The latest on disabling Flash

Topic

New Reply

I received an email from a reader who asked me about all the talk about Flash. He pointed out the fact that there are more than 400 mentions of Flash
[See the full post at: The latest on disabling Flash]

1 user thanked author for this post.

Pepsiboy

Reply | Quote

Replies

Why would anyone wait for Microsoft to update the latest bunch of Flash fixes since, as you say, Adobe posted fixes last Tuesday?
Get them directly.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

1 user thanked author for this post.

Pepsiboy

Reply | Quote

samak wrote:

Why would anyone wait for Microsoft to update the latest bunch of Flash fixes since, as you say, Adobe posted fixes last Tuesday?
Get them directly.

Sorry, I should’ve made this more clear.

IE11 and Edge in Windows 8.1 and later have Flash baked-in.

The only way to update IE 11 and Edge is by installing the Microsoft patch.

IE 11 in Win7 is different, as it still uses an add-on. You CAN update Flash in IE 11, but only on Windows 7, by applying the Adobe patch.

h/t to @b

Reply | Quote

Getting the updates directly has always been my method of updating. In Firefox, with Flash set to Ask to Activate (in Add-Ons), I can tell when it needs updating – those pages that need Flash to work give me a warning that it is insecure. At that point, I update.
I seldom need Flash, but it’s very handy to have it ready to go when it is needed.

With a lot of talk in recent times about the demise of Flash, due to its vast problems, it’s only a matter of time before it’s either withdrawn from use or banned by hosts. Or was that concept vastly overblown? 12 months ago, Google said it was banning Flash-based ads; Firefox blocked Flash for a couple of days in 2015; pcworld.com predicted its demise in 2011… surely it’s only a matter of time?

Reply | Quote

“Getting the updates directly has always been my method of updating. In Firefox, with Flash set to Ask to Activate (in Add-Ons)”
Me too. Never had a problem, but then I’m careful about the sites I visit as well.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

1 user thanked author for this post.

Pepsiboy

Reply | Quote

Getting the updates directly from Adobe is fine for windows 7, but windows 8.1 and 10 get their Flash updates for IE and Edge via Windows Update. And, as of today, no updates have been issued. If you are actually using Edge or IE, be sure to disable Flash.

Reply | Quote

This, and Woody’s post on “Another Windows 0day appears”, once again highlights the poor judgment of MS by going to the “one patch” program back in, what was it October. For those with Win 8.1 and Win 10, especially the most vulnerable home users who are unaware of the issues and potential problems with Flash, they now have absolutely no option but to continue to use a less secure version of Flash. Additionally, unless we assume there was only one security fix planned for February, across all Windows operating systems, we are all being denied security fixes because one, maybe two, maybe three, things didn’t pan-out in the bundled February update. MS can write all it wants about Win 10 being the most secure version of Windows yet and, even if I accept this, I don’t think a valid claim can be made that their “one patch” program properly supports that goal. There’s nothing wrong with going back to what worked better, remember “New Coke”. Perhaps MS will take a lesson away from what has transpired this month.

4 users thanked author for this post.

WildBill, Pepsiboy, Ascaris, Noel Carboni

Reply | Quote

JNP wrote:

Perhaps MS will take a lesson away from what has transpired this month.

I do love optimism.

That would have been a reasonable thought around the time of the Windows 8 previews. Now…

It’s pretty clear they’re marching to some kind of plan that can’t be altered for years no matter WHAT happens. I presume they believe without a doubt they know what the future needs to be, and continuing with the traditional business model that made them rich would have been just too hard or boring or something. I’m reminded of a ridiculous fad in the last millennium called “If it works, break it!”

Personally I think their level of success in the phone market says it all.

-Noel

1 user thanked author for this post.

Snowflake Theory

Reply | Quote

Noel, I am sure you are right, but if MS can re-re-re-re-release KB2952664, which was solely for the benefit MS late last month, it most certainly can issue a dedicate IE/Edge KB to secure Flash. It is simply a matter of caring about doing the right thing for your customers.

Reply | Quote

I use Chrome as my only Flash enabled browser. Chrome updates the PPAPI version of Flash automatically. My default browser is Firefox, and I do not have any media plugins enabled there. The Firefox plugin “Open in Chrome” lets me launch any page that requires Flash. But it is up to me to click to launch, not a decision for the web page I visit

Flash is slowly being replaced by HTML5 media. Apple has already dropped it from iOS devices. It is only a matter of time…

Windows 10 Pro 22H2

Reply | Quote

Chrome may not always automatically update Flash Player to the latest version all by itself. Sometimes I have had to go to the internal page chrome://components and manually run the Flash Player component updater. It’s just a one-button click, so that takes care of my needs. Also, I generally use Linux, so IE and Edge aren’t an issue for me. But in Windows 10, I can’t remember when the last time was that I allowed a Flash based player to run in either of MS’s own browsers. The experience of Flash playback in those browsers is not as good in my experience as with Chrome or Firefox.

-- rc primak

Reply | Quote

If we drop Adobe Flash Player just bc it is a popular target of malware, shouldn’t we also drop M$ Windows bc it is also a popular target of malware?

Reply | Quote

I disabled the flash add-on entirely a while back, and frankly I’m not feeling like I’m missing much from the web. But I’m more about business, less about pleasure online. Your mileage may vary.

If you DO want to disable it in Internet Explorer, here’s how

• Click the gear icon.
• Choose Manage add-ons from the menu that opens.
• Change the Show: box at the left to All add-ons.
• Locate the add-on named Shockwave Flash Object in the list.
• Right-click on Shockwave Flash Object and choose Disable from the menu.

This is what it will look like when done:

-Noel

4 users thanked author for this post.

