Recently Adobe released an emergency fix to their Flash player, the second emergency update to Flash this month. The latest patch continues a loooooong line of critical flaws in the software (see my FlashTester.org site for a history). Simply put, Flash can't be trusted. Yet, it remains popular.
What to do?
One defense is to simply avoid Flash. It's not supported on iOS and Android, and it can always be uninstalled on Windows and OS X.
A less drastic defense is preventing Flash apps from running by default when web pages initially load. Then, if the site or page is trusted, the browser can be commanded to run the embedded Flash app(s). Blocking Flash by default can be done with either a browser extension or a click-to-run option offered by the browser itself. The screenshot above shows Flash being blocked by the Click-to-play option of Chrome on Windows.
Although better than nothing, this strikes me as an accident waiting to happen. For one thing, it takes constant vigilance. Let down your guard or make a mistake, and malicious Flash can still run. In addition, there is really no way to know which Flash apps are trustworthy and which are not.
This leads me back to my previous blog, A Chromebook offers Defensive Computing when traveling. Simply put, Chromebooks offer the safest environment for dealing with Flash enabled websites.
In part, this safety comes from simply being a lesser target.
Macintosh computers benefit by being a lesser target than Windows. Linux benefits by being an even lesser target than Macs. The latest bug in Flash was rated critical by Adobe for Windows and OS X. On Linux, not so much.
Chrome OS (the operating system on a Chromebook) is also a lesser target than Apple's OS X machines.
In addition, Chrome OS was designed with security in mind, more so than other operating systems (more details are in my prior blog).
For example, Chrome OS updates installed software (the OS itself, Flash and Chrome apps) automatically. There is nothing for the end user to do, enable or configure. There are no warnings that a user can ignore. Chrome OS software is, by and large, always up to date.
When security is paramount, Chrome OS offers guest mode, which runs a vanilla copy of the system without any installed apps. A case can be made that a Chromebook running in guest mode is the safest computing platform available to most people. Flash is supported in guest mode.
The downside of Chrome OS is that you can't run as many apps as you can on other systems. The upside is that the apps you can run, run securely.
This being Computerworld, most of you have surely read your fair share of articles about the latest security flaw in the Flash Player. How many articles on the subject suggested a Chromebook as a safe environment for Flash enabled websites? Any?
Brian Krebs, as he always does, covered the recent emergency update to the Flash player in a timely and helpful manner. I added a comment to his blog suggesting that the safest way to view a Flash enabled web site is on a Chromebook.
Brian deleted my comment.
Krebs on Security is a Chromebook free zone. Search for "chromebook" on the site and the result is shown below.
For a blog dedicated to computer security, ignoring the most secure computing device is a strange editorial position.
We can't expect Trend Micro, Symantec, McAfee and the like to suggest Chromebooks for security; they can't make any money off them. But Krebs is doing his readers a disservice by blogging with blinkers on.