Defending against the Flash player

I had an epiphany today when I read that there was yet another bug fix for the Flash player.  

The insight came only because I was using a new Windows 7 computer. Being new, it did not yet have Firefox installed. And, needless to say, it arrived with an outdated version of the Flash Player plug-in for Internet Explorer, which I had un-installed.  

I read about yesterday's new release of the Flash Player while using Google's Chrome browser. The story said that Chrome had already been updated with the latest version, and sure enough, it had. So I was done.

A new version of the Flash Player had been released, and the computer downloaded and installed the new version without my knowledge or involvement. That suits me just fine, at least as far as the Flash Player goes (I wouldn't want all software to work like this).

Of course, to get to this point, the Adobe Reader had also been removed. Versions 9 and 10 of the Reader include Flash, which few people consider a good idea. Last October I explained my rationale for using alternate PDF viewer programs. The risk/reward ratio for the Adobe Reader doesn't make Defensive Computing sense when there are good free alternatives.

The Flash player has a bulls-eye painted on its back. In part, this comes from its being so popular, but I also think it's fair to say that Adobe could do a better job both securing the software in the first place, and pushing out updates on a timely basis.

Bad guys seem to have a never-ending list of Flash exploits at their disposal. The last edition of the Flash Player had a lifespan of about 24 days, the previous edition was the latest and greatest for about 30 days, the one before that, about 17 days and the one before that about 21 days (from my flashtester.org site). As soon as Adobe fixes a bug, the bad guys simply move on to the next one in their arsenal.

I'm tired of being a pawn in this game. Perhaps you are too.

One defense against the Flash player is not to use it. Of course, that's not always possible. So when you do need it, it's important to ensure you have the latest version. The best way to get the latest version, without question, is to use the Chrome browser.

Chrome is different from other Windows-based browsers in that it includes a copy of the Flash player. Install Chrome, get Flash. Other browsers use a version of the Flash Player that is visible in the Control Panel, not Chrome. With Chrome, Flash is an integral part of the browser.

Thus Flash benefits from the excellent self-updating of Chrome, which installs bug fixes and new releases quietly and often. By default, a Google update task runs every time Windows boots, another instance runs once a day at a fixed time, and a third instance runs hourly.

At first, I found this too intrusive and used the portable version of Chrome which does not automatically self-update. I have since settled on disabling the Google update task that runs at system startup (the less that happens at boot time, the less that can go wrong), and adjusting the Windows scheduler so that the hourly task runs every 2 hours. That seems sufficient to me.
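The scheduler adjustment described above, as an added PowerShell example that is not part of the original article. It assumes Windows 8 or later, where the ScheduledTasks cmdlets exist (on Windows 7 the same steps are done with schtasks.exe or the Task Scheduler GUI), and that the Google Update tasks are registered with names beginning GoogleUpdate; the task names and the exact trigger layout are assumptions, so read the inventory output before changing anything. Run it from an elevated prompt.

```powershell
# Added example, not from the original article. Assumes Windows 8+ (ScheduledTasks
# module) and Google Update tasks named GoogleUpdate* (an assumption; check the
# inventory output first). Run as administrator.

# 1. Inventory: which Google Update tasks exist, and what fires them?
$tasks = Get-ScheduledTask -TaskName 'GoogleUpdate*' -ErrorAction SilentlyContinue
foreach ($t in $tasks) {
    Write-Host "$($t.TaskName) [$($t.State)]"
    foreach ($trig in $t.Triggers) {
        $kind = $trig.CimClass.CimClassName      # e.g. MSFT_TaskLogonTrigger, MSFT_TaskDailyTrigger
        $rep  = $trig.Repetition.Interval        # ISO 8601 duration such as PT1H, or empty
        Write-Host "    trigger: $kind  repeat: $rep"
    }
}

# 2. Disable the task that runs at boot/logon (the one carrying a logon trigger).
foreach ($t in $tasks) {
    $hasLogon = $t.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if ($hasLogon) {
        Disable-ScheduledTask -TaskName $t.TaskName | Out-Null
        Write-Host "Disabled $($t.TaskName) (logon trigger)"
    }
}

# 3. On the task that repeats hourly, replace the repetition with every 2 hours.
foreach ($t in $tasks) {
    $hourly = $t.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1H' }
    if ($hourly) {
        $newTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
                        -RepetitionInterval (New-TimeSpan -Hours 2) `
                        -RepetitionDuration ([TimeSpan]::MaxValue)
        Set-ScheduledTask -TaskName $t.TaskName -Trigger $newTrigger | Out-Null
        Write-Host "$($t.TaskName): hourly repetition changed to every 2 hours"
    }
}
```

Step 2 disables the whole task, so if that task also carries the once-a-day trigger, that trigger goes with it; the point of the exercise is fewer checks, not none, so leave the remaining task enabled and confirm afterwards with the inventory loop that at least one enabled task still has a repeating trigger.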

Since Google integrated the Flash Player into Chrome, it has consistently been the first to roll out new versions. Gregg Keizer of Computerworld even reported that Google found the latest bug and reported it to Adobe.

So, in a nutshell, a good Defensive Computing approach to Flash is:

1. Un-install the ActiveX version used by Internet Explorer

2. Un-install the plugin version used by Firefox and other Windows-based browsers

3. Un-install the Adobe Reader

4. View sites that require Flash in Chrome

I'm well aware of NoScript for Firefox, but find the above approach simpler and thus more realistic for many Windows users. Also, Chrome can self-update as a limited/restricted user, another big Defensive Computing advantage.

I don't come to this suggestion easily, being a fan of Firefox. But with version 4, Mozilla seems to have taken their eye off the ball.

Some may find this approach too extreme. After all, Adobe pops up a big window on the screen when Flash needs to be updated. As the saying goes, ignorance is bliss. The warning from Adobe that Flash needs to be updated is flawed.

For one, it checks once a week, at best. To me, this is not frequent enough. And your computer may only be checking every 60 days, or not at all. To see how your machine is configured, check the Global Notifications Settings Panel. On a new Windows 7 machine, the default was 7 days, but I don't know if that's always the case.

Secondly, Adobe only warns about new versions of the Flash player at system startup. Surely, we all know people that don't turn off their computers. The Windows XP laptop that I wrote this on gets re-booted once a month to install Windows patches. Every night it hibernates. No warning messages for me.

Another problem has to do with verification. When you see this message, how do you know if it's legit or a scam? Non-techies can't tell*. The Flash update notice has already been used in attempts to install malware. To check if the message is legit, you need to go to www.adobe.com/software/flash/about/.

Finally, the message is sometimes wrong. For example, if the computer was booted with an old version of Flash, then Flash was updated to the latest and greatest version, the next re-boot may well incorrectly warn that Flash is outdated.

So, when the Flash Player is needed, use Chrome.

As a side benefit, removing Flash from Internet Explorer and Firefox makes them more secure. It's a win-win :-)

Is this a step towards making Chrome your default browser? Could be. Long time Firefox users have their favorite extensions and Chrome still has no Print Preview. But always being up-to-date on the Flash Player, with no fuss or muss, is a big deal.   

*Techies can use Process Explorer to see the source of the window. On Windows XP SP3, the last time I checked, Process Explorer showed that the warning came from program NPSWF32_FlashUtil.exe running out of C:\WINDOWS\system32\Macromed\Flash. Recently on a Windows 7 64 bit system, the program displaying the window touting a Flash update was FlashUtil10q_Plugin.exe running out of C:\Windows\SysWOW64\Macromed\Flash. This may change over time, so I'd key off the Window Title column in Process Explorer to see the source process.  
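The same check the footnote does with Process Explorer, as an added PowerShell example that is not part of the original article: it lists every process owning a visible top-level window whose title mentions Flash, shows where the executable lives, and verifies the file's Authenticode signature, so an update prompt coming from somewhere other than the Macromed\Flash folders named above, or from an unsigned or non-Adobe-signed binary, stands out. The title pattern and the "Adobe" signer match are assumptions; adjust them to what your system shows. Run as administrator so that paths of processes belonging to other sessions are visible.

```powershell
# Added example, not from the original article. Finds the process behind a
# Flash-titled window and checks the binary's location and signature.
# Assumptions: the prompt's window title contains 'Flash' and a legitimate
# updater is signed by Adobe; edit $titlePattern and the signer match as needed.

$titlePattern = 'Flash'

Get-Process |
    Where-Object { $_.MainWindowTitle -and $_.MainWindowTitle -match $titlePattern } |
    ForEach-Object {
        $p   = $_
        $sig = if ($p.Path) { Get-AuthenticodeSignature -FilePath $p.Path } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

        [PSCustomObject]@{
            WindowTitle = $p.MainWindowTitle
            Process     = $p.ProcessName
            PID         = $p.Id
            Path        = $p.Path
            SigStatus   = if ($sig) { $sig.Status } else { 'NoPath' }
            Signer      = $signer
            # A real updater runs out of ...\Macromed\Flash (System32 or SysWOW64)
            # and carries a valid Adobe signature; a temp or profile folder, or an
            # unsigned file, is a reason to close the window and check adobe.com.
            LooksLegit  = ($p.Path -match '\\Macromed\\Flash\\') -and
                          ($sig -and $sig.Status -eq 'Valid') -and
                          ($signer -match 'Adobe')
        }
    } | Format-List
```

MainWindowTitle only reflects a process's main window, so a prompt shown as a secondary dialog of some other program will not be listed; in that case fall back to Process Explorer's Window Title column as the footnote suggests. A valid signature says who built the file, not that the message is current, so the adobe.com version page mentioned above remains the final word on whether an update is really needed.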