Sailor, SueW, samak, Pepsiboy

Reply | Quote

Unless somebody else has already made this point very directly, I think we are missing the forest for the trees here. Flash is a third-party program/app, which MS has chosen, perhaps with Adobe’s permission, to bundle security updates to Flash, for Win 8.1 and Win 10, in the updates for IE and Edge. However, what this has done is it has made it completely impossible for the individual user to properly secure his or her own computer upon release by a third-party vendor of a security update. So, what we have is Adobe saying version 24.0.0.221 of Flash is ready to be, and should be, installed, http://www.adobe.com/software/flash/about/ , but MS is blocking this for Win 8.1 and Win 10 users. We shouldn’t be talking about how to disable Flash at all, but thanks, Noel, for telling us how. The good news is this: Send the bill to Redmond when you get infected with Flash malware ?.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Not sure “blocking this” is a fair characterization. They’re simply not facilitating the immediate update of a 3rd party add-on through Windows Update, but can’t the add-on be updated by any user who chooses to do so?

Or am I missing something?

EDIT: I apparently AM missing something. I tried to update it manually using the link on the flash player page and still have 24.0.0.194. I wasn’t aware of the true magnitude of this issue until just now. Thank you for opening my eyes.

Guess it’s a good thing I don’t use it anyway.

If you want to talk about weighing the risk of not updating it, perhaps we should consider what specific vulnerabilities version 24.0.0.221 patches…

I found that information here:

https://helpx.adobe.com/security/products/flash-player/apsb17-04.html

Vulnerability Details

• These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2017-2995).
• These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2017-2987).
• These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2017-2982, CVE-2017-2985, CVE-2017-2993, CVE-2017-2994).
• These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2017- 2984, CVE-2017-2986, CVE-2017-2992).
• These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-2988, CVE-2017-2990, CVE-2017-2991, CVE-2017-2996).

Seems like a pretty stout list, and code execution as a result of just displaying an ad or video in a web page might be a serious threat, but I didn’t actually delve into the individual vulnerabilities to try to get an idea of the chances of someone running across one of them in the wild.

-Noel

6 users thanked author for this post.

AlanH, walker, Elly, DeWayne12, Kirsty, Microfix

Reply | Quote

Noel, thanks for doing the digging, which is way beyond my skill level.

So, once again, we are back at the topic of Microsoft’s constant attempts to bundle things that are not strictly a part of the core OS. Bundle the patches so we really don’t know what’s going on and can’t choose which things to install, other than going Group A, Group B. Then, we have the Grand Theory Of Bundling, which we’ve covered before, and has been found, previously, to possess legal problems. The absences of the Flash patch is an example of this, as was MS attempt to bundle IE back in the 90’s. Yet, MS continues to go down this path and is now bundling more than ever before.

I understand why MS is doing this from a business model approach, although it is highly questionable whether it will succeed. The paradox is that if MS does succeed, arguably the consumer will be worse off and, if MS fails, the consumer will likely be better off, with more options and less expense to keep up with the constantly changing Win 10 model. Most of us initially migrated to the MS/Intel model, as opposed to the Apple model, to have greater flexibility, both hardware and software, and less cost, than with an Apple product. If Win 10 succeeds, it is likely the two basic reasons we purchased into the MS/Intel model in the first place will no longer be valid. Then it will become more of a direct shootout between MS Win 10 and a comparable Apple product. I don’t see this ending well for MS.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

It’s a little more complicated than that. The version of Flash Player included with IE 11 and Edge is not fully unrestricted. It uses a Whitelist which limits the sites at which these versions will play back Flash content.

Frankly, I have never run enough Flash dependent pages through IE or Edge to find any site which will not play in those browsers, but the Whitelist is there, and this is why the official Adobe Flash Player plugin for Active-X won’t install into Edge or IE 11.

This has little or nothing to do with Rollups or Cumulative Updating. Flash patches in Windows 10 and 8.1 are single patches, and download and install separately from IE or Edge Rollups or Win 10 CUs. I use wushowhide to isolate these and the MSRT patches so that I can apply these and only these patches as they come out. Flash patches usually appear mid-month, totally separate from Patch Tuesday or the end of the month updates.

-- rc primak

Reply | Quote

That’s the point. There is no flash patch available.

The current individual patch listed on this page leaves flash at 24.0.0.194, even though this page refers to it when describing how to get 24.0.0.221.

-Noel

Reply | Quote

Thank you!

Reply | Quote

We dropped Adobe Flash back in 2007 IIRC due to the constant patching of exploits and vulnerabilities. Those in the know, know!
Never missed. wanted or needed it, especially now that most websites are HTML5.

anonymous wrote:

If we drop Adobe Flash Player just bc it is a popular target of malware, shouldn’t we also drop M$ Windows bc it is also a popular target of malware?

Rephrased to: ‘If we drop Adobe Flash Player just bc it is a popular target of malware, shouldn’t we also drop M$ Windows 10 bc it is an unpopular malware?’
sounds more inviting for discussion, to which, my answer would be YES!

I could not for the life of me, understand WHY microsoft put it in windows 10, then it struck me, windows 10 IS a form of corporate malware, force fed to the masses on biblical proportions.
I am not a Microsoft hater, and never have been but, Windows 10, in it’s current state, is also being avoided, and not just by individuals.

Windows - commercial by definition and now function...

3 users thanked author for this post.

DeWayne12, Noel Carboni, Snowflake Theory

Reply | Quote

anonymous wrote:

If we drop Adobe Flash Player just bc it is a popular target of malware, shouldn’t we also drop M$ Windows bc it is also a popular target of malware?

