet Explorer is to some extent seen in a similar fashion like Flash, Java RE and more recently QuickTime.
This is not enough to convince me that I should limit my experience when browsing to well-known sites or what I perceive as safe enough, while keeping the systems up to date with the released updates. Browsing to dubious sites would make the experience relatively insecure even for the most secure technologies, except for special configurations like those provided by sandboxes, virtual machines etc.
I would like to know what are the thoughts of those who read this site and their personal experience with the technologies mentioned above and which are generally considered less secure.
-
woody
Manager -
woody
Manager -
Richard Allen
Guest
May 14, 2016 at 9:50 pm #42626
If you do not use an ad blocker when you click on ‘Allow Now’ on the left side of the address bar you are then enabling EVERY flash element visible on the webpage and actually some of the elements below the visible webpage. And the further down you scroll more flash content is then enabled. And… by default once you click on ‘Allow Now’ that website will allow flash content for 60 minutes, for that browser session. Not Good! You can change the about:config entry ‘plugin.sessionPermissionNow.intervalInMinutes’ to 1 minute or whatever but you are still enabling a lot of questionable content (my opinion) if ads are not being blocked. If ads are not being blocked the best solution would be to use the add-on ‘Click to Play per-element.’
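A way to check a Firefox profile for the settings Charlie and Richard Allen describe, added here as an example and not part of any post in the thread: it reads prefs.js-style text and flags Flash set to Always Activate, or Ask To Activate with an 'Allow Now' window longer than one minute. The sample profiles are constructed, and the 0/1/2 meaning of `plugin.state.flash` comes from Firefox's plugin preferences, not from the thread.

```python
import json
import re

# One preference line as Firefox writes it to prefs.js / user.js.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

STATE_PREF = "plugin.state.flash"   # 0 = Never, 1 = Ask To Activate, 2 = Always
WINDOW_PREF = "plugin.sessionPermissionNow.intervalInMinutes"
DEFAULT_WINDOW = 60                 # minutes; the default quoted in the post above


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in the file text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue                       # comments and blank lines
        name, raw = match.groups()
        try:
            prefs[name] = json.loads(raw)  # ints, booleans, quoted strings
        except ValueError:
            prefs[name] = raw              # keep anything unusual as text
    return prefs


def audit_flash(prefs):
    """List the click-to-play weaknesses discussed in the thread."""
    findings = []
    state = prefs.get(STATE_PREF)
    if state is None:
        findings.append(f"{STATE_PREF} is not set: the browser default applies")
    elif state == 2:
        findings.append("Flash is Always Activate: content runs without a prompt")
    elif state == 1:
        window = prefs.get(WINDOW_PREF, DEFAULT_WINDOW)
        if not isinstance(window, int) or window > 1:
            findings.append(
                f"'Allow Now' keeps Flash enabled on a site for {window} minutes"
            )
    elif state != 0:
        findings.append(f"{STATE_PREF} has unexpected value {state!r}")
    return findings


# Constructed sample profiles, not taken from a real machine.
ASK_DEFAULT_WINDOW = '''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugin.state.flash", 1);
'''
ASK_SHORT_WINDOW = ASK_DEFAULT_WINDOW + (
    'user_pref("plugin.sessionPermissionNow.intervalInMinutes", 1);\n'
)
ALWAYS_ON = 'user_pref("plugin.state.flash", 2);\n'

if __name__ == "__main__":
    for label, text in [("ask, default window", ASK_DEFAULT_WINDOW),
                        ("ask, 1-minute window", ASK_SHORT_WINDOW),
                        ("always activate", ALWAYS_ON)]:
        print(label, "->", audit_flash(parse_prefs(text)) or "no findings")
```

A clean result only covers the permission window; as the post says, each 'Allow Now' click still enables every Flash element on the page unless ads are blocked.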
-
poohsticks
Guest
May 14, 2016 at 10:21 pm #42627
@Noel Carboni,
I was glad to read your thoughts on Flash with I.E.
That is how I’ve been approaching it the last couple of years.
(Earlier today, in comment number 9 below, I described what I do when using Flash with my I.E. 11. I make it as safe as can be.)
It’s heartening to this non-techie to learn that at least a few folks who are “in the know” don’t think it’s necessarily akin to playing with fire. -
EP
AskWoody_MVP -
EP
AskWoody_MVP
May 14, 2016 at 11:14 pm #42629
I now use IE w/ an AD Blocker like Adblock Plus for IE, which blocks some flash ads.
-
Picky
Guest -
ch100
AskWoody_MVP
May 15, 2016 at 2:48 am #42631
Please add Silverlight to the list of less secure software for which I am asking for your experience. I was inspired to add Silverlight by one of Woody’s posts in reply to someone asking for advice in regards to the current updates.
What I know is that initially Silverlight was Microsoft’s response to Flash (then owned by the original developer Macromedia). After few years, voices within Microsoft claimed that Silverlight will be discontinued while other voices from Microsoft claimed quite the opposite. Fact is that we still get updates and occasionally an update important enough that it requires full installation and not only patching. -
doktornotor
Guest -
Simpson
Guest
May 15, 2016 at 4:03 am #42633
The more users keep Flash alive, the longer Flash will continue to be used by sites.
It’s as simple as that.
I have eradicated Flash from my Windows 7, that means no Flash ActiveX and no Flash plug-in, cleaned all traces of Flash be it as files or within the Registry. Done for some time now.
Of course I meet sites, even important ones like BBC, France Television to name just two, which stick to Flash in what seems to be a stubborn position. Are they lazy, do they fear to lose the precious user information provided by Flash (unless its mms.cfg is properly configured, and still…) when HTML5 is already adopted by many video places?
Here, sites that refuse to offer HTML5 rendering are simply boycotted: I will not participate in the survival of an everlasting highly problematic piece of junk named Adobe Flash for the sole purpose of satisfying my eyes/ears. No way. And I invite you all to do the same: boycott sites which refuse progress.
-
woody
Manager
May 15, 2016 at 5:30 am #42634
-
ch100
AskWoody_MVP -
Noel Carboni
Guest -
NotReallyBob(fromanothercomputer)
Guest -
NotReallyBob(fromanothercomputer)
Guest
May 15, 2016 at 1:17 pm #42638
Yea, edge is IE with all the features removed. It is almost identical to IE11 in 8.1 running in tile mode (appcontainer), only now with windows 10 the tiles invade the desktop.
appcontainer integrity level, good.
tiles, bad.
removed function, bad.
unique tracking ID embedded in the browser, really bad
ad blocking functions crippled, really bad.
Some limited ad blocking “returning soon!” (maybe), hardly matters. -
NotReallyBob(fromanothercomputer)
Guest -
NotReallyBob(fromanothercomputer)
Guest
May 15, 2016 at 1:25 pm #42640
Java sidesteps the browser sandbox. It runs in medium integrity mode. All successful java exploits fully compromise the account running the browser and can set to run on boot (doesn’t give them admin unless UAC is off).
Java has needed to be “heavily modified” for about a decade. Ever since Vista came out java’s security model has been obsolete.
-
Tom in Az
AskWoody Plus -
John W
Guest
May 15, 2016 at 1:45 pm #42642
There is probably not one method that makes everybody happy, but this layered approach works well for me.
1. Set Firefox and Chrome to “Ask to activate” plugins. Don’t need script blockers anymore to perform basic allow/deny for Flash. It’s built in. See #2 below for more info on how to take further control of Flash and other plugins.
2. For Firefox and Chrome, use uMatrix to limit the scripts that can run, to 1st party only. I used Noscript in the past, but it breaks a lot of websites without really showing you what you need to allow visually. Plus there isn’t a Noscript for Chrome. You can then selectively allow any 3rd party partner’s video plugins or scripts as needed. uMatrix automatically allows all domain’s CSS and still images, so the page renders much better by default than with Noscript. It also includes some filter lists for advertising and malware domains. This stops a lot of those annoying auto-play video ads right off the bat!
3. Check out Malwarebytes Anti-Exploit Free. It can protect most browsers and their plugins from Exploit Kits. Say for example that you surf to an infected site or load an infected ad, and some malware probes your browser to find that you have an out-of-date Flash plugin or other vulnerability. MBAE can stop it based purely on behavior, before it executes on your system. No signatures, no training, set and forget!
-
woody
Manager -
woody
Manager -
ch100
AskWoody_MVP -
JC Denton
Guest
May 17, 2016 at 5:36 pm #42646
Woody, I am deeply disappointed in how you have fumbled and dropped the ball on this Flash issue.
1 – People who need to use Flash should only ever use PPAPI flash (aka the Pepper Flash included with Chrome/Chromium).
2 – Some people are still using the unsandboxed NPAPI version and that is dangerous. No mention of this in your posts even though you have a responsibility to inform your audience.
3 – The best possible way to handle mandatory-flash websites is to download and use a PORTABLE browser such as Portable Firefox or Portable Chrome. Run the website in that browser and when you are done, just delete that entire browser folder and extract yourself a new/virgin copy of it whenever you need to access it. This method minimizes your attack surface and is a good computing practice. Once again ZERO mention of portable browsers being a thing or where to download them on your end.
http://portableapps.com/apps/internet/firefox_portable
http://portableapps.com/apps/internet/google_chrome_portable
http://crportable.sourceforge.net/
What a shame. I asked for orange security and got nothing but lemon-lime fumbles.
You can do better than this. So do it!
-
rc primak
Guest -
woody
Manager -
rc primak
Guest
May 18, 2016 at 2:38 pm #42649
While sandboxing of Flash in Google Chrome’s Pepper plugin is a bit better than the isolation in Firefox’s NPAPI version, both are vulnerable. Even under Linux.
It would be best to get rid of the whole mess. Short of that, Chrome or Chromium under Linux seems the safest choice I’ve seen. Even then, click to play for every instance is desirable.
-
Joan Scott
Guest