Sunday, February 1, 2015

Don't get flashed by Flash

Flash Player is a common browser plug-in for rich content, but is also a common method of "drive-by" infection. Here are some security tips.
This article was written in the context of a series of Flash exploits in early 2015, but in Chrome the same technique of making plug-ins click-to-play will stop exploits against any plug-ins, including Windows Media Player.

Adobe Flash Player is a common browser enhancement that enables so-called "rich web content" - animations, video, in-browser games, interactive advertisements, and more. It's also a top target for malicious hacks - a bogus Flash program that automatically launches when you open a web page can take over your computer. Over the last few weeks, there have been a series of malware outbreaks exploiting vulnerabilities in Flash to infect unsuspecting people's computers.

With Flash installed, all it takes is browsing to a compromised website to become infected yourself. There's no way of knowing in advance if a site is compromised: in fact, a common infection method lately is to insert a malicious Flash file into an advertising network, which may be used by hundreds if not thousands of otherwise benign websites. Visit a normally-safe site whose ad network has been compromised, and your PC can become infected as soon as the page loads.

Adobe (the maker of Flash) has released updates to fix each vulnerability as it comes to light. Depending on your browser, the updates may be installed automatically, or you may need to install them yourself. That still leaves a period of time when bad guys are using a vulnerability that has not yet been fixed - you can't update your software if no update has been developed yet.

A second step you can take that is effective whether or not a fix is out, is to change the default browser settings for Flash content. By default, most if not all browsers automatically display interactive Flash content. You can instead set the browser to ask before displaying Flash content. It is simple to do, it is next to no inconvenience to you, and it stops this sort of automatic infection dead in its tracks. Read on for specific steps in each of the three major PC browsers.

Google Chrome

Google's Chrome browser has Flash Player built in to the browser; Flash Player updates are included with Chrome updates, and are installed automatically. A simple way to verify this is to open Chrome's "plug-ins" window to see the current version of all plug-ins (plug-ins are "helper programs" that hook into the browser to provide additional features). Chrome does not provide a way to get to the plug-ins window through menus, but you can easily find it by typing "chrome://plugins" in the address bar (the same place where you might otherwise enter "https://whatever.com"). As of this writing, version 18.0.0.194 is the latest - but that will change this week as there is yet another newly-discovered unpatched vulnerability being exploited.
Check the version of any installed plugins on Chrome

If the version shown is older than the latest known version, you can tell Chrome to update immediately instead of waiting for its next scheduled update. Simply click the menu icon (the three horizontal lines at the upper right-hand corner of your browser window), and choose "About Google Chrome." Alternately, you can use the shortcut address "chrome://chrome" to get to this screen. Chrome will automatically check for and install updates when you open the screen.

Chrome automatically installs updates, but you can also check for and install updates immediately.

To change Flash content to "click to play" instead of automatically playing, use another hidden menu option. The shortcut address "chrome://settings/content" opens a content settings menu; look for the section entitled "Plugins," and select "Let me choose when to run plugin content."

Set chrome plug-ins to "Click to play" instead of playing automatically upon visiting a web site.

With this setting, when you browse to a web page that contains Flash content, instead of automatically playing (or automatically infecting your PC, depending on the developer's intent), you'll see something like this. Only if you click the Flash object will it begin to play:

With this setting, Flash content will only play after you click it


Mozilla Firefox

For Firefox, the process is very similar, though Firefox provides a visual way to get to the plug-ins menu. From the Firefox start screen, simply click the "Add-ons" icon at the bottom, or type "about:addons" in the address bar:

Access the Add-ons manager within Firefox

From the Add-ons Manager, click the "Plugins" tab, and look for "Shockwave Flash." If the version shows as something other than the latest version (18.0.0.194 as of this writing, but that will change as soon as an update is released for the newest newly-discovered unpatched vulnerability), use the link at the top to check to see if your plugins are up to date. From this same screen, you can set Flash content to "Ask to Activate" instead of playing automatically.

Update plug-ins, and set plug-ins to "Ask to Activate" instead of automatically playing Flash content upon visiting a website.

Keep in mind that Firefox does not actually update the Flash Player for you. The "Check" link will let you know that a plug-in is outdated and give you a link to Adobe to download an update if needed. The simplest way to actually update the plug-in is through the Flash Player Settings Manager, as shown below.

Microsoft Internet Explorer

Internet Explorer is somewhat less user-friendly when it comes to updating plug-ins. Unlike with Chrome and Firefox, Flash Player settings and updates are not integrated into the browser; instead, Flash Player settings are controlled through a separate Flash Player Settings Manager in the Windows Control Panel. To get there, open the Control Panel (it ordinarily is included in the Start Menu; if you have removed it, simply type "Control Panel" into the "Search programs and files" box in the Start Menu), and select "Flash Player."

Internet Explorer does not manage Flash natively; instead, use the Flash Player Settings Manager in the Windows Control Panel.

Alas Internet Explorer does not have a native "click to play" option. There is a somewhat cumbersome method of forcing IE to prompt you for permission, I am of the mind that if a product is cumbersome, I'll use a different product. For that reason (and others), I disable the Flash Player plug-in in Internet Explorer, and generally do not use IE at all unless a particular website requires it.

Now it's your turn. Do you have any favorite tips for avoiding malicious content hidden in normally-safe websites?

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.