If you can do so without giving up programs you need, it would not be a bad idea to give up Windows because almost all of the malware is written for it. As with Flash, it breaks down to a cost vs. benefit analysis. For years, we’ve understood that Flash was a security risk, but too many sites used it for most people to consider dumping it. Things have changed; most sites that would once have required Flash will happily serve a HTML5 version now, so while Flash’s cost in terms of the security risk has not changed, its benefit certainly has… so it’s much more viable to drop Flash now than it has been in the past. If some sites you are not willing or able to stop using require Flash, though, the benefit of Flash would then be worth the costs.

If you are able to give up Windows without losing access to programs you find important, you may also find that, as with Flash, the cost-benefit analysis favors dumping Windows. Again, though, if some programs you can’t or won’t live without will not run on anything but Windows, then the benefit of Windows likely exceeds the cost for you, and that would mean sticking with Windows.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

1 user thanked author for this post.

Reply | Quote

@ Ascaris

Bear in mind that website developers/admins do not hv to pay any fees to include HTML5 videos in their websites, whereas they hv to pay Adobe to use Adobe’s proprietary software to include Flash videos in their websites.
Hence, Adobe Flash Player has been losing considerable market share to free HTML5, which is a good thing, esp for website developers/admins.

Problem is, now malware will likely start targeting mostly HTML5 videos on websites, instead of Flash videos previously. IOW, the problem of Flash malware got “transmitted” to HTML5. Eg,

https://securityintelligence.com/news/research-proves-html5-could-be-used-to-hide-malware-for-drive-by-download-attacks/
http://searchsecurity.techtarget.com/answer/How-does-a-new-malware-obfuscation-technique-use-HTML5

https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2016/11/tech-support-scammers-abuse-bug-in-html5-feature-to-freeze-computers/

http://www.securityweek.com/html5-wont-stop-malvertising-brings-new-threats

3 users thanked author for this post.

Elly, DeWayne12, b

Reply | Quote

First of all, Let me make the big confessional. I have been an Insider since the beginning and I have never willingly opened Edge. When some farcical arrangement opened it, it was immediately closed, so I can’t speak at all to that.

As far as IE is concerned and the Browsers that I do use, mostly Vivaldi, I keep “Flash” disabled but up to date. I don’t need/want/use Flash in IE so it is not an issue for me. The only reason I ever need to use IE is for Active X and the need for that has gotten more and more fewer and farther between for me, to the point of nonexistent.

One addition point I might add is about “HTML 5” which seems to be reaching critical mass and taking the planet like a storm. I believe the key turning point was You Tube going 100% HTML 5 even though Flash is there for those odd users whom what/need it. NASA has announced that they are going all HTML 5 in 5 days. Microsoft has been working at an HTML 5 only attitude for there Streaming with less then stellar results especially for very long distant conferences. To bad because my NUC just does not like Flash and crashes 20 to 40 minutes into Netcasts.

Last point I would like to make is, Disabling Flash was a Great ‘Autoplay’ control! Well with HTML 5 that don’t work so well no more! For those who have a Browser Store available to them, like Chrome’s Store available to all ‘chrome engine’ based Browsers like Vivaldi, look up “Disable HTML 5 Autoplay”. It makes all the difference in the world!

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

4 users thanked author for this post.

walker, Elly, DeWayne12, Noel Carboni

Reply | Quote

I use Firefox. In add on`s I use “flashblock” I only disable it when necessary, elsewise I leave it enabled.

Reply | Quote

I use Pale Moon with the Flashblock add on and run the browser in Sandboxie.

Reply | Quote

I uninstalled Adobe Flash 2 years ago on all my machines. The times it has been an issue for me has been far and few in between. The few sites it was needed was of no real significance to me to begin with, so I just moved on.

I don’t use IE either. Not only do I not use it, I have it disabled.

Reply | Quote

JNP wrote:

We shouldn’t be talking about how to disable Flash at all, but thanks, Noel, for telling us how.

I’m not completely sure I agree that we shouldn’t be discussing disabling it…

Is it more important to see the video or ad or whatever is being delivered by Flash or is it better to have the computer system and your data live to surf another day?

What price glitz?

I personally tend to regard web content with contempt and suspicion, so I don’t find it difficult to shut out whole sections of it if there’s any reason at all. Kind of a “I didn’t need it anyway, and I didn’t even know it was there before now, so why take a risk to see it?”

My personal choices have led me to this specific layered security condition…

• ActiveX isn’t allowed to run from the Internet Zone at all.
• Flash is disabled for ALL sites (for 2+ months now).
• I blacklist many sites observed to have delivered malware or ads in the past so I don’t see anything at all from those.

Surprisingly, my web experience still seems quite rich, and more so without ads or malware intrusions. I really don’t sense I’m missing out on much that’s good. When I need to get information from the web, I get it. Given that, it’s hard to feel my choice to disable Flash – given my other choices and expectations – was the wrong one.

As always, mine is just one man’s opinion, and I am freely sharing my actual experience. Your mileage may vary, and you’ll undoubtedly want to make your own choices.

-Noel

2 users thanked author for this post.

Bill C., Elly

Reply | Quote

Noel Carboni posted (#95707)

What price glitz?

This is not entirely the case. Flash Player is essential to view video streams from US network TV web sites. It was until recently required at PBS Video. These are only two examples of legitimate sites where the content does not have HTML5 streams. If Flash Player were really all about glitz, I would have dropped it a couple of years ago.

-- rc primak

Reply | Quote

Each person has different expectations and requirements. Watching TV on one’s computer could be considered “glitz” by some.

But okay, let’s assume you really, really want to see flash videos from, say, nbc.com, and you trust that NBC won’t try to infect you with the very latest malware through their flash videos.

