Here's the very best advice on what you should do with Adobe Flash

On Tuesday, Adobe released a critical update patching over 50 security holes in its Flash Player plugin.

Security blogger Brian Krebs says it better than me:

It’s bad enough that hackers are constantly finding and exploiting zero-day flaws in Flash Player before Adobe even knows about the bugs.

The bigger issue is that Flash is an extremely powerful program that runs inside the browser, which means users can compromise their computer just by browsing to a hacked or malicious site that targets unpatched Flash flaws.

The smartest option is probably to ditch this insecure program once and for all and significantly increase the security of your system in the process.

That seems pretty reasonable to me.

Here is our guide on how you can update Adobe Flash on your computer or (even better) uninstall it entirely.

If that seems too drastic a step for you to take right now, at the very least consider enabling "click to play" to reduce the chances of attackers exploiting Flash as you browse the web.

The full advisory on the Flash security vulnerabilities can be read on Adobe's website, as can details of the security update they have released for another of their beleaguered products - Adobe Reader.


16 Responses

  1. Joe 'flash' user

    July 13, 2016 at 11:05 pm #

    Perhaps you and Brian can get together this weekend and rewrite all of the commercial software that uses Flash in HTML5. I'm sure that the two of you will be able to do this without difficulty.

  2. PeterfromMesa

    July 14, 2016 at 12:00 am #

    Suppose we delete Flash; then what? What do we use to view the content on most of the Web pages we visit?

    • Graham Cluley in reply to PeterfromMesa.

      July 14, 2016 at 12:03 am #

      iOS users seem to manage just fine.

      Seriously, a half-way house is to enable Click-to-Play. I've described how to do that, and its benefits, here: https://www.grahamcluley.com/enable-click-play-adobe-flash/

    • Bob in reply to PeterfromMesa.

      July 14, 2016 at 10:23 am #

      Most websites, YouTube does this, fall back to HTML5 or some other media provision when they detect Flash is unavailable.

      Or carry on using Adobe Flash at your risk. I've given some additional suggestions in another comment.

  3. paul

    July 14, 2016 at 1:20 am #

    ok I will remove, but many apps say they cannot run and need flash, as a computer infant, how do I get around this?

    • Bob in reply to paul.

      July 14, 2016 at 10:21 am #

      Remove Adobe Flash and then install Google Chrome. That still uses Flash BUT NOT Adobe Flash. The version of Flash that Chrome uses is kept more up-to-date. And then enable click-to-play as Graham suggests for extra security.

      In terms of mitigating the risk caused by such exploits consider installing something like Malwarebytes Anti-Exploit. The free version protects your browser – you probably won't need the paid version. You should use this IN ADDITION to your normal anti-virus software and firewall.

      https://www.malwarebytes.com/antiexploit/

      • Steve Moreau in reply to Bob.

        July 14, 2016 at 2:47 pm #

        Malwarebytes Anti-Exploit is an excellent way to mitigate the risk of malware triggering on your PC, but it's not free (there is a free trial) and it's not an option for OS X.

        • Bob in reply to Steve Moreau.

          July 14, 2016 at 9:37 pm #

          Steve, it IS free. Take a look at their website again ;-)

          They give you a 14-day free trial of the Premium Features and after the 14-days it downgrades to the Free version.

          The free version only provides you with:

          "Shields browsers and add-ons"
          "Shields Java"

          All the other premium features get deactivated after 14-days unless you pay £20 per year.

          The free protection is sufficient for those not willing to fork out for it.

          https://www.malwarebytes.com/antiexploit/

  4. proud bay man

    July 14, 2016 at 1:58 am #

    Trashed it several months ago. Don't miss much.

  5. rick

    July 14, 2016 at 2:24 am #

    So will Adobe start shelling out money for malicious damage done to users' computers as a result of their crap? No they won't .. it's your problem.

    As long as adobe flash exists we will never be free!

    • Mike in reply to rick.

      July 14, 2016 at 6:06 am #

      Didn't you mean "As long as applications using Flash exist" ???

  6. Dav_Daddy

    July 14, 2016 at 11:17 am #

    I don't see why Adobe doesn't release flash open source?

    It's not like they have made money from flash in ages if ever. The cost of paying the team responsible for writing this constant flow of patches has to be costing more than they make from selling the tools to author flash content. That's assuming they even sell them any longer? Didn't they announce they were retiring flash back in 2012?

    Open that sucker up and let the community maintain it.

    • Bob in reply to Dav_Daddy.

      July 14, 2016 at 12:54 pm #

      Because it's commercial software.

      Remember that Open Source doesn't equal security. Look at OpenSSL (Heartbleed et al.), Bash and all of the other vulnerabilities that have lurked in open source software for YEARS simply because the programmers/people reviewing the code:

      were not skilled enough
      didn't have enough time on their hands
      not motivated to look for vulnerabilities
      overlooked something which appeared 'okay'
      were too busy developing their own forks

      Open Source is good but the waterfall of vulnerabilities in Open Source doesn't make it any more secure from common vulnerabilities.

      Open Source IS good for allowing people to check if there are any backdoors but then again all the best backdoors are designed to look like simple programming errors and we all know that the unpaid community have left these vulnerabilities un-repaired and open to hackers for years.

  7. Joe

    July 14, 2016 at 1:05 pm #

    Unfortunately, even though Flash is evil and has always been evil, MOST webpages and a very large number of businesses —INCLUDING __YOUR__ BANK — use Flash.
    Why?
    Because it is so easy to program Flash and the product is so, well, Flashy and comic-book like that it appeals to and can be programmed by children.

  8. Snowhawke

    July 14, 2016 at 10:17 pm #

    I have had nothing but problems with adobe flash on firefox recently. It crashes and then freezes on certain sites.
    I have been using the avast safe zone browser instead of firefox. It will not even open some sites, but no crashes yet.

  9. Burt

    September 10, 2016 at 2:19 am #

    This is complete nonsense. I've been working in IT for over 20 years and I have never once encountered a situation where a computer was compromised due to Flash. This rampant Flash hysteria smacks of a concerted effort to defame Adobe. It probably started with Apple and now every Tom, Dick, and Harry is jumping on the bandwagon and parroting the incessant propaganda.
