Here's why disabling Flash in your browsers may not be enough...

Poor old Adobe Flash. The seemingly endless cycle of zero-day vulnerabilities, in-the-wild exploits, and rushed-out patches has given the software something of a bad name.

It's no wonder that people are calling for it to be killed off.

Flash's funeral might still be some way off, but there are plenty of computer users who are choosing to control its functionality through Click-to-Play or removing it from their browser entirely.

But, as security firm Fortinet explains, even if you turn off Flash support in your browser, that doesn't mean your computer can't be hit by a Flash attack:

"Flash files can not only be embedded in a web page but also in various document formats such as Microsoft Office documents and PDF files. Even if you have disabled Flash in your browsers, Flash exploits can still leverage Flash player vulnerabilities through software like Microsoft Office and Adobe Reader."

They're quite correct.

A Flash vulnerability doesn't have to be exploited through poisoned webpages (although this is a common vector for infection). Attacks can also be launched against targeted computers by tricking users into opening a file which has Flash content embedded inside it - such as a Word document, a PowerPoint presentation or an Adobe PDF file. No link needs to be clicked: the embedded Flash object is handed to Flash Player when the document is rendered.

Embedded object
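The indicators described above can be checked for mechanically before a document is opened. The following Python script is an added example, not code from the original post or from Adobe, Fortinet or Microsoft. It unpacks an OOXML document (docx/pptx/xlsx) looking for the Shockwave Flash ActiveX control (the CLSID and ProgID that Office records in the package) or an SWF payload inside an OLE embedding, and scans a PDF for RichMedia/Flash annotation keys and SWF headers, inflating Flate-compressed streams so a compressed payload is not missed. It also runs a rougher heuristic over legacy OLE2 (.doc/.ppt) files. The two sample files are constructed inline for the demonstration; the SWF-header search is a heuristic and can false-positive on arbitrary binary data.

```python
"""Added example: flag Flash (SWF) content embedded in Office and PDF files.

Heuristic scanner, not Adobe's, Fortinet's or Microsoft's code. It looks in
the places Flash usually lands: a Shockwave Flash ActiveX part in OOXML, an SWF
payload inside an OLE-wrapped embedding, and RichMedia/Flash annotations or SWF
streams in PDFs. The sample documents below are constructed for the demo.
"""
import io
import re
import zipfile
import zlib
from typing import List

# SWF files start with FWS (uncompressed), CWS (zlib) or ZWS (LZMA); byte 3 is the SWF version.
SWF_HEADER_RE = re.compile(rb"[FCZ]WS[\x01-\x30]")
# CLSID of the Shockwave Flash ActiveX control; OOXML writes it in word/activeX/activeX*.xml.
FLASH_CLSID = b"D27CDB6E-AE6D-11CF-96B8-444553540000"
OOXML_TEXT_MARKERS = (FLASH_CLSID, b"SHOCKWAVEFLASH", b"APPLICATION/X-SHOCKWAVE-FLASH")
PDF_MARKERS = (b"/RichMedia", b"/Subtype /Flash", b"/Subtype/Flash",
               b"application/x-shockwave-flash")
# (?<!end) keeps the keyword inside "endstream" from starting a bogus match.
PDF_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def scan_ooxml(data: bytes) -> List[str]:
    """Walk every part of a docx/pptx/xlsx zip and report Flash indicators."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            lname = name.lower()
            if lname.endswith(".swf") or SWF_HEADER_RE.match(blob):
                findings.append(f"{name}: SWF stored directly as a package part")
            elif lname.endswith(".bin") and SWF_HEADER_RE.search(blob):
                # OLE-wrapped embedding (e.g. word/embeddings/oleObject1.bin): the SWF
                # sits after the compound-file headers, so search the whole blob.
                findings.append(f"{name}: SWF payload inside OLE object")
            if lname.endswith((".xml", ".rels")):
                upper = blob.upper()
                for marker in OOXML_TEXT_MARKERS:
                    if marker in upper:
                        findings.append(f"{name}: references {marker.decode()}")
                        break
    return findings


def scan_pdf(data: bytes) -> List[str]:
    """Report RichMedia/Flash dictionary keys and SWF payloads in raw or Flate-compressed streams."""
    findings = [f"dictionary key {m.decode()}" for m in PDF_MARKERS if m in data]
    for idx, match in enumerate(PDF_STREAM_RE.finditer(data)):
        raw = match.group(1)
        candidates = [raw]
        try:
            candidates.append(zlib.decompress(raw))  # /FlateDecode streams
        except zlib.error:
            pass  # not zlib data (other filter, or uncompressed)
        if any(SWF_HEADER_RE.match(c) for c in candidates):
            findings.append(f"stream #{idx}: SWF payload")
    return findings


def scan_ole2(data: bytes) -> List[str]:
    """Legacy .doc/.ppt heuristic: SWF header or the Flash ProgID anywhere in the compound file."""
    findings = []
    if SWF_HEADER_RE.search(data):
        findings.append("SWF header inside OLE2 compound file")
    progid = b"ShockwaveFlash"
    if progid in data or progid.decode().encode("utf-16-le") in data:
        findings.append("ShockwaveFlash ProgID inside OLE2 compound file")
    return findings


def scan_document(data: bytes) -> List[str]:
    """Dispatch on the file's magic bytes; unknown formats yield no findings."""
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    if data.startswith(b"%PDF"):
        return scan_pdf(data)
    if data.startswith(OLE2_MAGIC):
        return scan_ole2(data)
    return []


def _fake_swf(magic: bytes) -> bytes:
    # Constructed SWF header: magic, version 10, little-endian length, zero-filled body.
    return magic + b"\x0a" + (100).to_bytes(4, "little") + b"\x00" * 92


def build_sample_docx() -> bytes:
    """Constructed sample: docx-like zip with a Flash ActiveX part and an OLE-wrapped SWF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    '<w:document><o:OLEObject ProgID="ShockwaveFlash.ShockwaveFlash"/></w:document>')
        zf.writestr("word/activeX/activeX1.xml",
                    '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
        zf.writestr("word/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 56 + _fake_swf(b"FWS"))
    return buf.getvalue()


def build_sample_pdf() -> bytes:
    """Constructed sample: PDF fragment with a RichMedia annotation and a Flate-compressed SWF stream."""
    compressed = zlib.compress(_fake_swf(b"CWS"))
    return (b"%PDF-1.7\n1 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n"
            b"2 0 obj << /Subtype /Flash /Filter /FlateDecode /Length "
            + str(len(compressed)).encode() + b" >>\nstream\n" + compressed
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for label, sample in (("docx", build_sample_docx()), ("pdf", build_sample_pdf())):
        for finding in scan_document(sample):
            print(f"{label}: {finding}")
```

Run it against a quarantine folder by reading each file as bytes and passing it to `scan_document`; a hit means the document will hand content to Flash Player when opened, so it deserves sandboxed inspection rather than a double-click. Keys and headers only prove Flash is present, not that it is malicious, and streams using filters other than Flate (or encrypted PDFs) are not inflated by this script.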

System administrators responsible for securing their company's computers would do well to remember this. To best secure your systems, adopt an approach of layered protection, reducing the chances of successful exploitation and ensuring that Adobe Flash is always running the latest security updates. Bear in mind that Office loads the ActiveX build of Flash Player (the one Internet Explorer uses), which is installed and patched separately from the plugin used by other browsers, so disabling or updating one copy does not cover the other.

Alternatively, if you don't think you can manage that, consider banishing Flash entirely from ever getting anywhere near your computers.



7 Responses

  1. Gil Favor

    July 20, 2015 at 1:49 pm #

    Uh-oh…this is not good. Removing Flash altogether is not an option for me, because a proprietary application I occasionally need to run relies on Flash. The application itself is secure, and I'm using click-to-play for browsers, but if Flash's exposure hazard includes MS Word and PDF documents, we're talking major suckage here. I use MS Word and PDF files daily.

    I'm already very cautious about Word files, but PDFs are so ubiquitous…how can one be sure a PDF hasn't been loaded with a dog's egg into which one can unwarily step? Do Flash exploits require the user to click on a link, or can they run automatically, just by opening a containing document? I can inspect links before clicking, but if these nasty bits can execute upon merely opening a Word or PDF document…aaarrrggghhh!!!

    Damn and blast! I feel myself being drawn into the ranks of those who wonder why Adobe doesn't just put Flash out of its perpetual misery.

  2. Andy Lee Robinson

    July 21, 2015 at 1:03 am #

    WTF is Flash and objects doing inside a PDF?
    PDF is, or should be, a portable document format, ie static and dumb apart from the ability to annotate.

    • Graham Cluley in reply to Andy Lee Robinson.

      July 21, 2015 at 1:19 am #

      I remember thinking the same thing 20 years ago – although then it was WTF has Microsoft put an auto executing macro language into Word docs?

      • Coyote in reply to Graham Cluley.

        July 21, 2015 at 5:19 pm #

        Me too. And then (this is a rough guesstimate) about 10-12 years ago they decided it would be a good idea to have executable code in graphics (but maybe they figured this wasn't a good idea at some point down the road ?). I remember discussing this with some friends about how on Earth could an image have malware. I suggested to them the answer and of course it was exactly that: the fact the viewer would execute code from the image itself is hard to fathom (but that is Microsoft for you, eh?); it is one thing for scripting language for filtering (image filters) and the like, but there is no need for an image to have executable code! POC (in this case it might be both POCs but I refer to proof of concept) or not is immaterial.

        And Andy (…) you have part of it right:
        "ie static and dumb"
        Indeed dumb. Statically dumb, even. The static part only refers to that dumb is part of it; these 'ingenious' ideas won't exactly improve; that is, they will continue and some of them will be worse (see part about images above).

  3. Frank Pod

    July 22, 2015 at 12:58 am #

    What do you propose to replace it with. Hulu needs it to show videos and many yahoo articles use it to display video. Just fix it and shut the hell up!

    • Coyote in reply to Frank Pod.

      July 23, 2015 at 12:49 am #

      Yes, that would be a good idea, wouldn't it, to fix it? Try telling that to Adobe though. I think we all wish you good luck; you'll need it. As for what to replace it with – HTML5 maybe ? It would depend on what is required (of the service). But it has a terrible record with security, and I don't see it improving.

  4. alan burnett-provan

    November 6, 2015 at 11:30 am #

    Could someone please tell me how to download click-to-play Adobe Flash, or is there a safe way to watch the video links my friends send me? Many thanks.