Assuming you use Internet Explorer and it’s flexible configuration model, this could be a case where selective blocking could be effective:

You could set up to block the execution of ActiveX from sites in the Internet Zone, yet have the Shockwave Flash plug-in enabled in the Add-ons list. Flash wouldn’t run by the vast majority of sites, which would by default be in the Internet Zone. So you’re generally protected from your system ever trying to run ad-borne malware brought in through Flash.

You could then configure your Trusted Sites zone list to allow ActiveX to run, then add nbc.com to your list of Trusted Sites.

Voila, just the Flash videos you want, but not from sites where you haven’t made a judgment of trust.

I personally wouldn’t trust NBC, but I acknowledge that not everyone would feel that way.

-Noel

Reply | Quote

Yes, I could do all of that. But I prefer to use Chrome and its Click To Play feature. I haven’t seen that feature in IE or Edge. But as I say, I don’t run Flash content through those browsers. So in IE and Edge, I could remove Flash Player and be none the poorer.

And yes, one person’s daily use might be another person’s “glitz”.

One advantage of not running Flash Player is fewer annoying and auto-playing ads and videos, although HTML5 autoplay is still a problem.

-- rc primak

Reply | Quote

I use “Flash Control” on my Firefox browser, even with Flash uninstalled. Its options panel allows blocking of Flash and/or HTML5 video/audio (even hidden HTML5 audio). It seems to work well with most websites. One click on the toolbar icon lets you enable a site if you wish. The icon changes color to let you know if the control is enabled or disabled for a given site. It remembers via a whitelist (you can edit) any sites you have previously allowed.

https://addons.mozilla.org/en-US/firefox/addon/flash-control/

On Chrome, I use “Disable HTML5 Autoplay”. Disable HTML5 Autoplay disables HTML5 audio and video autoplaying.

https://chrome.google.com/webstore/detail/disable-html5-autoplay/efdhoaajjjgckpbkoglidkeendpkolai?utm_source=chrome-app-launcher-info-dialog

Windows 10 Pro 22H2

1 user thanked author for this post.

walker

Reply | Quote

Web sites can override HTML5 autoplay blocking. I wish these extensions and settings were respected more places. But in my experience, they only block about one-third of Yahoo’s autoplaying links. And even less at some other sites. It’s like the Tracking Cookies — these extensions and blacklists are not always respected, and there is nothing end users can do about this except never to visit sites which disrespect our browser settings.

-- rc primak

Reply | Quote

You could look into hosts-based or DNS-based blacklisting if you want to exert a bit more control.

See also:
http://win10epicfail.proboards.com/post/2284/thread

-Noel

Reply | Quote

Possible, but it looks like a lot of effort. These are annoyances, not malware attacks (in my experience).

-- rc primak

Reply | Quote

With Windows 7 (Group B), I don’t have Flash installed for IE, but it’s current (usually) but disabled in Pale Moon. The National Weather Service still uses Flash for radar loops off the main forecast page, but the western US has another tool that gives radar loops without Flash. I ran into one state government application that needed Flash to run, so I updated, enabled, got my data, and disabled. When I think of it, I’ll check the current version at Adobe and update if necessary. Lately, Woody has the head’s up notice.

After this year’s taxes are done, my desktop machine will go Linux, without Flash. I’m keeping one laptop on Group B as long as MS cooperates. Fallback is group W and keep it offline. I can sneakernet anything that has to go to that machine.

Reply | Quote

Current ver is 24.0.0.221

Reply | Quote

Yep. Updated a few days ago (IIRC, Woody posted the update info).

Reply | Quote

I usually use Firefox and the latest Flash beta at home, with NoScript to help block stuff. The fact that I can update Flash separately is a great thing. As for people saying Flash is dying, maybe in the West, but Flash games are still a thing elsewhere. There’s a reason why I know a bunch of folks have reenabled Flash after a recent Chrome update – there’s Kantai Collection time-limited special event going on right now, and unless you play on fairly recent Android version of the game as I do, you need Flash to play (and, if you aren’t in Japan and aren’t using a VPN, you’re most likely using a Chrome extension to play the game – there were a number of threads on the Kancolle subreddit about having to reenable Flash in Chrome recently because of Chrome update-related issues). I haven’t seen anything about DMM, the game distributor, doing anything about getting rid of Flash versions of the many browser games they offer or forcing game developers to do HTML versions, so I have a feeling Flash won’t die anytime soon in Japan at least.

Reply | Quote

I think it is in general a lot of over-reaction about technologies like Flash, Java, Silverlight, QuickTime and how insecure they may be.
Most typical end-users who browse legitimate sites should be concerned about security and apply good practices when browsing and a lot of common sense, but should not panic due to specific vulnerabilities, zero day vulnerabilities not being patched etc. History shows that the mainstream attacks come much later after patches are released and those impacted do not patch at all or are sometimes years behind with patching.
Those accessing high-risk sites and they know which sites are those, would likely be target for malware, regardless of being patched or not patched.
Saying that, IE on Windows 8/8.1/10 and Edge on Windows 10 are likely safe enough with one version behind for Flash as we are today, but for those who are desperately in need to have the latest version, Mozilla Firefox, Chrome and Opera and their forks should offer the latest version of Flash. IE11 on Windows 7 also has the latest version of the Flash ActiveX Control available to install from Adobe.

3 users thanked author for this post.

Elly, Noel Carboni, walker

Reply | Quote

ch100 wrote:

I think it is in general a lot of over-reaction about technologies like Flash, Java, Silverlight, QuickTime and how insecure they may be.

Most typical end-users who browse legitimate sites should be concerned about security and apply good practices when browsing and a lot of common sense, but should not panic due to specific vulnerabilities, zero day vulnerabilities not being patched etc. History shows that the mainstream attacks come much later after patches are released and those impacted do not patch at all or are sometimes years behind with patching.

A lot of wisdom there.

People have a hard time grasping risk. Most folks probably only mentally differentiate risky vs. not risky behavior (i.e., using some kind of arbitrary cutoff based on subjective judgment), when in fact what we’re really talking about is reducing risk or minimizing risk when we talk about ways to configure things or practices to follow.

It’s okay; it’s human nature to simplify things. It’s one of our greatest strengths.

There is SOME risk that your computer will catch fire today. Or that a meteor will come through the roof and hit it. But those risks are not that great, so we might say they’re unworthy of worry. How can I possibly judge that? Past experience. I personally haven’t had it happen, and I’ll wager nearly all of us have never experienced those things and never will.

Developing software takes time – even malware – but presuming that SOME website out there has a REALLY energetic malware writer and implements a “zero day” exploit right after such exploits are published, there is SOME risk that we might visit that web site. But how much risk? It’s probably very low. If it were high you’d be hearing about it.

Thing is, we can’t really know the risk levels. There are very many things we can’t or don’t know. So we have to judge, “too much risk for me?”

As ch100 implies, base your thinking on your experience, and factor in the collective experience of others (one of the great things about the internet and forums is sharing experiences with others). Try to get a feel for the level of the risk and make your own judgments about what you feel comfortable doing about it.

-Noel

2 users thanked author for this post.

ch100, Elly

Reply | Quote

So actually, it looks harder for the MS PR to spin the idea that Windows 10 with Edge and IE is more secure than Windows 7 with or even without another browser? Making bold claims about security is often a minefield.

I agree mostly with ch100, but still, I would not use an out of date Flash on IE or Edge right now. Sure, your old games website will probably be ok, it will serve the same old flash content, but you never know who will use an ad to infect you with a zero-day. I’ve seen some innocent small websites get infected without the owner even noticing it. You think you will learn to knit some fancy sweater but you end up with a locked down computer.

It is so easy to just download an alternate browser and use it for Flash until MS patches IE and Edge. Just disable Flash from IE and Edge and then use it like you normally do, and then switch to the other browser if you happen to see a Flash content you really want. That seems like a reasonable approach that is not very costly and will raise your security online.

3 users thanked author for this post.

AlanH, ch100, JohnW

Reply | Quote

@AlexEiffel

I’ve seen some innocent small websites get infected without the owner even noticing it. You think you will learn to knit some fancy sweater but you end up with a locked down computer.

Have you actually encountered this situation yourself or only heard/read on some internet sites about it?
I am asking because I believe this to be an extreme and very unlikely situation to have your client computer locked down just because of being patched only one month behind.

Reply | Quote

I’ve seen one person getting locked down with a ransomware browsing an innocent small website (not a computer I managed so maybe it wasn’t a just one month behind patches PC).

I’ve seen a few times over the years people triggering drive-by malware on small websites, but they always have been catched either by the antivirus or EMET. I can’t tell you if those were 0-days either though.

I believe that the past experience you had might be representative of a lot of business use scenarios, but in theory, the future has no responsibility to reproduces the past. In theory, the malware developers have a strong incentive to use a 0-day vulnerability.

Following security blogs for a long time, over the years I remember seeing a not insignificant amount of 0-days used. Maybe they were not that successful at spreading everywhere for various reasons, but from memory, I wouldn’t think unpatched vulnerabilities were not exploited at all until patches were sent.

I don’t pretend I have the truth here as I bring my experience and distant memory of what I read on serious websites, but regardless, without going crazy, I don’t think it is bad advice to act as if 0-days were a real threat if the cost in time or other resource is not very important, like just using a different browser for a month or disabling flash for a month and only using it in Chrome or Firefox instead of IE and Edge for one month.

Reply | Quote

the future has no responsibility to reproduces the past.

This is what Tony Robbins always says

Reply | Quote

As for being careful about where you browse, sure it is always a good idea to avoid shady websites that promises you things like free pirated software and other illegal stuff, but as careful as you might be, it sometimes is not enough. Just two examples that might be a bit scary about what is possible for the serious business user:

https://www.theregister.co.uk/2016/02/21/linux_mint_hacked_malwareinfected_isos_linked_from_official_site/

https://nakedsecurity.sophos.com/2011/09/26/mysql-com-hacked-for-second-time-in-a-year-sql-injection-to-blame/

1 user thanked author for this post.

ch100

Reply | Quote

A doorway is open if you’re allowing executable software to run on your computer that’s sourced from who-knows-where. Such software could find ways to do things it shouldn’t be doing.

Which is why I personally have chosen to change IE’s defaults so that it will not execute ActiveX (e.g., Java, Flash, Silverlight) from any web site in the “Internet Zone” by default. Most sites work well enough with just limited scripting.

Making this one configuration choice averts more risk from malware than patching known vulnerabilities, installing antivirus software.

Users should ask themselves: Is seeing the videos/animation/etc. that these active content delivery packages present to you worth opening the door to malware?

-Noel

Reply | Quote

While your approach to IE is sensible and likely to protect you from IE acquired malware, I would suggest that ActiveX running on well-known sites and which are used a lot by those posting here is still a useful technology as is today.
I would give as example Microsoft Update Catalog
https://catalog.update.microsoft.com/v7/site/Home.aspx
which to me still looks better when being used with IE than any of the other browsers.

Reply | Quote

Actually, the Catalog can now be run in any browser, even those without Active-X. In fact, I could run it in Chrome under Linux, but that would not have any practical value.

-- rc primak

Reply | Quote

https://www.theregister.co.uk/2016/02/21/linux_mint_hacked_malwareinfected_isos_linked_from_official_site/

This is a great one!
Thanks for posting it.

