Stop the Flash madness - 5 bugs a week

On August 11, 2015 Adobe fixed 34 bugs in their Flash Player software. Many of the bugs enabled a computer to get infected with malicious software simply by viewing a web page.

This most recent round of bug fixes comes 28 days after Adobe fixed two other Flash bugs, and 34 days after they fixed 36 bugs. Putting this in perspective, the Flash Player has been updated a dozen times so far this year (below).

  1. August 11, 2015 Fixed 34 bugs
  2. July 14, 2015  Fixed 2 bugs
  3. July 8, 2015  Fixed 36 bugs
  4. June 23, 2015  Fixed one bug
  5. June 9, 2015  Fixed 13 bugs
  6. May 13, 2015  Fixed 18 bugs
  7. April 14, 2015  Fixed 22 bugs
  8. March 12, 2015  Fixed 11 bugs
  9. February 5, 2015  Fixed 15 bugs
  10. January 27, 2015  Fixed 2 bugs
  11. January 22, 2015  Fixed 1 bug
  12. January 14, 2015  Fixed 9 bugs

This adds up to 164 bug fixes so far in 2015, a year that was 223 days old when the last group of patches were released on the 11th. In round numbers, this comes out to 1 bug fix every 33 hours for 2015.

Or, five a week.

If you are reading this on August 18th, the odds are that Adobe has found, and not yet fixed, 5 new bugs in the Flash Player. Reading this on August 25th? Chances are you are vulnerable to 10 new Flash bugs. Five bugs a week.

And, it's getting worse. Back in May, I wrote that in its 19th year of existence (the Flash Player was first released in 1996), Flash needed 143 bug fixes (from May 2014 through May 2015. That's 2.75 a week.


Don't put up with this.

Un-install the Flash Player.

Do the world a favor.

As fewer computers have the Flash Player installed, it will inevitably pressure software developers to move to an alternate platform.

Others are also raising their voices against Flash. 

Back in June, Brian Krebs wrote about spending A Month Without Adobe Flash Player, an endeavor prompted by the flood of Flash bugs. By and large, he didn't miss it.

Last month, Alex Stamos, the Chief Information Security Officer at Facebook wrote that "It is time for Adobe to announce the end-of-life date for Flash."

Picking up on that, security analyst Graham Cluley wrote that "... the only people who truly seem to love Adobe Flash these days are the criminals."

And just last month, Mozilla temporarily blocked all versions of the Flash Player from running automatically in Firefox. 

Removing the Flash Player, however, is easier said than done. 

Chrome OS users, for example, can not remove Flash. But they can disable it fairly easily, after entering "chrome://plugins" in the address bar. Chrome OS users that need Flash, should enable click-to-play so that it does not run automatically.

Microsoft has also forced the Flash Player down the throats of Windows 8 and 10 users. Starting with Windows 8, Flash is embedded in Internet Explorer, and starting with Windows 10 it is embedded in both IE and the new Edge browser. As with Chrome OS, these embedded copies of Flash can not be un-installed, but they can be disabled.

There are two ways to disable Flash in Internet Explorer, I would do both for good luck.

The first is ActiveX Filtering which can be found both on the Tools menu or via Gear -> Safety. The second is "Manage add-ons", also off the Tools menu or the Gear icon in the top right corner. In the "Toolbars and Extensions" section, look for the "Shockwave Flash Object". Simply right click on it to disable it. If you don't see it, make sure that the "Show" box is set to "All add-ons".

To disable Flash in the Edge browser, see How to Uninstall and Disable Flash in Every Web Browser.

Windows users also can not remove Flash from the Chrome browser. But, as with Chrome OS, it can be disabled or set to click-to-play.

Like Windows, OS X Yosemite allows multiple independently installed copies of the Flash Player.

Under Utilities, there is an Adobe Flash Player Install Manager that says it will remove Flash, but it only removes it from Safari and Firefox, not from Chrome. The procedure for restricting Flash in the Chrome browser, either full disabling or click-to-play, is the same on OS X, Windows and Chrome OS.

OS X users that need Flash are safest using a copy of Safari or Firefox without Flash, most of the time, and using Chrome with Flash set to click-to-play on an as-needed basis. On Windows, the same concept applies, but Firefox is the only browser that can truly be Flash-free.

Chrome on Windows and OS X displays the file that it uses for the Flash Player (click Details on the plug-in page), so the truly paranoid can delete or rename the file. But, this needs to be re-done every time Chrome updates itself.


Is that overkill? Maybe not, when you consider that Flash objects are not restricted to web pages, they can also be found in Microsoft Office documents and PDF files.

Speaking of PDF files, it may come as no surprise that another Adobe product, their PDF Reader, is also chock full of bugs.

At last weeks DEF CON conference, three people from HP’s Zero Day Initiative (Brian Gorenc, AbdulAziz Hariri and Jasiel Spelman) described Abusing Adobe Reader's JavaScript APIs. They started looking into the Adobe Reader in December 2014, when it too, was a very mature product. By their count, 41 bugs that they reported to Adobe have been fixed, and 22 are still unpatched. One of them even found a new Adobe Reader bug on the plane to the conference (so that's 23 unpatched flaws as of August 9th). 

Perhaps even worse than the bugs in the Adobe Reader was the Collab object which has 125 undocumented methods. Is this an oversight, or, are these functions being purposely hidden? Certainly anyone running a spy agency, would just love to have the Adobe Reader helping them out. Personally, as a Windows user, I prefer the Sumatra PDF reader.

Spy agencies probably salivate over the Flash Player, especially considering the many instances where it can't be un-installed. We know Hacking Team targeted Flash. Who can blame them?

Five new bugs a week.

Copyright © 2015 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon