Adobe Flash Player GOOD? BAD?

When I go to some sites, Firefox says, "Additional plugins are required to display all media on this page."

Per http://en.wikipedia.org/wiki/Adobe_flash Wikipedia...

I have NoScript, and on the Options > Advanced > Untrusted tab, there is a "Forbid Macromedia Flash" restriction option. The default is not checked.

Any advice...
Flash... GOOD? BAD?
NoScript... check ""Forbid Macromedia Flash" YES? NO?

I can not seem to find a definitive answer if Flash is or is not OK.

Mike

 

I would say that Flash Player is like a number of multimedia programs, such as QuickTime, Winamp, RealPlayer, etc., that are under constant attack these days. Most people have them and don't think about them, are used to clicking on videos in web pages, and don't patch them the way they're used to patching things like OS's, web browsers, and MS Office. It's hard to do without them these days (although there are options like QT Alternative and Real Alternative), but you need to keep up on patches.

 

Yes, I do keep up on patches.

I am also probably the only person on the planet that uses NoScript and my whitelist only has wilderssecurity.com... I sparingly use temp allow.

Mike

 

Hello,
Flash Player in itself is not good or bad. It just is. As to the content, the same rule applies as to programs and such. Run only files that you feel are ok.
Mrk

 

True...Thanks

When you spend a lot of time here on Wilders, I start to not even trust my brain.exe.

Mike

 

Ditto to Mrk.

Most browsers have some ways to deal with flash objects. One of Opera's ways is to insert a placeholder where the .swf object appears on the screen. Then, you can make a decision. To run, just click on the placeholder

Some sites use flash for advertising (my biggest gripe: I'm not opposed to adverts, just the animated ones, so I block them)

The same site may use flash for multimedia presentations, such as csmonitor.com:

Advertisement:

http://www.urs2.net/rsj/computing/imgs/flash-1.gif
___________________________________________________________________

Multimedia presentation:

http://www.urs2.net/rsj/computing/imgs/flash-2.gif
____________________________________________________________________

Choosing whether or not to run the file, or download a flash video: Your trust of the site would be the most important factor. Scanning the file may or may not flag an infected file.

And, there is the possible remote code execution attempt.

The exploits that have been identified point to the usual type of executing a payload, easily prevented:

Conclusion: low threat level.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

If running Firefox then I would suggest Flashblock. Does for FF what Opera has already built in.

 

NoScript does it as well, and it blocks all the other nasties too.

btw, I bet the most technical-minded of yours will love these slides

 

Just great, more scary stuff.

In my first post I asked if I should forbid Flash in Untrusted sites... Yes or No?

Which is it better...
1) to allow Flash in a untrusted site, or
2) Temporarily Allow the untrusted site?

Mike

P.S. Love your signature!

 

Yes.

The best is to temporarily allow just the Flash movie you need to watch by left-clicking on the NoScript placeholder. This choice will be remembered for the current tab.

Generally speaking, security is a matter of reducing the attack surface and always giving away only the privileges needed to do the work, nothing more than those, for the minimum timespan.
So if you need a specific Flash movie to play, why enabling the whole site or Flash everywhere, forever, when you can enable just the movie you want and leave the rest alone?

Sometimes a Flash movie can't work if JS is disabled on the page. If this is the case (and the content is really worth), just temporarily allow the site.

Notice that a recent addition to NoScript is the noscript.contentBlocker preference, which extends the content restrictions for Java, Flash and other plugins to trusted sites as well, sort of FlashBlock on steroids.

My signature loves you back

 

Thanks... done/forbid. I also forbid "other plugins".

I had forgotten that.

Yup, I only sparingly use Temporarily Allow JS.

OK

OK

I currently only have wilderssecurity.com on my white list. Yes, I know it does not required it, but I like the site navigation better with it. I think I will still use noscript.contentBlocker just in case I do add a few more white sites.

I am currently reading http://www.adobe.com/products/flashplayer/security/ about...
1) A local shared object, sometimes referred to as a "Flash cookie"
2) A third-party local shared object, sometimes referred to as a "third-party Flash cookie"

Yikes, Flash can use my Microphone and Camera! http://www.macromedia.com/support/documentation/en/flashplayer/help/help05.html

Mike

 

Thanks for this. It is a very clearly-presented and understandable paper - even a non-programmer like myself can follow it!

Well, yes and no. Scary, because the potential for abuse of the code is laid out. But this is becoming very common for more and more applications. In this paper, the authors comment,

Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - an Empirical Investigation
http://infosecon.net/workshop/pdf/telang_wattal.pdf

In theory, the only safe computer is that which is unplugged (courtesy of bigC). But we want to use our computer and its software, including Flash. So, while reading about flaws in our software can be disconcerting, looking carefully at what their impact is helps lead to solutions for their safe use.

The best way is to analyze known exploits. With Flash, as I mentioned in my above post, the only analyses I've found published reveal a tried and successful, yet easily blocked attack: the downloading of a trojan.

With respect to the various techniques presented in Stefano Di Paola's paper on Testing Flash Applications, no instances of use of these in the wild were given, so I emailed him and asked a few questions. He replied that he was not aware of any exploits in the wild of Flash objects using these techniques.

Preventative measures for using Flash, then include

1) starting with the browser's features to control displaying of Flash objects, as have been mentioned in this thread

2) user's decision whether or not to run a Flash object: trustworthiness of the site, etc.

3) protection place behind the browser to block the known methods of attack.

Having a strategy in place to deal with a situation like this gives us the freedom and confidence to use the software we want.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​