Good reading in particular for those new fans of Linux who keep claiming that Microsoft is to be blamed for everything that they don’t like or understand about computers.

1 user thanked author for this post.

AlexEiffel

Reply | Quote

Never hurts to verify the checksum when you download an installer

Windows 10 Pro 22H2

Reply | Quote

How many people actually do it?
How many people actually know what is a checksum and what tool to use to check it?

1 user thanked author for this post.

Microfix

Reply | Quote

Great questions ch100
See here:
https://www.askwoody.com/forums/topic/importance-of-checksums-for-linux/

Windows - commercial by definition and now function...

1 user thanked author for this post.

ch100

Reply | Quote

I would add to Raymond’s list 7-zip (latest version) which can also compute hashes.

1 user thanked author for this post.

Microfix

Reply | Quote

<back on topic>

Windows - commercial by definition and now function...

Reply | Quote

NirSoft to the rescue!!!

http://www.nirsoft.net/utils/hash_my_files.html

Highly recommended to use for ISO downloads of operating system installers …

Windows 10 Pro 22H2

Reply | Quote

I agree with most of the comments, except that it is no longer a matter of avoiding questionable websites, or sites that have been hacked with malware.

The new kid in town is malware infected ads, that ANY website can present to your browser. This is because most sites now display ads that are brokered through 3rd party services, and they have not been screening their clients well enough. So even though it may be a trusted website, they have limited control over the ads that get shown.

The malware exploit kit in the ad then typically runs a script that detects the versions of Flash or other browser plugins software you are running and any potential security flaws it can use.

The only way to truly prevent this type of exploit is to block all ads, and/or lock down Javascript. But that is not very practical, because many website will deny access if the detect an ad blocker, and blocking all scripts will break the rendering of most websites.

The good advice to keep all OS, browsers, and plugins patched and up to date still applies. Reducing some of the attack surface and adding malware behavior analysis protection is the way forward in fighting these new exploits, that are mostly ransomware style attacks.

Windows 10 Pro 22H2

3 users thanked author for this post.

AlanH, Elly, AlexEiffel

Reply | Quote

JohnW wrote:

The only way to truly prevent this type of exploit is to block all ads, and/or lock down Javascript.

Are there JavaScript-only exploits you know of? It’s been my experience that the nasty stuff comes in ActiveX.

I ask because I have found it effective to block known ad/tracking/malware sites AND block ActiveX AND not allow software/files to run in iFrames AND a number of other configuration changes, while still allowing JavaScript.

-Noel

1 user thanked author for this post.

AlexEiffel

Reply | Quote

Are there JavaScript-only exploits you know of?

You may find annoying pop-ups or the browser being switched to full-screen coming via JavaScript now and then. But this is likely to happen on one of the higher risk web sites than on well-known ones.

Reply | Quote

I agree, but to me, that is not a security risk, mostly an annoyance. I still find Noel’s question highly relevant and I would not disable javascript to prevent pop-ups and full screening my browser.

Reply | Quote

I do not disable JavaScript, only replying to Noel.

Reply | Quote

ch100 wrote:

You may find annoying pop-ups or the browser being switched to full-screen coming via JavaScript now and then. But this is likely to happen on one of the higher risk web sites than on well-known ones.

Good point, though I believe there are config options (in IE at least) to mitigate some of that. I can’t say I’ve had either of those things happen for the past few years.

Of course, I could just be visiting mostly sanitary web sites. Nah, I follow Google search results pretty freely all the time.

-Noel

Reply | Quote

Noel Carboni wrote:

JohnW wrote:

The only way to truly prevent this type of exploit is to block all ads, and/or lock down Javascript.

Are there JavaScript-only exploits you know of? It’s been my experience that the nasty stuff comes in ActiveX.

I ask because I have found it effective to block known ad/tracking/malware sites AND block ActiveX AND not allow software/files to run in iFrames AND a number of other configuration changes, while still allowing JavaScript.

-Noel

Thanks for asking!

Javascript is a complete programming language that normally is limited to the DOM in the browser. But it can execute malicious code in the client. So unless you are sandboxing, it’s not foolproof.

Here’s an explanation … (not endorsing any security products, but this is good info)
https://heimdalsecurity.com/blog/javascript-malware-explained/

This is called a drive-by attack and it generally includes 9 stages:
1. You, as a user, unwittingly browse the compromised website.
2. The malicious JavaScript files are downloaded on your system.
3. They are executed through your browser, triggering the malware infection.
4. The infected JavaScript files silently redirect your Internet traffic to an exploit server.
5. The exploit kit used in the attack (hosted on the exploit server) probes your system for software vulnerabilities.
6. Once the exploit finds the vulnerability, it uses it to gain access to your PC’s functions.
7. This grants the exploit kit the right to execute code and download additional files from the Internet with administrator privileges.
8. In the next step, malware will be downloaded onto the PC and executed.
9. The malware can perform damaging functions on the PC. It can also collect information from the infected system and send it to the servers controlled by cyber criminals.

More info:
https://en.wikipedia.org/wiki/Heap_spraying

https://www.veracode.com/security/javascript-security

Yikes! There’s a new one! https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/

http://www.pcworld.com/article/3170583/security/javascript-based-aslr-bypass-attack-simplifies-browser-exploits.html

Windows 10 Pro 22H2

4 users thanked author for this post.

Noel Carboni, Kirsty, AlexEiffel, ch100

Reply | Quote

JohnW wrote:

3. They are executed through your browser, triggering the malware infection.
4. The infected JavaScript files silently redirect your Internet traffic to an exploit server.

