Coping with Flash vulnerabilities

Talk about internet security, computer security, personal security, your social security number...
BillM
Posts: 4
Joined: Wed Jun 04, 2014 5:32 pm

Coping with Flash vulnerabilities

Post by BillM »

Two recently-reported Flash Player vulnerabilities (CVE-2015-0313 and -0311) are leading me to block most Flash videos.
The short form of this question is: How do I best use NoScript or FlashGot, in dealing with this situation?

I have NoScript (for years, and I love it!) ... but I never bothered with FlashGot; I've had little need to download Flash videos, but do watch them online occasionally (or "did," until now!).

Is there a NoScript setting that will block all Flash video from all sources, unless I explicitly override on a case-by-case basis? (I'm unlikely to override until they fix this!)

I suppose I could simply delete the vulnerable versions of Flash Player... but it's not clear to me, yet, how much (if any) of the vulnerability is "in the video," vs. how much is "in the player."
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Coping with Flash vulnerabilities

Post by therube »

Options | Embeddings -> Forbid Flash
Apply these restrictions to whitelisted sites too (checkmark)

You should then get a placeholder on Flash content.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 SeaMonkey/2.32
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Coping with Flash vulnerabilities

Post by Thrawn »

And FlashGot is not relevant; it actually has nothing to do with the Flash Player. It's for "downloading in a flash".
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Coping with Flash vulnerabilities

Post by barbaz »

Also enable browser builtin click-to-play for Flash: Tools > Add-ons manager > plugins > shockwave flash: ask to activate.
NoScript will play nice with it, and extra layers of protection don't hurt.

Let's move this to Security since it isn't about FlashGot.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; OpenBSD amd64; rv:29.0) Gecko/20100101 SeaMonkey/2.26.1
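
The settings named in the replies above (Forbid Flash, applying restrictions to whitelisted sites, and ask-to-activate) can be checked in a profile's prefs.js. This is an added example, not part of any post in the thread. It assumes those settings are stored as the preferences noscript.forbidFlash, noscript.contentBlocker and plugin.state.flash; the sample prefs.js text is constructed.

```python
import re

# Matches one line of a Firefox prefs.js file: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumed preference names for the settings discussed in the thread,
# mapped to (acceptable values, UI setting they correspond to).
EXPECTED = {
    "noscript.forbidFlash": ({True}, "NoScript: Embeddings -> Forbid Flash"),
    "noscript.contentBlocker": ({True}, "NoScript: apply to whitelisted sites too"),
    "plugin.state.flash": ({0, 1}, "Flash plugin: Never (0) or Ask to Activate (1)"),
}

# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "about:blank");
user_pref("noscript.forbidFlash", true);
user_pref("noscript.contentBlocker", false);
user_pref("plugin.state.flash", 2);
'''

def parse_prefs(text):
    """Return {name: value} with booleans and integers converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not user_pref
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Classify each expected pref as 'ok', 'weak', or 'unset'.

    'unset' means the file does not set the pref, so the browser or
    extension default applies and has to be checked in the UI.
    """
    prefs = parse_prefs(text)
    return {name: "unset" if name not in prefs
            else "ok" if prefs[name] in ok_values else "weak"
            for name, (ok_values, _label) in EXPECTED.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PREFS).items():
        print(f"{status:5}  {name}  ({EXPECTED[name][1]})")
```
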
bgmnt
Junior Member
Posts: 47
Joined: Sun Nov 17, 2013 3:41 pm

Re: Coping with Flash vulnerabilities

Post by bgmnt »

Two recently-reported Flash Player vulnerabilities (CVE-2015-0313 and -0311) are leading me to block most Flash videos.
While blocking active content is never a bad idea, one has to salute the transparency of the Flash Player team. There are TONS of vulnerabilities in both Firefox and Chrome (Chrome updates have about 40 critical security issues fixed every time), and you don't hear as much about them. Browser vendors, OS vendors, they just fix security issues and that's it, so their products don't look half-assed. The Flash team goes the extra mile and admits when they learn about a security issue exploited in the wild. Let's not take that against them and encourage opacity. ;)

But do block Flash by default like you do JavaScript, of course.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0