Adobe Flash is under attack yet again, with yet another "0-day" -- a new security hole being exploited before there's even a patch available. Here's how to protect yourself from future problems.

A malicious website -- or a website with a malicious advertisement from a third-party ad network -- could abuse one of these bugs to compromise your computer.

Enable Click-to-Play (or Uninstall Flash Entirely)

You could theoretically uninstall Flash to avoid these problems. It's needed less and less, with even YouTube dumping Flash completely for modern HTML5 video in modern web browsers. In a worst case scenario when you stumble on some sort of video site that requires Flash, you could always just pull out your smartphone or tablet and use the mobile site -- those are built without Flash.

But sometimes you need Flash, and we can't recommend most people uninstall it completely. If you do want Flash installed -- and you probably do, sadly -- enabling click-to-play is the best option available to you. This prevents websites from loading all the Flash content they want. When you visit a site, you can just click the placeholder icon to load a specific Flash element -- such as the video. Flash won't automatically run, protecting you from "drive-by" attacks where you get infected simply from visiting a website.

But Don't Whitelist Any Websites!

You shouldn't use the click-to-play whitelist, which allows you to automatically load Flash content on certain trusted sites. Here's why:

The recent attack was discovered in ads on Dailymotion, a popular video site. This is the kind of site people would whitelist so they wouldn't need an additional click every time they wanted to watch a Dailymotion video. But whitelisting the site would allow all Flash content to load, including those potentially malicious ads. Using click-to-play and just clicking the main video player to load it would have prevented this attack -- click-to-play allows you to only load specific Flash elements on a page, reducing your vulnerability.

Click-to-play isn't a panacea, as some ads are delivered inside video players. Yes, you could potentially be exploited from there using some sort of zero-day vulnerability. But it's not about avoiding every risk -- it's about minimizing the risk as much as possible.

Use Chrome, Chromium, or Opera for the Flash Sandbox

Browser plug-ins like Flash were never made to be "sandboxed" for security. Sandboxing means running a plug-in in a low-permission environment, so that an attack that cracks Flash won't get access to your entire computer.

Google has alleviated this problem a bit with the "PPAPI" (or "Pepper API") plug-in system used in Google Chrome and the open-source Chromium browser that forms the basis for Chrome. PPAPI provides additional sandboxing, which can help protect you from vulnerabilities. But the real solution is replacing plug-ins entirely.

The recent security bulletin from Adobe notes: "We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below." Chrome is conspicuously not mentioned, which could be because the PPAPI system provides additional security. Chrome users shouldn't have a false sense of security, as this hasn't protected against every problem -- but Chrome is probably the safest browser to use Flash in.

Chrome includes a Flash plug-in, but you can also download the PPAPI plug-in for Chromium or Opera from Adobe's website. Chromium forms the basis for both Chrome and Opera, so the three browsers should offer the same security features for Flash.

Keep Flash Updated Automatically

Be sure to keep your Flash plug-in updated. This won't protect you from the 0-days -- which don't have a patch released, by definition -- but it's a critical part of securing the Flash plug-in on your computer. When those security holes are patched, you'll get the update.

There are several ways to do this. If you use Google Chrome, Google includes the sandboxed (PPAPI) Flash plug-in with Chrome. It will automatically update along with the Chrome web browser so you don't even have to think about it.

If you use Internet Explorer on Windows 8 or Windows 8.1, Microsoft includes a version of the Flash plug-in with IE, too. You'll receive updates for Flash for IE from Windows Update along with your other security updates.

If you use a different browser -- Firefox, Opera, or Chromium on any version of Windows; or even Internet Explorer on Windows 7 or earlier -- you'll need to use Flash's built-in updater. Flash recommends you enable automatic updates when you install it, but you should check to make sure automatic updates are actually enabled on your computer.

On Windows, you'll find this option under Flash Player in the Control Panel. Open the Control Panel and search for "Flash" to find the shortcut, or click the System & Security category and scroll down to the bottom. Click the "Flash Player" icon, click the Advanced tab, and ensure automatic updates are enabled.
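The same check can be scripted by reading the `mms.cfg` file where Flash Player stores its update settings. This is an added example, not part of the original article or Adobe's tooling; it assumes the default Windows install paths and the `AutoUpdateDisable` and `SilentAutoUpdateEnable` keys described in Adobe's administration guide, and the sample files are constructed.

```python
import os

# Usual mms.cfg locations on Windows (assumption: default install paths).
CFG_PATHS = [
    r"C:\Windows\System32\Macromed\Flash\mms.cfg",
    r"C:\Windows\SysWOW64\Macromed\Flash\mms.cfg",
]

def parse_mms_cfg(text):
    """Return {lowercased key: value} from key=value lines, skipping '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading byte-order mark
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings

def update_mode(text):
    """Classify the update policy: 'automatic', 'notify-only', 'disabled' or 'review'."""
    cfg = parse_mms_cfg(text)
    # Assumption: a missing key is treated as 0 (updates allowed, background install off).
    disable = cfg.get("autoupdatedisable", "0")
    silent = cfg.get("silentautoupdateenable", "0")
    if disable not in ("0", "1") or silent not in ("0", "1"):
        return "review"          # unexpected value: check the file by hand
    if disable == "1":
        return "disabled"        # Flash never checks for updates
    return "automatic" if silent == "1" else "notify-only"

# Constructed sample files, not taken from any real machine.
SAMPLES = {
    "background updates on": "# set at install\nAutoUpdateDisable=0\nSilentAutoUpdateEnable=1\n",
    "prompt only": "AutoUpdateDisable=0\nSilentAutoUpdateEnable=0\n",
    "updates off": "SilentAutoUpdateEnable=1\nAutoUpdateDisable = 1\n",
    "typo in value": "AutoUpdateDisable=O\n",
}

if __name__ == "__main__":
    found = [p for p in CFG_PATHS if os.path.isfile(p)]
    for path in found:
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            print(path, "->", update_mode(fh.read()))
    if not found:  # no Flash install here: show the classifier on the samples
        for name, text in SAMPLES.items():
            print(f"{name}: {update_mode(text)}")
```

Only a result of `automatic` means patches install without any action from you; `notify-only` still depends on someone accepting the prompt.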

Use a Different Browser or Browser Profile for Flash

Rather than uninstalling Flash entirely or depending solely on click-to-play, you could use a separate browser profile that has Flash enabled and open it only when you need Flash.

For example, if you use Firefox most of the time, you could uninstall Flash itself and install Google Chrome. Launch Google Chrome (which comes with a built-in Flash player) when you need to use Flash content. Or, you could create a separate "profile" (user account in Chrome) in the browser itself and disable Flash only in your main profile, leaving Flash enabled in the secondary profile. This would isolate Flash in a separate area away from your main browser.


Browser plug-ins are dangerous -- really, the plug-ins and the underlying plug-in architecture itself just weren't designed with security in mind. Java is the worst of the bunch, but even Flash has a never-ending stream of problems. The good news is that the only plug-in you likely need is Flash, and the web depends on it less with each passing day.