That all sounds scary, but…

I’d really like to understand more about how the actual “malware infection” is done, because JavaScript as run in a browser just hasn’t been given a fundamental ability to take over a system.

Some of the information at the above links smells very “buy our security product” salesy.

In other cases, comments in the articles, like…

When combined with attack code that exploits vulnerabilities in browsers or operating systems, the JavaScript can reliably eliminate virtually all of the protection ASLR provides

…imply that there’s additional software involved (i.e., the “attack code” mentioned).

If it were possible to compromise a system by simply executing JavaScript in a browser, pretty much every system everywhere would be compromised. Sites have been loading JavaScript to be run on client systems forever. I believe there’s more than meets the eye here.

Thanks for the info. I’m going to have to learn more about this.

-Noel

Reply | Quote

The bottom line is Javascript is active code that runs in the browser. In theory, if you are completely patched and up to date, you minimize the risk. You may even be silently scanned by an exploit kit and not even know it, because you have been passed up due to no obvious vulnerabilities.

Exploit Kits: A Fast Growing Threat
https://blog.malwarebytes.com/101/2015/01/exploit-kits-a-fast-growing-threat/

What is malvertising?
https://blog.malwarebytes.com/101/2015/02/what-is-malvertising/

To see what info your browser is sharing (or leaking), this site is very informative
https://browserleaks.com/

Reply | Quote

anonymous wrote:

The bottom line is Javascript is active code that runs in the browser.

Yes, but details matter with regard to the risk level, and JavaScript is far more sandboxed than “active code” running under Win32 (i.e., in an Add-on/ActiveX).

Browsers have been building up the walls around the JavaScript sandbox for a very long time.

I’m still looking to find details on what the threats are when running JavaScript alone in a browser when the (large number of) other browser security settings are set to block malware scaling those walls.

All in all I’m trying to test the theory that running JavaScript with otherwise maximum security settings, coupled with ad-blocking and malware-site-blocking at the name resolution level, makes it so much of the modern web can be enjoyed without a significant threat of “drive by” infection. Evidence from actual practice says it’s workable, but my experience is necessarily limited on a world scale.

“Significant threat” is of course difficult to define, though I’ll know it when I see it.

-Noel

Reply | Quote

I am not actually suggesting that we should disable Javascript. That would break just about all of the modern web! Here is a report from somebody who tried it for 1 week, LOL … https://www.wired.com/2015/11/i-turned-off-javascript-for-a-whole-week-and-it-was-glorious/

But to get a graphic idea of just how many web connections you make when you visit a popular web site, try installing the Disconnect browser plugin. It’s actually kind of creepy when you see how many connections are made. And I am well aware of how HTML, CSS, and Javascript work in the browser.

In my opinion we need to stay informed of the possible risks, and to stay as patched and up to date as possible. The zero day vulnerabilities, or reported ones that have have gone unpatched by software vendors for some time, concern me the most.

You say that you use ad blocking and blacklisting, which I also do. That is a good plan. In addition, removing plugins (like Flash or others) that are no longer needed is good practice.

Something else to consider is use of an anti-exploit software to detect malicious exploit behavior in browsers and web facing application and stop it, before it can execute on the PC.

Windows 10 Pro 22H2

Reply | Quote

https://www.howtogeek.com/138865/htg-explains-should-you-disable-javascript/

1 user thanked author for this post.

woody

Reply | Quote

Thanks for your response. However, I’m not sure this article is a reliable source. It is not well-written at all, confusing and repeating the same things in different ways. It seems purposefully obscure to scare people into buying some kind of protection that we don’t know in which way it would protect better than other products.

I highly doubt Javascript itself is responsible for what the author says. Ok, mainly in the article it seems to be the idea is it helps connect to a place where an exploit kit can scan your computer for vulnerabilities, so in theory if you are patched and there are no 0-days in the field, it doesn’t change anything, but if you aren’t it makes it easy to scan your system regularly if it stays in your browser and is active every time you use it without revisiting the website again, but I find that idea suspicious.

The author talks about the ability of Windows to run javascript natively, but I don’t think it should be inferred that because a javascript have been downloaded in your temp folder, Windows will necessarily run it by itself, “Look! a javascript! I waited for so long to get one so I can run it!”. I found a few .exe viruses in my users temp folders that have never been run over the years.

You might be interested in cross-site scripting issues with javascript. For that reason, I install noscript on Firefox and I set it to disable to not annoy users with incessant prompts and a degraded experience, but it still protects from cross-site scripting (XSS). Better than nothing.
“Allow Scripts Globally (dangerous) switches NoScript in the (not recommended) “Default Allow” mode. Only sites and objects explicitly marked as untrusted will be disabled. Other important security features, like Anti-XSS protection, HTTPS enforcement, Clickjacking protection and ABE will still be effective, though.”

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Opera Browser uses html5, its better than buggy chrome, which failed to account login/sync on new computer.

Reply | Quote

also ublock origin on Opera

Reply | Quote

I am concerned that relying on a webpage to tell you Flash is outdated is unwise. While I do not believe regular readers of AskWoody.com would actually click on the magnanimous offers on a website to “assist” in any Flash update, folks who find this site on a web search may be less knowledgeable. Website popups for Flash being out of date are notorious vectors for being potential malware installers. Maybe I am paranoid, but if I get a popup like that I immediately close the webpage (many times it will not even allow you to close the popup and browser without resorting to task manager.)

If so, I will then do a quick scan with Malwarebytes.

I will then use the Control Panel applet to delete the browser cache (for IE) and do the same from inside Firefox, even though both are set to flush the cache upon shutdown.

