Browser plug-in components such as Flash aren’t there to improve security in your browser, but rather to add more features and process more types of file.
So, the best result from a security point of view is “nothing”, while the worst is “crooks have more ways to attack and install malware.”
The problem with Flash is that it became so widespread that crooks focused on it, finding bug after bug that they could exploit because the rewards from drive-by malware installs were so big.
At the same time, Flash has become less and less necessary, to the point that few websites these days truly require it. (Just ask any iPhone or Android user – neither platform uses Flash at all.)
So, why not get rid of Flash altogether? Uninstall it or turn it off completely?
Many users have done just that, without regret; others prefer a more granular approach.
So far, Microsoft Edge has taken what amounts to an on-or-off approach, but Microsoft just announced that it will take a more nuanced attitude in the future.
Microsoft is introducing an Edge feature that will make future versions of the browser a bit more like Safari, which lets you have Flash off for the most part, yet turned on for specific sites, either always on or in “click-to-play” mode where you’ll be asked every time.
If Microsoft had said it was dropping Flash entirely, like iOS notoriously did, we’d have cheered out loud…
…but we also know lots of people who won’t get rid of it because they prefer it or need it for some sites, so we’re still happy to hear about this new Edge feature.
If we can get more people to block Flash on more sites, instead of leaving it turned on everywhere just so that it’s turned on somewhere, we’ll all be better off.
Nevertheless, I’ll still suggest trying to live without Flash altogether – for a while, perhaps, say for a month.
You may find that your digital lifestyle is inconvenienced very little – and in return you will inconvenience the cybercriminals enormously.
That’s not meant as an indictment of Adobe, or a direct criticism of Flash, but simply a reminder that when it comes to attack surface area – the amount of software you have that is directly exposed to hostile content – then less is definitely more.
Flash has always had more holes than a Swiss cheese but like a zombie it keeps refusing to die.
The sooner all browsers decide to scrap it the better; with support removed, legacy websites will be forced to depart from this horrible legacy nightmare. They will not upgrade until forced to.
The thing that surprises me is when sites work fine on my iPhone by using HTML5 but won’t do the same on my laptop. I can understand (if not really sympathise) with sites that insist on Flash because it’s all they’ve got…but why insist on Flash when you’ve already crossed the HTML5 bridge for all your mobile users?
Hopefully, Google’s “Roll-out plan for HTML5 by Default” (Chromium Blog, 2016-12-09) will discourage sites from using Flash by the time it’s rolled out to all Chrome users in October, 2017.
Chrome has had a feature for ages which prompts before Flash runs,
Settings–>Show Advanced Settings–>Privacy–>Content Settings–>PlugIns
and then check “Let me choose when to run plugin content”
This only seems to prompt for Flash; I don’t seem to require any other content plugins. (It used to prompt for PDFs too, which wasn’t annoying, but now that Chrome uses its built-in PDF viewer, I don’t even get those prompts any more.)
I’m not a Chrome (or Chromium) user but this sounds a bit like Mozilla’s click-to-play.
As far as I can see, Edge’s feature will be closer to Safari’s, where you get to set allow/block/click-to-play by site. So you can allowlist your work site that always needs Flash, click-list the BBC (what is it with the Beeb and Flash?) and blocklist everything else. Whether more control is better or not remains to be seen but I like the idea of having even click-to-play blocked on most sites. (For click-to-play to work, your browser has to admit to the server that Flash is possible, which often gives a different outcome to acting as though it is not installed at all.)
The only website that I use regularly that needs Flash is the BBC website. Once they stop using Flash, then I can say “Good riddance” to it.
I stopped using the BBC instead. More exactly, I use the BBC site for reading articles only. I have heard people say that if you switch your User-Agent to pretend you are an iPad you will be fine without Flash but I have never bothered to find out 🙂
Well, it’s progress. That’s better than nothing. It’s better than whatever Adobe is trying to do (are they doing anything about their masterful popular and unsafe plugin?)