Page 1 of 1

Coping with Flash vulnerabilities

Posted: Wed Feb 04, 2015 8:47 pm
by BillM
Two recently-reported Flash Player vulnerabilities (CVE-2015-0313 and -0311) are leading me to block most Flash videos.
The short form of this question is: How do I best use NoScript or FlashGot, in dealing with this situation?

I have NoScript (for years, and I love it!) ... but I never bothered with FlashGot; I've had little need to download Flash videos, but do watch them online occasionally (or "did," until now!).

Is there a NoScript setting that will block all Flash video from all sources, unless I explicitly override on a case-by-case basis? (I'm unlikely to override until they fix this!)

I suppose I could simply delete the vulnerable versions of Flash Player... but it's not clear to me, yet, how much (if any) of the vulnerability is "in the video," vs. how much is "in the player."

Re: Coping with Flash vulnerabilities

Posted: Wed Feb 04, 2015 9:12 pm
by therube
Options | Embeddings -> Forbid Flash
Apply these restrictions to whilelisted sites too (checkmark)

You should then get a placeholder on Flash content.

Re: Coping with Flash vulnerabilities

Posted: Wed Feb 04, 2015 11:16 pm
by Thrawn
And FlashGot is not relevant; it actually has nothing to do with the Flash Player. It's for "downloading in a flash".

Re: Coping with Flash vulnerabilities

Posted: Thu Feb 05, 2015 12:26 am
by barbaz
Also enable browser builtin click-to-play for Flash: Tools > Add-ons manager > plugins > shockwave flash: ask to activate.
NoScript will play nice with it, and extra layers of protection don't hurt.

Let's move this to Security since it isn't about FlashGot.

Re: Coping with Flash vulnerabilities

Posted: Fri Feb 13, 2015 9:51 pm
by bgmnt
Two recently-reported Flash Player vulnerabilities (CVE-2015-0313 and -0311) are leading me to block most Flash videos.

While blocking active content is never a bad idea, one has to salute the transparency of the Flash Player team. There are TONS of vulnerabilities in both Firefox and Chrome (Chrome updates have about 40 critical security issues fixed every time), and you don't hear as much about them. Browser vendors, OS vendors, they just fix security issues and that's it, so their products don't look half-assed. The Flash team goes the extra mile and admits when they learn about a security issue exploited in the wild. Let's not take that against them and encourage opacity. ;)

But do block Flash by default like you do JavaScript, of course.