For all flash updates, I go to the Adobe site to download the offline installer for IE and Firefox and run them as admin. I use the offline as the installers will totally delete the prior versions of Flash, and don’t offer Google, Chrome or Yahoo, etc. during the opening screen. I have found that the online installers will usually not completely delete all of the old version’s files until reboot. I always check the C:/Windows/System32/macromedia and C:/Windows/sysWOW64/macromedia folders after the update and have usually found the Active-X (IE *.ocx) file is still there until after a reboot. Firefox is a bit better.

I use the website Tweakguides.com for monitoring Flash updates and patches, along with PSI and Belarc Advisor. There are also other sites.

I use IE for certain functions and sites and Firefox for general browsing and have set the Firefox Flash to ask permission to run. I will usually deny it initially and if the site is usable leave it denied. Unfortunately, IE has no such capability to require permission for individual sites.

Actually, I could probably eliminate Flash from IE. If I did, I would uninstall it and leave only the Firefox plug-in. I rarely used IE for YouTube (pre-HTML5) since YouTube and other video hosting sites and media outlets often did not work even with Flash due to my Tracking protection settings in IE. I also never watch TV on my smartphone of computer, simply because I bought a big screen TV for a reason.

Reply | Quote

Bill C. wrote:

I am concerned that relying on a webpage to tell you Flash is outdated is unwise.

That concern is prudent. I have one reliable site I visit daily, which is always the first to alert me. I always directly download the offline installer from Adobe (re my Flash Links), and update my W7 set-ups, often before word is out that an update is available.

Reply | Quote

Why bother with disabling if you can remove it? I uninstalled Flash like 4 years ago, and don’t miss it at all.

For static videos, youtube-dl covers all the sites I use.

If I really want to watch some streaming video I just view the site source, Ctrl+F for ‘rmtp’ put together the url and open it in my own media player. (if you have a site where you can’t find the url scheme, just ask here in a reply and I’ll help)

I have no idea what else is using Flash anymore, but you can download TENS (https://www.spi.dod.mil/lipose.htm) and run it in VirtualBox. This is probably the only Linux Live-CD distribution which includes Flash Player. (https://www.spi.dod.mil/liposeFAQ.htm#FAQ3.10)

Reply | Quote

anonymous wrote:

Why bother with disabling if you can remove it? I uninstalled Flash like 4 years ago, and don’t miss it at all.

It’s been my experience that removed things in general tend to come back more often than disabled things get enabled.

-Noel

1 user thanked author for this post.

ch100

Reply | Quote

It seems to me that this is the case too.

Reply | Quote

Any examples of programs like Flash getting installed without any user interaction?

Reply | Quote

Hi Y’all,

I am hearing that Microsoft will release the Flash update on 2017.2.21 Tuesday???

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote

Any word on the SMB fix too?

Reply | Quote

I think Susan Bradley said a while ago that a fix for SMB was released in Catalog only in January. This vulnerability is normally mitigated by ISPs for home users or firewalls in business context, so I did not install the Catalog patch anywhere. This patch was supposed to be made mainstream in February, but as we know, there was no security patch released in February yet.
The details are here http://patchmanagement.org/ on the Patch Management List tab which redirects to http://marc.info/?l=patchmanagement

2 users thanked author for this post.

PKCano, Noel Carboni

Reply | Quote

Woody,

Secunia updated Flash on 2/14/2017 with v24.0.0.221. They’ve been on top of my Office patches also.

If one were to uninstall Flash, what would be an alternative?

Thanks,

Chip

Reply | Quote

HTML5, check your browser’s capabilities with YouTube for example: https://www.youtube.com/html5

Reply | Quote

This is all relevant to Flash, the browser, and other plugins that run code …

Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click
https://www.wired.com/2015/12/hacker-lexicon-malvertising-the-hack-that-infects-computers-without-a-click/

What is Malvertising and How Do You Protect Yourself?
https://www.howtogeek.com/227205/what-is-malvertising-and-how-do-you-protect-yourself/

How to Protect Yourself from “Malvertising” on the Web
http://lifehacker.com/how-to-protect-yourself-from-malvertising-on-the-web-1745588094

Why Malvertising Is Cybercriminals’ Latest Sweet Spot (Part 1)
https://www.wired.com/insights/2014/11/malvertising-is-cybercriminals-latest-sweet-spot/

Why Malvertising Is Cybercriminals’ Latest Sweet Spot (Part 2)
https://www.wired.com/insights/2014/12/why-malvertising-is-cybercriminals-latest-sweet-spot-part-2/

Windows 10 Pro 22H2

Reply | Quote

PhotM wrote:

I am hearing that Microsoft will release the Flash update on 2017.2.21 Tuesday???

Is this the best way to see it ASAP?

http://www.catalog.update.microsoft.com/Search.aspx?q=flash
(sort by date Last Updated)

-Noel

Reply | Quote

It works better when you use the full term Flash Player. And no, as of mid-day Tuesday, Feb. 21, 2017 in the USA, the patch is not yet in the Catalog. Many times these Flash Player patches are made available through MS Updates before they hit the Catalog. Assuming MS Updates is working again, which may not be so.

-- rc primak

Reply | Quote

I use Windows 7, Firefox and the Noscript addon. No doubt I will be called paranoid, but I don’t care. I prefer blocking all ads and scripts and selectively enable them as needed myself.

If any website blocks me off by saying I am using a ad blocker, then I will not visit them again, simple.

As for the c*** known as Flash, I removed it a long time ago from all my computers. I don’t feel my web experience diminished in any way. I almost never spend time viewing web videos anyway.

Yeah, I am well aware that IE in Windows 8.1 and 10 needed to be patched for Flash vulnerabilities and I will do that if I need to use them. But why does Microsoft feel it necessary to include that rubbish in the first place?

Hope for the best. Prepare for the worst.

Reply | Quote